

Setting Up RADIUS Accounting


This chapter discusses how to set up RADIUS accounting. It consists of the following sections:

Before you begin
Overview of accounting configuration tasks
Setting up system-wide RADIUS accounting values
Setting up accounting on a per-user basis
Setting up accounting with dynamic IP addressing
Classifying user sessions in RADIUS
Using SNMP to specify the primary accounting server
Starting the RADIUS daemon with accounting enabled
Understanding accounting records

Before you begin

Before you set up RADIUS accounting, you must install the most recent Ascend RADIUS daemon. Follow the instructions in Installing the RADIUS daemon.

Overview of accounting configuration tasks

When you set up the RADIUS server for accounting, you must specify certain system-wide settings, as explained in Performing required accounting configuration tasks. Other system-wide settings are optional, as described in Performing optional accounting configuration tasks. In addition, depending on your accounting needs, you can carry out the following tasks:

Finally, to start up the RADIUS accounting server, follow the instructions in Starting the RADIUS daemon with accounting enabled.

Setting up system-wide RADIUS accounting values

This section explains how to configure RADIUS accounting on a system-wide basis. Some steps are required. Others are optional.

Performing required accounting configuration tasks

When you set up RADIUS accounting, you must specify:

Specifying system-wide accounting parameters on the MAX TNT

To set accounting parameters that affect all users on a system-wide basis, perform the following steps at the MAX TNT configuration interface:

  1. In the External-Auth profile, set Acct-Type=RADIUS.

  2. Open the Rad-Acct-Client subprofile.

  3. For each Acct-Server parameter, specify the IP address of a RADIUS host.

  4. For the Acct-Port parameter, enter the UDP port number you specified in /etc/services for the authentication process of the daemon. Or, if you used the incr keyword with the -A option when starting the daemon, add 1 to the number of the UDP port for authentication services, and enter the sum.

  5. For the Acct-Key parameter, enter the RADIUS client password, exactly as it appears in the RADIUS clients file.

Specifying the accounting port

Add to the /etc/services file a line identifying the RADIUS daemon's accounting port. Use the following format:

radacct      1646/udp      #radius-accounting

The port number you specify must match the port number indicated by the Acct-Port parameter in the External-Auth profile's Rad-Acct-Client subprofile.

Specifying the accounting directory

Create the /usr/adm/radacct directory. Or, when starting the daemon, use the -a option to specify a different directory in which to store accounting information. The accounting process in the daemon creates a file named detail in /usr/adm/radacct, or in the directory you specify with the -a option. The detail file contains accounting records.

Performing optional accounting configuration tasks

In the External-Auth profile, you can specify that the RADIUS accounting daemon generate unique accounting IDs based on the source UDP port number of accounting packets. In addition, depending on the needs of your site, you have the option of specifying one or more values in the Rad-Acct-Client subprofile of the External-Auth profile:

In addition, you can set parameters in the Rad-Acct-Client subprofile that control:

Generating RADIUS accounting IDs based on source port number

RADIUS uses ID values in Request-Response matching. For each unique accounting request (including retries, if a response is not received within the configured timeout period), RADIUS assigns an 8-bit ID value. The assigned value is freed when the request is no longer pending, that is, when RADIUS matches a request with a response, or the request times out.

When the MAX TNT runs at high capacity, RADIUS can run out of unique IDs. By default, when the server reaches its limit of 256 outstanding requests, no unique values are available for the next accounting request. To overcome this limitation, you can specify that each request be identified by the UDP source port as well as by the RADIUS ID value. To configure the MAX TNT to send the source UDP port number in RADIUS Request-Response matching, set Rad-ID-Source-Unique=Port-Unique in the External-Auth profile.
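
The following Python model is an added example, not Ascend code: it tracks outstanding accounting requests to show why an 8-bit ID caps the unit at 256 pending requests and how matching on the UDP source port as well lifts that cap. The class name, the source ports 500 and 501, and the policy of moving to the next source port once one port's IDs are used up are assumptions; the page does not say how the MAX TNT chooses source ports.

```python
class PendingRequests:
    """Model of a RADIUS client's table of outstanding accounting requests."""

    ID_SPACE = 256  # the RADIUS Identifier field is 8 bits wide

    def __init__(self, port_unique, src_ports):
        # port_unique=False models Rad-ID-Source-Unique=System-Unique,
        # port_unique=True models Rad-ID-Source-Unique=Port-Unique.
        self.port_unique = port_unique
        self.src_ports = list(src_ports)  # hypothetical source ports
        self.pending = {}                 # matching key -> request payload

    def _key(self, port, ident):
        # System-unique: a response is matched on the ID alone.
        # Port-unique: a response is matched on (source port, ID).
        return (port, ident) if self.port_unique else ident

    def allocate(self, payload):
        """Reserve a free (port, ID) pair, or return None when none is left."""
        # Assumption: in system-unique mode every request leaves one port.
        ports = self.src_ports if self.port_unique else self.src_ports[:1]
        for port in ports:
            for ident in range(self.ID_SPACE):
                key = self._key(port, ident)
                if key not in self.pending:
                    self.pending[key] = payload
                    return port, ident
        return None  # ID space exhausted: the request cannot be identified

    def complete(self, port, ident):
        """Free the slot when a response matches or the request times out."""
        return self.pending.pop(self._key(port, ident), None)


def count_accepted(table, requests):
    """Number of requests that received a unique identifier."""
    return sum(1 for n in range(requests) if table.allocate(n) is not None)


if __name__ == "__main__":
    print("system-unique:", count_accepted(PendingRequests(False, [500]), 300))
    print("port-unique:  ", count_accepted(PendingRequests(True, [500, 501]), 300))
```

An accounting daemon that receives port-unique requests has to apply the same rule when it detects retransmissions: two packets with the same ID but different source ports are different requests.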

Specifying the source for RADIUS accounting requests

Set the Acct-Src-Port parameter to a value representing the MAX TNT unit's UDP source port for sending RADIUS accounting requests. You may specify the same value for authentication and accounting requests.

Specifying a timeout value

To specify the number of seconds the MAX TNT waits for a response to a RADIUS accounting request, set the Acct-Timeout parameter in the Rad-Acct-Client subprofile of the External-Auth profile. You can specify a value from 1 to 10. The default value is 1.

Specifying a retry limit

When the MAX TNT is configured for RADIUS accounting, it sends Accounting Start and Stop packets to the RADIUS server to record connections. If the server does not acknowledge a packet within the number of seconds you specify for the Acct-Timeout parameter, the MAX TNT tries again, resending the packet until the server responds, or dropping the packet because the queue is full. To set the maximum number of retries for Accounting packets, set the Acct-Limit-Retry parameter to a value greater than 0 (zero). A value of 0 (the default) indicates an unlimited number of retries.

The MAX TNT always attempts at least one retry. For example, if you set the number of retries to 10, the MAX TNT makes 11 attempts: the original attempt plus 10 retries.

Specifying the interval for sending session reports

The MAX TNT can report the number of sessions by class to a RADIUS accounting server. The Acct-Sess-Interval parameter specifies the interval, in seconds, at which the MAX TNT sends session reports. You can specify a number between 0 and 65535. The default value is 0 (zero), which specifies that the MAX TNT does not send reports on session events.

(For complete information about setting up the MAX TNT for session reports, see Classifying user sessions in RADIUS.)

Specifying the numeric base for the session ID

The Acct-Session-ID attribute is a unique numeric string identified with the session reported in an Accounting packet. The Acct-Id-Base parameter controls whether the MAX TNT presents Acct-Session-ID to the accounting server in base 10 or base 16. You can specify one of the following settings:

For example, when you set Acct-Id-Base=Acct-Base-10, the MAX TNT presents a typical session ID to the accounting server in the following format:

"1234567890"

When you set Acct-Id-Base=Acct-Base-16, the MAX TNT presents the same session ID in the following format:

"499602D2"

Note: Changing the value of Acct-Id-Base while sessions are active creates inconsistencies between the Start and Stop records.

Specifying the reset time

To specify the number of seconds that must elapse before the MAX TNT returns to using the primary RADIUS accounting server, set the Acct-Reset-Time parameter. The default is 0 (zero), which specifies that the MAX TNT does not return to using the primary RADIUS accounting server.

Specifying whether to send Stop packets when authentication fails

By default, RADIUS Accounting Stop packets are sent for authenticated connections, connections that are dropped before authenticating, and connections that fail authentication. To configure the MAX TNT not to send Stop packets for connections that fail authentication, set Acct-Drop-Stop-On-Auth-Fail=Yes in the Rad-Acct-Client subprofile of the External-Auth profile.

Specifying whether to send Stop packets with no user name

At times, the MAX TNT can send an Accounting Stop packet to the RADIUS server without having sent an Accounting Start packet. Such Stop packets have no user name. To specify that the MAX TNT should not send an Accounting Stop packet that does not contain a user name, set Acct-Stop-Only=No in the Rad-Acct-Client subprofile of the External-Auth profile.

Example of setting up system-wide RADIUS accounting

The configuration illustrated in Figure 12-1 uses three RADIUS accounting servers. Clients dialing in across the WAN use both framed and unframed protocols on analog and digital lines. The RADIUS daemon for each server receives client requests on UDP port 512, and the client password is tntpass.

Figure 12-1. Sample network topology for setting up system-wide RADIUS accounting

In addition to the required parameters, the configuration also specifies that the MAX TNT must:

To set the values for the sample configuration, you would proceed as follows:

admin> read external-auth
EXTERNAL-AUTH read
admin> list
auth-type=none
acct-type=none
rad-id-space=unified
rad-id-source-unique=system-unique
rad-serv-enable=no
rad-auth-client={ 0.0.0.0 0.0.0.0 0.0.0.0 0 0 "" no 0 no no no 0 yes +
rad-acct-client={ 0.0.0.0 0.0.0.0 0.0.0.0 0 0 "" 0 0 acct-base-10 0 +
rad-auth-server={ 0 no rad-serv-attr-any [ 0.0.0.0 0.0.0.0 0.0.0.0 +
tac-auth-client={ 0.0.0.0 0.0.0.0 0.0.0.0 0 0 "" 0 }
tacplus-auth-client={ 0.0.0.0 0.0.0.0 0.0.0.0 0 0 "" 0 0 }
tacplus-acct-client={ 0.0.0.0 0.0.0.0 0.0.0.0 0 0 "" }
local-profiles-first=lpf-yes
admin> set acct-type=radius
admin> set rad-id-source-unique=port-unique
admin> list rad-acct-client
acct-server-1=0.0.0.0
acct-server-2=0.0.0.0
acct-server-3=0.0.0.0
acct-port=0
acct-src-port=0
acct-key=""
acct-timeout=0
acct-sess-interval=0
acct-id-base=acct-base-10
acct-reset-time=0
acct-stop-only=yes
acct-limit-retry=0
acct-drop-stop-on-auth-fail=no
admin> set acct-server-1=10.1.2.1
admin> set acct-server-2=10.1.2.2
admin> set acct-server-3=10.1.2.3
admin> set acct-port=512
admin> set acct-src-port=500
admin> set acct-key=tntpass
admin> set acct-timeout=10
admin> set acct-limit-retry=6
admin> write external-auth
EXTERNAL-AUTH written

Setting up accounting on a per-user basis

A network reseller can serve many different ISPs, each with a different access policy. The reseller carries traffic for individual users, and must bill for usage according to the policies of the appropriate ISP. With per-user accounting, a network reseller can direct accounting information about specific users to a RADIUS server belonging to a particular ISP. Each RADIUS user profile can specify that accounting data goes to one or both of the following locations:

When an accounting event occurs, the MAX TNT sends an accounting message to the specified server. The MAX TNT places each accounting message on a list and waits for an acknowledgment from the RADIUS server. If an acknowledgment does not arrive within the time specified by the Acct-Timeout parameter, the MAX TNT resends the accounting message. RADIUS discards the oldest entry on the list when the total number of entries exceeds the maximum.

Overview of per-user accounting attributes

When you set up accounting on a per-user basis, you use the attributes described in Table 12-1.

Table 12-1. Per-user accounting attributes

Attribute: Ascend-User-Acct-Base (142)
Description: Specifies whether the numeric base of the RADIUS Acct-Session-ID attribute is 10 or 16.
Possible values:
  Ascend-User-Acct-Base-10 (0)
  Ascend-User-Acct-Base-16 (1)
  Ascend-User-Acct-Base-10 is the default.

Attribute: Ascend-User-Acct-Host (139)
Description: Specifies the IP address of the RADIUS server to use for the connection.
Possible values: IP address in dotted decimal notation n.n.n.n, where n is an integer between 0 and 255. The default value is 0.0.0.0.

Attribute: Ascend-User-Acct-Key (141)
Description: Specifies the RADIUS client password as it appears in the clients file.
Possible values: Text string. The default value is null.

Attribute: Ascend-User-Acct-Port (140)
Description: Specifies a destination UDP port number for the connection.
Possible values: The UDP port number you indicated for the authentication process of the daemon in /etc/services. Or, if you used the incr keyword with the -A argument when starting the daemon, the number of the UDP port for authentication services plus 1.

Attribute: Ascend-User-Acct-Time (143)
Description: Specifies the number of seconds the MAX TNT waits for a response to a RADIUS accounting request. If the MAX TNT does not receive a response within the time specified by Ascend-User-Acct-Time, it sends the accounting request to the next accounting server specified by the Acct-Server parameter on the MAX TNT, to the server specified by the Ascend-User-Acct-Host attribute in RADIUS, or both.
Possible values: Integer from 1 to 10. The default value is 1.

Attribute: Ascend-User-Acct-Type (138)
Description: Specifies the RADIUS accounting server to use for the connection.
Possible values:
  Ascend-User-Acct-None (0) specifies that the MAX TNT sends accounting information to the default server specified in the External-Auth profile's Rad-Acct-Client subprofile.
  Ascend-User-Acct-User (1) specifies that the MAX TNT sends accounting information to the RADIUS server specified by the Ascend-User-Acct-Host attribute in the RADIUS user profile.
  Ascend-User-Acct-User-Default (2) specifies that the MAX TNT sends accounting information both to the RADIUS server specified by the Ascend-User-Acct-Host attribute, and to the default server.
  Ascend-User-Acct-None is the default.

Specifying per-user accounting attributes

To specify a RADIUS accounting server in a RADIUS user profile:

  1. Set up the RADIUS user profile, as discussed in the preceding chapters.

  2. Set the Ascend-User-Acct-Type attribute to specify the RADIUS accounting server for the connection.

  3. Set the Ascend-User-Acct-Host attribute to the IP address of the RADIUS accounting server for the connection.

  4. Set the Ascend-User-Acct-Port attribute to the UDP port number you specified for the authentication process in /etc/services. Or, if you used the incr keyword with the -A argument when starting the daemon, specify the sum of 1 plus the number of the UDP port for authentication services.

  5. Set the Ascend-User-Acct-Key attribute to the value of the RADIUS client password, exactly as it appears in the RADIUS clients file.

  6. Set the Ascend-User-Acct-Base attribute to specify whether the numeric base of the RADIUS Acct-Session-ID attribute is 10 or 16 (optional).

  7. Set the Ascend-User-Acct-Time attribute to the number of seconds the MAX TNT waits for a response to a RADIUS accounting request (optional).

    If Ascend-User-Acct-Type is set to Ascend-User-Acct-User-Default, the MAX TNT sends two different packets: one to the server specified in the user profile, and one to the default server.

Example of setting up per-user accounting

In Figure 12-2, the MAX TNT sends accounting information to the RADIUS server at 200.250.56.10 for the user Emma. The destination UDP port is 1645, and the RADIUS client password is mypassword.

Figure 12-2. Sample network topology for setting up accounting on a per-user basis

To set up per-user accounting for the user Emma, you would configure her user profile as follows:

Emma Password="m2dan", User-Service=Framed-User
	Framed-Protocol=PPP,
	Framed-Address=200.250.55.9,
	Ascend-Link-Compression=Link-Comp-Stac,
	Framed-Compression=Van-Jacobson-TCP-IP,
	Ascend-Route-IP=Route-IP-Yes,
	Ascend-Metric=2,
	Ascend-User-Acct-Type=Ascend-User-Acct-User,
	Ascend-User-Acct-Host=200.250.56.10,
	Ascend-User-Acct-Port=1645,
	Ascend-User-Acct-Key="mypassword"

Setting up accounting with dynamic IP addressing

In some networks, the RADIUS accounting server requires an IP address for all callers. For callers that receive an IP address from a pool, this requirement presents a problem. During PPP authentication, RADIUS verifies the name and password, but not the caller's IP address. To track calls during the authentication period, you must set up one or more IP address pools as described in Defining a pool of addresses for dynamic assignment. Then, in the Rad-Auth-Client subprofile of the External-Auth profile, set Auth-Pool=Yes.

When Auth-Pool=Yes, the MAX TNT includes the caller's assigned IP address as the value of the Framed-Address attribute. The MAX TNT allocates this address from pool #1. (If you do not define pool #1, the call does not have an IP address during authentication.) Because an IP assignment is not usually part of an Access-Request, you must modify the RADIUS daemon. The assigned IP address might not last the duration of the connection, or it might not be meaningful. Here are five possibilities:

Classifying user sessions in RADIUS

The Class and Ascend-Number-Sessions attributes enable access providers to classify their user sessions for purposes such as billing clients on the basis of the service option they choose. If you customize RADIUS properly, you can set up the MAX TNT to periodically issue accounting requests.

Using the Class attribute

If you include the Class attribute in the RADIUS user profile, the RADIUS server sends it to the MAX TNT in the Access-Accept packet when the session begins. Class then appears in Accounting-Request packets the MAX TNT sends to the RADIUS accounting server whenever a session starts and whenever a session stops. The accounting entries specify the class on a per-user and per-session basis.

Using the Ascend-Number-Sessions attribute

The Ascend-Number-Sessions attribute reports information about all user sessions (that is, on the number of current sessions of each class). The attribute has a compound value. The first part indicates a user-session class. The second part reports the number of active sessions in that class. In the case of multichannel calls, such as MP+ calls, each separate connection counts as a session.

Generating periodic accounting requests

On the MAX TNT, you can set the Acct-Sess-Interval parameter in the External-Auth profile's Rad-Acct-Client subprofile to send accounting requests at regular intervals. At the specified interval, the MAX TNT reports the number of open sessions by sending an Ascend-Access-Event-Request packet (code 33). The packet contains the NAS-Identifier attribute, followed by a list of Ascend-Number-Sessions attributes.

Only RADIUS daemons you customize to recognize packet code 33 respond to Ascend-Access-Event-Request packets from the MAX TNT. Other accounting daemons ignore it. When modifying the daemon, make sure that it recognizes an Ascend-Access-Event-Request packet in the following format:

Code (8-bit)=33
Identifier (8-bit)
Length (16-bit)
Authenticator (48-bit for an accounting server, 64-bit for an authentication server)
List of attributes

Example of classifying user sessions

Suppose that the MAX TNT has three classes of clients: Class-1, Class-2, and Class-3. At the time of the sessions report, there are eight active sessions: three Class-1 sessions, four Class-2 sessions, and one Class-3 session. The accounting packet that the MAX TNT sends to the RADIUS accounting server has three Ascend-Number-Session attributes, one for each of the class/session pairs.

Using SNMP to specify the primary accounting server

By default, if the MAX TNT uses a secondary RADIUS accounting server because the primary one goes out of service, the MAX TNT does not use the first host again until the second machine fails. This situation occurs even if the first host comes online while the second host is still servicing requests. However, you can use an SNMP Set command to specify that the MAX TNT use the first host again. Such a need might arise if you shut down the primary server and then make it available again.

Every time you reset the server with the Set command, the MAX TNT generates an SNMP trap. The MAX TNT also generates a trap if it changes to the next server because the current server fails to respond. The trap is an Enterprise Specific Trap (18) and specifies the Object ID and IP address for the new server. The Object ID for the accounting server is 1.3.6.1.4.1.529.13.4.1.6.x, where x is the index of the current server (1-3).

The following MIB objects support changing the current RADIUS accounting server:

radAcctHostIPAddress OBJECT-TYPE
	SYNTAX       IpAddress
	ACCESS       read-only
	STATUS       mandatory
	DESCRIPTION  "The IP address of the Accounting server. The
	             value 0.0.0.0 is returned if entry is invalid."
	::= { radiusAcctStatsEntry 6 }

radAcctCurrentServerFlag OBJECT-TYPE
	SYNTAX       INTEGER {
	                 invalid(1),
	                 current(2)
	             }
	ACCESS       read-write
	STATUS       mandatory
	DESCRIPTION  "Value indicates whether this entry is the
	             current accounting server or not. Writing any
	             value will cause the current server to be reset
	             to the primary server (Host #1)."
	::= { radiusAcctStatsEntry 7 }

Starting the RADIUS daemon with accounting enabled

To enable accounting, start the RADIUS daemon with the -A argument.

When using a flat ASCII file

If you are using a flat ASCII file, enter the following command line:

radiusd -A services | incr

If you specify the services argument, the daemon creates the accounting process, but only if a line defining the UDP port to use for accounting appears in the /etc/services file. Otherwise, the daemon does not start.

If you specify the incr argument, the daemon creates the accounting process with the UDP port specified as the accounting port in the /etc/services file. If you have not defined the port, the daemon increments the UDP port specified for radiusd and uses that port number. This action is the default if you do not specify the -A argument.

When using a UNIX DBM database

To start the RADIUS daemon when using a UNIX DBM database, enter the following command line:

radiusd.dbm -A services

You must specify the services argument when you start the daemon in DBM mode.

Understanding accounting records

This section describes:

What type of information appears in accounting records?

RADIUS accounting records information about WAN sessions only. Specifically, RADIUS logs information about three types of events:

When the MAX TNT recognizes one of these events, it sends an accounting request to RADIUS. When the accounting server receives the request, it combines the information into a record and timestamps it. Each type of accounting record contains attributes associated with an event type, and can show the number of packets the MAX TNT transmitted and received, the protocol in use, the user name and IP address of the client, and so on. All counters are session based, and reset to 0 (zero) when the session starts. At the end of the session, the interfaces are reported as Down and show 0 (zero).

You can use RADIUS accounting to:

Where are accounting records stored?

The RADIUS accounting server writes each record to a log file. If you run an unmodified Ascend RADIUS daemon, the Ascend RADIUS accounting file and the Livingston RADIUS accounting file have the same name:

/usr/adm/radacct/host/detail

where host is the RADIUS client. Because the client of the RADIUS accounting server is your MAX TNT, host is your MAX TNT unit's symbolic host name, or its IP address in dotted decimal notation.

What kinds of packets does RADIUS accounting use?

RADIUS accounting uses two kinds of packets: Accounting Start and Accounting Stop.

Accounting Start packets

Accounting Start packets signal a Start session event. When the MAX TNT begins a terminal-server or routing session, and the call passes authentication or the user logs in, the MAX TNT sends an Accounting Start packet to the RADIUS accounting server. The packet describes the type of session in use and the name of the user opening the session.

The MAX TNT does not send an Accounting Start packet if a call fails authentication or otherwise fails to log in. In some cases, a session begins with a user login and then authentication follows, such as when a terminal-server user chooses PPP or SLIP after login. If User-Service=Login-User, or if User-Service is unspecified, the MAX TNT sends an Accounting Start packet after login. Information from an Accounting Start packet appears in a Start record in the log file.

Accounting Stop packets

Accounting Stop packets signal a Stop session or Failure-to-start session event. By default, the MAX TNT always sends an Accounting Stop packet at the end of a session, including cases in which a user fails authentication. Information from an Accounting Stop packet appears in a Stop record or Failure-to-start record in the log file.
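
The Python script below is an added example, not part of the Ascend daemon. It pairs Start and Stop records from a detail file by Acct-Session-Id, separates Stop records that carry no user name from Stops whose Start record is missing, and recognizes a session whose ID changed base between Start and Stop, the inconsistency the Acct-Id-Base note warns about. The detail-file layout, the function names and every sample record are assumptions constructed for the example.

```python
import re

# Constructed sample records. Assumed layout (the page does not show it): a
# timestamp line, indented "Attribute = value" lines, a blank line between records.
SAMPLE_DETAIL = """\
Mon Mar  2 09:00:01 1998
    User-Name = "emma"
    Acct-Status-Type = Start
    Acct-Session-Id = "1234567890"

Mon Mar  2 09:00:40 1998
    Acct-Status-Type = Stop
    Acct-Session-Id = "1234567901"

Mon Mar  2 09:01:10 1998
    User-Name = "bob"
    Acct-Status-Type = Start
    Acct-Session-Id = "1234567902"

Mon Mar  2 09:20:00 1998
    User-Name = "emma"
    Acct-Status-Type = Stop
    Acct-Session-Id = "499602D2"
    Acct-Session-Time = 1199

Mon Mar  2 09:25:00 1998
    User-Name = "bob"
    Acct-Status-Type = Stop
    Acct-Session-Id = "1234567902"
    Acct-Session-Time = 1430

Mon Mar  2 09:30:00 1998
    User-Name = "carol"
    Acct-Status-Type = Start
    Acct-Session-Id = "1234567950"

Mon Mar  2 09:31:00 1998
    User-Name = "dave"
    Acct-Status-Type = Stop
    Acct-Session-Id = "1234567960"
    Acct-Session-Time = 60
"""

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_detail(text):
    """Split detail-file text into records (dicts of attribute -> value)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"_timestamp": lines[0].strip()}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        records.append(rec)
    return records


def _as_int(value, base):
    try:
        return int(value, base)
    except ValueError:
        return None


def _other_base_match(stop_sid, open_starts):
    """Find an open Start whose ID equals stop_sid written in the other base."""
    for start_sid in open_starts:
        dec, hexa = _as_int(start_sid, 10), _as_int(start_sid, 16)
        if dec is not None and dec == _as_int(stop_sid, 16):
            return start_sid
        if hexa is not None and hexa == _as_int(stop_sid, 10):
            return start_sid
    return None


def correlate(records):
    """Classify Stop records against the Start records seen before them."""
    open_starts = {}
    report = {"completed": [], "base_mismatch": [], "failure_to_start": [],
              "orphan_stop": [], "open": []}
    for rec in records:
        sid, status = rec.get("Acct-Session-Id", ""), rec.get("Acct-Status-Type")
        if status == "Start":
            open_starts[sid] = rec
        elif status == "Stop":
            other = None if sid in open_starts else _other_base_match(sid, open_starts)
            if sid in open_starts:
                del open_starts[sid]
                report["completed"].append(sid)
            elif other is not None:
                # A digits-only ID is ambiguous between bases: review these pairs.
                del open_starts[other]
                report["base_mismatch"].append((other, sid))
            elif "User-Name" not in rec:
                report["failure_to_start"].append(sid)  # Stop sent without a Start
            else:
                report["orphan_stop"].append(sid)       # Start record never logged
    report["open"] = sorted(open_starts)                # Start with no Stop so far
    return report


if __name__ == "__main__":
    for kind, items in correlate(parse_detail(SAMPLE_DETAIL)).items():
        print(kind, items)
```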

Non-accounting attributes in Start and Stop records

An Accounting Start record or Stop record can contain attributes that are not accounting specific. Table 12-2 lists them. Of the attributes listed in Table 12-2, only the NAS-Identifier attribute can appear in a Failure-to-start record as well.

Table 12-2. Non-accounting attributes in Start and Stop records

Attribute

Description

Ascend-Dial-Number (227)

Indicates the phone number of the device that originated the connection.

Ascend-Home-Agent-UDP-Port (186) (Stop records only)

Indicates the UDP port number to use when the foreign agent sends ATMP packets to the home agent.

Ascend-Home-Network-Name (185) (Stop records, Gateway mode only)

Indicates the name of the Connection profile through which the home agent sends all packets it receives from the mobile client during ATMP operation.

Caller-Id (31)

Indicates the calling-party number, which is the phone number of the user that has connected to the unit.

Class (25)

Enables access providers to classify their user sessions. The default value for the Class attribute is null.

Client-Port-DNIS (30)

Indicates the called-party number, which is the phone number the user dials to connect to the MAX TNT.

Framed-Address (8)

Indicates the IP address of the user starting the session. The default value is 0.0.0.0.

Framed-Protocol (7)

Indicates the kind of protocol the connection uses. By default, the MAX TNT does not restrict the type of protocol a user can access.

NAS-Identifier (4)

Indicates the IP address of the MAX TNT. This attribute does not appear in an Accounting-Stop packet for a Failure-start-session event.

NAS-Port (5)

Indicates the port on which the MAX TNT received the call. NAS-Port does not appear in an Accounting-Stop packet for a Failure-start-session event.

NAS-Port-Type (61)

Specifies the type of service in use for the established session:

NAS_Port_Type_Async (0) indicates a call the MAX TNT routes to a digital modem.

NAS_Port_Type_Sync (1) indicates a synchronous ISDN connection.

User-Name (1)

Indicates the name of the user starting the session.

Accounting attributes in Start records

Table 12-3 lists the accounting-specific attributes that can appear in a Start record.

Table 12-3. Accounting-specific attributes in Start records

Attribute

Description

Acct-Authentic (45)

Indicates the method the MAX TNT used to authenticate an incoming call:

RADIUS (1) indicates that RADIUS authenticated the incoming call.

Local (2) indicates that the MAX TNT used a local Connection profile, TACACS profile, or TACACS+ profile, or that the MAX TNT accepted the call without authentication.

Acct-Delay-Time (41)

Indicates the number of seconds the MAX TNT has been trying to send the Accounting packet. In an Accounting Start packet, this value is 0 (zero).

Acct-Session-Id (44)

Consists of a unique numeric string identified with the routing or terminal-server session reported in the Accounting packet. The string is a random number. RADIUS correlates the Accounting Start packet and Accounting Stop packet with Acct-Session-Id. Its value can range from 1 to 2,137,383,647.

Acct-Status-Type (40)

Requests that have Acct-Status-Type=Start are Accounting Start packets. The information in these packets appears in Start records. Requests that have Acct-Status-Type=Stop are Accounting Stop packets. The information in these packets appears in Stop or Failure-to-start records.

Ascend-Session-Svr-Key (151)

Identifies the user session in which a client sends a disconnect or filter-change request to the RADIUS server.

Ascend-User-Acct-Base (142)

Indicates whether the numeric base of the RADIUS Acct-Session-ID attribute is 10 or 16.

Ascend-User-Acct-Host (139)

Indicates the IP address of the RADIUS server to use for the link.

Ascend-User-Acct-Key (141)

Indicates the RADIUS client password as it appears in the clients file.

Ascend-User-Acct-Port (140)

Indicates a destination UDP port number for the connection.

Ascend-User-Acct-Time (143)

Indicates the number of seconds the MAX TNT waits for a response to a RADIUS accounting request.

Ascend-User-Acct-Type (138)

Indicates the RADIUS accounting server(s) to use for the connection.

Accounting attributes in Stop records

Table 12-4 lists the accounting attributes that can appear in a Stop record.

Table 12-4. Accounting-specific attributes in Stop records

Attribute

Description

Conditions for inclusion

Acct-Authentic (45)

Indicates the method the MAX TNT used to authenticate an incoming call:

RADIUS (1) indicates that RADIUS authenticated the incoming call.

Local (2) indicates that the MAX TNT used a local Connection profile, TACACS profile, or TACACS+ profile, or that the MAX TNT accepted the call without authentication.

Session must be authenticated.

Acct-Delay-Time (41)

Indicates the number of seconds between the time an event occurred and the time the MAX TNT sent the packet. If RADIUS does not acknowledge the packet, the MAX TNT resends it. The value of Acct-Delay-Time changes to reflect the proper event time.

None.

Acct-Input-Octets (42)

Indicates the number of octets the MAX TNT received during the session. The value reflects only the data delivered by PPP or other encapsulation. It does not include the header or other protocol-dependent components of the packet.

Session must be authenticated.

An asynchronous connection must be in use. That is, the data must be unframed.

Acct-Input-Packets (47)

Indicates the number of packets the MAX TNT received during the session. The packets are counted before the encapsulation is removed. The attribute's value does not include maintenance packets, such as keepalive or management packets.

Session must be authenticated.

A framed protocol must be in use.

Acct-Output-Octets (43)

Indicates the number of octets the MAX TNT sent during the session. The value reflects only the data delivered by PPP or other encapsulation. It does not include the header or other protocol-dependent components of the packet.

Session must be authenticated.

An asynchronous connection must be in use. That is, the data must be unframed.

Acct-Output-Packets (48)

Indicates the number of packets the MAX TNT sent during the session. The packets are counted before the encapsulation is removed. The attribute's value does not include maintenance packets, such as keepalive or management packets.

Session must be authenticated.

A framed protocol must be in use.

Acct-Session-Id (44)

Consists of a unique numeric string identified with the routing or terminal-server session reported in the Accounting packet. The string is a random number of up to seven digits. RADIUS correlates the Accounting Start packet and Accounting Stop packet with Acct-Session-Id. Its value can range from 1 to 2,137,383,647.

None.

Acct-Session-Time (46)

Indicates the number of seconds the session has been logged in.

Session must be authenticated.

Acct-Status-Type (40)

Requests that have Acct-Status-Type set to Start are Accounting Start packets. The information in these packets appears in Start records.

Requests that have Acct-Status-Type set to Stop are Accounting Stop packets. The information in these packets appears in Stop or Failure-to-start records.

None.

Ascend-Connect-Progress (196)

Indicates the state of the connection before it disconnects.

None.

Ascend-Data-Rate (197)

Indicates the rate of data received on the connection in bits per second.

None.

Ascend-Disconnect-Cause (195)

Indicates the reason a connection was taken offline.

None.

Ascend-Event-Type (150)

Indicates a cold-start notification, informing the accounting server that the MAX TNT has started up.

For a cold-start notification, the MAX TNT sends values for NAS-Identifier and Ascend-Event-Type in an Ascend-Access-Event-Request packet (code 33). The RADIUS accounting server must send back an Ascend-Access-Event-Response packet (code 34), with the correct identifier, to the MAX TNT.

Ascend-First-Dest (189)

Records the destination IP address of the first packet the MAX TNT received on a connection after authentication.

Session must be authenticated.

Ascend-Home-Agent-IP-Addr (183)

Indicates the IP address of the home agent associated with the mobile client.

Session has ended.

Accounting-Request packet includes Acct-Status-Type=Stop.

Session was authenticated and encapsulated by means of Ascend Tunnel Management Protocol (ATMP).

Ascend-Multilink-ID (187)

Reports the ID number of the Multilink bundle when the session closes.

Session must be authenticated.

Ascend-Num-In-Multilink (188)

Records the number of sessions remaining in a Multilink bundle when the session closes.

Session must be authenticated.

Ascend-Number-Sessions (202)

Indicates the number of active user sessions of a given class (as specified by the Class attribute). In the case of multichannel calls, such as MP+ calls, each separate connection counts as a session.

The MAX TNT sends the Ascend-Number-Sessions attribute in Ascend-Access-Event-Request packets. Only RADIUS daemons you customize to recognize packet code 33 respond to these request packets.

Ascend-Pre-Input-Octets (190)

Reports the number of octets the MAX TNT received before authentication. The value reflects only the data delivered by PPP or other encapsulation. It does not include the header or other protocol-dependent components of the packet.

Session must be authenticated.

An asynchronous connection must be in use. That is, the data must be unframed.

Ascend-Pre-Input-Packets (192)

Reports the number of packets the MAX TNT received before authentication. The packets are counted before the encapsulation is removed. The attribute's value does not include maintenance packets, such as keepalive or management packets.

Session must be authenticated.

Ascend-Pre-Output-Octets (191)

Reports the number of octets the MAX TNT sent before authentication. The value reflects only the data delivered by PPP or other encapsulation. It does not include the header or other protocol-dependent components of the packet.

Session must be authenticated.

An asynchronous connection must be in use. That is, the data must be unframed.

Ascend-Pre-Output-Packets (193)

Reports the number of packets the MAX TNT sent before authentication. The packets are counted before the encapsulation is removed. The attribute's value does not include maintenance packets, such as keepalive or management packets.

Session must be authenticated.

Ascend-PreSession-Time (198)

Indicates the length of time, in seconds, from when a call connected to when it completed authentication.

None.

Ascend-User-Acct-Base (142)

Indicates whether the numeric base of the RADIUS Acct-Session-ID attribute is 10 or 16.

None.

Ascend-User-Acct-Host (139)

Indicates the IP address of the RADIUS server to use for the connection.

None.

Ascend-User-Acct-Key (141)

Indicates the RADIUS client password as it appears in the clients file.

None.

Ascend-User-Acct-Port (140)

Indicates a destination UDP port number for the connection.

None.

Ascend-User-Acct-Time (143)

Indicates the number of seconds the MAX TNT waits for a response to a RADIUS accounting request.

None.

Ascend-User-Acct-Type (138)

Indicates the RADIUS accounting server(s) to use for the connection.

None.

Ascend-Xmit-Rate (255)

Indicates the rate of data transmitted on the connection in bits per second. For ISDN calls, Ascend-Xmit-Rate indicates the transmit data rate. For analog calls, it indicates the modem baud rate at the time of the initial connection.

None.

Accounting attributes in Failure-to-start records

Failure-to-start records can contain only a subset of the information found in Stop records. The following attributes can appear:

Acct-Delay-Time (41)

Acct-Session-Id (44)

Acct-Status-Type (40)

Ascend-Connect-Progress (196)

Ascend-Data-Rate (197)

Ascend-Disconnect-Cause (195)

Ascend-PreSession-Time (198)

For a brief description of each of these attributes, see Table 12-4.

Proxy RADIUS accounting

The master shelf controller keeps track of all accounting Start records sent by host cards. If the shelf controller determines that a host card has gone down for any reason, it acts as proxy for the card and sends the accounting server a fail-safe Stop record for each of the card's open sessions. The host card may be brought down administratively, may be removed from the system, or may go down due to an error condition.

How proxy RADIUS accounting works

When RADIUS accounting is in use, accounting normally proceeds as shown in Figure 12-3.

Figure 12-3. Normal RADIUS accounting (no proxy necessary)

When a call comes in, the host card first sends a Start record to the shelf controller, which stores it as an Accounting Fail-Safe (AFS) record. The host card then sends one or more Start records to the RADIUS accounting server, repeating until it receives an ACK from the server. Similarly, when the call clears, the host card sends a Stop record to the shelf controller, which causes it to delete the AFS record for that session. The host card then sends the accounting server Stop records until it receives an ACK from the server.

When RADIUS accounting is in use and the host card goes down for any reason, proxy accounting occurs as shown in Figure 12-4.

Figure 12-4. Proxy accounting (host card goes down)

In this case, when the shelf controller notes that the host card is down, it uses its own information about the host card and the stored AFS record to send a Stop record directly to the RADIUS accounting server, repeating until it receives a Stop ACK from the server. The shelf controller then deletes the AFS record for that session.

Note that if the accounting server is accessible only by means of the host card that goes down, Stop records cannot be delivered successfully.

Contents of the Stop record sent by proxy

The AFS Stop record does not contain all the information that appears in a record sent by a host card. In particular, it does not contain the input/output octet count fields or any other dynamic information related to the session. In Table 12-5, Yes indicates that the attribute is included in the Stop record, if applicable. No indicates that the attribute either is not included in the record or is set to null, as appropriate.

Table 12-5. Accounting attributes included in proxy Stop records

Attribute in regular Stop record    In proxy Stop record
Acct-Authentic                      Yes
Acct-Delay-Time                     Yes
Acct-Input-Octets                   No
Acct-Input-Packets                  No
Acct-Output-Octets                  No
Acct-Output-Packets                 No
Acct-Session-Id                     Yes
Acct-Status-Type                    Yes
Acct-Session-Time                   Yes. (The session time is accurate to within a few seconds.)
Ascend-Connect-Progress             Yes
Ascend-Data-Rate                    Yes
Ascend-Disconnect-Cause             Yes. (The Disconnect reason is always 210, slot card down.)
Ascend-First-Dest                   No
Ascend-Home-Agent-IP-Addr           Yes
Ascend-Home-Agent-UDP-Port          Yes
Ascend-Multilink-ID                 Yes
Ascend-Num-In-Multilink             Yes
Ascend-Pre-Input-Octets             No
Ascend-Pre-Input-Packets            No
Ascend-Pre-Output-Octets            No
Ascend-Pre-Output-Packets           No
Ascend-PreSession-Time              Yes
Caller-Id                           No
Class                               No
Framed-Address                      Yes
Framed-Protocol                     Yes
Login-Host                          Yes
Login-Service                       Yes
Login-TCP-Port                      Yes
NAS-Identifier                      Yes
NAS-Port                            Yes
NAS-Port-Type                       Yes
Tunneling-Protocol                  Yes
User-Name                           Yes
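The fail-safe bookkeeping and the Table 12-5 filtering can be modeled in a few lines. This is an added example, not Ascend code: the names ShelfController, on_start, on_stop, card_down, send, and max_tries are hypothetical, and the finite retry count is an assumption that stands in for "repeating until it receives a Stop ACK".

```python
# Attributes marked "No" in Table 12-5: not carried over into a proxy Stop record.
NOT_IN_PROXY_STOP = {
    "Acct-Input-Octets", "Acct-Input-Packets", "Acct-Output-Octets",
    "Acct-Output-Packets", "Ascend-First-Dest", "Ascend-Pre-Input-Octets",
    "Ascend-Pre-Input-Packets", "Ascend-Pre-Output-Octets",
    "Ascend-Pre-Output-Packets", "Caller-Id", "Class",
}

class ShelfController:
    """Toy model of the Accounting Fail-Safe (AFS) bookkeeping described above."""

    def __init__(self):
        self.afs = {}  # (card, Acct-Session-Id) -> (Start attributes, start time)

    def on_start(self, card, attrs, now):
        # The host card reports a Start: store it as an AFS record.
        self.afs[(card, attrs["Acct-Session-Id"])] = (dict(attrs), now)

    def on_stop(self, card, session_id):
        # Normal case: the host card reports the Stop, so the AFS record goes away.
        self.afs.pop((card, session_id), None)

    def card_down(self, card, now, send, max_tries=3):
        """Send a proxy Stop per open session; keep the AFS record until ACKed."""
        delivered = []
        for key in [k for k in self.afs if k[0] == card]:
            attrs, started = self.afs[key]
            stop = {k: v for k, v in attrs.items() if k not in NOT_IN_PROXY_STOP}
            stop.update({"Acct-Status-Type": "Stop",
                         "Acct-Session-Time": now - started,
                         "Ascend-Disconnect-Cause": 210})  # slot card down
            # send() returns True on ACK; max_tries is an assumption of this model.
            if any(send(stop) for _ in range(max_tries)):
                del self.afs[key]
                delivered.append(stop)
        return delivered
```

When send never returns an ACK, as when the accounting server is reachable only through the card that went down, the AFS record stays in place and no Stop reaches the server.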

Sample accounting records

This section provides sample Start and Stop records for the following configurations:

A Pipeline 25 dialing into a MAX TNT
A modem calling into a MAX TNT

The section also illustrates a Stop record sent by proxy.

A Pipeline 25 dialing into a MAX TNT

When a Pipeline 25 dials into a MAX TNT, the Start record might look like the following:

Tue Feb 18 12:00:41 1997 /* Session startup time */
User-Name="ht-net" /* The name of the Pipeline 25 */
NAS-Identifier=206.65.212.46 /* The IP address of the MAX TNT */
NAS-Port=1057 /* Call on channel 2, line 2, slot 2, shelf 1 */
Acct-Status-Type=Start /* Start record. */
Acct-Delay-Time=0 /* Always zero for a Start record */
Acct-Session-Id="1234567" /* Session identification number */
Acct-Authentic=RADIUS /* RADIUS authentication in use */
Client-Port-DNIS="3142" /* Called-party number */
Framed-Protocol=PPP /* PPP call */
Framed-Address=11.0.0.1 /* IP address of the Pipeline 25 */

The Stop record might look like the following:

Tue Feb 18 12:02:48 1997 /* Session hangup time */
User-Name="ht-net" /* The name of the Pipeline 25 */
NAS-Identifier=206.65.212.46 /* The IP address of the MAX TNT */
NAS-Port=1057 /* Call on channel 2, line 2, slot 2, shelf 1 */
Acct-Status-Type=Stop /* Stop record */
Acct-Delay-Time=18 /* MAX TNT tried to send packet for 18 seconds */
Acct-Session-Id="1234567" /* Session identification number */
Acct-Authentic=RADIUS /* RADIUS authentication used */
Acct-Session-Time=128 /* Number of seconds in session */
Acct-Input-Octets=2421 /* Bytes received from the Pipeline */
Acct-Output-Octets=1517 /* Bytes sent to the Pipeline */
Acct-Input-Packets=79 /* Packets received from the Pipeline */
Acct-Output-Packets=47 /* Packets sent to the Pipeline */
Ascend-Disconnect-Cause=100 /* Session timeout */
Ascend-Connect-Progress=60 /* LAN session up */
Ascend-Data-Rate=31200 /* Receive data rate in bits per second */
Ascend-Xmit-Rate=48000 /* Transmit data rate in bits per second */
Ascend-PreSession-Time=0 /* Secs from connection to authentication */
Ascend-Pre-Input-Octets=174 /* Input octets pre-authentication */
Ascend-Pre-Output-Octets=204 /* Output octets pre-authentication */
Ascend-Pre-Input-Packets=7 /* Input packets pre-authentication */
Ascend-Pre-Output-Packets=8 /* Output packets pre-authentication */
Ascend-First-Dest=10.81.44.111 /* Dest IP address of 1st packet */
Ascend-Multilink-ID=64 /* ID number of Multilink bundle */
Ascend-Num-In-Multilink=0 /* # of sessions in Multilink bundle */
Client-Port-DNIS="3142" /* Called-party number */
Framed-Protocol=PPP /* PPP call */
Framed-Address=11.0.0.1 /* IP address of the Pipeline 25 */

A modem calling into a MAX TNT

If a modem dials into the MAX TNT to reach its terminal server, the call can only be an unframed call. It cannot be a PPP, MP, or MP+ call. Therefore, the attributes Framed-Protocol and Framed-Address do not appear in the sample records, and Login-Service=Unframed-User.

A Start record might look like the following:

Tue Feb 18 12:00:00 1997 /* Session startup time */
User-Name="Berkeley" /* The name of the modem caller */
NAS-Identifier=200.65.212.46 /* The IP address of the MAX TNT */
NAS-Port=1057 /* Call on channel 2, line 2, slot 2, shelf 1 */
Acct-Status-Type=Start /* Start record. */
Acct-Delay-Time=0 /* Always zero for a Start record */
Acct-Session-Id="3456789" /* Session identification number */
Acct-Authentic=RADIUS /* RADIUS authentication in use */
Client-Port-DNIS="3143" /* Called-party number */
Login-Service=Unframed-User /* Modem call */

The Stop record might look like the following:

Tue Feb 18 12:03:00 1997 /* Session hangup time */
User-Name="Berkeley" /* The name of the modem caller */
NAS-Identifier=200.65.212.46 /* The IP address of the MAX TNT */
NAS-Port=1057 /* Call on channel 2, line 2, slot 2, shelf 1 */
Acct-Status-Type=Stop /* Stop record */
Acct-Delay-Time=18 /* MAX TNT tried to send packet for 18 seconds */
Acct-Session-Id="3456789" /* Session identification number */
Acct-Authentic=RADIUS /* RADIUS authentication used */
Acct-Session-Time=128 /* Number of seconds in session */
Acct-Input-Octets=2421 /* Bytes received from the Pipeline */
Acct-Output-Octets=1517 /* Bytes sent to the Pipeline */
Acct-Input-Packets=79 /* Packets received from the Pipeline */
Acct-Output-Packets=47 /* Packets sent to the Pipeline */
Ascend-Disconnect-Cause=100 /* Session timeout */
Ascend-Connect-Progress=60 /* LAN session up */
Ascend-Data-Rate=31200 /* Receive data rate in bits per second */
Ascend-Xmit-Rate=48000 /* Transmit data rate in bits per second */
Ascend-PreSession-Time=0 /* Secs from connection to authentication */
Ascend-Pre-Input-Octets=174 /* Input octets pre-authentication */
Ascend-Pre-Output-Octets=204 /* Output octets pre-authentication */
Ascend-Pre-Input-Packets=7 /* Input packets pre-authentication */
Ascend-Pre-Output-Packets=8 /* Output packets pre-authentication */
Ascend-First-Dest=10.81.44.111 /* Dest IP address of 1st packet */
Ascend-Multilink-ID=64 /* ID number of Multilink bundle */
Ascend-Num-In-Multilink=0 /* # of sessions in Multilink bundle */
Client-Port-DNIS="3143" /* Called-party number */
Login-Service=Unframed-User /* Modem call */

A Stop record sent by proxy

The following is an example of a Stop record sent by the shelf controller acting as accounting proxy for an HDLC call:

Wed Nov 5 14:50:21 1997
User-Name="joel-mhp"
NAS-Identifier=200.65.212.199
NAS-Port=2272
NAS-Port-Type=Sync
Acct-Status-Type=Stop
Acct-Delay-Time=0
Acct-Session-Id="246212864"
Acct-Authentic=RADIUS
Acct-Session-Time=4
Acct-Input-Octets=0
Acct-Output-Octets=0
Acct-Input-Packets=0
Acct-Output-Packets=0
Ascend-Disconnect-Cause=210
Ascend-Connect-Progress=67
Ascend-Data-Rate=0
Ascend-PreSession-Time=0
Ascend-Pre-Input-Octets=174
Ascend-Pre-Output-Octets=204
Ascend-Pre-Input-Packets=7
Ascend-Pre-Output-Packets=8
Framed-Protocol=PPP
Framed-Address=200.168.6.66
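
Records in the layout shown in this section can be audited mechanically. The following added example (not part of the original Ascend documentation) parses such records, pairs Start and Stop records on NAS-Identifier plus Acct-Session-Id, and separates proxy Stops (Ascend-Disconnect-Cause=210), Stops with no Start, and sessions still open. The function names parse and audit and the sample values are constructed for illustration.

```python
import re

# Constructed sample in the record layout shown above (values are illustrative).
SAMPLE = """\
Wed Nov 5 14:50:17 1997 /* Session startup time */
NAS-Identifier=200.65.212.199
Acct-Status-Type=Start
Acct-Session-Id="246212864"

Wed Nov 5 14:50:21 1997
NAS-Identifier=200.65.212.199
Acct-Status-Type=Stop /* Stop sent by proxy */
Acct-Session-Id="246212864" /* unterminated comment *.
Ascend-Disconnect-Cause=210

Wed Nov 5 14:51:02 1997
NAS-Identifier=200.65.212.46
Acct-Status-Type=Start
Acct-Session-Id="3456789"

Wed Nov 5 14:52:30 1997
Acct-Status-Type=Stop /* no Start seen for this session */
Acct-Session-Id="7654321"
"""

def parse(text):
    """Split blank-line-separated records into dicts, dropping /* ... */ comments."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [re.sub(r"/\*.*", "", ln).strip() for ln in block.splitlines()]
        pairs = (ln.split("=", 1) for ln in lines[1:] if "=" in ln)
        fields = {k.strip(): v.strip().strip('"') for k, v in pairs}
        records.append({"time": lines[0], **fields})
    return records

def audit(records):
    """Pair Start and Stop on (NAS-Identifier, Acct-Session-Id) and classify."""
    started, report = {}, {"closed": [], "proxy_stop": [], "no_start": []}
    for rec in records:
        key = (rec.get("NAS-Identifier"), rec.get("Acct-Session-Id"))
        if rec.get("Acct-Status-Type") == "Start":
            started[key] = rec
        elif rec.get("Acct-Status-Type") == "Stop":
            had_start = started.pop(key, None) is not None
            proxy = rec.get("Ascend-Disconnect-Cause") == "210"  # slot card down
            kind = "proxy_stop" if proxy else "closed" if had_start else "no_start"
            report[kind].append(key)
    report["still_open"] = list(started)  # Start without a Stop in this file
    return report
```

Treat the octet and packet counters of any session listed under proxy_stop as unknown rather than zero, because Table 12-5 shows they are not carried in a proxy Stop record.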



techpubs@eng.ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.