RADIUS Accounting

Introduction

RADIUS accounting logs information about dial-in connections. This information is often used for billing purposes. RADIUS accounting consists of a client/server format; as transactions occur, they are recorded in a file named /usr/adm/radacct/portmastername/detail on the RADIUS accounting server.

How RADIUS Accounting Works

RADIUS accounting consists of an accounting server and accounting clients (PortMasters). The radiusd daemon for accounting is a child process of the radiusd authentication daemon; it starts automatically when radiusd is executed.

The RADIUS accounting server uses the UDP protocol, and listens for UDP packets at port 1646.

RADIUS accounting consists of the following steps:

  1. The PortMaster (accounting client) sends an accounting-request packet containing the record of an event to the accounting server.
  2. The accounting server sends an accounting-response packet back to the PortMaster to acknowledge receipt of the request.
  3. If the PortMaster does not receive a response, it continues to send accounting-requests until it receives a response.

    A backoff algorithm is used to determine the delay between accounting-requests if an accounting-response is not received.

  4. The PortMaster records the number of seconds that have passed between the event and the current attempt to send the record; this number is the Acct-Delay-Time value. As additional time passes before an accounting-response is received, the Acct-Delay-Time is updated.
  5. When the user is connected, a Start accounting record is recorded in a file called /usr/adm/radacct/portmastername/detail on the accounting server.

    The Start record typically contains the Session-Id, the User-Name, Service-Type, Login-Service, Login-IP-Host, Acct-Delay-Time, and other relevant information from a user's entry in the users file.

Note - When the user is disconnected, a Stop record is generated. This record contains the same information as the Start record; however, it also includes Acct-Session-Time, which records the length (in seconds) of the user's session.

Getting Started

Select a UNIX host to use as the RADIUS accounting server. This host may be the same host as the RADIUS server used for authentication or a separate host.

Choose a host with the following characteristics:

For typical installations, allocate 50 MB per 1000 users if the logs are rotated monthly. Keep in mind that it is much better to allocate too much space than too little; your usage may vary.

For example, if you have 1000 users, one port for every 10 users, an average connect time (per user) of one hour, and all ports are in use around the clock, one month of logs would require 50 MB of disk space:

700 bytes/session * 1000 users * 1 port/10 users * 1 session/hour * 24 hours/day * 30 days/month

Livingston recommends the use of a secondary RADIUS accounting server. The primary accounting server is always used first; if this server is unavailable, the secondary server is used.

Client Configuration

To configure RADIUS accounting information on a PortMaster, see "RADIUS Client Configuration."

Server Configuration

To install the RADIUS accounting server, log into the selected accounting server as root. Create a radacct directory within the /usr/adm directory.

mkdir /usr/adm/radacct
chmod 700 /usr/adm/radacct

RADIUS accounting automatically creates subdirectories within the /usr/adm/radacct directory for each PortMaster serving as a RADIUS accounting client and logs the accounting start and stop records to the detail file in the directory.

RADIUS Accounting Flags

The flags associated with the parent radiusd are described in "RADIUS Server Configuration."

The radiusd accounting daemon may also be used with these flags:

-a
Specifies an alternate directory for RADIUS accounting logs. The default directory is /usr/adm/radacct.
-v
Displays the RADIUS version number without starting the radiusd daemon. This flag also applies to the RADIUS authentication server; the RADIUS authentication and accounting servers have the same version number.

Accounting Attributes

In order for RADIUS accounting to function, a series of accounting attributes (listed below) are defined in the /etc/raddb/dictionary file on the RADIUS server.

Acct-Status-Type

Acct-Status-Type has two values: Start and Stop. A Start record is created when a user session begins. A Stop record is recorded when the session ends.

Acct-Delay-Time

The PortMaster records the number of seconds that have passed between the event and the current attempt to send the record; this number is the Acct-Delay-Time value.

The approximate time of an event can be determined by subtracting the Acct-Delay-Time from the time of the record's arrival on the RADIUS accounting server.

Acct-Session-Id

Acct-Session-Id is a unique number assigned to each Start and Stop record to make it easy to match the Start and Stop records in a detail file, and to eliminate duplicate records.

The Acct-Session-Id is a string consisting of 8 uppercase hexadecimal digits. The first two digits increment each time the PortMaster is rebooted. The next 6 digits begin at 0 (for the first user login after a reboot) and increment up to approximately 16 million logins. This is equal to one user logging into each port of a 30-port unit every minute for an entire year.

Acct-Authentic

Acct-Authentic records whether the user was authenticated via RADIUS or by the PortMaster User Table. Accounting records are not generated for passthrough users, as those users are authenticated by the destination host.

Acct-Session-Time

The Acct-Session-Time records the user's connection time in seconds. This information is only included in Stop records.

NAS-Port-Type

NAS-Port-Type records the type of port used in the connection. The port type may be any of the following: Async, Sync, ISDN, ISDN-V120, or ISDN-V110.

Acct-Input-Octets and Acct-Output-Octets

Records the number of bytes received (Acct-Input-Octets) and sent (Acct-Output-Octets) during a session. These values only appear in Stop records.

Called-Station-Id and Calling-Station-Id

Called-Station-Id and Calling-Station-Id record the called and calling numbers. This information is recorded when the NAS-Port-Type is ISDN, ISDN-V120, or ISDN-V110 where supported by the local Telco.

Timestamp

Timestamp records the time of arrival on the RADIUS Accounting host measured in seconds since the epoch (00:00 January 1, 1970).

This attribute provides a machine-friendly version of the logging time at the beginning of the accounting record. To find the actual time of the event, subtract Acct-Delay-Time from Timestamp.

Request-Authenticator

The Request-Authenticator attribute only appears in an accounting record when the RADIUS 2.0 server notices a problem with the accounting request's digital signature.

A Request-Authenticator of None means that the accounting request was not digitally signed, and was probably sent by a PortMaster running a version of ComOS that did not sign accounting packets. If the Request-Authenticator value is Unverified, the accounting request signature did not match the expected value. Ensure that the shared secret on the PortMaster matches the shared secret in the /etc/raddb/clients file.

Acct-Terminate-Cause

The Acct-Terminate-Cause, shown below, indicates the cause of a session's termination. This information only appears in Stop records.

Admin-Reset
Port was reset by an administrator.
Host-Request
Session was disconnected or logged out by the Login-IP-Host. This can indicate normal termination of a login session or that the remote host has crashed or become unreachable.
Idle-Timeout
Idle timer expired for user or port.
Lost-Carrier
Session terminated when the modem dropped DCD. This can indicate any of the following: the user or the user's modem hung up the phone at the far end (in which case there is no problem), the line was dropped, the line took a noise hit too severe for the modem to recover from, or the local modem dropped DCD for some other reason.
Port-Error
PortMaster had to reset the port. This most commonly occurs when a device attached to the port caused too many interrupts.
Session-Timeout
Session timer expired for user.
User-Error
PortMaster received a PPP Configuration Request or ACK when a session was already established, so it terminated the session. This is caused by a PPP implementation error in the dial-in client.
User-Request
Dial-in PPP client requested that we terminate the connection. This message is expected from a proper PPP client termination.

Examples

The following example displays two accounting records in a PortMaster's detail file.

Tue Jul 30 14:48:18 1996
	Acct-Session-Id = "35000004"
	User-Name = "bob"
	NAS-IP-Address = 172.16.64.91
	NAS-Port = 1
	NAS-Port-Type = Async
	Acct-Status-Type = Start
	Acct-Authentic = RADIUS
	Service-Type = Login-User
	Login-Service = Telnet
	Login-IP-Host = 172.16.64.25
	Acct-Delay-Time = 0
	Timestamp = 838763298

Tue Jul 30 14:48:39 1996
	Acct-Session-Id = "35000004"
	User-Name = "bob"
	NAS-IP-Address = 172.16.64.91
	NAS-Port = 1
	NAS-Port-Type = Async
	Acct-Status-Type = Stop
	Acct-Session-Time = 21
	Acct-Authentic = RADIUS
	Acct-Input-Octets = 22
	Acct-Output-Octets = 187
	Acct-Terminate-Cause = Host-Request
	Service-Type = Login-User
	Login-Service = Telnet
	Login-IP-Host = 172.16.64.25
	Acct-Delay-Time = 0
	Timestamp = 838763319

The Acct-Status-Type attribute in the record indicates whether the record was sent when the connection began (Start) or when it ended (Stop). In the Start record above, the Acct-Session-Id is listed at the beginning of the record. Note that this value matches the Acct-Session-Id of the Stop record, indicating that these records correspond to the same session.

User-Name specifies the username, in this case, bob. NAS-IP-Address specifies the IP address of the PortMaster. NAS-Port-Type specifies that this is an asynchronous connection. Acct-Authentic specifies that bob is authenticated via RADIUS.

Service-Type and Login-Service specify that bob is a login user using Telnet. Login-IP-Host specifies the host that user bob logged into.

In the Stop accounting record, Acct-Session-Time specifies that bob's connection lasted 21 seconds. Acct-Input-Octets indicates that 22 bytes of incoming traffic were received; Acct-Output-Octets indicates that 187 bytes of outgoing traffic were sent.

The Acct-Terminate-Cause indicates that a Host-Request terminated the session, meaning that bob logged out of the host or that the host logged him out.

The Acct-Delay-Time is 0 seconds, indicating that the RADIUS accounting server received the accounting-request on the first try.

For more information on accounting attributes, see "Accounting Attributes" and the Check and Reply Item Table.

The following example displays Start and Stop accounting records for an ISDN PPP connection.

Wed May  8 10:51:12 1996
	Acct-Session-Id = "2400020E"
	User-Name = "Pbob"
	NAS-IP-Address = 172.16.1.21
	NAS-Port = 12
	NAS-Port-Type = ISDN
	Acct-Status-Type = Start
	Acct-Authentic = RADIUS
	Called-Station-Id = "5551111"
	Calling-Station-Id = "5105552222"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-Address = 172.16.93.1
	Acct-Delay-Time = 0
	Timestamp = 838763356

Wed May  8 12:50:49 1996
	Acct-Session-Id = "2400020E"
	User-Name = "Pbob"
	NAS-IP-Address = 172.16.1.21
	NAS-Port = 12
	NAS-Port-Type = ISDN
	Acct-Status-Type = Stop
	Acct-Session-Time = 7177
	Acct-Authentic = RADIUS
	Acct-Input-Octets = 14994
	Acct-Output-Octets = 90862
	Called-Station-Id = "5551111"
	Calling-Station-Id = "5105552222"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-Address = 172.16.93.1
	Acct-Delay-Time = 0
	Timestamp = 838763378

In the Start record of the example above, the NAS-Port-Type specifies that the user Pbob is using ISDN for his connection. Called-Station-Id and Calling-Station-Id specify the destination and source of the ISDN call, respectively. Service-Type and Framed-Protocol indicate that user Pbob is a framed user using PPP to establish the connection.

The Stop record in this example indicates that the login time for user Pbob was 7177 seconds, or 1 hour, 59 minutes, and 37 seconds. The Acct-Input-Octets and Acct-Output-Octets indicate that the incoming traffic for this session was 14994 bytes, and outgoing traffic was 90862 bytes.
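As an added example (not part of the Livingston documentation or its Perl scripts), the following Python parses a detail file in the layout shown above, pairs Start and Stop records by NAS-IP-Address and Acct-Session-Id, recovers the event time as Timestamp minus Acct-Delay-Time, and flags retransmitted duplicates and records whose Request-Authenticator the server could not verify. The sample records, and the small _record helper that builds them, are constructed for this example and are not taken from a real PortMaster.

```python
import re
from collections import defaultdict

ATTR_RE = re.compile(r'^\t([\w-]+) = "?([^"]*)"?$')  # one tab-indented attribute line

def _record(date, sid, nas, status, delay, ts, extra=()):
    """Build one record in the detail-file layout shown above (constructed sample)."""
    attrs = [f'Acct-Session-Id = "{sid}"', f"NAS-IP-Address = {nas}", f"Acct-Status-Type = {status}",
             *extra, f"Acct-Delay-Time = {delay}", f"Timestamp = {ts}"]
    return date + "\n" + "".join(f"\t{a}\n" for a in attrs)

# Constructed sample, not the page's records: a Start/Stop pair, that Stop retransmitted after a
# lost acknowledgement (Acct-Delay-Time = 5), and a Stop from a second PortMaster whose signature failed.
SAMPLE_DETAIL = "\n".join([
    _record("Tue Jul 30 14:48:18 1996", "35000004", "172.16.64.91", "Start", 0, 838763298),
    _record("Tue Jul 30 14:48:39 1996", "35000004", "172.16.64.91", "Stop", 0, 838763319,
            ["Acct-Session-Time = 21"]),
    _record("Tue Jul 30 14:48:44 1996", "35000004", "172.16.64.91", "Stop", 5, 838763324,
            ["Acct-Session-Time = 21"]),
    _record("Tue Jul 30 14:50:00 1996", "0100000A", "172.16.64.92", "Stop", 0, 838763400,
            ["Acct-Session-Time = 60", "Request-Authenticator = Unverified"]),
])

def parse_detail(text):
    """Split a detail file into records: a date line, then 'Attr = value' lines, blank line between."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = chunk.split("\n")
        rec = {"date": lines[0]}
        for line in lines[1:]:
            if m := ATTR_RE.match(line):
                rec[m.group(1)] = m.group(2)
        records.append(rec)
    return records

def analyze(text):
    """Pair Start/Stop by (NAS-IP-Address, Acct-Session-Id), recover the real event time as
    Timestamp - Acct-Delay-Time, and flag duplicates and unverified/unsigned requests."""
    sessions, duplicates, unverified = defaultdict(dict), [], []
    for rec in parse_detail(text):
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        rec["event_time"] = int(rec["Timestamp"]) - int(rec["Acct-Delay-Time"])
        if rec.get("Request-Authenticator") in ("None", "Unverified"):
            unverified.append(key)  # check the shared secret for this PortMaster in /etc/raddb/clients
        status = rec["Acct-Status-Type"]
        if status in sessions[key]:
            duplicates.append(key)  # retransmission of a record already logged; keep the first copy
            continue
        sessions[key][status] = rec
    return dict(sessions), duplicates, unverified
```

A Stop with no matching Start in the same detail file (as for the second PortMaster here) usually means the Start was logged before the current log rotation or was never acknowledged.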

Note - Examples of PERL scripts to process the RADIUS accounting logs are available at Livingston's FTP site at ftp://ftp.livingston.com/pub/le/radius/.


© Copyright 1996, Livingston Enterprises, Inc. Revised Wednesday January 28, 1998 18:12 EST