Re: [radext] Feedback solicited: Acct-Session-Id, Acct-Multi-Session-Id, Accounting-On/Off and Subsystem-On/Off
Nick Lowe <nick.lowe@lugatech.com> Wed, 07 October 2015 09:19 UTC
Return-Path: <nick.lowe@lugatech.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A7CF1B2C8F for <radext@ietfa.amsl.com>; Wed, 7 Oct 2015 02:19:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XgsFtLp5NE50 for <radext@ietfa.amsl.com>; Wed, 7 Oct 2015 02:18:53 -0700 (PDT)
Received: from mail-wi0-f169.google.com (mail-wi0-f169.google.com [209.85.212.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E14441A906E for <radext@ietf.org>; Wed, 7 Oct 2015 02:18:52 -0700 (PDT)
Received: by wicge5 with SMTP id ge5so203439593wic.0 for <radext@ietf.org>; Wed, 07 Oct 2015 02:18:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=/pywqilEkxN6gqLyauHqqmV4DLdGMUzv6lWOv8Tfutk=; b=XZlQGkXn2WMk6v3vj8/8hoUmrTzMrqUHm9DMkuhvkqs+yG7m6Dy6WdqFnKgV/DtA0w sRRjsWRnhJZDqtssRwHCQ86a2CazuKnGN/1mJ49xlCJJwmko7nbHqsOKB1oA+Odxr3EL 2L7dFkRqjWhVM9AX4vuopftd9HyialEB6fsZkjglAd29pS75RE8py0gOG87chH2+Oh7i 7wpc1qohgvFMrqgJkoqPX+RBZMY9O7VvJ7QFsbBE3sSoGogFMZZuttLypUxSCc61WJzU 3rtuBCqNmVgBMmnEe48KKWv/lRR+ntrK+0M6okcQCZYv5pzAspk5ZjmHTnKlluK7R9Z8 1AUg==
X-Gm-Message-State: ALoCoQmyJEfDLSBZ3h9PlZW5mBfRvHWJKLcVVa5y6ByYLiq2j8iYzxeWPsUenagUmMEr3mXRjymO
MIME-Version: 1.0
X-Received: by 10.194.76.7 with SMTP id g7mr40698348wjw.44.1444209531044; Wed, 07 Oct 2015 02:18:51 -0700 (PDT)
Received: by 10.28.49.11 with HTTP; Wed, 7 Oct 2015 02:18:50 -0700 (PDT)
X-Originating-IP: [94.116.196.121]
In-Reply-To: <CAGnO3dqEyjx9tFt_xW=Tp06a4aqS8Zm+KGWfqhFR8LtOb8xciw@mail.gmail.com>
References: <CAGnO3dpgytEmyf0Dk_0w9TbBM-6uav7z63LJ6WzpFoyw_jhKrw@mail.gmail.com> <5654BCDA-9F97-44A4-97F1-EF0FBA3C715B@deployingradius.com> <CAGnO3dogfPGcZNsrwqTp3nNvpAPtjx=5tvKvNH6xtvDfJb+kPQ@mail.gmail.com> <BLU181-W342B673453E05BC255710C93370@phx.gbl> <CAGnO3doM6m8WtU=KGJh+4hhPDu3f=t+6GE+bkVfLmgH0AanhvA@mail.gmail.com> <CAGnO3dqEyjx9tFt_xW=Tp06a4aqS8Zm+KGWfqhFR8LtOb8xciw@mail.gmail.com>
Date: Wed, 07 Oct 2015 10:18:50 +0100
Message-ID: <CAGnO3dqiyeUEi=1Gu3Y7pXiq0zy4-cLrvNDVWWAT2BOh7KfjJQ@mail.gmail.com>
From: Nick Lowe <nick.lowe@lugatech.com>
To: radext@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/radext/zorpjxhGdnRM8LCO8-OkUaqCmc4>
Subject: Re: [radext] Feedback solicited: Acct-Session-Id, Acct-Multi-Session-Id, Accounting-On/Off and Subsystem-On/Off
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Oct 2015 09:19:00 -0000
Corrections made. Reference to RFC 2866 ===================== Acct-Status-Type Description This attribute indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). It MAY be used by the client to mark the start of accounting for the NAS (for example, upon booting) by specifying Accounting-On and to mark the end of accounting for the NAS (for example, just before a scheduled reboot) by specifying Accounting-Off. Where Accounting-On or Accounting-Off is specified, a Called-Station-Id attribute SHOULD NOT be present. In the case that one is present, the value MUST apply to the whole NAS. It MAY be used by the client to mark the start of accounting for a subsystem of the NAS (for example, when an IEEE 802.11 BSS becomes available) by specifying Subsystem-On and to mark the end of accounting for a subsystem of the NAS (for example, when an IEEE 802.11 BSS is no longer available) by specifying Subsystem-Off. Where Subsystem-On or Subsystem-Off is specified, a Called-Station-Id attribute MUST be present. The subsystem is indicated by the value of the Called-Station-Id attribute. It MUST uniquely identify the subsystem to the NAS. It is strongly recommended that the value of the Called-Station-Id attribute that is used for a session SHOULD match the value of the Called-Station-Id that identifies the subsystem. The value of any Called-Station-Id attributes that are used in accounting types that are session specific SHOULD match the value used when Subsystem-On and Subsystem-Off are specified where they come under the scope of that subsystem. For IEEE 802.11, this attribute SHOULD be used to store the BSSID (upper case only) in ASCII format, with octet values separated by a "-". Example: "00-10-A4-23-19-C0". Where the SSID is known, it SHOULD be appended to the BSSID in UTF-8 format, separated from the BSSID with a ":". Example "00-10-A4-23-19-C0:AP1". The SSID MUST be UTF-8 encoded as the SSID may be UTF-8 encoded. A summary of the Acct-Status-Type attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 40 for Acct-Status-Type. Length 6 Value The Value field is four octets. 1 Start 2 Stop 3 Interim-Update 7 Accounting-On 8 Accounting-Off 9-14 Reserved for Tunnel Accounting 15 Reserved for Failed ?? Subsystem-On ?? Subsystem-Off Acct-Session-Id Description This attribute is a globally unique Accounting ID to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id. An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session. It is strongly recommended that the Acct-Session-Id SHOULD contain UTF-8 encoded 10646 [7] characters. It MUST exhibit global and temporal uniqueness. For example, an implementation may use a string with a UUID. Other encodings are possible. A summary of the Acct-Session-Id attribute format is shown below. The fields are transmitted from left to right. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Text ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 44 for Acct-Session-Id. Length >= 3 String The String field SHOULD be a string of UTF-8 encoded 10646 [7] characters. Acct-Multi-Session-Id Description This attribute is a globally unique Accounting ID to make it easy to link together multiple related sessions in a log file. Each session linked together would have a globally unique Acct-Session-Id but the same Acct-Multi-Session-Id. It is strongly recommended that the Acct-Multi-Session-Id SHOULD contain UTF-8 encoded 10646 [7] characters. It MUST exhibit global and temporal uniqueness. For example, an implementation may use a string with a UUID. Other encodings are possible. A summary of the Acct-Session-Id attribute format is shown below. The fields are transmitted from left to right. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | String ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 50 for Acct-Multi-Session-Id. Length >= 3 String The String field SHOULD contain UTF-8 encoded 10646 [7] characters. Reference to RFC 3580 ===================== Acct-Multi-Session-Id The purpose of this attribute is to make it possible to link together multiple related sessions for IEEE 802.11. While [IEEE8021X] does not act on aggregated ports, it is possible for a Supplicant roaming between Basic Service Sets or in failover accounting from one Controller to another to cause multiple RADIUS accounting packets to be sent by the same or different Access Points or Controllers. Where supported by the Access Points or the Controllers, the Acct-Multi-Session-Id attribute can be used to link together the multiple related sessions of a roaming Supplicant or in failover accounting from one Controller to another. In such a situation, if the session context is transferred between Access Points or Controllers, accounting packets MAY be sent without a corresponding authentication and authorization exchange, provided that Association has occurred. However, in such a situation it is assumed that the Acct-Multi-Session-Id is transferred between the Access Points or the Controllers as part of the Inter-Access Point Protocol (IAPP) or another handoff scheme. If the Acct-Multi-Session-Id were not globally unique between Access Points and Controllers, then it is possible that the chosen Acct-Multi-Session-Id will overlap with an existing value allocated on that Access Point or Controller, and the Accounting Server would therefore be unable to distinguish a roaming or failover session from a multi-link session. In order to provide global uniqueness, it is suggested that the Acct-Multi-Session-Id be an UTF-8 encoded UUID that offers inherent global and temporal uniqueness. An alternative construction for the Acct-Multi-Session-Id may be of the form: BSSID | Supplicant MAC Address | NTP Timestamp Here "|" represents concatenation, the BSSID is the MAC address of the BSS under which the session started, and the 64-bit NTP timestamp indicates the beginning of the original session. In order to provide for consistency of the Acct-Multi-Session-Id between roaming or failover sessions, the Acct-Multi-Session-Id may be moved between Access Points or Controllers as part of IAPP or another handoff scheme. The use of an Acct-Multi-Session-Id of this form should guarantee uniqueness among all Basic Service Sets, Access Points, Supplicants, Controllers and sessions. Since the NTP timestamp does not wrap on reboot, there is no possibility that a rebooted Access Point or Controller could choose an Acct-Multi-Session-Id that could be confused with that of a previous session once time synchronisation has occurred. The downside of this construction is that it is dependent on time synchronisation having occurred. For this reason, a UUID is preferred. Since the Acct-Multi-Session-Id is of type String as defined in [RFC2866], for use with IEEE 802.1X, it is encoded as an UTF-8 string of Hex digits. Example: "00-10-A4-23-19-C0-00-12-B2- 14-23-DE-AF-23-83-C0-76-B8-44-E8" Called-Station-Id For IEEE 802.1X Authenticators, this attribute is used to store the bridge MAC address or IEEE 802.11 BSSID in ASCII format (upper case only), with octet values separated by a "-". Example: "00-10-A4-23-19-C0". For IEEE 802.11, where the SSID is known, it SHOULD be appended in UTF-8 format to the BSSID, separated from the BSSID with a ":". Example "00-10-A4-23-19-C0:AP1". The SSID MUST be UTF-8 encoded as the SSID may be UTF-8 encoded.
- [radext] Feedback solicited: Acct-Session-Id, Acc… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… Alan DeKok
- Re: [radext] Feedback solicited: Acct-Session-Id,… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… Bernard Aboba
- [radext] Fwd: Feedback solicited: Acct-Session-Id… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… Nick Lowe
- Re: [radext] Feedback solicited: Acct-Session-Id,… lionel.morand
- Re: [radext] Feedback solicited: Acct-Session-Id,… Bernard Aboba
- Re: [radext] Feedback solicited: Acct-Session-Id,… Alan DeKok