Hi. Sorry if this is a dumb thing, but I've searched a lot and din't find
any solution to this problem.
I'm using freeradius (versions 0.9.3, 1.0.0 and 1.0.4) with MySQL 3.23 and
4.1.7 (different mappings between FR and My)
I have some clients to wich I'm proxying requests to some realms. All works
OK but there is one client wich is using Cisco Secure ACS, wich is giving me
some headaches.
With this one, Access-* packets go OK, but when the NAS (Cisco AS5300) sends
an Accounting-Request to that realm and I proxy it to the home server, it
sends me an Accounting-Response with an (I think) irregular attribute:
Message-Authenticator (Ext. Attr. 80), wich I think is not permitted in the
RFC for accounting packets.
So, my FR, discards it as supposed thus leading my NAS to re-send accounting
request a lot of times until it gives up.
This leads me to three main questions:
1) Am I reading OK the RFC? I mean ¿Is it right that Attribute 80 is NOT
permitted in Accounting-* packets?
2) Each time the NAS re-sends packets, FR handles it as it were a new
packet, for a new call/connection. This way, I have each call for this
specific realm n times, with n being the times I configure the NAS to
re-send the packet. Every time the NAS re-sends an Accounting-start, the SQL
query in sql.conf says "INSERT blah blah blah", wich leads to a new record
be inserted into the database, and every time the NAS re-sends an
Accounting-stop, the SQL query says "UPDATE blah blah blah", so it leads to
calls being recorded many times. The question is ¿is there any way to solve
this through configuration, and I didn't find it because I'm a dumb? ¿Or I
have to "touch" the code for the radius to verify if the packet is a
repeated one or not?
3) Is there any known bug or propietary feature from Cisco wich causes this
incompatibility thing? I've searched about it and didn't find anything.
I know that "3" is not at all about freeradius, but perhaps some of you came
accross this at any time.
Any help will be very appreciated.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
