On 9 Sep 2011, at 14:23, Bjørn Mork wrote:

> Arran Cudbard-Bell <a.cudba...@freeradius.org> writes:
>
>> As Alan says your NAS won't generate Accounting-Requests if the RADIUS
>> server rejects the user (unless it's very broken).
>
> Why would that be broken?
>
> Yes, I do see that you can trigger RADIUS accounting traffic without
> authenticating, but the additional load (both for NAS and RADIUS server)
> is probably negligible compared to the failed authentication anyway.
>
> Some NASes will let you configure acct stop on reject. See e.g.
> http://www.juniper.net/techpubs/en_US/junos11.2/topics/reference/configuration-statement/accounting-stop-on-access-deny-802-1x.html
>
RFC 2866:

  When a client is configured to use RADIUS Accounting, at the start of
  service delivery it will generate an Accounting Start packet describing
  the type of service being delivered and the user it is being delivered
  to, and will send that to the RADIUS Accounting server, which will send
  back an acknowledgement that the packet has been received. At the end of
  service delivery the client will generate an Accounting Stop packet
  describing the type of service that was delivered and optionally
  statistics such as elapsed time, input and output octets, or input and
  output packets. It will send that to the RADIUS Accounting server, which
  will send back an acknowledgement that the packet has been received.

The NAS never provides a service so it should not be sending any accounting packets.

Just because people demanded it and the vendor caved, it doesn't mean it's correct or compliant.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
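
An added example, not part of the original post and not FreeRADIUS code: a small RFC 2866 Accounting-Request parser that flags Stop records with no preceding Start for the same Acct-Session-Id, which is assumed here to be what a NAS configured for accounting stop on reject would emit. The packets are constructed inline, the Request Authenticator is zeroed and not validated, and sessions are keyed by Acct-Session-Id alone rather than per NAS.

```python
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44  # attribute types
START, STOP = 1, 2  # Acct-Status-Type values

def build_acct(ident, user, session, status):
    """Build a constructed Accounting-Request (authenticator zeroed, not checked)."""
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    attrs = (attr(USER_NAME, user.encode())
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attr(ACCT_SESSION_ID, session.encode()))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_acct(pkt):
    """Return {attribute type: raw value}; raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return attrs

def stops_without_start(packets):
    """List (user, session) for each Stop whose session never sent a Start."""
    started, flagged = set(), []
    for pkt in packets:
        a = parse_acct(pkt)
        raw = a.get(ACCT_STATUS_TYPE, b"")
        status = struct.unpack("!I", raw)[0] if len(raw) == 4 else None
        session = a.get(ACCT_SESSION_ID, b"").decode(errors="replace")
        if status == START:
            started.add(session)
        elif status == STOP and session not in started:
            flagged.append((a.get(USER_NAME, b"").decode(errors="replace"), session))
    return flagged

# Constructed sample: a normal session, then a lone Stop for a second session.
SAMPLE = [build_acct(1, "alice", "s-001", START), build_acct(2, "alice", "s-001", STOP),
          build_acct(3, "bob", "s-002", STOP)]
```

Calling `stops_without_start(SAMPLE)` reports only the second session, since the first has a matching Start.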