Re: Is provisioning services in Accounting-Request packets bad?
David B. Nelson wrote:
>> The NAS sends an Access-Request to the RADIUS server.
>> The RADIUS server originates the Accounting-Request.
>
> To a RADIUS Accounting Server?
Nope. To a provisioning system. e.g. firewall. It opens FW rules
for the IP, sends an ACK, and otherwise discards the accounting data.
The normal accounting stream still exists, and uses a completely
different path through the network.
> Let's see if I've got this....
>
> The NAS (Node A) sends an Access-Request to the RADIUS Server (Node B) which then sends an Accounting-Request to the RADIUS Accounting Server (Node C), and subsequently the RADIUS Server (Node B) sends an Access-Accept to the NAS (Node A)? The RADIUS Accounting Server (Node C) by some means creates access rules for the user and sends them to the Firewall (Node D)?
>
> Yikes.
Something like that.
>> The *intent* appears to be that waiting the extra 1/10s for the NAS to
>> originate the Accounting-Request would be a catastrophic delay. The
>> "network setup" side of the user session needs to be done before the
>> Access-Accept is received by the NAS.
>>
>> The "simplest" way to do this is to overload RADIUS.
>
> Well, RADIUS has a history of being an eminently overload-able protocol. :-)
>
> I think it's unusual, to say the least, for a RADIUS Server to initiate a request on behalf of a NAS unless that RADIUS Server is acting in the role of RADIUS Proxy Server. That doesn't seem to be the case here.
Yup.
Alan DeKok.
archive: <http://psg.com/lists/radiusext/>