
	RADIUS ACCOUNTING

RADIUS 1.16 is included in the 3.1 release.

RADIUS 1.16 adds support for RADIUS Accounting (requires ComOS 3.1),
hooks for Challenge/Response via the new Access-Challenge packet type,
and ports to Alpha OSF/1, BSDI BSD/386, Linux, SCO, and Unixware.
It already ran on SunOS, Solaris, AIX, HP/UX and Ultrix.  It includes
a new /etc/raddb/dictionary file that defines the additional attributes
required for Accounting support.

There is now a -v flag to print the version and an -a flag to specify
an alternative accounting directory, the same way -d specifies an
alternative raddb directory.

To use RADIUS Accounting, install the new radiusd and dictionary file,
then use the "set accounting" command on any PortMasters running ComOS 3.1
or later.


RADIUS Accounting 

RADIUS Accounting has been added in ComOS 3.1 and RADIUS 1.16.
The three big improvements over using syslog accounting records are:

1. Unique accounting IDs to make it easier to match start and end records.
2. Elapsed time recorded in the end record, so you don't have to match
   start and end records to produce billing information.
3. Up to 100 records are buffered in the PortMaster until acknowledged as
   received by the accounting server.

RADIUS Accounting uses the RADIUS protocol for its packet format and
adds Attributes to handle the additional information needed for
accounting.  The Accounting Server listens for UDP packets at port
1646, and is not required to run on the same host as the RADIUS server,
although that can be done and is often convenient.  A Backup Accounting
Server is supported.

Accounting records are buffered until acknowledged.  The PortMaster
sends an Accounting-Request packet to the Accounting Server, which
sends back an Accounting-Response packet to acknowledge that it has
received that record.  The PortMaster will keep the record and continue
sending Accounting-Requests until it receives an Accounting-Response.
An exponential backoff algorithm is used since accounting records do
not have the time-critical nature of Access-Requests (there's no user
waiting on the transaction).  The Acct-Delay-Time attribute tells how
many seconds have passed between the event generating the record and
the current attempt to send the record.

In addition to the accounting attributes, various RADIUS attributes are
included in the accounting packets to describe the type of service provided.

Here are the additional Attributes that Accounting adds:


ATTRIBUTE	Acct-Status-Type	40	integer

Start			1
Stop			2

A Start record is sent when service begins, and a Stop
record is sent when service ends.


ATTRIBUTE	Acct-Delay-Time		41	integer

Acct-Delay-Time is how many seconds the PortMaster has been trying to
submit this record, and should be subtracted from the time of arrival
to find the approximate time of the event (the result is actually the
time of the event plus the transit time of this packet through the
network).


ATTRIBUTE	Acct-Session-Id		44	string

Acct-Session-Id is a unique Accounting ID to make it easy to match
records up in a logfile.  The Start and Stop records for a given
session have the same Acct-Session-Id.

In our implementation on the PortMaster we use a string of 8 uppercase
hexadecimal digits.  The first two digits increment on each reboot
(wrapping after 256 reboots, which for a PortMaster in normal service
should take decades).  The next 6 digits count from 0 for the first
person logging in after a reboot up to 2^24-1, about 16 million, or one
person logging in per port per minute for an entire year on a 30-port
unit.


ATTRIBUTE	Acct-Authentic		45	integer

RADIUS			1
Local			2

Acct-Authentic is how the user was authenticated, whether by
RADIUS or by the local User Table in the PortMaster.
Passthrough users do not generate Accounting records, since they
are authenticated by the host.

ATTRIBUTE	Acct-Session-Time	46	integer

Acct-Session-Time is how many seconds the user was connected
for, and is only present in Stop records.


Restrictions

A future release will implement Acct-Input-Octets (42) and
Acct-Output-Octets (43).

Acct-Session-Time is not accurate for "!root" administrative logins.

Framed-Compression is not included in Accounting records.


Examples

Here are some examples of the RADIUS accounting output.
We log the records for each PortMaster into its own file under
/usr/adm/radacct/{portmaster-hostname}/detail but that location can be
changed with the -a flag.  The timestamps are generated by the host
running the accounting server.

We provide source to both the RADIUS server and RADIUS accounting
server, so if you want to modify this output you'll be able to do so; in
particular, large sites may want to make calls to SQL or other database
routines rather than printing to an ASCII text file.

Wed Oct  5 22:00:55 1994
	Acct-Session-Id = "06000003"
	User-Name = "carl"
	Client-Id = 149.198.1.18
	Client-Port-Id = 19
	Acct-Status-Type = Start
	Acct-Authentic = RADIUS
	User-Service-Type = Login-User
	Login-Service = PortMaster
	Login-Host = 149.198.1.70
	Acct-Delay-Time = 0

Wed Oct  5 23:15:31 1994
	Acct-Session-Id = "06000003"
	User-Name = "carl"
	Client-Id = 149.198.1.18
	Client-Port-Id = 19
	Acct-Status-Type = Stop
	Acct-Session-Time = 4480
	Acct-Authentic = RADIUS
	User-Service-Type = Login-User
	Login-Service = PortMaster
	Login-Host = 149.198.1.70
	Acct-Delay-Time = 0

Thu Oct  6 16:14:53 1994
	Acct-Session-Id = "06000004"
	User-Name = "Pdan"
	Client-Id = 149.198.1.18
	Client-Port-Id = 19
	Acct-Status-Type = Start
	Acct-Authentic = Local
	User-Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-IPX-Network = 108.144.16.16
	Acct-Delay-Time = 0

Thu Oct  6 16:15:57 1994
	Acct-Session-Id = "06000004"
	User-Name = "Pdan"
	Client-Id = 149.198.1.18
	Client-Port-Id = 19
	Acct-Status-Type = Stop
	Acct-Session-Time = 64
	Acct-Authentic = Local
	User-Service-Type = Framed-User
	Framed-Protocol = PPP
	Framed-IPX-Network = 108.144.16.16
	Acct-Delay-Time = 0
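
The following is an added example, not part of the RADIUS 1.16
distribution: a reader for the detail layout shown above that applies the
Acct-Delay-Time correction, splits the PortMaster Acct-Session-Id into its
reboot and sequence parts, and reports Start or Stop records that have no
partner.  The function names and the sample records are constructed for
illustration.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the detail-file layout shown above (not real data).
SAMPLE = """\
Wed Oct  5 22:00:55 1994
\tAcct-Session-Id = "06000003"
\tClient-Id = 149.198.1.18
\tAcct-Status-Type = Start
\tAcct-Delay-Time = 0

Wed Oct  5 23:15:41 1994
\tAcct-Session-Id = "06000003"
\tClient-Id = 149.198.1.18
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 4480
\tAcct-Delay-Time = 10

Thu Oct  6 16:15:57 1994
\tAcct-Session-Id = "06000004"
\tClient-Id = 149.198.1.18
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 64
"""

def parse_detail(text):
    """Yield one dict per record; 'event' is arrival time minus Acct-Delay-Time."""
    for block in re.split(r"\n\s*\n", text.strip()):
        stamp, *attrs = block.splitlines()
        rec = {k: v.strip('"') for k, v in (a.strip().split(" = ", 1) for a in attrs)}
        rec["arrival"] = datetime.strptime(" ".join(stamp.split()), "%a %b %d %H:%M:%S %Y")
        rec["event"] = rec["arrival"] - timedelta(seconds=int(rec.get("Acct-Delay-Time", 0)))
        yield rec

def decode_session_id(sid):
    """Split the 8-hex-digit PortMaster ID into (reboot counter, login sequence)."""
    return int(sid[:2], 16), int(sid[2:], 16)

def pair_sessions(records):
    """Match on (Client-Id, Acct-Session-Id), since each PortMaster counts its own IDs."""
    starts, paired, unmatched = {}, [], []
    for rec in records:
        key = (rec["Client-Id"], rec["Acct-Session-Id"])
        if rec["Acct-Status-Type"] == "Start":
            starts[key] = rec
        elif key in starts:
            paired.append((starts.pop(key), rec))
        else:
            unmatched.append(rec)  # Stop whose Start is not in this file
    return paired, unmatched + list(starts.values())
```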

