4.5 Accounting-specific Attributes
| Acct-Status-Type |
| Attribute Number | 40 |
| Length | 6 |
| Value | ENUM |
| Allowed in | Accounting-Request |
| Prohibited in | Accounting-Response |
| Presence in Packet | Required |
| Maximum Iterations | 1 |
This attribute indicates whether the Accounting-Request packet is being sent upon the user first authenticating and connecting to the network or upon the user finishing use of the services and disconnecting. It can also be used to mark when to start and stop accounting should the RADIUS client gear require rebooting or other system maintenance. Note that when RADIUS client gear crashes, stop records in general are not sent to the accounting server. Obviously, this has the potential to mess up accounting data, and a crashed client is not all that uncommon.
The payload value of the attribute contains 15 possible values, each of which are listed in Table 4-1.
Table 4-1. Values for the Acct-Status-Type attribute
| Value | Status type |
|---|---|
| 1 | Start |
| 2 | Stop |
| 3 | Interim-Update |
| 7 | Accounting-On |
| 8 | Accounting-Off |
| 9 -14 | Reserved; used for tunnel accounting |
| 15 | Reserved; used for failed attempts |
| Acct-Delay-Time |
| Attribute Number | 41 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request |
| Prohibited in | Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The Acct-Delay-Time attribute records how many seconds the client has been trying to push this packet through to the accounting server. While the significance of this attribute may seem less than overwhelming on the outset, by subtracting this value from the time a packet arrives at the accounting server, the time of the request-generating event (a sign-on, sign-off, termination, etc.) can be computed. Network transit time is not factored into this calculation.
As I mentioned earlier, when the attributes of any accounting packet change, the identifier associated with the packet must be changed as well. This rule carries over into this attribute specifically : when the delay time is changed, a new identifier must be generated for the new packet.
| Acct-Input-Octets |
| Attribute Number | 42 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request, interim updates |
| Prohibited in | Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute, which can only be found in Accounting-Request packets with Acct-Status-Type set to code 2 (Stop) or interim updates (covered in Chapter 9), indicates the number of incoming octets passed through a specific client port during one session.
| Acct-Output-Octets |
| Attribute Number | 43 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request |
| Prohibited in | Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The opposite of Acct-Input-Octets , this attribute, which can only be found in Accounting-Request packets with the Acct-Status-Type set to code 2 (Stop), indicates the number of outgoing octets transmitted through a specific client port during one session.
| Acct-Session-ID |
| Attribute Number | 44 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Accounting-Request |
| Prohibited in | Accounting-Response |
| Presence in Packet | Required |
| Maximum Iterations | 1 |
This attribute is used to uniquely identify a session so that accounting stop and start records can be collated and recorded accurately. There are a few considerations as to the packets that these attributes can be found in:
- Accounting-Request packets
-
are required to have Acct-Session-ID .
- Access-Request packets
-
are allowed to contain this attribute. If this is the case, then the RADIUS client gear is required to use the same session ID in all packets pertaining to that connection for the duration of that session.
The RFC requires that this session ID be printed using the UTF-8 10646 character set. From RFC 2866: "For example, one implementation uses a string with an 8-digit upper case hexadecimal number, [sic] the first two digits increment on each reboot (wrapping every 256 reboots) and the next 6 digits counting from 0 for the first person logging in after a reboot up to 2 24-1 , about 16 million. Other encodings are possible."
In practice, however, RADIUS client equipment tends to not send the Acct-Session-ID attributes using unique values. Many reuse these values across reboots, which can make tracking a session in its entirety using accounting data much more difficult.
| Acct- Authentic |
| Attribute Number | 45 |
| Length | 6 |
| Value | ENUM |
| Allowed in | Accounting-Request |
| Prohibited in | Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This optional attribute indicates the method with which the user's declared identity was verified . There are three possible values for this attribute, which are listed in Table 4-2.
Table 4-2. Values for the Acct-Authentic attribute
| Value | Authentication method |
|---|---|
| 1 | RADIUS |
| 2 | Local |
| 3 | Remote |
The second value, "Local," within the context of this attribute signifies that the client verified the identity of this user of its own accord through an authentication method other than RADIUS. This can cause problems when matching accounting data to authentication/authorization information, since no authorization data exists for the session.
| Acct-Session-Time |
| Attribute Number | 46 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request, interim updates |
| Prohibited in | Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute, found in Accounting-Request packets and interim records, indicates the time in seconds that a user has been connected. Note that this attribute can only be present when the Acct-Status-Type attribute inside the request packet is set to code 2 (Stop).
| Acct-Input-Packets |
| Attribute Number | 47 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request, interim updates |
| Prohibited in | Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
This attribute, which can only be found in Accounting-Request packets with the Acct-Status-Type set to code 2 (Stop) and in interim accounting updates, indicates the number of incoming packets passed through a specific RADIUS client port to a framed user during one session.
| Acct-Output-Packets |
| Attribute Number | 48 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request, interim updates |
| Prohibited in | Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The opposite of Acct-Input-Packets , this attribute, which can only be found in Accounting-Request packets with the Acct-Status-Type set to code 2 (Stop) and in interim accounting updates, indicates the number of outgoing packets transmitted through a specific client port from a framed user during one session.
| Acct-Terminate-Cause |
| Attribute Number | 49 |
| Length | 6 |
| Value | ENUM |
| Allowed in | Accounting-Request |
| Prohibited in | Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | 1 |
The Acct-Terminate-Cause attribute indicates the reason, if possible and applicable , that a user's session was ended. Like a good number of the other accounting attributes, the request packet must contain the Acct-Status-Type attribute set to Stop (code 2 ).
Listed in Table 4-3 are the 18 possible values for this attribute.
Table 4-3. Values for the Acct-Terminate-Cause attribute
| Value | Termination cause |
|---|---|
| 1 | User Request |
| 2 | Lost Carrier |
| 3 | Lost Service |
| 4 | Idle Timeout |
| 5 | Session Timeout |
| 6 | Admin Reset |
| 7 | Admin Reboot |
| 8 | Port Error |
| 9 | NAS Error |
| 10 | NAS Request |
| 11 | NAS Reboot |
| 12 | Port Unneeded |
| 13 | Port Preempted |
| 14 | Port Suspended |
| 15 | Service Unavailable |
| 16 | Callback |
| 17 | User Error |
| 18 | Host Request |
Let's take a closer look at each of these termination causes:
- User Request
-
The user initiated the termination by logging off.
- Lost Carrier
-
The port could no longer hold DCD.
- Lost Service
-
For some reason, the service is unavailable for continued provision. Connection interruptions are the most likely cause.
- Idle Timeout
-
The configured limit for an idle connection was reached.
- Session Timeout
-
The configured limit for the length of a single session was reached.
- Admin Reset
-
The system administrator reset hardware necessary to continue the connection.
- Admin Reboot
-
The system administrator is terminating all service on a particular machine, most likely immediately preceding a reboot.
- Port Error
-
The NAS gear encountered an error in the port; service could not be continued.
- NAS Error
-
The NAS gear encountered an error somewhere other than in the port; service could not be continued.
- NAS Request
-
The NAS gear terminated the connection for another, unknown reason.
- NAS Reboot
-
The NAS gear "crashed" and required a reboot. (This attribute is used almost exclusively for nonadministrative restarts.) Unfortunately, this is not a reliable mechanism, as this signal is often not sent on a reboot. Lobby your NAS manufacturer for a fix if your equipment is affected by this.
- Port Unneeded
-
The NAS, through some algorithm, determined that the port was no longer needed to continue maintaining a certain threshold of quality of service.
- Port Preempted
-
A higher priority thread required the use of the port.
- Port Suspended
-
The NAS requested to end a virtual session by suspending it.
- Service Unavailable
-
For whatever reason, the NAS gear is unavailable to service the request.
- Callback
-
The NAS is ending the current connection so that it may dial the user back to continue his service.
- User Error
-
The user input data incorrectly.
- Host Request
-
The host ended the session predictably and as expected.
| Acct-Multi-Session-ID |
| Attribute Number | 50 |
| Length | 3 or more octets |
| Value | STRING |
| Allowed in | Accounting-Request |
| Prohibited in | Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | Unlimited |
This attribute contains a unique ID that can be used to "thread" data from multiple related sections together into one log file. The Acct-Session-ID for each session would be unique, but all would be linked by a common Acct-Multi-Session-ID . This is useful for applications where multilinking and channel-bonding services, such as multilink PPP, are provided and supported. More details on these services are provided in Chapter 6.
| Acct-Link-Count |
| Attribute Number | 51 |
| Length | 6 |
| Value | INTEGER |
| Allowed in | Accounting-Request |
| Prohibited in | Accounting-Response |
| Presence in Packet | Not required |
| Maximum Iterations | Unlimited |
This attribute indicates the number of current sessions in a multilink transaction. The way this value is determined is of particular interest. Let's examine it more closely.
The value field simply shows the number of times links have been observed by the accounting server whose connections are using the same Acct-Multi-Session-ID . The following is a tabulation example of link counts. By using these link counts and enumerating each Accounting Stop packet received, the accounting server can determine when its recordkeeping is complete for any given multilink session:
Multi-Session-ID Session-ID Status-Type Link-Count 52 21 Start 1 52 22 Start 2 52 23 Start 3 52 22 Stop 3 52 21 Stop 3 52 24 Start 4 52 23 Stop 4 52 22 Stop 4
