
Re: Is provisioning services in Accounting-Request packets bad?



David B. Nelson wrote:
>> The NAS sends an Access-Request to the RADIUS server.
>> The RADIUS server originates the Accounting-Request.
> 
> To a RADIUS Accounting Server?

  Nope.  To a provisioning system.  e.g. firewall.  It opens FW rules
for the IP, sends an ACK, and otherwise discards the accounting data.

  The normal accounting stream still exists, and uses a completely
different path through the network.

> Let's see if I've got this....
> 
> The NAS (Node A) sends an Access-Request to the RADIUS Server (Node B) which then sends an Accounting-Request to the RADIUS Accounting Server (Node C), and subsequently the RADIUS Server (Node B) sends an Access-Accept to the NAS (Node A)?  The RADIUS Accounting Server (Node C) by some means creates access rules for the user and sends them to the Firewall (Node D)?
> 
> Yikes.

  Something like that.

>> The *intent* appears to be that waiting the extra 1/10s for the NAS to
>> originate the Accounting-Request would be a catastrophic delay.  The
>> "network setup" side of the user session needs to be done before the
>> Access-Accept is received by the NAS.
>>
>> The "simplest" way to do this is to overload RADIUS.
> 
> Well, RADIUS has a history of being an eminently overload-able protocol.  :-)
> 
> I think it's unusual, to say the least, for a RADIUS Server to initiate a request on behalf of a NAS unless that RADIUS Server is acting in the role of RADIUS Proxy Server.  That doesn't seem to be the case here.

  Yup.

  Alan DeKok.
