9.8. RADIUS Accounting

Home Prev	cOS Core 14.00.17 Administration Guide	Next

9.8.1. Overview

The Central Database Approach

Within a network environment containing large numbers of users, it is advantageous to have one or a cluster of central servers that maintain user account information and are responsible for authentication and authorization tasks. The central database residing on such dedicated servers contains all user credentials as well as details of connections. This significantly reducing administration complexity.

The Remote Authentication Dial-in User Service (RADIUS) is an Authentication, Authorization and Accounting (AAA) protocol widely used to implement this central database approach and is used by cOS Core to implement user accounting.

RADIUS Architecture

The RADIUS protocol is based on a client/server architecture. The Clavister firewall acts as the client of the RADIUS server, creating and sending requests to a dedicated server(s). In RADIUS terminology the firewall acts as the Network Access Server (NAS).

For user authentication, the RADIUS server receives the requests, verifies the user's information by consulting its database, and returns either an "accept" or "reject" reply to the requesting client.

With the RFC-2866 standard, RADIUS was extended to handle the delivery of accounting information and this is the standard followed by cOS Core for user accounting. In this way, all the benefits of centralized servers are thus extended to user connection accounting.

The usage of RADIUS for cOS Core authentication is discussed in Section 9.2, Authentication Setup.

9.8.2. RADIUS Accounting Messages

Message Generation

Statistics, such as number of bytes sent and received, and number of packets sent and received are updated and stored throughout RADIUS sessions. All statistics are updated for an authenticated user whenever a connection related to an authenticated user is closed.

When a new client session is started by a user establishing a new connection through the firewall, cOS Core sends an AccountingRequest START message to a nominated RADIUS server, to record the start of the new session. User account information is also delivered to the RADIUS server. The server will send back an AccountingResponse message to cOS Core, acknowledging that the message has been received.

When a user is no longer authenticated, for example, after the user logs out or the session time expires, an AccountingRequest STOP message is sent by cOS Core containing the relevant session statistics. The information included in these statistics is user configurable. The contents of the START and STOP messages are described in detail below:

START Message Parameters

Parameters included in START messages sent by cOS Core are:

Type - Marks this AccountingRequest as signaling the beginning of the service (START).
ID - A unique random 7 character string identifier to enable matching of an AccountingRequest with Acct-Status-Type set to STOP.
User Name - The user name of the authenticated user.
NAS IP Address - The IP address of the Clavister firewall.
NAS Port - The port of the NAS on which the user was authenticated (this is a physical interface and not a TCP or UDP port).
User IP Address - The IP address of the authenticated user. This is sent only if specified on the authentication server.
How Authenticated - How the user was authenticated. This is set to either RADIUS if the user was authenticated via RADIUS, or LOCAL if the user was authenticated via a local user database.
Delay Time - The time delay (in seconds) since the AccountingRequest packet was sent and the authentication acknowledgment was received. This can be subtracted from the time of arrival on the server to find the approximate time of the event generating this AccountingRequest. Note that this does not reflect network delays. The first attempt will have this parameter set to zero.
Timestamp - The number of seconds since 1st January, 1970. Used to set a timestamp when the packet was sent from cOS Core.

STOP Message Parameters

Parameters included in STOP messages sent by cOS Core are:

Type - Marks this accounting request as signaling the end of a session (STOP).
ID - An identifier matching a previously sent AccountingRequest packet, with Acct-Status-Type set to START.
User Name - The user name of the authenticated user.
NAS IP Address - The IP address of the Clavister firewall.
NAS Port - The port on the NAS on which the user was authenticated. (This is a physical interface and not a TCP or UDP port).
User IP Address - The IP address of the authenticated user. This is sent only if specified on the authentication server.
Input Bytes - The number of bytes received by the user. (*)
Output Bytes - The number of bytes sent by the user. (*)
Input Packets - The number of packets received by the user. (*)
Output Packets - The number of packets sent by the user. (*)
Session Time - The number of seconds this session lasted. (*)
Termination Cause - The reason why the session was terminated.
How Authenticated - How the user was authenticated. This is set to either RADIUS if the user was authenticated via RADIUS, or LOCAL if the user was authenticated via a local user database.
Delay Time - See the above comment about this parameter.
Timestamp - The number of seconds since 1970-01-01. Used to set a timestamp when the packet was sent from the firewall.

In addition, two more attributes may be sent:

Input Gigawords - Indicates how many times the Input Bytes counter has wrapped. This is only sent if Input Bytes has wrapped, and if the Input Bytes attribute is sent.
Output Gigawords - Indicates how many times the Output Bytes counter has wrapped. This is only sent if Output Bytes has wrapped, and if the Output Bytes attribute is sent.

	Tip: The meaning of the asterisk after a list entry
	The asterisk (*) symbol after an entry in the list above indicates that the sending of the parameter is optional and is configurable.

9.8.3. Interim Accounting Messages

In addition to START and STOP messages cOS Core can optionally periodically send Interim Accounting Messages to update the accounting server with the current status of an authenticated user.

Messages are Snapshots

An interim accounting message can be seen as a snapshot of the network resources that an authenticated user has used up until a given point. With this feature, the RADIUS server can track how many bytes and packets an authenticated user has sent and received up until the point when the last message was sent.

An Interim Accounting Message contains the current values of the statistics for an authenticated user. It contains more or less the same parameters as found in an accounting request STOP message, except that the Acct-Terminate-Cause is not included (as the user has not disconnected yet).

Message Frequency

The frequency of interim accounting messages can be specified either on the authentication server or in cOS Core. Switching on the setting in cOS Core will override the setting on the accounting server.

9.8.4. Configuring RADIUS Accounting

In order to activate RADIUS accounting the following is required:

The RADIUS server must be defined in cOS Core.
A user authentication object must have a rule associated with it where a RADIUS server is specified.
The external RADIUS server itself must be correctly configured.

Setting the Source IP

By default, the Source IP property will be set to Automatic and the IP address of the firewall's sending interface will be used as the source address for traffic sent to the RADIUS server. If this property is set to Manual, a specific source IP address can be used for traffic sent to the server.

If the source IP address is specified, the administrator must also manually configure cOS Core to ARP publish the IP address on the sending interface. Doing this is described in Section 3.5.3, ARP Publish.

Further RADIUS Considerations

Some important points should be noted about RADIUS activation:

RADIUS accounting will not function where a connection is subject to a Stateless Policy entry in the IP rule set (or a FwdFast IP rule).
The same RADIUS server does not need to handle both authentication and accounting; one server can be responsible for authentication while another is responsible for accounting tasks.
Multiple RADIUS servers can be configured in cOS Core to deal with the event when the primary server is unreachable.

Example 9.9. RADIUS Accounting Server Setup

This example shows configuring of cOS Core with a local RADIUS server called my-accounting using IP address 192.168.3.1 and port 1813. Assume the shared secret is 231562514098273.

Command-Line Interface

Device:/> add RadiusAccounting my-accounting
			IPAddress=192.168.3.1
			SharedSecret=231562514098273
			Port=1813
			RetryTimeout=2
			RoutingTable=main

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

Go to: Policies > User Authentication > Accounting > RADIUS > Add > RADIUS Server
Now enter:
- Name: my-accounting
- IP Address: 192.168.3.1
- Port: 1813
- Retry Timeout: 2
- Shared Secret: 231562514098273
- Confirm Secret: 231562514098273
- Routing Table: main
Click OK

9.8.5. RADIUS Accounting Security

Communication between cOS Core and any RADIUS accounting server is protected by the use of a shared secret. This secret is never sent over the network but instead a 16 byte long Authenticator code is calculated using a one way MD5 hash function and this is used to authenticate accounting messages.

The shared secret is case sensitive, can contain up to 128 characters, and must be typed exactly the same for cOS Core and for the RADIUS server.

Messages are sent using the UDP protocol and the default port number used is 1813 although this is configurable.

9.8.6. RADIUS Accounting and High Availability

In an HA cluster, accounting information is synchronized between the active and passive firewalls. This means that accounting information is automatically updated on both cluster members whenever a connection is closed.

Special Accounting Events

Two special accounting events are also used by the active unit to keep the passive unit synchronized:

An AccountingStart event is sent to the inactive member in an HA setup whenever a response has been received from the accounting server. This specifies that accounting information should be stored for a specific authenticated user.
A problem with accounting information synchronization could occur if an active unit has an authenticated user for whom the associated connection times out before it is synchronized on the inactive unit.

To get around this problem, a special AccountingUpdate event is sent to the passive unit on a timeout and this contains the most recent accounting information for connections.

9.8.7. Handling Unresponsive RADIUS Servers

It can happen that a RADIUS client sends an AccountingRequest START packet which a RADIUS server never replies to. If this happens, cOS Core will resend the request after the user-specified number of seconds. This will mean, however, that a user will still have authenticated access while cOS Core is trying to contact the accounting server.

Three Connection Attempts are Made

Only after cOS Core has made three attempts to reach the server will it conclude that the accounting server is unreachable. The administrator can use the cOS Core advanced setting Allow on error to determine how this situation is handled.

If the Allow on error setting is enabled, an already authenticated user's session will be unaffected. If it is not enabled, any affected user will automatically be logged out even if they have already been authenticated.

9.8.8. Accounting and System Shutdowns

In the case that the client for some reason fails to send a RADIUS AccountingRequest STOP packet, the accounting server will never be able to update its user statistics, but will most likely believe that the session is still active. This situation should be avoided.

In the case that the firewall administrator issues a shutdown command while authenticated users are still online, the AccountingRequest STOP packet will potentially never be sent. To avoid this, the advanced setting Logout at shutdown allows the administrator to explicitly specify that cOS Core must first send a STOP message for any authenticated users to any configured RADIUS servers before commencing with the shutdown.

9.8.9. Limitations with NAT

The User Authentication module in cOS Core is based on the user's IP address. Problems can therefore occur with users who have the same IP address.

This can happen, for example, when several users are behind the same network using NAT to allow network access through a single external IP address. This means that as soon as one user is authenticated, traffic coming through that NAT IP address could be assumed to be coming from that one authenticated user even though it may come from other users on the same network. cOS Core RADIUS Accounting will therefore gather statistics for all the users on the network together as though they were one user instead of individuals.

9.8.10. Advanced RADIUS Settings

The following advanced settings are available with RADIUS accounting:

Allow on error

If there is no response from a configured RADIUS accounting server when sending accounting data for a user that has already been authenticated, then enabling this setting means that the user will continue to be logged in.

Disabling the setting will mean that the user will be logged out if the RADIUS accounting server cannot be reached even though the user has been previously authenticated.

Default: Enabled

Logout at shutdown

If there is an orderly shutdown of the firewall by the administrator, cOS Core will delay the shutdown until it has sent RADIUS accounting STOP messages to any configured RADIUS server.

If this option is not enabled, cOS Core will shut down even though there may be RADIUS accounting sessions that have not been correctly terminated. This could lead to the situation that the RADIUS server will assume users are still logged in even though their sessions have been terminated.

Default: Enabled

Maximum Radius Contexts

The maximum number of contexts allowed with RADIUS. This applies to RADIUS use with both accounting and authentication.

Default: 1024