


Problem with Junos 8.5 accounting message


nam nguyen
Contributor (11)
Apr 16, 2014 3:29am

Dear all!

I have 02 routers: 01 using version 8.5 and 01 using a version higher than 10.4. We have 01 Steel-Belt Radius Server version 6.1. I have implemented an AAA solution:

- For authentication and authorization, both routers are running as expected.

- For accounting, we see that there are differences between the 02 routers as below:

 

Router running Junos version higher than 10.4: in the accounting start/interim-update/stop messages, the router always returns attribute User-Name with value = user login, as expected.

1/ Accounting Start

          Accounting Status Attribute (40), length: 6, Value: Start

            0x0000: 0000 0001

          Accounting Session ID Attribute (44), length: 13, Value: 5A95349087F

            0x0000: 3541 3935 3334 3930 3837 46

          Accounting Delay Attribute (41), length: 6, Value: 00 secs

            0x0000: 0000 0000

          Username Attribute (1), length: 5, Value: nam

            0x0000: 6e61 6d

          NAS ID Attribute (32), length: 6, Value: MX80

            0x0000: 4d58 3830

          NAS IP Address Attribute (4), length: 6, Value: 10.0.0.210

            0x0000: 0a00 00d2

          Calling Station Attribute (31), length: 11, Value: 10.0.0.98

            0x0000: 3130 2e30 2e30 2e39 38

2/ Accounting Interim

          Accounting Status Attribute (40), length: 6, Value: Interim-Update

            0x0000: 0000 0003

          Accounting Session ID Attribute (44), length: 13, Value: 5A95349087F

            0x0000: 3541 3935 3334 3930 3837 46

          Accounting Delay Attribute (41), length: 6, Value: 00 secs

            0x0000: 0000 0000

          Username Attribute (1), length: 5, Value: nam

            0x0000: 6e61 6d

          NAS ID Attribute (32), length: 6, Value: MX80

            0x0000: 4d58 3830

          Vendor Specific Attribute (26), length: 13, Value: Vendor: Juniper Networks (2636)

            Vendor Attribute: 8, Length: 7, Value: exit ..

            0x0000: 0000 0a4c 0807 6578 6974 20

          NAS IP Address Attribute (4), length: 6, Value: 10.0.0.210

            0x0000: 0a00 00d2

          Calling Station Attribute (31), length: 11, Value: 10.0.0.98

            0x0000: 3130 2e30 2e30 2e39 38                    

3/ Accounting stop

         Accounting Status Attribute (40), length: 6, Value: Stop

            0x0000: 0000 0002

          Accounting Session ID Attribute (44), length: 13, Value: 5A95349087F

            0x0000: 3541 3935 3334 3930 3837 46

          Accounting Delay Attribute (41), length: 6, Value: 00 secs

            0x0000: 0000 0000

          Username Attribute (1), length: 5, Value: nam

            0x0000: 6e61 6d

          Accounting Session Time Attribute (46), length: 6, Value: 09 secs

            0x0000: 0000 0009

          Accounting Termination Cause Attribute (49), length: 6, Value: User Request

            0x0000: 0000 0001

          NAS ID Attribute (32), length: 6, Value: MX80

            0x0000: 4d58 3830

          NAS IP Address Attribute (4), length: 6, Value: 10.0.0.210

            0x0000: 0a00 00d2

          Calling Station Attribute (31), length: 4, Value: ..

            0x0000: fec7

 

But the router running Junos version 8.5 only returns attribute User-Name in the accounting Start message, with Value=Juniper-Local-User-Name which is configured on the router. This problem isn't as expected because we need to monitor which user logs in to the router in the accounting messages.

 

1/ Accounting Start

          Accounting Status Attribute (40), length: 6, Value: Start

            0x0000: 0000 0001

          Accounting Session ID Attribute (44), length: 14, Value: 12A5534D5997

            0x0000: 3132 4135 3533 3444 3539 3937

          Accounting Delay Attribute (41), length: 6, Value: 00 secs

            0x0000: 0000 0000

          Username Attribute (1), length: 9, Value: juniper

            0x0000: 6a75 6e69 7065 72

          NAS ID Attribute (32), length: 2, Value:

          NAS IP Address Attribute (4), length: 6, Value: 172.16.254.2

            0x0000: ac10 fe02

2/ Accounting Interim

          Accounting Status Attribute (40), length: 6, Value: Interim-Update

            0x0000: 0000 0003

          Accounting Session ID Attribute (44), length: 14, Value: 12A5534D5999

            0x0000: 3132 4135 3533 3444 3539 3939

          Accounting Delay Attribute (41), length: 6, Value: 00 secs

            0x0000: 0000 0000

          NAS ID Attribute (32), length: 2, Value:

          Vendor Specific Attribute (26), length: 24, Value: Vendor: Juniper Networks (2636)

            Vendor Attribute: 8, Length: 18, Value: show ospf route ..

            0x0000: 0000 0a4c 0812 7368 6f77 206f 7370 6620

            0x000f: 726f 7574 6520

          NAS IP Address Attribute (4), length: 6, Value: 172.16.254.2

            0x0000: ac10 fe02

                                               

3/ Accounting stop

          Accounting Status Attribute (40), length: 6, Value: Stop

            0x0000: 0000 0002

          Accounting Session ID Attribute (44), length: 14, Value: 12A5534D5999

            0x0000: 3132 4135 3533 3444 3539 3939

          Accounting Delay Attribute (41), length: 6, Value: 00 secs

            0x0000: 0000 0000

          Accounting Session Time Attribute (46), length: 6, Value: 19 secs

            0x0000: 0000 0013

          Accounting Termination Cause Attribute (49), length: 6, Value: User Request

            0x0000: 0000 0001

          NAS ID Attribute (32), length: 2, Value:

          NAS IP Address Attribute (4), length: 6, Value: 172.16.254.2

            0x0000: ac10 fe02

 

Currently, the router running Junos 8.5 cannot be upgraded to a higher version because of flash size.

I have searched the Junos documentation and there isn't any difference in the configuration guide.

My questions are:

- From which version did Juniper change this behavior, or is it a software bug?

- Is there any way to configure the router running Junos 8.5 to return attribute User-Name with Value=user login, and to return attribute User-Name in all of the Start/Stop/Interim accounting messages?

- If not, is there any way to work around this and return another attribute with Value=user login in the Start/Stop/Interim accounting messages?

Please help me

Thanks in advance




Raveen
Contributor (11)
Correct Answer
Apr 27, 2014 10:25pm

Hi Nam

 

This is an expected behavior in Junos 8.5 where you do not see User-Name for Accounting interim/Stop messages.

The code of Junos was improved and from 10.4Rx, you should see correct values.

Moreover, Junos 8.5 is already end of support; consider an upgrade to 11.4Rx.

 

Regards,

Raveen
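
Added example, not part of either post and not Juniper or Steel-Belted Radius code: a collector-side check that parses the accounting attributes shown in the dumps above and flags records that arrive without User-Name, as the Junos 8.5 Interim-Update does. The byte strings are constructed from the values in the dumps (attributes only, no RADIUS header), and the function names are hypothetical.

```python
import struct

JUNIPER_VENDOR_ID = 2636  # vendor id shown in the dumps
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def tlv(attr_type, value):
    """Build one RADIUS attribute: type, length (includes the 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_attributes(data):
    """Walk the attribute TLVs of an Accounting-Request body into a dict."""
    rec = {"status": None, "session": None, "user": None, "command": None}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        if attr_type == 40 and len(value) == 4:      # Acct-Status-Type
            rec["status"] = STATUS.get(struct.unpack("!I", value)[0])
        elif attr_type == 44:                        # Acct-Session-Id
            rec["session"] = value.decode("ascii", "replace")
        elif attr_type == 1:                         # User-Name
            rec["user"] = value.decode("utf-8", "replace")
        elif attr_type == 26 and len(value) >= 6:    # Vendor-Specific
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == JUNIPER_VENDOR_ID and value[4] == 8:
                # vendor attribute 8 carries the command text in the dumps
                rec["command"] = value[6:4 + value[5]].decode("ascii", "replace").strip()
        pos += length
    return rec

def unattributed(records):
    """Return parsed records that carry no User-Name (cannot be tied to a login)."""
    return [r for r in map(parse_attributes, records) if r["user"] is None]

# Constructed from the attribute values in the two Interim-Update dumps above.
MX80_INTERIM = (tlv(40, bytes.fromhex("00000003")) + tlv(44, b"5A95349087F")
                + tlv(1, b"nam") + tlv(26, bytes.fromhex("00000a4c0807") + b"exit "))
J85_INTERIM = (tlv(40, bytes.fromhex("00000003")) + tlv(44, b"12A5534D5999")
               + tlv(26, bytes.fromhex("00000a4c0812") + b"show ospf route "))

if __name__ == "__main__":
    for r in unattributed([MX80_INTERIM, J85_INTERIM]):
        print("no User-Name:", r)
```

Run against a full accounting log, the flagged records are the commands that cannot be tied to a login from the accounting data alone.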