[NEBULA] RADIUS - Accounting Stop packet - Framed-IP-Address value

yomismo
yomismo Posts: 8
First Comment
edited April 2021 in Nebula

Good morning,

We are testing Zyxel Nebula with an external captive portal and external Radius authentication.

As I can see, in Accounting Start and Interim Update packets, the value Framed-IP-Address is sent:

  • User-Name = "38205631@XXXXX"
  • Framed-IP-Address = 172.16.40.169
  • Acct-Session-Id = "5C0FA66D"
  • Acct-Status-Type = Interim-Update
  • Acct-Authentic = RADIUS
  • NAS-IP-Address = 127.0.0.1
  • NAS-Port = 1787
  • NAS-Port-Type = Ethernet
  • Calling-Station-Id = "24-FD-52-XX-XX-XX"
  • Called-Station-Id = "60-31-97-XX-XX-XX:Nebula"
  • Acct-Session-Time = 61
  • Acct-Input-Octets = 105400
  • Acct-Output-Octets = 403250
  • Event-Timestamp = Dec 11, 2018 12:48:57.000000000 Hora estándar romance


But in Accounting Stop packet Framed-IP-Address is not sent, is it possible to add it?:

  • User-Name = "38205631@XXXXXX"
  • Acct-Session-Id = "5C0FA66D"
  • Acct-Status-Type = Stop
  • Acct-Authentic = RADIUS
  • NAS-IP-Address = 127.0.0.1
  • NAS-Port = 1787
  • NAS-Port-Type = Ethernet
  • Calling-Station-Id = "24-FD-52-XX-XX-XX"
  • Called-Station-Id = "60-31-97-XX-XX-XX:Nebula"
  • Acct-Session-Time = 504
  • Acct-Input-Octets = 0
  • Acct-Output-Octets = 0
  • Event-Timestamp = Dec 11, 2018 12:56:20.000000000 Hora estándar romance

Thanks in advanced.

All Replies

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment

    Hi @yomismo,

    As we are a layer 2 device, we have a design limitation that affects the frame-IP-address:

    If the client STA connects for the first time to one AP, the accounting start will include the Frame-IP-address as it is the first time connecting. However, if the client STA roams from one AP to another, or already associated to one AP and disconnects/reconnects, the accounting start will not include the Frame-IP-address as the APs only check the MAC address for previously authenticated devices. Or, if the STA disconnects in a short period that the interim packet is not set, then accounting stop will also not have Frame-IP-address.

    Thanks.

  • Hello Freda,

    We have been checking your last answer, and as you know, in Europe is extrictily necessary to identify all connections from a device. We have to keep al the traceability of the connections on site because of the GDPR (General Data Protection Regulation), that is a regulation in EU law on data protection and privacy for all individual citizens of the European Union.

    So for companies like us it is necessary to receive this attribute (Framed-IP-Address) also in Accounting-Stop packet, so we can offer Nebula solution and don´t have legal problems.

    Also we have checked that sometimes User-Name attribute is not send in the Accounting-Stop packet, do you know why this could happens?

    If you need more information do not hesitate to ask us.

    Thanks in advanced.

  • Zyxel_Freda
    Zyxel_Freda Posts: 397  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    edited December 2019

    Hello @yomismo2,

    There are two enhancements in next release as following.

    ·       Frame-IP-Address in accounting Start and Stop under scenarios explained below.

    ·       Input/output octets shows the actual usage


    The Frame-IP-Address in start/stop have some scenarios where it will be empty, because our devices are L2 and check MAC address only.

    • If the client STA connects for the first time to one AP, the accounting start will include the Frame-IP-address as it is the first time connecting.
    • If the client STA roams from one AP to another, or already associated to one AP and disconnects/reconnects, the accounting start will not include the Frame-IP-address as the APs only check the MAC address for previously authenticated devices.
    • If the STA disconnects in a short period that the interim packet is not sent, then accounting stop will not not have Frame-IP-address either.

    Thanks.

Nebula Tips & Tricks