Connection ID issue using anyconnect client
Martin Oehler
martin.oehler at gmx.net
Tue Sep 27 05:32:31 PDT 2016
Hello Nikos,
On Tue, Sep 27, 2016 at 09:10:47AM +0200, Nikos Mavrogiannopoulos wrote:
> On Sun, Sep 25, 2016 at 5:50 PM, Martin Oehler <martin.oehler at gmx.net> wrote:
>
> You are right. The anyconnect client gets initially handled by a
> different process than the one that finally gets to handle it. The
> openconnect on the other hand uses a single process throughout its
> lifetime thus it is reported correctly. What we can do for the former
> client is to update the reported nas-port on the subsequent accounting
> messages:
>
> Could you try out the following branch and check whether it addresses
> the nas-port issue?
> https://gitlab.com/ocserv/ocserv/merge_requests/13
thanks for your effort. I tried the patch, it does what you wrote but
I feel like we should discuss whether this is a good solution.
After adding some debug statements I am able to understand what is going
on:
1) The process id that is transferred with
   Acct-Status-Type = Start
   to freeradius is used for the initial nas-port id.

   Sep 27 11:14:03 sec-mod: process_worker_packet pid=23678
   Sep 27 11:14:03 radius-auth: communicating username (example) and password

2) The connect-script receives the id that is used by a later
   process:

   Sep 27 11:14:05 sec-mod: process_worker_packet pid=23681
   Sep 27 11:14:05 radius-auth: opening session DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE=
   Sep 27 11:14:06 sec-mod: initiating session for user 'example' (session: DElVwY)
   Sep 27 11:14:06 OCSERV Connection: id=23681, reason=connect, ...
   Sep 27 11:14:15 OCSERV Disconnect: id=23681, reason=disconnect, ...

Here we have the id 23681 vs 23678 conflict.
3) Using your patch, the id is changed, but freeradius is not only
changing the nas-port but also the Acct-Unique-Session-Id.
radacct log:

Tue Sep 27 11:14:05 2016
    Acct-Status-Type = Start
    Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
    NAS-Port = 23678
    Acct-Unique-Session-Id = "58c128d0a972a6f4"

Tue Sep 27 11:14:15 2016
    Acct-Status-Type = Interim-Update
    Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
    NAS-Port = 23681
    Acct-Unique-Session-Id = "670d65df6cca4478"

Tue Sep 27 11:14:15 2016
    Acct-Status-Type = Stop
    Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
    NAS-Port = 23681
    Acct-Unique-Session-Id = "670d65df6cca4478"

Without the patch, the Acct-Unique-Session-Id stays the same. I'm unsure
whether the change of the Acct-Unique-Session-Id is a desired behaviour,
it doesn't seem like the behaviour one would expect.
What do you think?
Kind regards,
Martin
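
An added example, not part of the original message and not code from ocserv or freeradius: a check over radacct records that groups them by Acct-Session-Id and reports sessions whose NAS-Port or Acct-Unique-Session-Id changes between the Start record and later ones. The function names and the indented record layout are assumptions; the sample records are the ones from the log excerpt in the message.

```python
from collections import defaultdict

# Records from the radacct excerpt in the message above; indentation is assumed.
SAMPLE = """\
Tue Sep 27 11:14:05 2016
    Acct-Status-Type = Start
    Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
    NAS-Port = 23678
    Acct-Unique-Session-Id = "58c128d0a972a6f4"

Tue Sep 27 11:14:15 2016
    Acct-Status-Type = Interim-Update
    Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
    NAS-Port = 23681
    Acct-Unique-Session-Id = "670d65df6cca4478"

Tue Sep 27 11:14:15 2016
    Acct-Status-Type = Stop
    Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
    NAS-Port = 23681
    Acct-Unique-Session-Id = "670d65df6cca4478"
"""
TRACKED = ("NAS-Port", "Acct-Unique-Session-Id")

def parse_records(text):
    """Yield one dict of attributes per accounting record."""
    record = {}
    for line in text.splitlines():
        if " = " in line:
            name, value = line.strip().split(" = ", 1)
            record[name] = value.strip('"')
        elif record:  # a timestamp or blank line closes the record
            yield record
            record = {}
    if record:
        yield record

def find_split_sessions(text):
    """Return sessions whose NAS-Port or unique id changed between records."""
    seen = defaultdict(lambda: {a: [] for a in TRACKED})
    for rec in parse_records(text):
        for attr in TRACKED:
            values = seen[rec.get("Acct-Session-Id")][attr]
            if attr in rec and rec[attr] not in values:
                values.append(rec[attr])
    return {sid: v for sid, v in seen.items()
            if sid and any(len(x) > 1 for x in v.values())}

if __name__ == "__main__":
    print(find_split_sessions(SAMPLE))
```

A session reported here would be counted as two separate sessions by anything that keys accounting on Acct-Unique-Session-Id, leaving the Start record without a matching Stop.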