Connection ID issue using anyconnect client

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Sep 27 06:37:18 PDT 2016


On Tue, Sep 27, 2016 at 2:32 PM, Martin Oehler <martin.oehler at gmx.net> wrote:
> thanks for your effort. I tried the patch, it does what you wrote but
> I feel like we should discuss whether this is a good solution.
>
> After adding some debug statements I am able to understand what is going
> on:
>
> 1) The process id that is transferred with
>
>      Acct-Status-Type = Start
>
>    to freeradius is used for the initial nas-port id.
>
>
>    Sep 27 11:14:03 sec-mod: process_worker_packet pid=23678
>    Sep 27 11:14:03 radius-auth: communicating username (example) and
>      password
>
> 2) The connect-script receives the id that is used by a later
>    process:
>
>    Sep 27 11:14:05 sec-mod: process_worker_packet pid=23681
>    Sep 27 11:14:05 radius-auth: opening session
>      DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE=
>    Sep 27 11:14:06 sec-mod: initiating session for user 'example'
>      (session: DElVwY)
>
>    Sep 27 11:14:06 OCSERV Connection: id=23681, reason=connect, ...
>    Sep 27 11:14:15 OCSERV Disconnect: id=23681, reason=disconnect, ...
>
>    Here we have the id 23681 vs 23678 conflict.
>
> 3) Using your patch, the id is changed, but freeradius is not only
>    changing the nas-port but also the Acct-Unique-Session-Id.
>
>    radacct log:
>
>    Tue Sep 27 11:14:05 2016
>         Acct-Status-Type = Start
>         Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
>         NAS-Port = 23678
>         Acct-Unique-Session-Id = "58c128d0a972a6f4"
>
>    Tue Sep 27 11:14:15 2016
>         Acct-Status-Type = Interim-Update
>         Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
>         NAS-Port = 23681
>         Acct-Unique-Session-Id = "670d65df6cca4478"
>
>    Tue Sep 27 11:14:15 2016
>         Acct-Status-Type = Stop
>         Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
>         NAS-Port = 23681
>         Acct-Unique-Session-Id = "670d65df6cca4478"
>
> Without the patch, the Acct-Unique-Session-Id stays the same. I'm unsure
> whether the change of the Acct-Unique-Session-Id is a desired behaviour,
> it doesn't seem like the behaviour one would expect.

The unique session ID is a freeradius generated field. As far as I
understand you can make it be generated without the port.
http://freeradius.org/radiusd/man/rlm_acct_unique.txt
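
One way to check a radacct detail file for the effect discussed above, where a single Acct-Session-Id ends up with more than one Acct-Unique-Session-Id because NAS-Port changed mid-session. This is an added example, not part of the original thread or of ocserv or FreeRADIUS; the function names are hypothetical and the sample input is the radacct excerpt quoted in the message.

```python
import re
from collections import defaultdict

# Sample input: the three radacct records quoted in the message above.
SAMPLE = """\
Tue Sep 27 11:14:05 2016
    Acct-Status-Type = Start
    Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
    NAS-Port = 23678
    Acct-Unique-Session-Id = "58c128d0a972a6f4"

Tue Sep 27 11:14:15 2016
    Acct-Status-Type = Interim-Update
    Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
    NAS-Port = 23681
    Acct-Unique-Session-Id = "670d65df6cca4478"

Tue Sep 27 11:14:15 2016
    Acct-Status-Type = Stop
    Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE="
    NAS-Port = 23681
    Acct-Unique-Session-Id = "670d65df6cca4478"
"""

# An indented 'Name = value' line; surrounding double quotes are dropped.
ATTR = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*"?([^"\n]*)"?\s*$')

def parse_detail(text):
    """Yield one dict per record; records are separated by blank lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"timestamp": lines[0].strip()}
        for line in lines[1:]:
            m = ATTR.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        yield rec

def split_sessions(text):
    """Return {Acct-Session-Id: records} where the unique id is not stable."""
    by_session = defaultdict(list)
    for rec in parse_detail(text):
        if rec.get("Acct-Session-Id"):
            by_session[rec["Acct-Session-Id"]].append(rec)
    return {sid: recs for sid, recs in by_session.items()
            if len({r.get("Acct-Unique-Session-Id") for r in recs}) > 1}

if __name__ == "__main__":
    for sid, recs in split_sessions(SAMPLE).items():
        for r in recs:
            print(sid[:6], r["Acct-Status-Type"], r["NAS-Port"], r["Acct-Unique-Session-Id"])
```
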


