Hello Nikos, On Tue, Sep 27, 2016 at 09:10:47AM +0200, Nikos Mavrogiannopoulos wrote: > On Sun, Sep 25, 2016 at 5:50 PM, Martin Oehler <martin.oehler at gmx.net> wrote: > > You are right. The anyconnect client gets initially handled by a > different process than the one finally gets to handle it. The > openconnect on the other hand uses a single process throughout its > lifetime thus it is reported correctly. What we can do for the former > client is to update the reported nas-port on the subsequent accounting > messages: > > Could you try out the following branch and check whether it addresses > the nas-port issue? > https://gitlab.com/ocserv/ocserv/merge_requests/13 thanks for your effort. I tried the patch, it does what you wrote but I feel like we should discuss whether this is a good solution. After adding some debug statements I am able to understand what is going on: 1) The process id that is transferred with Acct-Status-Type = Start to freeradius is used for the initial nas-port id. Sep 27 11:14:03 sec-mod: process_worker_packet pid=23678 Sep 27 11:14:03 radius-auth: communicating username (example) and password 2) The connect-script receives the id that is used by a later process: Sep 27 11:14:05 sec-mod: process_worker_packet pid=23681 Sep 27 11:14:05 radius-auth: opening session DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE= Sep 27 11:14:06 sec-mod: initiating session for user 'example' (session: DElVwY) Sep 27 11:14:06 OCSERV Connection: id=23681, reason=connect, ... Sep 27 11:14:15 OCSERV Disconnect: id=23681, reason=disconnect, ... Here we have the id 23681 vs 23678 conflict. 3) Using your patch, the is is changed, but freeradius is not only changing the nas-port but also the Acct-Unique-Session-Id. radacct log: Tue Sep 27 11:14:05 2016 Acct-Status-Type = Start Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE=" NAS-Port = 23678 Acct-Unique-Session-Id = "58c128d0a972a6f4" Tue Sep 27 11:14:15 2016 Acct-Status-Type = Interim-Update Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE=" NAS-Port = 23681 Acct-Unique-Session-Id = "670d65df6cca4478" Tue Sep 27 11:14:15 2016 Acct-Status-Type = Stop Acct-Session-Id = "DElVwYHxWp0x4EmrYEWWZGFLRsu1jDQZKvxhD2oOHKE=" NAS-Port = 23681 Acct-Unique-Session-Id = "670d65df6cca4478" Without the patch, the Acct-Unique-Session-Id stays the same. I'm unsure whether the change of the Acct-Unique-Session-Id is a desired behaviour, it doesn't seem like the behaviour one would expect. What do you think? Kind regards, Martin
