Radius Accounting Logs

Christian Roy (roychri@total.net)
Thu, 24 Apr 1997 11:08:00 -0400

Hi,
Maybe I'm not sending this to the right mailing list. Please let me know
if this is the case.
We are an Internet Service Provider in Montreal and some of our modem Banks
are using Radius Authentication with Portmasters. We want to be able to
charge users who use too many hours. We already have billing software that
interprets our usage logs. For Example :

Usage Log:
Username StartDate StartTime StopDate StopTime LenghtOfCallInMinutes

Example :
bob 04/04/97 20:00:00 04/04/97 21:00:00 60

I already wrote a C++ program that parses Radius logs and converts them
into usage Logs. I'm trying to eliminate errors by detecting 'Login without
Logout' and 'Logout without Login'

'Login without Logout':
When a Login is detected, I check for previous Login on the same modem. If
there is, I simply disregard the previous login (by removing it from
memory) and call it a 'login without logout'. I then add the current
detected login in memory

'Logout without Login':
When a Logout is detected, I check for a previous matching login for the
same modem. If I can't find one, I call it a 'Logout without Login'. If I
find a matching login, I remove the Login in memory and create the usage line.

To find the matching Login or Logout I use the Client-Id and Client-Port-Id.

Here is what I found in the Radius Logs:

Mon Apr 21 09:08:26 1997
Acct-Session-Id = "3900AECA"
User-Name = "bob"
Client-Id = 199.166.232.19
Client-Port-Id = 25
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Address = 199.166.232.177
Acct-Delay-Time = 0

Mon Apr 21 09:34:03 1997
Acct-Session-Id = "3900AEF6"
User-Name = "sam"
Client-Id = 199.166.232.19
Client-Port-Id = 25
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Address = 199.166.232.150
Acct-Delay-Time = 0

Mon Apr 21 09:34:26 1997
Acct-Session-Id = "3900AEF6"
User-Name = "sam"
Client-Id = 199.166.232.19
Client-Port-Id = 25
Acct-Status-Type = Stop
Acct-Session-Time = 23
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Address = 199.166.232.150
Acct-Delay-Time = 0

Mon Apr 21 09:35:00 1997
Acct-Session-Id = "3900AECA"
User-Name = "bob"
Client-Id = 199.166.232.19
Client-Port-Id = 25
Acct-Status-Type = Stop
Acct-Session-Time = 1464
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Address = 199.166.232.177
Acct-Delay-Time = 130

Maybe I don't understand these logs very well, but it clearly shows that bob
and sam were connected on the same modem for a few seconds...
Is that what these logs mean? If yes, then I have a big problem with my
logs because I detect about 400 of these each day.

If that's not what it means, can you offer me an explanation?

This is what my program does parsing these logs as input :

Detect first login. (bob)
Look in memory if a previous login with same Client-Id and same
Client-Port-Id.
doesn't find anything. (Because first login of logs)
Add this Login in memory.
Detect second Login (sam)
Look in memory if a previous login with same Client-Id and same
Client-Port-Id.
It finds something: display Login without Logout and remove previous login
(bob) from memory
Add this Login in memory. (sam)
Detect first Logout (sam)
Look in memory if a previous login with same Client-Id and same
Client-Port-Id.
Found : create Usage Line (sam)
Remove login from memory (sam)
Detect second Logout (bob)
Look in memory if a previous login with same Client-Id and same
Client-Port-Id.
doesn't find anything : Display Logout without Login.
End of program.

That is obviously not the way to go because bob won't show up in the usage
logs.

Any tips from anyone would be appreciated.

Christian Roy

///
(. .)
---oOO-(_)--OOo---
roychri@total.net
Programmer Analyst
TotalNet (Accent Internet)
1-800-920-SURF
(514)481-2585
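
Added example, not part of the original post: a Python sketch that pairs Start and Stop records on Client-Id plus Acct-Session-Id instead of the port, and subtracts Acct-Delay-Time (the seconds the NAS spent trying to deliver the record) from the log timestamp to get the event time. Run on the four records above, bob's Stop lands at 09:32:50, before sam's Start at 09:34:03, so the sessions do not overlap. The function names, the round-up to whole minutes and the month/day/year date order are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: the four records from the post, cut down to the attributes used here.
_REC = ('Acct-Session-Id = "{}"\nUser-Name = "{}"\nClient-Id = 199.166.232.19\n'
        'Client-Port-Id = 25\nAcct-Status-Type = {}\n{}Acct-Delay-Time = {}')
SAMPLE = "\n\n".join(ts + "\n" + _REC.format(*f) for ts, f in [
    ("Mon Apr 21 09:08:26 1997", ("3900AECA", "bob", "Start", "", 0)),
    ("Mon Apr 21 09:34:03 1997", ("3900AEF6", "sam", "Start", "", 0)),
    ("Mon Apr 21 09:34:26 1997", ("3900AEF6", "sam", "Stop", "Acct-Session-Time = 23\n", 0)),
    ("Mon Apr 21 09:35:00 1997", ("3900AECA", "bob", "Stop", "Acct-Session-Time = 1464\n", 130)),
])

def parse(text):
    """Yield one dict per record: a timestamp line, then 'Name = value' lines."""
    for block in text.strip().split("\n\n"):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        rec = {"logged": datetime.strptime(lines[0], "%a %b %d %H:%M:%S %Y")}
        for line in lines[1:]:
            name, _, value = line.partition(" = ")
            rec[name] = value.strip('"')
        yield rec

def usage_lines(text):
    """Return (usage lines, Stops with no usable start, Starts never closed)."""
    open_starts, usage, orphan_stops = {}, [], []
    for r in parse(text):
        key = (r["Client-Id"], r["Acct-Session-Id"])  # not the port: ports get reused
        # The event happened Acct-Delay-Time seconds before the record was logged.
        event = r["logged"] - timedelta(seconds=int(r.get("Acct-Delay-Time", 0)))
        if r["Acct-Status-Type"] == "Start":
            open_starts[key] = event
        elif r["Acct-Status-Type"] == "Stop":
            start = open_starts.pop(key, None)
            if "Acct-Session-Time" in r:  # the NAS's own measurement wins
                start = event - timedelta(seconds=int(r["Acct-Session-Time"]))
            if start is None:  # 'Logout without Login' and no duration to fall back on
                orphan_stops.append(key)
                continue
            minutes = -(-int((event - start).total_seconds()) // 60)  # assumption: round up
            fmt = "%m/%d/%y %H:%M:%S"  # assumption: month/day/year, as in the usage log example
            usage.append(f'{r["User-Name"]} {start:{fmt}} {event:{fmt}} {minutes}')
    return usage, orphan_stops, open_starts  # open_starts left over = 'Login without Logout'

if __name__ == "__main__":
    print("\n".join(usage_lines(SAMPLE)[0]))
```

Because a Stop that carries Acct-Session-Time yields a usage line even when its Start record was never logged, only Stops lacking both are reported as orphans.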