[tac_plus] session.session_id values coming different for each accounting record?

Alan McKinnon alan.mckinnon at gmail.com
Thu Sep 19 13:54:56 UTC 2013


On 19/09/2013 15:42, Sachin.6.Gupta wrote:
> Hi,
> 
> Facing a strange problem when fetching the session id.
> I am storing the session id in the accounting logs also. My understanding is that when a TACACS+ client sends an accounting packet to the TACACS+ server, session_id should remain the same for the host till logout happens.
> However session_id is getting populated differently for each accounting packet.
> 
> Is this the expected behaviour? Or is something wrong here?
> 
> PS: I am testing in lab and only nas is connected with one user only.
> 
> Please guide.

I guess you have wrongly assumed what session means here; it is not a
login session from login to logout. From the TACACS+ draft RFC, in section
"Technical Definitions":

Session
    The concept of a session is used throughout this document. A TACACS+
session is a single authentication sequence, a single authorization
exchange, or a single accounting exchange.
    The session concept is important because a session identifier is
used as a part of the encryption, and it is used by both ends to
distinguish between packets belonging to multiple sessions.
    Multiple sessions may be supported simultaneously and/or
consecutively on a single TCP connection if both the daemon and client
support this. If multiple sessions are not being multiplexed over a
single tcp connection, a new connection should be opened for each
TACACS+ session and closed at the end of that session. For accounting
and authorization, this implies just a single pair of packets exchanged
over the connection (the request and its reply). For authentication, a
single session may involve an arbitrary number of packets being exchanged.
    The session is an operational concept that is maintained between the
TACACS+ client and daemon. It does not necessarily correspond to a given
user or user action.





-- 
Alan McKinnon
alan.mckinnon at gmail.com
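
Added example, not part of the original message or of tac_plus: a Python sketch of the session definition quoted above, showing that each accounting request/reply pair on one TCP connection carries its own session_id and that the session_id feeds the MD5 pad used to obfuscate the body. The header layout and pad construction follow the TACACS+ draft; the key, session ids and packet bodies are constructed placeholders.

```python
import hashlib
import struct
from collections import defaultdict

# 12-byte header: version, type, seq_no, flags, session_id, body length
HDR = struct.Struct("!BBBBII")
TYPES = {1: "authen", 2: "author", 3: "acct"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain that obfuscates the body; session_id is part of every hash input."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

def build(ptype, seq_no, session_id, body, key, version=0xC0):
    """Pack one packet with an obfuscated body (flags=0)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return HDR.pack(version, ptype, seq_no, 0, session_id, len(body)) + xor(body, pad)

def sessions(stream, key):
    """Split one TCP byte stream into packets and group them by session_id."""
    out, off = defaultdict(list), 0
    while off + HDR.size <= len(stream):
        ver, ptype, seq, _flags, sid, length = HDR.unpack_from(stream, off)
        enc = stream[off + HDR.size: off + HDR.size + length]
        if len(enc) < length:
            raise ValueError("truncated packet body")
        out[sid].append((TYPES.get(ptype, "?"), seq, xor(enc, pseudo_pad(sid, key, ver, seq, length))))
        off += HDR.size + length
    return dict(out)

def demo():
    key = b"lab-shared-secret"  # constructed key
    # Constructed traffic: one user's start and stop records; bodies are placeholders.
    stream = b"".join([
        build(3, 1, 0x1111AAAA, b"acct START", key), build(3, 2, 0x1111AAAA, b"reply OK", key),
        build(3, 1, 0x2222BBBB, b"acct STOP", key), build(3, 2, 0x2222BBBB, b"reply OK", key),
    ])
    return sessions(stream, key)

if __name__ == "__main__":
    for sid, pkts in demo().items():
        print(f"session_id={sid:#010x}", pkts)
```

Each accounting session here is exactly one request (seq_no 1) and one reply (seq_no 2), so logging session_id per record yields a different value for the start and stop of the same login.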


