[tac_plus] session.session_id values coming different for each accounting record?

Alan McKinnon alan.mckinnon at gmail.com
Thu Sep 19 14:27:45 UTC 2013 

Logically, you would think there would be such a thing; the packet type
name even leads you to believe it. It is "accounting", not "command
logging", so surely it should be able to track user sessions so you can
account for them? (Think old dial-up systems billed by type or time).

But no, I have not found such a mechanism in the protocol.

The document that describes the Tacacs+ protocol is here (AFAIK it never
made it to a full RFC):

http://tools.ietf.org/html/draft-grant-tacacs-02

Perhaps you can see something there to use. The "data" and "reason"
fields in authorization and accounting resp at first glance look like
they might be useful, but I haven't thought it through how one might
make use of them (or even if you could)





On 19/09/2013 16:03, Sachin.6.Gupta wrote:
> Oh :(. Thanks Alan for clarifying it. I completely misunderstood it.
> 
> Is there any way/key value to identify accounting packets for a single session?
> I mean is there a value which remains constant throughout till the user logs out?
> 
> Regards
> 
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Thursday, September 19, 2013 7:25 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] session.session_id values coming different for each accounting record?
> 
> On 19/09/2013 15:42, Sachin.6.Gupta wrote:
>> Hi,
>>
>> Facing a strange problem when fetching the session id.
>> I am storing the session id in the accounting logs also. My understanding is that when tacacs+ client sends accounting packet to TACACS+ server, session_id should remain same for the host till logout happens.
>> However session_id is getting populated differently for each accounting packet.
>>
>> Is this the expected behavour? Or something is wrong here?
>>
>> PS: I am testing in lab and only nas is connected with one user only.
>>
>> Please guide.
> 
> I guess you have wrongly assumed what session means here, it is not a login session from login to logout. From the Tacacs draft RFC in section "Technical Definitions"
> 
> Session
>     The concept of a session is used throughout this document. A TACACS+ session is a single authentication sequence, a single authorization exchange, or a single accounting exchange.
>     The session concept is important because a session identifier is used as a part of the encryption, and it is used by both ends to distinguish between packets belonging to multiple sessions.
>     Multiple sessions may be supported simultaneously and/or consecutively on a single TCP connection if both the daemon and client support this. If multiple sessions are not being multiplexed over a single tcp connection, a new connection should be opened for each
> TACACS+ session and closed at the end of that session. For accounting
> and authorization, this implies just a single pair of packets exchanged over the connection (the request and its reply). For authentication, a single session may involve an arbitrary number of packets being exchanged.
>     The session is an operational concept that is maintained between the
> TACACS+ client and daemon. It does not necessarily correspond to a given
> user or user action.
> 
> 
> 
> 
> 
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> 
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
> 
> ============================================================================================================================Disclaimer:  This message and the information contained herein is proprietary and confidential and subject to the Tech Mahindra policy statement, you may review the policy at <a href="http://www.techmahindra.com/Disclaimer.html">http://www.techmahindra.com/Disclaimer.html</a> externally and <a href="http://tim.techmahindra.com/tim/disclaimer.html">http://tim.techmahindra.com/tim/disclaimer.html</a> internally within Tech Mahindra.============================================================================================================================
> 
> ============================================================================================================================Disclaimer:  This message and the information contained herein is proprietary and confidential and subject to the Tech Mahindra policy statement, you may review the policy at <a href="http://www.techmahindra.com/Disclaimer.html">http://www.techmahindra.com/Disclaimer.html</a> externally and <a href="http://tim.techmahindra.com/tim/disclaimer.html">http://tim.techmahindra.com/tim/disclaimer.html</a> internally within Tech Mahindra.============================================================================================================================
> 


-- 
Alan McKinnon
alan.mckinnon at gmail.com

More information about the tac_plus mailing list