Taskforce Mobility Mailarchive


Subject Re: CUI reloaded
From Tomasz Wolniewicz <twoln@xxxxxx>
Date Mon, 28 Jul 2008 12:38:51 +0200

stefan.winter@xxxxxxxxxx wrote:
> You're right that we don't have a striking need for accounting. Nevertheless it is the SP's decision to generate Accounting packets or not, so it would not be wise to ignore the fact that there *may* be Accounting packets floating around in our infrastructure. IIRC, there are even a few federations that make actual use of it. You don't want to state that when turning on CUI, everybody has to turn off Accounting, do you?

Well no, I would prefer to tell them to turn off accounting, regardless of the fact if they want to use CUI or not. What business do you have as the IdP administrator to know how many bytes your roaming users are transferring and at which places? These bytes do not belong to you, they belong to the SP. The SP is not charging IdP for these bytes, so this information should not be made available in the name of protecting user's privacy. The SP has the right to gather this information, and for this reason it would be very useful to be able to use CUI and create usage statistics per CUI value. This will not be easy, if the NASes do not handle CUI as they should. One way to implement this would be to gather use statistics per guest IP and bind IP to CUI (as we should anyway). This is not done via Radius accounting, but definitely gives quite reliable information.

> Also, accounting does have a few upsides even for us. If we had accounting throughout the infrastructure, we could have a more deterministic view on the number of *uses* of our infrastructure (and could move on from the unholy discussion that "number of successful authentications" is the only idea we've got). All those re-auths happening on the same user session could then be easily dissected into a single user session.

I do not agree. We can count Calling-Station-Id's and count one CSId per day. This way we will have individual roaming users (or perhaps devices) without using CUI from accounting. Using CSId we can get proper statistics today, using any other method we need to rely on the infrastructure implementing CUI or accounting, which is not going to happen very soon. Besides, accounting does not necessarily give so much more information. Accounting Start/Stop may very well happen when the client changes the AP, also when the client reauthenticates to the same AP it may cause an Accounting Stop.

Yours
Tomasz

--
Tomasz Wolniewicz twoln@xxxxxx http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576
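
The one-Calling-Station-Id-per-day count described in the message above, as an added example (not code from the thread or its participants): re-authentications and differing MAC notations collapse into one device per day. The log line format and all function names are assumptions made for illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical "timestamp result key=value" format;
# real RADIUS server logs differ and need their own parser.
SAMPLE_LOG = """\
2008-07-28T09:14:02 Access-Accept Calling-Station-Id=00-1B-63-AA-BB-01
2008-07-28T09:44:10 Access-Accept Calling-Station-Id=00:1b:63:aa:bb:01
2008-07-28T10:02:31 Access-Reject Calling-Station-Id=00-1B-63-AA-BB-02
2008-07-28T11:20:00 Access-Accept Calling-Station-Id=001b.63aa.bb03
2008-07-29T08:05:45 Access-Accept Calling-Station-Id=001B63AABB01
2008-07-29T08:06:00 Access-Accept Calling-Station-Id=not-a-mac
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\S+\s+(Access-\w+)\s+Calling-Station-Id=(\S+)"
)


def normalize_csid(raw):
    """Reduce a MAC-style Calling-Station-Id to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[-:.]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def daily_unique_devices(log_text):
    """Map each day to the set of distinct CSIds with at least one Access-Accept."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        day, result, raw = m.groups()
        csid = normalize_csid(raw)
        # Rejected attempts and non-MAC identifiers do not count as a use.
        if result == "Access-Accept" and csid:
            per_day[day].add(csid)  # set membership collapses re-auths
    return dict(per_day)


def device_days(log_text):
    """Total of per-day distinct devices: the 'one CSId per day' usage figure."""
    return sum(len(s) for s in daily_unique_devices(log_text).values())


if __name__ == "__main__":
    for day, devices in sorted(daily_unique_devices(SAMPLE_LOG).items()):
        print(day, len(devices))
```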