drdaeman / accel-ppp Goto Github PK

Some ISPs want usernames to be case-insensitive. Or treat underscores and dashes as the same character.
Some allow additional metadata in User-Name string, like username:dynamic or (DOMAIN\\username).
Some want old good exact matches.

Let's introduce a configurable username collation.

Proposed configuration example:

[usernames]
extract=^([^:]+):
on-no-match=use-whole-string
case-sensitive=0
translate="-":"_"
strip=" ","."

Another option would be to support Chargeable-User-Identity (RFC4372) RADIUS attribute to return canonicalized username from RADIUS server. This option should be investigated. Obvious downside is that it is applicable only to RADIUS-based setups, and does not work well with CLI. However, on first glance it feels like a more correct approach.

When receiving CoA/PoD packet, only the first matching session is used. Among the supported attributes, User-Name and Calling-Station-Id attributes are not unique (but at least User-Name is forced to be used together with something that would match only single session), and could be shared by multiple sessions. I believe, all of the matching sessions should be handled.

ACK/NAK rules are per RFC5176 sections 2.1 and 2.2:

The NAS responds to a Disconnect-Request packet sent by a Dynamic Authorization Client with a Disconnect-ACK if all associated session context is discarded and the user session(s) are no longer connected, or a Disconnect-NAK, if the NAS was unable to disconnect one or more sessions and discard all associated session context.

The NAS responds to a CoA-Request sent by a Dynamic Authorization Client with a CoA-ACK if the NAS is able to successfully change the authorizations for the user session(s), or a CoA-NAK if the CoA- Request is unsuccessful. A NAS MUST respond to a CoA-Request including a Service-Type Attribute with an unsupported value with a CoA-NAK; an Error-Cause Attribute with value "Unsupported Service" SHOULD be included.

I.e. ACK is sent only if all sessions, matching the request, were processed. This also means that the current behavior of handling only one session is not compliant with the RFC.