[cisco-nas] Radius and Aironet 1200 > missing accounting attributes
Marcos González
mgtroyas at gmail.com
Tue Dec 20 05:00:03 EST 2005
Hello. My name is Marcos, and I'm doing a final degree project involving a
RADIUS server and a Cisco Aironet 1200 NAS. The RADIUS server is FreeRADIUS
1.0.4 running on a Fedora Core 4 Linux box. The client is a Windows XP
laptop, using a Cisco 802.11a/b/g wireless LAN client adapter (PCMCIA) or an
Intel BG2200 integrated wireless adapter. I'm using EAP-TLS.
The authentication and authorization parts are working perfectly. All the
certificates have been created, and the laptop connects without problems.
My problem is that the NAS is sending Accounting-Request packets to the
RADIUS server as expected, but only the "Acct-Session-Time" attribute is
being tracked. All the other attributes are missing. I especially need the
"Acct-Output-Octets" and "Acct-Input-Octets" attributes, but I haven't been
able to get them working.
The Cisco documentation states this NAS should be able to send all the
accounting attributes I need. The list is on this web page:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a008010f9d6.html#87406
Here is an extract:
Table 9-1 Accounting Attributes the Access Point Sends to the Accounting Server
[...]
Acct-Session-Time: The elapsed time in seconds that the client device has
been associated to the access point. The access point sends this attribute
only with the ACCT_STOP and ACCT_UPDATE status types.
Acct-Input-Octets: The number of octets received on the wireless network
through the access point since the client device associated to the access
point. The access point sends this attribute only with the ACCT_STOP and
ACCT_UPDATE status types.
Acct-Output-Octets: The number of octets sent on the wireless network
through the access point since the client device associated to the access
point. The access point sends this attribute only with the ACCT_STOP and
ACCT_UPDATE status types.
[...]
Here is an extract of the "detail" file in the RADIUS "radacct" log
directory (/var/log/radius/radacct/192.168.100.1/detail-20051213).
Tue Dec 13 13:52:36 2005
	Acct-Session-Id = "0000002D"
	Called-Station-Id = "0013.60e7.e900"
	Calling-Station-Id = "0040.96a8.2b73"
	Cisco-AVPair = "ssid=wifi2005"
	Cisco-AVPair = "nas-location=unspecified"
	Cisco-AVPair = "connect-progress=Call Up"
	Acct-Session-Time = 2051
	Acct-Authentic = RADIUS
	User-Name = "Portatil_XP"
	Acct-Status-Type = Alive
	NAS-Port-Type = Wireless-802.11
	Cisco-NAS-Port = "37"
	NAS-Port = 37
	Service-Type = Framed-User
	NAS-IP-Address = 192.168.100.1
	Acct-Delay-Time = 0
	Client-IP-Address = 192.168.100.1
	Acct-Unique-Session-Id = "90e48e71577c8417"
	Timestamp = 1134478356
---------------------------------------------------------------------------------------------------------------------------------------------------
I've sniffed the connection using Ethereal, and I checked that only those
attributes are sent inside the RADIUS packet.
I've also checked via SNMP that the octets are being counted by the NAS;
here are the two queries I did:
[root at wifi2005 ~]# snmpget -v2c -c IT-UNIOVI 192.168.100.1 ifInOctets.1
IF-MIB::ifInOctets.1 = Counter32: 2347354
[root at wifi2005 ~]# snmpget -v2c -c IT-UNIOVI 192.168.100.1 ifOutOctets.1
IF-MIB::ifOutOctets.1 = Counter32: 19268485
After some time surfing from the laptop, I repeated the query and both
values had increased accordingly.
---------------------------------------------------------------------------------------------------------------------------------------------------
Here is the Aironet 1200 running config:
ap#show running-config
Building configuration...
Current configuration : 3332 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
logging queue-limit 100
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username Cisco password 7 XXXXXXXXXXXXXXXXXXXXXX
ip subnet-zero
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.100.2 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server 192.168.100.2 auth-port 1812 acct-port 1813
accounting accept milista
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_acct1
server 192.168.100.2 auth-port 1812 acct-port 1813
accounting accept milista
!
aaa group server radius rad_eap1
server 192.168.100.2 auth-port 1812 acct-port 1813
!
aaa authentication login default group rad_wifi2005 local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authentication ppp default group rad_wifi2005
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa authorization network default group rad_wifi2005
aaa accounting update periodic 1
aaa accounting exec default start-stop group rad_wifi2005
aaa accounting network default start-stop group radius
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network acct_methods1 start-stop group rad_acct1
aaa accounting connection default start-stop group rad_wifi2005
aaa session-id common
dot11 network-map
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
load-interval 30
!
encryption mode ciphers tkip
!
ssid wifi2005
authentication open eap eap_methods1
authentication network-eap eap_methods1
authentication key-management wpa
accounting acct_methods1
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
dot1x reauth-period server
dot1x client-timeout 20
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.100.1 255.255.255.0
no ip route-cache
!
ip default-gateway x.x.x.x
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100
ip radius source-interface BVI1
snmp-server community IT-UNIOVI RO
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server attribute list lista_atributos
!
radius-server attribute list milista
attribute 1-200
!
radius-server host 192.168.100.2 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXXXXXXXX
radius-server timeout 10
radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 5 15
!
end
---------------------------------------------------------------------------------------------------------------------------------------------------
The "milista" attribute list was an attempt to make all the attributes be
reported, but it didn't make any difference.
I've been trying to get those attributes reported for weeks. If somebody
could find what I'm doing wrong, or what I'm missing, it would be of great
value to me. Also, if somebody knows this AP is not able to report those
attributes, that alone would help me a great deal. I apologize for the long
email.
Many thanks in advance.
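The record above is an Interim-Update (FreeRADIUS prints Acct-Status-Type 3 as "Alive") that carries Acct-Session-Time but not Acct-Input-Octets or Acct-Output-Octets. The following is an added example, not code from the post or from Cisco or FreeRADIUS: it encodes an RFC 2866 Accounting-Request from the attribute set seen in the detail record, verifies the Request Authenticator (MD5 over the packet with 16 zero octets in the authenticator field plus the shared secret, the only integrity check accounting packets get), and reports which counter attributes Table 9-1 says a Stop/Update record should carry but this one lacks. The shared secret, packet identifier and the "expected" octet values (taken from the SNMP counters quoted above) are constructed for illustration.

```python
"""RFC 2866 Accounting-Request: encode, verify the Request Authenticator, audit.

Added example, not code from the original post.  The shared secret, packet
identifier and attribute values are constructed; OBSERVED mirrors the detail
record quoted in the post (Acct-Status-Type 3 = Interim-Update, "Alive").
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4

# Attribute type numbers from RFC 2865/2866 used in the post's detail record.
ATTR = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 40: "Acct-Status-Type",
        41: "Acct-Delay-Time", 42: "Acct-Input-Octets", 43: "Acct-Output-Octets",
        44: "Acct-Session-Id", 45: "Acct-Authentic", 46: "Acct-Session-Time",
        61: "NAS-Port-Type"}
INT_ATTRS = {5, 40, 41, 42, 43, 45, 46, 61}        # 32-bit unsigned integers
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
COUNTERS = (42, 43, 46)      # Table 9-1: sent with ACCT_STOP and ACCT_UPDATE only


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: Type, Length, Value."""
    out = b""
    for t, v in attrs:
        if t in INT_ATTRS:
            raw = struct.pack("!I", v)
        elif t == 4:                                   # dotted-quad IPv4 address
            raw = bytes(int(o) for o in v.split("."))
        else:                                          # text attribute
            raw = v.encode()
        out += struct.pack("!BB", t, len(raw) + 2) + raw
    return out


def decode_attrs(body):
    """Parse TLVs back into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        raw = body[i + 2:i + length]
        if t in INT_ATTRS:
            v = struct.unpack("!I", raw)[0]
        elif t == 4:
            v = ".".join(str(b) for b in raw)
        else:
            v = raw.decode(errors="replace")
        attrs.append((t, v))
        i += length
    return attrs


def build_accounting_request(identifier, attrs, secret):
    """Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_request_authenticator(packet, secret):
    """Recompute the authenticator; RFC 2866 says a mismatch is silently dropped."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def missing_counters(attrs):
    """Counter attributes a Stop/Interim record should carry but does not."""
    present = {t for t, _ in attrs}
    if dict(attrs).get(40) not in (2, 3):
        return []
    return [ATTR[t] for t in COUNTERS if t not in present]


def audit(packet, secret):
    """Authenticate a captured Accounting-Request and report what it lacks."""
    if not verify_request_authenticator(packet, secret):
        return {"authentic": False, "status": None, "missing": None}
    attrs = decode_attrs(packet[20:])
    return {"authentic": True,
            "status": STATUS.get(dict(attrs).get(40)),
            "missing": missing_counters(attrs)}


SECRET = b"testing123"                     # constructed; the post's key is redacted
OBSERVED = [(44, "0000002D"), (1, "Portatil_XP"), (40, 3), (46, 2051), (45, 1),
            (61, 19), (5, 37), (4, "192.168.100.1"), (41, 0)]
# What the same update should carry per Table 9-1, using the SNMP counter values.
EXPECTED = OBSERVED + [(42, 2347354), (43, 19268485)]

if __name__ == "__main__":
    for label, attrs in (("observed", OBSERVED), ("expected", EXPECTED)):
        print(label, audit(build_accounting_request(0x2D, attrs, SECRET), SECRET))
    print("wrong secret", audit(build_accounting_request(1, OBSERVED, SECRET), b"nope"))
```

Running the script prints the observed record as authentic but missing Acct-Input-Octets and Acct-Output-Octets, the expected record as complete, and a packet checked against the wrong secret as not authentic. Because FreeRADIUS only writes a detail record after the authenticator check passes, a record like the one in the post shows the NAS genuinely did not put the counters on the wire, which is consistent with what the Ethereal capture showed.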