[cisco-nas] Radius and Aironet 1200 > missing accounting attributes

Marcos González mgtroyas at gmail.com
Tue Dec 20 05:00:03 EST 2005


Hello. My name is Marcos, and I'm doing a final degree project involving a
Radius server and a Cisco Aironet 1200 NAS. The Radius server is Freeradius
1.0.4 running on a Fedora Core 4 linux box. The client is a Windows XP
laptop, using a Cisco 802.11a/b/g wireless LAN client adapter (PCMCIA) or an
Intel BG2200 integrated wireless adapter. I'm using EAP-TLS.

The authentication and authorization parts are working perfectly. All the
certificates have been created, and the laptop connects without problems.

My problem is, the NAS is sending "accounting-request" packages as expected,
to the Radius server, but only the "Acct-Session-Time" attribute is being
tracked. All the other attributes are missing. I especially need the
"Acct-Output-Octets" and "Acct-Input-Octets" attributes, but I haven't been
able to get it working.

The Cisco documentation states this NAS should be able to send all the
accounting attributes I need. The list is in this webpage:
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a008010f9d6.html#87406

Here is an extract:

Table 9-1   Accounting Attributes the Access Point Sends to the Accounting
Server
[...]
 Acct-Session-Time: The elapsed time in seconds that the client device has
been associated to the access point. The access point sends this attribute
only with the ACCT_STOP and ACCT_UPDATE status types.

 Acct-Input-Octets: The number of octets received on the wireless network
through the access point since the client device associated to the access
point. The access point sends this attribute only with the ACCT_STOP and
ACCT_UPDATE status types.

 Acct-Output-Octets: The number of octets sent on the wireless network
through the access point since the client device associated to the access
point. The access point sends this attribute only with the ACCT_STOP and
ACCT_UPDATE status types.
[...]
Here is an extract of the "detail" file in the Radius "radacct" directory of
the logs (/var/log/radius/radacct/192.168.100.1/detail-20051213).

Tue Dec 13 13:52:36 2005
        Acct-Session-Id = "0000002D"
        Called-Station-Id = "0013.60e7.e900"
        Calling-Station-Id = "0040.96a8.2b73"
        Cisco-AVPair = "ssid=wifi2005"
        Cisco-AVPair = "nas-location=unspecified"
        Cisco-AVPair = "connect-progress=Call Up"
        Acct-Session-Time = 2051
        Acct-Authentic = RADIUS
        User-Name = "Portatil_XP"
        Acct-Status-Type = Alive
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "37"
        NAS-Port = 37
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.100.1
        Acct-Delay-Time = 0
        Client-IP-Address = 192.168.100.1
        Acct-Unique-Session-Id = "90e48e71577c8417"
        Timestamp = 1134478356

---------------------------------------------------------------------------------------------------------------------------------------------------

I've sniffed the connection using Ethereal, and I checked that only those
attributes are sent inside the Radius package.

I've also checked via SNMP that the octets are being accounted by the NAS;
here are the two queries I did:

[root@wifi2005 ~]# snmpget -v2c -c IT-UNIOVI 192.168.100.1 ifInOctets.1
IF-MIB::ifInOctets.1 = Counter32: 2347354
[root@wifi2005 ~]# snmpget -v2c -c IT-UNIOVI 192.168.100.1 ifOutOctets.1
IF-MIB::ifOutOctets.1 = Counter32: 19268485

After some time surfing from the laptop, I repeated the query and both
values had increased accordingly.

---------------------------------------------------------------------------------------------------------------------------------------------------

Here is the Aironet 1200 running config:

ap#show running-config
Building configuration...

Current configuration : 3332 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
logging queue-limit 100
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
username Cisco password 7 XXXXXXXXXXXXXXXXXXXXXX
ip subnet-zero
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.100.2 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 192.168.100.2 auth-port 1812 acct-port 1813
 accounting accept milista
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_acct1
 server 192.168.100.2 auth-port 1812 acct-port 1813
 accounting accept milista
!
aaa group server radius rad_eap1
 server 192.168.100.2 auth-port 1812 acct-port 1813
!
aaa authentication login default group rad_wifi2005 local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authentication ppp default group rad_wifi2005
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa authorization network default group rad_wifi2005
aaa accounting update periodic 1
aaa accounting exec default start-stop group rad_wifi2005
aaa accounting network default start-stop group radius
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network acct_methods1 start-stop group rad_acct1
aaa accounting connection default start-stop group rad_wifi2005
aaa session-id common
dot11 network-map
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 load-interval 30
 !
 encryption mode ciphers tkip
 !
 ssid wifi2005
    authentication open eap eap_methods1
    authentication network-eap eap_methods1
    authentication key-management wpa
    accounting acct_methods1
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 rts threshold 2312
 station-role root
 dot1x reauth-period server
 dot1x client-timeout 20
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.100.1 255.255.255.0
 no ip route-cache
!
ip default-gateway x.x.x.x
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100
ip radius source-interface BVI1
snmp-server community IT-UNIOVI RO
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server attribute list lista_atributos
!
radius-server attribute list milista
 attribute 1-200
!
radius-server host 192.168.100.2 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXXXXXXXX
radius-server timeout 10
radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXX
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 5 15
!
end

---------------------------------------------------------------------------------------------------------------------------------------------------

The "milista" attributes list was an attempt to have all the attributes
reported, but it didn't make any difference.
I've been trying to get those attributes to be reported for weeks. If
somebody could find what I'm doing wrong, or what I'm missing, it would be of
great value to me. Also, if somebody knows this AP is not able to report
those attributes, it'd help me completely. I apologize for the long email.
Many thanks in advance.
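
Added example, not part of the original post: a Python check over a FreeRADIUS "detail" file that lists every Stop or interim (Alive) record lacking the counters the quoted Cisco table says accompany those status types. The sample text is constructed, apart from the Alive record, which is trimmed from the one quoted above; the function names are hypothetical.

```python
import re

# Attributes the quoted Cisco table ties to ACCT_STOP / ACCT_UPDATE records.
EXPECTED = ("Acct-Session-Time", "Acct-Input-Octets", "Acct-Output-Octets")
# Interim updates appear in the detail file as "Alive" or "Interim-Update".
STATUS_WITH_COUNTERS = {"Stop", "Alive", "Interim-Update"}
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$')

# Constructed sample: Start and Stop records are invented for illustration.
SAMPLE = """
Tue Dec 13 13:18:25 2005
        Acct-Session-Id = "0000002D"
        Acct-Status-Type = Start

Tue Dec 13 13:52:36 2005
        Acct-Session-Id = "0000002D"
        Cisco-AVPair = "ssid=wifi2005"
        Acct-Session-Time = 2051
        Acct-Status-Type = Alive

Tue Dec 13 14:10:00 2005
        Acct-Session-Id = "0000002E"
        Acct-Session-Time = 120
        Acct-Input-Octets = 1000
        Acct-Output-Octets = 2000
        Acct-Status-Type = Stop
"""

def parse_detail(text):
    """Split detail-file text into (timestamp header, [(attr, value), ...])."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():            # a blank line ends the current record
            current = None
        elif not line[0].isspace():     # unindented line starts a new record
            current = (line.strip(), [])
            records.append(current)
        elif current is not None and (m := ATTR_RE.match(line)):
            current[1].append((m.group(1), m.group(2).strip().strip('"')))
    return records

def missing_counters(records):
    """Return (session id, status, missing attrs) for incomplete records."""
    findings = []
    for _header, pairs in records:
        attrs = dict(pairs)             # repeated Cisco-AVPair collapses; unused here
        status = attrs.get("Acct-Status-Type")
        missing = [a for a in EXPECTED if a not in attrs]
        if status in STATUS_WITH_COUNTERS and missing:
            findings.append((attrs.get("Acct-Session-Id"), status, missing))
    return findings

if __name__ == "__main__":
    for finding in missing_counters(parse_detail(SAMPLE)):
        print(finding)
```

Run against a real detail file by passing its contents to `parse_detail`; an empty result means every Stop and interim record carried all three attributes.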