[cisco-nas] Accounting problem with Cisco Aironet 1200

Marina Benard mbenard at m6.fr
Tue May 17 12:17:30 EDT 2005


Hi all.

I have a problem with my Cisco Aironet and AAA.

It doesn't send the user's Framed-IP-Address in accounting packets. The
architecture is 802.1x:

FreeRADIUS    <---------->  Access Point with DHCP  <---------->  Client
10.88.88.150                10.88.88.1                            10.88.X.X

- The user is authenticating against the FreeRADIUS server with EAP. That's
  working out without problems.
- The user gets an IP address from the Access Point. It's working too.
- The accounting is not working as I expect:
   -> The accounting packets sent to the RADIUS server don't include the IP
      of the Framed-User.
   -> The known solution for this problem is the command
      "aaa accounting delay-start", but with it, accounting packets are never
      sent after the Access-Accept packet, except for telnet EXEC logins.

Am I missing something?
Please help me.

Thanks !

ap#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 16-Apr-04 12:22 by cmong
Image text-base: 0x00003000, data-base: 0x0053CF74

ROM: Bootstrap program is C1200 boot loader
BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

ap#sh conf
Using 2950 out of 32768 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$/obN$Y7Uj9MNPbS7YGVxIO4I841
!
username root privilege 15 password 7 06140E254541011C04134658585F
ip subnet-zero
ip domain name m6.fr
ip dhcp excluded-address 10.88.88.1
!
ip dhcp pool airpool
  network 10.88.0.0 255.255.0.0
  lease 10
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.88.88.150 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server 10.88.88.150 auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default group radius local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting update periodic 2
aaa accounting exec default start-stop group radius
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid morgane8021X
   authentication open eap eap_methods
   authentication key-management wpa
   accounting acc_methods
!
ssid touristes
   authentication open
   authentication key-management wpa
   accounting acct_methods
   wpa-psk ascii 7 095E4F0D100A1F170A0850797F7F
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.88.88.1 255.255.0.0
no ip route-cache
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
snmp-server view dot11view ieee802dot11 included
snmp-server community open RW
snmp-server community ieee view ieee802dot11 RW
snmp-server enable traps tty
radius-server host 10.88.88.150 auth-port 1812 acct-port 1813 key 7 03074E090F1B345F
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 44 include-in-access-req
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!
line con 0
line vty 5 15
!
end
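
An added example, not part of the original post or of any Cisco or FreeRADIUS tooling: a small Python check that every AAA method list referenced inside an `ssid` block is defined under the same name, run on an excerpt of the configuration above. The mapping of `authentication open eap` to `aaa authentication login` lists and of `accounting` to `aaa accounting network` lists is an assumption drawn from the names used in this configuration.

```python
import re

# Excerpt of the "sh conf" output posted above (AAA and SSID lines only).
CONFIG = """\
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network acct_methods start-stop group rad_acct
!
ssid morgane8021X
   authentication open eap eap_methods
   authentication key-management wpa
   accounting acc_methods
!
ssid touristes
   authentication open
   authentication key-management wpa
   accounting acct_methods
!
"""

# Assumed mapping: which "aaa ..." list type each ssid sub-command refers to.
DEFINE = re.compile(r"^aaa (authentication login|accounting network) (\S+)")
SSID = re.compile(r"^ssid (\S+)")
REFS = {
    "authentication login": re.compile(r"^authentication open eap (\S+)"),
    "accounting network": re.compile(r"^accounting (\S+)"),
}

def undefined_method_lists(config):
    """Return (ssid, list_type, name) for each ssid reference to an undefined list."""
    lines = [l.strip() for l in config.splitlines()]
    defined = {m.groups() for l in lines if (m := DEFINE.match(l))}
    findings, ssid = [], None
    for line in lines:
        if m := SSID.match(line):
            ssid = m.group(1)
        elif line == "!":          # "!" closes the ssid block in this config
            ssid = None
        elif ssid:
            for kind, pattern in REFS.items():
                if (m := pattern.match(line)) and (kind, m.group(1)) not in defined:
                    findings.append((ssid, kind, m.group(1)))
    return findings

if __name__ == "__main__":
    for ssid, kind, name in undefined_method_lists(CONFIG):
        print(f"ssid {ssid}: '{name}' is not a defined 'aaa {kind}' list")
```

On the posted excerpt it reports `acc_methods` under `ssid morgane8021X`, while the defined accounting list is `acct_methods`; the post does not establish whether this explains the missing accounting packets.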