[cisco-nas] Accounting problem with Cisco Aironet 1200
Aaron Leonard
Aaron at cisco.com
Tue May 17 13:43:46 EDT 2005
Marina,
Please be aware that the access point is a layer two device,
not a layer three device, and does not necessarily have any
visibility into layer three information such as IP addresses.
While the access point may eventually be able to learn the
client's IP address and display it via "show dot11 associations",
it does this by sniffing packets received by the client *after*
the client has fully authenticated and associated. There is no
guarantee that the AP will ever successfully learn the client's
IP address (since the client may fail to emit IP packets for
an arbitrarily long time).
Regards,
Aaron
---
>Hi all.
>
>I have a problem with my Cisco Aironet and AAA.
>
>It doesn't send the user Framed-IP-Address in accounting packets. The
>architecture is 802.1x:
>
>FreeRADIUS <-------------------> Access Point with DHCP <--------------------------> Client
>10.88.88.150                      10.88.88.1                                         10.88.X.X
>
>- The user is authenticating against Freeradius server with EAP. That's
>working out without problems.
>- The user gets an IP Address from the Access Point. It's working too.
>- The accounting is not working as I expect:
> -> The accounting packets sent to radius server don't include the IP
>of the Framed-User.
> -> The known solution for this problem is the command "aaa
>accounting delay-start", but with it, accounting packets are never sent
>after the Access-Accept packet, except for telnet EXEC logins.
>
>Am I missing something?
>Please help me.
>
>Thanks!
>
>ap#sh ver
>Cisco Internetwork Operating System Software
>IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA4, EARLY
>DEPLOYMENT RELEASE SOFTWARE (fc1)
>Technical Support: http://www.cisco.com/techsupport
>Copyright (c) 1986-2004 by cisco Systems, Inc.
>Compiled Fri 16-Apr-04 12:22 by cmong
>Image text-base: 0x00003000, data-base: 0x0053CF74
>
>ROM: Bootstrap program is C1200 boot loader
>BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY
>DEPLOYMENT RELEASE SOFTWARE (fc1)
>
>ap#sh conf
>Using 2950 out of 32768 bytes
>!
>version 12.2
>no service pad
>service timestamps debug datetime msec
>service timestamps log datetime msec
>service password-encryption
>!
>hostname ap
>!
>enable secret 5 $1$/obN$Y7Uj9MNPbS7YGVxIO4I841
>!
>username root privilege 15 password 7 06140E254541011C04134658585F
>ip subnet-zero
>ip domain name m6.fr
>ip dhcp excluded-address 10.88.88.1
>!
>ip dhcp pool airpool
> network 10.88.0.0 255.255.0.0
> lease 10
>!
>aaa new-model
>!
>!
>aaa group server radius rad_eap
>server 10.88.88.150 auth-port 1812 acct-port 1813
>!
>aaa group server radius rad_mac
>!
>aaa group server radius rad_acct
>server 10.88.88.150 auth-port 1812 acct-port 1813
>!
>aaa group server radius rad_admin
>!
>aaa group server tacacs+ tac_admin
>!
>aaa group server radius rad_pmip
>!
>aaa group server radius dummy
>!
>aaa authentication login default group radius local
>aaa authentication login eap_methods group rad_eap
>aaa authentication login mac_methods local
>aaa authorization network default group radius
>aaa accounting delay-start
>aaa accounting update periodic 2
>aaa accounting exec default start-stop group radius
>aaa accounting network acct_methods start-stop group rad_acct
>aaa session-id common
>!
>bridge irb
>!
>!
>interface Dot11Radio0
>no ip address
>no ip route-cache
>!
>encryption mode ciphers tkip
>!
>ssid morgane8021X
> authentication open eap eap_methods
> authentication key-management wpa
> accounting acc_methods
>!
>ssid touristes
> authentication open
> authentication key-management wpa
> accounting acct_methods
> wpa-psk ascii 7 095E4F0D100A1F170A0850797F7F
>!
>speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
>36.0 48.0 54.0
>rts threshold 2312
>station-role root
>bridge-group 1
>bridge-group 1 subscriber-loop-control
>bridge-group 1 block-unknown-source
>no bridge-group 1 source-learning
>no bridge-group 1 unicast-flooding
>bridge-group 1 spanning-disabled
>!
>interface FastEthernet0
>no ip address
>no ip route-cache
>duplex auto
>speed auto
>bridge-group 1
>no bridge-group 1 source-learning
>bridge-group 1 spanning-disabled
>!
>interface BVI1
>ip address 10.88.88.1 255.255.0.0
>no ip route-cache
>!
>ip http server
>ip http help-path
>http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
>ip radius source-interface BVI1
>snmp-server view dot11view ieee802dot11 included
>snmp-server community open RW
>snmp-server community ieee view ieee802dot11 RW
>snmp-server enable traps tty
>radius-server host 10.88.88.150 auth-port 1812 acct-port 1813 key 7
>03074E090F1B345F
>radius-server attribute 8 include-in-access-req
>radius-server attribute 32 include-in-access-req format %h
>radius-server attribute 44 include-in-access-req
>radius-server authorization permit missing Service-Type
>radius-server vsa send accounting
>radius-server vsa send authentication
>bridge 1 route ip
>!
>!
>line con 0
>line vty 5 15
>!
>end
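An added example, not part of the thread or of any Cisco or FreeRADIUS code: a Python check for the symptom described above, decoding a RADIUS Accounting-Request (RFC 2866), verifying its Request Authenticator against the shared secret, and reporting whether Framed-IP-Address (attribute 8) is present in the record. The two sample packets and the secret are constructed here; attribute numbers are the standard RADIUS ones.

```python
import hashlib
import struct
from ipaddress import IPv4Address

ACCT_REQUEST = 4  # RADIUS Code for Accounting-Request (RFC 2866)
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 40: "Acct-Status-Type", 44: "Acct-Session-Id"}
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_acct_request(ident, secret, attrs):
    # Assemble an Accounting-Request from (type, value-bytes) pairs; used here only to make sample input
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_attrs(body):
    # Split the attribute area into (type, value) pairs, rejecting truncated or undersized TLVs
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2 or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError(f"malformed attribute at offset {pos}")
        t, length = body[pos], body[pos + 1]
        attrs.append((t, body[pos + 2:pos + length]))
        pos += length
    return attrs


def audit_acct_request(pkt, secret):
    # Verify the accounting authenticator and report which session attributes the record carries
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length < 20 or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    body = pkt[20:]
    attrs = parse_attrs(body)
    present = {t for t, _ in attrs}
    status = next((struct.unpack("!I", v)[0] for t, v in attrs if t == 40 and len(v) == 4), None)
    return {
        "authenticator_ok": hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest() == pkt[4:20],
        "user": next((v.decode("utf-8", "replace") for t, v in attrs if t == 1), None),
        "status": STATUS_NAMES.get(status, status),
        "framed_ip": next((str(IPv4Address(v)) for t, v in attrs if t == 8 and len(v) == 4), None),
        "missing": [ATTR_NAMES[t] for t in ATTR_NAMES if t not in present],
    }


SECRET = b"constructed-secret"  # constructed; not the secret from the posted config
# Constructed Start record, as an AP that has not yet learnt the client's IP would emit it
START_NO_IP = build_acct_request(7, SECRET, [(1, b"marina"), (40, struct.pack("!I", 1)), (44, b"00000001")])
# Constructed Interim-Update carrying Framed-IP-Address once the AP has seen the client's IP traffic
UPDATE_WITH_IP = build_acct_request(8, SECRET, [(1, b"marina"), (40, struct.pack("!I", 3)),
                                               (44, b"00000001"), (8, IPv4Address("10.88.1.23").packed)])
```

Running `audit_acct_request` over a capture of the AP's accounting traffic shows, per record, whether the IP ever appears, which distinguishes "never learnt" from "learnt only in later Interim-Updates".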