[cisco-nas] Accounting problem with Cisco Aironet 1200

Mathieu Benard mbenard at m6.fr
Wed May 18 04:32:42 EDT 2005


Aaron,

Thanks for your answer. I'm OK with the fact that there is no guarantee 
that the AP will ever successfully know the IP address. But let's 
consider a case where it manages to know it and to display it with the 
show dot11 associations command; then it should be able to send it in 
RADIUS packets (?).

Like I said before, with the "aaa accounting delay-start" command 
activated in my conf, no accounting packets are sent at all (that means 
the AP considers that the IP negotiation has not ended yet), but the AP 
actually knows the IP address of the user (as I can verify it with the 
following command):

ap#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [morgane8021X] :

MAC Address    IP address      Device        Name            Parent         State
0011.5034.3388 10.88.0.1       4500-radio    -               self           EAP-Assoc

That's unexpected behavior. Is something wrong in my conf?

Thanks in advance

Marina


Aaron Leonard wrote:

> Marina,
>
> Please be aware that the access point is a layer two device,
> not a layer three device, and does not necessarily have any
> visibility into layer three information such as IP addresses.
>
> While the access point may eventually be able to learn the
> client's IP address and display it via "show dot11 associations",
> it does this by sniffing packets received by the client *after*
> the client has fully authenticated and associated.  There is no
> guarantee that the AP will ever successfully learn the client's
> IP address (since the client may fail to emit IP packets for
> an arbitrarily long time).
>
> Regards,
>
> Aaron
>
> ---
>
>> Hi all.
>>
>> I have a problem with my Cisco Aironet and AAA.
>>
>> It doesn't send the user Framed-IP-Address in accounting packets. The 
>> architecture is 802.1x:
>>
>> FreeRADIUS    <------------->    Access Point with DHCP    <------------->    Client
>> 10.88.88.150                     10.88.88.1                                   10.88.X.X
>>
>> - The user is authenticating against Freeradius server with EAP. 
>> That's working out without problems.
>> - The user gets an IP Address from the Access Point. It's working too.
>> - The accounting is not working as I expect:
>>   -> The accounting packets sent to radius server don't include the 
>> IP of the Framed-User.
>>   -> The known solution for this problem is the command "aaa 
>> accounting delay-start", but with it, accounting packets are never 
>> sent after the Access-Accept packet, except for telnet EXEC logins.
>>
>> Am I missing something?
>> Please help me..
>>
>> Thanks !
>>
>> ap#sh ver
>> Cisco Internetwork Operating System Software
>> IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA4, EARLY 
>> DEPLOYMENT RELEASE SOFTWARE (fc1)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 1986-2004 by cisco Systems, Inc.
>> Compiled Fri 16-Apr-04 12:22 by cmong
>> Image text-base: 0x00003000, data-base: 0x0053CF74
>>
>> ROM: Bootstrap program is C1200 boot loader
>> BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY 
>> DEPLOYMENT RELEASE SOFTWARE (fc1)
>>
>> ap#sh conf
>> Using 2950 out of 32768 bytes
>> !
>> version 12.2
>> no service pad
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> service password-encryption
>> !
>> hostname ap
>> !
>> enable secret 5 $1$/obN$Y7Uj9MNPbS7YGVxIO4I841
>> !
>> username root privilege 15 password 7 06140E254541011C04134658585F
>> ip subnet-zero
>> ip domain name m6.fr
>> ip dhcp excluded-address 10.88.88.1
>> !
>> ip dhcp pool airpool
>>  network 10.88.0.0 255.255.0.0
>>  lease 10
>> !
>> aaa new-model
>> !
>> !
>> aaa group server radius rad_eap
>> server 10.88.88.150 auth-port 1812 acct-port 1813
>> !
>> aaa group server radius rad_mac
>> !
>> aaa group server radius rad_acct
>> server 10.88.88.150 auth-port 1812 acct-port 1813
>> !
>> aaa group server radius rad_admin
>> !
>> aaa group server tacacs+ tac_admin
>> !
>> aaa group server radius rad_pmip
>> !
>> aaa group server radius dummy
>> !
>> aaa authentication login default group radius local
>> aaa authentication login eap_methods group rad_eap
>> aaa authentication login mac_methods local
>> aaa authorization network default group radius
>> aaa accounting delay-start
>> aaa accounting update periodic 2
>> aaa accounting exec default start-stop group radius
>> aaa accounting network acct_methods start-stop group rad_acct
>> aaa session-id common
>> !
>> bridge irb
>> !
>> !
>> interface Dot11Radio0
>> no ip address
>> no ip route-cache
>> !
>> encryption mode ciphers tkip
>> !
>> ssid morgane8021X
>>   authentication open eap eap_methods
>>   authentication key-management wpa
>>   accounting acc_methods
>> !
>> ssid touristes
>>   authentication open
>>   authentication key-management wpa
>>   accounting acct_methods
>>   wpa-psk ascii 7 095E4F0D100A1F170A0850797F7F
>> !
>> speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
>> rts threshold 2312
>> station-role root
>> bridge-group 1
>> bridge-group 1 subscriber-loop-control
>> bridge-group 1 block-unknown-source
>> no bridge-group 1 source-learning
>> no bridge-group 1 unicast-flooding
>> bridge-group 1 spanning-disabled
>> !
>> interface FastEthernet0
>> no ip address
>> no ip route-cache
>> duplex auto
>> speed auto
>> bridge-group 1
>> no bridge-group 1 source-learning
>> bridge-group 1 spanning-disabled
>> !
>> interface BVI1
>> ip address 10.88.88.1 255.255.0.0
>> no ip route-cache
>> !
>> ip http server
>> ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
>>
>> ip radius source-interface BVI1
>> snmp-server view dot11view ieee802dot11 included
>> snmp-server community open RW
>> snmp-server community ieee view ieee802dot11 RW
>> snmp-server enable traps tty
>> radius-server host 10.88.88.150 auth-port 1812 acct-port 1813 key 7 03074E090F1B345F
>> radius-server attribute 8 include-in-access-req
>> radius-server attribute 32 include-in-access-req format %h
>> radius-server attribute 44 include-in-access-req
>> radius-server authorization permit missing Service-Type
>> radius-server vsa send accounting
>> radius-server vsa send authentication
>> bridge 1 route ip
>> !
>> !
>> line con 0
>> line vty 5 15
>> !
>> end
>>
>>
>> _______________________________________________
>> cisco-nas mailing list
>> cisco-nas at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nas
>>  
>>

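The thread turns on what the access point actually puts into its RADIUS Accounting-Request packets (whether Framed-IP-Address, attribute 8, is present, and whether Start/Interim/Stop records are sent at all once "aaa accounting delay-start" is configured). The decoder below is an added example, not code from the thread, from Cisco or from FreeRADIUS: it parses a raw Accounting-Request as captured on the RADIUS server side (RFC 2866 layout), verifies the Request Authenticator with the shared secret before trusting any attribute, and reports the Acct-Status-Type and Framed-IP-Address fields. The shared secret, user name and session id in the demo are constructed values, not those of the original configuration; the builder function exists only so the example runs offline without a NAS.

```python
"""Decode a RADIUS Accounting-Request (RFC 2866) and report what it carries.

Added example for inspecting NAS accounting traffic; the packets built in
__main__ are constructed test data, not captures from the thread's AP.
"""
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request

# Attribute type numbers from RFC 2865 / RFC 2866.
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44

ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(secret: bytes, identifier: int, attrs) -> bytes:
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret),
    exactly as RFC 2866 section 3 requires of the NAS."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Parse one Accounting-Request, verify its Request Authenticator with the
    shared secret, and extract the fields relevant to the Framed-IP problem."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError(f"bad Length field {length}")
    body = packet[20:length]  # octets beyond Length are padding (RFC 2866)

    # Check integrity before trusting the body: a Start/Stop record forged by a
    # host that does not hold the shared secret must be rejected, not logged.
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    authenticator_ok = expected == packet[4:20]

    attrs = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError(f"bad length {attr_len} for attribute {attr_type}")
        attrs.setdefault(attr_type, []).append(body[pos + 2:pos + attr_len])
        pos += attr_len

    def first(attr_type):
        return attrs.get(attr_type, [None])[0]

    framed_ip = None
    raw_ip = first(FRAMED_IP_ADDRESS)
    if raw_ip is not None and len(raw_ip) == 4:
        framed_ip = str(ipaddress.IPv4Address(raw_ip))

    status = None
    raw_status = first(ACCT_STATUS_TYPE)
    if raw_status is not None and len(raw_status) == 4:
        status = ACCT_STATUS_NAMES.get(struct.unpack("!I", raw_status)[0], "unknown")

    return {
        "identifier": identifier,
        "authenticator_ok": authenticator_ok,
        "user": (first(USER_NAME) or b"").decode("utf-8", "replace") or None,
        "session_id": (first(ACCT_SESSION_ID) or b"").decode("utf-8", "replace") or None,
        "status": status,
        "framed_ip": framed_ip,  # None means the NAS sent no Framed-IP-Address
    }


if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed, not the key from the thread
    start_without_ip = build_accounting_request(SECRET, 7, [
        (USER_NAME, b"testuser"),
        (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
        (ACCT_SESSION_ID, b"00000001"),
    ])
    interim_with_ip = build_accounting_request(SECRET, 8, [
        (USER_NAME, b"testuser"),
        (ACCT_STATUS_TYPE, struct.pack("!I", 3)),
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.88.0.1").packed),
    ])
    for pkt in (start_without_ip, interim_with_ip):
        print(parse_accounting_request(pkt, SECRET))
    # The same packet checked with the wrong secret must fail verification.
    print(parse_accounting_request(interim_with_ip, b"wrong")["authenticator_ok"])
```

Run it against real traffic by feeding the UDP payload of each packet to port 1813 into parse_accounting_request with the server's shared secret: a result with status "Start" and framed_ip None is the symptom described in the original message, and a stream with no Accounting-Request at all after the Access-Accept is the delay-start symptom.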
