[cisco-nas] Accounting problem with Cisco Aironet 1200
Aaron Leonard
Aaron at cisco.com
Wed May 18 12:30:56 EDT 2005
Marina,
Having the AP support "aaa accounting delay-start" and include
the Framed-IP-Address attribute would be a new feature - if you
want such a thing, you would need to pursue this with your
Cisco account team and help them make a business case for it.
I would want to roll such a feature into a more comprehensive
L3 relationship between the AP (or wireless controller) and the
client. For example, I could imagine that the AP/controller
could implement DHCP server functionality which could dynamically
choose to supply a given client with a given IP address based upon
a RADIUS-supplied Framed-IP-Address. Possibly we could implement
per-user virtual interfaces (using RBE as a model, perhaps?) to
which individual access lists and QoS policies could be applied.
Meantime, the best practice would be to assign different classes
of users to different VLANs (as mentioned in my last posting).
Regards,
Aaron
---
> Aaron,
>
> Thanks for your answer. I'm OK with the fact that there is no
> guarantee that the AP will ever successfully know the IP address. But
> let's consider a case where it manages to know it and to display it
> with the show dot11 associations command, then it should be able to
> send it in RADIUS packets (?).
>
> Like I said before, with the "aaa accounting delay-start" command
> activated in my conf, no accounting packets are sent at all (that means
> the AP considers that the IP negotiation has not ended yet), but the AP
> actually knows the IP address of the user (as I can verify it with the
> following command):
>
> ap#show dot11 associations
>
> 802.11 Client Stations on Dot11Radio0:
>
> SSID [morgane8021X] :
>
> MAC Address      IP address   Device       Name   Parent   State
> 0011.5034.3388   10.88.0.1    4500-radio   -      self     EAP-Assoc
>
> That's unexpected behavior. Is something wrong in my conf?
>
> Thanks in advance
>
> Marina
>
>
> Aaron Leonard wrote:
>
>> Marina,
>>
>> Please be aware that the access point is a layer two device,
>> not a layer three device, and does not necessarily have any
>> visibility into layer three information such as IP addresses.
>>
>> While the access point may eventually be able to learn the
>> client's IP address and display it via "show dot11 associations",
>> it does this by sniffing packets received by the client *after*
>> the client has fully authenticated and associated. There is no
>> guarantee that the AP will ever successfully learn the client's
>> IP address (since the client may fail to emit IP packets for
>> an arbitrarily long time).
>>
>> Regards,
>>
>> Aaron
>>
>> ---
>>
>>> Hi all.
>>>
>>> I have a problem with my Cisco Aironet and AAA.
>>>
>>> It doesn't send the user Framed-IP-Address in accounting packets. The
>>> architecture is 802.1x:
>>>
>>> FreeRADIUS <----------> Access Point with DHCP <----------> Client
>>> 10.88.88.150            10.88.88.1                          10.88.X.X
>>>
>>> - The user is authenticating against Freeradius server with EAP.
>>> That's working out without problems.
>>> - The user gets an IP Address from the Access Point. It's working too.
>>> - The accounting is not working as I expect:
>>> -> The accounting packets sent to radius server don't include the
>>> IP of the Framed-User.
>>> -> The known solution for this problem is the command "aaa
>>> accounting delay-start", but with it, accounting packets are never
>>> sent after the Access-Accept packet, except for telnet EXEC logins.
>>>
>>> Am I missing something?
>>> Please help me.
>>>
>>> Thanks !
>>>
>>> ap#sh ver
>>> Cisco Internetwork Operating System Software
>>> IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA4, EARLY
>>> DEPLOYMENT RELEASE SOFTWARE (fc1)
>>> Technical Support: http://www.cisco.com/techsupport
>>> Copyright (c) 1986-2004 by cisco Systems, Inc.
>>> Compiled Fri 16-Apr-04 12:22 by cmong
>>> Image text-base: 0x00003000, data-base: 0x0053CF74
>>>
>>> ROM: Bootstrap program is C1200 boot loader
>>> BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY
>>> DEPLOYMENT RELEASE SOFTWARE (fc1)
>>>
>>> ap#sh conf
>>> Using 2950 out of 32768 bytes
>>> !
>>> version 12.2
>>> no service pad
>>> service timestamps debug datetime msec
>>> service timestamps log datetime msec
>>> service password-encryption
>>> !
>>> hostname ap
>>> !
>>> enable secret 5 $1$/obN$Y7Uj9MNPbS7YGVxIO4I841
>>> !
>>> username root privilege 15 password 7 06140E254541011C04134658585F
>>> ip subnet-zero
>>> ip domain name m6.fr
>>> ip dhcp excluded-address 10.88.88.1
>>> !
>>> ip dhcp pool airpool
>>> network 10.88.0.0 255.255.0.0
>>> lease 10
>>> !
>>> aaa new-model
>>> !
>>> !
>>> aaa group server radius rad_eap
>>> server 10.88.88.150 auth-port 1812 acct-port 1813
>>> !
>>> aaa group server radius rad_mac
>>> !
>>> aaa group server radius rad_acct
>>> server 10.88.88.150 auth-port 1812 acct-port 1813
>>> !
>>> aaa group server radius rad_admin
>>> !
>>> aaa group server tacacs+ tac_admin
>>> !
>>> aaa group server radius rad_pmip
>>> !
>>> aaa group server radius dummy
>>> !
>>> aaa authentication login default group radius local
>>> aaa authentication login eap_methods group rad_eap
>>> aaa authentication login mac_methods local
>>> aaa authorization network default group radius
>>> aaa accounting delay-start
>>> aaa accounting update periodic 2
>>> aaa accounting exec default start-stop group radius
>>> aaa accounting network acct_methods start-stop group rad_acct
>>> aaa session-id common
>>> !
>>> bridge irb
>>> !
>>> !
>>> interface Dot11Radio0
>>> no ip address
>>> no ip route-cache
>>> !
>>> encryption mode ciphers tkip
>>> !
>>> ssid morgane8021X
>>> authentication open eap eap_methods
>>> authentication key-management wpa
>>> accounting acc_methods
>>> !
>>> ssid touristes
>>> authentication open
>>> authentication key-management wpa
>>> accounting acct_methods
>>> wpa-psk ascii 7 095E4F0D100A1F170A0850797F7F
>>> !
>>> speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0
>>> 24.0 36.0 48.0 54.0
>>> rts threshold 2312
>>> station-role root
>>> bridge-group 1
>>> bridge-group 1 subscriber-loop-control
>>> bridge-group 1 block-unknown-source
>>> no bridge-group 1 source-learning
>>> no bridge-group 1 unicast-flooding
>>> bridge-group 1 spanning-disabled
>>> !
>>> interface FastEthernet0
>>> no ip address
>>> no ip route-cache
>>> duplex auto
>>> speed auto
>>> bridge-group 1
>>> no bridge-group 1 source-learning
>>> bridge-group 1 spanning-disabled
>>> !
>>> interface BVI1
>>> ip address 10.88.88.1 255.255.0.0
>>> no ip route-cache
>>> !
>>> ip http server
>>> ip http help-path
>>> http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
>>>
>>> ip radius source-interface BVI1
>>> snmp-server view dot11view ieee802dot11 included
>>> snmp-server community open RW
>>> snmp-server community ieee view ieee802dot11 RW
>>> snmp-server enable traps tty
>>> radius-server host 10.88.88.150 auth-port 1812 acct-port 1813 key 7
>>> 03074E090F1B345F
>>> radius-server attribute 8 include-in-access-req
>>> radius-server attribute 32 include-in-access-req format %h
>>> radius-server attribute 44 include-in-access-req
>>> radius-server authorization permit missing Service-Type
>>> radius-server vsa send accounting
>>> radius-server vsa send authentication
>>> bridge 1 route ip
>>> !
>>> !
>>> line con 0
>>> line vty 5 15
>>> !
>>> end
>>>
>>>
>>> _______________________________________________
>>> cisco-nas mailing list
>>> cisco-nas at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nas
>>>
>>>
>>
>>
>>
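The whole thread turns on whether the NAS puts attribute 8 (Framed-IP-Address) into its Accounting-Request, and the only reliable way to know is to look at the packets the RADIUS server actually receives. The following is an added example, not code from this thread, from Cisco or from FreeRADIUS: it builds two constructed Accounting-Request packets (one with and one without attribute 8, using the MAC and IP that appear in Marina's "show dot11 associations" output), parses them with RFC 2866 framing, checks the Request-Authenticator against a shared secret, and reports whether the client IP was supplied. The secret, user name and session id are constructed placeholders; the parser itself follows the RFC encoding and can be pointed at a real capture.

```python
"""Inspect RADIUS Accounting-Request packets for Framed-IP-Address (attribute 8).

Added example (not code from the thread, from Cisco or from FreeRADIUS).
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code

# Attribute numbers from RFC 2865/2866; 8 is the one the thread is about.
ATTR_NAMES = {
    1: "User-Name",
    8: "Framed-IP-Address",
    31: "Calling-Station-Id",
    32: "NAS-Identifier",
    40: "Acct-Status-Type",
    44: "Acct-Session-Id",
}

SHARED_SECRET = b"example-secret"  # constructed placeholder, not a real secret


def _tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(identifier: int, attrs: list, secret: bytes) -> bytes:
    """Build an Accounting-Request with a correct Request-Authenticator.

    RFC 2866 s.3: Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret).
    """
    body = b"".join(_tlv(t, v) for t, v in attrs)
    header_no_auth = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header_no_auth + bytes(16) + body + secret).digest()
    return header_no_auth + auth + body


def parse_acct_request(packet: bytes, secret: bytes) -> dict:
    """Parse an Accounting-Request, checking framing and the authenticator.

    Returns {'authentic': bool, 'attrs': [(type, value), ...]}.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length != len(packet) or length > 4096:
        raise ValueError("length field does not match packet")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):  # RFC 2865 s.5: Length >= 2
            raise ValueError("bad attribute length")
        attrs.append((attr_type, body[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"authentic": hmac.compare_digest(packet[4:20], expected), "attrs": attrs}


def framed_ip(parsed: dict):
    """Return Framed-IP-Address as dotted quad, or None if the NAS omitted it."""
    for attr_type, value in parsed["attrs"]:
        if attr_type == 8 and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None


def audit(packet: bytes, secret: bytes) -> str:
    """One-line verdict suitable for grepping in a review of captured traffic."""
    parsed = parse_acct_request(packet, secret)
    if not parsed["authentic"]:
        return "REJECT: bad Request-Authenticator (wrong secret or tampered packet)"
    ip = framed_ip(parsed)
    return f"OK: Framed-IP-Address={ip}" if ip else "OK: Framed-IP-Address missing"


# Constructed samples: same session, with and without attribute 8.
COMMON_ATTRS = [
    (1, b"marina"),                 # User-Name (constructed)
    (31, b"0011.5034.3388"),        # Calling-Station-Id, MAC from the thread
    (32, b"ap"),                    # NAS-Identifier, hostname in the posted config
    (40, struct.pack("!I", 1)),     # Acct-Status-Type = Start
    (44, b"00000001"),              # Acct-Session-Id (constructed)
]
PKT_WITHOUT_IP = build_acct_request(1, COMMON_ATTRS, SHARED_SECRET)
PKT_WITH_IP = build_acct_request(
    2, COMMON_ATTRS + [(8, ipaddress.IPv4Address("10.88.0.1").packed)], SHARED_SECRET
)

if __name__ == "__main__":
    for pkt in (PKT_WITHOUT_IP, PKT_WITH_IP):
        print(audit(pkt, SHARED_SECRET))
```

Run against a real capture, the "missing" verdict confirms the symptom on the RADIUS side independently of what the AP displays, and the authenticator check catches the unrelated but common failure of a mismatched shared secret, which also produces silently dropped accounting.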