Hello. My name is Marcos, and I'm doing a final degree project
involving a Radius server and a Cisco Aironet 1200 NAS. The Radius
server is Freeradius 1.0.4 running on a Fedora Core 4 linux box. The
client is a Windows XP laptop, using a Cisco 802.11a/b/g wireless lan
client adapter (PCMCIA) or a Intel BG2200 integrated wireless adapter.
I'm using EAP-TLS.<br>
<br>
The authentication and authorization parts ar working perfectly. All
the certificates hav been created, and the laptop connects without
problems.<br>
<br>
My problem is, the NAS is sending "accounting-request" packages as
expected, to the Radius server, but only the "Acct-Session-Time"
attribute is being tracked. All the other attributes are missing. I
need specially the "Acct-Output-Octets" and "Acct-Input-Octets"
attributes, but I haven't been able to get it working.<br>
<br>
The Cisco documentation states this NAS should be able to send all the
accounting attributes I need. The list is in this webpage:<br>
<a href="http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a008010f9d6.html#87406">http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a008010f9d6.html#87406
</a><br>
<br>
Here is an extract:<br>
<br>
<span class="content">Table 9-1 <a name="87406"></a><a name="1021659"></a>Accounting Attributes the Access Point Sends to the Accounting Server<br>
[...]<br>
</span><span class="content"> Acct-Session-Time: </span><span class="content"> The elapsed time in seconds that the client
device has been associated to the access point. The access point sends
this attribute only with the ACCT_STOP and ACCT_UPDATE status types.<br>
<br>
</span><span class="content"> Acct-Input-Octets: </span><span class="content"> The number of octets received on the wireless
network through the access point since the client device associated to
the access point. The access point sends this attribute only with the
ACCT_STOP and ACCT_UPDATE status types.<br>
<br>
</span><span class="content"> Acct-Output-Octets: </span><span class="content"> The number of octets sent on the wireless
network through the access point since the client device associated to
the access point. The access point sends this attribute only with the
ACCT_STOP and ACCT_UPDATE status types.<br>
[...]<br>
</span><span class="content"><b><span style="font-weight: bold;"></span><br>
</b></span><br>
Here is an extract of the "detail" file in the Radius "radacct"
directory of the logs
(/var/log/radius/radacct/192.168.100.1/detail-20051213).<br>
<br>
Tue Dec 13 13:52:36 2005<br>
Acct-Session-Id = "0000002D"<br>
Called-Station-Id = "0013.60e7.e900"<br>
Calling-Station-Id = "0040.96a8.2b73"<br>
Cisco-AVPair = "ssid=wifi2005"<br>
Cisco-AVPair = "nas-location=unspecified"<br>
Cisco-AVPair = "connect-progress=Call Up"<br>
Acct-Session-Time = 2051<br>
Acct-Authentic = RADIUS<br>
User-Name = "Portatil_XP"<br>
Acct-Status-Type = Alive<br>
NAS-Port-Type = Wireless-802.11<br>
Cisco-NAS-Port = "37"<br>
NAS-Port = 37<br>
Service-Type = Framed-User<br>
NAS-IP-Address = <a href="http://192.168.100.1">192.168.100.1</a><br>
Acct-Delay-Time = 0<br>
Client-IP-Address = <a href="http://192.168.100.1">192.168.100.1</a><br>
Acct-Unique-Session-Id = "90e48e71577c8417"<br>
Timestamp = 1134478356<br>
<br>
---------------------------------------------------------------------------------------------------------------------------------------------------<br>
<br>
I've sniffed the connection usin ethereal, and I checked only those attributes are sent inside the Radius package.<br>
<br>
I've also checked via SNMP that the octets are being accounted by the NAS, here they are the two queries I did:<br>
<br>
[root@wifi2005 ~]# snmpget -v2c -c IT-UNIOVI <a href="http://192.168.100.1">192.168.100.1</a> ifInOctets.1<br>
IF-MIB::ifInOctets.1 = Counter32: 2347354<br>
[root@wifi2005 ~]# snmpget -v2c -c IT-UNIOVI <a href="http://192.168.100.1">192.168.100.1</a> ifOutOctets.1<br>
IF-MIB::ifOutOctets.1 = Counter32: 19268485<br>
<br>
After some time surfing from the laptop, I repeated the query and both values had increased accordingly.<br>
<br>
---------------------------------------------------------------------------------------------------------------------------------------------------<br>
<br>
Here is the Aironet 1200 running config:<br>
<br>
ap#show running-config<br>
Building configuration...<br>
<br>
Current configuration : 3332 bytes<br>
!<br>
version 12.2<br>
no service pad<br>
service timestamps debug datetime msec<br>
service timestamps log datetime msec<br>
service password-encryption<br>
!<br>
hostname ap<br>
!<br>
logging queue-limit 100<br>
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX<br>
!<br>
username Cisco password 7 XXXXXXXXXXXXXXXXXXXXXX<br>
ip subnet-zero<br>
!<br>
aaa new-model<br>
!<br>
!<br>
aaa group server radius rad_eap<br>
server <a href="http://192.168.100.2">192.168.100.2</a> auth-port 1812 acct-port 1813<br>
!<br>
aaa group server radius rad_mac<br>
!<br>
aaa group server radius rad_acct<br>
server <a href="http://192.168.100.2">192.168.100.2</a> auth-port 1812 acct-port 1813<br>
accounting accept milista<br>
!<br>
aaa group server radius rad_admin<br>
!<br>
aaa group server tacacs+ tac_admin<br>
!<br>
aaa group server radius rad_pmip<br>
!<br>
aaa group server radius dummy<br>
!<br>
aaa group server radius rad_acct1<br>
server <a href="http://192.168.100.2">192.168.100.2</a> auth-port 1812 acct-port 1813<br>
accounting accept milista<br>
!<br>
aaa group server radius rad_eap1<br>
server <a href="http://192.168.100.2">192.168.100.2</a> auth-port 1812 acct-port 1813<br>
!<br>
aaa authentication login default group rad_wifi2005 local<br>
aaa authentication login eap_methods group rad_eap<br>
aaa authentication login mac_methods local<br>
aaa authentication login eap_methods1 group rad_eap1<br>
aaa authentication ppp default group rad_wifi2005<br>
aaa authorization exec default local<br>
aaa authorization ipmobile default group rad_pmip<br>
aaa authorization network default group rad_wifi2005<br>
aaa accounting update periodic 1<br>
aaa accounting exec default start-stop group rad_wifi2005<br>
aaa accounting network default start-stop group radius<br>
aaa accounting network acct_methods start-stop group rad_acct<br>
aaa accounting network acct_methods1 start-stop group rad_acct1<br>
aaa accounting connection default start-stop group rad_wifi2005<br>
aaa session-id common<br>
dot11 network-map<br>
!<br>
!<br>
bridge irb<br>
!<br>
!<br>
interface Dot11Radio0<br>
no ip address<br>
no ip route-cache<br>
load-interval 30<br>
!<br>
encryption mode ciphers tkip<br>
!<br>
ssid wifi2005<br>
authentication open eap eap_methods1<br>
authentication network-eap eap_methods1<br>
authentication key-management wpa<br>
accounting acct_methods1<br>
!<br>
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0<br>
rts threshold 2312<br>
station-role root<br>
dot1x reauth-period server<br>
dot1x client-timeout 20<br>
bridge-group 1<br>
bridge-group 1 subscriber-loop-control<br>
bridge-group 1 block-unknown-source<br>
no bridge-group 1 source-learning<br>
no bridge-group 1 unicast-flooding<br>
bridge-group 1 spanning-disabled<br>
!<br>
interface FastEthernet0<br>
no ip address<br>
no ip route-cache<br>
duplex auto<br>
speed auto<br>
bridge-group 1<br>
no bridge-group 1 source-learning<br>
bridge-group 1 spanning-disabled<br>
!<br>
interface BVI1<br>
ip address <a href="http://192.168.100.1">192.168.100.1</a> <a href="http://255.255.255.0">255.255.255.0</a><br>
no ip route-cache<br>
!<br>
ip default-gateway x.x.x.x<br>
ip http server<br>
ip http help-path <a href="http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100">http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100</a><br>
ip radius source-interface BVI1<br>
snmp-server community IT-UNIOVI RO<br>
snmp-server enable traps tty<br>
radius-server attribute 32 include-in-access-req format %h<br>
radius-server attribute list lista_atributos<br>
!<br>
radius-server attribute list milista<br>
attribute 1-200<br>
!<br>
radius-server host <a href="http://192.168.100.2">192.168.100.2</a> auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXXXXXXXX<br>
radius-server timeout 10<br>
radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXX<br>
radius-server authorization permit missing Service-Type<br>
radius-server vsa send accounting<br>
bridge 1 route ip<br>
!<br>
!<br>
!<br>
line con 0<br>
line vty 5 15<br>
!<br>
end<br>
<br>
---------------------------------------------------------------------------------------------------------------------------------------------------<br>
<br>
The "milista" attributes list was an attemp to make all the attributes being reported, but it didn't make any difference.<br>
I've been trying to make those attributes to bereported for weeks. If
somebody could find what I'm doing wrog, or I'm missing out, would be
of great value for me. Also if somebody knows this AP is not able to
report those attributes, it'd help me completely. I apologize for the
long email. Many thanks in advance.<br>