[c-nsp] Cisco NAS radius accounting

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Dec 30 04:54:23 EST 2004


Sean,

> We're currently using stacks of Portmaster3's for dialin access for
> our customers. After some testing we have found that mica modem equipped
> AS5200's offer a better connection for those customers, 'in the
> sticks'. 
> 
> Our test AS5200 is running IOS Version 12.1(25).
> 
> Although they seemingly offer a better connection, I am having other
> problems with the 5200's related to accounting.
> 
> First and most important. When the AS5200 is rebooted, it resets the
> Acct-Session-Id (!). This is a major problem for our accounting. Is it
> possible to retain the session ID? Or, even set it with radius?

Please configure "radius-server unique-ident 1" (this command is hidden
in 12.1, but you should be able to enter it). This value is
prepended to the session id. When you reload the system, this counter is
increased. It is one byte only, so session-ids will roll over after 255
reboots, but this should be enough for most applications.

Not knowing how your accounting scripts work, another alternative to
assign a unique identifier to your accounting records could be the use
of the Radius "Class" attribute. If you include this in an
"Access-Accept" packet (i.e. Class =
"some_unique_string_assigned_by_your_radius_server"), the NAS will
include this attribute in all subsequent accounting records.
 
> Also a problem, but less important. The 5200 only sends the connect
> info, specifically tx/rx speed, in the stop packet. Is it possible to
> send that information in the start packet to radius?

Hmm, not sure if this works in 12.1 (can't try right now). Newer
releases (12.2T and later) support IETF attribute 77 ("Connect-Info"),
but AS5200 doesn't run 12.2 images. You might want to try to define your
Radius server as "non-standard", then we might add addtl. attributes
(like Ascend attributes): "radius-server host 1.1.1.1 auth-port 1645
acct-port 1646 non-standard"

> aaa accounting network default wait-start group radius

Why do you use "wait-start"? haven't seen many configs with this..
"start-stop" is the most common configuration..

	oli
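
The Acct-Session-Id reuse discussed above, as an added example that is not part of the original post and is not Cisco code: an accounting store keyed on NAS plus Acct-Session-Id loses a session when the ID repeats after a reload, while keying on a server-assigned Class value does not. The records, the Class strings and the function names are constructed for illustration.

```python
# Constructed sample records (not from the thread): the NAS reloads between
# the two sessions and numbers Acct-Session-Id from the same value again.
NAS = "192.0.2.10"
RECORDS = [
    {"NAS-IP-Address": NAS, "Acct-Status-Type": "Start", "Acct-Session-Id": "00000001",
     "User-Name": "alice", "Class": "srv-0001"},
    {"NAS-IP-Address": NAS, "Acct-Status-Type": "Stop", "Acct-Session-Id": "00000001",
     "User-Name": "alice", "Class": "srv-0001", "Acct-Session-Time": 300},
    # -- NAS reload happens here --
    {"NAS-IP-Address": NAS, "Acct-Status-Type": "Start", "Acct-Session-Id": "00000001",
     "User-Name": "bob", "Class": "srv-0002"},
    {"NAS-IP-Address": NAS, "Acct-Status-Type": "Stop", "Acct-Session-Id": "00000001",
     "User-Name": "bob", "Class": "srv-0002", "Acct-Session-Time": 600},
]

def key_by_session_id(rec):
    return (rec["NAS-IP-Address"], rec["Acct-Session-Id"])

def key_by_class(rec):
    # Assumption: the RADIUS server put a unique Class string in the Access-Accept.
    return rec.get("Class")

def reused_keys(records, key_fn):
    """Return keys that appear on more than one Start record."""
    seen, reused = set(), []
    for rec in records:
        if rec["Acct-Status-Type"] != "Start":
            continue
        key = key_fn(rec)
        if key in seen and key not in reused:
            reused.append(key)
        seen.add(key)
    return reused

def usage_by_user(records, key_fn):
    """Sum Acct-Session-Time per user; sessions are stored by key, last Start wins."""
    sessions = {}
    for rec in records:
        key = key_fn(rec)
        if key is None:
            raise ValueError("accounting record carries no usable key")
        if rec["Acct-Status-Type"] == "Start":
            sessions[key] = {"user": rec["User-Name"], "seconds": 0}
        elif rec["Acct-Status-Type"] == "Stop" and key in sessions:
            sessions[key]["seconds"] = rec.get("Acct-Session-Time", 0)
    totals = {}
    for s in sessions.values():
        totals[s["user"]] = totals.get(s["user"], 0) + s["seconds"]
    return totals
```
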


