[j-nsp] Radius accounting
michael.firth at bt.com
Wed Nov 29 17:35:28 EST 2006
According to the documentation at:
http://www.juniper.net/techpubs/software/junos/junos81/swconfig81-system-basics/html/sys-mgmt-summary3.html#2608518
The default Radius accounting port, if none is specified, is port 1646. The default Radius authentication port is 1812. I suspect that the 'source-port radius' statement is only allowing port 1812 through, and your RE filter is blocking the accounting.
Curiously, in the firewall filter documentation at:
http://www.juniper.net/techpubs/software/junos/junos81/swconfig81-policy/html/firewall-config11.html#1014289
there is a 'radacct' port definition, but that is port 1813, which doesn't seem to be the same as the default port used by the Radius sub-system for accounting.
Hope this helps
Michael
________________________________
From: juniper-nsp-bounces at puck.nether.net on behalf of evan.2.williams at bt.com
Sent: Wed 29/11/2006 20:59
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Radius accounting
Been working on getting radius to work to cisco acs, authentication is fine, but accounting I get this all the time.
Nov 29 20:31:40 Event:Cmd uname:fester Cmd - "file list "
Nov 29 20:31:40 Radius record: sess-id:AED4533A001 status-type:update uname:********
Nov 29 20:31:40 auditd_rad_send: sent rad message
Nov 29 20:31:45 AUDITD_RADIUS_REQUEST_TIMED_OUT: auditd_rad_timeout_handler: retransmitted request to RADIUS server 10.213.36.142
Nov 29 20:31:50 AUDITD_RADIUS_REQUEST_TIMED_OUT: auditd_rad_timeout_handler: retransmitted request to RADIUS server 10.213.36.142
Nov 29 20:31:55 AUDITD_RADIUS_REQUEST_DROPPED: auditd_rad_timeout_handler: discarding Accounting-Request message; no RADIUS server responded
Nov 29 20:31:55 auditd_rad_clear: cleared timer
Nov 29 20:31:55 auditd_rad_clear: deselected the reader
Nov 29 20:31:55 auditd_rad_dispatch: no more records in queue; all dispatched.
No accounting port has been set, and here is the accounting destination set up

destination {
    /* sets the radius accounting to the ACS */
    radius {
        server {
            10.213.36.142 {
                secret "$9$IGQEhrvMX-b2BIK87N2gJGDkPQ"; ## SECRET-DATA
                timeout 5;
                source-address 212.31.220.58;
            }
        }
    }
}
show configuration firewall family inet filter <********> term radius

from {
    source-prefix-list {
        radius-addresses;
    }
    protocol udp;
    source-port radius;
}
then {
    policer radius-policer;
    count radius;
    accept;
}
I have the Cisco ACS address in the policy-options prefix-list radius-addresses
Appreciate any tips on this.
Evan Williams
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
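An added example (not part of either message above) of the fix Michael's diagnosis points to. The RE filter inspects packets arriving at the Routing Engine, so the port that matters in the `radius` term is the ACS server's source port on its reply: an Accounting-Response comes back from the accounting port, not from 1812, and `source-port radius` alone drops it, which is exactly the "no RADIUS server responded" symptom. The example pins the accounting port to 1813 (the RFC 2866 port, which Junos also knows by the `radacct` alias) so that the filter and the accounting subsystem agree, and widens the filter term to accept both ports. The server address, secret, timeout and source-address are the ones Evan posted; the filter name `re-protect` is assumed, since the post redacts it.

```junos
system {
    accounting {
        destination {
            radius {
                server {
                    10.213.36.142 {
                        secret "$9$IGQEhrvMX-b2BIK87N2gJGDkPQ"; ## SECRET-DATA
                        /* Pin the accounting port explicitly. Without this the
                           subsystem falls back to its default (1646 per the 8.1
                           docs), which the filter below would then have to list
                           as well. */
                        accounting-port 1813;
                        timeout 5;
                        source-address 212.31.220.58;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        /* filter name assumed; the post redacts it */
        filter re-protect {
            term radius {
                from {
                    source-prefix-list {
                        radius-addresses;
                    }
                    protocol udp;
                    /* The original term had 'source-port radius;', i.e. 1812
                       only, so Accounting-Response packets were dropped. */
                    source-port [ radius radacct ];
                }
                then {
                    policer radius-policer;
                    count radius;
                    accept;
                }
            }
        }
    }
}
```

After committing, run a command that produces accounting (as in Evan's log, `file list`) and check that the `radius` counter in `show firewall filter re-protect` increments for both the authentication and the accounting exchange; a packet capture on the interface that owns 212.31.220.58 with `monitor traffic interface <ifname> matching "udp port 1813"` will show the Accounting-Response arriving from the ACS. If the accounting port is left at the 1646 default instead of being set explicitly, `1646` has to be added to the `source-port` list, because `radacct` only covers 1813.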