Can the controller send a "RADIUS accounting stop" immediately after a user disassociates?

Aruba Employee

Requirement:

How do we configure the controller to send a "RADIUS accounting stop" immediately after a user disassociates, without waiting for the idle-timeout?

 

 



Solution:

  • In releases before 6.4.1.x, the RADIUS accounting stop message is sent after the user idle-timeout expires.
  • From 6.4.1.0 onward, the RADIUS accounting stop is sent immediately after the user disassociates, without waiting for the idle-timeout.
  • This feature is supported only for wireless users in tunnel and d-tunnel forward modes.
  • Setting user-idle-timeout to 0 in the AAA profile triggers the RADIUS accounting stop immediately when the client disassociates.

 



Configuration:

CLI configuration:

(config) #aaa profile default
(AAA Profile "default") #user-idle-timeout ?
<seconds>              User idle timeout in seconds. Value of 0 deletes the user immediately on disassoc/disconnect. Valid range is 30-15300 seconds in multiples of 30 seconds

(AAA Profile "default") #user-idle-timeout 0

 

UI Configuration:

 

 

 



Verification

#show aaa profile default

AAA Profile "default"
----------------------
Parameter                           Value
---------                           -----
Initial role                        logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     mac-role
MAC Authentication Server Group     pavan-grp
802.1X Authentication Profile       test-dot1x
802.1X Authentication Default Role  authenticated
802.1X Authentication Server Group  pavan-grp
Download Role from CPPM             Disabled
L2 Authentication Fail Through      Disabled
Multiple Server Accounting          Disabled
User idle timeout                   0 sec
RADIUS Accounting Server Group      rad-acct-grp
RADIUS Interim Accounting           Enabled
XML API server                      10.15.100.245
RFC 3576 server                     10.15.100.245
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled
PAN Firewall Integration            Disabled

 

#show auth-tracebuf count 40 displays the following information:

 

May 27 04:44:17  station-up             *  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               -    -    wpa2 aes
May 27 04:44:17  eap-id-req            <-  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               1    5
May 27 04:44:17  eap-id-resp           ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               1    11   smoke1
May 27 04:44:17  rad-req               ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               200  199
May 27 04:44:17  rad-resp              <-  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1/pavan-radius  200  90
May 27 04:44:17  eap-req               <-  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               2    6
May 27 04:44:17  eap-nak               ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               2    6
May 27 04:44:17  rad-req               ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1/pavan-radius  201  232
May 27 04:44:17  rad-resp              <-  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1/pavan-radius  201  90
May 27 04:44:17  eap-req               <-  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               7    107
May 27 04:44:17  eap-resp              ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               7    43
May 27 04:44:17  rad-req               ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1/pavan-radius  204  269
May 27 04:44:17  rad-accept            <-  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1/pavan-radius  204  238
May 27 04:44:17  eap-success           <-  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               7    4
May 27 04:44:17  wpa2-key1             <-  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               -    117
May 27 04:44:17  wpa2-key2             ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               -    135
May 27 04:44:17  wpa2-key3             <-  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               -    151
May 27 04:44:17  wpa2-key4             ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               -    95
May 27 04:44:21  rad-acct-start        ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               -    -
May 27 04:44:41  eap-logoff            ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               -    -
May 27 04:44:41  rad-acct-stop         ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               -    -
May 27 04:44:41  station-down           *  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1               -    -
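A check for the trace above, as an added example that is not part of the original article: it reads show auth-tracebuf output and reports, per client MAC, how many seconds passed between station-down and rad-acct-stop. The first client's lines are copied from the trace above; the other two clients, the year used for timestamp parsing, and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# First client: lines from the trace above. Clients aa:bb:cc:00:00:01/02 are
# constructed: one stop arrives 300 s after station-down, one never arrives.
SAMPLE = """\
May 27 04:44:21  rad-acct-start        ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1  -  -
May 27 04:44:41  rad-acct-stop         ->  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1  -  -
May 27 04:44:41  station-down           *  00:26:c6:44:86:08  d8:c7:c8:8b:5e:f1  -  -
May 27 04:45:02  rad-acct-start        ->  aa:bb:cc:00:00:01  d8:c7:c8:8b:5e:f1  -  -
May 27 04:45:30  rad-acct-start        ->  aa:bb:cc:00:00:02  d8:c7:c8:8b:5e:f1  -  -
May 27 04:46:10  station-down           *  aa:bb:cc:00:00:01  d8:c7:c8:8b:5e:f1  -  -
May 27 04:47:00  station-down           *  aa:bb:cc:00:00:02  d8:c7:c8:8b:5e:f1  -  -
May 27 04:51:10  rad-acct-stop         ->  aa:bb:cc:00:00:01  d8:c7:c8:8b:5e:f1  -  -
"""

# timestamp, event name, direction marker, client MAC
LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(?:->|<-|\*)\s+"
                  r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
KEY = {"station-down": "down", "rad-acct-stop": "stop"}

def acct_stop_delays(trace, year=2000):
    """Map MAC -> seconds from station-down to rad-acct-stop (None if no stop)."""
    sessions = {}
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, event, mac = m.groups()
        # The trace carries no year; an assumed one is enough for deltas.
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        if event == "rad-acct-start":
            sessions[mac] = {"down": None, "stop": None}   # new accounting session
        elif event in KEY and mac in sessions:
            sessions[mac][KEY[event]] = when
    delays = {}
    for mac, s in sessions.items():
        if s["down"] is None:
            continue                                       # client still associated
        delays[mac] = None if s["stop"] is None else (s["stop"] - s["down"]).total_seconds()
    return delays

def late_or_missing(delays, tolerance=1):
    """MACs whose stop is absent or later than the trace's 1 s resolution allows."""
    return sorted(mac for mac, d in delays.items() if d is None or d > tolerance)

if __name__ == "__main__":
    print(acct_stop_delays(SAMPLE), late_or_missing(acct_stop_delays(SAMPLE)))
```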

 

#show log user all displays the following information:

 

May 27 04:44:22 :522038:  <INFO> |authmgr|  username=smoke1 MAC=00:26:c6:44:86:08 IP=172.2.2.2 Authentication result=Authentication Successful method=radius-accounting server=pavan-radius
May 27 04:44:41 :522296:  <DBUG> |authmgr|  Auth GSM : USER_STA delete event for user 00:26:c6:44:86:08 age 0 deauth_reason 1
May 27 04:44:41 :522036:  <INFO> |authmgr|  MAC=00:26:c6:44:86:08 Station DN: BSSID=d8:c7:c8:8b:5e:f1 ESSID=test-ssid-wpa2-50 VLAN=276 AP-name=AP134-b5ee
May 27 04:44:41 :522261:  <DBUG> |authmgr|  "User MAC:00:26:c6:44:86:08: purge IP:172.2.2.2.
May 27 04:44:41 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 18 mac 00:26:c6:44:86:08 name smoke1 role authenticated devtype Win XP wired 0 authtype 4 subtype 9  encrypt-type 10 conn-port 8448 fwd-mode 0
May 27 04:44:41 :522005:  <INFO> |authmgr|  MAC=00:26:c6:44:86:08 IP=172.2.2.2 User entry deleted: reason=user request
May 27 04:44:41 :522004:  <DBUG> |authmgr|  MAC=00:26:c6:44:86:08 Reset station role to authenticated (158) (ingress=65546)
May 27 04:44:41 :522050:  <INFO> |authmgr|  MAC=00:26:c6:44:86:08,IP=N/A User data downloaded to datapath, new Role=authenticated/158, bw Contract=0/0, reason=Station resetting role, idle-timeout=0
May 27 04:44:41 :522262:  <DBUG> |authmgr|  "User MAC:00:26:c6:44:86:08: Total users purged = 1.
May 27 04:44:41 :522244:  <DBUG> |authmgr|  MAC=00:26:c6:44:86:08 Station Deleted Update MMS
May 27 04:44:41 :522301:  <DBUG> |authmgr|  Auth GSM : USER publish for uuid 18 mac 00:26:c6:44:86:08 name smoke1 role authenticated devtype Win XP wired 0 authtype 4 subtype 9  encrypt-type 10 conn-port 8448 fwd-mode 0
May 27 04:44:41 :522004:  <DBUG> |authmgr|  00:26:c6:44:86:08: station datapath entry deleted
May 27 04:44:41 :522290:  <DBUG> |authmgr|  Auth GSM : MAC_USER delete for mac 00:26:c6:44:86:08
May 27 04:44:41 :522303:  <DBUG> |authmgr|  Auth GSM : USER delete for mac 00:26:c6:44:86:08 uuid 18
May 27 04:44:41 :522265:  <DBUG> |authmgr|  "MAC:00:26:c6:44:86:08: Deallocating UUID: 18.
May 27 04:44:41 :522038:  <INFO> |authmgr|  username=smoke1 MAC=00:26:c6:44:86:08 IP=172.2.2.2 Authentication result=Authentication Successful method=radius-accounting server=pavan-radius

 

 

Note:

The idle timeout of 0 should not be configured in AAA profiles meant for wired users or remote users. It applies only to wireless users in tunnel/d-tunnel mode.

 

 

Version history
Revision #:
3 of 3
Last update:
‎05-28-2016 01:37 AM