How to enable RADIUS accounting for IPv6 users in ArubaOS

Aruba Employee

Requirement:

How to track  the bandwidth usage of the clients with IPv6 addresses.

 



Solution:

 

Pre 6.5, we can only perform authentication/authorization of IPv6 clients. Starting Aruba OS 6.5, we have the capability to monitor the bandwidth usage of the clients with IPv6 addresses.

 

* We are following RFC 6911 which defines the attributes to be used for IPv6 access networks.

* The Framed-IPv6-Address is the key attribute and will be used in accounting start, stop and interim packets.

* With IPv6 implementation, it is possible for a single host to have multiple IPv6 addresses.

* We now have ability to track the usage of each and every IPv6 entry.

 

A host can have both IPv4 andIPv6 addresses. Following behavior is expected in the mentioned scenarios-

With one IPv6 address:
  Start, stop and interim update messages are sent for the only IPv6 address.

With one each IPv4 and IPv6 address:
  Start, stop and interim update messages are sent for both IPv4 and IPv6 address.

With multiple IPv6 address:
  Start, stop and interim update messages are sent for each of the IPv6 addresses.

With multiple IPv6 and multiple IPv4 address:

  Start, stop and interim update messages are sent for each of the IPv6 addresses.

  Start message is sent only for the first IPv4 address.

  Interim updates are sent for all the IPv4 addresses.

  •Stop message is sent only for the last IPv4 entry.

 



Configuration:

 

There is no separate configuration required to enable RADIUS accounting for IPv6 users.  

Currently, controller code has checks where the accounting for IPv6 clients is blocked, which will be removed starting Aruba OS 6.5.

We only need to ensure that the RADIUS accounting server is mapped to the respective AAA profile. Accounting messages for IPv4 and IPv6 clients will be sent by default.

 

Limitation

 

* RADIUS accounting is only supported on Tunnel and D-tunnel mode.

* Bridge and Split Tunnel modes are not supported.



Verification

 

We can view the accounting messages being sent by the controller in security logs after enabling the below logging

Logging level debugging security process authmgr subcat aaa

 

Show log security all

Apr 12 08:59:02 :124038:  <INFO> |authmgr|  Selected server CPPM for method=radius-accounting; user=ACCOUNTING,  essid=accounting, domain=<>, server-group=CPPM

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_api.c:56] Radius accounting using server CPPM

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1827] Sending radius accounting request

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_request.c:55] Add Request: id=40, srv=10.17.164.45, fd=63

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1901] Sending radius request to CPPM:10.17.164.45:1813 id:40,len:346

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  User-Name: ACCOUNTING

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  NAS-IP-Address: 10.17.171.165

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  NAS-Port-Id: 0

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  NAS-Port-Type: Wireless-IEEE802.11

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Acct-Session-Id: ACCOUNTIC0EEFB300361-570D2956-DBF71

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Event-Timestamp: 04/12/2016 16:59:02

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Acct-Multi-Session-Id: C0EEFB300361-0000000004

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Framed-IPv6-address: fe80::c2ee:fbff:fe30:361

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Calling-Station-Id: C0EEFB300361

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Called-Station-Id: 000B86DDCA60

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Class: \220e\365\354\333)L\205\223\026\032s\300g/l\274\013

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Acct-Delay-Time: 0

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Aruba-Essid-Name: accounting

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Aruba-Location-Id: ac:a3:1e:cd:3a:4a

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Aruba-AP-Group: default

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Aruba-User-Role: authenticated

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Aruba-User-Vlan:

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Aruba-Device-Type: Android

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Acct-Status-Type: Start

Apr 12 08:59:02 :121031:  <DBUG> |authmgr| |aaa| [rc_server.c:1912]  Acct-Authentic: RADIUS

Apr 12 08:59:02 :124004:  <DBUG> |authmgr|  rc_start_acct_req:938 aal_rad_acct returned 0

Apr 12 08:59:02 :124004:  <DBUG> |authmgr|  user_download: User fe80::c2ee:fbff:fe30:361  Router Acl(0)

Apr 12 08:59:02 :124004:  <DBUG> |authmgr|  get_traffic_prio_from_role: |TC-PROF GET|: Profile Name (Default) Role name (authenticated) val(15)

Apr 12 08:59:02 :124004:  <DBUG> |authmgr|  user_download: |TC-PROF|: Role (authenticated)  Traffic Prio(15)

Apr 12 08:59:02 :124162:  <DBUG> |authmgr|  Enforcing L2 check for mac c0:ee:fb:30:03:61.

Version history
Revision #:
3 of 3
Last update:
‎05-28-2016 02:00 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: