
If we have multiple RADIUS Servers configured in a server group and mapped for AAA authentication and accounting, when a client authenticates using Server A, does the Controller send an accounting pac 

Jul 14, 2014 11:41 AM

Environment:

Any Aruba OS
Any Aruba Access Point
Any Aruba Controller

 

When multiple RADIUS servers (say Server A, Server B and Server C) are configured in a server group, and the server group is mapped for AAA authentication and accounting, then when a client authenticates using Server A, we don't see any accounting information for the client on Server A.

 

Accounting does not follow the same server used for client authentication because Accounting and Authentication are handled separately.

This is expected behaviour and not really a problem as such. It would need a separate feature to check which server authenticated the client before sending the client's accounting information to a server.

 

Accounting does not follow the same server used for client authentication because accounting and authentication are handled separately, i.e. different ports are used for each purpose on the RADIUS server. There is no policy for accounting packets on the server end. In particular, when "fail-through" is enabled for authentication, we expect the servers further down the list to be checked when we get a Radius-Reject from the first server. However, an accounting server can never send an "accounting reject" packet, so accounting is sent to the first server that accepts the accounting request, i.e. sends an "Acct-Response". On the Aruba Controller, we only enforce that the accounting interim update/stop follows the same RADIUS server to which we sent the accounting start.

If we want the same server to handle both authentication and accounting for a set of users, we need to ensure the authentication server is at the top of the server-group listing. We also need to ensure the server is always available and includes all users that we need auth/accounting for. However, if we need the server redundancy (a.k.a. fail-through) feature and also need accounting to go to the same server, this is not possible, for the reason explained in the paragraph above. We need to choose one feature over the other in this case.
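The selection logic described above can be modelled in a few lines of Python. This is an added illustration, not ArubaOS code: the class and function names, the sample users, and the handling of an unreachable server (skip to the next one in the list) are assumptions.

```python
# Model of the server-selection behaviour described in this article (illustrative only).
from dataclasses import dataclass, field

@dataclass
class RadiusServer:
    name: str
    users: set = field(default_factory=set)  # users this server will accept
    up: bool = True                          # False = no reply at all (assumed timeout)

    def authenticate(self, user):
        if not self.up:
            return None
        return "Access-Accept" if user in self.users else "Access-Reject"

    def account(self, record):
        # There is no "accounting reject": a reachable server answers
        # whether or not it knows the user.
        return "Accounting-Response" if self.up else None

def pick_auth_server(group, user, fail_through):
    """Walk the group in order; return the name of the accepting server, or None."""
    for srv in group:
        reply = srv.authenticate(user)
        if reply == "Access-Accept":
            return srv.name
        if reply == "Access-Reject" and not fail_through:
            return None                      # a reject is final without fail-through
    return None

def pick_acct_server(group, user):
    """The accounting start goes to the first server that responds."""
    for srv in group:
        if srv.account(("Start", user)):
            return srv.name
    return None

def session(group, user, fail_through=True):
    auth = pick_auth_server(group, user, fail_through)
    if auth is None:
        return None
    # Interim updates and the stop record stay pinned to this accounting server.
    acct = pick_acct_server(group, user)
    return {"user": user, "auth": auth, "acct": acct}

# Constructed sample group, listed in server-group order.
GROUP = [RadiusServer("A", {"alice"}), RadiusServer("B", {"bob"}),
         RadiusServer("C", {"carol"})]

if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(session(GROUP, u))
```

For anyone relying on accounting records for audit or incident response, the takeaway is that the session records for `bob` and `carol` sit on Server A even though Servers B and C authenticated them, so accounting data has to be collected from every server in the group.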

 

Same as Case# 1463907
