Cisco APs with 12.3(4) and newer firmware can be configured to send RADIUS accounting packets to AMP so that AMP can display the usernames of associated users. This document is intended as a guide for the basic setup of IOS-to-AMP RADIUS accounting.
There are two steps involved: configuring the APs to send RADIUS accounting packets (this document covers doing this from both the web interface and the config file), and configuring AMP to accept them.
PART I: CONFIGURE THE APs
(A) From an AP's web interface:
A1. On the Security -> Server Manager page, find the Corporate Servers section and add the AMP as a RADIUS Server.
A2. In the Default Server Priorities section select the AMP as the Priority 1 Accounting server.
Now the AP knows that when it's told to send RADIUS accounting packets, it should send them to AMP. The final step is to configure each SSID to send RADIUS Accounting packets when users associate and disassociate.
A3. On the Security -> SSID Manager page, select each AP for which you want to enable accounting, and check Enable Accounting towards the bottom.
(B) In the IOS Config:
B1. Define AMP as a RADIUS server:
radius-server host 10.200.0.2 auth-port 1812 acct-port 1813 key 7 02070D491C071924
B2. Define that the RADIUS server is an accounting server:
aaa group server radius rad_acct
server 10.200.0.2 auth-port 1812 acct-port 1813
server 10.2.25.159 auth-port 1812 acct-port 1813
B3. Configure the SSID to send RADIUS accounting packets:
dot11 ssid airwave-office
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
PART II: CONFIGURE AMP TO ACCEPT RADIUS ACCOUNTING PACKETS FROM THE APs
1. Go to the AMP Setup -> RADIUS Accounting page and add your APs. You can add one AP at a time, a set of network and netmask definitions one at a time, or you can import a list of APs via a .csv (comma separated values) file.
If you've set this up as described above, but you don't see usernames in AMP, there are several things to check:
1. Check to see whether AMP is rejecting packets it's receiving from the APs. If in /var/log/radius/radius.log there are messages like "Error: Ignoring request from unknown client", then check AMP's AMP Setup -> RADIUS Accounting page to make sure that your APs have been added.
2. When AMP accepts packets from an AP, it creates a directory for that AP in /var/log/radius/radacct/. So if you're troubleshooting an AP at 10.51.1.14 AND there's no /var/log/radius/radacct/10.51.1.14 directory AND there are no "unknown client" messages, we can be confident that AMP is not receiving any packets.
3. Are the APs configured properly? AMP can add a lot of value in ensuring this because AMP's Advanced IOS feature can apply the setting on all your APs and it can audit the APs' configs.
4. Is there a firewall between the APs and AMP? Is it possible that it's blocking RADIUS accounting packets on port 1813?
How to enable detailed RADIUS accounting packet logging