Security

Reply
Contributor II

machine/user auth and accounting periodic update

Hey!

 

I have turned on user or computer authentication and it works fine.  Computer names and users are logged and given access from the policy manager - good news.

 

However the gateway stops after a minute.  After using a stopwatch I saw that it always went off after precisely one minute.

 

It is due to: aaa accounting update periodic 1 in the HP switch programming.

 

Changing it to 5 gives you 5 minutes of internet.  I have removed this command.

 

Is this normal? and do I need the command for other purposes?

Re: machine/user auth and accounting periodic update

Instead of periodic, can you set accounting to start-stop instead?

 

If your using ClearPass, RADIUS accounting is necessary for licensing (6.7) and to have proper Accounting data in ClearPass. You would also want RADIUS Interim-Accounting set to True in the server's RADIUS settings.


Michael Haring
Architecture and Implementation Consultant
Optiv Security Inc.
Highlighted

Re: machine/user auth and accounting periodic update

In addition - the default should be 0 / disabled.

 

HPE Networking: http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch06s13.html

 

Snippet from the link above:

Syntax:

[no] aaa accounting update periodic <1-525600>

Sets the accounting update period for all accounting sessions on the switch.

The no form disables the update function and resets the value to zero.

Default: zero; disabled

 


Michael Haring
Architecture and Implementation Consultant
Optiv Security Inc.
Contributor II

Re: machine/user auth and accounting periodic update

Hi, Thanks for this

 

I have Log Accounting Interim-Update Packets set to TRUE

I had disabled/set to 0 the aaa accounting periodic update previously

 

I have added:

 

aaa accounting exec start-stop radius

aaa accounting network start-stop radius

 

to the switch programming - does it need both these commands for clearpass - assuming they are correct?

 

Thank you for your help

 

Re: machine/user auth and accounting periodic update

Exec would be for administration of the switch - console, ssh, telnet.

 

Network would be for device authentications on the ports.


Michael Haring
Architecture and Implementation Consultant
Optiv Security Inc.
Contributor II

Re: machine/user auth and accounting periodic update

great, thanks for clearing that up I will go with 

 

aaa accounting network start-stop radius

 

then 

Guru Elite

Re: machine/user auth and accounting periodic update

Be sure to follow the ClearPass Solution Guide for Wired Policy Enforcement for fully validated configurations.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: