Wireless Access

Reply
Occasional Contributor I
Posts: 6
Registered: ‎08-30-2013

Accounting Request not recieved

Hi All,

 

We just upgraded from 3.4 to 6.2 there was no configuration changes done but after upgrade we are not recieveing any Accounting request though its configured in RADIUS Accounting Server Group.

 

Any help its quite urgent

 

Thanks in advance

Guru Elite
Posts: 21,580
Registered: ‎03-29-2007

Re: Accounting Request not recieved

[ Edited ]

Your best bet is to open a support case, because you have provided little information where we can make a determination.  ArubaOS 3.x did not have interim accounting so the only time you would see it is on authentication and when the user leaves the user table.  ArubaOS 6.1 added interim accounting, but it is off by default.  You would see accounting start and stop messages in the auth-tracebuf:

 

Sep  2 07:05:07  rad-resp              <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41/cppm-192.168.1.32  10    113   
Sep  2 07:05:07  eap-req               <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    10    43    
Sep  2 07:05:07  eap-resp              ->  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    10    80    
Sep  2 07:05:07  rad-req               ->  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41/cppm-192.168.1.32  11    300   
Sep  2 07:05:07  rad-accept            <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41/cppm-192.168.1.32  11    264   
Sep  2 07:05:07  eap-success           <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    10    4     
Sep  2 07:05:07  assg-vlan-req          *  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    1000  1     new vlan: dot1x for wireless
Sep  2 07:05:07  assg-vlan-resp         *  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     1     
Sep  2 07:05:07  wpa2-key1             <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     117   
Sep  2 07:05:07  wpa2-key2             ->  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     117   
Sep  2 07:05:07  wpa2-key3             <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     151   
Sep  2 07:05:07  wpa2-key4             ->  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     95    
Sep  2 07:05:08  rad-acct-start        ->  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     -     

 

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Accounting Request not recieved

It would help if you posted the config. I assume that acct updates were received before?
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor I
Posts: 6
Registered: ‎08-30-2013

Re: Accounting Request not recieved

Thank you guys for your quick response

 

In 3.4 version it didnt supported RADIUS Interim - update requests but RADIUS Accounting(Start & Stop) were recieved correctly. But after recent OS upgrade broke this functionality whichis very crucial for us. Here is AAA profile and Server Group configs snipet;

 

CONFIG:

user-role login_Portal
captive-portal "Portal"
access-list session Portal-logon-policy

 

user-role Portal_initial_role
captive-portal "Portal"
access-list session captiveportal

 

aaa xml-api server "172.X.X.X"
key <VALUE>

access-list session control

 

aaa authentication-server radius "AAAServer"

host "172.X.X.X"
key <VALUE>

 

aaa server-group "AAA"
auth-server AAAServer

 

aaa profile "AAATCPortal"
initial-role "Portal_initial_role"
radius-accounting "AAA"
xml-api-server "172.X.X.X"

 

aaa authentication captive-portal "Portal"
default-role "login_Portal"
login-page "<External Portal URL>"
no enable-welcome-page

 

In firewall for IP session there any to any permit, Please let me know if above config is enough to understand the issue.

 

Thanks in Advance

Veerat

Guru Elite
Posts: 21,580
Registered: ‎03-29-2007

Re: Accounting Request not recieved

Question:

 

Do you use to XML API server to move clients into their proper role, or do you use a radius server to authenticate them?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: ‎08-30-2013

Re: Accounting Request not recieved

The user authentication happening via XML API using 'authenticate' command which is happening as expected. Our use case is once user is authenticated we should recieve start request subsequently Interim update request and Stop request.

 

I hope the given configuration is correct , we have configured it as mentioned in 6.2 UG;

 

Using the WebUI (ArubaOS 6.2 | User Guide Authentication Servers | 186  & 187 | Authentication Servers ArubaOS 6.2 | User Guide)
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. Select AAA Profile, then select the AAA profile instance.
3. (Optional) In the Profile Details pane, select RADIUS Interim Accounting to allow the controller to send Interim-
Update messages with current user statistics to the server at regular intervals. This option is disabled by default,
allowing the controller to send only start and stop messages RADIUS accounting server.
4. In the profile list, scroll down and select the Radius Accounting Server Group for the AAA profile. Select the
server group from the drop-down menu.
You can add additional servers to the group or configure server rules.
5. Click Apply.

 

 

Occasional Contributor I
Posts: 6
Registered: ‎08-30-2013

Re: Accounting Request not recieved

[ Edited ]

We are using a external captive portal for authentiation hence a XML API server is used, Please find our expected flow;

 

1. User connects to configured SSID ( having External Captive portal cofiguration).

2. User goes to browser and type any site in response user gets redirected to external captive portal page.

3. User enters the login credentails where Login button send a XML API request to WLC and in response WLC converts the API request and sends auth to configured RADIUS Server.

4. If User successfully authenticated by RADIUS Server then WLC should send an Accounting-Start request.

5. An Stop request should be sent to RADIUS Server when Session-Timeout is reached which is replied back in auth request .

 

Please let me know if you need any more info on the flow;

 

Regards,

Veerat

Guru Elite
Posts: 21,580
Registered: ‎03-29-2007

Re: Accounting Request not recieved

Are you  using user_add or user_authenticate to change the role of the user via the XML api?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: ‎08-30-2013

Re: Accounting Request not recieved

user_authenticate 

Guru Elite
Posts: 21,580
Registered: ‎03-29-2007

Re: Accounting Request not recieved

User_authenticate should generate radius accounting packets.  Please open a TAC case.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: