Wireless Access

MVP
Posts: 498
Registered: ‎04-03-2007

No radius accounting session for MAC auth users

I'm hoping that this is an easy one and my eyes are just crossed...

 

In both lab and production testing, I'm finding that no RADIUS accounting is taking place for MAC auth clients. Associate the client to 802.1X and there's accounting. Back to MAC auth = no accounting. Doing a "show aaa state user <ip>" shows:

 

...

RadAcct sessionID:n/a

...

 

Looking at the auth-tracebuf, I can confirm no rad-acct-start/stop messages are seen.

 

In the aaa-profile, I have an accounting server group defined as well as enabled interim accounting.

 

What am I missing??

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
MVP
Posts: 507
Registered: ‎05-11-2011

Re: No radius accounting session for MAC auth users

 

Just a quick one.

 

You do have "Mac Auth Server Group" set to your Radius server group, right? :) If you're doing local mac-auth then no Radius traffic is going on.


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
MVP
Posts: 498
Registered: ‎04-03-2007

Re: No radius accounting session for MAC auth users

Sure do. Here's the aaa profile applied to the virtual-ap:

 

AAA Profile "wifi-at-osu-kcwx"
------------------------------
Parameter                           Value
---------                           -----
Initial role                        osu-cp-unauthenticated
MAC Authentication Profile          osu-mac-auth
MAC Authentication Default Role     osu-cp-unauthenticated
MAC Authentication Server Group     osu-radius-west-kcwx
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
L2 Authentication Fail Through      Disabled
User idle timeout                   N/A
RADIUS Accounting Server Group      osu-accounting-west-kcwx
RADIUS Interim Accounting           Enabled
XML API server                      N/A
RFC 3576 server                     #.#.#.#
RFC 3576 server                     #.#.#.#
RFC 3576 server                     #.#.#.#
RFC 3576 server                     #.#.#.#
RFC 3576 server                     #.#.#.#
RFC 3576 server                     #.#.#.#
RFC 3576 server                     #.#.#.#
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled

 

The names of the MAC auth server group and radius accounting server group are different, but the servers defined within are identical.

 

Any other ideas?

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
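
The checks raised in the thread so far, collected into one script as an added example (not part of the original posts and not Aruba tooling). It assumes the `show aaa profile` and `show aaa state user <ip>` output has been saved as text in the layout quoted above; `parse_profile` and `audit` are hypothetical names, and the sample input is constructed from the posts.

```python
import re

# Constructed sample, in the layout of the "show aaa profile" output quoted above.
SAMPLE_PROFILE = """\
AAA Profile "wifi-at-osu-kcwx"
------------------------------
Parameter                           Value
---------                           -----
MAC Authentication Profile          osu-mac-auth
MAC Authentication Server Group     osu-radius-west-kcwx
RADIUS Accounting Server Group      osu-accounting-west-kcwx
RADIUS Interim Accounting           Enabled
User derivation rules               N/A
"""
# The line quoted in the first post from "show aaa state user <ip>".
SAMPLE_STATE = "RadAcct sessionID:n/a\n"


def parse_profile(text):
    """Map each 'Parameter   Value' row (split on 2+ spaces) to its value."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line.rstrip())
        if m and not m.group(1).startswith(("Parameter", "---")):
            params.setdefault(m.group(1), m.group(2))  # keep first of repeated keys
    return params


def audit(profile_text, state_text):
    """Return findings for the settings the thread checks (hypothetical helper)."""
    p = parse_profile(profile_text)
    unset = lambda key: p.get(key, "N/A") == "N/A"
    findings = []
    if not unset("MAC Authentication Profile") and unset("MAC Authentication Server Group"):
        findings.append("MAC auth enabled but no MAC auth server group set")
    if unset("RADIUS Accounting Server Group"):
        findings.append("no RADIUS accounting server group")
    if p.get("RADIUS Interim Accounting") != "Enabled":
        findings.append("interim accounting not enabled")
    if not unset("User derivation rules"):
        findings.append("user derivation rules present; may override the profile")
    m = re.search(r"RadAcct sessionID:\s*(\S+)", state_text)
    if m is None or m.group(1).lower() == "n/a":
        findings.append("no RADIUS accounting session ID for this client")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE, SAMPLE_STATE):
        print("FINDING:", finding)
```
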
MVP
Posts: 507
Registered: ‎05-11-2011

Re: No radius accounting session for MAC auth users

That should work, so I'm afraid I don't have anything concrete to add.

 

Some wild thoughts..

* You could try to use the same server group in both places, but - weird if that has anything to do with things.. I've just done small things wrong enough times to get all paranoid when it comes to those things :)

* You're using a psk protected SSID and for some reason the mac-auth aaa doesn't kick in.

* Some server or user-rule overrides the aaa-profile you want the device to trigger.

 

Though I'm sure you've checked the role the device lands in and it's all as it should be..


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
MVP
Posts: 498
Registered: ‎04-03-2007

Re: No radius accounting session for MAC auth users

Thanks for the suggestions. Unfortunately, I do not believe those will help.

 

- The server groups are identical for all intents and purposes. I believe one is the clone of the other, in fact.

- There is no PSK on this network; nevertheless, I do see mac-auth kicking in, as the request comes into ClearPass successfully as MAC auth

- This is just an open network with MAC auth enabled. The aaa-profile applied is based on the one defined in the virtual-ap, which I posted above. As you can see, there are no user derivation rules, and I can tell you we aren't using any server derivation rules

 

Any other ideas from you or anyone else?

 

Can someone at least let me know this is incorrect behavior by looking at one of their own MAC auth clients and seeing if there is a radius accounting session ID?

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: No radius accounting session for MAC auth users

I don't have a MAC-AUTH only SSID, but I do have guest w/ MAC caching. I can confirm that accounting is working for MAC cached authentications. Session ID is present along with all of the accounting data you'd expect.

 

Silly question, but do you have interim updates enabled on your CP server?

Administration > Server Manager > Server Configuration > SERVER_NAME > Service Parameters (tab) > Radius Server (drop-down).

Log Accounting Interim-Update Packets = TRUE

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: No radius accounting session for MAC auth users

Ryan, here's a MAC-AUTH with an active accounting session.

 

accounting-record.png


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 498
Registered: ‎04-03-2007

Re: No radius accounting session for MAC auth users

I verified that publisher and 6 subscribers all have interim accounting set to "True".

 

Tim, with your MAC-auth service that is accurately performing accounting, do you mind putting a device in debug on the controller and sharing the auth-tracebuf of it getting online? I want to see if you actually see the rad-acct-start/stop messages. Also, can you do a "show aaa state user <ip> | include RadAcct" and share that? I'm looking to verify the sessionID is there as well.

 

Thank you!

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: No radius accounting session for MAC auth users

rad-acct-start.png

 

aaa-state-acct.PNG

 

aaa-state-acct-cppm.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 498
Registered: ‎04-03-2007

Re: No radius accounting session for MAC auth users

Thanks, Tim. I'll dig into this some more.

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University