Troubleshooting RADIUS Accounting Problems

By JuliaOstrowski posted Jun 10, 2014 06:10 PM


This document is useful for troubleshooting RADIUS Accounting Problems, assuming that you have already done the first 2 most important steps:

1. Configured an external device such as an AP or a wireless gateway to send RADIUS Accounting packets to AMP 

2. Configured that device as an allowed RADIUS Accounting client on the AMP Setup -> RADIUS Accounting page

If you've done both of those, but you don't see usernames in AMP, there are several things to check:

1. Check to see whether AMP is rejecting packets it's receiving from the APs, gateway, etc. If in /var/log/radius/radius.log there are messages like "Error: Ignoring request from unknown client", then check AMP's AMP Setup -> RADIUS Accounting page to make sure that your APs, gateway, etc. have been added.

2. When AMP accepts packets from a device, it creates a directory for that device in /var/log/radius/radacct/. So if you're troubleshooting a device at AND there's no /var/log/radius/radacct/ directory AND there are no "unknown client" messages, we can be confident that AMP is not receiving any packets. (Please see KB article "How to enable detailed radius accounting packet logging" to enable this feature.)

3. Are the APs configured properly? AMP can add a lot of value in ensuring this because AMP's Advanced IOS feature can apply the setting on all your APs and it can audit the APs' configs.

4. Is there a firewall between the APs and AMP? Is it possible that it's blocking RADIUS accounting packets on port 1813?