Receiving error while disconnecting/reauthorizing user from "Active Sessions" in guest module

MVP
MVP
Problem:

We would notice the below error while disconnecting/reauthorizing user from "Active Sessions"

 



Diagnostics:

The above error is expected when the accounting id  mapped to radius request and accounting id sent in accounting request is different.

When we check the access tracker, for Radius session identifier:  R00000364-08-5ed628fc, we can see that the accounting id mapped is d4:81:d7D481D7D3CE6D-5ED628FC-C1DE2

Request Details Summary -

Session Identifier: R00000364-08-5ed628fc

Date and Time: Jun 02, 2020 12:25:00 CEST

Username: d4:81:d7:d3:ce:6d

End-Host Identifier: d4:81:d7:d3:ce:6d

Access Device IP/Port: 10.1.1.2:8452

Audit Posture Status: UNKNOWN (100)

System Posture Status: UNKNOWN (100)

Login Status: ACCEPT

Input RADIUS Attributes -

Radius:Aruba:Aruba-Essid-Name =  

Radius:Aruba:Aruba-Port-Id = 10.1.1.2:0/0/4

Radius:IETF:Acct-Session-Id = d4:81:d7D481D7D3CE6D-5ED628FC-C1DE2

Radius:IETF:Calling-Station-Id = d4:81:d7:d3:ce:6d

Radius:IETF:NAS-IP-Address = 10.1.1.2

Radius:IETF:NAS-Port = 8452

Radius:IETF:NAS-Port-Type = 15

Radius:IETF:Service-Type = 10

Radius:IETF:User-Name = d4:81:d7:d3:ce:6d

 

Also from pcap, we can see that accounting id mapped in radius request is d4:81:d7D481D7D3CE6D-5ED628FC-C1DE2, however accounting request sent from NAD is with a different accounting id: d4:81:d7D481D7D3CE6D-5ED628FE-5FBBB as shown below:

 

 

 

As a result of this when we navigate to Monitoring->Live Monitoring->Accounting, we will not be able to find: Accounting id: d4:81:d7D481D7D3CE6D-5ED628FC-C1DE2 which is mapped to radius session id.R00000364-08-5ed628fc. We would only be able to find accnt id:  d4:81:d7D481D7D3CE6D-5ED628FE-5FBBB and radius session id would not be mapped for the accounting id: d4:81:d7D481D7D3CE6D-5ED628FE-5FBBB

 



Solution

Some NAS vendors would send accounting session id in radius request packet and accounting request packet. In such scenarios, the accounting session id should be same in the radius request and accounting request packet. 

 

If the accounting session id is different in radius request  and accounting request, then above error would be noticed and issue needs to be addressed from NAS vendor to ensure the accounting session id is same in radius request  and accounting request.

 

In the below request, the accnt id mapped to radius request is  d4:81:d7D481D7D3CE6D-5ED62664-BC7DE​

Request Details Summary -

Session Identifier: R00000360-08-5ed62664

Date and Time: Jun 02, 2020 12:13:56 CEST

Username: d4:81:d7:d3:ce:6d

End-Host Identifier: d4:81:d7:d3:ce:6d

Access Device IP/Port: 10.1.1.2:8452

Audit Posture Status: UNKNOWN (100)

System Posture Status: UNKNOWN (100)

Login Status: ACCEPT

 

Input RADIUS Attributes -

Radius:Aruba:Aruba-Essid-Name =  

Radius:Aruba:Aruba-Port-Id = 10.1.1.2:0/0/4

Radius:IETF:Acct-Session-Id = d4:81:d7D481D7D3CE6D-5ED62664-BC7DE

Radius:IETF:Calling-Station-Id = d4:81:d7:d3:ce:6d

Radius:IETF:NAS-IP-Address = 10.1.1.2

Radius:IETF:NAS-Port = 8452

Radius:IETF:NAS-Port-Type = 15

Radius:IETF:Service-Type = 10

Radius:IETF:User-Name = d4:81:d7:d3:ce:6d

 

From pcap, we can see that the accnt id in radius request and accnt id in accounting request packet is same: d4:81:d7D481D7D3CE6D-5ED62664-BC7DE​

 

 

As a result of this when we navigate to Monitoring->Live Monitoring->Accounting, for the accounting id: d4:81:d7D481D7D3CE6D-5ED62664-BC7DE, we would see the radius session id mapped: R00000364-08-5ed628fc and for such sessions, we will be able to disconnect/reauthorize the user.

 

 

Version history
Revision #:
2 of 2
Last update:
2 weeks ago
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: