Requirement:
How do we configure the controller to send a "RADIUS accounting stop" immediately after a user disassociates, without waiting for the idle-timeout?
Solution:
- In releases before 6.4.1.x, the RADIUS accounting stop message is sent only after the user idle-timeout expires.
- From 6.4.1.0 onward, the RADIUS accounting stop is sent immediately after the user disassociates, without waiting for the idle-timeout.
- This feature is supported only for wireless users in tunnel and d-tunnel forward modes.
- Configuring user-idle-timeout as 0 in the AAA profile triggers the RADIUS accounting stop immediately when the client disassociates.
Configuration:
CLI configuration:
(config) #aaa profile default
(AAA Profile "default") #user-idle-timeout ?
<seconds> User idle timeout in seconds. Value of 0 deletes the user immediately on disassoc/disconnect. Valid range is 30-15300 seconds in multiples of 30 seconds
(AAA Profile "default") #user-idle-timeout 0
UI Configuration:
Verification:
#show aaa profile default
AAA Profile "default"
----------------------
Parameter                           Value
---------                           -----
Initial role                        logon
MAC Authentication Profile          N/A
MAC Authentication Default Role     mac-role
MAC Authentication Server Group     pavan-grp
802.1X Authentication Profile       test-dot1x
802.1X Authentication Default Role  authenticated
802.1X Authentication Server Group  pavan-grp
Download Role from CPPM             Disabled
L2 Authentication Fail Through      Disabled
Multiple Server Accounting          Disabled
User idle timeout                   0 sec
RADIUS Accounting Server Group      rad-acct-grp
RADIUS Interim Accounting           Enabled
XML API server                      10.15.100.245
RFC 3576 server                     10.15.100.245
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled
PAN Firewall Integration            Disabled
#show auth-tracebuf count 40 (displays the information below)
May 27 04:44:17 station-up * 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - - wpa2 aes
May 27 04:44:17 eap-id-req <- 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 1 5
May 27 04:44:17 eap-id-resp -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 1 11 smoke1
May 27 04:44:17 rad-req -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 200 199
May 27 04:44:17 rad-resp <- 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1/pavan-radius 200 90
May 27 04:44:17 eap-req <- 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 2 6
May 27 04:44:17 eap-nak -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 2 6
May 27 04:44:17 rad-req -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1/pavan-radius 201 232
May 27 04:44:17 rad-resp <- 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1/pavan-radius 201 90
May 27 04:44:17 eap-req <- 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 7 107
May 27 04:44:17 eap-resp -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 7 43
May 27 04:44:17 rad-req -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1/pavan-radius 204 269
May 27 04:44:17 rad-accept <- 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1/pavan-radius 204 238
May 27 04:44:17 eap-success <- 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 7 4
May 27 04:44:17 wpa2-key1 <- 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - 117
May 27 04:44:17 wpa2-key2 -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - 135
May 27 04:44:17 wpa2-key3 <- 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - 151
May 27 04:44:17 wpa2-key4 -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - 95
May 27 04:44:21 rad-acct-start -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - -
May 27 04:44:41 eap-logoff -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - -
May 27 04:44:41 rad-acct-stop -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - -
May 27 04:44:41 station-down * 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - -
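An added example (not part of the original article or of any Aruba tooling): a Python check that reads auth-tracebuf output in the layout shown above and reports, per client MAC, how many seconds passed between the first disconnect event (eap-logoff or station-down) and the rad-acct-stop. The sample lines for the clients ending :09 and :0a, the 1-second threshold and the placeholder year are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample in the auth-tracebuf layout shown above. The first client
# is taken from the article; the :09 and :0a clients are invented for contrast.
SAMPLE = """\
May 27 04:44:21 rad-acct-start -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - -
May 27 04:44:41 eap-logoff -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - -
May 27 04:44:41 rad-acct-stop -> 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - -
May 27 04:44:41 station-down * 00:26:c6:44:86:08 d8:c7:c8:8b:5e:f1 - -
May 27 04:50:00 rad-acct-start -> 00:26:c6:44:86:09 d8:c7:c8:8b:5e:f1 - -
May 27 04:51:10 station-down * 00:26:c6:44:86:09 d8:c7:c8:8b:5e:f1 - -
May 27 04:56:10 rad-acct-stop -> 00:26:c6:44:86:09 d8:c7:c8:8b:5e:f1 - -
May 27 05:00:00 rad-acct-start -> 00:26:c6:44:86:0a d8:c7:c8:8b:5e:f1 - -
May 27 05:01:00 station-down * 00:26:c6:44:86:0a d8:c7:c8:8b:5e:f1 - -
"""

DISCONNECT = {"eap-logoff", "station-down"}
LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) +(\S+) +\S+ +((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def parse(text, year=2000):
    """Yield (timestamp, event, client MAC); the log has no year, so one is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3).lower()

def acct_stop_delays(text, max_delay=1):
    """Map each disconnected client to (verdict, seconds from disconnect to stop)."""
    down, stop = {}, {}
    for ts, event, mac in parse(text):
        if event == "rad-acct-start":      # new session: forget the previous one
            down.pop(mac, None)
            stop.pop(mac, None)
        elif event in DISCONNECT:
            down.setdefault(mac, ts)       # keep the first disconnect event
        elif event == "rad-acct-stop":
            stop.setdefault(mac, ts)
    report = {}
    for mac in sorted(down):
        if mac not in stop:
            report[mac] = ("missing", None)
            continue
        delay = max(0, int((stop[mac] - down[mac]).total_seconds()))
        report[mac] = ("immediate" if delay <= max_delay else "delayed", delay)
    return report
```

A "missing" verdict only means that no rad-acct-stop appears in the captured lines; capture more entries before concluding that the stop was never sent.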
#show log user all (displays the information below)
May 27 04:44:22 :522038: <INFO> |authmgr| username=smoke1 MAC=00:26:c6:44:86:08 IP=172.2.2.2 Authentication result=Authentication Successful method=radius-accounting server=pavan-radius
May 27 04:44:41 :522296: <DBUG> |authmgr| Auth GSM : USER_STA delete event for user 00:26:c6:44:86:08 age 0 deauth_reason 1
May 27 04:44:41 :522036: <INFO> |authmgr| MAC=00:26:c6:44:86:08 Station DN: BSSID=d8:c7:c8:8b:5e:f1 ESSID=test-ssid-wpa2-50 VLAN=276 AP-name=AP134-b5ee
May 27 04:44:41 :522261: <DBUG> |authmgr| "User MAC:00:26:c6:44:86:08: purge IP:172.2.2.2.
May 27 04:44:41 :522301: <DBUG> |authmgr| Auth GSM : USER publish for uuid 18 mac 00:26:c6:44:86:08 name smoke1 role authenticated devtype Win XP wired 0 authtype 4 subtype 9 encrypt-type 10 conn-port 8448 fwd-mode 0
May 27 04:44:41 :522005: <INFO> |authmgr| MAC=00:26:c6:44:86:08 IP=172.2.2.2 User entry deleted: reason=user request
May 27 04:44:41 :522004: <DBUG> |authmgr| MAC=00:26:c6:44:86:08 Reset station role to authenticated (158) (ingress=65546)
May 27 04:44:41 :522050: <INFO> |authmgr| MAC=00:26:c6:44:86:08,IP=N/A User data downloaded to datapath, new Role=authenticated/158, bw Contract=0/0, reason=Station resetting role, idle-timeout=0
May 27 04:44:41 :522262: <DBUG> |authmgr| "User MAC:00:26:c6:44:86:08: Total users purged = 1.
May 27 04:44:41 :522244: <DBUG> |authmgr| MAC=00:26:c6:44:86:08 Station Deleted Update MMS
May 27 04:44:41 :522301: <DBUG> |authmgr| Auth GSM : USER publish for uuid 18 mac 00:26:c6:44:86:08 name smoke1 role authenticated devtype Win XP wired 0 authtype 4 subtype 9 encrypt-type 10 conn-port 8448 fwd-mode 0
May 27 04:44:41 :522004: <DBUG> |authmgr| 00:26:c6:44:86:08: station datapath entry deleted
May 27 04:44:41 :522290: <DBUG> |authmgr| Auth GSM : MAC_USER delete for mac 00:26:c6:44:86:08
May 27 04:44:41 :522303: <DBUG> |authmgr| Auth GSM : USER delete for mac 00:26:c6:44:86:08 uuid 18
May 27 04:44:41 :522265: <DBUG> |authmgr| "MAC:00:26:c6:44:86:08: Deallocating UUID: 18.
May 27 04:44:41 :522038: <INFO> |authmgr| username=smoke1 MAC=00:26:c6:44:86:08 IP=172.2.2.2 Authentication result=Authentication Successful method=radius-accounting server=pavan-radius
Note:
An idle timeout of 0 should not be configured in AAA profiles meant for wired users or remote users. It is applicable only to wireless users in tunnel/d-tunnel mode.