Requirement:
How to track the bandwidth usage of the clients with IPv6 addresses.
Solution:
Before Aruba OS 6.5, we could only perform authentication/authorization of IPv6 clients. Starting with Aruba OS 6.5, we can also monitor the bandwidth usage of clients with IPv6 addresses.
* We follow RFC 6911, which defines the attributes to be used for IPv6 access networks.
* The Framed-IPv6-Address is the key attribute and will be used in accounting start, stop and interim packets.
* With IPv6, it is possible for a single host to have multiple IPv6 addresses.
* We now have the ability to track the usage of each and every IPv6 entry.
A host can have both IPv4 and IPv6 addresses. The following behavior is expected in each scenario:
With one IPv6 address:
Start, stop and interim update messages are sent for the only IPv6 address.
With one IPv4 and one IPv6 address:
Start, stop and interim update messages are sent for both the IPv4 and the IPv6 address.
With multiple IPv6 addresses:
Start, stop and interim update messages are sent for each of the IPv6 addresses.
With multiple IPv6 and multiple IPv4 addresses:
Start, stop and interim update messages are sent for each of the IPv6 addresses.
Start message is sent only for the first IPv4 address.
Interim updates are sent for all the IPv4 addresses.
Stop message is sent only for the last IPv4 entry.
Configuration:
There is no separate configuration required to enable RADIUS accounting for IPv6 users.
Currently, the controller code has checks that block accounting for IPv6 clients; these will be removed starting with Aruba OS 6.5.
We only need to ensure that the RADIUS accounting server is mapped to the respective AAA profile. Accounting messages for IPv4 and IPv6 clients will be sent by default.
Limitation:
* RADIUS accounting is only supported on Tunnel and D-tunnel mode.
* Bridge and Split Tunnel modes are not supported.
Verification:
We can view the accounting messages sent by the controller in the security logs after enabling the logging below:
logging level debugging security process authmgr subcat aaa
show log security all
Apr 12 08:59:02 :124038: <INFO> |authmgr| Selected server CPPM for method=radius-accounting; user=ACCOUNTING, essid=accounting, domain=<>, server-group=CPPM
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:56] Radius accounting using server CPPM
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1827] Sending radius accounting request
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_request.c:55] Add Request: id=40, srv=10.17.164.45, fd=63
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1901] Sending radius request to CPPM:10.17.164.45:1813 id:40,len:346
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] User-Name: ACCOUNTING
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] NAS-IP-Address: 10.17.171.165
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] NAS-Port-Id: 0
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] NAS-Port-Type: Wireless-IEEE802.11
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Acct-Session-Id: ACCOUNTIC0EEFB300361-570D2956-DBF71
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Event-Timestamp: 04/12/2016 16:59:02
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Acct-Multi-Session-Id: C0EEFB300361-0000000004
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Framed-IPv6-address: fe80::c2ee:fbff:fe30:361
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Calling-Station-Id: C0EEFB300361
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Called-Station-Id: 000B86DDCA60
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Class: \220e\365\354\333)L\205\223\026\032s\300g/l\274\013
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Acct-Delay-Time: 0
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Aruba-Essid-Name: accounting
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Aruba-Location-Id: ac:a3:1e:cd:3a:4a
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Aruba-AP-Group: default
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Aruba-User-Role: authenticated
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Aruba-User-Vlan:
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Aruba-Device-Type: Android
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Acct-Status-Type: Start
Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:1912] Acct-Authentic: RADIUS
Apr 12 08:59:02 :124004: <DBUG> |authmgr| rc_start_acct_req:938 aal_rad_acct returned 0
Apr 12 08:59:02 :124004: <DBUG> |authmgr| user_download: User fe80::c2ee:fbff:fe30:361 Router Acl(0)
Apr 12 08:59:02 :124004: <DBUG> |authmgr| get_traffic_prio_from_role: |TC-PROF GET|: Profile Name (Default) Role name (authenticated) val(15)
Apr 12 08:59:02 :124004: <DBUG> |authmgr| user_download: |TC-PROF|: Role (authenticated) Traffic Prio(15)
Apr 12 08:59:02 :124162: <DBUG> |authmgr| Enforcing L2 check for mac c0:ee:fb:30:03:61.
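An added example (not part of the original article and not Aruba's own tooling): a Python parser that groups the authmgr debug lines shown above into accounting requests and lists, per client MAC, which Framed-IPv6-Address values received a Start and a Stop. Request 40 reuses values from the log above; requests 41 and 42, the 2001:db8::361 address and the Stop line are constructed, and the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

PREFIX = "Apr 12 08:59:02 :121031: <DBUG> |authmgr| |aaa| [rc_server.c:%d] "

def _req(req_id, mac, addr, status):
    """Build the log lines for one request, in the format shown above."""
    body = [(1901, "Sending radius request to CPPM:10.17.164.45:1813 id:%d,len:346" % req_id),
            (1912, "Framed-IPv6-address: " + addr),
            (1912, "Calling-Station-Id: " + mac),
            (1912, "Acct-Status-Type: " + status)]
    return "\n".join(PREFIX % n + text for n, text in body)

# Request 40 repeats values from the log above; 41 and 42 are constructed.
SAMPLE_LOG = "\n".join([
    _req(40, "C0EEFB300361", "fe80::c2ee:fbff:fe30:361", "Start"),
    _req(41, "C0EEFB300361", "2001:db8::361", "Start"),
    _req(42, "C0EEFB300361", "fe80::c2ee:fbff:fe30:361", "Stop")])

REQ = re.compile(r"Sending radius request to (\S+?):[\d.]+:\d+ id:(\d+)")
ATTR = re.compile(r"\[rc_server\.c:\d+\] ([A-Za-z0-9-]+): ?(.*)$")

def parse_accounting(log_text):
    """Group attribute lines under the preceding 'Sending radius request' line."""
    requests, current = [], None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            current = {"server": m.group(1), "id": int(m.group(2)), "attrs": {}}
            requests.append(current)
        elif current is not None and (m := ATTR.search(line)):
            # Names are lower-cased because the log prints "Framed-IPv6-address".
            current["attrs"][m.group(1).lower()] = m.group(2).strip()
    return requests

def ipv6_sessions(requests):
    """Map client MAC -> {IPv6 address -> [Acct-Status-Type, ...]} in log order."""
    out = defaultdict(lambda: defaultdict(list))
    for a in (r["attrs"] for r in requests):
        if "framed-ipv6-address" in a and "acct-status-type" in a:
            addr = str(ipaddress.IPv6Address(a["framed-ipv6-address"]))
            out[a.get("calling-station-id", "unknown")][addr].append(a["acct-status-type"])
    return {mac: dict(addrs) for mac, addrs in out.items()}

def open_sessions(sessions):
    """Per MAC, the addresses that have a Start and no Stop in the log."""
    return {mac: [ip for ip, ev in addrs.items() if "Start" in ev and "Stop" not in ev]
            for mac, addrs in sessions.items()}
```

Feeding it the output of show log security all shows whether every IPv6 address of a multi-address client produced its own Start, as described in the scenarios above.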