
RADIUS accounting when client roams

  • 1.  RADIUS accounting when client roams

    Posted Jan 13, 2019 10:40 AM

    Hello,

     

    When a client is roaming from AP1 > AP2 with 802.1X auth and RADIUS accounting defined on the SSID, do we expect AP2, after full 802.1X auth, to send an Accounting-Request (start) to the server if the previous session is still active (the session on AP1, because the client didn't send a disassociation frame and AP1 didn't send an Accounting-Request (stop) packet)?

     

    Thanks,

    Myky



  • 2.  RE: RADIUS accounting when client roams

    EMPLOYEE
    Posted Jan 13, 2019 03:42 PM

    You would expect the client to send an accounting stop when the client is aged out of the user table, NOT on a roam.



  • 3.  RE: RADIUS accounting when client roams

    Posted Jan 13, 2019 04:16 PM

    Thanks man!

     

    I have done some tests, and yes, you are right. If a client leaves the AP (due to roaming or if a user disables wireless) and there was no disassociate frame from the client, the AP will keep the session for 5 minutes (in my case) and then send an accounting stop message (at the same time removing the client from the table).

    Unfortunately, I do not have two APs to test, but I am wondering if the destination AP, when a client roams, will send a new Accounting request (I assume it should).

     

    Your thoughts? 

     

    Thanks,

    Myky



  • 4.  RE: RADIUS accounting when client roams

    EMPLOYEE
    Posted Jan 13, 2019 04:29 PM

    No.



  • 5.  RE: RADIUS accounting when client roams

    Posted Jan 13, 2019 04:40 PM

    So we cannot have two simultaneous accounting sessions? The first session must be stopped in order for the second AP to initiate another one?

    Thanks again!



  • 6.  RE: RADIUS accounting when client roams

    EMPLOYEE
    Posted Jan 13, 2019 05:00 PM

    There is a single session.  It begins when a user connects to an SSID and stops when a user is aged out of a session for whatever reason.



  • 7.  RE: RADIUS accounting when client roams

    Posted Jan 13, 2019 05:11 PM

    Maybe I am missing something. I understood that the source AP will have one session while the client is connected, but the destination AP will also create its own association session when the client roams.

    So, in the end, we have two sessions: one on the source AP (because the client didn't inform the AP that it is leaving/roaming) and another one on the destination AP.

    Or are you referring to the single (floating) Accounting session, not the actual AP association sessions?

     

    Thanks.

    Myky



  • 8.  RE: RADIUS accounting when client roams
    Best Answer

    EMPLOYEE
    Posted Jan 13, 2019 07:08 PM

    Or are you referring to the single (floating) Accounting session, not the actual AP association sessions?

    Correct.



  • 9.  RE: RADIUS accounting when client roams

    Posted Jan 22, 2019 05:47 AM

    Hey,

     

    OK, I had a chance to test it. The destination AP will initiate a new Accounting-Request (start) session regardless of whether the device sent a disassociate frame to the source AP or not:

     

    Screenshot 2019-01-22 at 10.44.57.png



  • 10.  RE: RADIUS accounting when client roams

    Posted Jul 10, 2020 06:35 AM

    This did not work as expected. In my IAP cluster, when a client roams from AP1 > AP2, the Aruba IAP sends a Stop Session accounting from AP1 and a Start Session accounting from AP2. This is a problem because I use Sophos RADIUS SSO; then, when the client is logged out from the firewall, his active connections are closed.

    Apps that use Google Cloud Messaging stop working for a few minutes when the device roams.

    Is it possible to configure the Aruba IAP cluster to not send an accounting stop when a client roams?
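
One way a consumer of the accounting stream could tell the roam patterns reported in this thread (a Stop from AP1 followed by a Start from AP2, or a Start from the new AP with the old AP's Stop arriving only after age-out) apart from a real logout. This is an added example, not part of the thread and not Aruba or Sophos code; the 30-second grace window, the function name and the sample records are assumptions constructed for illustration.

```python
GRACE = 30  # seconds to hold a Stop before treating it as a logout (assumed value)

# Constructed records: (receive time in s, Acct-Status-Type, Calling-Station-Id, NAS)
SAMPLE = [
    (0,   "Start", "aa:bb:cc:00:00:01", "AP1"),  # first association
    (100, "Stop",  "aa:bb:cc:00:00:01", "AP1"),  # roam: Stop from old AP ...
    (101, "Start", "aa:bb:cc:00:00:01", "AP2"),  # ... then Start from new AP
    (200, "Start", "aa:bb:cc:00:00:01", "AP3"),  # roam with no Stop from AP2 yet
    (500, "Stop",  "aa:bb:cc:00:00:01", "AP2"),  # AP2 ages the client out later
    (900, "Stop",  "aa:bb:cc:00:00:01", "AP3"),  # client really leaves
]

def sso_actions(records, grace=GRACE):
    """Collapse per-AP Start/Stop records into per-client login/roam/logout."""
    current = {}  # MAC -> AP that last sent a Start for it
    pending = {}  # MAC -> time of a Stop that may still turn out to be a roam
    actions = []

    def expire(now):
        # A held Stop becomes a logout once the grace window passes with no Start.
        for mac, t in list(pending.items()):
            if now - t > grace:
                actions.append((t + grace, "logout", mac))
                del pending[mac], current[mac]

    for ts, status, mac, nas in sorted(records):
        expire(ts)
        if status == "Start":
            pending.pop(mac, None)  # a Start inside the window cancels the logout
            if mac not in current:
                actions.append((ts, "login", mac))
            elif current[mac] != nas:
                actions.append((ts, "roam", mac))
            current[mac] = nas
        elif status == "Stop" and current.get(mac) == nas:
            pending[mac] = ts  # Stop from the AP that holds the client: hold it
        # A Stop from any other AP is a stale session ending; it is ignored.
    expire(float("inf"))
    return actions

if __name__ == "__main__":
    for action in sso_actions(SAMPLE):
        print(action)
```

Keying on Calling-Station-Id rather than Acct-Session-Id is what lets the two per-AP sessions be treated as one client session; the trade-off is that a real logout is reported `grace` seconds late.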