Security

Reply
Contributor I

RADIUS accounting when client roams

Hello,

 

When a client is roaming from AP1 > AP2 with 802.1X auth and RADIUS accounting defined on the SSID, do we expect AP2, after full 802.1X auth, send Accounting-Request (start) to the server if the previous session is still active (session on AP1, because the client didn't send disassociation frame, and AP1 didn't send Accounting-Request (stop) packet?

 

Thanks,

Myky

Guru Elite

Re: RADIUS accounting when client roams

You would expect the client to send an accounting stop when the client is aged out of the user table, NOT on a roam.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor I

Re: RADIUS accounting when client roams

Thanks man!

 

I have done some tests, and yes you are right. If a client leaving the AP (due to roaming or if a user disables wireless) and there was no disassociate frame from the client, AP will keep session for 5 minutes (in my case) and then send accounting stop message (same time removing a client from the table).

Unfortunately, l do not have two APs to test, but wondering if the destination AP, when a client roams, will send a new Accounting request (l assume it should).

 

Your thoughts? 

 

Thanks,

Myky

Guru Elite

Re: RADIUS accounting when client roams

No.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor I

Re: RADIUS accounting when client roams

So we cannot have two simultaneous accounting sessions? The first session must be stopped in order for the second AP initiate another one? 

Thanks again!

Guru Elite

Re: RADIUS accounting when client roams

There is a single session.  It begins when a user connects to an SSID and stops when a user is aged out of a session for whatever reason.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor I

Re: RADIUS accounting when client roams

Maybe l am missing something. I understood that source AP will have one session while the client is connected, but the destination AP also will create its own association session when the client roams.

 

So, in the end, we have two sessions: one on the source AP (because the client didn't inform AP that is leaving/roaming) and another one on the destination AP.

 

Or you referring to the single (floating) Accounting session, not the actual AP association sessions?

 

Thanks.

Myky

Guru Elite

Re: RADIUS accounting when client roams


Or you referring to the single (floating) Accounting session, not the actual AP association sessions?

 


 

Correct.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor I

Re: RADIUS accounting when client roams

Hey,

 

Ok had a chance to test it. Destination AP will initiate new Accounting-Request (start) session regardless in the device sent a dissasociate frame to the source AP or not:

 

Screenshot 2019-01-22 at 10.44.57.png

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: