Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Radius accounting anomalies

  • 1.  Radius accounting anomalies

    Posted Mar 03, 2014 06:02 AM

    Hi there,

     

    We have set up accounting to track usage etc. of our clients, but I am not convinced it is working correctly.

    The reason I say this is that if I log off and on again a few times, not all the logins are sent to the accounting - we don't see all the Accounting-Request Start and Stop entries, and the number of misses is random.

    We also want the interim accounting info, so have ticked that box as well, but I am not sure what interval we should be seeing. Should this be regular or random?

    An example of what we are seeing relating to the random interim-update is below.

     

    Tue Feb 25 09:00:07 2014
            NAS-IP-Address = 10.62.20.65
            User-Name = "A#####"
            [...]
            Acct-Session-Id = "A#####5CD998A364AB-B1"
            [...]
            Acct-Status-Type = Start
            [...]
            Packet-Src-Port = 1814
            Service = "WA"
            Client = "XXX"
            HUB = "123 ABC"
            Timestamp = 1393318807

    Tue Feb 25 09:08:27 2014
            NAS-IP-Address = 10.62.20.65
            User-Name = "A#####"
            [...]
            Acct-Session-Id = "A#####5CD998A364AB-B1"
            [...]
            Acct-Status-Type = Interim-Update
            Acct-Input-Octets = 37778
            Acct-Output-Octets = 36549
            Acct-Input-Packets = 457
            Acct-Output-Packets = 73
            Acct-Session-Time = 501
            [...]
            Packet-Src-Port = 1814
            Service = "WA"
            Client = "XXX"
            HUB = "123 ABC"
            Timestamp = 1393319307

            [...]

    Tue Feb 25 09:17:10 2014
            NAS-IP-Address = 10.62.20.65
            User-Name = "A#####"
            [...]
            Acct-Session-Id = "A#####5CD998A364AB-B2"
            [...]
            Acct-Status-Type = Start
            [...]
            Packet-Src-Port = 1814
            Service = "WA"
            Client = "XXX"
            HUB = "123 ABC"
            Timestamp = 1393319830


    Tue Feb 25 09:19:47 2014
            NAS-IP-Address = 10.62.20.65
            User-Name = "A#####"
            Acct-Session-Id = "A#####5CD998A364AB-B2"
            [...]
            Acct-Status-Type = Interim-Update
            Acct-Input-Octets = 7039
            Acct-Output-Octets = 1031
            Acct-Input-Packets = 92
            Acct-Output-Packets = 5
            Acct-Session-Time = 157
            [...]
            Packet-Src-Port = 1814
            Service = "WA"
            Client = "XXX"
            HUB = "123 ABC"
            Timestamp = 1393319987

    Tue Feb 25 10:35:03 2014
            NAS-IP-Address = 10.62.20.65
            User-Name = "B#####"
            [...]
            Acct-Session-Id = "B#####5CD998A364AB-BA"
            [...]
            Acct-Status-Type = Start
            [...]
            Packet-Src-Port = 1814
            Service = "WA"
            Client = "XXX"
            HUB = "123 ABC"
            Timestamp = 1393324503

    Tue Feb 25 10:41:01 2014
            NAS-IP-Address = 10.62.20.65
            User-Name = "B#####"
            [...]
            Acct-Session-Id = "B#####"
            Acct-Status-Type = Interim-Update
            Acct-Input-Octets = 93307
            Acct-Output-Octets = 731885
            Acct-Input-Packets = 884
            Acct-Output-Packets = 789
            Acct-Session-Time = 358
            [...]
            Packet-Src-Port = 1814
            Service = "WA"
            Client = "XXX"
            HUB = "123 ABC"
            Timestamp = 1393324861
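
An added example, not part of the original thread or of any Aruba or FreeRADIUS tooling: one way to check a FreeRADIUS-style accounting detail file for the two symptoms described in the post above, sessions with no Start or no Stop record and uneven spacing between a session's records. The sample records, the session IDs and the function names `parse_detail` and `audit` are constructed for illustration, and the file layout (unindented timestamp header, indented `Attribute = value` lines) is an assumption.

```python
import time
from collections import defaultdict

def _render(sid, kind, ts):
    """Build one detail-style record (constructed sample data)."""
    head = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(ts))
    return (f'{head}\n\tAcct-Session-Id = "{sid}"\n'
            f"\tAcct-Status-Type = {kind}\n\tTimestamp = {ts}\n\n")

# Constructed sample (not the poster's data): S-1 is complete, S-2 has no
# Stop, S-3 has no Start.
SAMPLE = "".join(_render(*r) for r in [
    ("S-1", "Start", 1393318800), ("S-1", "Interim-Update", 1393319300),
    ("S-1", "Interim-Update", 1393319900), ("S-1", "Stop", 1393319960),
    ("S-2", "Start", 1393320000), ("S-2", "Interim-Update", 1393320157),
    ("S-3", "Interim-Update", 1393324000), ("S-3", "Stop", 1393324300),
])

def parse_detail(text):
    """Yield one dict per record; a non-indented line starts a new record."""
    rec = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            if rec:
                yield rec
            rec = {}
        elif rec is not None and " = " in line:
            key, _, val = line.strip().partition(" = ")
            rec[key] = val.strip('"')
    if rec:
        yield rec

def audit(records):
    """Per Acct-Session-Id: missing Start/Stop and seconds between records."""
    sessions = defaultdict(list)
    for r in records:
        if "Acct-Session-Id" in r and "Timestamp" in r:
            sessions[r["Acct-Session-Id"]].append(
                (int(r["Timestamp"]), r.get("Acct-Status-Type")))
    report = {}
    for sid, events in sessions.items():
        events.sort(key=lambda e: e[0])
        kinds = [k for _, k in events]
        report[sid] = {"no_start": "Start" not in kinds,
                       "no_stop": "Stop" not in kinds,
                       "gaps": [b[0] - a[0] for a, b in zip(events, events[1:])]}
    return report

if __name__ == "__main__":
    for sid, info in audit(parse_detail(SAMPLE)).items():
        print(sid, info)
```

Comparing the same report built from the RADIUS server's file and from a capture taken on the sending device shows whether records are missing at the source or lost in transit.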



  • 2.  RE: Radius accounting anomalies

    EMPLOYEE
    Posted Mar 03, 2014 06:56 AM

    awightman, what sort of server are you using for accounting: is it ClearPass or another?  Is this a controller-based or Instant-based WLAN?

    The interim accounting interval default, and max, is 10 mins.  You can change this value in the aaa-timers.

     

    aaa timers stats-timeout 300 seconds

     

     

     



  • 3.  RE: Radius accounting anomalies

    Posted Mar 03, 2014 07:05 AM

    Hi Mike,

    We are using FreeRADIUS, not ClearPass; it's a controller-based solution.

    We haven't adjusted the timers, but if you see the interim-updates in the info, you will see that it varies: 8 minutes in one, then 6 minutes in another.

    More concerning is the lack of start-stop packets for some of the connections I made though.

     

    Cheers

    Andrew



  • 4.  RE: Radius accounting anomalies

    EMPLOYEE
    Posted Mar 03, 2014 07:23 AM

    I'd probably start with a radius capture on the controller to see if that matches what you see in the logs there.

     

    v 6.3 - packet-capture controlpath udp 1613

    pre 6.3 - packet-capture udp 1613

     

    Captured packets are stored in /var/log/oslog/filter.pcap within the logs.

     

    I've not had to deal a lot with accounting, but if you're not seeing what you expect, that may be one for TAC to take a look at.

     

     



  • 5.  RE: Radius accounting anomalies

    Posted Jun 04, 2014 10:02 AM

    Hi Mike,

    My situation has got even worse now!!!

    On another airport I have configured MAC auth (guess the application ;-)), and I get NO accounting packets at all.

    Does Aruba actually do accounting - seems pretty hit and miss to be honest.

     

    Hopefully Aruba step in and tell me that I missed a checkbox or something but pretty sure the config is all good.

    The users get authenticated OK, the accounting server is defined in the profile (same as the auth server), and Interim accounting box is also checked for good measure!!

     

    Cheers

    Andrew



  • 6.  RE: Radius accounting anomalies

    EMPLOYEE
    Posted Jun 04, 2014 10:48 AM

    1.  Make sure you have the right server configured in the radius accounting profile in the AAA profile.

    2.  Radius accounting is only sent to the first server in the server group.

    3.  Radius accounting stop is generated when the user is aged out of the user table, NOT when they disconnect.

    4.  Maybe you should open a support case so that you can get all of your questions answered.

     



  • 7.  RE: Radius accounting anomalies

    Posted Jun 04, 2014 11:05 AM
    Hi,

    I only have one server in the server group, and this is the server in the accounting profile as well, so can't understand why it's not working.

    Cheers


  • 8.  RE: Radius accounting anomalies

    EMPLOYEE
    Posted Jun 04, 2014 10:56 AM

    Hi Andrew,

     

    What port is your radius server configured for accounting?  Make sure this matches in your Aruba radius server config.  Sometimes, they use port 1646 instead of 1813.

     

    Did you manage to get a radius capture on the controller to check if the accounting messages are being generated?



  • 9.  RE: Radius accounting anomalies

    Posted Jun 04, 2014 11:07 AM
    Hi Mike,
    We allow both radius ports, old and new, through the firewall, but no packets even hit the next hop device, so looks like they are not being generated at all.

    Cheers


  • 10.  RE: Radius accounting anomalies

    Posted Jun 11, 2014 04:05 AM

    awightman, have you opened a TAC ticket? They are set up to actually test this and confirm / deny your observations and hopefully solve your issue.



  • 11.  RE: Radius accounting anomalies

    Posted Apr 29, 2015 08:29 AM

    Hi all, was this resolved - what was the fix please?



  • 12.  RE: Radius accounting anomalies

    Posted May 01, 2015 11:15 PM

    In follow-up, genuinely interested to know how the Aruba should behave in this regard compared with other offerings...

    https://community.aerohive.com/aerohive/topics/use_the_framed_ip_address_avp_containing_a_clients_ip_address_correctly_in_radius_accounting