Wireless Access

Hi All,

We just upgraded from 3.4 to 6.2 there was no configuration changes done but after upgrade we are not recieveing any Accounting request though its configured in RADIUS Accounting Server Group.

Any help its quite urgent

Thanks in advance

Your best bet is to open a support case, because you have provided little information where we can make a determination.  ArubaOS 3.x did not have interim accounting so the only time you would see it is on authentication and when the user leaves the user table.  ArubaOS 6.1 added interim accounting, but it is off by default.  You would see accounting start and stop messages in the auth-tracebuf:

Sep  2 07:05:07  rad-resp              <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41/cppm-192.168.1.32  10    113   
Sep  2 07:05:07  eap-req               <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    10    43    
Sep  2 07:05:07  eap-resp              ->  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    10    80    
Sep  2 07:05:07  rad-req               ->  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41/cppm-192.168.1.32  11    300   
Sep  2 07:05:07  rad-accept            <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41/cppm-192.168.1.32  11    264   
Sep  2 07:05:07  eap-success           <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    10    4     
Sep  2 07:05:07  assg-vlan-req          *  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    1000  1     new vlan: dot1x for wireless
Sep  2 07:05:07  assg-vlan-resp         *  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     1     
Sep  2 07:05:07  wpa2-key1             <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     117   
Sep  2 07:05:07  wpa2-key2             ->  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     117   
Sep  2 07:05:07  wpa2-key3             <-  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     151   
Sep  2 07:05:07  wpa2-key4             ->  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     95    
Sep  2 07:05:08  rad-acct-start        ->  e8:99:c4:92:c9:5b  00:1a:1e:1d:bc:41                    -     -     

Thank you guys for your quick response

In 3.4 version it didnt supported RADIUS Interim - update requests but RADIUS Accounting(Start & Stop) were recieved correctly. But after recent OS upgrade broke this functionality whichis very crucial for us. Here is AAA profile and Server Group configs snipet;

CONFIG:

user-role login_Portal
captive-portal "Portal"
access-list session Portal-logon-policy

user-role Portal_initial_role
captive-portal "Portal"
access-list session captiveportal

aaa xml-api server "172.X.X.X"
key <VALUE>

access-list session control

aaa authentication-server radius "AAAServer"

host "172.X.X.X"
key <VALUE>

aaa server-group "AAA"
auth-server AAAServer

aaa profile "AAATCPortal"
initial-role "Portal_initial_role"
radius-accounting "AAA"
xml-api-server "172.X.X.X"

aaa authentication captive-portal "Portal"
default-role "login_Portal"
login-page "<External Portal URL>"
no enable-welcome-page

In firewall for IP session there any to any permit, Please let me know if above config is enough to understand the issue.

Thanks in Advance

Veerat

Question:

Do you use to XML API server to move clients into their proper role, or do you use a radius server to authenticate them?

The user authentication happening via XML API using 'authenticate' command which is happening as expected. Our use case is once user is authenticated we should recieve start request subsequently Interim update request and Stop request.

I hope the given configuration is correct , we have configured it as mentioned in 6.2 UG;

Using the WebUI (ArubaOS 6.2 | User Guide Authentication Servers | 186  & 187 | Authentication Servers ArubaOS 6.2 | User Guide)
1. Navigate to the Configuration > Security > Authentication > AAA Profiles page.
2. Select AAA Profile, then select the AAA profile instance.
3. (Optional) In the Profile Details pane, select RADIUS Interim Accounting to allow the controller to send Interim-
Update messages with current user statistics to the server at regular intervals. This option is disabled by default,
allowing the controller to send only start and stop messages RADIUS accounting server.
4. In the profile list, scroll down and select the Radius Accounting Server Group for the AAA profile. Select the
server group from the drop-down menu.
You can add additional servers to the group or configure server rules.
5. Click Apply.

We are using a external captive portal for authentiation hence a XML API server is used, Please find our expected flow;

1. User connects to configured SSID ( having External Captive portal cofiguration).

2. User goes to browser and type any site in response user gets redirected to external captive portal page.

3. User enters the login credentails where Login button send a XML API request to WLC and in response WLC converts the API request and sends auth to configured RADIUS Server.

4. If User successfully authenticated by RADIUS Server then WLC should send an Accounting-Start request.

5. An Stop request should be sent to RADIUS Server when Session-Timeout is reached which is replied back in auth request .

Please let me know if you need any more info on the flow;

Regards,

Veerat

Are you  using user_add or user_authenticate to change the role of the user via the XML api?

user_authenticate 

User_authenticate should generate radius accounting packets.  Please open a TAC case.

Thanks 

It was really quick response on this forum, really it rocks :)