Accounting in Radius !

Hi all, can someone tell me whether we can perform accounting through RADIUS as we can with TACACS? I tried doing this, but kindly see below:
R1(config)#aaa accounting commands 15 default start-stop group ?
WORD Server-group name
tacacs+ Use list of all Tacacs+ hosts.
In the options I am not given RADIUS! Why is that so? Can't accounting be achieved through a RADIUS server?

RADIUS only supports start/stop accounting. Command accounting is supported by TACACS.
Regards,
~JG

Similar Messages

  • Command accounting w/ RADIUS

    Not having much luck getting this to work and searching the forums here everybody seems to say it is not possible unless TACACS+ is used. Is this still the case? I see the AAA/ACCT/CMD in the debug on the local switch but the RADIUS server never receives the data string except for the authentication entry.
    Any way to re-classify the AAA/ACCT/CMDs and send in a syslog trap/log?
    Looking for creative solutions here, TACACS+ is not available in this case.
    Thanks

    Hi,
    Unfortunately you can not log any AAA information to syslog.
    Now you may ask why IOS CLI allows to configure command accounting via RADIUS when it is not supported. Well, this is indeed an IOS caveat which is described in CSCdp57020 'parser should not show radius as an aaa accounting commands option' and resolved in 12.2 based IOS trains (ref. Bug Toolkit on Cisco.com).
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCdp57020
    Regards,
    ~JG
    Do rate helpful posts

  • Cisco 2960-X & ISE accounting- username Radius attribute missing

    Hi,
    I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
    - Username (vendor1) is configured in the ISE local database, under group (VENDOR)
    - Authentication protocol: wired MAB
    - Authentication method: webauth using the guest portal; the user is a vendor, so no dot1x is configured on his NIC.
    The problem is that the switch is not sending the username as part of the RADIUS attributes. In the authentication log, the username is shown as the MAC address of the user's machine; therefore, I cannot configure my authorization condition using internaluser:Name Equal vendor1,
    while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.
    The same configuration is working on a 3750 switch with no issue.
    Here is my Switch config:
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa authorization auth-proxy default group radius 
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 5
    username admin password 
    username radius-test password 
    aaa server radius dynamic-author
     client 172.16.2.20 server-key 7 04490A0206345F450C00
     client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
    radius server ISE-RADIUS-1
     address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 111B18011E0718070133
    radius server ISE-RADIUS-2
     address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 0214055F02131C2A4957
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    any help  !!!

    Thanks for your reply. I know what MAB is; if you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending RADIUS attribute type 1 to the ISE. Thus, in the ISE authentication log, the MAC address of the client machine is shown as the username, not the actual username (vendor1).
    As I also mentioned, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960-X only.

  • Anyconnect session accounting via radius or syslog ?

    Hi
    Does anyone have a deployed accounting method to log Anyconnect session details ?  Do you do it via a radius server or via logging messages to a syslog server ?
    If so could you assist with appropriate configuration ?  I am looking to log successful and unsuccessful authentications as well as session length, log on and log off times.
    I've been playing around with Anyconnect authenticating to AD via ACS 5.1 but can't seem to get the accounting details I require.  Similarly I have tried to catch appropriate syslog messages but again without much success.
    Many thanks for any input, St.

    What have you configured for RADIUS accounting on the ASA?
    Can you paste the output of show run aaa-server and show run tunnel-group?
    Basically, all you need is to define a RADIUS server group and call that group under the tunnel-group parameters.
    !--- Configure the AAA Server group.
    ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
    ciscoasa(config-aaa-server-group)# exit
    !--- Configure the AAA Server.
    ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
    ciscoasa(config-aaa-server-host)# key secretkey
    ciscoasa(config-aaa-server-host)# exit
    !--- Configure the tunnel group to use the new AAA setup.
    ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
    ciscoasa(config-tunnel-general)# accounting-server-group RAD_SRV_GRP
    Once done, you can then establish a session and check the detailed RADIUS accounting packet on ACS 5.x >> Monitoring and reports > catalog > aaa protocols > radius accounting.
    In case you don't see RADIUS accounting after following the above steps, then please turn on "debug aaa accounting" and "debug radius" on the ASA. This way we can check whether the ASA is sending the accounting session details to ACS or not.
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • Adding Local User Account Alongside RADIUS

    Greetings!
    Currently every Cisco device authenticates with a RADIUS server we have on campus. I'm trying to add a local user account onto our switches and routers so that if the RADIUS server is unavailable or the switch loses connection we are able to use another login to access what we need. However, when I add aaa authorization and authentication commands (no default) I think the switch cannot identify what is a RADIUS login and what is a local login. Depending on how we move commands around, local will work and RADIUS will not, or RADIUS will work and local will not. Any suggestions on how to get both to work at the same time?
    Thanks!
    -Noah

    Perhaps I do not have a correct understanding of what you are asking. But let me explain a little and if that does not address your issue then perhaps you can provide some clarification.
    You can not have Radius and the local account work at the same time - at least not in the sense that you can login and enter either one and expect it to work. What you can do (and what most people do) is to define one as primary (usually Radius) and one as backup (usually local account). Then when you attempt to login the device will attempt to use Radius, and if the Radius server is not available then it will use the local account.
    If that does not clarify your issue then please help us understand better what your issue is.
    HTH
    Rick

  • OD network user accounts with radius secured wireless

    ok.
    i'd like to use radius security on my wireless network.
    i also have 300+ OD users, who log on using both wired desktops and wireless laptops.
    however, once radius is up and running, i can no longer access the "other..." user login option on the laptops, as the laptops can't connect to the network to get the OD user info.
    how do i work around this? do i add the OD bound laptops themselves to the allowed users?
    ta

    Well, folks, it turns out that the network user list is in fact displayed, but there's a slight catch that had me fooled. I've got a single local account set up. This local admin account is selected by default and displays the password field. When I hit ESC to clear it, that local account only is displayed for about 15-20 seconds. This fairly long delay made me think it would never happen... whoops. AFTER about 15-20 seconds, the full login list is displayed. Unless you clear that pwd prompt by hitting ESC or clicking Back, the list is never displayed.
    Now that I've created a second local user account for other reasons, the pwd prompt does NOT automatically appear, and the network user list is displayed after 15-20 seconds, despite WPA.
    Problem solved. Now we'll just see if 26 users can log in simultaneously over wireless... I won't hold my breath for too long!
    Thanks for your time.

  • SG300-28 RADIUS accounting firmware 1.0.0.27 and 1.1.2.0

    Hi,
    I am using the CISCO SG300-28 with firmware version 1.0.0.27. I enabled RADIUS authentication and accounting. Authentication is working but there are no accounting requests/replies (accounting on, accounting off, accounting start, accounting stop) when running RADIUS in debug mode. I also did a packet capture and there are no accounting packets.
    So I updated the firmware image to version 1.1.2.0.
    When I now want to configure accounting in the RADIUS settings, there isn't any option to set an accounting port.
    I checked the data sheet of the switch and it says that accounting is supported:
    ===============================================
    802.1X: RADIUS authentication and accounting, MD5  hash; guest VLAN; unauthenticated VLAN, single/multiple host mode and  single/multiple sessions
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10898/data_sheet_c78-610061.html
    ===============================================
    I did a second packet capture with the new firmware image and there are still no accounting packets.
    The RADIUS server is configured correctly for accounting, because when using another NAS like a WLAN AP with DD-WRT, accounting is working. It is working with pfsense Captive Portal (an open source firewall and routing solution with a hotspot portal).
    Thank you for your feedback!
    Alexander Wilke

    Hi,
    I made some more tests with the switch and the different image versions. I did the following:
    Image 1.0.0.27
    [1.0.0.27.cap]: packetcapture (uncut to show you that I didn't cut something) between SG300-28 and freeradius 2.1.12
    [Image-version-1.0.0.27.jpg]: Screenshot of the active image
    [radius-1.0.0.27.jpg]: screenshot of the GUI which shows authentication and accounting
    Image 1.1.2.0
    [1.1.2.0.cap]: packetcapture (uncut to show you that I didn't cut something) between SG300-28 and freeradius 2.1.12
    [Image-version-1.1.2.0.jpg]: Screenshot of the active image
    [radius-1.1.2.0.jpg]: screenshot of the GUI which shows authentication without accounting
    excerpt of radiusd.conf (interfaces):
    listen {
            type = auth
            ipaddr = 192.168.0.22
            port = 1812
    }
    listen {
            type = acct
            ipaddr = 192.168.0.22
            port = 1813
    }
    clients.conf
    client "CISCO" {
        ipaddr = 192.168.0.19
        proto = udp
        secret = pfsense
        require_message_authenticator = no
        max_connections = 16
        shortname = CISCO
        nastype = other
        #login = !root
        #password = someadminpas
        #virtual_server = home1
        #coa_server = coa
    }
    users file:
    "myuser" Cleartext-Password := "mypass"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "10"

  • AAA Radius accounting command is not taking in 3750 switch

    Hi Cisco Support community,
    I am facing an issue with RADIUS accounting on a Cisco 3750 switch with version 12.2. I am unable to start accounting for the RADIUS server.
    This is the config that is on the switch for Radius.
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization exec my-authradius group radius if-authenticated
    radius-server attribute 6 on-for-login-auth
    radius-server dead-criteria time 20 tries 5
    radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
    radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
    When i try to add the following command for accounting, this is not saving.
    (aaa accounting commands 0 default start-stop group radius
    aaa accounting commands 1 default start-stop group radius
    aaa accounting commands 15 default start-stop group radius)
    If I paste these commands one by one, after start-stop group it shows only two options, either tacacs+ or server; there is no radius option as well.
    I tried to create a server group and add the RADIUS server to the group. Even then, when I try to implement the aaa accounting command with the server command, it does not show in show run.
    Can anyone please help me with this issue?

    Hi,
    thanks for your reply but the thing is that  i want to see the command that are being run by a user on  this particular device. If i use the network command it will only show me the  network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
    I have read the document from this link and it is stating that we can use command accounting. Below is the link
    http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html. 
    Can anyone please tell me if this is a version issue, because even in version 15.4 I was not seeing the radius option at the end:
    aaa accounting commands 15 default start-stop group (radius)- in radius place it was showing only Tacacs+ or group.

  • Ise 1.1 ActivatedGuest not able to authenticate using radius pap

    Hi,
    I want to create guest accounts using the sponsor portal and use radius to authenticate with these accounts; Afaik this  is supported as from 1.1mr1 (Show Version output      : 1.1.1.268)
    When we create an account with the ActivatedGuest Identity group, in the sponsor portal the account is marked as active.
    Username Status   First Name   Last Name   Email Address
    aazeaze1 ACTIVE azea azeaze
    However in ise, using radius, we receive an access-reject:
    24210  Looking up User in Internal Users IDStore - aazeaze1
    24206  User disabled
    after logging in successfully to the guest portal with this account, the radius request also succeeds.
    Questions
    1) is this scenario supported?
    2) is there anything else that should configured?
    Regards

    Hi,
    FYI it works if you don't use the fromlogin time profile , that's only for LWA/CWA.
    cheers

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they both won't work together as both TACACS and Radius are different technologies.
    It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and Radius.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, Please review the information as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).
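Added example, not part of the original reply or of any Cisco code: a minimal Python encoder/decoder for the two RADIUS packet types discussed above, showing that an observer without the shared secret can read User-Name and every accounting attribute, while only User-Password is hidden (RFC 2865 section 5.2) and the accounting packet carries just an MD5 integrity check (RFC 2866 section 3). The secret, user name, password and session id are constructed sample values.

```python
import hashlib
import hmac
import struct

# Codes and attribute types from RFC 2865 / RFC 2866.
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, USER_PASSWORD = 1, 2
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def _xor_stream(data, secret, request_auth, decrypt):
    """RFC 2865 5.2 keystream: b1 = MD5(S + RA), b(i) = MD5(S + c(i-1))."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, pad))
        out += block
        prev = chunk if decrypt else block  # always chain on the ciphertext
    return out


def hide_password(password, secret, request_auth):
    padded_len = max(16, -(-len(password) // 16) * 16)  # pad to 16-octet blocks
    padded = password.ljust(padded_len, b"\x00")
    return _xor_stream(padded, secret, request_auth, False)


def unhide_password(hidden, secret, request_auth):
    return _xor_stream(hidden, secret, request_auth, True).rstrip(b"\x00")


def build_access_request(ident, user, password, secret, request_auth):
    attrs = attr(USER_NAME, user)
    attrs += attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_accounting_request(ident, user, session_id, status, secret):
    attrs = attr(USER_NAME, user)
    attrs += attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    attrs += attr(ACCT_SESSION_ID, session_id)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


def parse(packet):
    """Decode header and attributes; this needs no shared secret."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, packet[4:20], attrs


def accounting_authenticator_ok(packet, secret):
    """Recompute the Request Authenticator; fails on tampering or a wrong secret."""
    _, _, auth, _ = parse(packet)
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(auth, expected)


# Constructed sample values (not taken from the thread).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real client uses 16 random octets
PASSWORD = b"constructed-password-1"

ACCESS = build_access_request(7, b"alice", PASSWORD, SECRET, REQUEST_AUTH)
ACCT = build_accounting_request(8, b"alice", b"0000002A", 1, SECRET)

if __name__ == "__main__":
    print("readable without the secret:", parse(ACCESS)[3][0], parse(ACCT)[3])
    print("User-Password on the wire:", parse(ACCESS)[3][1][1].hex())
    print("accounting authenticator valid:", accounting_authenticator_ok(ACCT, SECRET))
```

The accounting authenticator proves integrity to holders of the shared secret but hides nothing, which is why the accounting attributes can be captured by a third party as the comparison says.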

  • 802.1x accounting does not reflect correct port status

    Hi,
    I've just discovered an issue when trying to use MSFT supplicant and Cisco 802.1x accounting. This makes 802.1x accounting completely unusable.
    Facts:
    1. MSFT supplicant does not send EAPOL-Logoff messages and there's no way to enable this (btw. Aegis client does not send it either, except when disabling interface).
    2. I am doing machine authentication along with domain authentication.
    3. Windows XP SP2 is used with EAP registry hacks applied.
    4. PEAP/MS-CHAPv2 method is used.
    Now when the computer is started it is logged into 802.1x with 'host/machine' account and RADIUS accounting start is sent by the switch. That's fine.
    When a user logs on with its 'domain\user' identity, then EAPOL-Start is sent from the host triggering new EAP message exchange and the user is authenticated correctly. However the switch sends Interim Accounting still using 'host/machine' credentials which is obviously wrong.
    Even more bizarre accounting happens when the user subsequently logs off from the machine. The EAPOL-Start is sent from the host triggering new authentication process for 'host/machine' identity and the host is authenticated ok. The accounting being sent is:
    - first Accounting Stop for 'host/machine' User-Name
    - then strange Interim Accounting with most attributes empty or missing
    256970: Jul 10 15:56:41.211 MET-DST: RADIUS: authenticator 68 CA 1A 46 85 4F F5 95 - 87 B4 84 61 72 85 42 F3
    256971: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Session-Id [44] 10 "013F0000"
    256972: Jul 10 15:56:41.211 MET-DST: RADIUS: Vendor, Cisco [26] 34
    256973: Jul 10 15:56:41.211 MET-DST: RADIUS: Cisco AVpair [1] 28 "connect-progress=Auth Open"
    256974: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Session-Time [46] 6 0
    256975: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Input-Octets [42] 6 0
    256976: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Output-Octets [43] 6 0
    256977: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Input-Packets [47] 6 0
    256978: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Output-Packets [48] 6 0
    256979: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
    256980: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
    256981: Jul 10 15:56:41.211 MET-DST: RADIUS: Vendor, Cisco [26] 24
    256982: Jul 10 15:56:41.211 MET-DST: RADIUS: cisco-nas-port [2] 18 "FastEthernet0/11"
    256983: Jul 10 15:56:41.211 MET-DST: RADIUS: NAS-Port [5] 6 50011
    256984: Jul 10 15:56:41.211 MET-DST: RADIUS: NAS-Port-Type [61] 6 Eth [15]
    256985: Jul 10 15:56:41.211 MET-DST: RADIUS: Class [25] 27
    256986: Jul 10 15:56:41.215 MET-DST: RADIUS: 43 41 43 53 3A 30 2F 32 39 32 66 2F 61 38 31 38 [CACS:0/292f/a818]
    256987: Jul 10 15:56:41.215 MET-DST: RADIUS: 30 32 38 2F 35 30 30 31 31 [028/50011]
    256988: Jul 10 15:56:41.215 MET-DST: RADIUS: Service-Type [6] 6 Framed [2]
    256989: Jul 10 15:56:41.215 MET-DST: RADIUS: NAS-IP-Address [4] 6 10.129.128.40
    256990: Jul 10 15:56:41.215 MET-DST: RADIUS: Acct-Delay-Time [41] 6 0
    256991: Jul 10 15:56:41.239 MET-DST: RADIUS: Received from id 1646/238 10.129.128.38:1813, Accounting-response, len 20
    256992: Jul 10 15:56:41.239 MET-DST: RADIUS: authenticator ED 8E 8B 15 28 5F E4 37 - BF A8 F5 9E 10 43 5E A8
    So that the accounting sent from the switch does not reflect current status of the authenticated user on a given port.
    How to deal with this issue? Any ideas?
    thanks,
    robert

    Is your RADIUS proxy table populated wrong for EAP-SIM users?
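Added example, not part of the original thread: a Python check that reads `debug radius` attribute lines in the format of the excerpt above, groups them into accounting records, and flags Interim-Update (Watchdog, status 3) records that carry no User-Name. The log lines are a constructed sample; the function names and the `Start [1]` / `User-Name [1]` line layouts are assumptions modelled on the excerpt.

```python
import re

# Constructed sample in the format of the debug excerpt above; timestamps,
# session ids, addresses and the user name are made up for illustration.
SAMPLE = """\
100: Jul 10 15:50:01.100 MET-DST: RADIUS: authenticator 11 22 33 44 55 66 77 88 - 99 AA BB CC DD EE FF 00
101: Jul 10 15:50:01.100 MET-DST: RADIUS: User-Name [1] 11 "host/PC01"
102: Jul 10 15:50:01.100 MET-DST: RADIUS: Acct-Session-Id [44] 10 "0000002A"
103: Jul 10 15:50:01.100 MET-DST: RADIUS: Acct-Status-Type [40] 6 Start [1]
104: Jul 10 15:50:01.100 MET-DST: RADIUS: NAS-Port [5] 6 50011
105: Jul 10 15:56:41.211 MET-DST: RADIUS: authenticator 68 CA 1A 46 85 4F F5 95 - 87 B4 84 61 72 85 42 F3
106: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Session-Id [44] 10 "0000002B"
107: Jul 10 15:56:41.211 MET-DST: RADIUS: Vendor, Cisco [26] 34
108: Jul 10 15:56:41.211 MET-DST: RADIUS: Cisco AVpair [1] 28 "connect-progress=Auth Open"
109: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Session-Time [46] 6 0
110: Jul 10 15:56:41.211 MET-DST: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
111: Jul 10 15:56:41.211 MET-DST: RADIUS: NAS-Port [5] 6 50011
112: Jul 10 15:56:41.239 MET-DST: RADIUS: Received from id 1646/238 192.0.2.38:1813, Accounting-response, len 20
113: Jul 10 15:56:41.239 MET-DST: RADIUS: authenticator ED 8E 8B 15 28 5F E4 37 - BF A8 F5 9E 10 43 5E A8
"""

# Each packet dump in the excerpt begins with an "authenticator" line.
AUTH_RE = re.compile(r"RADIUS:\s+authenticator\b")
# Attribute lines look like: Name [type] length value
ATTR_RE = re.compile(
    r"RADIUS:\s+([A-Za-z][\w, -]*?)\s+\[(\d+)\]\s+(\d+)(?:\s+(.*\S))?\s*$"
)


def parse_records(text):
    """Group attribute lines into one dict per packet, keyed by attribute name.

    Keying by name matters: the vendor sub-attribute "Cisco AVpair" also
    prints as [1], the same number as the standard User-Name attribute.
    """
    records, current = [], None
    for line in text.splitlines():
        if AUTH_RE.search(line):
            current = {}
            records.append(current)
            continue
        match = ATTR_RE.search(line)
        if match and current is not None:
            name, value = match.group(1), match.group(4) or ""
            current.setdefault(name, value.strip('"'))
    # Keep accounting requests only; responses carry no Acct-Status-Type.
    return [rec for rec in records if "Acct-Status-Type" in rec]


def find_identity_gaps(records):
    """Flag interim records with no User-Name and note who last held the port."""
    findings, last_user = [], {}
    for rec in records:
        port = rec.get("NAS-Port", "?")
        user = rec.get("User-Name")
        if user:
            last_user[port] = user
        elif rec["Acct-Status-Type"].endswith("[3]"):
            findings.append({
                "session": rec.get("Acct-Session-Id"),
                "port": port,
                "status": rec["Acct-Status-Type"],
                "last_user_on_port": last_user.get(port),
            })
    return findings


if __name__ == "__main__":
    for finding in find_identity_gaps(parse_records(SAMPLE)):
        print("interim record without User-Name:", finding)
```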

  • RADIUS Authentication

    Hi Everyone,
    I would like to implement RADIUS authentication for my company's Cisco devices. Could anybody give me some configuration examples of how to point my switches and routers at a RADIUS server, and also to attempt authentication against RADIUS, only using a locally configured account if RADIUS fails?
    My understanding would be to use the following configuration:
    aaa new-model
    aaa authentication login default group radius local
    aaa accounting network default start-stop group radius
    radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key radius
    radius-server retransmit 3
    Thanks in advance,
    Dan

    Hello Dan,
    Your configuration seems to be OK.
    You can find more info here:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7ab.html

  • Radius Attribute Issue

    Hi,
    I'm having some issues on implementing radius accounting. Below are my configurations
    aaa group server radius ClearBox
    server 192.168.111.8 auth-port 1812 acct-port 1813
    accounting accept ClearBox
    aaa accounting exec default start-stop group ClearBox
    aaa accounting network default start-stop group ClearBox
    aaa accounting connection h323 start-stop group ClearBox
    aaa accounting resource default start-stop group ClearBox
    aaa session-id common
    gw-accounting aaa
    radius-server attribute list ClearBox
    attribute 1,4-6,25-26,28-31,40-41,44,46,49,61
    radius-server host 192.168.111.8 auth-port 1812 acct-port 1813
    radius-server key 7 12481603171B5B55
    radius-server vsa send accounting
    I am using ClearBox as my RADIUS server. It seems that the following attributes (h323-connect-time, h323-disconnect-time, h323-disconnect-cause) were not recorded on the ClearBox. See the attached file for the screenshot. Maybe you can help me with this issue.

    Try to enable the following debugs:
    debug isdn q931
    debug ppp negotiation
    debug aaa authen
    debug aaa accounting
    debug radius

  • WLC Management Admin via RADIUS

    I am trying to have a management user authenticate via radius and have full admin privileges.
    For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
    but, it is specific to the using the Cisco ACS as a radius server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via radius?  Thanks.

    My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL.  When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console.  The last time this happened I had to reset the WLC and start over.  I don't want to do that again, so I need some way to get into the WLC.
    Once I can get back into the WLC I would prefer using Active Directory to authenticate the management user, but that doesn't seem to work.  My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches and routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS.  I have set the RADIUS (MS IAS) to return two attributes:
    1. Vendor-Specific -Vendor Code 14179, Value=management
    2. Service-Type - Value=Login
    When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user.  But the login prompt for the GUI comes back as if it has failed.  Same with the CLI login.  Now I can't get logged into the WLC.  How can I get into the box to manage it again?
    Thanks

  • H323-remote-address in START radius packet

    Hi,
    I do have Cisco 3945 running as ip-to-ip sip device (IOS 15.1)
    I would like to have all SIP calls accounted in a remote billing server I already bought.
    Here is a snippet from my config:
    aaa new-model
    aaa group server radius biling
    server 77.77.77.77 auth-port 1812 acct-port 1813
    aaa accounting send stop-record authentication failure
    aaa accounting connection h323 start-stop group biling
    voice class aaa 1
    accounting template mybiling
    gw-accounting aaa
    radius-server host 77.77.77.77 auth-port 1812 acct-port 1813 key 7 093126371BA2312
    radius-server vsa send accounting
    radius-server vsa send authentication
    call accounting-template voice mybiling flash:mybiling.cdr
    dial-peer voice 1 voip
    voice-class aaa 1
    Radius START and STOP are produced by CUBE, but unfortunately START message hasn't got h323-remote-address.
    Aforementioned vsa is incorporated in STOP message.
    What is more, of course h323-remote-address is included in mybiling.cdr file
    Is there any way to force Cisco to send h323-remote-address in START message?
    This is important because billing system have to set concurrent call limitation & make active calls visible.
    Thanks in advance,
    Maciej

    Hi ,
    Try using:
    aaa accounting delay-start
    Regards,
    ~JG
    Do rate helpful posts
