SG300-28 RADIUS accounting firmware 1.0.0.27 and 1.1.2.0

Hi,
I am using the CISCO SG300-28 with firmware version 1.0.0.27. I enabled RADIUS authentication and accounting. Authentication is working but there are no accounting requests/replies (Accounting on, accounting off, accounting start, accounting stop) when running RADIUS in debug mode. I also did a packet capture and there are no accounting packets.
So I updated the firmware image up to version 1.1.2.0.
When I now want to configure accounting in RADIUS settings then there isn't any option to set an accounting port.
I checked the data sheet of the switch and it says that accounting is supported:
===============================================
802.1X: RADIUS authentication and accounting, MD5  hash; guest VLAN; unauthenticated VLAN, single/multiple host mode and  single/multiple sessions
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10898/data_sheet_c78-610061.html
===============================================
I did a second packet capture with the new firmware image and there are still no accounting packets.
The RADIUS server is configured correctly for accounting because when using another NAS like a WLAN-AP with DD-WRT accounting is working. It is working with pfsense Captive Portal (an open source firewall and routing solution with a hotspot portal).
Thank you for your feedback!
Alexander Wilke

Hi,
I made some more tests with the switch and the different image versions. I did the following:
Image 1.0.0.27
[1.0.0.27.cap]: packet capture (uncut to show you that I didn't cut something) between SG300-28 and freeradius 2.1.12
[Image-version-1.0.0.27.jpg]: Screenshot of the active image
[radius-1.0.0.27.jpg]: screenshot of the GUI which shows authentication and accounting
Image 1.1.2.0
[1.1.2.0.cap]: packet capture (uncut to show you that I didn't cut something) between SG300-28 and freeradius 2.1.12
[Image-version-1.1.2.0.jpg]: Screenshot of the active image
[radius-1.1.2.0.jpg]: screenshot of the GUI which shows authentication without accounting
excerpt of radiusd.conf (interfaces):
listen {
        type = auth
        ipaddr = 192.168.0.22
        port = 1812
}
listen {
        type = acct
        ipaddr = 192.168.0.22
        port = 1813
}
clients.conf:
client "CISCO" {
    ipaddr = 192.168.0.19
    proto = udp
    secret = pfsense
    require_message_authenticator = no
    max_connections = 16
    shortname = CISCO
    nastype = other
    #login = !root
    #password = someadminpas
    #virtual_server = home1
    #coa_server = coa
}
users file:
"myuser" Cleartext-Password := "mypass"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = "10"

Similar Messages

  • SG300-28 Firmware 1.1.2.0 and 1.2.7.76 - Dynamic VLAN+freeRADIUS - Client get rejected

    Hello ladies and gentlemen,
    I am using several SG300-28 Switches with firmware version 1.1.2.0.
    I have dynamic VLAN enabled. As RADIUS server I am using freeradius 2.1.12.
    Authentication is only based on the MAC address. (I configured that on the switches)
    On the switches I created three VLANs. VLAN100 for the authenticated clients, VLAN200 for Management interface and VLAN300 as Guest VLAN. After a wrong authentication the clients should be put into this Guest VLAN immediately (I configured this on the switches).
    I am using Windows XP and Windows 7 clients in my network. I did not configure any EAP settings because I just want to use the MAC address.
    In most cases the dynamic VLAN assignment and authentication is working fine. The switch log says that the client is authenticated and the same I can see on freeradius log. But in some (rare) cases the client is rejected. The CISCO log says "MAC aa:bb:cc:dd:ee:ff was rejected on port ge17" but when I look at the freeradius log then this MAC address was successfully authorized.
    The problem is that the client gets an IP address based on the Guest VLAN300 but after that the switch seems to "switch" the VLAN on the port and then the client is authenticated correctly on the right VLAN but the client does not request a new IP on the new VLAN.
    If I unplug and re-plug the LAN cable in most cases the client gets the correct VLAN and the correct IP.
    This is happening randomly on nearly all my PCs.
    I would really appreciate your help. Do I have to set some timers higher ? I don't think it is a problem between switch and RADIUS but a problem between communication of the host and the switch.
    Thank you very much for your help!
    Regards
    Alexander Wilke

    This is from my CISCO log. The computer is always online but there are repeated rejects and then, with a delay of some minutes, an accept.
    2147483395  2012-Aug-09 21:40:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483396  2012-Aug-09 21:38:23  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483397  2012-Aug-09 21:38:23  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483398  2012-Aug-09 21:16:05  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483399  2012-Aug-09 21:13:42  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483400  2012-Aug-09 21:13:42  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483401  2012-Aug-09 21:04:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483402  2012-Aug-09 21:03:50  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483403  2012-Aug-09 21:03:50  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483404  2012-Aug-09 20:52:02  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483405  2012-Aug-09 20:49:02  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483406  2012-Aug-09 20:49:02  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483407  2012-Aug-09 20:40:04  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483408  2012-Aug-09 20:39:10  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483409  2012-Aug-09 20:39:10  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483410  2012-Aug-09 20:16:06  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483411  2012-Aug-09 20:14:29  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483412  2012-Aug-09 20:14:29  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483413  2012-Aug-09 19:28:01  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483414  2012-Aug-09 19:25:08  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483415  2012-Aug-09 19:25:08  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483416  2012-Aug-09 19:15:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483417  2012-Aug-09 19:15:16  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483418  2012-Aug-09 19:15:16  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483419  2012-Aug-09 19:04:00  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483420  2012-Aug-09 19:00:27  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483421  2012-Aug-09 19:00:27  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    2147483422  2012-Aug-09 18:27:59  Informational  %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
    2147483423  2012-Aug-09 18:25:55  Warning        %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
    2147483424  2012-Aug-09 18:25:55  Warning        %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
    Any ideas ?
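
To measure how long a port sits unauthorized before the switch authorizes it again, the log above can be paired up per port. This is an added example, not part of the original post; the sample lines are the three newest reject/accept cycles copied from the log above, written one entry per line, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Three cycles copied from the switch log in the post, one entry per line.
SAMPLE_LOG = """\
2147483395 2012-Aug-09 21:40:05 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483396 2012-Aug-09 21:38:23 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483397 2012-Aug-09 21:38:23 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483398 2012-Aug-09 21:16:05 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483399 2012-Aug-09 21:13:42 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483400 2012-Aug-09 21:13:42 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
2147483401 2012-Aug-09 21:04:04 Informational %SEC-I-PORTAUTHORIZED: Port gi8 is Authorized
2147483402 2012-Aug-09 21:03:50 Warning %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:19:99:0b:8d:b3 was rejected on port gi8
2147483403 2012-Aug-09 21:03:50 Warning %SEC-W-PORTUNAUTHORIZED: Port gi8 is unAuthorized
"""

ENTRY = re.compile(
    r"^\s*(?P<index>\d+)\s+"
    r"(?P<ts>\d{4}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<severity>\w+)\s+%SEC-[A-Z]-(?P<event>\w+): (?P<text>.*?)\s*$"
)
PORT = re.compile(r"[Pp]ort (\S+)")
MAC = re.compile(r"MAC ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse(log_text):
    """Return the log entries oldest first."""
    events = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        port = PORT.search(m["text"])
        if not port:
            continue
        mac = MAC.search(m["text"])
        events.append({
            "index": int(m["index"]),
            "time": datetime.strptime(m["ts"], "%Y-%b-%d %H:%M:%S"),
            "event": m["event"],
            "port": port.group(1),
            "mac": mac.group(1).lower() if mac else None,
        })
    # The switch lists newest entries first with the lowest index, so within
    # one second the higher index is the earlier event.
    events.sort(key=lambda e: (e["time"], -e["index"]))
    return events


def unauthorized_windows(log_text):
    """List (port, rejected MAC, seconds) for every reject-to-accept window."""
    open_windows = {}
    windows = []
    for e in parse(log_text):
        if e["event"] in ("PORTUNAUTHORIZED", "SUPPLICANTUNAUTHORIZED"):
            w = open_windows.setdefault(e["port"], {"since": e["time"], "mac": None})
            w["mac"] = w["mac"] or e["mac"]
        elif e["event"] == "PORTAUTHORIZED" and e["port"] in open_windows:
            w = open_windows.pop(e["port"])
            seconds = int((e["time"] - w["since"]).total_seconds())
            windows.append((e["port"], w["mac"], seconds))
    return windows


if __name__ == "__main__":
    for port, mac, seconds in unauthorized_windows(SAMPLE_LOG):
        print(f"{port} {mac} unauthorized for {seconds}s")
```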

  • After ISE 1.2 upgrade I get "5413 RADIUS Accounting-Request dropped."

    Hello,
    I have a two admin node setup for ISE. I just upgraded one of my two ISE Admin nodes to Version 1.2. I still have one of my admin  nodes at 1.1.4. When I disable my Version 1.1.4 node and allow wireless authentications to be handled by the Version 1.2 node I get the message..."5413 RADIUS Accounting-Request dropped". None of my wireless edge devices will be allowed on the network during this time. When I re-enable my 1.1.4 node my wireless devices are then allowed on the network.
    I am currently using ISE to authenticate wireless connectivity.
    I also get the failure reason... "11038 RADIUS Accounting-Request header contains invalid Authentication field".
    Any ideas?
    Bob

    The 5413 RADIUS Accounting-Request dropped may be because the session was active on ISE1 and is now sending update messages to ISE2. Also, verify your shared secret radius key matches on both the wlc and ISE servers. I would try clearing the WLC connection for the test user when switching.  Just turning off wireless and back on doesn't do it.  Also, are you using PEAP-MSChapv2 or EAP-TLS for authenticating the clients?  What type of certificate is presented, public or private?

  • ISE 1.2 - WLC 5508 - NAS sends RADIUS accounting update messages too frequently

    I'm getting this error in ISE referring to my Cisco 5508 WLC.  I'm not sure how to turn down the frequency.  Any ideas?
    NAS sends RADIUS accounting update messages too frequently
    Verify NAS configuration. Verify known NAS issues.

    I opened up a TAC case with Cisco yesterday and this is the response I got from them:
    There is bug on the WLC side to reduce the number acct updates:
    CSCug14713- WLC sends acct-update twice in the same millisecond
    This is fixed in 8.x on the WLC.
    So, it looks as though we just have to deal with it until they release an 8.x version for the WLC. In the meantime, you can disable the alerts in ISE.
    Administration>Settings>Alarm Settings>Misconfigured Network Device Detected
    Edit that alarm and set it to disabled

  • ISE 1.2 - Error 12929 NAS sends RADIUS accounting update messages too frequently

    We are currently running Cisco ISE 1.2, and every day under the "Misconfigured Network Devices" section on the main ISE Page, I have a huge list of different devices that are all being flagged with the following error message:
    "12929 NAS sends RADIUS accounting update messages too frequently." " NAS sends RADIUS accounting update messages too frequently
    Verify NAS configuration. Verify known NAS issues."
    The list of devices seems to all be Cisco switches, albeit different models, IOS versions, etc.
    I have searched on this issue, and the closest thing to a fix I can find is that it would be fixed in a WLC update, but that was 9 months ago. I would like to know what causes this issue, and what needs to be altered in ISE, or on the switches to resolve this.
    Thank You.

     CSCuh20269    WLC sends acc updates too frequently, indicates user roams to itself  is the defect specifically on the WLC that is fixed in one of the 7.6 releases.
    Along with the config Jatin mentioned, you may want to try pulling an Accounting report from ISE periodically and analyze the traffic/isolate the endpoints/supplicants that may be causing  a lot of activity (For ex frequent IP changes ) which results in frequent accounting updates.
    Regards,
    Gurudatt
    Escalation engineer, SAMPG | CCIE#28227
    Cisco systems

  • Cisco ISE 1.2.1 - "12929 NAS sends RADIUS accounting update messages too frequently" error message

    Hello,
    Running ISE 1.2.1 Patch 1, we get following error message: "12929 NAS sends RADIUS accounting update messages too frequently" on all NAS Devices (i.e. C-4500s running SPA.03.04.00.SG.151-2.SG.bin).
    There was a previous post on this forum (RE: https://supportforums.cisco.com/discussion/11894006/ise-12-wlc-5508-nas-sends-radius-accounting-update-messages-too-frequently) that stated that the "aaa accounting update newinfo" command doesn't solve this problem even though bug CSCuh01760 "Misconfigured NAS criteria needs to be changed" is resolved in ISE 1.2.1 as per the release notes.
    Could you please advise us on what to do now? Thank you.
    Regards.  

    For the WLC side:
    1. You are probably hitting this bug CSCug14713
    2. You can also change the "Interim Update" located under the SSID > Security AAA Servers
    For the Switch side:
    1. You might be hitting this bug:CSCuh01760
    2. Make sure that you have the following command in your config "aaa accounting update newinfo"
    Thank you for rating helpful posts!

  • Radius accounting for QoS pppoe policy-map

    Hi folks
    I have a radius pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPOE.
    The AVPAIR is correctly applied to each and every pppoe session but the following link  http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html  is indicating that I should be able to push back to the RADIUS some traffic info per class-map/policy map. This would allow some Quota stuff and getting some info about traffic used per customer
    From what I have been able to configure, I'm not getting any of these stats back to the RADIUS
    the debug radius accounting :
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
    *Mar 12 05:29:00.419: RADIUS(0000000E): sending
    *Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
    *Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
    *Mar 12 05:29:00.419: RADIUS:  authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Id     [44]  18  "0/0/3/0_00000005"
    *Mar 12 05:29:00.419: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    *Mar 12 05:29:00.419: RADIUS:  Framed-IP-Address   [8]   6   10.10.10.2
    *Mar 12 05:29:00.419: RADIUS:  User-Name           [1]   9   "olivier"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  35
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-tx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-rx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Time   [46]  6   2582
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Octets   [42]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Octets  [43]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Packets  [47]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Packets [48]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  15
    *Mar 12 05:29:00.419: RADIUS:   cisco-nas-port     [2]   9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port            [5]   6   50331648
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Id         [87]  9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  41
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=aabb.cc00.6430"
    *Mar 12 05:29:00.419: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar 12 05:29:00.419: RADIUS:  NAS-IP-Address      [4]   6   192.168.38.133
    *Mar 12 05:29:00.419: RADIUS:  Ascend-Session-Svr-K[151] 10
    *Mar 12 05:29:00.419: RADIUS:   37 39 38 32 45 41 38 30          [ 7982EA80]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Delay-Time     [41]  6   0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
    *Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
    *Mar 12 05:29:00.419: RADIUS:  authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
    What I get in the freeradius log :
    Tue Mar 11 22:30:04 2014
            Acct-Session-Id = "0/0/3/0_00000005"
            Framed-Protocol = PPP
            Framed-IP-Address = 10.10.10.2
            User-Name = "olivier"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=10000000"
            Cisco-AVPair = "nas-rx-speed=10000000"
            Acct-Session-Time = 2646
            Acct-Input-Octets = 7428
            Acct-Output-Octets = 7428
            Acct-Input-Packets = 531
            Acct-Output-Packets = 531
            Acct-Authentic = RADIUS
            Acct-Status-Type = Interim-Update
            NAS-Port-Type = Virtual
            Cisco-NAS-Port = "0/0/3/0"
            NAS-Port = 50331648
            NAS-Port-Id = "0/0/3/0"
            Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.38.133
            X-Ascend-Session-Svr-Key = "7982EA80"
            Acct-Delay-Time = 0
            Acct-Unique-Session-Id = "523eac6ae326a778"
            Timestamp = 1394602204
            Request-Authenticator = Verified
    user config in the users file on the freeradius server :
    olivier Cleartext-Password := "olivier"
            Service-Type = Framed-User,
            Cisco-AVPair += "ip:addr-pool=pppoepool",
            Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
    I see that the policy map name is pulled correctly from the radius server and applied to the session :
    #sh policy-map session uid 14
     SSS session identifier 14 -
      Service-policy output: TEST
        Class-map: TEST (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          police:
              cir 8000 bps, bc 1500 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0 bps, exceed 0 bps
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    Any input very welcome

    Cisco server is working fine. When you do use non-standard or non-RFC requests from your NAS to the AAA server, for instance, you have to configure your server accordingly to instruct it how to handle this kind of request.
    This is typically done with something called a "dictionary", which should be included in your radius server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
    As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string, your dictionary will look something similar to:
    And finally you will have to modify it with a text editor or XML editor and change type="tagged-string", supposing your device complies with RFC 2868. Probably the AAA server will have to be restarted to take these changes into account.
    Also, since this applies to all devices for this vendor, you have one more option, which is to define your own dictionary for a specific vendor, or even, if you wish, for a specific NAS or group of NASes.
    In NavisRadius you could associate a dictionary to a device adding a client-class:
    # Client-IP Client-Secret Client-Class
    10.0.0.1 secret taos-old
    And then specifying the dictionary later in client_properties for this device:
    # This file contains information about client classes
    # and is used to set per-client specific information.
    # TAOS Devices in OLD mode with RFC conflicts
    taos-old
    Client-Dictionary=max_dictionary
    # Other devices now, etc.
    Hope it helps

  • No RADIUS accounting with SF 302?

    Hello all,
    I have configured my SF 302-08P switch to perform 802.1X & MAC authentication. This works fine in both cases but I cannot get the switch to send accounting requests to my RADIUS server. Even when the server sends back an Acct-Interim-Interval attribute in the Access-Accept message, the switch doesn't generate accounting requests. Is it a known restriction or am I missing something?
    I'm a little bit surprised since the datasheet claims that both RADIUS authentication and accounting are supported for 802.1X. The switch version is 1.0.0.27.
    Regards,
    Simon

    Hi Simon,
    Yep according to the RFC2866 it states"
    When a client is configured to use RADIUS Accounting, at the start of
       service delivery it will generate an Accounting Start packet
       describing the type of service being delivered and the user it is
       being delivered to, and will send that to the RADIUS Accounting
       server, which will send back an acknowledgement that the packet has
       been received.  At the end of service delivery the client will
       generate an Accounting Stop packet describing the type of service
       that was delivered and optionally statistics such as elapsed time,
       input and output octets, or input and output packets.  It will send
       that to the RADIUS Accounting server, which will send back an
       acknowledgement that the packet has been received."
    The delay in my response was trying to simulate the scenario, but I don't have all the pieces here.
    Have a Chat to the boys/gals at SBSC to get some clarification.
    http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    regards Dave

  • WLC 5508 Radius accounting issue

    I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server.  It works fine for the most part, but I'm having problem closing accounting sessions in RADIUS.  I've found this is related to the client table in the WLC.  The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds). 
    For example:
    1.  I connect my tablet to the test WLAN.  It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session.  If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out.  The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table.  I can force the session to close much earlier by manually removing the client from the WLC.
    2.  Same as #1, but this time instead of turning off the wifi in the tablet, I choose to connect to a different WLAN in the WLC.  The user session in the accounting DB never closes.  If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting.  Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
    Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC?  How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?
    Thanks,
    Wil

    Well like you said, the WLC will keep the client in the DB until the idle timer expires. This is normal and I don't think you will be able to change this unless you set the idle timer to a lower value.

  • AAA Radius accounting command is not taking in 3750 switch

    Hi Cisco Support community,
    I am facing an issue with radius accounting in Cisco 3750 switch with version 12.2. I am unable to start accounting for radius server.
    This is the config that is on the switch for Radius.
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization exec my-authradius group radius if-authenticated.
    radius-server attribute 6 on-for-login-auth
    radius-server dead-criteria time 20 tries 5
    radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
    radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
    When I try to add the following commands for accounting, they are not saved.
    (aaa accounting commands 0 default start-stop group radius
    aaa accounting commands 1 default start-stop group radius
    aaa accounting commands 15 default start-stop group radius)
    If I paste these commands one by one, after start-stop group it is showing only two options, either tacacs+ or server; there is no radius option either.
    I tried to create a server group and add the radius server in the group. Even then, when I am trying to implement the aaa accounting command with the server command, it is not showing in show run.
    Can anyone please help me with this issue?

    Hi,
    thanks for your reply but the thing is that I want to see the commands that are being run by a user on this particular device. If I use the network command it will only show me the network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
    I have read the document from this link and it is stating that we can use command accounting. Below is the link
    http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html. 
    Can anyone please tell me if this is a version issue, because even in version 15.4 I was not seeing the radius option at the end
    aaa accounting commands 15 default start-stop group (radius)- in radius place it was showing only Tacacs+ or group.

  • How to identify used AP in RADIUS Accounting

    We are using 5508 WLC with 3602 APs.
    Looks like in RADIUS Authentication Called-Station-Id is the MAC address of the AP,
    but in RADIUS Accounting Called-Station-Id is the MAC address of the WLC.
    How can we change that behaviour so that Called-Station-Id will always be the MAC address of the AP?
    Or is there some other way to identify the actual AP to which the user is connected?
    Regards
    Timo

    Hmm, I did some trial and error and solved the problem.
    On the WLC, go to Security > AAA > RADIUS > Authentication and set the Call Station ID Type to "AP MAC Address:SSID". Even tho that seems to be for RADIUS Authentication, it changes the Called-Station-Id also for RADIUS Accounting.
    Thx anyway
    Timo

  • TACACS auth and RADIUS accounting with ACS

    I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

    Thank you for the response. I did verify the syslog explanation you gave below and the AAA server is online as TACACS messages are getting to it. My configuration for the ASA for RADIUS is as follows:
    Server Group - RADIUS
    Protocol - RADIUS
    Accounting Mode - Simultaneous
    Reactivation Mode - Timed
    Max Failed attempts - 3
    Two servers in the Server Group
    ACS - Not working
    Microsoft IAS - Working
    I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.
    ACS is configured as follows
    Network Configuration
    AAA Clients - ASA authenticate using TACACS+
    AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)

  • ACSv5.1, lack of clarity on radius accounting logs

    Hi,
    We are using an ACS 5.1 for remote VPN customers for radius authentication and accounting purposes.
    When I check the radius accounting logs, there are certain entries that do not make sense to me.
    For instance, there are certain Accounting session ids (refer 'Acct_Session_Id') with only a STOP record. But I do not see a START record corresponding to the session id. I am able to see many such entries.
    Can anybody throw some light on this information??
    Note - The customer environment consists of remote users who try to access the central NAS using IPSec. Requests that come to the NAS get directed to the ACS for AAA purposes.
    Also provided are some sample ACS logs [refer highlighted section]
    Regards,
    Abishek
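
Both this thread (STOP records with no START) and the WLC thread above (sessions that never receive a Stop) come down to reconciling accounting records per Acct-Session-Id. The following is an added example, not part of either post: the records, NAS names and user names are constructed, and the 600-second staleness threshold is an assumption chosen as twice the 300-second idle timeout mentioned in the WLC post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AcctRecord:
    timestamp: int      # seconds, as logged by the RADIUS server
    nas: str            # NAS identifier; session ids are only unique per NAS
    session_id: str     # Acct-Session-Id
    status: str         # Acct-Status-Type: "Start", "Interim-Update" or "Stop"
    user: str           # User-Name


def reconcile(records, now, stale_after=600):
    """Sort sessions into closed, stop_without_start, stale_open and open."""
    sessions = {}
    for rec in sorted(records, key=lambda r: r.timestamp):
        key = (rec.nas, rec.session_id)
        state = sessions.setdefault(
            key, {"user": rec.user, "start": None, "stop": None, "last_seen": rec.timestamp}
        )
        state["last_seen"] = rec.timestamp
        if rec.status == "Start":
            if state["start"] is None:
                state["start"] = rec.timestamp
        elif rec.status == "Stop":
            state["stop"] = rec.timestamp

    report = {"closed": [], "stop_without_start": [], "stale_open": [], "open": []}
    for key, state in sorted(sessions.items()):
        if state["stop"] is not None:
            # A Stop whose Start never reached the server (lost, or sent to
            # another accounting server) still closes the session.
            bucket = "closed" if state["start"] is not None else "stop_without_start"
        elif now - state["last_seen"] > stale_after:
            # No Stop and nothing heard for longer than the threshold: the
            # kind of "dead" session that stays open in the accounting table.
            bucket = "stale_open"
        else:
            bucket = "open"
        report[bucket].append(key + (state["user"],))
    return report


# Constructed sample records.
RECORDS = [
    AcctRecord(1000, "wlc-1", "a1", "Start", "tablet-user"),
    AcctRecord(1330, "wlc-1", "a1", "Stop", "tablet-user"),
    AcctRecord(1400, "wlc-1", "a2", "Start", "tablet-user"),
    AcctRecord(2000, "vpn-nas-1", "v9", "Stop", "vpn-user"),
    AcctRecord(4800, "wlc-1", "a3", "Start", "laptop-user"),
    AcctRecord(4900, "wlc-1", "a3", "Interim-Update", "laptop-user"),
]
NOW = 5000
REPORT = reconcile(RECORDS, NOW)

if __name__ == "__main__":
    for bucket, entries in REPORT.items():
        print(bucket, entries)
```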

    Hi welshydragon,
    The Openreach Superfast Fibre Broadband rollout is still in its early stages and the plans are always being added to.
    So your exchange may be added to the rollout plans later in the future. 
    The build of the fibre broadband infrastructure isn't always easy and can be very complex, so needs a lot of planning to start with and can take some time. Go to http://superfast-openreach.co.uk/the-big-build/ for information on the build.
    You can register your interest for Fibre Broadband such as BT Infinity by going to http://www.superfast-openreach.co.uk/expression-gen.aspx
    Unfortunately BT Retail (a communication provider/ISP who operates this forum) does not have much say as to when and if you will be able to get FTTC or FTTP/H based broadband such as BT Infinity.
    I also take it from your username that you live in Wales. If this is correct then see below.
    If you live in Wales, then the Welsh Government has recently started to plan the development of Superfast Fibre broadband in Wales.
    You may want to have a look at The Welsh Government Next Generation Broadband Wales Scheme-(Click Here To View) and Here
    Also the http://superfast-cymru.com website has only just become online and will give information about the Openreach Superfast Fibre broadband rollout in Wales.
    **The Fibre-Optic Broadband Rollout is being managed and done by Openreach for all communication providers/ISPs.
    BT Retail (a communication provider/ISP) has nothing to do with the rollout of fibre broadband.**
    Hope that helps,
    Cheers
    jac_95 | BT.com Help Site | BT Service Status

  • WLC with Multiple RADIUS Accounting Servers

    If a WLC has multiple accounting servers defined for a WLAN, will accounting packets be sent to all accounting servers ?
    The operation of authentication servers is that the WLC will only send authentication requests to a single RADIUS server. If that RADIUS server becomes unavailable, then the WLC will start to send authentication requests to the next available RADIUS server in the list configured for the WLAN.
    Is it the same mode of operation for accounting servers? Or, does the WLC send accounting records to all accounting servers that are defined against a WLAN?
    Thanks
    Nigel.

    So the WLC would use the priority list for the Radius servers for accounting.
    I have a setup that I need to send accounting to two different servers for different reasons. Can this be done on the WLC?
    If not, does anyone know a good forking server for radius accounting?

  • 2504 WebAuth and IPv6 RADIUS Accounting (IPv6-Framed-Address)

    Hi Board,
    I'm playing around with RADIUS Accounting in combination with local web authentication on the wireless LAN controller.
    So far so good - everything works well, but I'm missing the "IPv6-Framed-Address" in the RADIUS accounting messages.
    The only thing I can see is the v4 framed IP address and the "Framed-IPv6-Prefix". According to the configuration guide
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101001.html#ID807
    the "IPv6-Framed-Address" should be sent by the WLC. I took a capture on a span port of the WLC to verify this. Anybody else experiencing this behavior or is it a simple misconfiguration on my side? In the client details I can see the global IPv6 addresses and the link-local.
    I tested it on a WLC 2504 with 8.0.100.0 code.
    Cheers
    Johannes
