The IEEE 802.1X RADIUS Accounting feature is used to relay important events to the RADIUS server (such as the supplicant's connection session). The information in these events is used for security and billing purposes.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The following tasks must be completed before implementing the IEEE 802.1X RADIUS Accounting feature:
The RADIUS Accounting feature is available only on Cisco 89x and 88x series integrated switching routers (ISRs) that support switch ports.
The following ISR-G2 routers are supported:
The following cards or modules support switch ports:
Note | Not all Cisco ISR routers support all the components listed. For information about module compatibility with a specific router platform, see Cisco EtherSwitch Modules Comparison. |
To determine whether your router has switch ports that can be configured with the IEEE 802.1X port-based authentication feature, use the show interfaces switchport command.
IEEE 802.1X RADIUS accounting relays important events to the RADIUS server (such as the supplicant’s connection session). This session is defined as the interval beginning when the supplicant is authorized to use the port and ending when the supplicant stops using the port.
After the supplicant is authenticated, the switch sends accounting-request packets to the RADIUS server, which responds with accounting-response packets to acknowledge the receipt of the request.
A RADIUS accounting-request packet contains one or more Attribute-Value (AV) pairs to report various events and related information to the RADIUS server. The following events are tracked:
When the port state transitions between authorized and unauthorized, the RADIUS messages are transmitted to the RADIUS server.
The switch does not log any accounting information. Instead, it sends such information to the RADIUS server, which must be configured to log accounting messages.
The following is the IEEE 802.1X RADIUS accounting process:
The switch port does not log IEEE 802.1X accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.
Note | See the "Enabling 802.1X Accounting" section for more specific configuration information. |
Enabling AAA system accounting along with IEEE 802.1X accounting allows system reload events to be sent to the accounting RADIUS server for logging. When the accounting RADIUS server receives notice of a system reload event, the server can infer that all active IEEE 802.1X sessions are appropriately closed.
Because RADIUS uses the unreliable transport protocol UDP, accounting messages may be lost due to poor network conditions. If the switch does not receive the accounting response message from the RADIUS server after a configurable number of retransmissions of an accounting request, the following system message appears:
Accounting message %s for session %s failed to receive Accounting Response.
When the stop message is not transmitted successfully, a message like the following appears:
00:09:55: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 172.20.50.145 sam 11/06/03 07:01:16 11000002 failed to receive Accounting Response.
Note | Use the debug radius command or debug radius accounting command to enable the %RADIUS-3-NOACCOUNTINGRESPONSE message. |
Use the show radius statistics command to display the number of RADIUS messages that do not receive the accounting response message.
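Each of these messages marks an accounting record that the switch could not confirm was received, so the server's session log may have a gap there. The following added example (not Cisco code) scans collected syslog lines for the message and reports, per session, which record went unacknowledged. The log lines are constructed, the session string is treated as opaque, and the record name `Stop` is assumed by analogy with the `Start` shown on this page.

```python
import re
from collections import defaultdict

# Built from the format string on this page:
# "Accounting message %s for session %s failed to receive Accounting Response."
PATTERN = re.compile(
    r"%RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message (?P<kind>\S+) "
    r"for session (?P<session>.+?) failed to receive Accounting Response"
)

# Constructed sample lines (hypothetical users and addresses), laid out like the page's example.
SAMPLE_LOG = [
    "00:09:55: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session "
    "192.0.2.10 alice 11/06/03 07:01:16 11000002 failed to receive Accounting Response.",
    "00:41:02: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Stop for session "
    "192.0.2.11 bob 11/06/03 07:20:41 11000003 failed to receive Accounting Response.",
    "00:41:30: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "00:52:10: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Stop for session "
    "192.0.2.10 alice 11/06/03 07:01:16 11000002 failed to receive Accounting Response.",
]


def lost_records(lines):
    """Map each session string (kept opaque) to the record kinds that got no response."""
    lost = defaultdict(list)
    for line in lines:
        match = PATTERN.search(line)
        if match:
            lost[match["session"]].append(match["kind"])
    return dict(lost)


def triage(lost):
    """Say which part of each session the RADIUS server's accounting log may lack."""
    report = {}
    for session, kinds in lost.items():
        kinds = {k.lower() for k in kinds}
        gaps = [name for name in ("start", "stop") if name in kinds]
        report[session] = "missing-" + "-and-".join(gaps) if gaps else "missing-other"
    return report
```

A session reported as `missing-stop` can appear open-ended in the server log even though the supplicant has left the port.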
The information sent to the RADIUS server is represented in the form of AV pairs. These AV pairs provide data for different applications. (For example, a billing application might require information that is in the Acct-Input-Octets or the Acct-Output-Octets attributes of a RADIUS packet.)
AV pairs are automatically sent by a router that is configured for IEEE 802.1X accounting. Three types of RADIUS accounting packets are sent by a router:
The following table lists the AV pairs and when they are sent by the router.
Note | The Framed-IP-Address AV pair (Attribute 8) is sent only if a valid Dynamic Host Configuration Protocol (DHCP) binding exists for the host in the DHCP snooping bindings table. |
Note | With CSCtz66183, the Service-Type AV pair (Attribute 6) is not displayed in the Accounting-Request records. |
Attribute Number | AV Pair Name | START | INTERIM | STOP |
---|---|---|---|---|
Attribute [1] | User-Name | Always | Always | Always |
Attribute [4] | NAS-IP-Address | Always | Always | Always |
Attribute [5] | NAS-Port | Always | Always | Always |
Attribute [6] | Service-Type | Always | Always | Always |
Attribute [8] | Framed-IP-Address | Never | Sometimes | Sometimes 1 |
Attribute [25] | Class | Always | Always | Always |
Attribute [30] | Called-Station-ID | Always | Always | Always |
Attribute [31] | Calling-Station-ID | Always | Always | Always |
Attribute [40] | Acct-Status-Type | Always | Always | Always |
Attribute [41] | Acct-Delay-Time | Always | Always | Always |
Attribute [42] | Acct-Input-Octets | Never | Always | Always |
Attribute [43] | Acct-Output-Octets | Never | Always | Always |
Attribute [44] | Acct-Session-ID | Always | Always | Always |
Attribute [45] | Acct-Authentic | Always | Always | Always |
Attribute [46] | Acct-Session-Time | Never | Never | Always |
Attribute [47] | Acct-Input-Packets | Never | Always | Always |
Attribute [48] | Acct-Output-Packets | Never | Always | Always |
Attribute [49] | Acct-Terminate-Cause | Never | Never | Always |
Attribute [61] | NAS-Port-Type | Always | Always | Always |
You can configure the device to send Cisco vendor-specific attributes (VSAs) to the RADIUS server. The following table lists the available Cisco AV pairs.
Note | Before VSAs can be sent in the accounting records you must configure the radius-server vsa send accounting command. |
Attribute Number | AV Pair Name | START | INTERIM | STOP |
---|---|---|---|---|
Attribute [26,9,1] | Cisco-Avpair: connect-progress | Always | Always | Always |
Attribute [26,9,2] | cisco-nas-port | Always | Always | Always |
Attribute [26,9,1] | Cisco-Avpair: disc-cause | Never | Never | Always |
You can display the AV pairs that are being sent by the router by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference. For more information about AV pairs, see Cisco IOS RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.
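On the server side, an accounting record is only as trustworthy as its authenticator and only as useful as its attribute set. The following added example (not Cisco code) verifies the Accounting-Request authenticator defined in RFC 2866 against the shared secret, decodes the AV pairs, and compares them with the START, INTERIM and STOP columns of the standard AV pair table above. The function names, the sample packet builder and its dummy values are constructed for illustration, and Cisco VSAs are decoded but not checked.

```python
import hashlib
import hmac
import struct

# Attribute numbers taken from the standard AV pair table on this page.
ALWAYS = {1, 4, 5, 25, 30, 31, 40, 41, 44, 45, 61}  # 6 left out: see the CSCtz66183 note
COUNTERS = {42, 43, 47, 48}   # Never in START, Always in INTERIM and STOP
STOP_ONLY = {46, 49}          # Always in STOP, Never otherwise
STATUS = {1: "START", 2: "STOP", 3: "INTERIM"}  # Acct-Status-Type values, RFC 2866

def authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def check_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Verify the Request Authenticator, decode AV pairs, compare them with the table."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, seen, pos = packet[20:], {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        seen[attrs[pos]] = attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
    status = STATUS.get(int.from_bytes(seen.get(40, b""), "big"), "OTHER")
    required, forbidden = set(), set()   # the table covers only the three types above
    if status != "OTHER":
        required = ALWAYS | (COUNTERS if status != "START" else set())
        required |= STOP_ONLY if status == "STOP" else set()
        forbidden = (COUNTERS | STOP_ONLY) - required
        forbidden |= {8} if status == "START" else set()  # Framed-IP-Address: Never in START
    return {
        "authentic": hmac.compare_digest(authenticator(packet[:4], attrs, secret), packet[4:20]),
        "status": status,
        "missing": sorted(required - set(seen)),
        "unexpected": sorted(forbidden & set(seen)),
    }

def build_sample(status: int, types: set, secret: bytes) -> bytes:
    """Constructed test packet: every value is a 4-byte dummy except Acct-Status-Type."""
    attrs = b"".join(bytes([t, 6]) + (status if t == 40 else 0).to_bytes(4, "big")
                     for t in sorted(types))
    header = struct.pack("!BBH", 4, 1, 20 + len(attrs))
    return header + authenticator(header, attrs, secret) + attrs
```

A record that fails the authenticator check was built with a different shared secret or altered in transit, and its attributes should not be trusted for security or billing decisions.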
1. enable
2. configure terminal
3. aaa new-model
4. radius-server host {hostname | ip-address} auth-port port-number acct-port port-number
5. aaa accounting dot1x default start-stop group radius
6. aaa accounting system default start-stop group radius
7. end
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server. The first command configures the RADIUS server, specifying port 1812 as the authorization port, 1813 as the UDP port for accounting, and rad123 as the encryption key:
Note | You must configure the RADIUS server to perform accounting tasks. |
```
Router# configure terminal
Router(config)# aaa new-model
Router(config)# radius-server host 172.20.39.46 auth-port 1812 acct-port 1813 key rad123
Router(config)# aaa accounting dot1x default start-stop group radius
Router(config)# aaa accounting system default start-stop group radius
Router(config)# end
Router#
```
Related Topic | Document Title |
---|---|
Cisco IOS commands | |
Security commands | |

Standard/RFC | Title |
---|---|
IEEE 802.1X | Port Based Network Access Control |
RFC 3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information |
---|---|---|
IEEE 802.1X RADIUS Accounting | Cisco IOS 12.4(11)T, Cisco IOS 15.3(1)S | This feature is used to relay important events to the RADIUS server (such as the supplicant's connection session). The information in these events is used for security and billing purposes. |