IEEE 802.1X RADIUS accounting relays important events, such as the supplicant’s connection session, to the RADIUS server. The session is defined as the interval beginning when the supplicant is authorized to use the port and ending when the supplicant stops using the port.
After the supplicant is authenticated, the switch sends accounting-request packets to the RADIUS server, which responds with accounting-response packets to acknowledge the receipt of the request.
A RADIUS accounting-request packet contains one or more Attribute-Value (AV) pairs to report various events and related information to the RADIUS server. The following events are tracked:
User successfully authenticates.
User logs off.
Link-down occurs on an IEEE 802.1X port.
Reauthentication succeeds.
Reauthentication fails.
When the port state transitions between authorized and unauthorized, RADIUS accounting messages are sent to the RADIUS server.
The switch does not log any accounting information. Instead, it sends such information to the RADIUS server, which must be configured to log accounting messages.
The following is the IEEE 802.1X RADIUS accounting process:
A user connects to a port on the router.
Authentication is performed.
VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration.
The router sends a start message to an accounting server.
Reauthentication is performed, as necessary.
The port sends an interim accounting update to the accounting server that is based on the result of reauthentication.
The user disconnects from the port.
The router sends a stop message to the accounting server.
The switch port does not log IEEE 802.1X accounting information. Instead, it sends this information to the RADIUS server, which must be configured to log accounting messages.
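The Start, Interim-Update and Stop messages in the process above are RFC 2866 Accounting-Request packets, each acknowledged by an Accounting-Response. The following is an added example, not code from this guide or from Cisco: it encodes the three requests for one session, builds the server's acknowledgement, and performs the authenticator checks each side must do before it treats a message as delivered. The shared secret, NAS port and session timers are constructed values; the user name, NAS address and session id are taken from the log message shown later on this page.

```python
"""RFC 2866 accounting exchange for one 802.1X session (added example)."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4       # RADIUS packet codes (RFC 2866)
ACCOUNTING_RESPONSE = 5

USER_NAME = 1                # attribute types (RFC 2865 / RFC 2866)
NAS_IP_ADDRESS = 4
NAS_PORT = 5
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46
ACCT_TERMINATE_CAUSE = 49

ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3   # Acct-Status-Type values
USER_REQUEST = 1                                        # Acct-Terminate-Cause: user logged off


def attribute(attr_type, value):
    """Encode one Type-Length-Value attribute; integers are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(identifier, secret, attrs):
    """NAS side. Request Authenticator = MD5(header || 16 zero bytes || attrs || secret)."""
    body = b"".join(attribute(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Server side. A mismatch means a corrupted or forged request, or a wrong secret."""
    if len(packet) < 20:
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    code, _, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def build_accounting_response(request, secret):
    """Server side. The acknowledgement carries no attributes; its authenticator
    is MD5(header || Request Authenticator || secret), binding it to the request."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(response, request, secret):
    """NAS side. Only a matching identifier and a valid Response Authenticator
    count as receipt; anything else is treated as a lost accounting message."""
    if len(response) < 20:
        return False
    header, authenticator, body = response[:4], response[4:20], response[20:]
    code, identifier, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_RESPONSE or length != len(response) or identifier != request[1]:
        return False
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def parse_attributes(packet):
    """Return {type: raw value} for the attributes carried after the 20-byte header."""
    attrs, body, i = {}, packet[20:], 0
    while i + 2 <= len(body):
        attr_type, attr_len = body[i], body[i + 1]
        if attr_len < 2 or i + attr_len > len(body):
            raise ValueError("malformed attribute")
        attrs[attr_type] = body[i + 2:i + attr_len]
        i += attr_len
    return attrs


def status_type(packet):
    """Decode Acct-Status-Type from an Accounting-Request."""
    return struct.unpack("!I", parse_attributes(packet)[ACCT_STATUS_TYPE])[0]


def accounting_session(secret):
    """Replay Start / Interim-Update / Stop for one session; return (request, response, acknowledged)."""
    common = [(USER_NAME, "sam"), (NAS_IP_ADDRESS, bytes([172, 20, 50, 145])),
              (NAS_PORT, 50001), (ACCT_SESSION_ID, "11000002")]   # port is constructed
    steps = [
        (1, common + [(ACCT_STATUS_TYPE, ACCT_START)]),
        (2, common + [(ACCT_STATUS_TYPE, ACCT_INTERIM_UPDATE), (ACCT_SESSION_TIME, 600)]),
        (3, common + [(ACCT_STATUS_TYPE, ACCT_STOP), (ACCT_SESSION_TIME, 1200),
                      (ACCT_TERMINATE_CAUSE, USER_REQUEST)]),
    ]
    exchange = []
    for identifier, attrs in steps:
        request = build_accounting_request(identifier, secret, attrs)
        if not verify_accounting_request(request, secret):
            raise RuntimeError("server rejected request")   # would not be acknowledged
        response = build_accounting_response(request, secret)
        exchange.append((request, response, verify_accounting_response(response, request, secret)))
    return exchange


if __name__ == "__main__":
    for req, resp, ok in accounting_session(b"constructed-secret"):
        print(f"id={req[1]} Acct-Status-Type={status_type(req)} acknowledged={ok}")
```

The NAS keeps retransmitting a request until a response passes verify_accounting_response; the verification is what separates a delivered message from a lost one, and it is the step the page's retransmission counter and the %RADIUS-3-NOACCOUNTINGRESPONSE message are built around.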
To configure IEEE 802.1X accounting, you need to perform the following tasks:
Note: See the “Enabling 802.1X Accounting” section for more specific configuration information.
Enabling AAA system accounting along with IEEE 802.1X accounting allows system reload events to be sent to the accounting RADIUS server for logging. When the accounting RADIUS server receives notice of a system reload event, the server can infer that all active IEEE 802.1X sessions are appropriately closed.
Because RADIUS uses the unreliable transport protocol UDP, accounting messages may be lost due to poor network conditions. If the switch does not receive the accounting response message from the RADIUS server after a configurable number of retransmissions of an accounting request, the following system message appears:
Accounting message %s for session %s failed to receive Accounting Response.
When the stop message is not transmitted successfully, a message like the following appears:
00:09:55: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session 172.20.50.145 sam 11/06/03 07:01:16 11000002 failed to receive Accounting Response.
Note: Use the debug radius command or the debug radius accounting command to enable the %RADIUS-3-NOACCOUNTINGRESPONSE message.
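Because a lost Start leaves a session unrecorded at the accounting server and a lost Stop leaves it looking open, the %RADIUS-3-NOACCOUNTINGRESPONSE messages are worth collecting and reconciling rather than only counting. The following is an added example, not part of this guide: it parses lines in the format shown above and reports, per session id, which accounting messages were never acknowledged. The first log line is the one from the page; the remaining lines, the second user and session id, and the unrelated syslog line are constructed for illustration.

```python
"""Triage of %RADIUS-3-NOACCOUNTINGRESPONSE syslog lines (added example)."""
import re
from collections import defaultdict

# Format shown on the page:
#   <uptime>: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message <type> for session
#   <nas-ip> <user> <date> <time> <session-id> failed to receive Accounting Response.
LINE_RE = re.compile(
    r"^(?P<uptime>\S+): %RADIUS-3-NOACCOUNTINGRESPONSE: "
    r"Accounting message (?P<msg>\S+) for session "
    r"(?P<nas>\S+) (?P<user>\S+) (?P<date>\S+) (?P<time>\S+) (?P<sid>\S+) "
    r"failed to receive Accounting Response\.$"
)

# What a lost message of each type means for the server's view of the session.
IMPACT = {
    "Start": "session never recorded at the accounting server",
    "Stop": "accounting server still considers the session active",
}

# Constructed sample log; the first line is the page's example message.
SAMPLE_LOG = [
    "00:09:55: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Start for session "
    "172.20.50.145 sam 11/06/03 07:01:16 11000002 failed to receive Accounting Response.",
    "00:31:02: %RADIUS-3-NOACCOUNTINGRESPONSE: Accounting message Stop for session "
    "172.20.50.146 alice 11/06/03 07:15:40 11000003 failed to receive Accounting Response.",
    "00:31:03: %SYS-5-CONFIG_I: Configured from console by console",   # unrelated line
]


def parse_line(line):
    """Return the message fields as a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Group lost accounting messages by session id.

    Returns ({session_id: {user, nas, lost: [msg types], findings: [text]}}, unparsed_lines).
    """
    sessions = defaultdict(lambda: {"user": None, "nas": None, "lost": [], "findings": []})
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        s = sessions[rec["sid"]]
        s["user"], s["nas"] = rec["user"], rec["nas"]
        s["lost"].append(rec["msg"])
        s["findings"].append(
            IMPACT.get(rec["msg"], f"{rec['msg']} message lost; session record may be stale"))
    return dict(sessions), unparsed


def stale_sessions(sessions):
    """Session ids whose Stop was lost: these need closing on the server side
    (or will be inferred closed only by a later AAA system accounting reload event)."""
    return sorted(sid for sid, s in sessions.items() if "Stop" in s["lost"])


if __name__ == "__main__":
    found, skipped = triage(SAMPLE_LOG)
    for sid, s in found.items():
        print(f"{sid} {s['user']}@{s['nas']}: lost {s['lost']} -> {s['findings']}")
    print("stale:", stale_sessions(found), "unparsed lines:", len(skipped))
```

Run it against the output of the logging buffer or a syslog collector; the session id is the key to match against the accounting server's own session table when deciding which records to close by hand.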
Use the show radius statistics command to display the number of RADIUS messages that do not receive the accounting response message.