RADIUS Accounting

RADIUS accounting of AP events

RADIUS accounting of AP events is a network monitoring mechanism that

  • Tracks the status transitions of APs within a wireless controller environment

  • Records AP join and disjoin events

  • Provides historical visibility into AP downtime and uptime through accounting messages sent to a RADIUS server.

Feature History

This table provides release and related information for the feature explained in this module.

This feature is also available in all the releases subsequent to the one in which it is introduced, unless noted otherwise.

Table 1. Feature history table

| Feature Name | Release | Description |
| --- | --- | --- |
| Device Ecosystem Data | Cisco IOS XE 17.10.1 | This feature sends device analytics data that is present in the RADIUS accounting request to Cisco ISE to profile endpoints. The command is introduced: dot11-tlv-accounting |
| Chargeable User Identity in RADIUS Accounting | Cisco IOS XE 17.9.1 | Chargeable User Identity (CUI) is a unique identifier for a client visiting a network. This attribute can be used as an alternative for the client’s username as part of the authentication process. The command is introduced: dot11-tlv-accounting |
| Improved Logging in RADIUS Accounting | Cisco IOS XE 17.1.1 | Prior to Cisco IOS XE Amsterdam 17.1.1 release, the controller did not send accounting messages for AP join and disjoin events during network issues. From Cisco IOS XE Amsterdam 17.1.1 Release and later, the RADIUS server keeps a record of all APs that were down and have come up. |

Configure accounting method-list for an AP profile

Define an accounting method list within an access point (AP) profile to enable or disable accounting for AP operations.

Use this task to specify how accounting is managed for an AP profile on your device. This allows tracking of AP events and assists with auditing and troubleshooting.

Before you begin

  • Identify the AP profile name you want to configure. The default AP profile name is default-ap-profile.

  • Determine the accounting method list name you wish to apply.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the AP profile. The default AP join profile name is default-ap-profile.

Example:

Device(config)# ap profile ap-profile-name

Step 3

Configure the accounting method list for the AP profile.

Example:

Device(config-ap-profile)# [no] accounting method-list method-list-name

Use the no form of this command to disable the accounting method list.


The system associates the specified accounting method list with the AP profile, enabling or disabling accounting.

Verify the AP accounting information

Verify the AP accounting information including MAC address, packets sent, packets received, and the method list.

Device# show wireless stats ap accounting
Base MAC           Total packet Send    Total packet Received    Methodlist
----------------------------------------------------------------------------------------
00b0.e192.0f20     4                    3                        abc
38ed.18cc.5788     8                    8                        ML_M
70ea.1ae0.af08     0                    0                        ML_A
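
A quick health check for the output above, as an added example that is not Cisco's code: it parses the show wireless stats ap accounting rows and flags APs that sent no accounting packets or received fewer packets than they sent. Reading a sent/received gap as unanswered accounting requests is an assumption, as are the function names.

```python
import re

# Sample rows copied from the "show wireless stats ap accounting" output on this page.
SAMPLE = """\
Device# show wireless stats ap accounting
Base MAC           Total packet Send    Total packet Received    Methodlist
----------------------------------------------------------------------------------------
00b0.e192.0f20     4                    3                        abc
38ed.18cc.5788     8                    8                        ML_M
70ea.1ae0.af08     0                    0                        ML_A
"""

# A data row: dotted-hex base MAC, two counters, then the method list name.
ROW = re.compile(
    r"^\s*((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\d+)\s+(\d+)\s+(\S+)\s*$", re.I
)

def parse_ap_accounting(text):
    """Return one dict per AP row; prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, sent, received, method_list = m.groups()
            rows.append({"mac": mac.lower(), "sent": int(sent),
                         "received": int(received), "method_list": method_list})
    return rows

def audit(rows):
    """Flag APs whose accounting trail may have gaps (assumed interpretation)."""
    findings = []
    for r in rows:
        if r["sent"] == 0:
            # A method list is attached but nothing has been sent for this AP.
            findings.append((r["mac"], "no-accounting-sent"))
        elif r["received"] < r["sent"]:
            # Fewer packets came back than went out.
            findings.append((r["mac"], "unanswered:%d" % (r["sent"] - r["received"])))
    return findings

if __name__ == "__main__":
    for mac, issue in audit(parse_ap_accounting(SAMPLE)):
        print(mac, issue)
```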

View the details of a method list that is configured for an AP profile.

Device# show ap profile name Method-list detailed
AP Profile Name               : test-profile
Description                   : 
.
.
.
Method-list name              : Method-list
Packet Sequence Jump DELBA    : ENABLED
Lag status                    : DISABLED
.
Client RSSI Statistics
  Reporting                   : ENABLED
  Reporting Interval          : 30 seconds

AAA Accounting

Configure AAA accounting using default method list (CLI)

Set up command accounting on the controller using the default AAA method list.

Use this task to monitor and record user command activity on devices through AAA accounting features.

Before you begin

  • Confirm that AAA is enabled on the device.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Create an accounting method list and enable accounting.

Example:

Device(config)# aaa accounting commands 15 default start-stop group group-name

  • privilege_level: AAA accounting level. The valid range is from zero to 15.

  • group-name: AAA accounting group. Only TACACS+ groups are supported.

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end

The controller records user command activities according to the configured accounting method.

Configure HTTP command accounting using named method list (CLI)

Set up HTTP command accounting on your device using a named AAA method list.

Use this task to monitor and record user command activity on devices through AAA accounting features.


Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure HTTP command accounting using the named method list.

Example:

Device(config)# ip http accounting commands 1 oneacct

  • level: Privilege value from 0 to 15. By default, the command privilege levels available on the controller are:

    • 0 : Includes the disable, enable, exit, help, and logout commands.

    • 1 : Includes all the user-level commands at the controller prompt (>).

    • 15 : Includes all the enable-level commands at the controller prompt (>).

  • named-accounting-method-list : Name of the predefined command accounting method list.

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end

The device records user command activities in accordance with the configured accounting method.

Feature History for Device Ecosystem Data

This table provides release and related information for the feature explained in this module.

This feature is also available in all the releases subsequent to the one in which it is introduced, unless noted otherwise.

Table 2. Feature History for Device Ecosystem Data

| Release | Feature | Feature Information |
| --- | --- | --- |
| Cisco IOS XE Dublin 17.10.1 | Device Ecosystem Data | This feature sends device analytics data in the RADIUS accounting request to Cisco ISE to profile the endpoints. |

Information About Device Ecosystem Data

Edge analytics is the process of collecting, processing, and analyzing data from devices in a network. The controller learns about endpoint attributes, such as model number, operating system version, and other information from a set of endpoints using device analytics. The device analytics data is further shared with Cisco Identity Services Engine (ISE) to profile the endpoints. This information sharing is in addition to the DHCP and HTTP attributes already being shared with Cisco ISE using RADIUS accounting messages.

Enable Device Ecosystem Data


Note: Before proceeding with the configuration, ensure that the device classifier and accounting features are enabled.


Procedure

| Step | Command or Action | Purpose |
| --- | --- | --- |
| Step 1 | configure terminal. Example: Device# configure terminal | Enters global configuration mode. |
| Step 2 | wireless profile policy policy-profile-name. Example: Device(config)# wireless profile policy default-policy-profile | Configures a wireless policy profile. |
| Step 3 | shutdown. Example: Device(config-wireless-policy)# shutdown | Disables the wireless policy profile. |
| Step 4 | radius-profiling. Example: Device(config-wireless-policy)# radius-profiling | Configures client RADIUS profiling. |
| Step 5 | dot11-tlv-accounting. Example: Device(config-wireless-policy)# dot11-tlv-accounting | Configures the controller to send device analytics data that is found in the RADIUS accounting request to Cisco ISE in order to profile the endpoints. The no form of this command disables the feature. |
| Step 6 | no shutdown. Example: Device(config-wireless-policy)# no shutdown | Enables the wireless policy profile. |
| Step 7 | end. Example: Device(config-wireless-policy)# end | Returns to privileged EXEC mode. |

Verify Device Ecosystem Data

Use the following command to verify device ecosystem data in RADIUS accounting configuration:

Device# show wireless profile policy detailed <name>

.
.
.
WLAN Local Profiling
  Subscriber Policy Name            : Not Configured
  RADIUS Profiling                  : ENABLED
  HTTP TLV caching                  : DISABLED
  DHCP TLV caching                  : DISABLED
  DOT11 TLV accounting              : ENABLED
.
.
.