CUI Information in RADIUS Accounting

CUI information in RADIUS accounting request

Chargeable User Identity (CUI) is a unique identifier for a client visiting a network that

  • is distinct from the outer identity or device used for login,

  • serves as an obscured version of a username, and

  • can be used as an alternative for a client’s username during authentication.

Feature History

Feature Name: Chargeable User Identity in RADIUS Accounting

Release: Cisco IOS XE 17.9.1

Description: Chargeable User Identity (CUI) is a unique identifier for a client visiting a network. This attribute can be used as an alternative for the client’s username as part of the authentication process. The access-session wireless cui-enable command is introduced.

Processing of CUI in RADIUS accounting requests

To handle RADIUS attribute 89 processing, attach a null value of CUI to an access request sent to a AAA server.

Use the access-session wireless cui-enable command. A CUI-capable AAA server sends the CUI string to the controller as part of an access-accept message.

The controller then sends this received CUI attribute in accounting packets and other access-request packets, if any.
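
The exchange described above, as an added example that is not part of the original page or Cisco's code: a minimal RADIUS attribute parser that checks, on constructed packets, that the access request carries a null CUI and that the accounting request echoes the CUI issued in the access-accept. The single-NUL-octet encoding of the null CUI (as in RFC 4372), the zeroed authenticators, and all sample values and function names are assumptions.

```python
import struct

CUI = 89  # Chargeable-User-Identity attribute type (RADIUS attribute 89)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4  # RADIUS packet codes

def build(code, ident, attrs):
    """Encode a RADIUS packet; the 16-byte authenticator is zeroed, not computed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse(packet):
    """Return (code, [(type, value), ...]); raise ValueError on malformed lengths."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def cui_of(packet):
    """Value of the first CUI attribute in the packet, or None if absent."""
    return next((v for t, v in parse(packet)[1] if t == CUI), None)

def check_flow(access_request, access_accept, accounting_request):
    """List deviations from the request / accept / accounting CUI flow."""
    problems = []
    if cui_of(access_request) != b"\x00":  # assumed nul CUI: one NUL octet
        problems.append("access-request lacks a nul CUI")
    issued = cui_of(access_accept)
    if issued in (None, b"\x00"):
        problems.append("access-accept carries no CUI")
    elif cui_of(accounting_request) != issued:
        problems.append("accounting-request CUI differs from the issued CUI")
    return problems

# Constructed sample exchange (identities and CUI value are made up).
ISSUED = b"constructed-cui-0001"
REQ = build(ACCESS_REQUEST, 1, [(1, b"anonymous@example.org"), (CUI, b"\x00")])
ACC = build(ACCESS_ACCEPT, 1, [(CUI, ISSUED)])
ACCT = build(ACCOUNTING_REQUEST, 2, [(40, b"\x00\x00\x00\x01"), (CUI, ISSUED)])
print(check_flow(REQ, ACC, ACCT) or "CUI flow consistent")
```

An empty result from check_flow means accounting records can be correlated to the authenticated session by CUI; any listed deviation points to the message where the attribute was dropped or altered.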

Prerequisites and restrictions

Ensure that AAA override is enabled.

Restrictions

Adhere to these restrictions when configuring AAA override:

  • Only the 802.1X network authentication protocol is supported.

  • Inter-Release Controller Mobility (IRCM) is not supported.

  • FlexConnect local authentication is not supported. Only local mode and FlexConnect central authentication mode are supported.

Add CUI information in a RADIUS accounting request

Enhance RADIUS accounting requests by including CUI information for better tracking and management.
This configuration is useful in environments where detailed user session information is required for auditing and reporting purposes.

Before you begin

Ensure that the RADIUS server is properly configured to handle CUI attributes.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Add the CUI attribute to authentication and accounting messages sent to the AAA server.

Example:

Device(config)# access-session wireless cui-enable

The CUI information is now included in RADIUS accounting requests, allowing for enhanced tracking and management of user sessions.

Verify CUI information in a RADIUS accounting request

To view the CUI attribute in an accounting request on a AAA server, use this command:

Device# show wireless client mac-address aaa.bbb.ccc.ddd detail
.
.
.
Session Manager:
  Point of Attachment : capwap_90000005
  IIF ID             : 0x90000005
  Authorized         : TRUE
  Session timeout    : 1800
  Common Session ID: 8A45400A0000000CE0527C5F
  Acct Session ID  : 0x00000003
  Last Tried Aaa Server Details:
        Server IP : 10.64.69.141
  Auth Method Status List
        Method : Dot1x
                SM State         : AUTHENTICATED
                SM Bend State    : IDLE
  Local Policies:
        Service Template : wlan_svc_default-policy-profile_local (priority 254)
                VLAN             : 59
                Absolute-Timer   : 1800
  Server Policies:
                CUI              : 13e158006855c2ff718cc84487653f5a6ea55def
  Resultant Policies:
                CUI              : 13e158006855c2ff718cc84487653f5a6ea55def
                VLAN Name        : VLAN0059
                VLAN             : 59
                Absolute-Timer   : 1800