Support for Accounting Session ID

Accounting session ID

An accounting session ID is a wireless client session identifier that

  • is unique for each client session

  • identifies the accounting data for a wireless client in the AAA server, and

  • is generated by the AAA module during session establishment.

Feature history

This table provides release and related information about the feature explained in this section.

This feature is also available in all the releases subsequent to the one in which they are introduced in, unless noted otherwise.

Table 1. Feature history for Accounting session ID

Feature Name

Release Information

Feature Description

Accounting session ID

Cisco IOS XE 17.4.1

With this feature, accounting session ID is supported in the AAA access request, while authenticating wireless client using IEEE 802.1x method. From this release, the accounting session ID is sent as part of the access request too.

Accounting session ID

Cisco IOS XE 17.3.x

In the Cisco IOS XE release 17.3.x and earlier releases, the accounting session ID was sent only as part of the accounting request.

Configure an accounting session ID (CLI)

Set up an accounting session ID on your device to track accounting sessions and include session identification attributes in RADIUS packets using commands.

Procedure

Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Send the RADIUS authentication attribute 44, in the access request packet.

Example:

Device(config)# radius-server attribute wireless 44 include-in-access-req

Step 3

Configure the accounting session identity of the AAA server.

Example:

Device(config)# aaa accounting identity accounting-list-name start-stop group AAA_GROUP_1

Step 4

Configure the WLAN policy profile.

Example:

Device(config)# wireless profile policy default-policy-profile accounting-list-name start-stop group AAA_GROUP_1

Step 5

Configure the accounting list.

Example:

Device(config-wireless-policy)# accounting-list accounting-list-name

Note

 

The accounting session ID is included in the account request only when the radius-server attribute wireless 44 include-in-access-req command is enabled and the accounting configuration is set under the wireless policy.

Step 6

Add a description for the policy profile.

Example:

Device(config-wireless-policy)# description accounting-description

Step 7

Configure the VLAN name or ID.

Example:

Device(config-wireless-policy)# vlan 40

Step 8

Save the configuration, exit configuration mode and return to privileged EXEC mode.

Example:

Device(config-wireless-policy)# no shutdown

Verify an account session ID

To verify if an account session ID is populated, use this command:

Device# show wireless pmk-cache
 
Number of PMK caches in total : 1
Type      Station             Entry Lifetime  VLAN Override         IP Override         Accounting-Session-Id   Audit-Session-Id              Username
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
RSN       6c19.c0e6.a444      1768            NA                                        0x00000006              052DA8C1000000104E634C77      cwa-user

To display the current Accounting Session ID, use this command:

Device# show wireless client mac-address <H.H.H> detail
 
Central NAT : DISABLED
Session Manager:
  Point of Attachment :CAPWAP_90000005
  IIF ID             : 0x90000005
  Authorized         : TRUE
  Session timeout    : 1800
  Common Session ID: 000000000000000B14E9130A
  Acct Session ID  : 0x0000000c
  Last Tried Aaa Server Details:
        Server IP : 192.0.2.1
  Auth Method Status List
        Method : Dot1x
                SM State         : AUTHENTICATED
                SM Bend State    : IDLE
  Local Policies:
        Service Template : wlan_svc_default-policy-profile (priority 254)
                VLAN             : 1
  Server Policies:
                Absolute-Timer   : 1800
  Resultant Policies:
                VLAN Name        : default
                VLAN             : 1
                Absolute-Timer   : 1800