Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
329
Views
4
Helpful
5
Replies

Send radius accounting to a server that isn't ISE

ryan14
Level 1
Level 1

‎05-29-2024 01:17 PM

What is the drawback or what will break if I authenticate my machines to ISE via radius, but send the accounting information to another server that isn't an ISE node? A server of ours requires raw accounting data to function, and ISE can only send the data in syslog format. The NAD can only send to one radius acct server at a time (not multiple).

0 Helpful
5 Replies 5

MHM Cisco World
VIP
VIP

‎05-29-2024 01:28 PM - edited ‎05-29-2024 02:02 PM

I think you can assign specific server and send all accounts to it.

Yes the NAD can support multi AAA server' servers for authc/authz and server for accout.

MHM

0 Helpful

Arne Bier
VIP
VIP
In response to MHM Cisco World

‎05-29-2024 02:00 PM

@MHM Cisco World - are you sure that IOS supports sending RADIUS Accounting to more than one RADIUS server?  When I look at the command on the IOS device, e.g.

aaa accounting identity default start-stop group danc-client-radius-group

it specifies the AAA group (which can contain one or more servers)- but in the traffic flow, I only see the IOS sending RADIUS Accounting to ONE of the servers. It's always the current server that is Alive/Active according to the SMD.

Is there an IOS command to tell the device to send to multiple servers?   I know that with IBNS 2.0 you can split the Authentication traffic to use one Group of servers, and the accounting to use another Group of servers.

I recall this question from my service provider days (Cisco Prime Access Registrar) and it support it either (back in the day). The solution was to send accounting traffic to an app that would duplicate the UDP traffic to various destinations.  A load balancer can do that. Even nginx could do this (as an open source suggestion). 

 

MHM Cisco World
VIP
VIP
In response to Arne Bier

‎05-29-2024 02:04 PM

Interesting' I will check and update you.

MHM

0 Helpful

andrewswanson
Level 7
Level 7

‎05-30-2024 02:19 AM

Does your NAD support AAA Broadcast Accounting? According to Cisco documentation:

AAA broadcast accounting allows accounting information to be sent to multiple AAA servers at the same time; that is, accounting information can be broadcast to one or more AAA servers simultaneously

I've not tried this myself, but maybe something like this would work (with ISE defined in one group and the other server in the second group)

aaa accounting identity default start-stop broadcast group grp1 group grp2

hth
Andy

Arne Bier
VIP
VIP

‎05-30-2024 01:25 PM

Excellent - that looks like it would do the trick. Thanks for sharing that.

0 Helpful
Customers Also Viewed These Support Documents