03-07-2022 07:07 AM
I have a Catalyst 2960X switch that has Radius server configuration and aaa accounting dot1x default start-stop.
On the switch there are multiple interfaces configured for dot1x, but some have no dot1x configured.
Is it normal behavior that the switch will send update packets to the radius server for an interface not having any dot1x configured on it?
aaa new-model
aaa group server radius TestLab
aaa accounting dot1x default start-stop group TestLab
aaa accounting update periodic 5
aaa session-id common
radius-server attribute 44 extend-with-addr
radius-server attribute 11 default direction in
radius-server dead-criteria time 5 tries 2
radius-server retransmit 2
radius-server deadtime 5
radius-server unique-ident 11
radius-server vsa send accounting
radius-server vsa send authentication
Interface configuration:
interface GigabitEthernet1/0/2
description *** Test port for Radius Accounting ***
switchport access vlan 42
switchport mode access
switchport voice vlan 250
ip arp inspection trust
mls qos trust dscp
spanning-tree portfast
spanning-tree bpduguard enable
ip dhcp snooping trust
end
Debug radius accounting output:
Mar 4 15:03:18.720: RADIUS(000000AA): Send Accounting-Request to 172.17.38.69:1646 id 1646/101, len 259
Mar 4 15:03:18.720: RADIUS: authenticator BC B6 14 0D DE B8 E1 87 - 49 57 9F 68 35 62 AC A8
Mar 4 15:03:18.720: RADIUS: Acct-Session-Id [44] 26 "AC1205640B000000000000A0"
Mar 4 15:03:18.720: RADIUS: Vendor, Cisco [26] 49
Mar 4 15:03:18.720: RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1205640000009E00223102"
Mar 4 15:03:18.720: RADIUS: Calling-Station-Id [31] 19 "00-1A-E2-2B-12-55"
Mar 4 15:03:18.720: RADIUS: Vendor, Cisco [26] 32
Mar 4 15:03:18.720: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
Mar 4 15:03:18.720: RADIUS: Acct-Session-Time [46] 6 317
Mar 4 15:03:18.720: RADIUS: Acct-Input-Octets [42] 6 17508
Mar 4 15:03:18.720: RADIUS: Acct-Output-Octets [43] 6 438120
Mar 4 15:03:18.720: RADIUS: Acct-Input-Packets [47] 6 181
Mar 4 15:03:18.720: RADIUS: Acct-Output-Packets [48] 6 1354
Mar 4 15:03:18.720: RADIUS: Acct-Authentic [45] 6 Local [2]
Mar 4 15:03:18.720: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
Mar 4 15:03:18.720: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mar 4 15:03:18.720: RADIUS: NAS-Port [5] 6 50102
Mar 4 15:03:18.720: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/2"
Mar 4 15:03:18.720: RADIUS: Called-Station-Id [30] 19 "64-D8-14-C0-76-02"
Mar 4 15:03:18.720: RADIUS: Service-Type [6] 6 Framed [2]
Mar 4 15:03:18.720: RADIUS: NAS-IP-Address [4] 6 172.18.5.100
Mar 4 15:03:18.725: RADIUS: Acct-Delay-Time [41] 6 0
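Added example, not part of the original thread: one way to cross-check `debug radius accounting` output against the running config and list Accounting-Requests sent for ports that carry no port-authentication commands. The second debug record, the config excerpt, and the choice of `authentication port-control`, `dot1x pae` and `mab` as markers of an authenticated port are assumptions made for this example.

```python
import re

# Abridged from the debug output in the post, plus one constructed record
# (GigabitEthernet1/0/5) standing in for a port that does run dot1x.
DEBUG = '''\
Mar 4 15:03:18.720: RADIUS(000000AA): Send Accounting-Request to 172.17.38.69:1646 id 1646/101, len 259
Mar 4 15:03:18.720: RADIUS: Acct-Authentic [45] 6 Local [2]
Mar 4 15:03:18.720: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
Mar 4 15:03:18.720: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/2"
Mar 4 15:04:02.100: RADIUS(000000AB): Send Accounting-Request to 172.17.38.69:1646 id 1646/102, len 250
Mar 4 15:04:02.100: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
Mar 4 15:04:02.100: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/5"
'''
# Constructed running-config excerpt with normal IOS indentation (assumption).
CONFIG = '''\
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/5
 switchport mode access
 authentication port-control auto
'''
ATTR = re.compile(r'RADIUS:\s+([A-Za-z-]+)\s+\[\d+\]\s+\d+\s+(.+?)\s*$')
AUTH_CMDS = ('authentication port-control', 'dot1x pae', 'mab')  # assumed markers

def parse_accounting(debug):
    """Group attribute lines into one dict per Accounting-Request."""
    packets = []
    for line in debug.splitlines():
        if 'Send Accounting-Request' in line:
            packets.append({})
        elif packets and (m := ATTR.search(line)):
            packets[-1][m.group(1)] = m.group(2).strip('"')
    return packets

def dot1x_ports(config):
    """Return the interfaces that carry any port-authentication command."""
    ports, current = set(), None
    for line in config.splitlines():
        if not line.startswith(' '):  # a top-level line opens a new section
            current = line.split(None, 1)[1] if line.startswith('interface ') else None
        elif current and line.strip().startswith(AUTH_CMDS):
            ports.add(current)
    return ports

def unexpected_accounting(debug, config):
    """Accounting records whose NAS-Port-Id has no port authentication."""
    enabled = dot1x_ports(config)
    return [p for p in parse_accounting(debug) if p.get('NAS-Port-Id') not in enabled]

print(unexpected_accounting(DEBUG, CONFIG))
```

The record for GigabitEthernet1/0/2 is the one returned, with `Acct-Status-Type` of `Watchdog [3]` and `Acct-Authentic` of `Local [2]`, matching the packet shown in the post.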
03-07-2022 07:22 AM
Run show auth session g1/0/2.
Is the account-id the same as the one that appears in the debug?
03-07-2022 07:44 AM
No auth done through Radius.
03-07-2022 07:49 AM
As a side note, the packets seem to be generated every 5 minutes (following the aaa accounting update periodic 5).
03-07-2022 09:26 AM
aaa accounting dot1x default start-stop group TestLab <- change the default to a list name
Try it this way, since the default sends account logs for all interfaces. And for periodic 5, there are three:
start
stop
interim <- the periodic time is needed here