Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1030
Views
0
Helpful
4
Replies

No RADIUS accounting with SF 302?

simonpasquier
Level 1
Level 1

‎04-18-2011 09:30 AM

Hello all,

I have configured my SF 302-08P switch to perform 802.1X & MAC authentication. This works fine in both cases but I cannot get the switch to send accounting requests to my RADIUS server. Even when the server sends back an Acct-Interim-Interval attribute in the Access-Accept message, the switch doesn't generate accounting requests. Is it a known restriction or am I missing something?

I'm a little bit surprised since the datasheet claims that both RADIUS authentication and accounting are supported for 802.1X. The switch version is 1.0.0.27.

Regards,

Simon

Labels:
0 Helpful
4 Replies 4

David Hornstein
Level 7
Level 7

‎04-18-2011 12:06 PM

Hi Simon,

The datasheet does say;

IEEE 802.1X
(Authenticator role)

802.1X: RADIUS authentication and accounting, MD5 hash; guest VLAN; unauthenticated VLAN, single/multiple host mode and single/multiple sessions

Supports time-based 802.1X

Dynamic VLAN assignment

The switch isn't the supplicant, so the 300 series should provide radius authentication and Accounting. 

Dare I ask would it be possible to see a wireshark capture of the supplicant requesting authentication and possibly a  reuest for radius accounting after the supplicant has disconnected ?  Hope fully the capture wont be too big    somethimng sounds a bit fishy.

Or if you wish, just open a case with the Small Business Support Center.

http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

regards Dave

0 Helpful

simonpasquier
Level 1
Level 1
In response to David Hornstein

‎04-19-2011 12:59 AM

Hi Dave,

I've attached 2 PCAP files: one is captured from the supplicant and the other one from the RADIUS server.

I'm not sure about what you mean with "a  request for radius accounting after the supplicant has disconnected". From my understanding, the switch should send an initial Acct-Start request immediatly after the RADIUS server has authenticated the supplicant. At least this is what I get with other switches...

Thanks for the help.

85094-supplicant.dot1x.pcap.zip
0 Helpful

David Hornstein
Level 7
Level 7
In response to simonpasquier

‎04-20-2011 05:53 AM

Hi Simon,

Yep according to the RFC2866 it states" 

When a client is configured to use RADIUS Accounting, at the start of
   service delivery it will generate an Accounting Start packet
   describing the type of service being delivered and the user it is
   being delivered to, and will send that to the RADIUS Accounting
   server, which will send back an acknowledgement that the packet has
   been received.  At the end of service delivery the client will
   generate an Accounting Stop packet describing the type of service
   that was delivered and optionally statistics such as elapsed time,
   input and output octets, or input and output packets.  It will send
   that to the RADIUS Accounting server, which will send back an
   acknowledgement that the packet has been received."

The delay in my response was trying to simulate the scenario, but I don't have all the pieces here.

Have a Chat to the boys/gals at SBSC to get some clarification.


http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html

regards Dave

0 Helpful

simonpasquier
Level 1
Level 1
In response to David Hornstein

‎04-20-2011 07:36 AM

Thanks for your help Dave. I'll try with the support line.

Simon

0 Helpful
Customers Also Viewed These Support Documents