Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1411
Views
5
Helpful
6
Replies

Catalyst 9800 External WebAuth AAA missing Radius Accounting

Guilherme17849
Level 1
Level 1

‎06-08-2020 04:42 PM - edited ‎07-05-2021 12:09 PM

I'm facing an issue with external Radius Accounting packages. Running WLC 9800 Catalyst v17.2.1

 

The webauth prompts to the user (at my external server), got authenticated but after that, I don't receive any Radius Accounting package at my Freeradius. 

I've set up Radius server, Radius Server group and AAA under Method List tab, on AAA menu.

Is there any option which should be activated to get it working?

1 person had this problem
Labels:
0 Helpful
6 Replies 6

Rafael E
Cisco Employee
Cisco Employee

‎06-08-2020 05:25 PM

you need to map the accounting method on the policy profile. 

also, make sure you have: 

 

aaa accounting identity <name> start-stop group <RADIUS-group>

Saludos,
Rafael - TAC

Guilherme17849
Level 1
Level 1
In response to Rafael E

‎07-08-2020 07:16 PM

I've done with no success. Still not getting start-stop packages at my Freeradius.

Do you have any other hint? 

I'm concerning there's a misconfiguration or a bug at this version of 9800 Catalyst. According to previous versions that I had contact with, at WLAN Layer 3 settings there was an option to select the Accounting method. This option its not appearing to me, as we can see in the following screenshot.

 

 image (7).png

0 Helpful

unsuspecting user
Level 1
Level 1
In response to Guilherme17849

‎09-11-2020 12:50 AM

Hello everyone,
I am also looking for the entry where I enter the Accounting Server in the SSID.
It is created under AAA Accounting.

1.PNG

 

In my opinion you should be able to select it from the Policy List under

Advanced - AAA Policy - Accounting List, but this is empty.

2.PNG

 

With the WISM it was quite simple in the AAA settings of the SSID with the drop down menu

3 wism.PNG

Maybe I'm on the 9800 but also in a wrong menu.

Hence the question where is the assignment of SSID to the Accounting Server created?

 

Cisco IOS Software [Gibraltar], C9800 Software (C9800_IOSXE-K9), Version 16.12.3

 

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to unsuspecting user

‎09-11-2020 01:10 AM

Don’t try to compare between the two as many things have changed. Take a look at the guide for 802.1x

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.html
-Scott
*** Please rate helpful posts ***
0 Helpful

unsuspecting user
Level 1
Level 1
In response to Scott Fella

‎09-14-2020 05:54 AM

Hi, Scott,
i think i have found my problem, it seems to be a bug in the webUI
When I enter the created accounting list via CLI it seems to work with this guide.

see picture

accounting.PNG


Step 1
Device(config)# wireless profile policy default-policy-profile
Configures WLAN policy profile and enters wireless policy configuration mode.
Step 2
Device(config-wireless-policy)# shutdown
Disables the policy profile.
Step 3
Device(config-wireless-policy)# accounting-list user1-list
Sets the accounting list.
Step 4
Device(config-wireless-policy)# no shutdown
Enables the policy profile.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Amsterdam 17.3.x
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_config_model.html?bookSearch=true

Now I just have to find out the right accounting type for logging to the freeradius-accounting server for the guests in the wlan
i have put on "networks" for testing, but i am not sure if it is the right one.

 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

AAA Accounting Types

Named accounting method lists are specific to the indicated type of accounting.

  • network --To create a method list to enable authorization for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARAP protocols), use the network keyword. For example, to create a method list that provides accounting information for ARAP (network) sessions, use the arap keyword.
  • exec --To create a method list that provides accounting records about user EXEC terminal sessions on the network access server, including username, date, start and stop times, use the exec keyword.
  • commands --To create a method list that provides accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commandskeyword.
  • connection --To create a method list that provides accounting information about all outbound connections made from the network access server, use the connection keyword.
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to unsuspecting user

‎09-14-2020 06:28 AM

There are a lot of documentation and blogs on aaa references that also show what others might configure or not. Typically I have seen accounting for Tacacs or vpn not much for wireless. You can have multiple in the method list also.
-Scott
*** Please rate helpful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card