Solved: Cisco 9800 RADIUS Accounting

jdemuth@dce.k12.wi.us · ‎08-05-2022

I'm replacing my Cisco 5520 with a 9800 and am having an issue with RADIUS accounting. On the 5520 I was able to create an accounting server with the IP address of my web content filter. That way, when a user connects to the wireless using their AD credentials, the 5520 would pass the accounting info to the content filter and I was able to filter users based on their AD account (see attached screenshot. 10.16.1.100 is the IP address of the content filter). On the 9800 I am able to create the RADIUS server for authentication, but I can't find a way to pass the accounting info to the content filter. There isn't an option to add just the accounting serve with an IP address different from the RADIUS server like there is on the 5520. Is this no longer an option.

Rich R · ‎08-06-2022

It is a bit different and in my opinion a bit stupidly done on 9800 but the bit missing from @ammahend 's answer is that you must configure "accounting-list <name>" under the "wireless profile policy <name>".
And then "aaa accounting identity <name> start-stop group <name>"
The group can be the same one you're using for authentication or a different one like you want.

We couldn't work it out at first and had to open a TAC case for TAC to tell us how to do it because it wasn't very well documented either (not sure if it's better now but TAC agreed that it could be improved).

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

View solution in original post

ammahend · ‎08-05-2022

Checkout this link

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/accounting.html#task_k2c_nps_xfb

or through CLI I think you can add another radius server, call it into a group and add the group as part of accounting config, something like below, I have tried it but its pretty standard for AAA.

radius server ACCT_SERVER

address ipv4 x.x.x.x auth 1812 acct 1813

key <password>

aaa server group ACCT

server name ACCT_SERVER

aaa accounting default dot1x start-stop group ACCT

hope this helps

-hope this helps-

Rich R · ‎08-06-2022

It is a bit different and in my opinion a bit stupidly done on 9800 but the bit missing from @ammahend 's answer is that you must configure "accounting-list <name>" under the "wireless profile policy <name>".
And then "aaa accounting identity <name> start-stop group <name>"
The group can be the same one you're using for authentication or a different one like you want.

We couldn't work it out at first and had to open a TAC case for TAC to tell us how to do it because it wasn't very well documented either (not sure if it's better now but TAC agreed that it could be improved).

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

jdemuth@dce.k12.wi.us · ‎08-06-2022

Thanks, I was missing the accounting-list statement under the wireless profile. Its working now.