Configuring RADIUS System Accounting

With RADIUS accounting enabled, Juniper Networks routers or switches, acting as RADIUS clients, can notify the RADIUS server about user activities such as software logins, configuration changes, and interactive commands. The framework for RADIUS accounting is described in RFC 2866.

Tasks for configuring RADIUS system accounting are:

  1. Configuring Auditing of User Events on a RADIUS Server
  2. Specifying RADIUS Server Accounting and Auditing Events
  3. Configuring RADIUS Server Accounting

Configuring Auditing of User Events on a RADIUS Server

To audit user events, include the following statements at the [edit system accounting] hierarchy level:

[edit system accounting]
destination {
    radius {
        server {
            server-address {
                accounting-port port-number;
                max-outstanding-requests value;
                port port-number;
                retry value;
                secret password;
                source-address address;
                timeout seconds;
            }
        }
    }
}

Specifying RADIUS Server Accounting and Auditing Events

To specify the events you want to audit when using a RADIUS server for system accounting, include the events statement at the [edit system accounting] hierarchy level:

[edit system accounting]
events [ events ];

events is one or more of the following (the same three values appear in the example at the end of this topic):

  change-log: audit configuration changes.
  interactive-commands: audit interactive commands (any command-line input).
  login: audit logins.
Configuring RADIUS Server Accounting

To configure RADIUS server accounting, include the server statement at the [edit system accounting destination radius] hierarchy level:

server {
    server-address {
        accounting-port port-number;
        max-outstanding-requests value;
        port port-number;
        retry value;
        secret password;
        source-address address;
        timeout seconds;
    }
}

server-address specifies the address of the RADIUS server. To configure multiple RADIUS servers, include one server-address block for each server within the server statement.

Note: If no RADIUS servers are configured at the [edit system accounting destination radius] hierarchy level, the Junos OS uses the RADIUS servers configured at the [edit system radius-server] hierarchy level.

accounting-port port-number specifies the RADIUS server accounting port number. The default port number is 1813.

Note: If you enable RADIUS accounting at the [edit access profile profile-name accounting-order] hierarchy level, accounting is triggered on the default port of 1813 even if you do not specify a value for the accounting-port statement.

You must specify a secret (password) that the local router or switch shares with the RADIUS server by including the secret statement. The value must match the secret the RADIUS server has configured for this client; it is the only key that authenticates accounting requests and responses (RFC 2866 computes the packet authenticators as an MD5 hash over the packet and the secret), so use a long, random value and do not share one secret across many devices. If the password contains spaces, enclose the entire password in quotation marks (" "). Junos OS stores the value in obfuscated ($9$) form in the configuration, as the example at the end of this topic shows.

In the source-address statement, specify the source address the router or switch uses when it sends requests to the RADIUS server. Each RADIUS request sent to that server uses the specified source address. The address must be a valid IPv4 or IPv6 address configured on one of the router or switch interfaces; a loopback address is the usual choice because it stays reachable regardless of which physical interface is up. The RADIUS server identifies the client by this source address, so it must be the address registered on the server together with the shared secret.

Optionally, you can specify the number of times that the router or switch attempts to contact a RADIUS accounting server by including the retry statement. By default, the router or switch retries three times. You can configure the router or switch to retry from 1 through 10 times.

Optionally, you can specify the length of time that the local router or switch waits to receive a response from a RADIUS server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure the timeout to be from 1 through 90 seconds. A long timeout combined with a high retry count delays failover to the next configured server while a server is unreachable, so keep both values small unless the path to the server is known to be slow.

If you use the enhanced-accounting statement at the [edit system radius-options] hierarchy level, the RADIUS attributes such as access method, remote port, and access privileges can be audited. You can limit the number of attribute values to be displayed for auditing by using the enhanced-avs-max <number> statement at the [edit system accounting] hierarchy level.

[edit system radius-options]
enhanced-accounting;

[edit system accounting]
enhanced-avs-max <number>;

When a Juniper Networks router or switch is configured with RADIUS accounting, it sends Accounting-Request messages of type Accounting-Start and Accounting-Stop to the RADIUS server, which acknowledges each one with an Accounting-Response. These messages contain information about user activities such as software logins, configuration changes, and interactive commands. This information is typically used for monitoring a network, collecting usage statistics, and ensuring that users are billed properly. Note that RFC 2866 only integrity-protects these packets with the shared secret; the attributes themselves (usernames, commands entered) travel in the clear over UDP, so send accounting traffic over a trusted management network and, if the server ignores a request because of a secret mismatch, you will see only retries and timeouts on the router, not an error.
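The following Python example is added here and is not part of the original Juniper documentation; it shows, at the packet level, what the secret statement above actually protects and what the Accounting-Start/Accounting-Stop exchange looks like. It builds RFC 2866 Accounting-Request packets the way a RADIUS client (such as a Junos device) would, checks them on the server side with the configured secret, and answers with an Accounting-Response. The secret, username, session ID and the attribute set are constructed for the example; a real Junos device sends more attributes (including the vendor-specific ones that enhanced-accounting adds), which are not reproduced here.

```python
"""RFC 2866 RADIUS accounting exchange: client-side request building and the
server-side shared-secret check. Constructed example, not Junos code."""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
# RFC 2865/2866 attribute type numbers used below
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 4, 40, 44, 46
ACCT_START, ACCT_STOP = 1, 2


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length covers the header."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret: bytes, identifier: int, attributes: bytes) -> bytes:
    """Accounting-Request (Code 4). Per RFC 2866 section 3 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + authenticator + attributes


def parse_attributes(payload: bytes) -> dict:
    """Split the attribute area into {type: value}; reject malformed lengths."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[pos], payload[pos + 1]
        if attr_len < 2 or pos + attr_len > len(payload):
            raise ValueError("bad attribute length")
        attrs[attr_type] = payload[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def verify_accounting_request(secret: bytes, packet: bytes):
    """Server side: recompute the Request Authenticator with the configured secret.
    RFC 2866 says a request that fails this check is silently discarded; we return None."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return None
    header, received_auth, attributes = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    if not hmac.compare_digest(received_auth, expected):
        return None
    return parse_attributes(attributes)


def build_accounting_response(secret: bytes, request: bytes) -> bytes:
    """Accounting-Response (Code 5) with no attributes. Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_accounting_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client side: accept a response only if it was built with the same secret and
    bound to this request's authenticator and identifier."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    header, attributes = response[:4], response[20:]
    expected = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def demo() -> dict:
    """One login: Start and Stop with the right secret, then a wrong secret and a tampered packet."""
    secret = b"constructed-shared-secret"          # constructed; stands in for the secret statement
    nas_ip = bytes([10, 1, 1, 1])                  # same address as the source-address in the page's example
    base = avp(USER_NAME, b"admin") + avp(NAS_IP_ADDRESS, nas_ip) + avp(ACCT_SESSION_ID, b"0001")
    start = build_accounting_request(secret, 1, base + avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)))
    stop = build_accounting_request(secret, 2, base + avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))
                                    + avp(ACCT_SESSION_TIME, struct.pack("!I", 90)))
    results = {}
    for name, pkt in (("start", start), ("stop", stop)):
        attrs = verify_accounting_request(secret, pkt)                 # server accepts
        resp = build_accounting_response(secret, pkt)                  # server acknowledges
        results[name] = (struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0],
                         verify_accounting_response(secret, pkt, resp))
    # Server configured with a different secret: the request is dropped, nothing is answered.
    results["wrong_secret"] = verify_accounting_request(b"other-secret", start)
    # Any change to an attribute in transit (first byte of User-Name here) fails the same check.
    tampered = bytearray(start)
    tampered[22] ^= 0x01
    results["tampered"] = verify_accounting_request(secret, bytes(tampered))
    return results


if __name__ == "__main__":
    print(demo())
```

The two failure cases are the ones worth remembering when accounting "does not work": a secret mismatch or an altered packet produces no error on the wire, only silence from the server, which on the router shows up as the retry and timeout behaviour described above.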

The following example shows three servers (10.5.5.5, 10.6.6.6, and 10.7.7.7) configured for RADIUS accounting:

system {
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            radius {
                server {
                    10.5.5.5 {
                        accounting-port 3333;
                        secret $9$dkafeqwrew;
                        source-address 10.1.1.1;
                        retry 3;
                        timeout 3;
                    }
                    10.6.6.6 {
                        secret $9$fe3erqwrez;
                    }
                    10.7.7.7 {
                        secret $9$f34929ftby;
                    }
                }
            }
        }
    }
}