
802.1X and RADIUS Accounting

EX Series Switches support RADIUS accounting. You can configure RADIUS accounting on an EX Series switch to collect statistical data about users logging in to or out of a LAN and send that data to a RADIUS accounting server. The data gathered is used for network monitoring purpose.

Understanding 802.1X and RADIUS Accounting on Switches

Juniper Networks EX Series Ethernet Switches support IETF RFC 2866, RADIUS Accounting. By configuring RADIUS accounting on an EX Series switch, you can collect statistical data about users logging in to or out of a LAN and send that data to a RADIUS accounting server. The statistical data gathered can be used to perform general network monitoring, to analyze and track usage patterns, or to bill a user based on the amount of time or type of services accessed.

RADIUS Accounting Process

RADIUS accounting is based on a client/server model in which the switch, operating as the network access server (NAS), is the client. The client forwards user accounting statistics to a designated RADIUS accounting server. The RADIUS accounting server must send a response to the client when it has successfully received and recorded the accounting statistics.

The RADIUS accounting process between a switch and a RADIUS server is based on the exchange of two types of RADIUS messages—Accounting-Request and Accounting-Response. Accounting-Request messages are sent from the switch to the server and convey information used to account for a service provided to a user. Accounting-Response messages are sent from the server to acknowledge receipt of the Accounting-Request packets. The exchange of messages between the switch and the server proceeds as follows:

  1. A RADIUS accounting server listens for User Datagram Protocol (UDP) packets on a specific port. For example, on FreeRADIUS, the default port is 1813.
  2. When a supplicant is authenticated through 802.1X authentication and then connected to the LAN, the switch forwards an Accounting-Request message with a record of the event to the accounting server. The Accounting-Request message sent by the switch includes the RADIUS attribute Acct-Status-Type with a value of Start, which indicates the beginning of user service for this supplicant. The accounting server records this event in the accounting log file as a start record.
  3. The accounting server sends an Accounting-Response message back to the switch confirming that it received the accounting request. If the switch does not receive a response from the server, it continues to send accounting requests until an accounting response is returned from the accounting server.
  4. The switch might send an interim message to the accounting server to periodically update the server with information pertaining to a specific session. Interim messages are sent as Accounting-Request messages with the Acct-Status-Type attribute value of Interim-Update. The accounting server sends an Accounting-Response message back to the switch to confirm receipt of an interim update.
  5. When the supplicant's session ends, the switch forwards an Accounting-Request message with the Acct-Status-Type attribute value set to Stop, indicating the end of user service. The accounting server records this event in the accounting log file as a stop record that contains session information and the length of the session.

The statistics collected through this process can be displayed from the RADIUS server. To view those statistics, the user needs to access the accounting log file configured to receive them. On FreeRADIUS, the filename is the server's address—for example, 122.69.1.250.

Supported RADIUS Attributes

RADIUS accounting statistics are conveyed through the attributes included in each Accounting-Request message sent from the NAS to the server. Table 1 lists the RADIUS attributes supported for Accounting-Request messages.

Table 1: RADIUS Accounting Request Attributes

Type  Attribute           Description
1     User-Name           The name of the authenticated user.
5     NAS-Port            The physical port number of the NAS that authenticates the user. Either NAS-Port or NAS-Port-ID must be contained in the packet.
8     Framed-IP-Address   The IP address of the authenticated user.
11    Filter-ID           The name of the filter list for the user.
12    Framed-MTU          The maximum transmission unit that can be configured for the user.
26    Client-System-Name  Vendor-specific attribute (VSA) used to indicate the client's hostname. Supported for LLDP-capable devices only.
27    Session-Timeout     Sets the maximum time (in seconds) that a session stays active before it terminates or a prompt is issued notifying its termination.
28    Idle-Timeout        The maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.
30    Called-Station-ID   Enables the NAS to identify the phone number that the user called, using Dialed Number Identification (DNIS) or a similar technology.
31    Calling-Station-ID  Enables the NAS to identify the phone number that the call came from, using Automatic Number Identification (ANI) or a similar technology.
32    NAS-Identifier      Contains a string identifying the NAS originating the Accounting-Request message.
40    Acct-Status-Type    Indicates whether this Accounting-Request message marks the beginning (Start) or the end (Stop) of the user session. Can also be used for an interim update (Interim-Update).
44    Acct-Session-ID     A unique ID for a specific accounting session that can be used to match start and stop records for a session in the log file.
45    Acct-Authentic      Indicates whether the user was authenticated locally, by the RADIUS server, or by another remote authentication protocol.
55    Event-Timestamp     Records the time an event occurred.
87    NAS-Port-ID         Text string that identifies the port that authenticates the user. Either NAS-Port or NAS-Port-ID must be present in the packet.

Note: The Framed-IP-Address attribute is sent only if a valid DHCP binding exists for the host in the DHCP snooping table.
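The Start/Stop exchange described in the RADIUS Accounting Process section and the attributes of Table 1, as an added example that is not part of the original page or of Junos OS: it encodes an Accounting-Request the way RFC 2866 specifies, including the Request Authenticator derived from the shared secret, and checks the Accounting-Response the way the switch must before it treats a record as acknowledged. The shared secret, user name, port name and session ID are constructed values.

```python
import hashlib
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5          # RFC 2866 packet codes
# Attribute types from Table 1 used in this example
USER_NAME, NAS_PORT, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 1, 5, 32, 40
ACCT_SESSION_ID, EVENT_TIMESTAMP, NAS_PORT_ID = 44, 55, 87
STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}   # Acct-Status-Type values

def encode_attr(attr_type, value):
    """Encode one attribute as type, length (header included), value.
    Integers are 4-byte big-endian; strings are sent as UTF-8 text."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    if len(data) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(data) + 2) + data

def build_accounting_request(identifier, secret, attrs):
    """Build an Accounting-Request (code 4) as the switch (NAS) would. The
    Request Authenticator is MD5(Code + ID + Length + 16 zero octets +
    Attributes + Secret), so a sender without the shared secret is rejected."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def make_response(request, secret):
    """Server-side Accounting-Response (code 5) acknowledging a request; its
    Response Authenticator is MD5(Code + ID + Length + RequestAuth + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def response_is_authentic(response, request, secret):
    """Client-side check before treating a request as acknowledged: matching
    identifier, sane length, and a Response Authenticator that verifies."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE:
        return False
    if response[1] != request[1] or int.from_bytes(response[2:4], "big") != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]

if __name__ == "__main__":
    # Constructed values: a Start record for one 802.1X session on a switch port
    secret = b"constructed-shared-secret"
    start = build_accounting_request(7, secret, [
        (USER_NAME, "alice"), (NAS_PORT, 1), (NAS_PORT_ID, "ge-0/0/1.0"),
        (ACCT_STATUS_TYPE, STATUS["Start"]), (ACCT_SESSION_ID, "8001A3")])
    print("acknowledged:", response_is_authentic(make_response(start, secret), start, secret))
```

A response that fails this check must not stop the switch from retransmitting (step 3 above), which is why the identifier and authenticator are checked together rather than trusting any packet that arrives on the accounting port.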

Configuring 802.1X RADIUS Accounting (CLI Procedure)

RADIUS accounting enables statistical data about users logging in to or out of a LAN to be collected and sent to a RADIUS accounting server. The statistical data gathered can be used to perform general network monitoring, to analyze and track usage patterns, or to bill a user based upon the amount of time or type of services accessed.

RADIUS accounting is based on a client/server model in which the switch, operating as the network access server (NAS), is the client. The client is responsible for forwarding user accounting statistics to a designated RADIUS accounting server. To configure RADIUS accounting, specify one or more RADIUS accounting servers to receive the statistical data from the switch, and select the type of accounting data to be collected.

The RADIUS accounting server you specify can be the same server used for RADIUS authentication, or it can be a separate RADIUS server. You can specify a list of RADIUS accounting servers. If the primary server (the first one configured) is unavailable, then each RADIUS server in the list is tried in the order in which the servers are configured in Junos OS.

To configure RADIUS accounting by using the CLI:

  1. Configure an access profile and specify the accounting servers to which the switch forwards accounting statistics:
    [edit access]

    user@switch# set profile profile-name radius accounting-server [server-addresses]
  2. Define the address of RADIUS accounting servers and configure the secret password (the secret password on the switch must match the secret password on the server):
    [edit access]

    user@switch# set radius-server server-address secret password
  3. Enable accounting for the access profile:
    [edit access]

    user@switch# set profile profile-name accounting
  4. Configure the accounting order, making RADIUS the first method for sending accounting messages and updates:
    [edit access]

    user@switch# set profile profile-name accounting order radius
  5. Configure the statistics to be collected on the switch and forwarded to the accounting server:
    [edit access]

    user@switch# set profile profile-name accounting accounting-stop-on-access-deny

    user@switch# set profile profile-name accounting accounting-stop-on-failure
  6. (Optional) Configure the switch to send periodic updates for a user session at a specified interval to the accounting server:
    [edit access]

    user@switch# set profile profile-name accounting update-interval minutes
  7. Display accounting statistics collected on the switch using the show network-access aaa statistics accounting command, for example:
    user@switch> show network-access aaa statistics accounting
  8. Open an accounting log on the RADIUS accounting server by using the server's address, and view accounting statistics, for example:
    [root@freeradius]# cd /usr/local/var/log/radius/radacct/192.168.0.1

    [root@freeradius 192.168.0.1]# ls
    [root@freeradius 192.168.0.1]# vi details-20071214
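Reading the accounting log opened in step 8 (and referred to at the end of the RADIUS Accounting Process section), as an added example that is not part of the original page or of FreeRADIUS: it parses records in the detail-file layout and pairs Start and Stop records by Acct-Session-ID to compute each session's length from Event-Timestamp. The record layout is modelled on FreeRADIUS detail files and the log contents are constructed sample data.

```python
from datetime import datetime

# Constructed sample modelled on a FreeRADIUS detail file (not a real log):
# a date line, tab-indented "Attribute = Value" lines, one blank line per record.
SAMPLE_DETAIL = """\
Fri Dec 14 09:00:00 2007
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "8001A3"
\tEvent-Timestamp = "Dec 14 2007 09:00:00 UTC"

Fri Dec 14 10:15:00 2007
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "8001A3"
\tEvent-Timestamp = "Dec 14 2007 10:15:00 UTC"

Fri Dec 14 11:00:00 2007
\tUser-Name = "bob"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "8001A4"
\tEvent-Timestamp = "Dec 14 2007 11:00:00 UTC"
"""

def parse_detail(text):
    """Split the detail file into records, each a dict of attribute -> value."""
    records = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines()[1:]:           # skip the record's date line
            name, _, value = line.strip().partition(" = ")
            attrs[name] = value.strip('"')
        records.append(attrs)
    return records

def session_lengths(records):
    """Pair Start and Stop records by Acct-Session-Id (type 44) and compute each
    session's length from Event-Timestamp (type 55); Interim-Update records are
    skipped and a session that has no Stop record yet is reported as None."""
    starts, lengths = {}, {}
    for rec in records:
        sid, kind = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        when = datetime.strptime(rec["Event-Timestamp"], "%b %d %Y %H:%M:%S %Z")
        if kind == "Start":
            starts[sid], lengths[sid] = when, None
        elif kind == "Stop" and sid in starts:
            lengths[sid] = int((when - starts[sid]).total_seconds())
    return lengths
```

A Start record with no matching Stop (bob here) is the case worth flagging when reviewing the log: either the session is still open or the switch never delivered its stop record.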