802.1X and RADIUS Accounting
EX Series Switches support RADIUS accounting. You can configure RADIUS accounting on an EX Series switch to collect statistical data about users logging in to or out of a LAN and send that data to a RADIUS accounting server. The data gathered is used for network monitoring purposes.
Understanding 802.1X and RADIUS Accounting on Switches
Juniper Networks EX Series Ethernet Switches support IETF RFC 2866, RADIUS Accounting. By configuring RADIUS accounting on an EX Series switch, you can collect statistical data about users logging in to or out of a LAN and send that data to a RADIUS accounting server. The statistical data gathered can be used to perform general network monitoring, to analyze and track usage patterns, or to bill a user based on the amount of time or type of services accessed.
RADIUS Accounting Process
RADIUS accounting is based on a client/server model in which the switch, operating as the network access server (NAS), is the client. The client forwards user accounting statistics to a designated RADIUS accounting server. The RADIUS accounting server must send a response to the client when it has successfully received and recorded the accounting statistics.
The RADIUS accounting process between a switch and a RADIUS server is based on the exchange of two types of RADIUS messages—Accounting-Request and Accounting-Response. Accounting-Request messages are sent from the switch to the server and convey information used to account for a service provided to a user. Accounting-Response messages are sent from the server to acknowledge receipt of the Accounting-Request packets. The exchange of messages between the switch and the server proceeds as follows:
- A RADIUS accounting server listens for User Datagram Protocol (UDP) packets on a specific port. For example, on FreeRADIUS, the default port is 1813.
- When a supplicant is authenticated through 802.1X authentication and then connected to the LAN, the switch forwards an Accounting-Request message with a record of the event to the accounting server. The Accounting-Request message sent by the switch includes the RADIUS attribute Acct-Status-Type with a value of Start, which indicates the beginning of user service for this supplicant. The accounting server records this event in the accounting log file as a start record.
- The accounting server sends an Accounting-Response message back to the switch confirming that it received the accounting request. If the switch does not receive a response from the server, it continues to send accounting requests until an accounting response is returned from the accounting server.
- The switch might send an interim message to the accounting server to periodically update the server with information pertaining to a specific session. Interim messages are sent as Accounting-Request messages with the Acct-Status-Type attribute value of Interim-Update. The accounting server sends an Accounting-Response message back to the switch to confirm receipt of an interim update.
- When the supplicant's session ends, the switch forwards an Accounting-Request message with the Acct-Status-Type attribute value set to Stop, indicating the end of user service. The accounting server records this event in the accounting log file as a stop record that contains session information and the length of the session.
The statistics collected through this process can be displayed from the RADIUS server. To view those statistics, the user needs to access the accounting log file configured to receive them. On FreeRADIUS, the filename is the server's address—for example, 22.214.171.124.
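As an added example (not Juniper's or FreeRADIUS's code), the Accounting-Request/Accounting-Response exchange described above in Python: the NAS computes the RFC 2866 Request Authenticator, the server answers with a Response Authenticator derived from the shared secret, and the NAS accepts only a response whose authenticator checks out. The attribute type codes are the standard RFC 2865/2866 values; the secret, user and session values are constructed.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5      # RADIUS packet codes (RFC 2866)
USER_NAME, NAS_PORT, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 5, 40, 44
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}

def attr(atype, value):
    """Encode one attribute as Type | Length | Value; integers are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([atype, 2 + len(value)]) + value

def accounting_request(ident, secret, attrs):
    """NAS side. Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body

def accounting_response(request, secret):
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)   # no attributes in the reply
    auth = hashlib.md5(head + request[4:20] + secret).digest()
    return head + auth

def response_is_valid(request, response, secret):
    """NAS side. Accept the response only if it carries the outstanding request's ID,
    a consistent Length, and an authenticator computed with the shared secret;
    otherwise the switch keeps retransmitting, as the process above describes."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    if int.from_bytes(response[2:4], "big") != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def start_record(ident, secret, user, port, session_id):
    """The Accounting-Request sent right after a supplicant passes 802.1X: Acct-Status-Type=Start."""
    return accounting_request(ident, secret, [
        attr(USER_NAME, user.encode()),
        attr(NAS_PORT, port),
        attr(ACCT_STATUS_TYPE, ACCT_STATUS["Start"]),
        attr(ACCT_SESSION_ID, session_id.encode()),
    ])
```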
Supported RADIUS Attributes
RADIUS accounting statistics are conveyed through the attributes included in each Accounting-Request message sent from the NAS to the server. Table 1 lists the RADIUS attributes supported for Accounting-Request messages.
Table 1: RADIUS Accounting Request Attributes
- User-Name: The name of the authenticated user.
- NAS-Port: The physical port number of the NAS that authenticates the user. Either NAS-Port or NAS-Port-ID must be contained in the packet.
- Framed-IP-Address: The IP address of the authenticated user.
  Note: The Framed-IP-Address attribute is sent only if a valid DHCP binding exists for the host in the DHCP snooping table.
- Filter-Id: The name of the filter list for the user.
- Framed-MTU: The maximum transmission unit that can be configured for the user.
- Vendor-specific attribute (VSA): Indicates the client's hostname. Supported for LLDP-capable devices only.
- Session-Timeout: Sets the maximum time (in seconds) that a session stays active before it terminates or a prompt is issued notifying its termination.
- Idle-Timeout: The maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt.
- Called-Station-Id: Enables the NAS to identify the phone number that the user called, using Dialed Number Identification (DNIS) or a similar technology.
- Calling-Station-Id: Enables the NAS to identify the phone number that the call came from, using Automatic Number Identification (ANI) or a similar technology.
- NAS-Identifier: Contains a string identifying the NAS originating the Accounting-Request message.
- Acct-Status-Type: Indicates whether this Accounting-Request message marks the beginning (Start) or the end (Stop) of the user session. Can also be used for an interim update (Interim-Update).
- Acct-Session-Id: A unique ID for a specific accounting session that can be used to match start and stop records for a session in the log file.
- Acct-Authentic: Indicates whether the user was authenticated locally, by the RADIUS server, or by another remote authentication protocol.
- Event-Timestamp: Records the time an event occurred.
- NAS-Port-ID: Text string that identifies the port that authenticates the user. Either NAS-Port or NAS-Port-ID must be present in the packet.
Configuring 802.1X RADIUS Accounting (CLI Procedure)
RADIUS accounting enables statistical data about users logging in to or out of a LAN to be collected and sent to a RADIUS accounting server. The statistical data gathered can be used to perform general network monitoring, to analyze and track usage patterns, or to bill a user based upon the amount of time or type of services accessed.
RADIUS accounting is based on a client/server model in which the switch, operating as the network access server (NAS), is the client. The client is responsible for forwarding user accounting statistics to a designated RADIUS accounting server. To configure RADIUS accounting, specify one or more RADIUS accounting servers to receive the statistical data from the switch, and select the type of accounting data to be collected.
The RADIUS accounting server you specify can be the same server used for RADIUS authentication, or it can be a separate RADIUS server. You can specify a list of RADIUS accounting servers. If the primary server (the first one configured) is unavailable, then each RADIUS server in the list is tried in the order in which the servers are configured in Junos OS.
To configure RADIUS accounting by using the CLI:
- Configure an access profile and specify the accounting servers to which the switch forwards accounting statistics:
- Define the address of the RADIUS accounting servers and configure the secret password (the secret password on the switch must match the secret password on the server):
user@switch# set radius-server server-address secret password
- Enable accounting for the access profile:
- Configure the accounting order, making RADIUS the first method for sending accounting messages and updates:
- Configure the statistics to be collected on the switch and forwarded to the accounting server:
- (Optional) Configure the switch to send periodic updates for a user session at a specified interval to the accounting server:
- Display accounting statistics collected on the switch using the show network-access aaa statistics accounting command, for example:
user@switch> show network-access aaa statistics accounting
Accounting module statistics
Requests received: 1
Accounting Response failures: 0
Accounting Response Success: 1
Requests timedout: 0
- Open an accounting log on the RADIUS accounting server by using the server's address, and view accounting statistics, for example:
[root@freeradius]# cd /usr/local/var/log/radius/radacct/192.168.0.1
[root@freeradius 192.168.0.1]# ls
[root@freeradius 192.168.0.1]# vi details-20071214
User-Name = "000347e1bab9"
NAS-Port = 67
Acct-Status-Type = Stop
Acct-Session-Id = "8O2.1x811912"
Acct-Input-Octets = 17454
Acct-Output-Octets = 4245
Acct-Session-Time = 1221041249
Acct-Input-Packets = 72
Acct-Output-Packets = 53
Acct-Terminate-Cause = Lost-Carrier
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Called-Station-Id = "00-19-e2-50-52-60"
Calling-Station-Id = "00-03-47-e1-ba-b9"
Event-Timestamp = "Sep 10 2008 16:52:39 PDT"
NAS-Identifier = "esp48t-1b-01"
NAS-Port-Type = Virtual

User-Name = "000347e1bab9"
NAS-Port = 67
Acct-Status-Type = Start
Acct-Session-Id = "8O2.1x811219"
Called-Station-Id = "00-19-e2-50-52-60"
Calling-Station-Id = "00-03-47-e1-ba-b9"
Event-Timestamp = "Sep 10 2008 18:58:52 PDT"
NAS-Identifier = "esp48t-1b-01"
NAS-Port-Type = Virtual
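As an added example (not code from FreeRADIUS or Juniper), a small parser for the detail-file layout shown above that pairs Start and Stop records by Acct-Session-Id and takes the usage counters from the Stop record, so a monitor can spot sessions whose Stop never arrived. The sample records are constructed, not copied from a real log.

```python
import re

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_detail(text):
    """One dict per record; records are separated by blank lines, and lines that are not 'Attribute = value' (the per-record timestamp header) are skipped."""
    records, current = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return records

def summarize_sessions(records):
    """Pair Start and Stop records by Acct-Session-Id; a session with start=True and stop=False is still open or lost its Stop record."""
    sessions = {}
    for rec in records:
        sid, status = rec.get("Acct-Session-Id"), rec.get("Acct-Status-Type")
        if not sid or not status:
            continue
        s = sessions.setdefault(sid, {"user": rec.get("User-Name"), "start": False, "stop": False})
        if status == "Start":
            s["start"] = True
        elif status == "Stop":
            s["stop"] = True
            s["octets"] = int(rec.get("Acct-Input-Octets", 0)) + int(rec.get("Acct-Output-Octets", 0))
            s["seconds"] = int(rec.get("Acct-Session-Time", 0))
            s["cause"] = rec.get("Acct-Terminate-Cause")
    return sessions

# Constructed sample in the detail-file layout (made-up values, not a real log).
SAMPLE = "\n".join([
    "Wed Sep 10 16:52:39 2008",
    '\tUser-Name = "000347e1bab9"', "\tAcct-Status-Type = Start", '\tAcct-Session-Id = "8O2.1x811219"',
    "",
    '\tUser-Name = "000347e1bab9"', "\tAcct-Status-Type = Stop", '\tAcct-Session-Id = "8O2.1x811219"',
    "\tAcct-Input-Octets = 17454", "\tAcct-Output-Octets = 4245", "\tAcct-Session-Time = 7573",
    "\tAcct-Terminate-Cause = Lost-Carrier",
    "",
    "\tAcct-Status-Type = Start", '\tAcct-Session-Id = "8O2.1x811912"',
])
```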