RADIUS Accounting for Subscriber Access

 

This topic provides detailed information about RADIUS accounting statistics, subscriber session accounting, duplicate reporting, and service accounting. For information about configuring servers for RADIUS accounting, see RADIUS Authentication and Accounting Basic Configuration.

RADIUS Accounting Statistics for Subscriber Access Overview

The AAA Service Framework enables you to configure how the router collects and uses accounting statistics for subscriber management.

For example, you can specify when statistics collection is terminated, the order in which different accounting methods are used, the types of statistics collected, and how often statistics are collected. You can also configure the router to request that the RADIUS server immediately update the accounting statistics when certain events occur, such as when a subscriber logs in or when a change of authorization (CoA) occurs.

Subscriber management provides two levels of subscriber accounting—subscriber session and service session. In subscriber session accounting, the router collects statistics for the entire subscriber session. In service session accounting, the router collects statistics for specific service sessions for the subscriber.

Note

Subscriber management counts forwarded packets only. Dropped traffic (for example, as a result of a filter action) and control traffic are not included in the accounting statistics.

The router uses the RADIUS attributes and Juniper Networks VSAs listed in Table 1 to provide the accounting statistics for subscriber and service sessions. If the session has both IPv4 and IPv6 families enabled, the router reports statistics for both families.

Note

RADIUS reports subscriber statistics as an aggregate of both IPv4 statistics and IPv6 statistics.

  • For an IPv4-only configuration, the standard RADIUS attributes report the IPv4 statistics and the IPv6 VSA results are all reported as 0.

  • For an IPv6-only configuration, the standard RADIUS attributes and the IPv6 VSA statistics are identical, both reporting the IPv6 statistics.

  • When both IPv4 and IPv6 are configured, the standard RADIUS attributes report the combined IPv4 and IPv6 statistics. The IPv6 VSAs report IPv6 statistics.

Table 1: RADIUS Attributes and VSAs Used for Per-Subscriber Session Accounting

Attribute Number | Attribute Name | Type of Statistics
26-151 | IPv6-Acct-Input-Octets | IPv6
26-152 | IPv6-Acct-Output-Octets | IPv6
26-153 | IPv6-Acct-Input-Packets | IPv6
26-154 | IPv6-Acct-Output-Packets | IPv6
26-155 | IPv6-Acct-Input-Gigawords | IPv6
26-156 | IPv6-Acct-Output-Gigawords | IPv6
47 | Acct-Input-Packets | IPv4 and IPv6 aggregation
48 | Acct-Output-Packets | IPv4 and IPv6 aggregation
52 | Acct-Input-Gigawords | IPv4 and IPv6 aggregation
53 | Acct-Output-Gigawords | IPv4 and IPv6 aggregation

RADIUS Acct-On and Acct-Off Messages

Subscriber management supports RADIUS Acct-On and Acct-Off messages to indicate the current state of RADIUS accounting support.

RADIUS Acct-On messages indicate that accounting is being supported. Subscriber management issues Acct-On messages in the following situations:

  • Accounting is enabled through configuration (for example, an accounting server is configured).

  • A new access profile is configured and committed for a logical system/routing instance context. However, no Acct-On message is sent if the accounting server exists prior to the access profile and if it is simply modified.

  • The router performs a cold reboot.

  • The router performs a warm reboot and there are no subscribers currently logged in.

  • The Authd process restarts and there are no active subscribers.

RADIUS Acct-Off messages indicate that accounting is not supported. Subscriber management issues Acct-Off messages in the following situations:

  • The Authd process is terminated and there are no active subscribers.

  • The router is shut down and accounting servers are currently configured (this action also logs out all current subscribers).

  • The router is rebooted and redundancy is disabled.

Configuring Per-Subscriber Session Accounting

To configure accounting for a subscriber session, you use an access profile, and specify how the subscriber access management feature collects and uses the accounting statistics. The router uses the RADIUS attributes and Juniper Networks VSAs discussed in RADIUS Accounting Statistics for Subscriber Access Overview to provide the accounting statistics for the subscriber session.

To configure accounting for a subscriber session:

  1. At the [edit access profile profile-name] hierarchy level, specify that you want to configure accounting.
  2. (Optional) Configure AAA to issue an Acct-Stop message if the AAA server denies access to the subscriber.
  3. (Optional) Configure AAA to send an Acct-Stop message if the subscriber fails AAA but is granted access by the AAA server.
  4. (Optional) Configure the router or switch to send an Acct-Update message to the RADIUS accounting server when a CoA occurs.
  5. (Optional) Configure subscriber management to send the RADIUS accounting report to both the wholesaler and the retailer accounting servers.
  6. (Optional) Configure the duplication filtering action you want the router to perform when the RADIUS duplication accounting operation is enabled.

  7. (Optional) Configure the router to send the RADIUS accounting report to multiple accounting servers listed in access profiles in a nondefault VRF (LS:RI).
  8. (Optional) Configure the router or switch to send an Acct-Update message to the RADIUS accounting server when the router or switch receives a response (for example, an ACK or timeout) to the Acct-Start message.

  9. (Optional) Configure the order in which multiple accounting methods are used.
  10. (Optional) Configure the types of statistics to gather. You can specify that the router or switch collect both volume and time statistics or only time statistics for subscriber sessions. When you change the type of statistics being collected, current subscribers continue to use the previous collection specification. Subscribers who log in after the change use the new specification.
  11. (Optional) Override the default behavior and specify that, after a CoA action that changes the RADIUS Class attribute, accounting reports for the subscriber’s service sessions continue to use the original Class attribute that was assigned when the service sessions were created. The new Class attribute value is used in accounting reports for the subscriber session only. By default, the accounting reports for both the subscriber session and the subscriber’s service sessions use the new Class attribute value.
  12. (Optional) Configure the number of minutes between accounting updates. You can configure an interval from 10 through 1440 minutes. All values are rounded up to the next higher multiple of 10. For example, the values 811 through 819 are all accepted by the CLI, but are all rounded up to 820.
  13. (Optional) Configure AAA to send an immediate interim accounting update to the RADIUS server when AAA receives a rate change notification from the ANCP agent on the router.
  14. (Optional) Configure the authd process to wait for an Acct-On-Ack response message from RADIUS before sending any new authentication and accounting updates to the RADIUS server. This configuration ensures that when a new subscriber session starts, the authentication and accounting information for the new session does not get deleted when RADIUS clears previously existing session state information.
  15. (Optional) Configure the authd process to send accounting messages when the RADIUS server status changes for an access profile. It sends an Acct-On message when the first RADIUS server is added to the access profile and sends an Acct-Off message when the last RADIUS server is removed from the access profile. This configuration enables you to monitor whether the access profile has an active RADIUS server.

Enabling the Reporting of Accurate Subscriber Accounting Statistics to the CLI

You can configure the router to display accurate statistics for subscriber sessions on dynamic interfaces. By default, aggregate statistics (byte and packet counts) for interfaces displayed by the show interfaces extensive command do not accurately reflect customer traffic. These counters include overhead bytes that represent the encapsulation overhead added to the actual subscriber data bytes. The aggregate counters also include dropped packets in the total, so the values represent transit statistics rather than the actual subscriber traffic on the interface.

Inclusion of the overhead bytes and dropped packets can have a significant effect on the final reported values. You can exclude dropped packets from the count by including the interface-transmit-statistics statement for an interface, but this has no effect on the overhead bytes.

To display accurate subscriber statistics, include the actual-transit-statistics statement for the logical interface in the dynamic profile. This statement enables the show subscribers command to display aggregate byte and packet counts for a specified subscriber session or for all subscriber sessions on a specified interface. The displayed statistics match the values that are reported to RADIUS for the subscribers. The statistics are collected after traffic shaping is applied and they do not include overhead bytes, control packets, or dropped packets.

Note

Starting in Junos OS Release 18.4R1, you must enable actual-transit-statistics to collect subscriber statistics. If you do not configure this statement, subscriber statistics are not collected; the show subscribers accounting-statistics command displays a value of 0 for subscriber statistics; and the subscriber statistics are reported to RADIUS with values of zero.

Note

Service accounting statistics are not included.

To configure the reporting of accurate subscriber session statistics:

  • Enable actual transit statistics.

You can display the subscriber accounting statistics in two ways:

  • Display subscriber statistics by session ID with the show subscribers id session-id accounting-statistics command.

  • Display subscriber statistics by dynamic interface for all session IDs with the show subscribers interfaces interface-name accounting-statistics command.

Understanding RADIUS Accounting Duplicate Reporting

When you configure RADIUS accounting, by default the router sends the accounting reports to the accounting servers in the context in which the subscriber was last authenticated. You can configure RADIUS accounting to send duplicate accounting reports to other servers in the same context or in other contexts.

Layer 3 Wholesale Scenarios

In a Layer 3 wholesale network environment, the wholesaler and retailer might use different RADIUS accounting servers, and both might want to receive accounting reports. In this situation, you can configure RADIUS accounting duplicate reporting, which sends reports to both the wholesaler and the retailer accounting servers. The target to which the duplicate accounting records are sent must be in the default:default logical system:routing instance combination (LS:RI), also called the default VRF.

Table 2 shows where subscriber management sends the accounting reports when you enable duplicate reporting. Subscriber management sends duplicate reports based on the access profile in which you configure the duplication statement at the [edit access profile profile-name accounting] hierarchy level, where the subscriber resides, and how the subscriber is authenticated.

Note

You can also enable accounting duplicate reporting based on the domain map configuration—you configure subscribers to authenticate with a nondefault routing instance and a target logical system:routing instance of default:default. The accounting reports are then sent to both the authentication context and the default:default context.

Table 2: Duplicate RADIUS Accounting Reporting

Access Profile in Which Duplication Is Configured

Where Subscriber Is Authenticated

Subscriber’s Target Logical System/Routing Instance

Accounting Servers Where Accounting Reports Are Sent

retailer A

wholesaler

retailer A

wholesaler and retailer A

retailer A

retailer A

retailer A

wholesaler (default/default context)

Note: This is the domain map configuration described in the Note preceding this table.

wholesaler

wholesaler and retailer A

retailer A

wholesaler and retailer A

wholesaler and retailer B

wholesaler and retailer A

retailer B

wholesaler, retailer A, and retailer B

not configured (default)

any

any

single report sent to accounting servers in the context in which subscriber was last authenticated

Other Scenarios

For scenarios that are not in a Layer 3 wholesale network environment, you might want to send duplicate accounting records to a different set of RADIUS servers that reside in either the same or a different routing context. Unlike the Layer 3 wholesale scenario, the target for the duplicate RADIUS accounting records does not have to be the default VRF. You can specify a single nondefault VRF—that is, other than the default:default LS:RI combination—as the target. Additionally, you can specify up to five access profiles in the target VRF that list the RADIUS accounting servers that receive the duplicate reports.

For example, you might have a lawful intercept scenario where the subscriber is authenticated in the default domain. An authorized law enforcement organization needs duplicate accounting records for the subscriber to be sent to a mediation device that resides in the organization’s networking domain, which lies in a nondefault VRF.

Subscriber management sends duplicate reports to the VRF that you specify with the vrf-name statement at the [edit access profile profile-name accounting duplication-vrf] hierarchy level. Include the access-profile-name statement at the same level to designate the access profiles that in turn specify the RADIUS servers that receive the duplicate reports.

Filters for Duplicate Accounting Reports

Subscriber management provides a duplication filter feature that enables you to specify which accounting servers receive the RADIUS accounting interim reports when RADIUS accounting duplicate reporting is active. You configure the filters in the AAA access profile, and the router then applies the filters to subscribers associated with that profile.

Subscriber management supports the following filtering for RADIUS accounting duplicate reporting:

  • Duplicated accounting interim messages—The router filters duplicate accounting messages. The accounting messages are sent only to RADIUS accounting servers in the subscriber’s access profile.

  • Original accounting interim messages—The router filters accounting messages destined for original RADIUS accounting servers, which are accounting servers in the subscriber’s access profile. The accounting messages are sent only to duplication accounting servers (servers in a duplication access profile other than the subscriber’s access profile).

  • Excluded RADIUS attributes—The router filters the RADIUS attributes in the accounting messages based on the exclude statement configuration in the access profile under the duplication context. You can use the exclude filter alone, or with the duplicated or original accounting message filters.

Configuring Duplication Filters for RADIUS Accounting Duplicate Reporting

You can use duplication filters to specify the RADIUS accounting servers that receive RADIUS accounting interim reports when accounting duplicate reporting is enabled. You configure the filters in a AAA access profile, and the router applies the filters to subscribers associated with that profile.

To configure duplication filters for accounting duplicate reporting:

  1. At the [edit access profile profile-name] hierarchy level, specify that you want to configure accounting.
  2. Configure the duplication filter you want the router to use.

    The following examples show the three types of filters and describe the results for each filter:

    • Specify that the router does not send the accounting interim messages to duplicate RADIUS accounting servers.

      Duplicate RADIUS accounting servers are those that are not in the subscriber’s access profile. The router still sends the accounting interim messages to accounting servers that reside in the subscriber’s access profile.

    • Specify that the router does not send the accounting interim messages to original RADIUS accounting servers.

      Original accounting servers are those that reside in the subscriber’s AAA routing context. The router still sends the accounting interim messages to duplicate accounting servers, which are those servers that reside in a duplication context other than the subscriber’s access profile.

    • Specify how the router uses the exclude statement configuration to filter RADIUS attributes from accounting interim messages.

      The router uses the configuration for the exclude statement in the duplication access profile to determine which RADIUS attributes are not included in the accounting interim messages.

Configuring Per-Service Session Accounting

Subscriber management enables you to configure the router to collect statistics on a per-service session basis for subscribers. Per-service session accounting requires two operations. First, RADIUS must be configured to provide the name of the service, the accounting interval to use, and the type of statistics to collect (either time statistics or a combination of time and volume statistics). Second, if RADIUS VSA 26-69 is configured for time and volume statistics, you must also configure a firewall or fast update firewall filter that counts service packets—the service packet information provides the volume statistics.

The router uses the RADIUS attributes and Juniper Networks VSAs discussed in RADIUS Accounting Statistics for Subscriber Access Overview to provide the accounting statistics for the subscriber session.

Note

The collection of time-only service statistics is supported for all service sessions. However, time and volume statistics are provided for only firewall and fast update firewall service sessions.

To configure the router to provide per-service accounting statistics:

  1. Ensure that the required RADIUS VSAs are configured.

    See Table 3 for the VSAs that the router uses for per-service accounting.

  2. Configure the classic firewall filter or fast update filter to count the service packets.

    See Configuring Service Packet Counting for Volume Statistics.

Table 3: Juniper Networks VSAs Used for Per-Service Session Accounting

Attribute Number | Attribute Name | Description | Value
26-69 | Service-Statistics | Enable or disable statistics for the service | 0 = disable; 1 = enable time statistics; 2 = enable time and volume statistics
26-83 | Service-Session | Service string sent in accounting stop and start messages from the router to the RADIUS server | string: service-name, with parameter values that are sent from RADIUS server in attribute 26-65.
26-140 | Service-Interim-Acct-Interval | Amount of time between interim accounting updates for this service | range = 600–86400 seconds; 0 = disabled. Note: Values are rounded up to the next higher multiple of 10 minutes. For example, a setting of 900 seconds (15 minutes) is rounded up to 20 minutes (1200 seconds).

Processing Cisco VSAs in RADIUS Messages for Service Provisioning

You can use Cisco VSAs in RADIUS messages to provision and manage services in a subscriber access network. In the topology for this deployment, the broadband network gateway (BNG) is connected to:

  • A RADIUS server, such as the Steel-Belted Radius Carrier (SBRC), that is used for authentication and accounting.

  • A Cisco BroadHop application that is used as the Policy Control and Charging Rules Function (PCRF) server for provisioning services using RADIUS change of authorization (CoA) messages.

Cisco BroadHop does not support Juniper VSAs. It uses the Cisco VSA, Cisco-AVPair (26-1, IANA private enterprise number 9) with different values to activate and deactivate the services.

To activate a service, use the Cisco-AVPair VSA (26-1) with each of the following values:

  • Value of the subscriber:command=activate-service parameter.

  • Value of the subscriber:service-name=service-name parameter.

To deactivate a service, use the Cisco-AVPair VSA (26-1) with each of the following values:

  • Value of the subscriber:command=deactivate-service parameter.

  • Value of the subscriber:service-name=service-name parameter.

You cannot modify any attributes in authentication, accounting, or CoA responses in the RADIUS messages that the BNG sends. Any Cisco VSAs other than the ones used to provision the services are considered as unsupported attributes.
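The following added example (not Juniper or Cisco code) parses the attribute portion of a RADIUS CoA request, extracts Cisco-AVPair (26-1, enterprise number 9) values, and accepts only the two provisioning pairs described above. It assumes the input is the attribute bytes that follow the 20-byte RADIUS header; the service name gold-service and the sample bytes are constructed, and reporting unsupported items in a list is a choice made for this illustration.

```python
import struct

VSA_TYPE = 26        # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_PEN = 9        # IANA private enterprise number for Cisco
CISCO_AVPAIR = 1     # vendor type of Cisco-AVPair (26-1)
COMMANDS = {"activate-service": "activate", "deactivate-service": "deactivate"}


def iter_attributes(buf):
    """Yield (type, value) for each attribute TLV, rejecting malformed lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def cisco_avpairs(buf):
    """Return (Cisco-AVPair strings, names of other Cisco VSAs seen)."""
    pairs, unsupported = [], []
    for atype, value in iter_attributes(buf):
        if atype != VSA_TYPE or len(value) < 6:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != CISCO_PEN:
            continue
        sub = value[4:]                      # one or more vendor sub-attributes
        while sub:
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            vtype, vlen = sub[0], sub[1]
            if vtype == CISCO_AVPAIR:
                pairs.append(sub[2:vlen].decode("ascii"))
            else:
                unsupported.append("cisco-vsa-%d" % vtype)
            sub = sub[vlen:]
    return pairs, unsupported


def service_request(buf):
    """Return (action, service-name, unsupported) for a provisioning request."""
    pairs, unsupported = cisco_avpairs(buf)
    command = service = None
    for pair in pairs:
        key, _, val = pair.partition("=")
        if key == "subscriber:command" and val in COMMANDS:
            command = COMMANDS[val]
        elif key == "subscriber:service-name" and val:
            service = val
        else:
            unsupported.append(pair)         # any other AVPair is not supported
    if command is None or service is None:
        raise ValueError("need both subscriber:command and subscriber:service-name")
    return command, service, unsupported


def avpair(text, vtype=CISCO_AVPAIR):
    """Build one Cisco VSA carrying text (helper for the constructed sample)."""
    data = text.encode("ascii")
    return (bytes([VSA_TYPE, 8 + len(data)]) + struct.pack("!I", CISCO_PEN)
            + bytes([vtype, 2 + len(data)]) + data)


# Constructed sample: the two AVPairs that activate a service.
SAMPLE = (avpair("subscriber:command=activate-service")
          + avpair("subscriber:service-name=gold-service"))

if __name__ == "__main__":
    print(service_request(SAMPLE))
```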

To configure service accounting for an access profile for a subscriber:

  1. Specify that you want to configure service accounting.
  2. (Optional) Enable interim service accounting updates and configure the amount of time that the router or switch waits before sending a new service accounting update. You can configure an interval from 10 through 1440 minutes. All values are rounded up to the next higher multiple of 10. For example, the values 811 through 819 are all accepted by the CLI, but are all rounded up to 820.
  3. (Optional) Configure the types of statistics to gather. You can specify that the router or switch collect both volume and time statistics or only time statistics for subscriber sessions. When you change the type of statistics being collected, current subscribers continue to use the previous collection specification. Subscribers who log in after the change use the new specification.

You can also define the UDP port number to configure the port on which the router that functions as the RADIUS dynamic-request server must receive requests from RADIUS servers. By default, the router listens on UDP port 3799 for dynamic requests from remote RADIUS servers. You can configure the UDP port number to be used for dynamic requests for a specific access profile or for all of the access profiles on the router. To define the UDP port number, include the dynamic-request-port port-number statement at the [edit access profile profile-name radius-server server-address] or the [edit access radius-server server-address] hierarchy level.

To specify the UDP port globally for all access profiles:

To specify the UDP port for a specific access profile:

Configuring Service Packet Counting for Volume Statistics

Subscriber management uses service packet counting to report volume statistics for subscribers on a per-service session basis. To configure service packet counting, you specify the accounting action, and subscriber management then applies the results to a specific named counter (__junos-dyn-service-counter) for use by RADIUS.

The accounting action you configure specifies the counting mechanism that subscriber management uses when capturing statistics—either inline counters or deferred counters. Inline counters are captured when the event occurs, and do not include any additional packet processing that might occur after the event. Deferred counters (also called accurate accounting) are not incremented until the packet is queued for transmission, and therefore include the entire packet processing. Deferred counters provide a more accurate count of the packets than inline counters, and are more useful for subscriber accounting and billing.

You configure the accounting mechanism by specifying either the service-accounting-deferred action (for deferred counters) or the service-accounting action (for inline counters) at the [edit firewall family family-name filter filter-name term term-name then] hierarchy level.

The two accounting mechanisms are mutually exclusive, both on a per-term basis and a per-filter basis. Also, both accounting actions are mutually exclusive with the count action on a per-term basis.

Note

You can define deferred counters for the inet and inet6 families for classic filters only. Fast update filters do not support deferred counters.

To enable service packet counting:

  1. Configure any match conditions that you want to count using the service accounting action. For example:
  2. Specify the accounting action for the filter.

    To use deferred counters:

    To use inline counters:

When the match conditions for the filter are met, the packet is counted and applied to the well-known service counter (__junos-dyn-service-counter) for use by the RADIUS server. This counter provides the volume statistics for per-service accounting.

Tip

You cannot use the service-accounting action or the service-accounting-deferred action in the same term as a count action.

Configuring Service Accounting

Service accounting is disabled by default. You can configure service accounting by using RADIUS attributes received from the external RADIUS server or by using the CLI to configure accounting locally on the router. If you configure both, the RADIUS setting takes precedence over the CLI setting.

In some networks, you must use the CLI to enable and disable service accounting and to specify the interim accounting interval. For example, the BNG might be connected to both a RADIUS server and a third-party device using an application that uses RADIUS CoAs for service provisioning but does not support Juniper Networks VSAs. For more information about this use case, see Processing Cisco VSAs in RADIUS Messages for Service Provisioning.

Table 4 indicates the type of service accounting statistics that are collected when various combinations of local CLI and RADIUS service accounting configuration are present:

Table 4: Type of Service Accounting Statistics Collected Based On CLI and RADIUS Configurations

CLI Configuration Present for Service Statistics

RADIUS Configuration Present for Service Statistics

Service Statistics Collected

None

RADIUS configuration

CLI configuration

RADIUS configuration

Explicitly disabled with a value of 0

None

Table 5 indicates the service interim accounting interval value that is used when various combinations of local CLI and RADIUS service accounting configuration are present:

Table 5: Service Interim Accounting Interval Value Based on CLI and RADIUS Configurations

CLI Configuration Present for Service Interim Accounting Interval

RADIUS Configuration Present for Service Interim Accounting Interval

Service Interim Accounting Interval Value Used

No service interim accounting

RADIUS value

CLI value

RADIUS value

Explicitly disabled with a value of 0

No service interim accounting

Table 6 shows the results for two example combinations of CLI and RADIUS configurations.

Table 6: Example of Values Used for Different Configurations

CLI | RADIUS | Value Used
update-interval = 400; statistics = time | Acct-Interim-Interval (85) = 600; Service-Statistics (26-69) not set | 600; time
update-interval = 400; statistics = time | Acct-Interim-Interval (85) not set; Service-Statistics (26-69) = 2, time and volume | 400; time and volume

To configure service accounting for an access profile for a subscriber:

  1. Specify that you want to configure service accounting.
  2. (Optional) Enable interim service accounting updates and configure the amount of time that the router or switch waits before sending a new service accounting update. You can configure an interval from 10 through 1440 minutes. All values are rounded up to the next higher multiple of 10. For example, the values 811 through 819 are all accepted by the CLI, but are all rounded up to 820.
  3. (Optional) Configure the types of statistics to gather. You can specify that the router or switch collect both volume and time statistics or only time statistics for subscriber sessions. When you change the type of statistics being collected, current subscribers continue to use the previous collection specification. Subscribers who log in after the change use the new specification.

Preservation of RADIUS Accounting Information During an Accounting Server Outage

If the router loses contact with the RADIUS accounting server, as represented in Figure 1, whether due to a server outage or a problem in the network connecting to the server, you can lose all the billing information that would have been received by the server. RADIUS accounting backup preserves the accounting data that accumulates during the outage. If you have not configured RADIUS accounting backup, the accounting data is lost for the duration of the outage from the time when the router has exhausted its attempts to resume contact with the RADIUS server. The configurable retry value determines the number of times the router attempts to contact the server.

Figure 1: Topology with Loss of Access to Accounting Server

By default, the router must wait until the revert timer expires before it can attempt to contact the non-responsive server again. However, when you configure accounting backup, the revert timer is disabled and the router immediately retries its accounting requests as soon as the router fails to receive accounting acknowledgments. Accounting backup follows this sequence:

  1. The router fails to receive accounting acknowledgments from the server.

  2. The router immediately attempts to contact the accounting server and marks the server as offline if the router does not receive an acknowledgment before exhausting the number of retries.

  3. The router next attempts to contact in turn each additional accounting server configured in the RADIUS profile.

    If a server is reached, then the router resumes sending accounting requests to this server.

  4. If none of the servers responds or if no other servers are in the profile, the router declares a timeout and begins backing up the accounting data. It withholds all accounting stop messages and does not forward new accounting requests to the server.

  5. During the outage, the router sends a single pending accounting stop message to the servers at periodic intervals.

  6. If one of the servers acknowledges receipt, then the router sends all the pending stop messages to that server in batches at the same interval until all the stored stop messages have been sent. However, any new accounting requests are sent immediately rather than being held and sent periodically.

The router replays accounting stop messages to the server in the correct order because it preserves both the temporal order among subscribers and the causal order between service and session stop requests for each subscriber. Only accounting stop messages are backed up, because they include the start time and duration of sessions and all the accounting statistics. This makes it unnecessary to withhold the accounting start messages, which eventually time out. Interim updates are not backed up and time out as well; if the session remains active, then the next interim update after the server connection is restored provides the interim accounting information.

You can configure the number of accounting stop messages that the router can queue pending restoration of contact with the accounting server. To preserve current accounting data in preference to collecting new accounting data, subscriber logins fail as soon as the maximum number of messages has been withheld. Subscriber logins resume immediately when the pending queue drops below the queue limit.

Note

Service accounting stop messages are withheld for a maximum of ten services per subscriber. If a subscriber attempts to activate an eleventh service while that accounting server is offline, the activation fails.

The router can hold the pending accounting messages for up to 24 hours. When the configurable maximum holding period passes, all accounting stop messages still in the pending queue are flushed, even if the accounting server has come back online. A consequence of this is that subscriber logins resume immediately if they were failing because the maximum pending limit had been reached.

All pending messages are also flushed in either of the following circumstances:

  • If you remove the last accounting server from the access profile, because then there is no place to send the messages.

  • If you remove the accounting backup configuration.

While the router is withholding accounting stop messages, you can force the router to attempt contact with the accounting server immediately, rather than allowing it to wait until the periodic interval has expired. When you do so, the router first replays a batch of stop messages to the server, with one of the following outcomes:

  • If the router receives an acknowledgment of receipt, then it marks the server as online and begins replaying all remaining pending stop messages in batches.

  • If the router does not receive the acknowledgment, then it resumes sending a single pending accounting stop message at the periodic interval.

When a subscriber logs out while the accounting server is offline, the accounting stop requests for the subscriber and the session are queued and replayed to the server when it comes online. In this case, the subscriber session and service session information is retained, so that the router can send a correct accounting request when the server comes back online.
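
The queueing behavior described above, as an added Python model (not Junos code and not part of the original page). The batch size, the tick times, the assumption that the holding timer starts when the first stop is withheld, and the subscriber names are all constructed for illustration.

```python
from collections import deque

class AccountingBackup:
    """Toy model of the router's pending Acct-Stop queue (not Junos code)."""
    def __init__(self, max_pending, max_withhold_s, batch_size=2):
        self.max_pending = max_pending        # configured queue limit
        self.max_withhold_s = max_withhold_s  # configured holding period (24 h at most)
        self.batch_size = batch_size          # assumption: the page gives no batch size
        self.pending = deque()                # withheld stops, oldest first
        self.first_withheld = None            # assumption: timer starts at first withheld stop
        self.server_online = False            # router's view of the accounting server
        self.delivered, self.flushed = [], 0

    def login_allowed(self):
        # Logins fail at the limit and resume once the queue drops below it.
        return len(self.pending) < self.max_pending

    def withhold_stop(self, now, record):
        if not self.pending:
            self.first_withheld = now
        self.pending.append(record)

    def _send(self, count, server_acks):
        # Without an acknowledgment nothing leaves the queue.
        if server_acks:
            for _ in range(min(count, len(self.pending))):
                self.delivered.append(self.pending.popleft())
        self.server_online = server_acks
        return server_acks

    def tick(self, now, server_acks):
        """One periodic interval: flush on expiry, else probe (1) or replay (batch)."""
        if self.pending and now - self.first_withheld >= self.max_withhold_s:
            self.flushed += len(self.pending)   # flushed even if the server is back
            self.pending.clear()
            return "flushed"
        count = self.batch_size if self.server_online else 1
        return "acked" if self._send(count, server_acks) else "no-ack"

    def force_replay(self, server_acks):
        # Operator-forced contact starts with a batch, not a single probe.
        return self._send(self.batch_size, server_acks)

def outage_demo():
    q = AccountingBackup(max_pending=4, max_withhold_s=6 * 3600)
    # Constructed records: a service stop precedes the session stop of the same subscriber.
    for t, rec in [(0, "alice/service"), (0, "alice/session"), (10, "bob/session"), (20, "carol/session")]:
        q.withhold_stop(t, rec)
    blocked = not q.login_allowed()                    # queue full: new logins fail
    results = [q.tick(60, False), q.tick(120, True)]   # probe unanswered, then acknowledged
    reopened = q.login_allowed()                       # one stop has left the queue
    results += [q.tick(180, True), q.tick(240, True)]  # remaining stops go out in batches
    return blocked, reopened, results, q.delivered

def expiry_demo():
    q = AccountingBackup(max_pending=4, max_withhold_s=6 * 3600)
    q.withhold_stop(0, "dave/session")
    outcome = q.tick(6 * 3600, True)   # server is reachable, but the holding period has passed
    return outcome, q.delivered, q.flushed
```

The second function shows the case worth alerting on: once the holding period passes, the queued stops are discarded rather than delivered, so the billing records for those sessions never reach the server.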

In the event of a graceful Routing Engine switchover while the accounting server is offline, the pending stop messages can be replayed from the active Routing Engine when the server is online again.

Note

When RADIUS accounting backup is configured, you must use different servers for RADIUS authentication and accounting. Subscriber authentication fails when the same server is configured for both authentication and accounting.

If the RADIUS server acts on behalf of other back-end RADIUS accounting or authentication servers and forwards requests to them, subscribers can be authenticated but accounting requests are not sent out.

Use the show network-access aaa statistics command to view backup accounting statistics.

Configuring Back-up Options for RADIUS Accounting

You can configure RADIUS accounting backup to preserve accounting data when the accounting server is unavailable because of a server or network outage. When backup is configured, RADIUS accounting stop messages are withheld and queued to be sent when connectivity is restored. You can specify the maximum number of stop messages that can be queued. When this maximum is reached, subsequent new subscriber logins fail because there is no remaining capacity to preserve accounting data for new sessions.

You can also configure how long the queued messages can be held. When this period expires, all pending accounting stops are flushed from the queue, even if the accounting server has come back online.

Note

Configuring accounting backup disables the revert timer. An error message is generated if you attempt to configure the revert-interval statement at the [edit access profile profile-name options] or [edit access radius-options] hierarchy levels.

Caution

Before you configure RADIUS accounting backup, ensure that RADIUS accounting and RADIUS authentication are configured on different servers. Subscriber authentication fails when the same server is configured for both authentication and accounting.

  1. Enable accounting backup to use the default values.
  2. (Optional) Configure the number of accounting stops that the router can preserve while the accounting server is offline.
  3. (Optional) Configure how long the router holds pending accounting stops before flushing them.

For example, the following statements configure the backup options for all subscriber accounting; these statements specify that the router holds no more than 32,000 pending accounting stops—at which point all subsequent subscriber logins fail—and holds them no longer than 6 hours—at which point all pending messages are flushed and subscriber logins resume if they were failing:

Use the show network-access aaa statistics command to view backup accounting statistics.

Forcing the Router to Contact the Accounting Server Immediately

In the event of an accounting server outage while RADIUS accounting backup is enabled, by default the router waits for a time interval to expire before contacting the offline server. Rather than waiting for that interval to pass, you can force the router to immediately contact the server by issuing the request network-access aaa replay pending-accounting-stops command. The router sends a batch of pending accounting stop requests to the server. If the router receives an acknowledgment from the server, then the router continues to replay the pending messages to the server in batches at the periodic interval. If the router does not get that acknowledgment, then it resumes sending a single pending accounting stop message at the periodic interval.

To force the router to immediately contact the offline accounting server:

  • Request the messages to be replayed.

Monitoring Pending RADIUS Accounting Stop Messages

Purpose

Display information about RADIUS accounting stop messages that are being withheld due to an inability to contact the RADIUS accounting server.

Action

When you want to know whether the number of pending accounting-stop messages is nearing the maximum, you can display a simple count of pending requests:

user@host> show network-access aaa statistics pending-accounting-stops

You can use other commands to display more information about the accounting messages. The next example displays information for all services in the accounting session for the user, vjshah29@example.com. Although this example shows only one user, this command actually displays the information for all subscribers for whom accounting is being backed up.

You can display summary information for all users with a particular access profile. In the following example, only a single user, vjshah29@example.com, has the specified access profile, ce-ppp-profile:

You can also display summary information for all subscribers that have accounting-stop messages pending, regardless of access profile. The next example displays information for two users. Because the subscriber larry@example.com is not shown in the previous example, he must have a different access profile than vjshah29@example.com, even though he has received the same services.

Suspending RADIUS Accounting and Baselining Accounting Statistics Overview

In certain enterprise provider deployments, maintaining and preserving accounting records might be necessary during a control plane upgrade of a RADIUS accounting server, during an upgrade of the billing system for subscribers, or when RADIUS servers are brought down for maintenance. RADIUS subscriber accounting and service accounting are typically used in such customer topologies to track volume-based usage of subscriber traffic and to compute costs. Subscribers might also be billed based on the service level and usage, rather than being charged a set rate regardless of usage.

Starting in Junos OS Release 15.1R4, you can temporarily suspend system-wide accounting until you manually resume accounting. During the suspension period, current subscribers remain logged in, but the subscribers can log out and new subscriber sessions can be initiated. RADIUS Acct-Start, Interim-Update, and Acct-Stop accounting request messages are not generated while accounting is suspended; the router does not send any accounting messages to the RADIUS server. For example, if a subscriber logs out during the suspension, no Acct-Stop request is sent to the server.

After accounting is suspended, all accounting requests are dropped, even if the router is configured to hold the pending accounting messages for up to 24 hours. When accounting resumes, new accounting requests might go into the pending queue, but the requests pending when accounting stopped are no longer available.

Note

We do not recommend that operators suspend accounting as a standard practice for system upgrades. However, some operators might find it useful in service provider environments when an upgrade of the server infrastructure is critical and needed immediately.

While accounting is suspended, statistics counters continue to update. You can optionally request a baseline operation to be performed for subscriber and service session time and volume counters. In this case, when accounting is resumed, statistics are reported relative to the baseline values. You can begin the baselining operation only after the suspension starts and before the upgrade begins. You can successfully issue the baseline request only once per suspension. The CLI reports an error if you issue the command again.

Note

Statistics are baselined only for subscribers that have interim accounting enabled.

The following RADIUS attributes might be affected for subscribers who are logged in when the baseline is requested and are still logged in when accounting resumes:

  • Acct-Session-Time

  • Acct-Input-Octets

  • Acct-Output-Octets

  • Acct-Input-Packets

  • Acct-Output-Packets

  • Acct-Input-Gigawords

  • Acct-Output-Gigawords

  • IPv6-Acct-Input-Octets

  • IPv6-Acct-Output-Octets

  • IPv6-Acct-Input-Packets

  • IPv6-Acct-Output-Packets

  • IPv6-Acct-Input-Gigawords

  • IPv6-Acct-Output-Gigawords

Sequence of Events During the Suspension, Baselining, and Resumption of Accounting

The following sequence of events occurs when you suspend accounting, generate a baseline, and restart accounting processes:

  1. Issue the request network-access aaa accounting suspend command to suspend accounting.

    1. A system logging message is generated to indicate that accounting has been suspended.

    2. All accounting, including accounting-backup-options, is suspended for all accounting servers in all routing contexts.

  2. Issue the request network-access aaa accounting baseline command to generate a baseline.

    1. A system logging message is generated to indicate that baselining has started for accounting statistics.

    2. Time and volume statistics for each subscriber are set to the baseline value. The amount of time that is taken to complete the baseline process is indeterminate, depending on the number of statistical details.

    3. A system logging message is generated to indicate that baselining has completed.

  3. Issue the request network-access aaa accounting resume command when baselining is complete to restart accounting processes.

    1. A system logging message is generated to indicate that accounting has resumed.

    2. All previously configured accounting options are reenabled.

The baseline operation attempts to baseline the time and volume counters for each subscriber. Subscriber counters are set to baseline values only if interim accounting is enabled for the subscriber by using the set update-interval minutes statement at the [edit access profile profile-name accounting] hierarchy level. If interim accounting is not enabled for a subscriber, the counters of that corresponding subscriber are not mapped to baseline values.

After the baseline request is executed, an unspecified period of time elapses to baseline all subscriber records. During this interval, statistics for one subscriber can accumulate when the statistical information of another subscriber is being baselined. Sometimes, after baselining starts, counters for some services might be inaccurate and inconsistent due to traffic delivered to a subscriber while the counters of that subscriber are baselined. When the baseline command has been executed, accounting cannot be resumed until the baseline is complete. If you issue the command while accounting is not suspended or while baselining is in progress, the command fails. The command reports an error if the Accounting License is not installed.

Guidelines for Accounting Suspension and Baselining of Statistics

Keep the following points in mind when you suspend accounting and specify a baseline for statistics:

  • Accounting suspension in an environment where thresholds (or quotas) are applicable is not supported. This includes environments where Gx-Plus and Juniper Networks Session and Resource Control (SRC) thresholds or RADIUS session volume quotas are effective for any subscriber. The accounting suspend request fails if any subscriber has thresholds or quotas.

  • Activation for threshold (or quota) services is not allowed while accounting is suspended.

  • Accounting baselining is not supported when accounting is not suspended.

  • You cannot specify more than one baseline request during an accounting suspension.

  • Baselining for subscribers that are not configured with interim accounting is not supported.

  • The time it takes for the baseline operation to complete is indeterminate. It depends on the amount and depth of statistics being collected and is proportional to the number of subscriber and service sessions that are active at the time the baseline is started. The command fails if you attempt to resume accounting while baselining is still in progress.

  • You cannot use the commands to suspend, baseline, or resume accounting during a unified ISSU process. If you attempt to perform a unified ISSU while the baseline is in process, when the chassis daemon state changes to the DAEMON_ISSU_PREPARE state, the authentication and Packet Forwarding Engine processes suspend baselining on a session boundary and resume after the Routing Engine switchover to the release to which the device is upgraded.

  • If a graceful Routing Engine switchover (GRES) occurs while accounting is suspended or baselining is in progress, the state of suspension or baselining is preserved after the restart of the router. In such a scenario, accounting is suspended after the reboot of the router and the subscribers for which counters are remaining to be baselined are baselined after the router is online.

Sample Scenarios of Subscriber Accounting Suspension and Baselining

Consider the following scenario:

  1. Interim accounting is configured for subscriber X. It is not configured for subscribers Y and Z.

  2. The last interim accounting request sent before accounting is suspended includes statistics for subscriber X; 50,000 octets of traffic have so far been sent for this subscriber. Although 20,000 octets have been sent for subscriber Y and 10,000 octets for subscriber Z, that information has not yet been reported because they do not have interim accounting configured.

  3. Accounting is suspended.

  4. Baselining begins. The current count for subscriber X is 50,000 octets; this becomes the baseline value for the subscriber. No baseline value is established for subscribers Y and Z, because they do not have interim accounting configured.

  5. While baselining is in progress, traffic continues to be sent for the three subscribers: 150,000 octets for subscriber X, 80,000 octets for subscriber Y, and 20,000 octets for subscriber Z.

  6. Subscriber Z logs out. No Acct-Stop request is sent because accounting is suspended. Consequently, the final accounting statistics are lost for this subscriber.

  7. Baselining completes.

  8. Accounting resumes.

  9. Subscriber X logs out. Although 200,000 total octets were sent for subscriber X, the Acct-Stop record reports only 150,000 octets: 200,000 total octets minus the 50,000 octet baseline.

  10. Subscriber Y logs out. Because 100,000 total octets were sent for subscriber Y and there is no baseline value, the Acct-Stop record reports the total of 100,000 octets.

Table 7 summarizes this scenario.

Table 7: Summary of Accounting Suspension and Baselining Scenario

| Subscriber | Interim Accounting Configured | Octets Before Suspension | Octets After Baselining Starts | Total Octets | Octets in Acct-Stop When Accounting Resumes |
|---|---|---|---|---|---|
| X | Yes | 50,000 | 150,000 | 200,000 | 150,000 |
| Y | No | 20,000 | 80,000 | 100,000 | 100,000 |
| Z | No | 10,000 | 20,000 | 30,000 | n/a |
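
The suspend, baseline, and resume rules and the Table 7 scenario, as an added Python model (not Junos code and not part of the original page). The class and method names are hypothetical, and baselining is modelled as an instantaneous snapshot, whereas on the router it takes an indeterminate time.

```python
class AccountingError(Exception):
    """Stands in for the error the CLI reports."""

class AccountingModel:
    def __init__(self):
        self.suspended = False
        self.baseline_used = False   # only one baseline request per suspension
        self.counters = {}           # subscriber -> octets forwarded so far
        self.interim = {}            # subscriber -> interim accounting enabled?
        self.baseline = {}           # subscriber -> octets at baseline time
        self.acct_stop = {}          # subscriber -> octets reported in Acct-Stop
        self.lost = {}               # subscriber -> octets never reported in an Acct-Stop

    def login(self, sub, interim):
        self.counters[sub], self.interim[sub] = 0, interim

    def traffic(self, sub, octets):
        self.counters[sub] += octets  # counters keep updating during suspension

    def suspend(self):
        self.suspended, self.baseline_used = True, False

    def request_baseline(self):
        if not self.suspended:
            raise AccountingError("accounting is not suspended")
        if self.baseline_used:
            raise AccountingError("baseline already requested in this suspension")
        self.baseline_used = True
        for sub, enabled in self.interim.items():
            if enabled:               # no baseline without interim accounting
                self.baseline[sub] = self.counters[sub]

    def resume(self):
        self.suspended = False

    def logout(self, sub):
        total = self.counters.pop(sub)
        base = self.baseline.pop(sub, 0)
        del self.interim[sub]
        if self.suspended:            # no Acct-Stop is generated: final statistics are lost
            self.lost[sub] = total
            return None
        self.acct_stop[sub] = total - base   # reported relative to the baseline
        return self.acct_stop[sub]

def table7_scenario():
    r = AccountingModel()
    for sub, interim, before in [("X", True, 50_000), ("Y", False, 20_000), ("Z", False, 10_000)]:
        r.login(sub, interim)
        r.traffic(sub, before)
    r.suspend()
    r.request_baseline()
    for sub, after in [("X", 150_000), ("Y", 80_000), ("Z", 20_000)]:
        r.traffic(sub, after)
    z = r.logout("Z")                 # logs out while accounting is suspended
    r.resume()
    return {"X": r.logout("X"), "Y": r.logout("Y"), "Z": z}, r.lost
```

The `lost` mapping is the figure to reconcile against billing after a suspension window: it holds the octets for sessions that ended without any Acct-Stop reaching the server.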

Configuring RADIUS Accounting Suspension and Baselining Accounting Statistics

You can temporarily suspend system-wide accounting for the duration of a system upgrade or maintenance action, until you manually resume accounting. During the suspension period, current subscribers remain logged in, but the subscribers can log out and new subscriber sessions can be initiated. RADIUS Acct-Start, Interim-Update, and Acct-Stop messages are not generated while accounting is suspended; the router does not send any accounting messages to the RADIUS server. For example, if a subscriber logs out during the suspension, no Acct-Stop is sent to the server.

Note

We do not recommend that operators suspend accounting as a standard practice for system upgrades. However, some operators might find it useful in service provider environments when an upgrade of the server infrastructure is critical and needed immediately.

To configure the suspension of accounting processes, create a baseline of the statistics after accounting is halted, and resume accounting after the baselining process is completed:

  1. Suspend subscriber accounting.

    A syslog message is generated to indicate that accounting is suspended. All accounting (including accounting-backup-options) is suspended for all accounting servers and all routing contexts.

  2. (Optional) Begin baselining accounting statistics for subscribers that have interim accounting configured.

    The router implements the baseline by reading and storing the statistics when the baseline is set. The baseline values are subtracted when you retrieve baseline-relative statistics after accounting resumes. A syslog message is generated to indicate the start of baselining. Time and volume statistics for each subscriber are set to the baseline value. The amount of time that is taken to complete the baseline process might vary, depending on the number of statistical details. A syslog message is generated when the baselining of statistics completes.

  3. Resume accounting after baselining completes.

    A syslog message is generated to indicate that accounting has resumed. All the previously configured accounting options are reenabled.

Release History Table
Release
Description
Starting in Junos OS Release 15.1R4, you can temporarily suspend system-wide accounting until you manually resume accounting.