Radius Access Req and Accounting for same session from different devices IPs

  • Question
  • Updated 2 years ago
  • Answered
We are using third-party wireless devices which send RADIUS access requests to our NAC appliances, which works great. The problem is that the accounting packets are coming from another device / source IP to the NAC gateway (all accounting is proxied through another server), so the NAC gateway drops this information. Is there any trick to get this accounting information accepted by the gateway anyway, even if the device differs?

mp2014


Posted 2 years ago


Keene, Scott, Employee NMS/GTAC

Hello,

NAC will only answer requests from valid RADIUS clients. If the device that sent the Accounting frames is not a RADIUS client of the NAC, then it will drop the frame. Note that even if you do add the device to NAC's client list with the same shared secret etc. (Switches tab in NAC Manager), this has never been tested by Q/A, so I'm not sure what will happen. Typically the device that is sending the RADIUS Requests for authentication also directly sends the Accounting requests.

Regards,

Scott Keene

mp2014

Hello,

Both devices - the one sending the access requests and the one sending accounting packets - are valid RADIUS clients in NAC (in the switch list). But accounting and RADIUS access requests are coming from different devices while belonging to the same session.
Both devices are RADIUS proxies; one is responsible for the access requests, the other for accounting data. The accounting data gets dropped...
So that's not a typical setup, but it would be nice to get this working.

Keene, Scott, Employee NMS/GTAC

Hello,

I am not sure this is something we support, and as per Q/A, this scenario has never been tested. It's safe to say that perhaps this will not work, since that is what you are seeing. Can you clarify if it works if you proxy both access requests and accounting frames through the same proxy server?

Otherwise, you should probably get a case started with GTAC and gather some traces and debug etc. if you need it pursued further. There is nothing configuration-wise that I can think of that will help here, if the source of the accounting frames is already in the switch list as you noted it is.

-Scott Keene
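
For the traces suggested above, the following added example (not from the thread or from the vendor) checks what a capture of one Accounting-Request can show under RFC 2866: whether the UDP source is a configured client, whether the Request Authenticator verifies with that client's shared secret, and which NAS-IP-Address and Acct-Session-Id the proxy forwarded. How the NAC itself ties accounting to the authenticating device is not stated in the thread; the addresses, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS code, RFC 2866
NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 4, 40, 44   # attribute types

def build_accounting_request(ident, attrs, secret):
    """Construct sample input: an Accounting-Request signed with `secret`."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def inspect_accounting(packet, source_ip, clients):
    """Report what a capture shows about one Accounting-Request.
    `clients` maps source IP -> shared secret (hypothetical client list)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    packet, attrs, pos = packet[:length], {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    secret, auth_ok = clients.get(source_ip), None
    if secret is not None:
        # Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)
        digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
        auth_ok = hmac.compare_digest(digest, packet[4:20])
    raw = attrs.get(NAS_IP_ADDRESS)
    nas_ip = str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None
    return {"known_client": secret is not None, "authenticator_ok": auth_ok,
            "nas_ip": nas_ip, "source_is_nas": nas_ip == source_ip,
            "session_id": attrs.get(ACCT_SESSION_ID, b"").decode("ascii", "replace")}

# Constructed sample: accounting proxy 192.0.2.20 relays for NAS 198.51.100.5.
CLIENTS = {"192.0.2.10": b"access-proxy-secret", "192.0.2.20": b"acct-proxy-secret"}
SAMPLE = build_accounting_request(
    7, [(NAS_IP_ADDRESS, ipaddress.IPv4Address("198.51.100.5").packed),
        (ACCT_STATUS_TYPE, struct.pack("!I", 1)),          # 1 = Start
        (ACCT_SESSION_ID, b"sess-0001")], CLIENTS["192.0.2.20"])

if __name__ == "__main__":
    print(inspect_accounting(SAMPLE, "192.0.2.20", CLIENTS))
```

A result with `known_client` and `authenticator_ok` both true but `source_is_nas` false matches the situation described in the thread: the packet is valid for its sender, yet it arrives from a different address than the device named inside it.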