05-11-2021 04:18 AM
Hello, I am trying to configure ICX7450 with FortiGate Firewall Radius SSO. It is working ok for most of the cases. The only problem I have is on a Windows 10 domain computer using User or computer authentication dot1x. The behaviour is as follows:
1. The computer authenticates with the Computer Domain account. The switch sends radius accounting START packet and INTERIM packet with the computer User-Name and IP. Till this point everything is working as expected.
2. The User logs in and performs Authentication Request. The switch is not sending Accounting START, STOP or INTERIM packet to the firewall and the accounting session continues. Because of this the User-Name in the firewall is not updated.
3. When some time passes, an INTERIM Update is sent with the new User-Name by the switch to the firewall and the firewall updates the User-Name.
Question: How do I configure the switch to send an INTERIM Update immediately after the User logs in?
05-11-2021 07:43 AM
The interval at which interim updates for RADIUS accounting are sent can be configured and modified using these commands:
device(config)# radius-server accounting interim-updates
device(config)# radius-server accounting interim-interval 1
Please refer to the below guide for further details,
Please let me know if you have any comments or concerns.
05-11-2021 10:20 PM
Thanks for the suggestion, but the minimum interim-interval is 5 minutes. Also, this will put a lot of unnecessary load on our RADIUS server.
05-12-2021 06:32 AM
I am concerned that you mention the ICX switch is not sending any START/STOP messages.
That is something we should definitely double-check.
An Accounting Start packet is sent to the RADIUS server when a user is successfully authenticated.
To enable start/stop packets for accounting, we should run this command:
device(config)# aaa accounting dot1x default start-stop radius
device(config)# aaa accounting mac-auth default start-stop radius
05-12-2021 10:57 PM
The switch is not sending accounting information only when the User logs in. As you can see from the LOG, the computer authentication is sending accounting information.
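
Added example, not part of any post in this thread: a Python sketch that replays RADIUS accounting records the way an SSO consumer builds its IP-to-user table, to measure how long the machine account stays mapped after the user logs in. The record layout, host and user names, addresses and timings are constructed, and keying the table on Framed-IP-Address is an assumption; real values would come from a packet capture or the RADIUS server's accounting log.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acct:
    t: int        # seconds since start of capture
    status: str   # Acct-Status-Type: "Start", "Interim-Update" or "Stop"
    user: str     # User-Name
    ip: str       # Framed-IP-Address

def replay(records):
    """Return [(t, ip, user)] for each change of the IP -> user mapping.
    user is None when a Stop removes the entry."""
    table, changes = {}, []
    for r in sorted(records, key=lambda r: r.t):
        new = None if r.status == "Stop" else r.user
        if table.get(r.ip) != new:
            changes.append((r.t, r.ip, new))
        if new is None:
            table.pop(r.ip, None)
        else:
            table[r.ip] = new
    return changes

def stale_seconds(records, auth_t, ip, user):
    """Seconds from a successful authentication at auth_t until accounting
    first maps ip to user. 0 if already mapped, None if it never happens."""
    changes = [(t, u) for t, cip, u in replay(records) if cip == ip]
    before = [u for t, u in changes if t <= auth_t]
    if before and before[-1] == user:
        return 0
    after = [t for t, u in changes if t > auth_t and u == user]
    return after[0] - auth_t if after else None

# Constructed sample following the sequence in the first post: machine
# authentication with Start, user login at t=420 with no new accounting
# packet, and the user name first appearing in the interim update at t=600.
IP = "192.0.2.10"
SAMPLE = [
    Acct(0,   "Start",          "host/PC01.example.local", IP),
    Acct(300, "Interim-Update", "host/PC01.example.local", IP),
    Acct(600, "Interim-Update", "EXAMPLE\\alice",          IP),
]

if __name__ == "__main__":
    for change in replay(SAMPLE):
        print(change)
    print("stale for", stale_seconds(SAMPLE, 420, IP, "EXAMPLE\\alice"), "s")
```

Running the same replay over a capture taken after a configuration change shows whether the gap between user login and the mapping update has actually closed.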