Accounting problem with Cisco Aironet 1200
Hi all.

I have a problem with my Cisco Aironet and AAA.

It doesn't send the user Framed-IP-Address in accounting packets. The
architecture is 802.1x:

FreeRADIUS <-----------------> Access Point with DHCP <-----------------> Client
10.88.88.150                   10.88.88.1                                10.88.X.X

- The user is authenticating against the FreeRADIUS server with EAP. That's
working without problems.
- The user gets an IP address from the Access Point. It's working too.
- The accounting is not working as I expect:
-> The accounting packets sent to the RADIUS server don't include the IP
of the Framed-User.
-> The known solution for this problem is the command "aaa
accounting delay-start", but with it, accounting packets are never sent
after the Access-Accept packet, except for telnet EXEC logins.

Am I missing something?
Please help me..

Thanks !

ap#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1200 Software (C1200-K9W7-M), Version 12.2(13)JA4, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 16-Apr-04 12:22 by cmong
Image text-base: 0x00003000, data-base: 0x0053CF74

ROM: Bootstrap program is C1200 boot loader
BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1)

ap#sh conf
Using 2950 out of 32768 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$/obN$Y7Uj9MNPbS7YGVxIO4I841
!
username root privilege 15 password 7 06140E254541011C04134658585F
ip subnet-zero
ip domain name m6.fr
ip dhcp excluded-address 10.88.88.1
!
ip dhcp pool airpool
 network 10.88.0.0 255.255.0.0
 lease 10
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.88.88.150 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server 10.88.88.150 auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default group radius local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization network default group radius
aaa accounting delay-start
aaa accounting update periodic 2
aaa accounting exec default start-stop group radius
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid morgane8021X
 authentication open eap eap_methods
 authentication key-management wpa
 accounting acc_methods
!
ssid touristes
 authentication open
 authentication key-management wpa
 accounting acct_methods
 wpa-psk ascii 7 095E4F0D100A1F170A0850797F7F
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.88.88.1 255.255.0.0
no ip route-cache
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
snmp-server view dot11view ieee802dot11 included
snmp-server community open RW
snmp-server community ieee view ieee802dot11 RW
snmp-server enable traps tty
radius-server host 10.88.88.150 auth-port 1812 acct-port 1813 key 7 03074E090F1B345F
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 44 include-in-access-req
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!
line con 0
line vty 5 15
!
end
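
One check worth running on a config like the one above, as an added example (not code from the thread or from Cisco): it walks the config and confirms that every method list an SSID refers to is actually defined, and on the posted config it reports that ssid morgane8021X's `accounting acc_methods` names a list that does not exist (the defined list is `acct_methods`). The names SAMPLE_CONFIG and find_dangling_lists are mine, and the sample is an excerpt of the posted config.

```python
"""Cross-check AAA method-list names in a Cisco IOS access-point config.

Added example, not from the thread: it parses a config pasted in the
poster's form and reports every `accounting <list>` or
`authentication open eap <list>` under an `ssid` that names a method
list never defined with `aaa accounting network <list>` or
`aaa authentication login <list>`. A misspelt list name leaves that
SSID without accounting, silently.
"""
import re

# Constructed excerpt: the relevant lines of the posted config, unchanged.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network acct_methods start-stop group rad_acct
!
interface Dot11Radio0
 encryption mode ciphers tkip
 !
 ssid morgane8021X
  authentication open eap eap_methods
  authentication key-management wpa
  accounting acc_methods
 !
 ssid touristes
  authentication open
  authentication key-management wpa
  accounting acct_methods
"""

AUTH_LOGIN_RE = re.compile(r"^aaa authentication login (\S+)")
ACCT_NET_RE = re.compile(r"^aaa accounting network (\S+)")
SSID_RE = re.compile(r"^ssid (\S+)")
SSID_EAP_RE = re.compile(r"^authentication open eap (\S+)")
SSID_ACCT_RE = re.compile(r"^accounting (\S+)")


def find_dangling_lists(config: str) -> list:
    """Return (ssid, kind, list_name) for each SSID reference to an undefined list."""
    login_lists, acct_lists, refs = set(), set(), []
    ssid = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            ssid = None  # '!' closes the current ssid block
        elif m := AUTH_LOGIN_RE.match(line):
            login_lists.add(m.group(1))
        elif m := ACCT_NET_RE.match(line):
            acct_lists.add(m.group(1))
        elif m := SSID_RE.match(line):
            ssid = m.group(1)
        elif ssid and (m := SSID_EAP_RE.match(line)):
            refs.append((ssid, "authentication", m.group(1)))
        elif ssid and (m := SSID_ACCT_RE.match(line)):
            refs.append((ssid, "accounting", m.group(1)))
    defined = {"authentication": login_lists, "accounting": acct_lists}
    return [r for r in refs if r[2] not in defined[r[1]]]


if __name__ == "__main__":
    for ssid, kind, name in find_dangling_lists(SAMPLE_CONFIG):
        print(f"ssid {ssid}: {kind} list '{name}' is not defined")
```
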

Re: Accounting problem with Cisco Aironet 1200
Marina,

Please be aware that the access point is a layer two device,
not a layer three device, and does not necessarily have any
visibility into layer three information such as IP addresses.

While the access point may eventually be able to learn the
client's IP address and display it via "show dot11 associations",
it does this by sniffing packets received by the client *after*
the client has fully authenticated and associated. There is no
guarantee that the AP will ever successfully learn the client's
IP address (since the client may fail to emit IP packets for
an arbitrarily long time).

Regards,

Aaron


Re: Accounting problem with Cisco Aironet 1200
Aaron,

Thanks for your answer. I'm OK with the fact that there is no guarantee
that the AP will ever successfully know the IP address. But let's
consider a case where it manages to know it and to display it with the
show dot11 associations command; then it should be able to send it in
RADIUS packets (?).

Like I said before, with the "aaa accounting delay-start" command
activated in my conf, no accounting packets are sent at all (that means
the AP considers that the IP negotiation has not ended yet), but the AP
actually knows the IP address of the user (as I can verify with the
following command):

ap#show dot11 associations

802.11 Client Stations on Dot11Radio0:

SSID [morgane8021X] :

MAC Address     IP address   Device      Name   Parent   State
0011.5034.3388  10.88.0.1    4500-radio  -      self     EAP-Assoc

That's unexpected behavior. Is something wrong in my conf?

Thanks in advance

Marina
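
Since the AP, as Aaron explains, may never learn the client's IP, one defender-side workaround is to fill the address in at the RADIUS/log end by joining accounting records to DHCP lease events on the client MAC (Calling-Station-Id), which the AP does send. The following is an added example, not code from the thread: the detail records and DHCP log lines are constructed (ISC dhcpd syslog style for the leases, and the year is an assumption), reusing the MAC and IP from the show dot11 associations output above.

```python
"""Attach a client IP to RADIUS accounting records that carry no Framed-IP-Address
by joining Calling-Station-Id (the client MAC) to DHCP lease events. Added example."""
import re
from datetime import datetime, timedelta

YEAR = 2004  # assumption: the syslog lines below carry no year

# Constructed FreeRADIUS detail-file records; neither carries Framed-IP-Address.
ACCT_DETAIL = """\
Tue Jun  1 10:00:05 2004
\tAcct-Status-Type = Start
\tUser-Name = "marina"
\tCalling-Station-Id = "0011.5034.3388"
\tAcct-Session-Id = "00000010"

Tue Jun  1 10:20:05 2004
\tAcct-Status-Type = Stop
\tUser-Name = "marina"
\tCalling-Station-Id = "0011.5034.3388"
\tAcct-Session-Id = "00000010"
"""

# Constructed DHCP server log (ISC dhcpd syslog style; MAC in colon form).
DHCP_LOG = """\
Jun  1 10:00:09 ap dhcpd: DHCPACK on 10.88.0.1 to 00:11:50:34:33:88 via BVI1
Jun  1 10:30:02 ap dhcpd: DHCPACK on 10.88.0.7 to 00:11:50:34:33:88 via BVI1
"""
DHCP_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+)")


def normalize_mac(mac: str) -> str:
    """0011.5034.3388, 00:11:50:34:33:88 and 00-11-50-34-33-88 all become 001150343388."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_detail(text: str) -> list:
    """Split a detail file into dicts of attribute -> value, plus the record time."""
    records = []
    for chunk in re.split(r"\n[ \t]*\n", text.strip()):
        lines = chunk.splitlines()
        rec = {"_time": datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")}
        for line in lines[1:]:
            attr, _, value = line.strip().partition(" = ")
            rec[attr] = value.strip('"')
        records.append(rec)
    return records


def parse_dhcp_acks(text: str) -> list:
    """Return (time, normalized MAC, ip) for each DHCPACK line, oldest first."""
    acks = []
    for line in text.splitlines():
        if m := DHCP_RE.match(line):
            when = datetime.strptime(f"{m.group(1)} {YEAR}", "%b %d %H:%M:%S %Y")
            acks.append((when, normalize_mac(m.group(3)), m.group(2)))
    return sorted(acks)


def resolve_framed_ip(acct_detail: str, dhcp_log: str, grace_seconds: int = 60) -> list:
    """Fill the IP from the newest DHCPACK for the same MAC issued no later than
    grace_seconds after the record (Acct-Start precedes the client's DHCP exchange)."""
    acks = parse_dhcp_acks(dhcp_log)
    out = []
    for rec in parse_detail(acct_detail):
        ip = rec.get("Framed-IP-Address")
        if ip is None and "Calling-Station-Id" in rec:
            mac = normalize_mac(rec["Calling-Station-Id"])
            cutoff = rec["_time"] + timedelta(seconds=grace_seconds)
            for when, ack_mac, ack_ip in acks:
                if ack_mac == mac and when <= cutoff:
                    ip = ack_ip  # acks are sorted, so the last hit is the newest
        out.append({"session": rec.get("Acct-Session-Id"),
                    "status": rec.get("Acct-Status-Type"), "ip": ip})
    return out
```

The grace window matters because the AP emits Acct-Start at association, before the client has finished DHCP; the Stop record at 10:20 correctly keeps 10.88.0.1 rather than the later 10.88.0.7 lease.
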



Re: Accounting problem with Cisco Aironet 1200
Marina,

Having the AP support "aaa accounting delay-start" and include
the Framed-IP-Address attribute would be a new feature - if you
want such a thing, you would need to pursue this with your
Cisco account team and help them make a business case for it.

I would want to roll such a feature into a more comprehensive
L3 relationship between the AP (or wireless controller) and the
client. For example, I could imagine that the AP/controller
could implement DHCP server functionality which could dynamically
choose to supply a given client with a given IP address based upon
a RADIUS-supplied Framed-IP-Address. Possibly we could implement
per-user virtual interfaces (using RBE as a model, perhaps?) to
which individual access lists and QoS policies could be applied.

Meantime, the best practice would be to assign different classes
of users to different VLANs (as mentioned in my last posting).

Regards,

Aaron


Re: Accounting problem with Cisco Aironet 1200
Aaron Leonard wrote :

> Meantime, the best practice would be to assign different classes
> of users to different VLANs (as mentioned in my last posting).

Thanks for your answer Aaron.

Correct me if I'm wrong but what you say implies: if I need to define
per-user authorizations (and not only authorizations for classes of
users), then I would have to configure some VLANs for single users? In
this case, would not a VPN-based solution be simpler than Radius?

Thanks

Marina

Re: Accounting problem with Cisco Aironet 1200
Mathieu Benard wrote:

>Aaron Leonard wrote :
>
>>Meantime, the best practice would be to assign different classes
>>of users to different VLANs (as mentioned in my last posting).
>
>Thanks for your answer Aaron.
>
>Correct me if I'm wrong but what you say implies: if I need to define
>per-user authorizations (and not only authorizations for classes of
>users), then I would have to configure some VLANs for single users?

Correct - and you would quickly run into our APs' 16-VLAN limitation.

>In this case, would not a VPN-based solution be simpler than Radius?

Using an IPsec-based VPN over WLAN, rather than WLAN-based security,
does have its attractions. It would allow you to customize your security
policy on a per-user basis, and would spare you having to worry about
the myriad of EAP flavors.

Regards,

Aaron