Skip to main content

2 Messages

 • 

80 Points

Thu, Dec 3, 2015 12:52 PM

RADIUS Accounting with SZ100 NAS-IP

Hi there,

We are currently implementing a public hot spot scenario in midsize city with approx 50 access points. As controller we have a Smartzone 100 controller. As part of the implemenation we have build a captive portal in conjunction with a RADUIS server. Authentication over 1812 works as a charm. What we don’t reach is a proper accounting. We have selected under AAA the proxy Authentication server as per manual. Because of this we are unable to properly limit bandwith nor are we able to cut of a user when the maximum time or volume has been reached. A Wireshark cature shows that the accounting request is not coming from the controller as we would expect but from a single AP. Does that mean we have to enter each AP IP as a NAS in our RADUIS server? If yes – what about APs which are behind one or two additional routers and there4 behind several NATs. We don’t exclusively operate direct IP networks.

Regards

Ralf

Responses

99 Messages

 • 

2K Points

5 years ago

Hi Ralf,

You mentioned that you enable Proxy Authentication, but you did not indicate if you enable Proxy for accounting as well?

Accounting should be configured the same way as Authentication.

Sid

2 Messages

 • 

80 Points

Hi Sid, we added proxy accounting in the "AAA Server => Proxy AAA" menu.
Further, the created proxy accounting profile is linked to a wifi network. The accounting messages will be send from the Controllers IP to the intended destination. But the NAS-IP RADIUS field indicates the IP of the AP. The captive portal now sends all client-related RADIUS requests to the AP IP directly. This is not possible in all cases (Router NAT).
It's like the controller acts like a distributor for the RADIUS packets but does not modify the contents.