RADIUS Accounting with SZ100 NAS-IP

  • Question
  • Updated 2 years ago
Hi there,

We are currently implementing a public hot spot scenario in a midsize city with approx. 50 access points. As controller we have a SmartZone 100 controller. As part of the implementation we have built a captive portal in conjunction with a RADIUS server. Authentication over 1812 works like a charm. What we don't reach is a proper accounting. We have selected under AAA the proxy Authentication server as per manual. Because of this we are unable to properly limit bandwidth nor are we able to cut off a user when the maximum time or volume has been reached. A Wireshark capture shows that the accounting request is not coming from the controller as we would expect but from a single AP. Does that mean we have to enter each AP IP as a NAS in our RADIUS server? If yes, what about APs which are behind one or two additional routers and therefore behind several NATs? We don't exclusively operate direct IP networks.

Regards

Ralf

Ralf Herzog

Posted 2 years ago


Sid Sok, Official Rep

Hi Ralf,

You mentioned that you enabled Proxy Authentication, but you did not indicate whether you enabled Proxy for accounting as well.

Accounting should be configured the same way as Authentication.

Sid

Ralf Herzog

Hi Sid, we added proxy accounting in the "AAA Server => Proxy AAA" menu.
Further, the created proxy accounting profile is linked to a wifi network. The accounting messages will be sent from the controller's IP to the intended destination. But the NAS-IP RADIUS field indicates the IP of the AP. The captive portal now sends all client-related RADIUS requests to the AP IP directly. This is not possible in all cases (Router NAT).
It's like the controller acts like a distributor for the RADIUS packets but does not modify the contents.
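
The mismatch described in this thread (accounting arrives from the controller's IP while the NAS-IP-Address attribute carries the AP's IP) can be checked on the RADIUS server side. The following is an added example, not code from the thread or from the vendor: it verifies the Accounting-Request authenticator (RFC 2866) and compares the UDP source with the NAS-IP-Address attribute. All addresses, the shared secret and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
NAS_IP_ADDRESS = 4      # attribute type (RFC 2865)

def build_acct_request(ident, attrs, secret):
    """Build a constructed Accounting-Request with a valid RFC 2866 authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def inspect_acct_request(packet, udp_source, secret):
    """Return (authenticator_ok, nas_ip, relayed) for one Accounting-Request."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]
    # Authenticator = MD5(code + id + length + 16 zero bytes + attributes + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    auth_ok = hmac.compare_digest(expected, packet[4:20])
    nas_ip, pos = None, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == NAS_IP_ADDRESS and alen == 6:
            nas_ip = ipaddress.IPv4Address(packet[pos + 2:pos + 6])
        pos += alen
    # relayed: the sender of the packet is not the NAS named inside it
    relayed = nas_ip is not None and nas_ip != ipaddress.IPv4Address(udp_source)
    return auth_ok, nas_ip, relayed

# Constructed sample values (assumptions, not taken from the thread)
SECRET = b"constructed-shared-secret"
CONTROLLER_IP = "192.0.2.10"
AP_IP = "10.20.30.40"
SAMPLE = build_acct_request(7, [
    (NAS_IP_ADDRESS, ipaddress.IPv4Address(AP_IP).packed),
    (40, struct.pack("!I", 1)),  # Acct-Status-Type = Start
    (44, b"sess-0001"),          # Acct-Session-Id
], SECRET)

if __name__ == "__main__":
    print(inspect_acct_request(SAMPLE, CONTROLLER_IP, SECRET))
```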