RADIUS Accounting

An explanation of RADIUS accounting behavior in AOS-10 deployments, capturing general differences with AOS-8, and specifically with Acct-Multi-Session-Id and Acct-Session-Id behavior during fast roaming.

RADIUS accounting is a method of collecting resource consumption data to be forwarded to a RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis. The Network Access Server (NAS) is a RADIUS client responsible for passing user accounting information to the RADIUS server. The server receives this request and returns a response to the NAS.

In AOS-8 campus deployments, RADIUS accounting messages are always sent directly from the controller that functions as the NAS. When a client device roams between APs, the controller continues sending interim updates without the need for a stop and a new start message.

In AOS-10 deployments, the accounting behavior differs based on the deployment scenario:

  1. Bridge mode - A deployment with only APs.
  2. Tunneled and mixed modes - Deployments that involve gateways.

For RADIUS accounting in AOS-10, two key attributes are explored.

  1. Acct-Multi-Session-Id: An identifier that remains constant across related sessions, such as during client roaming, and links multiple events into a single logical session for seamless tracking.
  2. Acct-Session-Id: A unique identifier that changes with each new session, such as when a client re-authenticates with a different AP, helping to track individual session events.

Bridge mode - no roaming

In bridge mode without client roaming, each access point (AP) handles traffic forwarding directly to the local VLAN where the client resides. The AP acts as the NAS for the client, and is responsible for initiating and managing RADIUS communications.

Bridge mode communication without client roaming.

In this scenario, RADIUS accounting messages are sent by the AP. Since there is no roaming involved, a single Acct-Session-Id is used for the duration of the connection, and no change to the Acct-Multi-Session-Id is necessary.

Accounting start: When the client connects to the AP, the AP sends a ‘Start’ message to the RADIUS server.

A Wireshark capture showing Accounting-Request “Start” sent from the AP (NAS) 10.82.74.202 to the RADIUS server 10.82.75.11.

Accounting interim update: If interim updates are enabled, the AP sends an ‘Alive’ update to the RADIUS server.

A Wireshark capture showing Accounting-Request “Alive” sent from the AP (NAS) 10.82.74.202 to the RADIUS server 10.82.75.11.

Accounting stop: When the client disconnects from the AP, a ‘Stop’ message is sent from the AP to the RADIUS server.

A Wireshark capture showing Accounting-Request “Stop” sent from the AP (NAS) 10.82.74.202 to the RADIUS server 10.82.75.11.

Buffer trace of this process:

AP-8-635# show ap debug auth-trace-buf

Auth Trace Buffer
-----------------
Nov  4 15:15:14.651  rad-acct-start   ->                  1a:3a:2c:f7:f5:75  74:9e:75:41:7c:70/clearpass  -   -   
Nov  4 15:23:32.051  rad-acct-int-update   ->             1a:3a:2c:f7:f5:75  74:9e:75:41:7c:70            -   -       
Nov  4 15:24:06.517  eap-logoff   ->                      1a:3a:2c:f7:f5:75  74:9e:75:41:7c:70            -   -    
Nov  4 15:24:06.517  dot1x-timeout *                      1a:3a:2c:f7:f5:75  74:9e:75:41:7c:70            11  512  station timeout
Nov  4 15:24:06.527  rad-acct-stop   ->                   1a:3a:2c:f7:f5:75  74:9e:75:41:7c:70/clearpass  -   -    
AP-8-635# show clock                  

Current Time     :2024-11-04 15:24:32
AP-8-635#

Tunnel mode - no roaming

In tunnel mode without client roaming, traffic from the client is tunneled from the AP to the gateway. The gateway acts as a RADIUS proxy and forwards authentication and accounting requests for all tunnel-mode clients. To learn more about Tunnel forwarding mode, refer to Tunnel Forwarding.

In this configuration, RADIUS accounting messages originating from the AP are sent to and forwarded by the gateway, ensuring consistent tracking and accounting of client sessions. Since there is no client roaming involved, the accounting behavior is straightforward, with a single Acct-Session-Id and Acct-Multi-Session-Id assigned and maintained for the duration of the client’s session.

Tunnel mode RADIUS communication without client roaming.

Accounting start: When a client associates to an AP, an accounting ‘Start’ request is sent from the AP and forwarded by the gateway to the RADIUS server.

A Wireshark capture showing Accounting-Request “Start” forwarded by the gateway (RADIUS proxy) 172.30.32.21 to the RADIUS server 10.82.75.11.

Accounting interim update: If interim updates are enabled, the gateway forwards an ‘Alive’ update to the RADIUS server.

A Wireshark capture showing Accounting-Request “Alive” forwarded by the gateway (RADIUS proxy) 172.30.32.21 to the RADIUS server 10.82.75.11.

Accounting stop: When the client disconnects from the AP, an accounting ‘Stop’ request is sent from the AP and forwarded by the gateway to the RADIUS server.

A Wireshark capture showing Accounting-Request “Stop” forwarded by the gateway (RADIUS proxy) 172.30.32.21 to the RADIUS server 10.82.75.11.

Buffer trace of this process:

AP-8-635# show ap debug auth-trace-buf

Auth Trace Buffer
-----------------
Nov  4 15:38:32.494  rad-acct-start   ->                  26:08:2c:70:91:b9  74:9e:75:41:7c:71/__gw_172.30.32.21  -   - 
Nov  4 15:38:33.605  rad-acct-int-update   ->             26:08:2c:70:91:b9  74:9e:75:41:7c:71                    -   -   
Nov  4 15:41:36.080  eap-logoff   ->                      26:08:2c:70:91:b9  74:9e:75:41:7c:71                    -   -    
Nov  4 15:41:36.081  dot1x-timeout *                      26:08:2c:70:91:b9  74:9e:75:41:7c:71                    11  512  station timeout
Nov  4 15:41:36.093  rad-acct-stop   ->                   26:08:2c:70:91:b9  74:9e:75:41:7c:71/__gw_172.30.32.21  -   -    
AP-8-635# show clock

Current Time     :2024-11-04 15:42:06
AP-8-635#  

Mixed mode - no roaming

In mixed mode with no client roaming, both tunneled and bridged client sessions rely on the gateway as the RADIUS proxy. In this scenario, with no client roaming, Acct-Session-Id and Acct-Multi-Session-Id remain stable, simplifying RADIUS accounting and maintaining a consistent session context throughout the client’s connection. To learn more about mixed mode, refer to Mixed Forwarding.

Bridged client sessions

When the mixed mode WLAN client session is handled as bridged, client traffic is bridged at the AP level, with user VLANs assigned directly on the AP. However, the gateway still forwards all RADIUS communications as the proxy, including accounting messages.

RADIUS communication in a mixed mode WLAN with a bridged client session without client roaming.

Accounting start: When a client associates to an AP, an accounting start request is sent from the AP and forwarded by the gateway to the RADIUS server.

A Wireshark capture showing Accounting-Request “Start” forwarded by the gateway (RADIUS proxy) 172.30.32.22 to the RADIUS server 10.82.75.11.

Accounting interim update: If interim updates are enabled, the gateway forwards an ‘Alive’ update to the RADIUS server.

A Wireshark capture showing Accounting-Request “Alive” forwarded by the gateway (RADIUS proxy) 172.30.32.22 to the RADIUS server 10.82.75.11.

Accounting stop: When the client disconnects from the AP, an accounting ‘Stop’ request is sent from the AP and forwarded by the gateway to the RADIUS server.

A Wireshark capture showing Accounting-Request “Stop” forwarded by the gateway (RADIUS proxy) 172.30.32.22 to the RADIUS server 10.82.75.11.

Buffer trace of this process:

AP-8-635# show ap debug auth-trace-buf

Auth Trace Buffer
-----------------
Nov  4 16:40:10.729  rad-acct-start   ->                  ba:bd:6f:c2:d6:50  74:9e:75:41:7c:72/__gw_172.30.32.22  -    -  
Nov  4 16:40:10.950  rad-acct-int-update   ->             ba:bd:6f:c2:d6:50  74:9e:75:41:7c:72                    -    -  
Nov  4 16:41:47.646  rad-acct-stop   ->                   ba:bd:6f:c2:d6:50  74:9e:75:41:7c:72/__gw_172.30.32.22  -    -  

Tunneled client sessions

For mixed mode WLAN client sessions handled as tunneled, the gateway acts as the RADIUS proxy, with the gateway’s IP address used as the NAS IP. RADIUS accounting messages for these clients are forwarded by the gateway, centralizing session and accounting management.

RADIUS communication in a mixed mode WLAN with a tunneled client session without client roaming.

Accounting start: When a client associates to an AP, an accounting ‘Start’ request is sent from the AP and forwarded by the gateway to the RADIUS server.

A Wireshark capture showing Accounting-Request “Start” forwarded by the gateway (RADIUS proxy) 172.30.32.22 to the RADIUS server 10.82.75.11.

Accounting interim update: If interim updates are enabled, the gateway forwards an ‘Alive’ update to the RADIUS server.

A Wireshark capture showing Accounting-Request “Alive” forwarded by the gateway (RADIUS proxy) 172.30.32.22 to the RADIUS server 10.82.75.11.

Accounting stop: When the client disconnects from the AP, an accounting ‘Stop’ request is sent from the AP and forwarded by the gateway to the RADIUS server.

A Wireshark capture showing Accounting-Request “Stop” forwarded by the gateway (RADIUS proxy) 172.30.32.22 to the RADIUS server 10.82.75.11.

Buffer trace of this process:

AP-8-635# show ap debug auth-trace-buf

Auth Trace Buffer
-----------------
Nov  4 16:40:10.729  rad-acct-start   ->                  ba:bd:6f:c2:d6:50  74:9e:75:41:7c:72/__gw_172.30.32.22  -    -   
Nov  4 16:40:10.950  rad-acct-int-update   ->             ba:bd:6f:c2:d6:50  74:9e:75:41:7c:72                    -    -  
Nov  4 16:41:47.646  rad-acct-stop   ->                   ba:bd:6f:c2:d6:50  74:9e:75:41:7c:72/__gw_172.30.32.22  -    -  

Bridge mode with roaming

In bridge mode with client roaming, user traffic is locally bridged to the VLAN at each AP. As the client moves between APs, each AP independently acts as the NAS for its connected clients and handles RADIUS communications.

RADIUS Accounting Behavior: When a client roams from one AP to another, the new AP takes over as the NAS and generates a new RADIUS accounting start message. The initial AP sends an accounting stop message to indicate that its session management for that client has ended. This ensures accurate tracking and accounting of client sessions across multiple APs.

Bridge mode RADIUS communication when a client roams from AP-1 to AP-2.

Typically, each new connection triggers a change to the Acct-Session-Id, while a consistent Acct-Multi-Session-Id can link these related events for session continuity tracking.

Here’s how accounting messages are exchanged during a client roam from one AP to another:

Accounting start with the Initial AP: When the client connects to the initial AP, the AP sends an accounting start message to the RADIUS server. This message includes updated information about the AP the client is connected to.

A Wireshark capture showing Accounting-Request “Start” from the initial AP 10.82.74.202 to the RADIUS server 10.82.75.11.

Similarly, for interim updates:

A Wireshark capture showing Accounting-Request “Alive” from the initial AP 10.82.74.202 to the RADIUS server 10.82.75.11.

Accounting stop for Initial AP: After the client has roamed, the AP sends an Accounting stop message for the session associated with the initial AP (AP-8-635). This closes out the session tied to that AP.

A Wireshark capture showing Accounting-Request “Stop” from the initial AP 10.82.74.202 to the RADIUS server 10.82.75.11.

Buffer trace of this process:

AP-8-635# show ap debug auth-trace-buf

Auth Trace Buffer
-----------------
Nov  5 16:52:54.440  rad-acct-start   ->                  1a:3a:2c:f7:f5:75  74:9e:75:41:7c:70/clearpass  -   -    
Nov  5 16:56:13.211  rad-acct-int-update   ->             1a:3a:2c:f7:f5:75  74:9e:75:41:7c:70            -   -    
Nov  5 17:01:13.804  rad-acct-int-update   ->             1a:3a:2c:f7:f5:75  74:9e:75:41:7c:70            -   -    
Nov  5 17:04:30.932  rad-acct-stop   ->                   1a:3a:2c:f7:f5:75  74:9e:75:41:7c:70/clearpass  -   -    
AP-8-635# 

Note the Acct-Multi-Session-Id (val=26082C7091B9-1730847899) and the Acct-Session-Id (val=749E75417C71-26082C7091B9-672AA529-2D70E).

Accounting start from the new AP: Once the client connects to the new AP, that AP sends an Accounting Start message for the new session with the new AP (AP-3-635).

A Wireshark capture showing Accounting-Request “Start” from the new AP 172.30.32.31 to the RADIUS server 10.82.75.11.

Interim updates will proceed from the new AP as usual.

A Wireshark capture showing Accounting-Request “Alive” from the new AP 172.30.32.31 to the RADIUS server 10.82.75.11.

Buffer trace of this process:

AP-6-635# show ap debug auth-trace-buf

Auth Trace Buffer
-----------------
Nov  5 17:04:43.601  rad-acct-start   ->                  1a:3a:2c:f7:f5:75  74:9e:75:41:79:70/clearpass          -   -    
Nov  5 17:05:25.700  rad-acct-int-update   ->             1a:3a:2c:f7:f5:75  74:9e:75:41:79:70                    -   -      
AP-6-635# 

Acct-Session-Id and Acct-Multi-Session-Id Behavior: If the roam is a fast roam, the Acct-Multi-Session-Id remains the same, indicating the same client session. However, the Acct-Session-Id changes to reflect the transition to a new AP.

Acct-Multi-Session-Id on the initial AP: val=1A3A2CF7F575-1730854373
Acct-Multi-Session-Id on the new AP: val=1A3A2CF7F575-1730854373

Acct-Session-Id on the initial AP: val=749E75417C70-1A3A2CF7F575-672ABDE6-6B51D
Acct-Session-Id on the new AP: val=74975417970-1A3A2CF7F575-672ACOAB-92AFB

Tunnel mode with roaming

In tunnel mode with client roaming, traffic from the client is tunneled from the AP to the gateway. The gateway acts as a RADIUS proxy and forwards authentication and accounting requests for all tunnel-mode clients.

RADIUS Accounting Behavior: When a client roams from one AP to another, the user designated gateway (UDG) forwards a new RADIUS accounting start message reflecting the updated AP information and an accounting stop message for the initial AP.

Tunnel mode RADIUS communication when a client roams from AP-1 to AP-2.

For fast roaming scenarios, the Acct-Multi-Session-Id remains consistent, linking all related session events to the same logical session, while the Acct-Session-Id changes to reflect the new session context. Here are the accounting messages exchanged:

Accounting start with the Initial AP: As the client connects to the initial AP (AP-8-635), the gateway (UDG) forwards an Accounting start message to the RADIUS server. This message includes updated information about the AP the client is connected to.

A Wireshark capture showing Accounting-Request “Start” from the initial User Designated Gateway (UDG) 172.30.32.21 to the RADIUS server 10.82.75.11.

Similarly, for interim updates:

A Wireshark capture showing Accounting-Request “Alive” from the initial User Designated Gateway (UDG) 172.30.32.21 to the RADIUS server 10.82.75.11.

Accounting stop for initial AP: After the client has roamed, the gateway forwards an Accounting stop message for the session associated with the initial AP (AP-8-635). This closes out the session tied to that AP.

A Wireshark capture showing Accounting-Request “Stop” from the initial User Designated Gateway (UDG) 172.30.32.21 to the RADIUS server 10.82.75.11.

Buffer trace of this process:

AP-8-635# show ap debug auth-trace-buf

Auth Trace Buffer
-----------------
Nov  5 15:07:21.187  rad-acct-start   ->                  26:08:2c:70:91:b9  74:9e:75:41:7c:71/__gw_172.30.32.21  -    - 
Nov  5 15:11:01.515  rad-acct-int-update   ->             26:08:2c:70:91:b9  74:9e:75:41:7c:71                    -    - 
Nov  5 15:11:09.949  rad-acct-stop   ->                   26:08:2c:70:91:b9  74:9e:75:41:7c:71/__gw_172.30.32.21  -    -   
AP-8-635#  

Note the Acct-Multi-Session-Id (val=26082C7091B9-1730847899) and the Acct-Session-Id (val=749E75417C71-26082C7091B9-672AA529-2D70E).

Accounting start from the new AP: Once the client connects to the new AP, the gateway (UDG) forwards an Accounting Start message for the new session with the new AP (AP-3-635).

A Wireshark capture showing Accounting-Request “Start” from the User Designated Gateway (UDG) 172.30.32.21 to the RADIUS server 10.82.75.11.

Buffer trace of this process:

AP-3-635# show ap debug auth-trace-buf

Auth Trace Buffer
-----------------
Nov  5 15:11:10.176  station-up *                         26:08:2c:70:91:b9  74:9e:75:41:25:d0                    -  -  wpa2 aes
Nov  5 15:11:10.189  rad-acct-start   ->                  26:08:2c:70:91:b9  74:9e:75:41:25:d0/__gw_172.30.32.21  -  -  
Nov  5 15:11:10.190  rad-acct-int-update   ->             26:08:2c:70:91:b9  74:9e:75:41:25:d0                    -  -  
Nov  5 15:14:35.753  rad-acct-int-update   ->             26:08:2c:70:91:b9  74:9e:75:41:25:d0                    -  -  
AP-3-635#   

A Wireshark capture showing Accounting-Request “Alive” from the UDG 172.30.32.21 to the RADIUS server 10.82.75.11.

Acct-Session-Id and Acct-Multi-Session-Id Behavior: If the roam is a fast roam, the Acct-Multi-Session-Id remains the same, indicating it pertains to the same client session. However, the Acct-Session-Id changes to reflect the transition to a new AP.

Acct-Multi-Session-Id on the initial AP: val=26082C7091B9-1730847899
Acct-Multi-Session-Id on the new AP: val=26082C7091B9-1730847899

Acct-Session-Id on the initial AP: val=749E75417C71-26082C7091B9-672AA529-2D70E
Acct-Session-Id on the new AP: val=749E754125D0-26082C7091B9-672AA60E-2DD81

This approach in tunnel mode allows the RADIUS server to track the client’s AP changes while keeping the session continuous through the Acct-Multi-Session-Id.

Mixed mode with roaming

In mixed mode, both tunneled and bridged client sessions rely on the gateway as the RADIUS proxy. When a client roams, the Acct-Session-Id changes while the Acct-Multi-Session-Id remains the same, simplifying RADIUS accounting and maintaining a consistent Acct-Multi-Session-Id throughout the client’s connection. To learn more about mixed mode, refer to Mixed Forwarding.

Summary

Scenario                               Acct-Multi-Session-Id Behavior                                   NAS
-------------------------------------  ---------------------------------------------------------------  ------------------------
Bridge with no roaming                 Acct-Multi-Session-Id and Acct-Session-Id remain the same        AP
Tunnel with no roaming                 Acct-Multi-Session-Id and Acct-Session-Id remain the same        Gateway
Mixed with no roaming                  Acct-Multi-Session-Id and Acct-Session-Id remain the same        Gateway (for both types)
Bridge with roaming                    Acct-Multi-Session-Id remains the same, Acct-Session-Id changes  AP
Tunnel with roaming                    Acct-Multi-Session-Id remains the same, Acct-Session-Id changes  Gateway
Mixed with roaming (bridge & tunnel)   Acct-Multi-Session-Id remains the same, Acct-Session-Id changes  Gateway (for both types)

In summary, a consistent Acct-Multi-Session-Id across a client’s session, including during roaming, provides several benefits. The Acct-Multi-Session-Id enables seamless tracking of a user’s activity, ensuring that all session data is unified even if the client moves between APs. This simplifies session management, billing, and accounting, as all activity is associated with one session, reducing administrative complexity. Additionally, security monitoring is enhanced by creating a clear and consistent record of user activity across the network.
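As an added example (not part of the AOS-10 documentation or its tooling), the following Python script correlates RADIUS accounting records the way the summary above describes: records are grouped by Acct-Multi-Session-Id into one logical session, and each Acct-Session-Id becomes a segment of that session, so a roam shows up as a second segment rather than as a new user. The sample records are constructed here from the tunnel-mode roaming values on this page; the check that the previous segment was stopped before a new Start arrives is an assumption of this example, not a rule the page states.

```python
from datetime import datetime

# Constructed sample records, modelled on the tunnel-mode roaming values shown on
# this page: one client, one Acct-Multi-Session-Id, two Acct-Session-Ids (one per
# AP attachment). Both Starts carry the gateway as NAS, as in tunnel mode.
# Tuple layout: (timestamp, Acct-Status-Type, Acct-Session-Id, Acct-Multi-Session-Id, NAS-IP-Address)
MULTI_ID = "26082C7091B9-1730847899"
SESSION_AP1 = "749E75417C71-26082C7091B9-672AA529-2D70E"
SESSION_AP2 = "749E754125D0-26082C7091B9-672AA60E-2DD81"
GATEWAY = "172.30.32.21"
SAMPLE_RECORDS = [
    ("2024-11-05 15:07:21", "Start", SESSION_AP1, MULTI_ID, GATEWAY),
    ("2024-11-05 15:11:01", "Interim-Update", SESSION_AP1, MULTI_ID, GATEWAY),
    ("2024-11-05 15:11:09", "Stop", SESSION_AP1, MULTI_ID, GATEWAY),
    ("2024-11-05 15:11:10", "Start", SESSION_AP2, MULTI_ID, GATEWAY),
    ("2024-11-05 15:14:35", "Interim-Update", SESSION_AP2, MULTI_ID, GATEWAY),
]


def correlate(records):
    """Group accounting records into logical sessions keyed by Acct-Multi-Session-Id.

    Returns {multi_id: {"segments": [...], "roams": int, "anomalies": [...]}}; each
    segment is one Acct-Session-Id (one AP attachment) with its NAS and timestamps.
    """
    sessions = {}
    for ts_text, status, session_id, multi_id, nas_ip in sorted(records, key=lambda r: r[0]):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        logical = sessions.setdefault(multi_id, {"segments": [], "roams": 0, "anomalies": []})
        segs = logical["segments"]
        seg = next((s for s in segs if s["session_id"] == session_id), None)
        if status == "Start":
            if seg is not None:
                logical["anomalies"].append(f"duplicate Start for {session_id}")
                continue
            # Assumption of this example, not a rule stated by the page: the previous
            # Acct-Session-Id under the same Acct-Multi-Session-Id should already have
            # been stopped when a new Start arrives; otherwise flag it for review.
            if segs and segs[-1]["stop"] is None:
                logical["anomalies"].append(
                    f"Start {session_id} while {segs[-1]['session_id']} still open")
            if segs:
                logical["roams"] += 1  # a new Acct-Session-Id under a known multi-id is a roam
            segs.append({"session_id": session_id, "nas": nas_ip, "start": ts,
                         "stop": None, "updates": 0})
        elif seg is None:
            logical["anomalies"].append(f"{status} for unknown Acct-Session-Id {session_id}")
        elif status == "Interim-Update":
            seg["updates"] += 1
        elif status == "Stop":
            seg["stop"] = ts
    return sessions


if __name__ == "__main__":
    for multi_id, logical in correlate(SAMPLE_RECORDS).items():
        print(f"logical session {multi_id}: {logical['roams']} roam(s)")
        for seg in logical["segments"]:
            print(f"  {seg['session_id']} via NAS {seg['nas']} start={seg['start']} stop={seg['stop']}")
        for msg in logical["anomalies"]:
            print("  anomaly:", msg)
```

In tunnel mode both segments report the same NAS (the gateway), so the roam is visible only through the Acct-Session-Id change; in bridge mode the NAS-IP-Address would differ per segment as well.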


Last modified: January 15, 2025 (f0f1d1b)