Applies To:
- 15.0.1, 15.0.0
About RADIUS accounting
- After RADIUS accounting runs successfully in an access policy, Access Policy Manager sends an accounting start request message to the external RADIUS server. The start message typically contains the user's ID, network address, point of attachment, and a unique session identifier.
- When the session is destroyed, Access Policy Manager issues an accounting stop message to the external RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, and reason for disconnect, as well as other information related to the user's access.
About how APM handles binary values in RADIUS attributes
1bf80e04.session.radius.last.attr.class 62 0x54230616000001370001ac1d423301caa87483dadf740000000000000007
243be90d.session.radius.last.attr.class 119 0x6162636465666768696a6b6c6d6e6f707172737475767778797a | 0x54220615000001370001ac1d423301caa87483dadf740000000000000006
3888eb70.session.radius.last.attr.login-lat-group 37 0x6d7920bda12067726f757032 | mygroup1
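The three sample session variables above can be decoded with a short script when reviewing session data. This is an added example, not F5 code: it assumes, from the samples themselves, that each line has the layout `<session ID>.<variable name> <value length> <value>`, that multiple values are joined by " | ", and that a value starting with `0x` is hex-encoded. The names `parse_line`, `printable` and `SAMPLES` are hypothetical.

```python
import re

# Constructed from the three sample lines on this page (wrapped hex rejoined).
SAMPLES = [
    "1bf80e04.session.radius.last.attr.class 62 "
    "0x54230616000001370001ac1d423301caa87483dadf740000000000000007",
    "243be90d.session.radius.last.attr.class 119 "
    "0x6162636465666768696a6b6c6d6e6f707172737475767778797a | "
    "0x54220615000001370001ac1d423301caa87483dadf740000000000000006",
    "3888eb70.session.radius.last.attr.login-lat-group 37 "
    "0x6d7920bda12067726f757032 | mygroup1",
]

# Assumed layout: <8-hex session ID>.<variable name> <value length> <value>
LINE_RE = re.compile(r"^([0-9a-f]{8})\.(\S+) (\d+) (.*)$")
HEX_RE = re.compile(r"^0x((?:[0-9a-fA-F]{2})+)$")


def parse_line(line):
    """Return (session_id, variable, [value bytes, ...]) for one line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a session variable line")
    sid, name, length, raw = m.groups()
    # A length mismatch means the line was truncated or wrapped in transit.
    if len(raw) != int(length):
        raise ValueError(f"{name}: expected {length} chars, got {len(raw)}")
    values = []
    # Assumption: " | " separates values. A printable value that itself
    # contains " | " or looks like 0x<hex> cannot be told apart here.
    for part in raw.split(" | "):
        hexed = HEX_RE.match(part)
        values.append(bytes.fromhex(hexed.group(1)) if hexed else part.encode())
    return sid, name, values


def printable(value):
    """Render bytes for a report, escaping anything outside printable ASCII."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in value)


if __name__ == "__main__":
    for sample in SAMPLES:
        sid, name, values = parse_line(sample)
        print(sid, name, [printable(v) for v in values])
```

The length check is what catches a hex string that was wrapped or cut when the line was copied out of a log or ticket.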
Configuring a RADIUS Accounting server in APM
- On the Main tab, click. The RADIUS servers screen opens.
- Click Create. The New Server properties screen opens.
- In the Name field, type a unique name for the authentication server.
- From the Mode list, select Accounting.
- For the Server Connection setting, select one of these options:
  - Select Use Pool to set up high availability for the AAA server.
  - Select Direct to set up the AAA server for standalone functionality.
- If you selected Use Pool, type a name in the Server Pool Name field. You create a pool of servers on this screen.
- Provide the addresses required for your server connection:
  - If you selected Direct, type an IP address in the Server Address field.
  - If you selected Use Pool, for each pool member you want to add, type an IP address in the Server Addresses field and click Add. When you configure a pool, you have the option to type the server address in route domain format: IPAddress%RouteDomain.
- If you selected Use Pool, you have the option to select a Server Pool Monitor to track the health of the server pool.
- In the Accounting Service Port field, type the service port for your accounting server if the default value is not appropriate. The default is 1813.
- In the Secret field, type the shared secret password of the server.
- In the Confirm Secret field, re-type the shared secret password of the server.
- In the Timeout field, type a timeout interval (in seconds) for the AAA server. This setting is optional. If you use the Timeout setting, you can also use the Retries setting. If these settings are enabled, the Access Policy Manager attempts to reach the AAA server within the specified time frame, in seconds. If the server does not respond, the Access Policy Manager retries the authentication attempt, depending on how many retries you specify.
- In the Retries field, type the number of times the BIG-IP system should try to make a connection to the server after the first attempt fails. This setting is optional.
- Click Finished. The new server displays on the list.
Adding RADIUS accounting to an access policy
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- From the Authentication tab, select RADIUS Acct and click Add Item. The popup screen closes. A properties popup screen opens.
- From the AAA Server list, select a RADIUS accounting server and click Save. The properties popup screen closes and the visual policy editor displays.
- Click Apply Access Policy to save your configuration.
RADIUS authentication and accounting troubleshooting tips
RADIUS authentication and accounting access policy action
Possible error messages
Possible explanations and actions
Authentication failed due to timeout
Authentication failed due to RADIUS access reject
Additional troubleshooting tips for RADIUS authentication and
Check to see if your access policy is attempting to perform authentication
Make sure that your log level is set to the appropriate level. The default log level is
Check the RADIUS Server configuration
Confirm network connectivity
Capture a TCP dump
If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own.