Applies To:
BIG-IP APM
- 11.5.1
About RADIUS accounting
You can report user session information to an external RADIUS accounting server. If you select this mode only, the system assumes that you have set up another type of authentication method to authenticate and authorize your users to access their resources.
- After RADIUS accounting runs successfully in an access policy, Access Policy Manager sends an accounting start request message to the external RADIUS server. The start message typically contains the user's ID, network address, point of attachment, and a unique session identifier.
- When the session is destroyed, Access Policy Manager issues an accounting stop message to the external RADIUS server, providing information on the final usage in terms of time, packets transferred, data transferred, and reason for disconnect, as well as other information related to the user's access.
This accounting data is used primarily for billing, statistical, and general network monitoring purposes.
About how APM handles binary values in RADIUS attributes
For RADIUS authentication, Access Policy Manager (APM) converts an attribute value to hex if it contains unprintable characters, or if it is the class attribute. APM converts the class attribute to hex based on its attribute type, even if it contains only printable values. No other attribute is encoded to hex unless it contains unprintable characters.
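The encoding rule described above, as an added Python example that is not F5 code: it renders and decodes attribute values and checks them against the three sample lines from the cases that follow, each written on one line. It assumes that "unprintable" means bytes outside ASCII 0x20-0x7e, that the number after the variable name is the character length of the value, and that ` | ` separates multiple values; all function names are illustrative.

```python
# Added example (not F5 code): models the hex rule described above.
ALWAYS_HEX = {"class"}   # hex-encoded even when every byte is printable
SEP = " | "              # value separator as it appears in the page's samples

def is_printable(raw):
    # Assumption: "printable" means ASCII 0x20-0x7e.
    return all(0x20 <= b <= 0x7E for b in raw)

def encode_values(attr, values):
    """Render raw attribute values as the session variable string."""
    return SEP.join(
        "0x" + raw.hex() if attr in ALWAYS_HEX or not is_printable(raw)
        else raw.decode("ascii")
        for raw in values)

def decode_values(rendered):
    """Recover raw bytes. Caveat of this model: a printable value that itself
    starts with "0x" or contains " | " cannot be told apart from encoding."""
    out = []
    for item in rendered.split(SEP):
        if item.startswith("0x"):
            out.append(bytes.fromhex(item[2:]))  # ValueError on damaged hex
        else:
            out.append(item.encode("ascii"))
    return out

def parse_line(line):
    """Parse '<key> <length> <value>' and check <length> against the value."""
    key, length, rendered = line.split(" ", 2)
    if int(length) != len(rendered):   # assumption: the number is the string length
        raise ValueError(f"length {length} != {len(rendered)} for {key}")
    return key.rsplit(".", 1)[1], decode_values(rendered)

# The page's three sample values, each written on one line.
CASE1 = ("1bf80e04.session.radius.last.attr.class 62 "
         "0x54230616000001370001ac1d423301caa87483dadf740000000000000007")
CASE2 = ("243be90d.session.radius.last.attr.class 119 "
         "0x6162636465666768696a6b6c6d6e6f707172737475767778797a | "
         "0x54220615000001370001ac1d423301caa87483dadf740000000000000006")
CASE3 = ("3888eb70.session.radius.last.attr.login-lat-group 37 "
         "0x6d7920bda12067726f757032 | mygroup1")

if __name__ == "__main__":
    for line in (CASE1, CASE2, CASE3):
        attr, values = parse_line(line)
        print(attr, values, encode_values(attr, values) == line.split(" ", 2)[2])
```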
Case 1:
Handling of attributes with single value:
1bf80e04.session.radius.last.attr.class 62 0x54230616000001370001ac1d423301caa87483dadf740000000000000007
Case 2:
Handling of attributes with multiple values (mix of binary and non-binary values):
243be90d.session.radius.last.attr.class 119 0x6162636465666768696a6b6c6d6e6f707172737475767778797a | 0x54220615000001370001ac1d423301caa87483dadf740000000000000006
If the attribute type does not require hex encoding, and some of the values are unprintable, then only those value(s) are encoded to hex.
3888eb70.session.radius.last.attr.login-lat-group 37 0x6d7920bda12067726f757032 | mygroup1
Adding RADIUS accounting to an access policy
RADIUS authentication and accounting troubleshooting tips
You might run into problems with RADIUS authentication and accounting in some instances. Follow these tips to try to resolve any issues you might encounter.
RADIUS authentication and accounting access policy action troubleshooting
Possible error messages | Possible explanations and actions |
---|---|
Authentication failed due to timeout | |
Authentication failed due to RADIUS access reject | |
Additional troubleshooting tips for RADIUS authentication and accounting
Action | Steps |
---|---|
Check to see if your access policy is attempting to perform authentication | Note: Make sure that your log level is set to the appropriate level. The default log level is notice. |
Check the RADIUS Server configuration | |
Confirm network connectivity | |
Capture a TCP dump | Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own. |