RADIUS Accounting for Clients
If you have a RADIUS accounting server in your network, you can configure the controller to act as a RADIUS client, allowing the controller to send accounting records to the RADIUS accounting server. The controller sends accounting records either for clients who enter the wireless network as 802.1X authorized users or for the clients that are Captive Portal authenticated.
When using RADIUS accounting, set up a separate RADIUS profile for the RADIUS accounting server and point the ESS profile to that RADIUS profile. So, for example, you could have a RADIUS profile called radiusprofile1 that uses UDP port 1645 or 1812 (the two standard ports for RADIUS authentication) and your security profiles would point to radiusprofile1. To support RADIUS accounting, configure a new RADIUS profile (like radiusprofile1_acct) even if the RADIUS accounting server is the same as the RADIUS authentication server. Set its IP and key appropriately and set its port to the correct RADIUS accounting port (1646, 1813 for example). Then point ESS profiles) to this new RADIUS profile radiusprofile1_acct.
Accounting records are sent for the duration of a client session, which is identified by a unique session ID. You can configure a RADIUS profile for the primary RADIUS accounting server and another profile for a secondary RADIUS accounting server, which serves as a backup should the primary server be offline. The switch to the backup RADIUS server works as follows. After 30 seconds of unsuccessful Primary RADIUS server access, the secondary RADIUS server becomes the default. The actual attempt that made it switch is discarded and the next RADIUS access that occurs goes to the Secondary RADIUS server. After about fifteen minutes, access reverts to the Primary RADIUS Server.
In every RADIUS message (Start, Interim Update and Stop), the following attributes are included:
TABLE 17: RADIUS Accounting Attributes
| RADIUS Attribute | Description |
| Session-ID | Client IP Address-Current Time – The session time returned from the RADIUS server has priority. If the RADIUS server doesn’t return the session time, the configured value is used. |
| Status Type | Accounting Start/Accounting Stop/Interim-Update |
| Authentication | RADIUS authentication |
| User-Name | Username |
| User-Name | Station Mac Address (station info) |
| NAS-IP Address | Controller IP Address |
| NASPort | Unique value (system generated) |
| Called Station-ID | Controller MAC Address |
| Called Station-ID | Controller MAC Address:ESSID Name (Used to enforce what ESS a station can connect to) |
| Calling Station-ID | Station MAC address |
| Connect Info | Radio Band of Station |
| Class | Class Attribute |
| NAS-Identifier | Any string to identify controller (self) in Access Request Packet. Min value 3 chars. |
| Acct-Input-Octets* | Number of octets received on this port (interface) and sent in AccountingRequest when Accounting status type is STOP |
| Acct-Input-Packets* | Number of packets received on this port (interface) and sent in AccountingRequest when Accounting status type is STOP |
| Acct-Output-Packets* | Number of packets sent on this port (interface) and sent in Accounting-Request when Accounting status type is STOP |
| Acct-Output-Octets* | Number of octets sent on this port (interface) and sent in Accounting-Request when Accounting status type is STOP |
TABLE 17: RADIUS Accounting Attributes
| RADIUS Attribute | Description |
| Acct-Terminate-Cause | Used to get the reason for session termination and sent in Accounting-Request when Accounting status type is STOP |
| Acct-Delay-Time | Sent to indicate the number of seconds we have been waiting to send this record. |
| AP ID | Vendor specific info: the AP ID to which client connected. Sent when accounting starts |
| AP ID | Vendor specific info: the AP ID from which client disconnected from. Sent when accounting stops |
| AP Name | Vendor specific info: The AP Name to which client connected. Sent when accounting starts |
| AP Name | Vendor specific info: the AP ID from which client disconnected from. Sent when accounting stops |
| Session-Time | Number of seconds between start and stop of session |
TABLE 18: RADIUS Authentication Attributes
| RADIUS Attribute | Description |
| User-Name | Username |
| NAS-IP-Address | Controller IP Address |
| NAS-Port | Unique value = essid << 11 | Sta AID |
| NAS-Port-Type | Type of the physical port used for authentication = 19 |
| Called-Station-Id | Own MAC Address: ESSID Name |
| Called-Station-Id | Own MAC Address |
| Calling-Station-Id | STA MAC Address |
| Framed-MTU | Max RADIUS MTU = 1250 |
| Connect-Info | Radio Band of Station |
TABLE 18: RADIUS Authentication Attributes
| RADIUS Attribute | Description |
| VLAN ID | Vlan Id of the ESS profile to which client is trying to connect. Only available for 802.1x clients and is sent only if its configured on the controller |
| Service-Type | Send the types of service requested = 8 (Authenticate Only) |
| Service-Type | Send the types of service requested = 1 (Login) |
| User-Password | User Password |
| Session-Timer | Number of seconds the user must be allowed to remain in the network |
| Class | Returned by RADIUS Server and to be sent in Accounting Request message |
| Vlan-Id | The Vlan ID returned by the RADIUS server |
| Filter-Id | Used with Per User Firewall (PEM); privilege level (1, 10, 15) sent as filter id in RADIUS response |
| Message-Authenticator | Returned by RADIUS server |
| EAP Message | Returned by RADIUS server |
| Tunnel-Medium-Type | Indicates the transport medium like ipv4, ipv6. In CP, valid only if VPN is set. Also sent in Access-Request in case of CP. |
| Tunnel-Type | The type of tunnel, in our case should be VLAN i.e. 13. If anything else is received, treat as ACCESS-REJECT. In CP, valid only if VPN is set. Also sent in Access-Request in case of CP. |
| Tunnel-Private-Group | Receives the Vlan ID from this attribute (Does not apply for Captive Portal) |
| Framed-Compression | Indicates the compression protocol that is being used. In our case, NONE |
| Idle-Timeout | Use this to calculate client idle time and knock the client off. |
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!