Understanding 802.1X and RADIUS Accounting on EX Series Switches - Juniper JUNOS OS 10.3 - SOFTWARE Manual

For EX Series Ethernet Switches

Understanding 802.1X and RADIUS Accounting on EX Series Switches

Copyright © 2010, Juniper Networks, Inc.

Juniper Networks EX Series Ethernet Switches support IETF RFC 2866, RADIUS Accounting.
Configuring RADIUS accounting on an EX Series switch permits statistical data about
users logging on to or off a LAN to be collected and sent to a RADIUS accounting server.
The statistical data gathered can be used for general network monitoring, to analyze and
track usage patterns, or to bill a user based upon the amount of time or type of services
accessed.

To configure RADIUS accounting, specify one or more RADIUS accounting servers to
receive the statistical data from the switch, and select the type of accounting data to be
collected.

The RADIUS accounting server you specify can be the same server used for RADIUS
authentication, or it can be a separate RADIUS server. You can specify a list of RADIUS
accounting servers. In the event that the primary server (the first one configured) is
unavailable, the RADIUS servers in the list are tried in the order in which they are
configured in the Juniper Networks Junos operating system (Junos OS).

The RADIUS accounting process between a switch and a RADIUS server works like this:

1. A RADIUS accounting server listens for User Datagram Protocol (UDP) packets on a
   specific port. For example, on FreeRADIUS, the default port is 1813.
2. The switch forwards an accounting-request packet containing an event record to the
   accounting server. For example, a supplicant is authenticated through 802.1X
   authentication and connected to the LAN. The event record associated with this
   supplicant contains an Acct-Status-Type attribute whose value indicates the beginning
   of user service for this supplicant. When the supplicant's session ends, the accounting
   request will contain an Acct-Status-Type attribute value indicating the end of user
   service. The RADIUS accounting server records this as a stop-accounting record
   containing session information and the length of the session.
3. The RADIUS accounting server logs these events as start-accounting or
   stop-accounting records. The records are in a file. On FreeRADIUS, the file name is
   the server's address; for example, 122.69.1.250.
4. The accounting server sends an accounting-response packet back to the switch
   confirming it has received the accounting request.
5. If the switch does not receive a response from the server, it continues to send
   accounting requests until an accounting response is returned from the accounting
   server.

The statistics collected through this process can be displayed from the RADIUS server;
to see those statistics, the user accesses the log file configured to receive them.
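
The request and response of steps 2 through 4, as an added example that is not taken from the Juniper manual or from Junos OS: it builds start and stop accounting requests, checks them on the server side, and checks the response on the client side, using the authenticator formulas of RFC 2866. The shared secret, user name, and session ID passed to these functions are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5      # RFC 2866 packet codes
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 1, 40, 44, 46
START, STOP = 1, 2                      # Acct-Status-Type values

def attr(attr_type, value):             # one attribute: Type, Length, Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_request(ident, secret, status, user, session_id, session_time=None):
    """Accounting-Request as a RADIUS client (the switch's role) builds it."""
    attrs = attr(USER_NAME, user) + attr(ACCT_SESSION_ID, session_id)
    attrs += attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    if session_time is not None:        # session length, sent with a Stop record
        attrs += attr(ACCT_SESSION_TIME, struct.pack("!I", session_time))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def parse_attrs(data):
    """Decode attributes into {type: value}, rejecting malformed lengths."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out

def handle_request(packet, secret):
    """Server role: return (attributes, response), or None to silently discard."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet) or packet[0] != ACCT_REQUEST:
        return None                     # too short, truncated, or not accounting
    packet = packet[:length]            # octets beyond Length are padding
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                     # wrong shared secret or altered record
    header = struct.pack("!BBH", ACCT_RESPONSE, packet[1], 20)
    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator + secret)
    response = header + hashlib.md5(header + packet[4:20] + secret).digest()
    return parse_attrs(packet[20:]), response

def response_is_valid(response, request, secret):
    """Client role: accept only a response that answers the pending request."""
    digest = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return (response[:2] == bytes([ACCT_RESPONSE, request[1]])
            and hmac.compare_digest(digest, response[4:20]))
```

A request that fails the authenticator check gets no response, so to the sender it looks the same as the unanswered request in step 5.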

Related Documentation
Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch on page 2545
802.1X for EX Series Switches Overview on page 2531
Configuring 802.1X RADIUS Accounting (CLI Procedure) on page 2617

Chapter 81: 802.1X and MAC RADIUS Authentication Overview
2539
