Radius Accounting - Proxim ORiNOCO AP-4900M User Manual

Advanced Configuration
Radius Profiles

RADIUS Accounting

Using an external RADIUS server, the AP can track and record the length of client sessions on the access point by
sending RADIUS accounting messages per RFC2866. When a wireless client is successfully authenticated, RADIUS
accounting is initiated by sending an "Accounting Start" request to the RADIUS server. When the wireless client session
ends, an "Accounting Stop" request is sent to the RADIUS server.
NOTE: Each VLAN can be configured to use a separate RADIUS accounting server (and backup accounting server).
Session Length
Accounting sessions continue when a client reauthenticates to the same AP. Sessions are terminated when:
• A client disassociates.
• A client does not transmit any data to the AP for a fixed amount of time.
• A client is detected on a different interface.
• Idle-Timeout or Session-Timeout attributes are configured in the Radius server.
If the client roams from one AP to another, one session is terminated and a new session is begun.
NOTE: This feature requires RADIUS authentication using MAC Access Control or 802.1x. Wireless clients configured in
the Access Point's static MAC Access Control list are not tracked.
Authentication and Accounting Attributes
Additionally, the AP supports a number of Authentication and Accounting Attributes defined in RFC2865, RFC2866,
RFC2869, and RFC3580.
Authentication Attributes
• State: Received in Access-Accept Packet by the AP during Authentication and sent back as-is during
Re-Authentication.
• Class: Received in Access-Accept Packet by the AP during Authentication and back as in Accounting Packets.
• Session-Timeout
– If the RADIUS server does not send a Session-Timeout, the AP will set the subscriber expiration time to 0, which
means indefinite access.
– The Termination Action attribute defines how the Session-Timeout attribute will be interpreted. If the Termination
Action is DEFAULT, then the session is terminated on expiration of the Session-Timeout time interval. If
Termination Action is RADIUS-Request, then re-authentication is done on expiration on the session.
– If the RADIUS server sends a Session-Timeout, the value specified by the Session-Timeout attribute will take
precedence over the configured Authorization Lifetime value.
• Termination-Action
– Valid values are: Default (0), RADIUS-Request (1). When the value is "default," the Termination-Action attribute
sends an accounting stop message and then reauthenticates. If the value is "RADIUS-Request," the
Termination-Action attribute reauthenticates without sending an accounting stop.
• Idle Timeout
– The AP internally maintains the Idle-Timeout attribute obtained for each of the users during their authentication
process, and uses this time interval in place of accounting inactivity time for timing out clients.
• Calling Station Id
– MAC address of the client being authenticated.
• Called Station Id
– The AP sends the MAC address of its own wireless interface with which the client getting authenticated is getting
associated, appended with the SSID. If VLAN is enabled, the SSID and corresponding VLAN ID get appended.
• Acct-Interim-Interval
AP-4000/4000M/4900M User Guide
117