FortiWLC – RADIUS Accounting for Clients

RADIUS Accounting for Clients

If you have a RADIUS accounting server in your network, you can configure the controller to act as a RADIUS client, allowing the controller to send accounting records to the RADIUS accounting server. The controller sends accounting records either for clients who enter the wireless network as 802.1X authorized users or for the clients that are Captive Portal authenticated.

When using RADIUS accounting, set up a separate RADIUS profile for the RADIUS accounting server and point the ESS profile to that RADIUS profile. So, for example, you could have a RADIUS profile called radiusprofile1 that uses UDP port 1645 or 1812 (the two standard ports for RADIUS authentication) and your security profiles would point to radiusprofile1. To support RADIUS accounting, configure a new RADIUS profile (like radiusprofile1_acct) even if the RADIUS accounting server is the same as the RADIUS authentication server. Set its IP and key appropriately and set its port to the correct RADIUS accounting port (1646, 1813 for example). Then point ESS profiles) to this new RADIUS profile radiusprofile1_acct.

Accounting records are sent for the duration of a client session, which is identified by a unique session ID. You can configure a RADIUS profile for the primary RADIUS accounting server and another profile for a secondary RADIUS accounting server, which serves as a backup should the primary server be offline. The switch to the backup RADIUS server works as follows. After 30 seconds of unsuccessful Primary RADIUS server access, the secondary RADIUS server becomes the default. The actual attempt that made it switch is discarded and the next RADIUS access that occurs goes to the Secondary RADIUS server. After about fifteen minutes, access reverts to the Primary RADIUS Server.

In every RADIUS message (Start, Interim Update and Stop), the following attributes are included:

TABLE 17: RADIUS Accounting Attributes

RADIUS Attribute Description
Session-ID Client IP Address-Current Time – The session time returned from the RADIUS server has priority. If the RADIUS server doesn’t return the session time, the configured value is used.
Status Type Accounting Start/Accounting Stop/Interim-Update
Authentication RADIUS authentication
User-Name Username
User-Name Station Mac Address (station info)
NAS-IP Address Controller IP Address
NASPort Unique value (system generated)
Called Station-ID Controller MAC Address
Called Station-ID Controller MAC Address:ESSID Name (Used to enforce what ESS a station can connect to)
Calling Station-ID Station MAC address
Connect Info Radio Band of Station
Class Class Attribute
NAS-Identifier Any string to identify controller (self) in Access Request Packet. Min value 3 chars.
Acct-Input-Octets* Number of octets received on this port (interface) and sent in AccountingRequest when Accounting status type is STOP
Acct-Input-Packets* Number of packets received on this port (interface) and sent in AccountingRequest when Accounting status type is STOP
Acct-Output-Packets* Number of packets sent on this port (interface) and sent in Accounting-Request when Accounting status type is STOP
Acct-Output-Octets* Number of octets sent on this port (interface) and sent in Accounting-Request when Accounting status type is STOP

TABLE 17: RADIUS Accounting Attributes

RADIUS Attribute Description
Acct-Terminate-Cause Used to get the reason for session termination and sent in Accounting-Request when Accounting status type is STOP
Acct-Delay-Time Sent to indicate the number of seconds we have been waiting to send this record.
AP ID Vendor specific info: the AP ID to which client connected. Sent when accounting starts
AP ID Vendor specific info: the AP ID from which client disconnected from. Sent when accounting stops
AP Name Vendor specific info: The AP Name to which client connected. Sent when accounting starts
AP Name Vendor specific info: the AP ID from which client disconnected from. Sent when accounting stops
Session-Time Number of seconds between start and stop of session

TABLE 18: RADIUS Authentication Attributes

RADIUS Attribute Description
User-Name Username
NAS-IP-Address Controller IP Address
NAS-Port Unique value = essid << 11 | Sta AID
NAS-Port-Type Type of the physical port used for authentication = 19
Called-Station-Id Own MAC Address: ESSID Name
Called-Station-Id Own MAC Address
Calling-Station-Id STA MAC Address
Framed-MTU Max RADIUS MTU = 1250
Connect-Info Radio Band of Station

TABLE 18: RADIUS Authentication Attributes

RADIUS Attribute Description
VLAN ID Vlan Id of the ESS profile to which client is trying to connect. Only available for 802.1x clients and is sent only if its configured on the controller
Service-Type Send the types of service requested = 8 (Authenticate Only)
Service-Type Send the types of service requested = 1 (Login)
User-Password User Password
Session-Timer Number of seconds the user must be allowed to remain in the network
Class Returned by RADIUS Server and to be sent in Accounting Request message
Vlan-Id The Vlan ID returned by the RADIUS server
Filter-Id Used with Per User Firewall (PEM); privilege level (1, 10, 15) sent as filter id in RADIUS response
Message-Authenticator Returned by RADIUS server
EAP Message Returned by RADIUS server
Tunnel-Medium-Type Indicates the transport medium like ipv4, ipv6. In CP, valid only if VPN is set. Also sent in Access-Request in case of CP.
Tunnel-Type The type of tunnel, in our case should be VLAN i.e. 13. If anything else is received, treat as ACCESS-REJECT. In CP, valid only if VPN is set. Also sent in Access-Request in case of CP.
Tunnel-Private-Group Receives the Vlan ID from this attribute (Does not apply for Captive Portal)
Framed-Compression Indicates the compression protocol that is being used. In our case, NONE
Idle-Timeout Use this to calculate client idle time and knock the client off.
This entry was posted in Administration Guides, FortiWLC on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.