How to Enable RADIUS Accounting


This Help topic describes how to use RADIUS accounting to provide real-time end-system connection status in NAC Manager. RADIUS accounting collects various end-system session data that NAC Manager uses to determine connection status for each end-system session. This can be useful for compliance purposes, allowing you to determine both when an end-system session started and when it was terminated.

RADIUS accounting is also used to monitor switches for Auto Tracking, CEP (Convergence End Point), and Switch Quarantine authentication sessions, when used in conjunction with the Monitoring or Network Access switch authentication access types. (For more information, see the Auth. Access Type section of the Add/Edit Switch Window Help topics.)

You must be running NAC Appliance version 4.0 or higher to take advantage of RADIUS accounting functionality in NAC.

For Extreme Networks stackable and standalone devices (A-Series, B-Series, C-Series, D-Series, G-Series, and I-Series), NAC uses a combination of SNMP and CLI (command line interface) to configure RADIUS accounting on the switch. Before enabling RADIUS accounting on these devices, please read through Considerations for Fixed Switching Devices below.

  NOTES: RADIUS accounting is not supported on the NAC Controller.

If RADIUS accounting is not desired, or if it is not supported on certain devices on your network, you can use the Session Deactivate Timeout option to provide more up-to-date information about which end-systems are still active on the network. This option is enabled on the Reauthentication Tab in the Appliance Settings window.

Use the following steps to enable RADIUS accounting:

  1. Enable RADIUS accounting on your switches and controllers using the instructions appropriate for your devices.

    For Extreme Networks devices or ExtremeWireless Controller devices running firmware version 9.21.x.x or newer:
    1. If you are editing an existing device: In the right-panel Switches tab, select the devices on which you want to perform RADIUS accounting and click the Edit button. The Edit Switches in NAC Appliance Group window opens.
      If you are adding a new device: Click Add in the right-panel Switches tab and the Add Switches to NAC Appliance Group window opens.
    2. NOTE: Wireless Controllers must be running in Strict mode to use RADIUS accounting.
    3. Set the RADIUS Accounting option to Enabled. Click OK.
    4. Enforce to your appliances.

    For ExtremeWireless Controller devices running firmware versions older than 9.21.x.x:
    1. RADIUS accounting must be enabled manually on the controller using the ExtremeWireless Assistant or the device CLI (command line interface).
    2. Be sure to configure the NAC appliance IP address as the IP address of the RADIUS server. Refer to your wireless controller User Guide for instructions on enabling RADIUS accounting via the ExtremeWireless Assistant, or the CLI Reference Guide for the exact CLI command syntax to use.

    For third-party switching devices:
    1. RADIUS accounting must be enabled manually on the device using the device CLI (command line interface).
    2. Be sure to configure the NAC appliance IP address as the RADIUS accounting server. Refer to your device documentation for the exact command syntax.
  2. If you are doing RADIUS accounting in a NAC environment where the primary RADIUS server is being used for redundancy in a single NAC appliance configuration (Basic AAA configuration only), then you must enable the Proxy RADIUS Accounting Requests option in the Edit RADIUS Server window.
    1. In the Edit Basic AAA Configurations window, use the Configuration Menu button in the Primary RADIUS Server field to open the Manage RADIUS Servers window.
    2. Select the RADIUS Server and click Edit.
    3. Enable the Proxy RADIUS Accounting Requests option. Click OK.
    4. Enforce to your appliance.

With RADIUS accounting enabled, you will now see real-time connection status in the NAC Manager End-Systems tab and Dashboard.
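
The connection status described above is derived from RADIUS Accounting-Request packets (RFC 2866) that switches send to the accounting server. The following is an added example, not NAC Manager code: it builds and parses such packets, checks the Request Authenticator against the shared secret, and tracks session state. The function names, shared secret, MAC address and session ID are constructed for illustration.

```python
import hashlib
import hmac

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
STATE = {1: "connected", 2: "disconnected", 3: "connected"}  # Start, Stop, Interim-Update

def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + shared secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, attributes, secret):
    """Encode an Accounting-Request as a switch (the RADIUS client) would."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    header = bytes([ACCOUNTING_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + _authenticator(header, attrs, secret) + attrs

def parse_request(packet, secret):
    """Return {attribute type: value}; raise ValueError if malformed or unauthenticated."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:length]
    if not hmac.compare_digest(_authenticator(packet[:4], attrs, secret), packet[4:20]):
        raise ValueError("bad Request Authenticator")
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        out[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return out

def apply_record(sessions, attrs):
    """Update {session id: (MAC, state)} from one verified record."""
    status = int.from_bytes(attrs[ACCT_STATUS_TYPE], "big")
    if status in STATE:  # ignore Accounting-On/Off and unknown types
        sessions[attrs[ACCT_SESSION_ID].decode()] = (attrs[CALLING_STATION_ID].decode(), STATE[status])
    return sessions

def demo(secret=b"constructed-secret"):
    """Constructed sample: one end-system session starts, then stops."""
    sessions, history = {}, []
    for ident, status in ((1, 1), (2, 2)):
        attributes = [(CALLING_STATION_ID, b"00-11-22-33-44-55"), (ACCT_SESSION_ID, b"sess-0001"),
                      (ACCT_STATUS_TYPE, status.to_bytes(4, "big"))]
        apply_record(sessions, parse_request(build_request(ident, attributes, secret), secret))
        history.append(sessions["sess-0001"])
    return history
```

A record whose authenticator does not verify is rejected before it can change session state, so a mismatched shared secret on the switch shows up as missing connection status rather than wrong status.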

Considerations for Fixed Switching Devices

NAC uses a combination of SNMP and CLI (command line interface) to configure RADIUS accounting on Extreme Networks stackable and standalone devices (A-Series, B-Series, C-Series, D-Series, G-Series, and I-Series). Due to a limitation on the SNMP interface, the configuration can be read via SNMP, but must be written to the device via CLI. Before enabling RADIUS accounting on these devices, read through the following considerations.

  NOTE: These considerations do not apply to A4, B5, and C5 devices running firmware version 6.81 and higher. Those devices support RADIUS accounting configuration using SNMP.
  • The devices must be assigned a Device Access profile that provides Write access and includes CLI credentials for Telnet or SSH. Profiles and CLI credentials are configured using the Authorization/Device Access tool's Profile/Credentials tab.
  • Before you enforce a new RADIUS server configuration to your fixed switching devices, you should verify that your CLI credentials are configured according to the settings in your new configuration. This is because the Enforce process first writes the RADIUS server configuration to the switch using SNMP, and then writes the RADIUS accounting configuration to the switch using Telnet or SSH. If CLI credentials are not configured according to the new RADIUS server configuration, then the RADIUS accounting configuration will not be written to the switches.

    For example, by default you can Telnet to a fixed switching device using username=admin (with no password or a blank password). But, if you configure a new RADIUS configuration with an Auth Access Type (or Realm Type)=Any, then you may need to change the Device Access for the switches to use the IAS credentials, in order for NAC Manager to successfully write the RADIUS accounting information to the switches during Enforce.

Fixed switches only allow one accounting server to be configured. If a primary and secondary NAC gateway are configured for the switch, only the primary gateway's accounting configuration will be written to the switch. If a secondary gateway is configured, a warning will be displayed.

Considerations for ExtremeXOS Devices

NAC uses CLI access to perform RADIUS accounting configuration operations on ExtremeXOS devices. CLI credentials for the device are obtained from the device profile and must be configured in the Authorization/Device Access tool.

