This Help topic describes how to use RADIUS accounting to provide real-time end-system connection status in ExtremeCloud IQ Site Engine. RADIUS accounting collects various end-system session data that ExtremeCloud IQ Site Engine uses to determine connection status for each end-system session. This can be useful for compliance purposes, enabling you to determine both when an end-system session started and when it was terminated.
RADIUS accounting is also used to monitor switches for Auto Tracking, CEP (Convergence End Point), and Switch Quarantine authentication sessions, when used in conjunction with the Monitoring or Network Access switch authentication access types. (For more information, see the Auth. Access Type section of the Add/Edit Switch Window Help topics.)
You must be running ExtremeControl engine version 4.0 or higher to take advantage of RADIUS accounting functionality in ExtremeCloud IQ Site Engine.
For Extreme Networks stackable and standalone devices (A-Series, B-Series, C-Series, D-Series, G-Series, and I-Series), ExtremeCloud IQ Site Engine uses a combination of SNMP and CLI (command line interface) to configure RADIUS accounting on the switch. Before enabling RADIUS accounting on these devices, read through Considerations for Fixed Switching Devices below.
| NOTES: | RADIUS accounting is not supported on the ExtremeControl Controller. |
|---|
Use the following steps to enable RADIUS accounting:
- Enable RADIUS accounting on your switches and controllers using the instructions appropriate
for your devices.
For Extreme Networks devices or ExtremeWireless Controller devices running firmware version 9.21.x.x or newer:- If you are editing an existing device: In the right-panel Switches tab, select the devices you want to perform
RADIUS accounting and select the Edit button. The Edit Switches in ExtremeControl Appliance Group window opens.
If you are adding a new device: Select Add in the right-panel Switches tab and the Add Switches to ExtremeControl Appliance Group window opens. - Set the RADIUS Accounting option to Enabled. Select OK.
- Enforce to your engines.
For ExtremeWireless Controller devices running firmware versions older than 9.21.x.x:- RADIUS accounting must be enabled manually on the controller using the ExtremeWireless Assistant or the device CLI (command line interface).
- Be sure to configure the ExtremeControl engine IP address as the IP address of the RADIUS server. Refer to your wireless controller User Guide for instructions on enabling RADIUS accounting via the ExtremeWireless Assistant, or the CLI Reference Guide for the exact CLI command syntax to use.
For third-party switching devices:- RADIUS accounting must be enabled manually on the device using the device CLI (command line interface).
- Be sure to configure the ExtremeControl engine IP address as the RADIUS accounting server. Refer to your device documentation for the exact command syntax.
- If you are editing an existing device: In the right-panel Switches tab, select the devices you want to perform
RADIUS accounting and select the Edit button. The Edit Switches in ExtremeControl Appliance Group window opens.
- If you are doing RADIUS accounting in an ExtremeControl environment where the primary
RADIUS server is being used for redundancy in a single ExtremeControl engine
configuration (Basic AAA configuration only), then enable the Proxy
RADIUS Accounting Requests option in the Edit RADIUS Server window.
- In the Edit Basic AAA Configurations window, use the Configuration Menu button in the Primary RADIUS Server field to open the Manage RADIUS Servers window.
- Select the RADIUS Server and select Edit.
- Enable the Proxy RADIUS Accounting Requests option. Select OK.
- Enforce to your engine.
With RADIUS accounting enabled, you now see real-time connection status in the ExtremeCloud IQ Site Engine End-Systems tab and Dashboard.
Considerations for Fixed Switching Devices
ExtremeCloud IQ Site Engine uses a combination of SNMP and CLI (command line interface) to configure RADIUS accounting on Extreme Networks stackable and standalone devices (A-Series, B-Series, C-Series, D-Series, G-Series, and I-Series). Due to a limitation on the SNMP interface, the configuration can be read via SNMP, but must be written to the device via CLI. Before enabling RADIUS accounting on these devices, read through the following considerations.
| NOTE: | These considerations do not apply to A4, B5, and C5 devices running firmware version 6.81 and higher. Those devices support RADIUS accounting configuration using SNMP. |
- The devices must be assigned a Device Access profile that provides Write access and includes CLI credentials for Telnet or SSH. Profiles and CLI credentials are configured using the Authorization/Device Access tool's Profiles tab.
- Before you enforce a new RADIUS server configuration to your fixed switching devices, you should verify that your CLI credentials are configured according to the settings in your new configuration. This is because the Enforce process first writes the RADIUS server configuration to the switch using SNMP, and then writes the RADIUS accounting configuration to the switch using Telnet or SSH. If CLI credentials are not configured according to the new RADIUS server configuration, then the RADIUS accounting configuration are not written to the switches.
For example, by default you can Telnet to a fixed switching device using username=admin (with no password or a blank password). But, if you configure a new RADIUS configuration with an Auth Access Type (or Realm Type)=Any, then change the Device Access for the switches to use the IAS credentials, in order for ExtremeCloud IQ Site Engine to successfully write the RADIUS accounting information to the switches during Enforce.
Fixed switches only permit one accounting server to be configured. If a primary and secondary ExtremeControl gateway are configured for the switch, only the primary gateway's accounting configuration is written to the switch. If a secondary gateway is configured, a warning is displayed.
Considerations for ExtremeXOS/Switch Engine Devices
ExtremeCloud IQ Site Engine uses CLI access to perform RADIUS accounting configuration operations on ExtremeXOS/Switch Engine devices. CLI credentials for the device are obtained from the device profile and must be configured in the Authorization/Device Access tool.
For information on related help topics: