EX-SSLVPN: How to enable Radius Accounting on SMA Products? Common issues and limitation's re

03/26/2020 6 10851

DESCRIPTION:
EX-SSLVPN: How to enable Radius Accounting on SMA Products? Common issues and limitation's related to Radius Accounting.

RESOLUTION:

Question:

How to enable Radius Accounting?  What are common issue or queries arise while working with Radius Accounting?

Answer:

How to Enable Radius Accounting on SonicWall E-Class VPN device?

Launch Secure Mobile Access Management Console->Authentication Servers->Other Servers->"Edit"
(default Port  used by appliance to communicate for  Radius Accounting is 1646).



In addition you need to enable Radius Accounting for every realm, Management Console->Realms->



Common Issues / Queries related to Radius Accounting:


RADIUS ACCOUNTING PORTS

One very common mistake is to use the wrong RADIUS ports for authentication or accounting. The second round of RADIUS RFCs published in 2000 changed the default ports to 1812 for authentication and 1813 for accounting. Unfortunately AMC still defaults to the old ports (1646). If you are talking to a recent/strict RADIUS server (FreeRADIUS for example) it will be using the newer ports and none of your accounting records will be logged. If you are not seeing ANY RADIUS accounting events make sure that the port has been specified correctly in the AMC /configRadiusAcctg.do page (select 'Authentication Servers' on the left-hand navigation bar,then 'Radius Accounting').

MISSING RADIUS-STOP EVENTS RADIUS accounting is currently tied to the lifetime of a user session and has nothing to do with whether they are currently consuming a license. When a user first logs in a RADIUS-START event will be generated, and when they log out a RADIUS-STOP event is generated. There are some instances where a RADIUS-STOP even will not be generated, or will not be generated when some people expect.  A 'graceful logout' happens when the user manually disconnects Connect Tunnel or Mobile Connect VPN connection, or clicks on the 'Logout' button when using ExtraWeb/Workplace. Even when this happens there are instances where the RADIUS-STOP event is not generated. 

Exceeding Session Lifetime  

The session / credential lifetime defaults to 12 hours (this can be changed in AMC https://internal-ip:8443/configGeneralSummary.do). tunnels by default are allowed to exceed this lifetime -- if a user's tunnel lasts longer than 12 hours when they go to log out the internal session database will know nothing about the session and cannot look up the RADIUS accounting token to generate the RADIUS-STOP event.  

A similar situation exists for ExtraWeb users. If someone is idle and comes back to their workstation/browser after their session has timed out and clicks the 'logout' button the session database information will be missing and no RADIUS-STOP will be sent.  

This problem can be mitigated by using EPC rules to enforce idle timeouts. 

Network disconnects / timeouts The various tunnel clients do their best to reuse their session credentials when the VPN is dropped for an unknown reason (usually network disconnects). If this happens and the session cannot be reused then no RADIUS-STOP event will be generated.  

Appliance crash / hard stop When the appliance is shutting down it does not delete the session records. In an HA installation the other node will simply pick up the sessions and continue on, so deleting them would be the wrong thing to do. Unfortunately in a single node case, an appliance shutdown or hard crash will wipe out the session database and no RADIUS-STOP event will be generated.   

 See Also:

Tracking ID: 145819