Radius Accounting Issue

Hi

We have a number of XV2 and XV3 APs. One of our SSIDs is using Radius authentication (Windows NPS) to facilitate connectivity. We also have a Fortigate firewall which is fed accounting messages and creates user sessions including username, IP address and a ‘class’ which identifies user group for web filtering e.g. staff or student. We only use IPv4.

After upgrading to any version upward from 6.5.2-r12 I’m seeing user auth events including IPv6 router addresses, either alongside the IPv4 address or on their own. I’ve run a packet capture and can see a difference in the radius accounting packets, which now include a framed IPv6 field. As we don’t use IPv6 I’m not sure where it’s obtaining this from and why it’s included.

I’ve downgraded to firmware 6.5.1-r11 which has stopped the IPv6 field being sent. We have a small number of external APs which still appear to be sending IPv6 so I need to try downgrading them further.

Has anybody else seen this issue or perhaps could offer some advice on how to resolve this please?

Many thanks

Neil

@Neil_Orr ,
Let me check this and update you.

@Neil_Orr @nirajlochan Any updates on this? Almost a year has passed and I’m having the same issue: random IPv6 addresses on my FGT unit when none is used. This results in users failing to get their network privileges.

Update - I’ve been using the same firmware (6.5.1-r11) until the recent vulnerability forced us to upgrade to 6.6.0.3-r9. We’re now experiencing the same issue, which is impacting our radius BYOD. Random IPv6 addresses (I think these are the local link IPv6 device addresses and not assigned IPv6 addresses - we don’t utilise IPv6). Our Fortigate is not generating the correct authentication logs when the IPv6 records are sent, which means they cannot connect to the internet. Disabling WiFi and re-enabling often rectifies the issue, but as soon as the user roams the issue occurs again. It’s not sustainable like this.

How can I prevent IPv6 details (local link) from being included in the accounting packets please?


Let me check this and update you.

Thank you. I’ve been asked to try the following from support - but I’m not sure where I go to enter these commands:

We have the option for framed IP preference between v4 and v6.
Could you try the below commands in the corresponding WLAN and let us know if it rectifies the issue ?

wireless wlan
radius-server accounting framed-ip-preference v4

Any advice please?


We are in the exact same boat here; the only difference is we are getting blank groups, and that’s causing the same issue that the user can’t access the internet. Disabling WiFi for a minute solves it sometimes.


@nirajlochan Please do look into our issue here. Today I tried the suggestion

wireless wlan
radius-server accounting framed-ip-preference v4

and this turned into chaos. We need a solution for wrong accounting packets.

Hi Gabriel, please help me with a support ticket to get more detail on this, or an AP techdump or packet capture if you have any. I will take a look into this.

@Gabriel_Castro

Apologies if you already know this:

I think you need to specify the wireless wlan number of your specific WLAN. Mine was 2 but yours may be different. If you go to an AP in CNMaestro and click ‘Configuration’ then half way down there is an option for ‘View Device Configuration’. In here browse down and it will show you your wireless wlan numbers.

Additionally I’ve had another update from support and this is my new user-defined-overrides which I’ve applied to a test AP group with one AP. This is the exact code I’ve copied into the box (including exclamation marks):

!
wireless wlan 2
radius-server accounting framed-ip-preference v4
!
!
filter global-filter
application-control
air-cleaner all
filter precedence 11
layer3-filter deny ip6 any any any // block all ipv6 packets in and out wlan direction
exit
!

I’ll update this with some results as I roll it out to more APs.

Hi Sanjay, just got one tech dump from one of the 24 APs in production, again biggest issue is accounting packets missing the USER GROUP, just like my last post shows. Please help me out with your email

@Neil_Orr thanks for the update on the test. Yeah, I did find the proper wlan number for the 802.1x SSID, but after I changed it, it affected the whole network; couldn’t tell if it’s related or not. How’s the test doing?

Hi Gabriel,

sanjay.jadhav@cambiumnetworks.com

Good news! I’ve come in this morning and there is not one single fe80:: (IPv6) address on our Fortigate.

This is great! Would you mind sharing your configs on the Fortigate side and NPS? I’m trying to fix this.

Apologies, I was out of the office at a conference yesterday.

Under User-Defined Overrides I have the following:

!
wireless wlan 2
radius-server accounting framed-ip-preference v4
!
!
filter global-filter
application-control
air-cleaner all
filter precedence 11
layer3-filter deny ip6 any any any // block all ipv6 packets in and out wlan direction
exit
!

I’ve found out that this works on our XV2 and XV3 APs but it’s not supported on our e series APs (external), but we only have three of those. I’m hoping support can assist with a fix for those ones though.

AAA Servers settings (CNMaestro) are standard:

Host - Secret - Port
Accounting Mode = Start-Stop
Accounting Packet = ticked
Dynamic VLAN = ticked
Called Station ID = AP-MAC:SSID

NPS Server:

NPS → Policies → Network Policies → Policy_name → Properties → Radius Attributes - Standard → Class = desired fortigate group name, Framed-Protocol = PPP, Service-Type = Framed.
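
One way to check a captured Accounting-Request for the two symptoms reported in this thread (an IPv6 framed attribute, a missing Class), as an added example that is not from any poster, Cambium or Fortinet. Attribute numbers come from RFC 2865, RFC 3162 and RFC 6911; the function names and the two sample packets are constructed for illustration.

```python
import ipaddress
import struct

# The thread does not say which IPv6 attribute the APs send, so flag all three.
IPV6_ATTRS = {96: "Framed-Interface-Id", 97: "Framed-IPv6-Prefix",
              168: "Framed-IPv6-Address"}

def parse_attributes(packet: bytes) -> list:
    """Return (type, value) pairs from an Accounting-Request UDP payload."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute at offset {pos}")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def audit(packet: bytes) -> dict:
    """Summarise the fields a firewall would build a user session from."""
    out = {"user": None, "ipv4": None, "ipv6": [], "class": None}
    for a_type, value in parse_attributes(packet):
        if a_type == 1:                          # User-Name
            out["user"] = value.decode("utf-8", "replace")
        elif a_type == 8 and len(value) == 4:    # Framed-IP-Address
            out["ipv4"] = str(ipaddress.IPv4Address(value))
        elif a_type == 25:                       # Class (group name set in NPS)
            out["class"] = value.decode("utf-8", "replace")
        elif a_type == 168 and len(value) == 16:
            out["ipv6"].append(str(ipaddress.IPv6Address(value)))
        elif a_type in IPV6_ATTRS:
            out["ipv6"].append(f"{IPV6_ATTRS[a_type]}:{value.hex()}")
    flags = {"ipv6-attribute-present": bool(out["ipv6"]),
             "no-framed-ip-address": out["ipv4"] is None,
             "missing-class": not out["class"]}
    out["problems"] = [name for name, hit in flags.items() if hit]
    return out

def build(attrs) -> bytes:
    """Constructed sample packet (zeroed authenticator, not a real capture)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body

GOOD = build([(1, b"jsmith"), (8, bytes([10, 0, 0, 5])), (25, b"staff")])
BAD = build([(1, b"jsmith"), (168, ipaddress.IPv6Address("fe80::1").packed)])
```

Feed `audit()` the UDP payload of each accounting packet exported from a capture; a non-empty `problems` list marks the packets worth attaching to a support ticket.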