Configuring RADIUS user accounting
NetScaler Gateway can send user-session start and stop messages to your RADIUS accounting server. The messages, which are sent for each user session, include a subset of the attributes defined in RFC 2866. Table 1 lists the supported attributes and the types of RADIUS accounting messages (RAD_START and RAD_STOP) in which they are sent. Table 2 lists the predefined values that can be assigned to the Acct-Terminate-Cause attribute, and the corresponding NetScaler Gateway events.
Table 1. Supported RADIUS Attributes
Attribute | Meaning | RAD_START | RAD_STOP |
---|---|---|---|
User-Name | Name of user associated with the session. | X | X |
Session-Id | The NetScaler session ID. | X | X |
Acct-Session-Time | Session duration, in seconds. | X | |
Acct-Terminate-Cause | Reason for account termination. | X |
Table 2. RADIUS Termination Causes
NetScaler Logout Method | RADIUS Termination Cause |
---|---|
LOGOUT_SESSN_TIMEDOUT | RAD_TERM_SESSION_TIMEOUT |
LOGOUT_SESSN_INITIATEDBYUSER | RAD_TERM_USER_REQUEST |
LOGOUT_SESSN_KILLEDBYADMIN | RAD_TERM_ADMIN_RESET |
LOGOUT_SESSN_TLOGIN | RAD_TERM_NAS_REQUEST |
LOGOUT_SESSN_MAXLICRCHD | RAD_TERM_NAS_REQUEST |
LOGOUT_SESSN_CLISECCHK_FAILED | RAD_TERM_NAS_REQUEST |
LOGOUT_SESSN_PREAUTH_CHANGED | RAD_TERM_NAS_REQUEST |
LOGOUT_SESSN_COOKIE_MISMATCH | RAD_TERM_NAS_REQUEST |
LOGOUT_SESSS_DHT | RAD_TERM_NAS_REQUEST |
LOGOUT_SESSS_2FACTOR_FAIL | RAD_TERM_NAS_REQUEST |
LOGOUT_SESSN_ICALIC | RAD_TERM_NAS_REQUEST |
LOGOUT_SESSN_INTERNALERR | RAD_TERM_NAS_ERROR |
Other | RAD_TERM_NAS_ERROR |
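The following Python sketch is an added example, not Citrix code. It shows how an accounting collector can verify the RFC 2866 Request Authenticator on a stop message and decode the attributes from Table 1. It assumes that Session-Id travels as Acct-Session-Id (type 44), that RAD_START and RAD_STOP correspond to Acct-Status-Type 1 and 2, and that the RAD_TERM_* names pair with the RFC 2866 cause codes of the same meaning; the shared secret and the packet are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4  # RFC 2866 Accounting-Request packet code
ATTRS = {1: "User-Name", 40: "Acct-Status-Type", 44: "Acct-Session-Id",
         46: "Acct-Session-Time", 49: "Acct-Terminate-Cause"}  # type 40: 1=start, 2=stop
INT_ATTRS = {40, 46, 49}  # 32-bit integers; the rest are decoded as text
# RFC 2866 cause codes; pairing them with Table 2's names is an assumption.
TERM_CAUSE = {1: "RAD_TERM_USER_REQUEST", 5: "RAD_TERM_SESSION_TIMEOUT",
              6: "RAD_TERM_ADMIN_RESET", 9: "RAD_TERM_NAS_ERROR",
              10: "RAD_TERM_NAS_REQUEST"}

def authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, attrs, secret):
    """Encode an Accounting-Request; used here only to construct sample input."""
    body = b""
    for typ, val in attrs:
        raw = val.to_bytes(4, "big") if typ in INT_ATTRS else val.encode()
        body += bytes([typ, len(raw) + 2]) + raw
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + authenticator(header, body, secret) + body

def parse_request(packet, secret):
    """Check the Request Authenticator, then decode the attributes above."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet) or packet[0] != ACCT_REQUEST:
        raise ValueError("not a well-formed Accounting-Request")
    body = packet[20:length]
    if not hmac.compare_digest(authenticator(packet[:4], body, secret), packet[4:20]):
        raise ValueError("bad authenticator: wrong shared secret or altered packet")
    out, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        typ, raw = body[i], body[i + 2:i + body[i + 1]]
        i += body[i + 1]
        if typ in ATTRS:
            out[ATTRS[typ]] = (int.from_bytes(raw, "big") if typ in INT_ATTRS
                               else raw.decode("utf-8", "replace"))
    out["Cause-Name"] = TERM_CAUSE.get(out.get("Acct-Terminate-Cause"))
    return out

SECRET = b"constructed-secret"  # constructed shared secret, not a real one
SAMPLE_STOP = build_request(7, [(1, "alice"), (40, 2), (44, "sess-0001"),
                                (46, 1800), (49, 5)], SECRET)  # constructed RAD_STOP
```

A packet that fails the authenticator check was either sent with a different shared secret or modified in transit, so the collector should drop it rather than record it.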
Configuration of RADIUS user accounting requires the creation of a pair of policies. The first policy is a RADIUS authentication policy that designates a RADIUS server to which to send accounting messages. The second is a session policy that uses the RADIUS accounting policy as its action.
To configure RADIUS user accounting, you must:
- Create a RADIUS policy to define the RADIUS accounting server. The accounting server can be the same server that you use for RADIUS authentication.
- Create a session policy, using the RADIUS policy as an action that specifies the RADIUS user accounting server.
- Bind the session policy either globally, so that it applies to all traffic, or to a NetScaler Gateway virtual server, so that it applies only to traffic flowing through that virtual server.
To create a RADIUS policy
- In the configuration utility, in the navigation pane, expand the NetScaler Gateway node, and then Policies.
- Expand Authentication and select RADIUS.
- In the details pane, on the Policies tab, click Add.
- Enter a name for the policy.
- Select a server from the Server menu, or click the + icon and follow the prompts to add a new RADIUS server.
- In the Expression pane, from the Saved Policy Expressions menu, select ns_true.
- Click Create.
To create a session policy
After configuring a RADIUS policy that specifies the RADIUS accounting server, create a session policy that applies this accounting server in an action, as follows:
- In the configuration utility, in the navigation pane, expand the NetScaler Gateway node, and then Policies.
- Select Session.
- In the main details pane, select Add.
- Enter a name for the policy.
- In the Action menu, click the + icon to add a new session action.
- Enter a name for the session action.
- Click the Client Experience tab.
- In the Accounting Policy menu, select the RADIUS policy that you created earlier.
- Click Create.
- In the Expression pane, from the Saved Policy Expressions menu, select ns_true.
- Click Create.
To bind the session policy globally
- In the configuration utility, in the navigation pane, expand the NetScaler Gateway node, and then Policies.
- Select Session.
- From the Action menu in the main details pane, select Global Bindings.
- Click Bind.
- In the Policies pane, select the session policy that you created earlier, and then click Insert.
- In the Policies listings, click the Priority entry for the session policy and enter a value from 0 to 64000.
- Click OK.
To bind the session policy to a NetScaler Gateway virtual server
- In the configuration utility, in the navigation pane, expand the NetScaler Gateway node, and then select Virtual Servers.
- In the main details pane, select a virtual server, and then click Edit.
- In the Policies pane, click the + icon to select a policy.
- From the Choose Policy menu, select Session, and make sure that Request is selected in the Choose Type menu.
- Click Continue.
- Click Bind.
- In the Policies pane, select the session policy that you created earlier, and then click Insert.
- Click OK.