Policy center fails to authenticate users from wireless network due to no accounting configuration

Publication Date:  2015-04-23 Views:  468 Downloads:  0
Issue Description
A customer installed an AC6005 with 2 APs, and configured portal authentication on Policy center, AR acted as gateway and had authentication configuration, so AC6605 only managed APs . At first end users can login SSID and access internet, but after a period, new users failed to login.

The software version of policy center is V100R003.
This is the topology:

Alarm Information
None
Handling Process

(1) Since at first end users can login SSID and pass portal authentication, so the route between the network device is OK, and the basic configuration should be OK.
(2) Login Policy center to check the login log. And found that there are many logs of “Identify authentication failed” for anonymous user.


(3) Check the license information, we found that the customer purchased license quantity of 200 users, but the used license quantity is 210. That is the cause that new users can’t pass portal authentication.


(4) But the customer replied that the concurrent users are much less than 200. We checked the radius online user, and found that too many users login from several days ago. The current date is 2015-04-12, but there are too many users still online since several days ago. The project is belongs a restaurant, so it’s impossible for so many users to be online for so many days. It’s abnormal.


(5) Check the configuration of AR2200, and found the accounting scheme is configured.

 aaa
authentication-scheme default
authentication-scheme TSM
  authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme TSM
  accounting-mode radius
  accounting realtime 6
domain default 
  authentication-scheme TSM
  accounting-scheme TSM
  radius-server TSM
domain default_admin


(6) Check the accounting configuration in Policy Center.
Choose Access Control Policy > Access Device > Access Device Management > Device. And found that the account parameter is not configured.

Root Cause
In policy center, the accounting parameter is not configured, and the “real-time charging interval” should be same as that configured in AR. If not, policy center doesn’t know when the online user will be offline, so it just waits the session expired. That is why we can see so many users online, but many users are actually not online. Those users occupy the license item number, when the license number reaches the purchased license quantity, new users can’t login SSID with portal authentication.
Solution
In policy center, change the “Real-time charging interval” to same as that configured in AR.

After the change, the customer replied the issue had been resolved. Now new user can access SSID with portal authentication.
Suggestions
When you configure authentication parameter in policy center, don’t forget to configure “Real-time charging interval”, and the value should be same as that configured on interconnect device.

END