Access Security Guide K/KA/KB.15.15
Table 13 Client records provided under port-based access control (continued)
  • Nas-Port
  • Acct-Terminate-Cause
  • NAS-Identifier
  • Acct-Output-Octets
  • Acct-Authentic
  • Calling-Station-Id
  • Acct-Session-Time
  • Acct-Delay-Time
  • HP-acct-terminate-cause
  • User-Name
  • Acct-Input-Packets
  • MS-RAS-Vendor
• Exec accounting
Provides records holding the information listed below about login sessions (console, Telnet,
and SSH) on the switch:
  • NAS-IP-Address
  • Acct-Delay-Time
  • Acct-Session-Id
  • Acct-Status-Type
  • NAS-Identifier
  • Acct-Session-Time
  • User-Name
  • Acct-Terminate-Cause
  • Calling-Station-Id
  • MS-RAS-Vendor
  • Service-Type
  • Acct-Authentic
• System accounting
Provides records containing the information listed below when system events occur on the
switch, including system reset, system boot, and enabling or disabling of system accounting.
  • NAS-Identifier
  • Acct-Delay-Time
  • Acct-Session-Id
  • Acct-Status-Type
  • Calling-Station-Id
  • Username
  • Service-Type
  • Acct-Terminate-Cause
  • Acct-Session-Time
  • MS-RAS-Vendor
  • NAS-IP-Address
  • Acct-Authentic
• Commands accounting
Provides records containing information on CLI command execution during user sessions.
  • Calling-Station-Id
  • User-Name
  • Acct-Session-Id
  • Acct-Status-Type
  • HP-Command-String
  • NAS-IP-Address
  • NAS-Identifier
  • Service-Type
  • Acct-Delay-Time
  • NAS-Port-Type
  • Acct-Authentic
• RADIUS accounting with IP attribute
The RADIUS Attribute 8 (Framed-IP-Address) feature provides the RADIUS server with information
about the client's IP address after the client is authenticated. DHCP snooping is queried for
the IP address of the client, so DHCP snooping must be enabled for the VLAN of which the
client is a member.
When the switch begins communications with the RADIUS server, it sends the IP address of the
client requesting access as RADIUS Attribute 8 (Framed-IP-Address) in the RADIUS accounting
request. The RADIUS server can use this information to build a map of usernames and
addresses.
It may take a minute or longer for the switch to learn the IP address and then send the
accounting packet with the Framed-IP-Address attribute to the RADIUS server. If the switch
does not learn the IP address after a minute, it sends the accounting request packet to the
RADIUS server without the Framed-IP-Address attribute. If the IP address is learned at a later
time, it will be included in the next accounting request packet sent.
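
The mapping described above, as an added example (not code from this guide or from HP): a Python parser for RADIUS Accounting-Request packets that builds the username/address map keyed by Acct-Session-Id and leaves the address empty until a later request carries Framed-IP-Address. The function names and the sample packets produced by `build_request` are constructed for illustration, and using Interim-Update for the later request is an assumption.

```python
import socket
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 8, 40, 44
START, STOP, INTERIM_UPDATE = 1, 2, 3  # Acct-Status-Type values


def parse_attributes(packet):
    """Return {attribute type: raw value} for one Accounting-Request."""
    length = int.from_bytes(packet[2:4], "big")
    if packet[:1] != bytes([ACCOUNTING_REQUEST]) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20  # attributes start after the 20-byte header
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs


def update_session_map(sessions, packet):
    """Track Acct-Session-Id -> {"user", "ip"}; ip stays None until attribute 8 arrives."""
    attrs = parse_attributes(packet)
    if ACCT_SESSION_ID not in attrs or ACCT_STATUS_TYPE not in attrs:
        raise ValueError("missing Acct-Session-Id or Acct-Status-Type")
    sid = attrs[ACCT_SESSION_ID].decode()
    if int.from_bytes(attrs[ACCT_STATUS_TYPE], "big") == STOP:
        sessions.pop(sid, None)  # session ended, drop the mapping
        return
    entry = sessions.setdefault(sid, {"user": None, "ip": None})
    if USER_NAME in attrs:
        entry["user"] = attrs[USER_NAME].decode()
    if FRAMED_IP_ADDRESS in attrs:  # absent until the switch has learned the client IP
        entry["ip"] = socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS])


def build_request(status, sid, user, ip=None):
    """Constructed sample packet; the authenticator is zeroed, not computed."""
    pairs = [(USER_NAME, user.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", status)),
             (ACCT_SESSION_ID, sid.encode())]
    if ip:
        pairs.append((FRAMED_IP_ADDRESS, socket.inet_aton(ip)))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body
```

A collector on a live network would also verify the Request Authenticator against the shared secret (RFC 2866) before trusting a packet; the sample packets here carry a zeroed authenticator.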
186 RADIUS Authentication, Authorization, and Accounting