el_greeko
Feb 15, 2023

RADIUS Authentication works but not Accounting

First time using DevCentral, so apologies in advance if I make any mistakes.

Using BIG-IP 16.1.3.3 Build 0.0.3 Point Release 3

As the title says, I've set up an F5 BIG-IP with SSL-VPN which sends the authentication to a RADIUS Server. This part is working.

In F5 the RADIUS Server is set to be used for both Authentication (1812) and Accounting (1813).

When the Access Policy looks like this Authentication works:
Start -> Logon Page -> RADIUS Auth -> Advanced Resource Assign -> Allow
So the connection between F5 and RADIUS Server is working.

When I add RADIUS Accounting it fails with "Access was denied by the access policy":
Start -> Logon Page -> RADIUS Auth -> RADIUS Acct -> Advanced Resource Assign -> Allow

I ran tcpdump on port 1812 and 1813 without seeing any info regarding accounting. I even ran:
tcpdump host <IP-address of RADIUS Server>
but nothing regarding Accounting. RADIUS Authentication (Access Request/Access Accept) is shown though.

So it seems to me like F5 isn't even trying to send the Accounting Start.

I'm quite familiar with the RADIUS Server but rather new to F5, so if anyone has an idea of what to do I greatly appreciate it.

  • You can temporarily enable debugging to see exactly what is happening that causes the session to be rejected.

    In the logging profile associated with your access profile, change the log level to debugging for Access Policy logs.

    To see the debug logs for a specific session: overview > Access reports and run the All Sessions report (the default one). You'll probably get hundreds of debugging lines (you can search for terms like denied or fallback).

    Don't forget to roll back the logging level to avoid unnecessary logs.
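
The capture check described in the question can be made exact by decoding each RADIUS UDP payload and looking for an Accounting-Request (code 4) whose Acct-Status-Type (attribute 40) is Start. This is an added example, not part of the thread or F5's tooling; the function names and the sample packets are constructed for illustration, and the payloads are assumed to be UDP payloads already extracted from a capture on ports 1812/1813.

```python
import struct

# RADIUS packet codes and Acct-Status-Type values (RFC 2865 / RFC 2866)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE = 1, 40


def parse_radius(payload: bytes) -> dict:
    """Decode the UDP payload of one RADIUS packet into a summary dict."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match payload")
    info = {"code": CODES.get(code, f"Unknown({code})"), "id": ident,
            "user": None, "acct_status": None}
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = payload[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            info["user"] = value.decode("utf-8", "replace")
        elif atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            n = struct.unpack("!I", value)[0]
            info["acct_status"] = ACCT_STATUS.get(n, f"Other({n})")
        pos += alen
    return info


def saw_accounting_start(payloads) -> bool:
    """True if any payload is an Accounting-Request with Acct-Status-Type Start."""
    return any(p["code"] == "Accounting-Request" and p["acct_status"] == "Start"
               for p in map(parse_radius, payloads))


def _pkt(code, ident, attrs):  # builds constructed sample packets
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: auth-only traffic as seen in the post, then with accounting.
AUTH_ONLY = [_pkt(1, 7, [(1, b"alice")]), _pkt(2, 7, [])]
WITH_ACCT = AUTH_ONLY + [_pkt(4, 8, [(1, b"alice"), (40, struct.pack("!I", 1))])]

if __name__ == "__main__":
    print(saw_accounting_start(AUTH_ONLY), saw_accounting_start(WITH_ACCT))
```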