CUI Information in RADIUS Accounting

CUI Information in RADIUS Accounting Request

Chargeable User Identity (CUI) is a unique identifier for a client visiting a network regardless of the outer identity or the device used for login. In other words, CUI is an obscured version of a username. A client must be authenticated and authorized before being allowed to the network. The CUI attribute can be used as an alternative for a client’s username as part of the authentication process.

To handle RADIUS attribute 89 processing, a null value of CUI is attached an access-request sent to a AAA server. This is done using the access-session wireless cui-enable command. As part of an access-accept message, a CUI-capable AAA server sends the CUI string to the controller. The controller then sends this received CUI attribute in accounting packets and other access-request packets, if any.

Prerequisites

Ensure that AAA override is enabled.

Restrictions

  • Only 802.1x network authentication protocol is supported.

  • Inter-Release Controller Mobility (IRCM) is not supported.

  • FlexConnect local authentication is not supported. Only local mode and FlexConnect central authentication mode is supported.

Adding CUI Information in a RADIUS Accounting Request

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

access-session wireless cui-enable

Example:

Device(config)# access-session wireless cui-enable

Adds CUI attribute in authentication and accounting messages sent to the AAA server.

Verifying CUI Information in a RADIUS Accounting Request

To view the CUI attribute in an accounting request on aAAA server, use the following command:

Device# show wireless client mac-address aaa.bbb.ccc.ddd detail
.
.
.
Session Manager:
  Point of Attachment : capwap_90000005
  IIF ID             : 0x90000005
  Authorized         : TRUE
  Session timeout    : 1800
  Common Session ID: 8A45400A0000000CE0527C5F
  Acct Session ID  : 0x00000003
  Last Tried Aaa Server Details:
        Server IP : 10.64.69.141
  Auth Method Status List
        Method : Dot1x
                SM State         : AUTHENTICATED
                SM Bend State    : IDLE
  Local Policies:
        Service Template : wlan_svc_default-policy-profile_local (priority 254)
                VLAN             : 59
                Absolute-Timer   : 1800
  Server Policies:
                CUI              : 13e158006855c2ff718cc84487653f5a6ea55def
  Resultant Policies:
                CUI              : 13e158006855c2ff718cc84487653f5a6ea55def
                VLAN Name        : VLAN0059
                VLAN             : 59
                Absolute-Timer   : 1800