A user reports that the RADIUS accounting packets are not being seen on the Cisco ISE server. Which command is the user missing in the switch's configuration?
A.
aaa accounting resource default start-stop group radius
B.
radius-server vsa send accounting
C.
aaa accounting network default start-stop group radius
D.
aaa accounting exec default start-stop group radius
The correct answer is aaa accounting network default start-stop group radius.
The command aaa accounting network default start-stop group radius enables RADIUS accounting for all network activity on the switch. This includes both inbound and outbound traffic. The start-stop keyword tells the switch to send a RADIUS accounting packet at the beginning and end of each network activity. The group radius keyword tells the switch to send the RADIUS accounting packets to the RADIUS server that is configured in the radius-server command.
I go with B to iceise provided a very useful link:
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1050265
he Cisco ISE network enforcement device (switch) is missing the radius-server vsa send accounting command.
For me in this case is B:
You can configure the device to send Cisco vendor-specific attributes (VSAs) to the RADIUS server.
Before VSAs can be sent in the accounting records you must configure this command:
radius-server vsa send accounting
Here they are asking about the switch that needs to send these packets.
BTW in every reference guide the configuration provided by Cisco is this:
You must configure the RADIUS server to perform accounting tasks.
Router# configure terminal
Router(config)# aaa new-model
Router(config)# radius-server host 172.20.39.46 auth-port 1812 acct-port 1813 key rad123
Router(config)# aaa accounting dot1x default start-stop group radius
Router(config)# aaa accounting system default start-stop group radius
Router(config)# end
Router#
BTW THE COMMAND aaa accounting network deafult start-stop group radius EXISTS TRY IT!
Link for answer:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-sy/sec-usr-8021x-15-sy-book/sec-ieee-802x-rad-account.pdf
Link for provided accounting configuration cisco:
https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-802x-rad-account.html
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/sec-ieee-802x-rad-account.pdf
guys! Watch out! The commands related to the network function are needed for this purpose only:
Accounting method lists are specific to the type of accounting being requested. AAA supports six different types of accounting:
Network--Provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.
The AAA server checks if a PPP session by the client is allowed. Moreover, PPP options can be requested by the client: callback, compression, IP address, and so on. These options have to be configured on the user profile on the AAA server. Moreover, for a specific client, the AAA profile can contain idle-timeout, access-list and other per-user attributes which will be downloaded by the Cisco IOS software and applied for this client.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-cfg-accountg.html
https://www.certificationkits.com/cisco-certification/ccna-security-certification-topics/ccna-security-aaa-on-cisco-routers/ccna-security-configuring-aaa/
For me the valid option is still B if the documentation provided by Cisco is right the aaa accounting network provide only informations related to PPP, SLIP, or ARAP sessions.
radius-server vsa send accounting - > Enables the gateway to recognize and use accounting VSAs as defined by RADIUS attribute 26.
aaa accounting network default start-stop group radius - > Enable accounting for all network-related service requests and list the default method to use for all start-stop accounting services.
I would go for C too, refer to the below link explaining that B is not serving exactly the purpose mentioned here.
https://www.cisco.com/c/en/us/td/docs/ios/voice/cdr/developer/manual/cdrdev/cdradius.html
https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1050265
RADIUS Accounting Packets (Attributes) Not Coming from Switch
Possible Causes
The Cisco ISE network enforcement device (switch) is missing the radius-server vsa send accounting command.
Choosing B because the correct command for enabling accounting on switch is as below:
aaa accounting system default start-stop group radius
aaa accounting dot1x default start-stop group radius
The answers dont show any such command. Whilst the VSA attributes are sent by default in newer OS versions, B still is more valid answer than the others
Sorry changing answer to C. A google search of the other command revealed that it is does exist:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-10/configuration_guide/sec/b_1610_sec_9200_cg/configuring_accounting.html
aaa accounting network default start-stop group loginrad (where loginrad is the name of group of radius servers). Correct answer is C
CORRECT IS C
Cause Beginning from Cisco IOS version 15.2(1)E / XE 3.5.0E , the VSA commands are enabled by default. To disbale VSA, the “no” option must be used.
Correct answer is the command in answer C
This section is not available anymore. Please use the main Exam Page.300-715 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
denverfly
Highly Voted 1 year, 7 months agoNikoTomas
10 months, 2 weeks agoNikoTomas
10 months, 2 weeks agoNullNull88
Most Recent 10 months, 1 week agoNikoTomas
11 months agoXBfoundX
1 year, 1 month agoXBfoundX
1 year, 1 month agoXBfoundX
1 year, 1 month agoXBfoundX
1 year, 1 month agoXBfoundX
1 year, 1 month agoIETF1
1 year, 2 months agoLeogxn
1 year, 5 months agoCnoteone
1 year, 9 months agoYmerG
1 year, 10 months agoiceise
2 years, 2 months agohisho72
2 years, 4 months agogetafix
2 years, 6 months agogetafix
2 years, 6 months agoMrCalifornia
3 years, 9 months agoPipi
3 years, 9 months ago