SSO via Radius Accounting not working - Errors in access_server.log

Question

Hello! 
 I have configured SSO via radius accounting in my home network. I use Microsoft NPS on Server 2016 as a Radius server and three access points running OpenWRT. 
 Radius authentication on the accesspoints is working fine and the accounting is configured to end up at the Firewall XG. 
 My problem now is, that XG is not recognizing any of the users authenticated to the WIFI. In the UI i do not see any messages at all. In the access_server.log however i get lots of error messages. 10.200.254.253 is one of my APs. 
 I have tried on various versions of XG and also purposefully moved to a new hardware running on SFVH_SO01_SFOS 16.05.1 MR-1. 
 Is there any hint you could give me how to go forward in my search? 
 Thanks + best regards 
 Michael 
 
 MESSAGE Mar 12 19:41:06 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253 ERROR Mar 12 19:41:06 [4144719680]: handle_radius_account_req: couldn't initialize dictionary MESSAGE Mar 12 19:41:10 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253 ERROR Mar 12 19:41:10 [4144719680]: handle_radius_account_req: received radius accounting with status 1 ERROR Mar 12 19:41:10 [4144719680]: handle_radius_account_req: received radius accounting packet without login ip host MESSAGE Mar 12 19:42:06 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253 ERROR Mar 12 19:42:06 [4144719680]: handle_radius_account_req: received radius accounting with status 3 MESSAGE Mar 12 19:43:03 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253 ERROR Mar 12 19:43:03 [4144719680]: handle_radius_account_req: received radius accounting with status 2 MESSAGE Mar 12 19:43:05 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253 ERROR Mar 12 19:43:05 [4144719680]: handle_radius_account_req: received radius accounting with status 1 ERROR Mar 12 19:43:05 [4144719680]: handle_radius_account_req: received radius accounting packet without login ip host MESSAGE Mar 12 19:43:19 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253 ERROR Mar 12 19:43:19 [4144719680]: handle_radius_account_req: received radius accounting with status 1 ERROR Mar 12 19:43:19 [4144719680]: handle_radius_account_req: received radius accounting packet without login ip host MESSAGE Mar 12 19:44:05 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253 ERROR Mar 12 19:44:05 [4144719680]: handle_radius_account_req: received radius accounting with status 3 MESSAGE Mar 12 19:44:19 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253 ERROR Mar 12 19:44:19 [4144719680]: handle_radius_account_req: received radius accounting with status 3 MESSAGE Mar 12 19:45:05 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253

Michael Cicogna · Accepted Answer

Hello again! 
 With some help I was able to verify that XG is actually doing what it is supposed to. 
 XG seems to expect either Login-IP-Host or Framed-IP-Adress to be included in any of the Radius packets. It does not need to be in the start - an IP adress in any of the update packets is enough. I tested that with NTRadPing Utility and the SSO authentication captures the data that i sent in. 
 In conclusion my APs are not sending any of these fields to XG - which is somewhat logical as they don't do DHCP themself but rather let an external DHCP server do the work. There seems to be some DHCP Snooping code in the hostapd package but so far i was not able to get it to work properly. If somebody got that setup working I would really like to know how you did it :) 
 Sorry for bothering you in the first place - Thanks again for your support 
 best regards 
 Michael

Aditya Patel · Answer

HI Michael, 
 It would seem the issue with Segmentation fault or some issue with the service , Could you check the status of the service in Shell access Console > option 5 > Option 3 
 service -S | grep access 
 output :Access_server |running/dead/stopped 
 If possible restart the service for the same if not running 
 service access_server:restart -ds nosync 
 Output fail or 200 Ok 
 This should resolve your issue , if not you may post the output of your authentication service and also provide me a scenario which this event would reproduce easily.