Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

show network-access aaa statistics

Syntax

Description

Display AAA accounting, address-assignment, dynamic request statistics, RADIUS settings and statistics, Security Assertion Markup Language (SAML) authentication statistics, and subscriber session limit statistics.

Options

accounting (detail)

(Optional) Display AAA accounting statistics. The detail keyword displays additional accounting information

address-assignment (client | pool pool-name)

(Optional) Display AAA address-assignment client and pool statistics.

dynamic-requests

(Optional) Display AAA dynamic requests.

radius

(Optional) Display RADIUS settings and statistics.

saml

(Optional) Display SAML authentication statistics.

session-limit-per-username

Maximum number of sessions allowed for a username per access profile. Use the brief option to display only active users with blocked requests. Use the detail option to display all active users.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show network-access aaa statistics command. Output fields are listed in the approximate order in which they appear.

Table 1: show network-access aaa statistics Output Fields

Field Name

Field Description

Level of Output

Requests received

  • Number of accounting requests generated by the AAA framework.

  • Number of dynamic requests received from the external server.

Does not include requests sent from backup accounting.

All levels

Accounting request failures

Number of accounting requests that failed to be sent or queued from a client to a RADIUS accounting server.

Does not include requests sent from backup accounting.

detail

Accounting request success

Number of accounting requests successfully sent or queued from a client to a RADIUS accounting server.

Does not include requests sent from backup accounting.

detail

Account on requests

Number of accounting on requests sent from a client to a RADIUS accounting server.

detail

Accounting start requests

Number of accounting start requests sent from a client to a RADIUS accounting server.

detail

Accounting interim requests

Number of accounting interim requests sent from a client to a RADIUS accounting server.

detail

Accounting stop requests

Number of accounting stop requests sent from a client to a RADIUS accounting server.

Does not include requests sent from backup accounting.

detail

Accounting request timeouts

Number of accounting requests to the accounting server that timed out. This field was named Timed out requests in releases before Junos OS Release 16.1.

Does not include requests sent from backup accounting.

All levels

Accounting Response failures

Number of accounting requests not acknowledged (NAK) by the accounting server.

Does not include requests sent from backup accounting.

All levels

Accounting response success

Number of accounting requests acknowledged by the accounting server.

Does not include requests sent from backup accounting.

All levels

Account on responses

Number of accounting on requests acknowledged by the RADIUS accounting server.

detail

Accounting start responses

Number of accounting start requests acknowledged by the RADIUS accounting server.

detail

Accounting interim responses

Number of accounting interim requests acknowledged by the RADIUS accounting server.

detail

Accounting stop responses

Number of accounting stop requests acknowledged by the RADIUS accounting server.

Does not include requests sent from backup accounting.

detail

Accounting rollover requests

Number of accounting requests coming to a RADIUS accounting server after a previous server timing out.

detail

Accounting unknown requests

Number of unknown accounting requests sent from a client to a RADIUS accounting server (for example, when the header has invalid or unsupported information).

detail

Accounting radius pending requests

Number of accounting requests sent from a client to a RADIUS accounting server that are waiting for a response from the server.

detail

Accounting malformed responses

Number of accounting responses from a RADIUS accounting server that have invalid or unexpected attributes.

detail

Accounting retransmissions

Number of accounting requests made by a client to the RADIUS sever that were retransmitted.

Does not include requests sent from backup accounting.

detail

Accounting bad authenticators

Number of accounting responses from a RADIUS accounting server that have an incorrect authenticator (for example, the client and server RADIUS secret do not match).

detail

Accounting packets dropped

Number of accounting responses from a RADIUS accounting server that are dropped by a client.

detail

Accounting backup record creation requests

Number of accounting stop requests from a client to a RADIUS accounting server that were forwarded to be backed up.

detail

Accounting backup replay request success

Number of backup accounting stop requests successfully created by clients after each timeout for replay to a RADIUS accounting server.

detail

Accounting backup request failures

Number of backup accounting requests that failed to be sent or queued from a client to a RADIUS accounting server.

detail

Accounting backup request success

Number of backup accounting requests successfully sent or queued from a client to a RADIUS accounting server.

detail

Accounting backup timeouts

Number of backup accounting requests that timed out after being sent to a RADIUS accounting server.

detail

Accounting backup in-flight requests

Number of backup accounting requests that were successfully sent or queued to a RADIUS accounting server for which no response or error has been received yet.

Backup requests are replayed only in the following circumstances:

  • When the request being replayed receives a positive response, the next request can be replayed.

  • When the request being replayed receives a timeout response, it can be replayed again.

Consequently this intermediate timer displays 1 or 0. The value eventually drops to 0 as requests are responded to positively or fail due to error.

detail

Accounting backup responses success

Number of backup records that were successfully acknowledged with a positive response from a RADIUS accounting server.

detail

Accounting backup radius requests

Number of backup requests sent to UDP level.

This is a RADIUS-level counter and increments rapidly based on the configured retries and timeouts and the RADIUS-level retransmissions. An observation that the value is increasing is more significant than the exact value of the counter.

detail

Accounting backup radius responses

Number of responses received at the UDP level for backup requests.

This is a RADIUS-level counter and increments rapidly based on the configured retries and timeouts and the RADIUS-level retransmissions. Observation that the value is increasing is more significant than the exact value of the counter.

detail

Accounting backup radius timeouts

Number of backup requests that timed out after being sent to UDP.

This is a RADIUS-level counter and increments rapidly based on the configured retries and timeouts and the RADIUS-level retransmissions. Observation that the value is increasing is more significant than the exact value of the counter.

detail

Accounting backup radius pending requests

Number of backup requests sent to a RADIUS accounting server that are waiting for a response from the server.

This is an intermediate state counter that eventually drops to zero as requests are responded to or failed due to error.

detail

Accounting backup radius retransmissions

Sum of backup request retransmissions for each RADIUS accounting server.

This is a RADIUS-level counter and increments rapidly based on the configured retries and timeouts and the RADIUS-level retransmissions. Observation that the value is increasing is more significant than the exact value of the counter.

detail

Accounting backup malformed responses

Sum of malformed responses received for backup requests sent to each RADIUS accounting server at the UDP level.

detail

Accounting backup bad authenticators

Sum of responses received for backup accounting requests for each RADIUS accounting server where authenticators were mismatched.

detail

Accounting backup responses dropped

Sum of responses for backup accounting requests for each RADIUS accounting server that were dropped due to various sanity checks.

detail

Accounting backup rollover requests

Sum of backup accounting requests rolled over for each RADIUS accounting server.

detail

Accounting backup unknown responses

Sum of unknown responses for backup accounting requests for each RADIUS accounting server.

detail

Client

Client type; for example, DHCP, Mobile IP, PPP.

none specified

Out of Memory

Number of times an address was not given to the client due to memory issues.

none specified

No Matches

Number of times there were no network matches for the pool.

none specified

Pool Name

Name of the address-assignment pool for this client.

none specified

Out of Addresses

Number of times there were no available addresses in the pool.

none specified

Address total

Number of addresses in the pool.

none specified

Addresses in use

Number of addresses in use.

none specified

Addresses excluded

Number of addresses excluded from being allocated from the pool with the excluded-address or excluded-range statements.

none specified

Address Usage (percent)

Percentage of total addresses in use. This value does not take excluded addresses into account.

none specified

Assertion attributes missing

Number of SAML assertions where mandatory attributes like username configured at the identity-provider object are not present in the assertion.

none specified

Assertion decryption fail

Instances where the identity provider (IdP) could not decrypt the assertion it had encrypted in SAML.

none specified

Assertion node missing

Instances when the SAML assertion or the encrypted-assertion node is missing in the assertion response.

none specified

Assertion parse fail

Instances when the firewall failed to parse SAML assertion.

none specified

Assertion received

Number of SAML assertion responses received from IdP.

none specified

Assertion sanity fail

Instances when the issuer node value failed the sanity checks because it does not match the configured IdP entity-id in SAML.

none specified

Assertion signature verify fail

Count of SAML assertion message signature verification failures.

none specified

Assertion timeout

Number of requests that did not receive a response from the IdP before the assertion wait time expired in SAML.

none specified

Assertion username mismatch

Instances when the username differs in the authentication request and the assertion response in SAML.

none specified

Authentication request received

Number of SAML-based authentication requests received.

none specified

Authentication response sent

Number of authentication responses sent in SAML.

none specified

Logout parse fail

Instances of failures in parsing in the logout request message in SAML.

none specified

Logout request received

Number of user logout requests received from the IdP in SAML.

none specified

Logout response sent

Number of user logout responses sent to the IdP in SAML.

none specified

Logout sanity fail

Count of logout request failed sanity checks such as issuer node value does not match configured IdP entity-id in SAML.

none specified

Logout signature verify fail

Count of logout request signature validation failures in SAML.

none specified

Memory allocation fail

Number of memory allocation failure while processing SAML request/responses.

none specified

Request hit cache

Count of SAML requests that hit the assertion cache.

none specified

Request sent to IdP

SAML requests miss assertion cache and sent to IdP.

none specified

Pool drain configured

Configuration state of active drain for the specified local address pool, yes or no.

none specified

Pool Usage

Percentage of allocated addresses in the specified address pool.

none specified

processed successfully

Number of dynamic requests processed successfully by the AAA framework.

All levels

errors during processing

Number of dynamic requests that resulted in processing errors by the AAA framework.

All levels

Link Name

Name of the secondary address-assignment pool to which the primary pool is linked.

silently dropped

Number of dynamic requests dropped by the AAA framework due to multiple back-to-back or duplicate requests.

All levels

RADIUS Server

IPv4 or IPv6 address of the RADIUS server to which the router is sending requests.

All levels

Profile

Name of the RADIUS profile associated with the RADIUS server. A RADIUS server can be associated with more than one RADIUS profile.

All levels

Configured

Configured maximum number of outstanding requests from the router to the RADIUS server for a specific profile. An outstanding request is a request to which the RADIUS server has not yet responded. The range of values is 0 through 2000 outstanding requests. The default value is 1000.

All levels

Current

Current number of outstanding requests from the router to the RADIUS server for a specific profile. An outstanding request is a request to which the RADIUS server has not yet responded.

All levels

Peak

Highest number of outstanding requests from the router to the RADIUS server for a specific profile at any point in time since the router was started or since the counter was last cleared.

Note:

If the value of this field is equal to the value of the Configured field, you may want to increase the value of the Configured field.

All levels

Exceeded

Number of times that the router attempted to send requests to the RADIUS server in excess of the configured maximum value for a specific profile.

Note:

If the value of this field is nonzero, you may want to increase the value of the Configured field.

All levels

Username

Username for a subscriber with one or more active sessions for an access profile.

briefdetail

Access-profile

Name of the access profile where the username is active.

briefdetail

Blocked requests

Number of session requests that have been blocked for the username for an access profile. A request is blocked when it exceeds the configured session limit.

briefdetail

Session count

Number of active sessions for the username for an access profile.

briefdetail

Total usernames

Number of active usernames for all access profiles.

none summary

Total usernames exceeding session limit

Number of usernames that have attempted sessions greater than the limit configured for the username.

none summary

Total blocked requests

Number of session requests that have been blocked because the session limit is exceeded.

none summary

Sample Output

show network-access aaa statistics accounting

show network-access aaa statistics accounting detail

show network-access aaa statistics address-assignment client

show network-access aaa statistics address-assignment pool

show network-access aaa statistics address-assignment pool (Excluded Addresses)

show network-access aaa statistics dynamic-requests

show network-access aaa statistics radius

show network-access aaa statistics saml

show network-access aaa statistics session-limit-per-username (Users with Blocked Requests)

show network-access aaa statistics session-limit-per-username (All Active Users)

show network-access aaa statistics session-limit-per-username

Release Information

Command introduced in Junos OS Release 9.1.

address-assignment option introduced in Junos OS Release 10.0.

radius option introduced in Junos OS Release 11.4.

detail option introduced in Junos OS Release 13.3.

session-limit-per-username option introduced in Junos OS Release 18.4R1 on MX Series routers.

Support for saml option added in Junos OS Release 24.4R1.