show network-access aaa statistics
Syntax
show network-access aaa statistics
<accounting (detail)>
<address-assignment (client | pool pool-name)>
<dynamic-requests>
<radius>
<saml>
<session-limit-per-username>
Description
Display AAA accounting, address-assignment, dynamic request statistics, RADIUS settings and statistics, Security Assertion Markup Language (SAML) authentication statistics, and subscriber session limit statistics.
Options
accounting (detail) |
(Optional) Display AAA accounting statistics. The |
address-assignment (client | pool pool-name) |
(Optional) Display AAA address-assignment client and pool statistics. |
dynamic-requests |
(Optional) Display AAA dynamic requests. |
radius |
(Optional) Display RADIUS settings and statistics. |
saml |
(Optional) Display SAML authentication statistics. |
session-limit-per-username |
Maximum number of sessions allowed for a username per access profile. Use the
|
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show network-access aaa statistics
command. Output fields are listed in the approximate order in which they appear.
Field Name |
Field Description |
Level of Output |
---|---|---|
|
Does not include requests sent from backup accounting. |
All levels |
|
Number of accounting requests that failed to be sent or queued from a client to a RADIUS accounting server. Does not include requests sent from backup accounting. |
|
|
Number of accounting requests successfully sent or queued from a client to a RADIUS accounting server. Does not include requests sent from backup accounting. |
|
|
Number of accounting on requests sent from a client to a RADIUS accounting server. |
|
|
Number of accounting start requests sent from a client to a RADIUS accounting server. |
|
|
Number of accounting interim requests sent from a client to a RADIUS accounting server. |
|
|
Number of accounting stop requests sent from a client to a RADIUS accounting server. Does not include requests sent from backup accounting. |
|
|
Number of accounting requests to the accounting server that timed out. This field
was named Does not include requests sent from backup accounting. |
All levels |
|
Number of accounting requests not acknowledged (NAK) by the accounting server. Does not include requests sent from backup accounting. |
All levels |
|
Number of accounting requests acknowledged by the accounting server. Does not include requests sent from backup accounting. |
All levels |
|
Number of accounting on requests acknowledged by the RADIUS accounting server. |
|
|
Number of accounting start requests acknowledged by the RADIUS accounting server. |
|
|
Number of accounting interim requests acknowledged by the RADIUS accounting server. |
|
|
Number of accounting stop requests acknowledged by the RADIUS accounting server. Does not include requests sent from backup accounting. |
|
|
Number of accounting requests coming to a RADIUS accounting server after a previous server timing out. |
|
|
Number of unknown accounting requests sent from a client to a RADIUS accounting server (for example, when the header has invalid or unsupported information). |
|
|
Number of accounting requests sent from a client to a RADIUS accounting server that are waiting for a response from the server. |
|
|
Number of accounting responses from a RADIUS accounting server that have invalid or unexpected attributes. |
|
|
Number of accounting requests made by a client to the RADIUS sever that were retransmitted. Does not include requests sent from backup accounting. |
|
|
Number of accounting responses from a RADIUS accounting server that have an incorrect authenticator (for example, the client and server RADIUS secret do not match). |
|
|
Number of accounting responses from a RADIUS accounting server that are dropped by a client. |
|
|
Number of accounting stop requests from a client to a RADIUS accounting server that were forwarded to be backed up. |
|
|
Number of backup accounting stop requests successfully created by clients after each timeout for replay to a RADIUS accounting server. |
|
|
Number of backup accounting requests that failed to be sent or queued from a client to a RADIUS accounting server. |
|
|
Number of backup accounting requests successfully sent or queued from a client to a RADIUS accounting server. |
|
|
Number of backup accounting requests that timed out after being sent to a RADIUS accounting server. |
|
|
Number of backup accounting requests that were successfully sent or queued to a RADIUS accounting server for which no response or error has been received yet. Backup requests are replayed only in the following circumstances:
Consequently this intermediate timer displays 1 or 0. The value eventually drops to 0 as requests are responded to positively or fail due to error. |
|
|
Number of backup records that were successfully acknowledged with a positive response from a RADIUS accounting server. |
|
|
Number of backup requests sent to UDP level. This is a RADIUS-level counter and increments rapidly based on the configured retries and timeouts and the RADIUS-level retransmissions. An observation that the value is increasing is more significant than the exact value of the counter. |
|
|
Number of responses received at the UDP level for backup requests. This is a RADIUS-level counter and increments rapidly based on the configured retries and timeouts and the RADIUS-level retransmissions. Observation that the value is increasing is more significant than the exact value of the counter. |
|
|
Number of backup requests that timed out after being sent to UDP. This is a RADIUS-level counter and increments rapidly based on the configured retries and timeouts and the RADIUS-level retransmissions. Observation that the value is increasing is more significant than the exact value of the counter. |
|
|
Number of backup requests sent to a RADIUS accounting server that are waiting for a response from the server. This is an intermediate state counter that eventually drops to zero as requests are responded to or failed due to error. |
|
|
Sum of backup request retransmissions for each RADIUS accounting server. This is a RADIUS-level counter and increments rapidly based on the configured retries and timeouts and the RADIUS-level retransmissions. Observation that the value is increasing is more significant than the exact value of the counter. |
|
|
Sum of malformed responses received for backup requests sent to each RADIUS accounting server at the UDP level. |
|
|
Sum of responses received for backup accounting requests for each RADIUS accounting server where authenticators were mismatched. |
|
|
Sum of responses for backup accounting requests for each RADIUS accounting server that were dropped due to various sanity checks. |
|
|
Sum of backup accounting requests rolled over for each RADIUS accounting server. |
|
|
Sum of unknown responses for backup accounting requests for each RADIUS accounting server. |
|
|
Client type; for example, DHCP, Mobile IP, PPP. |
none specified |
|
Number of times an address was not given to the client due to memory issues. |
none specified |
|
Number of times there were no network matches for the pool. |
none specified |
|
Name of the address-assignment pool for this client. |
none specified |
|
Number of times there were no available addresses in the pool. |
none specified |
|
Number of addresses in the pool. |
none specified |
|
Number of addresses in use. |
none specified |
|
Number of addresses excluded from being allocated from the pool with the
|
none specified |
|
Percentage of total addresses in use. This value does not take excluded addresses into account. |
none specified |
|
Number of SAML assertions where mandatory attributes like username configured at the identity-provider object are not present in the assertion. |
none specified |
|
Instances where the identity provider (IdP) could not decrypt the assertion it had encrypted in SAML. |
none specified |
|
Instances when the SAML assertion or the encrypted-assertion node is missing in the assertion response. |
none specified |
Assertion parse fail |
Instances when the firewall failed to parse SAML assertion. |
none specified |
|
Number of SAML assertion responses received from IdP. |
none specified |
Assertion sanity fail |
Instances when the issuer node value failed the sanity checks because it does not match the configured IdP entity-id in SAML. |
none specified |
Assertion signature verify fail |
Count of SAML assertion message signature verification failures. |
none specified |
|
Number of requests that did not receive a response from the IdP before the assertion wait time expired in SAML. |
none specified |
Assertion username mismatch |
Instances when the username differs in the authentication request and the assertion response in SAML. |
none specified |
|
Number of SAML-based authentication requests received. |
none specified |
|
Number of authentication responses sent in SAML. |
none specified |
|
Instances of failures in parsing in the logout request message in SAML. |
none specified |
|
Number of user logout requests received from the IdP in SAML. |
none specified |
|
Number of user logout responses sent to the IdP in SAML. |
none specified |
|
Count of logout request failed sanity checks such as issuer node value does not match configured IdP entity-id in SAML. |
none specified |
|
Count of logout request signature validation failures in SAML. |
none specified |
|
Number of memory allocation failure while processing SAML request/responses. |
none specified |
|
Count of SAML requests that hit the assertion cache. |
none specified |
|
SAML requests miss assertion cache and sent to IdP. |
none specified |
|
Configuration state of active drain for the specified local address pool,
|
none specified |
|
Percentage of allocated addresses in the specified address pool. |
none specified |
|
Number of dynamic requests processed successfully by the AAA framework. |
All levels |
|
Number of dynamic requests that resulted in processing errors by the AAA framework. |
All levels |
|
Name of the secondary address-assignment pool to which the primary pool is linked. |
|
|
Number of dynamic requests dropped by the AAA framework due to multiple back-to-back or duplicate requests. |
All levels |
|
IPv4 or IPv6 address of the RADIUS server to which the router is sending requests. |
All levels |
|
Name of the RADIUS profile associated with the RADIUS server. A RADIUS server can be associated with more than one RADIUS profile. |
All levels |
|
Configured maximum number of outstanding requests from the router to the RADIUS server for a specific profile. An outstanding request is a request to which the RADIUS server has not yet responded. The range of values is 0 through 2000 outstanding requests. The default value is 1000. |
All levels |
|
Current number of outstanding requests from the router to the RADIUS server for a specific profile. An outstanding request is a request to which the RADIUS server has not yet responded. |
All levels |
|
Highest number of outstanding requests from the router to the RADIUS server for a specific profile at any point in time since the router was started or since the counter was last cleared. Note:
If the value of this field is equal to the value of the
|
All levels |
|
Number of times that the router attempted to send requests to the RADIUS server in excess of the configured maximum value for a specific profile. Note:
If the value of this field is nonzero, you may want to increase the value of
the |
All levels |
|
Username for a subscriber with one or more active sessions for an access profile. |
|
|
Name of the access profile where the username is active. |
|
|
Number of session requests that have been blocked for the username for an access profile. A request is blocked when it exceeds the configured session limit. |
|
|
Number of active sessions for the username for an access profile. |
|
|
Number of active usernames for all access profiles. |
none |
|
Number of usernames that have attempted sessions greater than the limit configured for the username. |
none |
|
Number of session requests that have been blocked because the session limit is exceeded. |
none |
Sample Output
- show network-access aaa statistics accounting
- show network-access aaa statistics accounting detail
- show network-access aaa statistics address-assignment client
- show network-access aaa statistics address-assignment pool
- show network-access aaa statistics address-assignment pool (Excluded Addresses)
- show network-access aaa statistics dynamic-requests
- show network-access aaa statistics radius
- show network-access aaa statistics saml
- show network-access aaa statistics session-limit-per-username (Users with Blocked Requests)
- show network-access aaa statistics session-limit-per-username (All Active Users)
- show network-access aaa statistics session-limit-per-username
show network-access aaa statistics accounting
user@host> show network-access aaa statistics accounting Accounting module statistics Accounting module statistics Requests received: 5000 Accounting request timeouts: 2000 Accounting response failures: 0 Accounting response success: 3000
show network-access aaa statistics accounting detail
user@host> show network-access aaa statistics accounting detail Accounting module statistics Accounting module statistics Requests received: 5000 Accounting request failures: 0 Accounting request success: 5000 Account on requests: 0 Accounting start requests: 3000 Accounting interim requests: 0 Accounting stop requests: 2000 Accounting request timeouts: 2000 Accounting response failures: 0 Accounting response success: 3000 Account on responses: 0 Accounting start responses: 3000 Accounting interim responses: 0 Accounting stop responses: 0 Accounting rollover requests: 0 Accounting unknown responses: 0 Accounting radius pending requests: 0 Accounting malformed responses: 0 Accounting retransmissions: 6000 Accounting bad authenticators: 0 Accounting packets dropped: 0 Accounting backup record creation requests: 3000 Accounting backup request replay success: 9808 Accounting backup request failures: 0 Accounting backup request success: 3006 Accounting backup timeouts: 6 Accounting backup in-flight requests: 0 Accounting backup responses success: 3000 Accounting backup radius requests: 3006 Accounting backup radius responses: 3000 Accounting backup radius timeouts: 99 Accounting backup radius pending requests: 0 Accounting backup radius retransmissions: 99 Accounting backup malformed responses: 0 Accounting backup bad authenticators: 0 Accounting backup responses dropped: 0 Accounting backup rollover requests: 0 Accounting backup unknown responses: 0
show network-access aaa statistics address-assignment client
user@host> show network-access aaa statistics address-assignment client Address-assignment statistics Client: jdhcpd Out of Memory: 0 No Matches: 2
show network-access aaa statistics address-assignment pool
user@host> show network-access aaa statistics address-assignment pool isp_1 Address-assignment statistics Pool Name: isp_1 Pool Name: (all pools in chain) Out of Memory: 0 Out of Addresses: 9 Address total: 47 Addresses in use: 47 Address Usage (percent): 100 Pool drain configured: yes
show network-access aaa statistics address-assignment pool (Excluded Addresses)
user@host> show network-access aaa statistics address-assignment pool isp_1 Address-assignment statistics Pool Name: isp_1 Pool Name: (all pools in chain) Out of Memory: 0 Out of Addresses: 0 Address total: 24000 Addresses in use: 12000 Addresses excluded: 1000 Address Usage (percent): 50 Pool drain configured: yes
show network-access aaa statistics dynamic-requests
user@host> show network-access aaa statistics dynamic-requests requests received: 0 processed successfully: 0 errors during processing: 0 silently dropped: 0
show network-access aaa statistics radius
user@host> show network-access aaa statistics radius Outstanding Requests RADIUS Server Profile Configured Current Peak Exceeded 198.51.100.239 prof1 1000 0 1000 14 prof2 500 17 432 0 198.51.100.211 myprof 200 0 200 27 203.0.113.254 pppoe-auth 111 0 1 0 2001:db8:0:f101::2 xyz-profile11 1000 10 135 0
show network-access aaa statistics saml
user@host> show network-access aaa statistics saml SAML Authentication statistics Authentication request received 13 Authentication response sent 13 Request hit cache 1 Request sent to IdP 3 Assertion received 3 Assertion timeout 0 Assertion parse fail 0 Assertion sanity fail 0 Assertion signature verify fail 0 Assertion decryption fail 1 Assertion node missing 0 Assertion atributes missing 0 Assertion username mismatch 0 Logout request received 0 Logout response sent 0 Logout parse fail 0 Logout sanity fail 0 Logout signature verify fail 0 Memory allocation fail 0
show network-access aaa statistics session-limit-per-username (Users with Blocked Requests)
user@host> show network-access aaa statistics session-limit-per-username brief Username Access-profile Blocked requests Session count xyz@example.net BNG1 3 5 abc@example.net BNG2 2 5
show network-access aaa statistics session-limit-per-username (All Active Users)
user@host> show network-access aaa statistics session-limit-per-username detail Username Access-profile Blocked requests Session count rkv@example.net BNG1 0 4 xyz@example.net BNG1 3 5 abc@example.net BNG2 2 5 pqr@example.net BNG2 0 1
show network-access aaa statistics session-limit-per-username
user@host> show network-access aaa statistics on-limit-per-username Total usernames: 15 Total usernames exceeding session limit: 2 Total blocked requests: 5
Release Information
Command introduced in Junos OS Release 9.1.
address-assignment
option introduced in Junos OS Release 10.0.
radius
option introduced in Junos OS Release 11.4.
detail
option introduced in Junos OS Release 13.3.
session-limit-per-username
option introduced in Junos OS Release 18.4R1 on
MX Series routers.
Support for saml
option added in Junos OS Release 24.4R1.