Authentication Authorization and Accounting Configuration Guide Cisco IOS XE Release 3S
RADIUS Packet of Disconnect
Downloads: This chapterpdf (PDF - 1.31MB) The complete bookPDF (PDF - 4.13MB) | The complete bookePub (ePub - 696.0KB) | Feedback

RADIUS Packet of Disconnect

RADIUS Packet of Disconnect

The RADIUS Packet of Disconnect feature is used to terminate a connected voice call.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for RADIUS Packet of Disconnect

Configure AAA as described in the Cisco IOS XE Security Configuration Guide: Securing User Services , Release 2.

Restrictions for RADIUS Packet of Disconnect

Proper matching identification information must be communicated by the following:

  • Billing server and gateway configuration
  • Gateway’s original accounting start request
  • Server’s POD request

Information About RADIUS Packet of Disconnect

The Packet of Disconnect (POD) is a RADIUS access_request packet and is intended to be used in situations where the authenticating agent server wants to disconnect the user after the session has been accepted by the RADIUS access_accept packet.

When the POD is Needed

The POD may be needed in at least two situations:

  • Detection of fraudulent use, which cannot be performed before accepting the call. A price structure so complex that the maximum session duration cannot be estimated before accepting the call. This may be the case when certain types of discounts are applied or when multiple users use the same subscription simultaneously.
  • To prevent unauthorized servers from disconnecting users, the authorizing agent that issues the POD packet must include three parameters in its packet of disconnect request. For a call to be disconnected, all parameters must match their expected values at the gateway. If the parameters do not match, the gateway discards the packet of disconnect packet and sends a NACK (negative acknowledgement message) to the agent.

POD Parameters

The POD has the following parameters:

  • An h323-conf-id vendor-specific attribute (VSA) with the same content as received from the gateway for this call.
  • An h323-call-origin VSA with the same content as received from the gateway for the leg of interest.
  • A 16-byte MD5 hash value that is carried in the authentication field of the POD request.
  • Cisco IOS XE software allocates POD code 50 as the code value for the Voice POD Request based on RFC 3576 Dynamic Authorization Extensions to RADIUS, which extends RADIUS standards to officially support both a Disconnect Message (DM) and Change-of-Authorization (CoA) that are supported through the POD.

RFC 3576 specifies the following POD codes:

    • 40 - Disconnect-Request
    • 41 - Disconnect-ACK
    • 42 - Disconnect-NAK
    • 43 - CoA-Request
    • 44 - CoA-ACK
    • 45 - CoA-NAK

How to Configure the RADIUS Packet of Disconnect

Configuring the RADIUS POD

Use the following tasks to configure the RADIUS POD:

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    Router (config)# aaa pod server [port port-number] [auth-type {any| all| session-key}] server-key [encryption-type] string

    4.    Router# end

    5.    Router# show running-configuration


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 Router (config)# aaa pod server [port port-number] [auth-type {any| all| session-key}] server-key [encryption-type] string

    Example:
    Router(config)# aaa pod server server-key xyz123
     

    Enables inbound user sessions to be disconnected when specific session attributes are presented, where:

    • port port-number --(Optional) The network access server User Datagram Protocol (UDP) port to use for POD requests. Default value is 1700.
    • auth-type --(Optional) The type of authorization required for disconnecting sessions.
      • any--Session that matches all of the attributes sent in the POD packet is disconnected. The POD packet may contain one or more of four key attributes (user-name, framed-IP-address, session-ID, and session-key).
      • all--Only a session that matches all four key attributes is disconnected. Allis the default.
      • session-key--Session with a matching session-key attribute is disconnected. All other attributes are ignored.
    • server-key-- Configures the shared-secret text string.
    • encryption-type --(Optional) Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using an encryption algorithm defined by Cisco.
    • string-- The shared-secret text string that is shared between the network access server and the client workstation. This shared-secret string must be the same on both systems.
     
    Step 4 Router# end 

    Exits global configuration mode and returns to privileged EXEC mode.

     
    Step 5 Router# show running-configuration

    Example:
    Router# show running-configuration


    Example:
    !


    Example:
    aaa authentication login h323 group radius


    Example:
    aaa authorization exec h323 group radius


    Example:
    aaa accounting update newinfo


    Example:
    aaa accounting connection h323 start-stop group radius


    Example:
    aaa pod server server-key cisco


    Example:
    aaa session-id common


    Example:
    !
     

    Verifies that the gateway is configured correctly in privileged EXEC mode.

     

    Troubleshooting Tips

    After you have configured AAA Dead-Server Detection, you should verify your configuration using the show running-config command. This verification is especially important if you have used the no form of the radius-server dead-criteria command. The output of the show running-config command must show the same values in the “Dead Criteria Details” field that you configured using the radius-server dead-criteria command.

    Verifying the RADIUS POD Configuration

    To verify the RADIUS POD configuration, use the show running configuration privileged EXEC command as shown in the following example:

    Router# show running-configuration
    !
    aaa authentication login h323 group radius
    aaa authorization exec h323 group radius
    aaa accounting update newinfo
    aaa accounting connection h323 start-stop group radius
    aaa pod server server-key cisco
    aaa session-id common
    .
    .
    .

    Additional References

    The following sections provide references related to the RADIUS Packet of Disconnect feature.

    Related Documents

    Related Topic

    Document Title

    AAA

    Authentication, Authorization, and Accounting (AAA) section of the Cisco IOS XE Security Configuration Guide, Securing User Services, Release 2.

    Security commands

    Cisco IOS Security Command Reference

    CLI Configuration

    Cisco IOS XE Configuration Fundamentals Configuration Guide, Release 2

    Standards

    Standard

    Title

    No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

    --

    MIBs

    MIB

    MIBs Link

    No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

    To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

    http:/​/​www.cisco.com/​go/​mibs

    RFCs

    RFC

    Title

    RFC 2865

    Remote Authentication Dial-in User Service

    RFC 3576

    Dynamic Authorization Extensions to RADIUS

    Technical Assistance

    Description

    Link

    The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

    To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

    Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​techsupport

    Feature Information for RADIUS Packet of Disconnect

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

    Table 1 Feature Information for RADIUS Packet of Disconnect

    Feature Name

    Releases

    Feature Information

    RADIUS Packet of Disconnect

    Cisco IOS XE Release 2.1

    The RADIUS Packet of Disconnect feature is used to terminate a connected voice call.

    In Cisco IOS XE Release 2.1, this feature was introduced on the on Cisco ASR 1000 Series Aggregation Services Routers.

    The following commands were introduced or modified: aaa pod server, debug aaa pod

    Glossary

    AAA --authentication, authorization, and accounting. A framework of security services that provide the method for identifying users (authentication), for remote access control (authorization), and for collecting and sending security server information used for billing, auditing, and reporting (accounting).

    L2TP --Layer 2 Tunnel Protocol. A Layer 2 tunneling protocol that enables an ISP or other access service to create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP point of presence (POP) exchanges PPP messages with the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel server to set up tunnels.

    PE --Provider Edge. Networking devices that are located on the edge of a service provider network.

    RADIUS --Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.

    VPN --Virtual Private Network. A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected. VPNs use L2TP and L2F to terminate the Layer 2 and higher parts of the network connection at the LNS instead of the LAC.

    VRF --Virtual Route Forwarding. Initially, a router has only one global default routing/forwarding table. VRFs can be viewed as multiple disjoined routing/forwarding tables, where the routes of a user have no correlation with the routes of another user.