Configuring AAA for Cisco Voice Gateways Configuration Guide, Cisco IOS Release 15M&T
Cisco IOS Configuration

Last Updated: December 11, 2012

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisite Configuration

The following general tasks are prerequisites to configuring the Cisco IOS features described in this document:

  • Establish a working IP network. For more information about configuring IP, refer to the Cisco IOS IP Configuration Guide.
  • Configure Voice over IP. For more information about configuring Voice over IP, refer to the Cisco IOS Voice Configuration Library.
  • Program and configure the interface between the RADIUS server and the Cisco voice gateway to operate with vendor specific attributes (VSAs). Refer to the RADIUS Vendor-Specific Attributes Voice Implementation Guide.
  • Download the TCL scripts that are not embedded in Cisco IOS from the Cisco CCO software support URL: http://www.cisco.com/public/sw-center/
  • Define and apply IVR applications on the dial peer to direct AAA requests to a RADIUS server. For more information, see the Cisco IOS TCL and VoiceXML Application Guide.

Configuring AAA Basics

You must follow these steps to set up AAA before you start directing AAA requests to a RADIUS server:

SUMMARY STEPS

1.    Enable authentication, authorization, and accounting (AAA) security services:

2.    Define a RADIUS server host by entering the following command:

3.    Use the RADIUS server defined in Step 2 to define an AAA group.

4.    Exit group server configuration mode.

5.    To specify the password for use between the gateway and the RADIUS server, enter the following command in global configuration mode:

6.    Use the AAA group defined in Step 2 above to define an AAA method list.


DETAILED STEPS
Step 1   Enable authentication, authorization, and accounting (AAA) security services:

Example:
Router(config)# aaa new-model
Step 2   Define a RADIUS server host by entering the following command:

Router(config)# radius-server host ipaddress auth-port port-number acct-port port-number

Example:
radius-server host 1.5.35.10 auth-port 2001 acct-port 2002
Step 3   Use the RADIUS server defined in Step 2 to define an AAA group.
  1. To define a group name, enter the following command in global configuration mode:

    Router(config)# aaa group server radius group-name

    Note    For the argument group-name in the command, enter the name of the specific RADIUS server (for example server1) you want to authenticate, or enter the argument radius if you want to authenticate all RADIUS servers.

    Example:
    aaa group server radius server1

  2. To configure the IP address of the RADIUS server for the group server, enter the following command in group server configuration mode:

    Router(config-sg-radius)# server ip-address auth-port port-number acct-port port-number

    Example:
    server 1.5.35.10 auth-port 2001 acct-port 2002
Step 4   Exit group server configuration mode.

Example:
Router(config-sg-radius)# exit
Step 5   To specify the password (the shared secret key) for use between the gateway and the RADIUS server, enter the following command in global configuration mode:

Router(config)# radius-server key key

Example:
radius-server key 1user23
Step 6   Use the AAA group defined in Step 2 above to define an AAA method list.
  1. For voice authentication, enter the aaa authentication login command.

    Router(config)# aaa authentication login list-name method1 [method2...]

    Examples:
    aaa authentication login h323 group server2
    aaa authentication login MIS-access group radius

  2. For voice authorization, enter the aaa authorization command.

    Router(config)# aaa authorization exec list-name method1 [method2...]

    Examples:
    aaa authorization exec h323 group server2
    aaa authorization exec MIS-access group radius

  3. For voice accounting, enter the aaa accounting command in global configuration mode.

    Router(config)# aaa accounting connection list-name start-stop method1 [method2...]

    Example:
    aaa accounting connection h323 start-stop group server1

Directing AAA Requests to a RADIUS Server

You can use TCL scripts or the CLI to direct AAA requests to a specific RADIUS server based on:

  • Customer account number
  • Called party number
  • Trunk group

Directing AAA Requests by Using Account Numbers

It is easier to use TCL scripts instead of the CLI to direct AAA requests using account numbers.

To use TCL scripts for directing AAA requests using account numbers, follow the steps below:

SUMMARY STEPS

1.    Before you start using TCL scripts to direct AAA requests using account numbers, you must define and apply the interactive voice response (IVR) application on the dial peer.

2.    Use the authentication, authorization, and accounting TCL verbs to customize your TCL scripts. Refer to the Accounting Template, page 21 in Chapter 1, "Overview of AAA on Voice Gateways" for an example of a TCL script.

3.    (Optional). If you use the accounting TCL verb, then use the accounting suppress command to suppress accounting on the same dial peer on which you have specified your application.


DETAILED STEPS
Step 1   Before you start using TCL scripts to direct AAA requests using account numbers, you must define and apply the interactive voice response (IVR) application on the dial peer.
Step 2   Use the authentication, authorization, and accounting TCL verbs to customize your TCL scripts. Refer to the Accounting Template, page 21 in Chapter 1, "Overview of AAA on Voice Gateways" for an example of a TCL script.

The authentication, accounting, and authorization TCL verbs are:

  1. Authentication: Use the following TCL verb:

    aaa authenticate account password [-a avlistSend] [-s servertag]

  2. Authorization: Use the following TCL verb:

    aaa authorize account password ani destination {legID | info-tag} [-s servertag]

  3. Accounting: Use the following TCL verbs to start or update accounting messages:

    aaa accounting start {legID | info-tag} [-s servertag]

Step 3   (Optional). If you use the accounting TCL verb, then use the accounting suppress command to suppress accounting on the same dial peer on which you have specified your application.

Follow the steps below to suppress accounting on the dial peer:

  1. Enter the voice class aaa command in global configuration mode.

    Router(config)# voice-class aaa tag

    Example:
    voice-class aaa 1001

  2. Enter the accounting suppress command in voice class configuration mode.

    Example:
    Router(config-class)# accounting suppress

  3. Enter the voice class aaa command in dial peer configuration mode.

    Router(config)# dial-peer voice tag {pots | voip}
    Router(config-dial-peer)# voice class aaa tag

    Example:
    dial-peer voice 101 voip
    voice class aaa 1001

Directing AAA Requests using Called Party Number

You can use the called party number to direct AAA requests in dial peer configuration mode as follows:

SUMMARY STEPS

1.    Define a dial peer.

2.    Define the voice class.


DETAILED STEPS
Step 1   Define a dial peer.
  1. Enter dial peer configuration mode using the dial peer voice command. The argument number defines a particular dial peer.

    Router(config)# dial-peer voice tag {pots | voip}

    Example:
    dial-peer voice 202 pots

  2. Specify the incoming called number using the incoming called number command in dial peer configuration mode. The argument string is a series of digits that specifies the incoming called number.

    Router(config-dial-peer)# incoming called number string

    Example:
    incoming called number 5550900

Step 2   Define the voice class.
  1. Enter the voice class aaa command in global configuration mode. The argument tag identifies the dial peer.

    Router(config)# voice class aaa tag

    Example:
    voice-class aaa 202

  2. Define authentication, authorization, and accounting methods. Enter the authentication, authorization and accounting commands in voice class mode. The argument methodListName is used to name the list of authentication, authorization or accounting methods applicable to each command.

    Router(config-class)# authentication method methodListName
    Router(config-class)# accounting method methodListName
    Router(config-class)# authorization method methodListName

    Example:
    authentication method pw
    accounting method rd
    authorization method pc

  3. Define voice class in dial peer configuration mode. Enter dial peer configuration mode and then define the voice class in that mode. The argument tag identifies the same dial peer as in step a) above.

    Router(config)# dial-peer voice tag {pots | voip}
    Router(config-dial-peer)# voice-class aaa tag

    Example:
    dial-peer voice 202 pots
    voice-class aaa 202
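
The method list names entered in a voice class (pw, rd and pc above) are the names of AAA method lists such as those defined in "Configuring AAA Basics", and each dial peer refers to a voice class by tag, so a mistyped name leaves a call leg without the intended AAA handling. The following Python check is an added example, not part of Cisco's guide: it cross-checks those references and reports suppressed accounting. It assumes the configuration is supplied in show running-config layout (sub-mode commands indented); the audit function and the sample text are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" layout (sub-mode lines indented),
# built from commands on this page. Deliberate gaps: method list "rd" and
# server group "server2" are never defined, and voice class 404 is missing.
SAMPLE = """\
aaa new-model
radius-server host 1.5.35.10 auth-port 2001 acct-port 2002
aaa group server radius server1
 server 1.5.35.10 auth-port 2001 acct-port 2002
aaa authentication login pw group server1
aaa authorization exec pc group server2
voice class aaa 202
 authentication method pw
 accounting method rd
 authorization method pc
 accounting suppress
dial-peer voice 202 pots
 incoming called number 5550900
 voice-class aaa 202
dial-peer voice 404 pots
 voice-class aaa 404
"""

# Global command that defines the method list for each voice-class keyword.
DEFINED_BY = {"authentication": "aaa authentication login",
              "authorization": "aaa authorization exec",
              "accounting": "aaa accounting connection"}


def audit(config):
    """Return sorted findings about dangling AAA references in a config."""
    groups, lists = {"radius"}, set()      # "radius" = all RADIUS servers
    used_groups, classes, peers = [], {}, []
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace():               # sub-mode command
            if section and section[0] == "class":
                classes[section[1]].append(line)
            elif section and (m := re.match(r"voice[- ]class aaa (\S+)", line)):
                peers.append((section[1], m.group(1)))
            continue
        section = None                     # a top-level command ends the mode
        if m := re.match(r"aaa group server radius (\S+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"voice[- ]class aaa (\S+)", line):
            section = ("class", m.group(1))
            classes[m.group(1)] = []
        elif m := re.match(r"dial-peer voice (\S+)", line):
            section = ("peer", m.group(1))
        for kind, prefix in DEFINED_BY.items():
            if line.startswith(prefix + " "):
                words = line[len(prefix):].split()
                if words:
                    lists.add((kind, words[0]))
                    # the word after each "group" keyword names a server group
                    used_groups += [(words[0], nxt) for cur, nxt in
                                    zip(words, words[1:]) if cur == "group"]
    findings = []
    for tag, body in classes.items():
        for line in body:
            if m := re.match(r"(\w+) method (\S+)", line):
                kind, name = m.groups()
                if kind in DEFINED_BY and (kind, name) not in lists:
                    findings.append(f"voice class aaa {tag}: no "
                                    f"'{DEFINED_BY[kind]} {name}' is defined")
            elif line.startswith("accounting suppress"):
                findings.append(f"voice class aaa {tag}: accounting suppressed")
    findings += [f"method list {name}: server group '{g}' is not defined"
                 for name, g in used_groups if g not in groups]
    findings += [f"dial-peer {peer}: voice class aaa {tag} is not defined"
                 for peer, tag in peers if tag not in classes]
    return sorted(findings)
```

A suppressed-accounting finding is expected where a TCL application sends its own accounting records; anywhere else it means those call legs produce no accounting records.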
    

Directing AAA Requests Using Trunk Groups

To direct AAA requests using trunk groups, a trunk group must first associate with a dial peer. To use this method, group all the interfaces using one trunk group and define only one dial peer instead of individual ports for the interfaces using that trunk group.

You can direct AAA requests using trunk groups in dial-peer configuration mode as follows:

SUMMARY STEPS

1.    Define the trunk group by entering the trunk group command in global configuration mode. The argument tag is a number.

2.    Use the trunk group tag in Step 1 to group the interfaces.

3.    Use the tag defined in Step 2b) above.


DETAILED STEPS
Step 1   Define the trunk group by entering the trunk group command in global configuration mode. The argument tag is a number.

Router(config)# trunk group tag

Example:
trunk group 303
Step 2   Use the trunk group tag in Step 1 to group the interfaces.
  1. Enter the interface serial command in global configuration mode to specify a serial interface on the channelized T1 or E1 controller. The argument slot/port denotes the slot and port number where the channelized T1 or E1 controller is located. The argument timeslot denotes the ISDN D channel timeslot which is 15 for channelized E1 and 23 for channelized T1.

    Router(config)# interface serial slot/port:timeslot

    Example:
    interface serial 1/1:23

  2. Enter the trunk group command.

    Router(config-inter-serial)# trunk group tag

    Example:
    trunk group 303

Step 3   Use the tag defined in Step 2b) above.
  1. Enter the voice class aaa command in global configuration mode.

    Router(config)# voice-class aaa tag

    Example:
    voice-class aaa 303

  2. Define authentication, accounting, and authorization methods. Enter the authentication method, accounting method, and authorization method commands in voice class mode. The argument methodListName is used to name the list of authentication, accounting, or authorization methods applicable to each command.

    Router(config-class)# authentication method methodListName
    Router(config-class)# accounting method methodListName
    Router(config-class)# authorization method methodListName

    Example:
    authentication method ab
    accounting method cd
    authorization method ef

  3. Enter dial peer configuration mode using the dial peer voice command.

    Router(config)# dial-peer voice tag {pots | voip}

    Example:
    dial-peer voice 303 pots

  4. Define the voice class in dial peer configuration mode. The argument tag identifies the same dial peer as in Step a above.

    Router(config-dial-peer)# voice-class aaa tag

    Example:
    voice-class aaa 303

  5. Define the trunk group in dial peer configuration mode. The argument tag is the same number as in Step b) above.

    Router(config-dial-peer)# trunk group tag

    Example:
    trunk group 303
    

Enabling and Disabling Accounting for any Call Leg

Enabling voice accounting by using the gw-accounting aaa command sends only the default list of VSAs to the accounting server.

Global Configuration Mode

To enable and disable accounting for any call leg in global configuration mode, follow these steps:

SUMMARY STEPS

1.    To enable accounting for any call leg, enter the gw-accounting aaa command in global configuration mode. Use the no form of the command to disable accounting.

2.    To disable accounting based on the type of dial peer, use the following commands:


DETAILED STEPS
Step 1   To enable accounting for any call leg, enter the gw-accounting aaa command in global configuration mode. Use the no form of the command to disable accounting.

Example:
Router(config)# gw-accounting aaa
Router(config)# no gw-accounting aaa

Step 2   To disable accounting based on the type of dial peer, use the following commands:
  1. Enter the gw-accounting aaa command.

    Example:
    Router(config)# gw-accounting aaa

  2. Enter the suppress command.

    Example:
    Router(config-gw-accounting-aaa)# suppress

    You have a choice of entering pots or voip, based on the type of dial peer.

  3. Enter the suppress pots or suppress voip command.

    Example:
    Router(config-gw-accounting-aaa)# suppress pots

    or

    Example:
    Router(config-gw-accounting-aaa)# suppress voip

Dial-Peer Configuration Mode

To disable accounting in dial-peer configuration mode, follow these steps:

SUMMARY STEPS

1.    Enter the voice class aaa command in global configuration mode.

2.    Enter the accounting suppress command in voice class aaa mode.

3.    Enter the voice class aaa command in dial peer configuration mode.


DETAILED STEPS
Step 1   Enter the voice class aaa command in global configuration mode.

Router(config)# voice class aaa tag

Example:
voice-class aaa 303
Step 2   Enter the accounting suppress command in voice class aaa mode.

Router(config-class)# accounting suppress [in-bound|out-bound]

Example:
accounting suppress
Step 3   Enter the voice class aaa command in dial peer configuration mode.

Router(config)# dial-peer voice tag {pots | voip}
Router(config-dial-peer)# voice-class aaa tag

Example:
dial-peer voice 303 pots
voice-class aaa 303

Customizing Accounting Packets

Configuration Overview

Accounting packets for voice calls consist of voice-specific attributes as well as those that are not specific to voice. This document focuses only on voice-specific attributes. You can add some application-level attributes through the TCL script and fine tune the attribute list created by the system; the result is an accounting template that is customized to your accounting needs.

To customize your accounting packets, first create accounting templates.


Note    If you do not want to customize your accounting packets, enable voice accounting by using the gw-accounting aaa command to generate accounting packets. A specific set of attributes, which include both non voice-specific and voice-specific attributes, is automatically sent by the gateway to the RADIUS server.

To view the current list of VSAs, refer to the RADIUS Vendor Specific Attributes Voice Implementation Guide. For example, in the "Accounting Template" section on page 21 of Chapter 1, "Overview of AAA on Voice Gateways", the default attributes are:

  • h323-gw-id
  • h323-call-origin
  • h323-call-type
  • h323-setup-time
  • h323-connect-time
  • h323-disconnect-time
  • h323-disconnect-cause
  • h323-remote-address
  • h323-voice-quality
  • ICPIF
  • subscriber

To send all the VSAs to the accounting server, use the template callhistory-detail command in global configuration mode. The Accounting Template, page 21 in Chapter 1, "Overview of AAA on Voice Gateways" includes the default and new VSAs. Refer to "Using Callhistory-detail to Send All VSAs" for configuration details.

For the latest list of VSAs, refer to the RADIUS Vendor-Specific Attributes Voice Implementation Guide.

To fine tune your accounting packets based on your billing needs, create accounting templates using specific VSAs that are applicable to your accounting needs. For example, to target different accounting servers for incoming calls from different trunks, you must define multiple accounting templates and associate them with different sets of incoming dial peers. To create a template, remove the attributes that are not applicable by adding the # sign in front of each of those attributes.

To tune your accounting packets, remove attributes that do not apply to your billing needs. Deleting these attributes creates a custom accounting template that acts as a filter, allowing only the defined attributes to be sent to the accounting server. To apply a customized template, first define the template using the call accounting template voice command in global configuration mode, and then apply it using either TCL scripts or the CLI. If you are using the CLI, you can apply the template either in global configuration or dial-peer configuration mode. Refer to "Defining and Applying Customized Accounting Templates" for configuration details.

Specific VSAs that cannot be controlled by the accounting template are sent as attribute-value (AV) pairs through the avlistSend argument of the TCL verbs used in the script, and they are:

  • h323-ivr-out
  • h323-ivr-in
  • h323-credit-amount
  • h323-return-code
  • h323-prompt-id
  • h323-time-and-delay
  • h323-redirect-number
  • h323-preferred-lang
  • h323-redirect-ip-addr
  • h323-billing-model
  • h323-currency
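
Because a template acts as a filter, any attribute it drops is missing from every accounting record for the dial peers that use it. The following Python review of a template is an added example, not part of Cisco's guide. It assumes a template file holds one attribute name per line with "#" marking a removed attribute; the REQUIRED policy set, the review_template function and the sample template are constructed for illustration.

```python
# Attribute names as listed on this page.
DEFAULT_VSAS = ["h323-gw-id", "h323-call-origin", "h323-call-type",
                "h323-setup-time", "h323-connect-time", "h323-disconnect-time",
                "h323-disconnect-cause", "h323-remote-address",
                "h323-voice-quality", "ICPIF", "subscriber"]
AVLIST_ONLY = {"h323-ivr-out", "h323-ivr-in", "h323-credit-amount",
               "h323-return-code", "h323-prompt-id", "h323-time-and-delay",
               "h323-redirect-number", "h323-preferred-lang",
               "h323-redirect-ip-addr", "h323-billing-model", "h323-currency"}
# Hypothetical review policy (assumption): fields needed to reconstruct a call.
REQUIRED = {"h323-call-origin", "h323-setup-time", "h323-disconnect-time",
            "h323-remote-address"}

# Constructed template text. Assumed layout: one attribute per line,
# "#" in front of a name removes that attribute.
TEMPLATE = """\
h323-gw-id
h323-call-origin
h323-call-type
h323-setup-time
h323-connect-time
h323-disconnect-time
#h323-disconnect-cause
# h323-remote-address
#h323-voice-quality
h323-credit-amount
"""


def review_template(text, required=REQUIRED):
    """Classify each template line and list the attributes that are not sent."""
    sent, removed, not_controlled = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        name = line.lstrip("#").strip()
        if not name or " " in name:
            continue                     # blank line, bare "#" or free-text comment
        if name in AVLIST_ONLY:
            not_controlled.append(name)  # sent only via avlistSend in the TCL script
        elif line.startswith("#"):
            removed.append(name)
        elif name not in sent:
            sent.append(name)
    return {
        "sent": sent,
        "removed": removed,
        "not_controlled": not_controlled,
        # the template is a filter: a default that is merely absent is dropped too
        "defaults_not_sent": [a for a in DEFAULT_VSAS if a not in sent],
        "missing_required": sorted(set(required) - set(sent)),
    }
```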

Configuration Tasks for Customizing Accounting Packets

Use the Configuration Overview to plan your customizing needs before you begin the applicable configuration tasks below.

Generate Accounting Packets by Enabling Voice Accounting

To automatically generate accounting packets by enabling voice accounting, enter the gw-accounting aaa command in global configuration mode.

Router(config)# gw-accounting aaa
Router(gw-accounting aaa)# exit

Using Callhistory-detail to Send All VSAs

To send all VSAs (default and new) to the accounting server:

SUMMARY STEPS

1.    Enter the gw-accounting aaa command to enter gateway accounting AAA mode.

2.    Enter the acct-template callhistory-detail command in gateway accounting AAA mode.


DETAILED STEPS
Step 1   Enter the gw-accounting aaa command to enter gateway accounting AAA mode.

Example:
Router(config)# gw-accounting aaa
Step 2   Enter the acct-template callhistory-detail command in gateway accounting AAA mode.

Example:
Router(config-gw-accounting-aaa)# acct-template callhistory-detail

Defining and Applying Customized Accounting Templates

To define an accounting template:

SUMMARY STEPS

1.    Enter the call accounting-template voice command in global configuration mode. Enter the template name for acctTempName. The url is the address where you store the template. Always assign a .cdr extension to the filename in the URL.


DETAILED STEPS
Enter the call accounting-template voice command in global configuration mode. Enter the template name for acctTempName. The url is the address where you store the template. Always assign a .cdr extension to the filename in the URL.

Router(config)# call accounting-template voice acctTempName url

Example:
call accounting-template voice cdr1 tftp://highway/mjs/templates/cdr1.cdr
Note    After bootup, if the template file fails to load from the TFTP server, the system tries to automatically reload the file at five minute intervals.

You can use an accounting template through the CLI (in global configuration or dial-peer configuration mode), or by using TCL verbs.


Defining and Applying Customized Accounting Templates

To use an accounting template through the CLI in global configuration mode, use the following commands:

SUMMARY STEPS

1.    Enter the gw-accounting aaa command to enter gateway accounting AAA mode.

2.    Enter the acct-template command. Assign your template name to acctTempName.


DETAILED STEPS
Step 1   Enter the gw-accounting aaa command to enter gateway accounting AAA mode.

Example:
Router(config)# gw-accounting aaa
Step 2   Enter the acct-template command. Assign your template name to acctTempName.

Router(config-gw-accounting-aaa)# acct-template acctTempName

Example:
acct-template april1

Applying a Customized Accounting Template through the CLI in Dial-Peer Configuration Mode

To apply a customized accounting template through the CLI in dial peer configuration mode, follow these steps:

SUMMARY STEPS

1.    Enter the call accounting-template voice command in global configuration mode. Assign your template name to acctTempName and your template address (usually your tftp address) to url.

2.    Enter the voice class aaa command in global configuration mode. Assign a numerical value to tag.

3.    Enter the accounting-template command in voice class AAA mode. Assign your template name to acctTempName .

4.    Change configuration mode from global to dial peer and using the dial peer voice command, enter the voice class aaa command in dial-peer configuration mode. The numerical value of tag is the same value of tag in Step 2 above.


DETAILED STEPS
Step 1   Enter the call accounting-template voice command in global configuration mode. Assign your template name to acctTempName and your template address (usually your tftp address) to url.

Router(config)# call accounting-template voice acctTempName url

Example:
call accounting-template voice cdr1 tftp://highway/mjs/templates/cdr1.cdr
Step 2   Enter the voice class aaa command in global configuration mode. Assign a numerical value to tag.

Router(config)# voice class aaa tag

Example:
voice-class aaa 404
Step 3   Enter the accounting-template command in voice class AAA mode. Assign your template name to acctTempName.

Router(config-class)# accounting-template acctTempName

Example:
accounting-template april1
Step 4   Change configuration mode from global to dial peer and using the dial peer voice command, enter the voice class aaa command in dial-peer configuration mode. The numerical value of tag is the same value of tag in Step 2 above.

Router(config)# dial-peer voice number {pots|voip}
Router(config-dial-peer)# voice class aaa tag

Example:
dial-peer voice 404 pots
voice-class aaa 404

Applying a Customized Accounting Template through a TCL Script

Use the aaa accounting start TCL verb. Assign an incoming or outgoing call leg, or assign an information tag. Assign your template name to acctTempName.

aaa accounting start {legID | info-tag} -t acctTempName
 
Adding Attributes to Accounting Packets through TCL scripts

To add attributes to accounting packets through TCL scripts, follow these steps:

SUMMARY STEPS

1.    Use the avlistSend argument in the TCL verbs to send the following attributes:

2.    Use TCL verbs for authentication, authorization, and accounting.


DETAILED STEPS
Step 1   Use the avlistSend argument in the TCL verbs to send the following attributes:
  • h323-ivr-out
  • h323-ivr-in
  • h323-credit-amount
  • h323-return-code
  • h323-prompt-id
  • h323-time-and-delay
  • h323-redirect-number
  • h323-preferred-lang
  • h323-redirect-ip-addr
  • h323-billing-model
  • h323-currency
Step 2   Use TCL verbs for authentication, authorization, and accounting.
  1. For authentication, use the aaa authenticate TCL verb.

    aaa authenticate account password [-a avlistSend]

  2. For authorization, use the aaa authorize TCL verb.

    aaa authorize account password ani destination {legID | info-tag} [-a avlistSend]

  3. For accounting, use the aaa accounting start TCL verb.

    aaa accounting start {legID | info-tag} [-a avlistSend]

    

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.