Configuring AAA for Cisco Voice Gateways Configuration Guide, Cisco IOS Release 15M&T
Overview of AAA on Voice Gateways
Downloads: This chapterpdf (PDF - 1.41MB) The complete bookPDF (PDF - 2.54MB) | The complete bookePub (ePub - 794.0KB) | Feedback

Overview of AAA on Voice Gateways

Overview of AAA on Voice Gateways

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Authentication Authorization and Accounting

For a gateway to provide authentication and accounting services, enable and configure it to support authentication, authorization, and accounting (AAA) services. AAA enables the gateway to interact with a RADIUS security server to authenticate users (typically incoming calls) and to perform accounting services. For more information about RADIUS and AAA security services, refer to the Cisco IOS Security Configuration Guide .

AAA Authentication

The gateway normally uses AAA with interactive voice response (IVR) to check the legitimacy of a prospective gateway user on the basis of an account number (collected by IVR) or Automatic Number Identification (ANI). When the gateway uses AAA with IVR, the IVR application collects the user account and personal identification number (PIN) information and then passes it to the AAA interface. The AAA interface makes a RADIUS authentication request using the given information and, based on the information received from the RADIUS server, forwards either a pass message or a fail message to the IVR application.

For more information about authentication services using AAA, refer to the "Configuring Authentication" chapter in the Cisco IOS Security Configuration Guide .

AAA Accounting

A call leg is a discrete segment of a call connection that lies between two points in the connection. Each call made through the gateway consists of two call legs: incoming and outgoing. The RADIUS server collects basic start-stop connection accounting data or syslog accounting information during the accounting process for each call leg created on the gateway.

To collect basic start-stop connection accounting data, the gateway must be configured to support gateway-specific H.323 accounting functionality. The gateway sends accounting data to the RADIUS server in one of four ways, as is shown in the following sections:

Using RADIUS AV Pairs

Basic start-stop connection accounting data and standard RADIUS attributes are used where possible using standard Internet Engineering Task Force (IETF) RADIUS attribute/value (AV) pairs. The table below shows the accounting-related IETF RADIUS attributes supported in Cisco IOS Release 12.2.

Table 1 Supported IETF RADIUS Accounting Attributes

Number

Attribute

Description

30

Called-Station-Id

Allows the network access server to send the called telephone number as part of the Access-Request packet (using Dialed Number Identification Service [DNIS] or similar technology). This attribute is only supported on ISDN and on modem calls on the Cisco ASR1000, Cisco AS5200, and Cisco AS5300 routers if used with ISDN PRI.

31

Calling-Station-Id

Allows the network access server to send the calling telephone number as part of the Access-Request packet (using ANI or similar technology). This attribute has the same value as the remote-addr attribute from TACACS+. This attribute is supported only on ISDN and on modem calls on the Cisco ASR1000, Cisco AS5200, and Cisco AS5300 routers if used with ISDN PRI.

40

Acct-Status-Type

(Accounting) Indicates whether this Accounting-Request marks the beginning of the user service (start) or the end (stop).

41

Acct-Delay-Time

(Accounting) Indicates how many seconds the client has been trying to send a particular record.

42

Acct-Input-Octets

(Accounting) Indicates how many octets have been received from the port over the course of this service being provided.

43

Acct-Output-Octets

(Accounting) Indicates how many octets have been sent to the port in the course of delivering this service.

44

Acct-Session-Id

(Accounting) A unique accounting identifier that makes it easy to match start and stop records in a log file. Acct-Session ID numbers restart at 1 each time the router is power cycled or the software is reloaded. To send this attribute in access-request packets, use the radius-server attribute 44 include-in-access-req command in global configuration mode.

45

Acct-Authentic

(Accounting) Indicates how the user was authenticated, whether by RADIUS, the network access server itself, or another remote authentication protocol. This attribute is set to "radius" for users authenticated by RADIUS; "remote" for TACACS+ and Kerberos; or "local" for local, enable, line, and if-needed methods. For all other methods, the attribute is omitted.

46

Acct-Session-Time

(Accounting) Indicates how long (in seconds) the user has received service.

47

Acct-Input-Packets

(Accounting) Indicates how many packets have been received from the port over the course of this service being provided to a framed user.

48

Acct-Output-Packets

(Accounting) Indicates how many packets have been sent to the port in the course of delivering this service to a framed user.

49

Acct-Terminate-Cause

(Accounting) Reports details on why the connection was terminated. Termination causes are indicated by a numeric value as follows:

  1. User request
  2. Lost carrier
  3. Lost service
  4. Idle timeout
  5. Session timeout
  6. Admin reset
  7. Admin reboot
  8. Port error
  9. NAS error
  10. NAS request
  11. NAS reboot
  12. Port unneeded
  13. Port pre-empted
  14. Port suspended
  15. Service unavailable
  16. Callback
  17. User error
  18. Host request
Note   

For attribute 49, Cisco IOS supports values 1 to 6, 9, 12, and 15 to 18.

50

Acct-Multi-Session-Id

(Accounting) A unique accounting identifier used to link multiple related sessions in a log file.

Each linked session in a multilink session has a unique Acct-Session-Id value, but shares the same Acct-Multi-Session-Id.

51

Acct-Link-Count

(Accounting) Indicates the number of links known in a given multilink session at the time an accounting record is generated. The network access server can include this attribute in any accounting request that might have multiple links.

52

Acct-Input-Gigawords

Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of the provided service.

53

Acct-Output-Gigawords

Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 while delivering service.

55

Event-Timestamp

Records the time that the event occurred on the NAS; the timestamp sent in attribute 55 is in seconds since January 1, 1970 00:00 UTC. T o send RADIUS attribute 55 in accounting packets , use the radius-server attribute 55 include-in-acct-reqcommand .

Note   

Before the Event-Timestamp attribute can be sent in accounting packets, you >must configure the clock on the router. (For information on setting the clock on your router, refer to the Cisco IOS Configuration Fundamentals Configuration Guide .) To avoid configuring the clock on the router every time the router is reloaded, you can enable the clock calendar-valid command. (For information on this command, refer to the Cisco IOS Config uration Fundamentals Command Reference.

For complete information about RADIUS and the use of IETF-defined attributes, refer to the Cisco IOS Security Configuration Guide .

Overloading the Acct-Session-Id Field

Attributes that cannot be mapped to standard RADIUS attributes are packed into the Acct-Session-Id attribute field as ASCII strings separated by the "/" character. The Acct-Session-Id attribute contains the RADIUS account session ID, a unique identifier that links accounting records associated with the same login session for a user. To support additional fields, the following string format has been defined for this field:

<session id>/<call leg setup time>/<gateway id>/<connection id>/<call origin>/
<call type>/<connect time>/<disconnect time>/<disconnect cause>/<remote ip address>

The table below shows the field attributes to be used with the Overloaded Acct-Session-Id method and provides a brief description of each.

Table 2 Field Attributes in Overloaded Acct-Session-Id

Field Attribute

Description

SESSION-ID

Specifies the standard RADIUS account session ID.

SETUP-TIME

Provides the Q.931 setup time for this connection in Network Time Protocol (NTP) format. NTP time formats are displayed as %H:%M:%S.%k %Z %tw %tn %td %Y where:

  • %H is hour (00 to 23).
  • %M is minutes (00 to 59).
  • %S is seconds (00 to 59).
  • %k is milliseconds (000 to 999).
  • %Z is time zone string.
  • %tw is day of week (Saturday through Sunday).
  • %tn is month name (January through December).
  • %td is day of month (01 to 31).
  • %Y is year including century (for example, 1998).

GATEWAY-ID

Indicates the name of the underlying gateway in the form of "gateway.domain_name."

CALL-ORIGIN

Indicates the origin of the call relative to the gateway. Possible values are originate and answer.

CALL-TYPE

Indicates call leg type. Possible values are telephony and VoIP.

CONNECTION-ID

Specifies the unique global identifier used to correlate call legs that belong to the same end-to-end call. The field consists of 4 long words (128 bits). Each long word is displayed as a hexadecimal value and is separated by a space character.

CONNECT-TIME

Provides the Q.931 connect time for this call leg, in NTP format.

DISCONNECT-TIME

Provides the Q.931 disconnect time for this call leg, in NTP format.

DISCONNECT-CAUSE

Specifies the reason a call was taken offline as defined in the Q.931 specification.

REMOTE-IP-ADDRESS

Indicates the address of the remote gateway port where the call is connected.

Because of the limited size of the Acct-Session-Id string, it is not possible to embed many information elements in it. Therefore, this feature supports only a limited set of accounting information elements.

Use the gw-accounting h323command to configure the overloaded session ID method of applying H.323 gateway-specific accounting.

Using Vendor-Specific RADIUS Attributes

The IETF draft standard specifies a method for communicating vendor-specific information between the network access server (NAS) and the RADIUS server by using the vendor-specific attribute (Attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the format:

protocol: attribute sep value *

"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate AV pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. The full set of features available for TACACS+ authorization can also be used for RADIUS.

For complete and current information on voice-related vendor-specific RADIUS attributes, refer to the RADIUS Vendor-Specific Attributes Voice Implementation Guide at the following URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/vapp_dev/vsaig3.htm

Some of the VSA fields and their ASCII values are listed in the table below. You can review the rest at the location noted above.

Table 3 VSA Fields and Their ASCII Values

IETF RADIUS Attribute

Vendor- Specific Company Code

Subtype Number

Attribute Name

Description

26

9

23

h323-remote-address

Indicates the IP address of the remote gateway.

26

9

24

h323-conf-id

Identifies the conference ID.

26

9

25

h323-setup-time

Indicates the setup time for this connection in Coordinated Universal Time (UTC), formerly known as Greenwich Mean Time (GMT) and Zulu time.

26

9

26

h323-call-origin

Indicates the origin of the call relative to the gateway. Possible values are originating and terminating, which are equivalent to originate and answer in the Call-Origin field.

26

9

27

h323-call-type

Indicates call leg type. Possible values are telephony and VoIP.

26

9

28

h323-connect-time

Indicates the connection time for this call leg in UTC.

26

9

29

h323-disconnect-time

Indicates the time this call leg was disconnected in UTC.

26

9

30

h323-disconnect-cause

Specifies the reason a connection was taken offline per the Q.931 specification.

26

9

31

h323-voice-quality

Specifies the impairment/calculated planning impairment factor (ICPIF) affecting voice quality for a call.

26

9

33

h323-gw-id

Indicates the name of the underlying gateway.

Use the gw-accounting h323 vsa command to configure the VSA method of applying H.323 gateway-specific accounting.

Using Syslog Records

The syslog accounting option exports the information elements associated with each call leg through a system log message, which can be captured by a syslog daemon on the network. The syslog output consists of the following:

<server timestamp> <gateway id> <message number> : <message label> : <list of AV pairs>

The syslog message fields are listed in the table below.

Table 4 Syslog Message Output Fields

Field

Description

server timestamp

The time stamp created by the server when it receives the message to log.

gateway id

The name of the gateway that emits the message.

message number

The number assigned to the message by the gateway.

message label

A string that identifies the message category.

list of AV pairs

A string consisting of <attribute name> <attribute value> pairs separated by commas.

Use the gw-accounting h323 syslog command to configure the syslog record method of gathering H.323 accounting data.

AAA Requests to Multiple RADIUS Servers

AAA requests can be made to different RADIUS servers based on account number, called party number, and incoming trunk groups.

Consider the topology shown in the figure below.

Figure 1. RADIUS/Billing Selection Based on DNIS and Card Number

In the figure above, the gateway identifies the TCL IVR application to be invoked based on:

  • The access number dialed by the caller, or
  • The account number or card number

Calling party A has a different access number compared to calling parties B and C. Because calling parties B and C use the same access number, the service provider can use the TCL IVR script to manipulate the call and direct the AAA information to the appropriate billing/RADIUS server based on the individual card numbers entered by callers B and C. If a caller is using an account number instead of a prepaid calling card, the service provider can use the caller’s account number to direct the AAA information to the appropriate RADIUS/billing server that is used to authorize calls based on account numbers.

The figure below shows RADIUS/Billing server selections based on T1/E1 trunk groups. For example, if caller A is using a pre-paid application, the service provider directs AAA information to the appropriate RADIUS/Billing server based on the T1/E1 trunk group that is assigned to receive prepaid application calls.

Figure 2. RADIUS/Billing Server Selection Based on T1/E1 Trunk Groups

Customizing Accounting Records

You can create an accounting template to customize your accounting records based on your billing needs. An accounting template is a text-based interface that allows you to customize and define the content of that template and helps reduce billing traffic from the gateway to the accounting servers.

A sample accounting template applicable to POTS and VoIP dial-peers is shown below.

Vendor specific attributes (VSAs) used in session applications such as h323-ivr-out, h323-credit-amount, h323-credit-time, h323-billing-model, are only controlled in the TCL script and not in the accounting template. If you specify these VSAs in the accounting template, they are ignored and no error messages are reported. You cannot control h323-conf-id and h323-incoming-conf-id; they are mandatory VSAs required for co-relating accounting messages on the incoming and outgoing legs.

Session applications also use some VSAs for authentication and authorization which are not controlled by the accounting template. For example, h323-ivr-out, h323-credit-amount, h323-credit-time, and h323-billing-model are only controlled by the TCL script. The VSAs listed in this template are voice-specific only. Non-voice specific attributes cannot be controlled through this template. To add new attributes not defined in this template, contact your Cisco marketing representative.

To delete an attribute, add the # sign in front of the attribute name.

Accounting Template

You can create a custom accounting template by selecting only those VSAs that are applicable to your billing needs. The list below shows some VSAs that can be used to create custom accounting templates.

Each accounting template attribute is unique. For example, the attribute disconnect-time is applied to a stop message because you can only get that information at the end of a call and not at the start of that call.

If you want to generate individual accounting templates for different incoming trunk calls on an accounting server, you can define multiple templates and associate them with different sets of incoming dial-peers. You can customize the template by deleting attributes that are not required for your specific template.


Note


For the latest list of VSAs, refer to the RADIUS Vendor-Specific Attributes Voice Implementation Guide .


Attribute Name

Usage and Restrictions

h323-gw-id

h323-call-origin

h323-call-type

h323-setup-time

h323-connect-time

h323-disconnect-time

h323-disconnect-cause

h323-remote-address

h323-voice-quality-subscriber

ICPIF

Detail CallHistory

acom-level

#POTS leg only

noise-level

#POTS leg only

img-pages-count

#POTS leg only

voice-tx-duration

#POTS leg only

tx-duration

#POTS leg only

charged-units

#

disconnect-text

#

peer-if-index

#

logical-if-index

#

codec-type-rate

#

codec-bytes

#IP leg only

session-protocol

#IP leg only

vad-enable

#IP leg only

remote-udp-port

#IP leg only

hiwater-playout-display

#IP leg only

lowater-playout-display

#IP leg only

receive-delay

#IP leg only

round-trip-delay

#IP leg only

ontime-rv-playout

#IP leg only

gapfill-with-silence

#IP leg only

gapfill-with-prediction

#IP leg only

gapfill-with-interpolation

#IP leg only

gapfill-with-redundancy

#IP leg only

lost-packets

#IP leg only

early-packets

#IP leg only

late-packets

#IP leg only

Related Features and Technologies

  • Service Provider feature set for VoIP uses the IVR for interaction with the caller; collects digits for accounting and billing purposes.
  • Authentication, Authorization, and Accounting (AAA) feature is used in conjunction with IVR.
  • Settlement for Packet Telephony on Cisco Access Platforms uses the TCL IVR scripts for the billing process.
  • Debit Card for Packet Telephony on Cisco Access Platforms uses TCL IVR extensively for interoperability.
  • Enhanced Multi-Language Support for Cisco IOS Interactive Voice Response allows you to implement and add support for new languages and text-to-speech (TTS) notations to the core IVR infrastructure on Cisco voice gateways.

Related Documents

For related information on the features described in this document, refer to the following documents:

  • Internetworking Terms and Acronyms
  • Hardware and software guides for Cisco 5000 series universal voice gateways for information on installing the hardware and performing basic configuration
  • Platform Specific Information for Cisco 2600 Series Routers
  • Platform Specific Information for Cisco 3600 Series Routers
  • Voice over IP for the Cisco AS5300 , the section "VFC Management" provides VCWare download instructions
  • Enhanced Multi-Language Support for Cisco IOS Interactive Voice Response, Cisco IOS Release 12.2(2)T feature module, describes multi-language support for dynamic prompts
  • Configuring Debit Card Applications , for information on debit card applications that work in conjunction with Cisco interactive voice response (IVR) software, AAA, RADIUS, and an integrated third party billing system
  • Cisco IOS Voice, Video, and Fax Configuration Library , Cisco IOS Release 12.3
  • Cisco IOS Voice, Video, and Fax Command Reference, Cisco IOS Release 12.3, for command reference information on Cisco IOS commands
  • "Authentication, Authorization, and Accounting (AAA)" chapter in the Cisco IOS Security Configuration Guide , Cisco IOS Release 12.2, for information on configuring accounting records
  • RADIUS Vendor-Specific Attributes Voice Implementation Guide
  • http:/​/​www.cisco.com/​univercd/​cc/​td/​doc/​product/​access/​acs_serv/​vapp_dev/​tclivrv2.htm TCL IVR API Version 2.0 Programmer's Guide for information about creating and implementing Tool Command Language (TCL) IVR scripts
  • Cisco Prepaid Debitcard Multi-language Programmer’s Reference
  • Enhanced Multi-Language Support for Cisco IOS Interactive Voice Response