The RFC-2867 RADIUS Tunnel Accounting introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop).
This feature also introduces two new virtual private dialup network (VPDN) commands that help users troubleshoot VPDN session events.
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for RFC-2867 RADIUS Tunnel Accounting" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
• Restrictions for RFC-2867 RADIUS Tunnel Accounting
• Information About RFC-2867 RADIUS Tunnel Accounting
• How to Configure RADIUS Tunnel Accounting
• Configuration Examples for RADIUS Tunnel Accounting
• Feature Information for RFC-2867 RADIUS Tunnel Accounting
RADIUS tunnel accounting works only with L2TP tunnel support.
To use RADIUS tunnel attributes and commands, you should understand the following concepts:
• Benefits of RFC-2867 RADIUS Tunnel Accounting
• RADIUS Attributes Support for RADIUS Tunnel Accounting
Before RADIUS tunnel accounting support was added, VPDN with network accounting, which allows users to determine tunnel-link status changes, did not report all possible attributes to the accounting record file. Now that all possible attributes can be reported, users can better verify accounting records with their Internet service providers (ISPs).
Table 1 outlines the new RADIUS accounting types that are designed to support the provision of compulsory tunneling in dialup networks; that is, these attribute types allow you to better track tunnel status changes.
Note The accounting types are divided into two separate tunnel types so users can decide if they want tunnel type, tunnel-link type, or both types of accounting.
Acct-Status-Type | Value | Description | Attributes in the accounting packet (1)
---|---|---|---
Tunnel-Start | 9 | Marks the beginning of a tunnel setup with another node. | User-Name (1)—from client; NAS-IP-Address (4)—from AAA; Acct-Delay-Time (41)—from AAA; Event-Timestamp (55)—from AAA; Tunnel-Type (64)—from client; Tunnel-Medium-Type (65)—from client; Tunnel-Client-Endpoint (66)—from client; Tunnel-Server-Endpoint (67)—from client; Acct-Tunnel-Connection (68)—from client
Tunnel-Stop | 10 | Marks the end of a tunnel connection to or from another node. | User-Name (1)—from client; NAS-IP-Address (4)—from AAA; Acct-Delay-Time (41)—from AAA; Acct-Input-Octets (42)—from AAA; Acct-Output-Octets (43)—from AAA; Acct-Session-Id (44)—from AAA; Acct-Session-Time (46)—from AAA; Acct-Input-Packets (47)—from AAA; Acct-Output-Packets (48)—from AAA; Acct-Terminate-Cause (49)—from AAA; Acct-Multi-Session-Id (51)—from AAA; Event-Timestamp (55)—from AAA; Tunnel-Type (64)—from client; Tunnel-Medium-Type (65)—from client; Tunnel-Client-Endpoint (66)—from client; Tunnel-Server-Endpoint (67)—from client; Acct-Tunnel-Connection (68)—from client; Acct-Tunnel-Packets-Lost (86)—from client
Tunnel-Reject | 11 | Marks the rejection of a tunnel setup with another node. | User-Name (1)—from client; NAS-IP-Address (4)—from AAA; Acct-Delay-Time (41)—from AAA; Acct-Terminate-Cause (49)—from client; Event-Timestamp (55)—from AAA; Tunnel-Type (64)—from client; Tunnel-Medium-Type (65)—from client; Tunnel-Client-Endpoint (66)—from client; Tunnel-Server-Endpoint (67)—from client; Acct-Tunnel-Connection (68)—from client
Tunnel-Link-Start | 12 | Marks the creation of a tunnel link. Only some tunnel types (Layer 2 Tunneling Protocol [L2TP]) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel. | User-Name (1)—from client; NAS-IP-Address (4)—from AAA; NAS-Port (5)—from AAA; Acct-Delay-Time (41)—from AAA; Event-Timestamp (55)—from AAA; Tunnel-Type (64)—from client; Tunnel-Medium-Type (65)—from client; Tunnel-Client-Endpoint (66)—from client; Tunnel-Server-Endpoint (67)—from client; Acct-Tunnel-Connection (68)—from client
Tunnel-Link-Stop | 13 | Marks the end of a tunnel link. Only some tunnel types (L2TP) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel. | User-Name (1)—from client; NAS-IP-Address (4)—from AAA; NAS-Port (5)—from AAA; Acct-Delay-Time (41)—from AAA; Acct-Input-Octets (42)—from AAA; Acct-Output-Octets (43)—from AAA; Acct-Session-Id (44)—from AAA; Acct-Session-Time (46)—from AAA; Acct-Input-Packets (47)—from AAA; Acct-Output-Packets (48)—from AAA; Acct-Terminate-Cause (49)—from AAA; Acct-Multi-Session-Id (51)—from AAA; Event-Timestamp (55)—from AAA; NAS-Port-Type (61)—from AAA; Tunnel-Type (64)—from client; Tunnel-Medium-Type (65)—from client; Tunnel-Client-Endpoint (66)—from client; Tunnel-Server-Endpoint (67)—from client; Acct-Tunnel-Connection (68)—from client; Acct-Tunnel-Packets-Lost (86)—from client
Tunnel-Link-Reject | 14 | Marks the rejection of a tunnel setup for a new link in an existing tunnel. Only some tunnel types (L2TP) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel. | User-Name (1)—from client; NAS-IP-Address (4)—from AAA; Acct-Delay-Time (41)—from AAA; Acct-Terminate-Cause (49)—from AAA; Event-Timestamp (55)—from AAA; Tunnel-Type (64)—from client; Tunnel-Medium-Type (65)—from client; Tunnel-Client-Endpoint (66)—from client; Tunnel-Server-Endpoint (67)—from client; Acct-Tunnel-Connection (68)—from client

(1) If the specified tunnel type is used, these attributes should also be included in the accounting request packet.
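Table 1 is, in effect, a checklist a RADIUS accounting server or a log-review script can apply to each record. The following Python is an added example (not Cisco's code and not part of the original page): it parses a raw RADIUS Accounting-Request, maps Acct-Status-Type values 9 to 14 to the record names above, reports which attributes from the table are absent, and flags a tunnel-link record whose Tunnel-Type is not L2TP, the only tunnel type this feature supports. The sample packet is constructed inline, its authenticator is left as zeros and is not validated, and the LAC address and username are taken from the configuration examples on this page.

```python
import struct

# Acct-Status-Type (40) values RFC 2867 adds, and the attribute numbers Table 1 expects in each
TUNNEL_STATUS = {9: "Tunnel-Start", 10: "Tunnel-Stop", 11: "Tunnel-Reject",
                 12: "Tunnel-Link-Start", 13: "Tunnel-Link-Stop", 14: "Tunnel-Link-Reject"}
COMMON = {1, 4, 41, 55, 64, 65, 66, 67, 68}
STOP_EXTRA = {42, 43, 44, 46, 47, 48, 49, 51, 86}
EXPECTED = {9: COMMON, 10: COMMON | STOP_EXTRA, 11: COMMON | {49}, 12: COMMON | {5},
            13: COMMON | {5, 61} | STOP_EXTRA, 14: COMMON | {49}}
L2TP = 3  # Tunnel-Type (64) value for L2TP (RFC 2868), the only tunnel type this feature supports

def parse_radius(packet):
    # Returns (code, [(attr_type, raw_value), ...]); rejects length fields that disagree with the data
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def check_tunnel_record(packet):
    # Classifies an Accounting-Request and lists attributes Table 1 expects but the packet lacks
    code, attrs = parse_radius(packet)
    values = dict(attrs)
    if code != 4 or 40 not in values:  # 4 = Accounting-Request
        return {"record": None, "error": "not an Accounting-Request with Acct-Status-Type"}
    status = int.from_bytes(values[40], "big")
    if status not in TUNNEL_STATUS:  # ordinary Start/Stop/Interim record, not a tunnel record
        return {"record": None, "status": status}
    # Tunnel-Type carries a one-byte tag (RFC 2868) in front of its 3-byte integer value
    tunnel_type = int.from_bytes(values[64][1:], "big") if 64 in values else None
    problems = [] if status < 12 or tunnel_type == L2TP else ["link record on non-L2TP tunnel"]
    return {"record": TUNNEL_STATUS[status], "tunnel_type": tunnel_type,
            "missing": sorted(EXPECTED[status] - set(values)), "problems": problems}

def avp(atype, value):  # one RADIUS attribute: Type, Length, Value
    return bytes([atype, len(value) + 2]) + value

def build_packet(code, avps, ident=1):  # constructed packet; authenticator left zero, not validated
    body = b"".join(avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

# Constructed sample: Tunnel-Link-Start from the LAC in the page's example, deliberately lacking
# NAS-Port (5) and Acct-Tunnel-Connection (68) so the check has something to report
SAMPLE = build_packet(4, [
    avp(1, b"user1@cisco.com"), avp(4, bytes([10, 1, 27, 74])), avp(40, (12).to_bytes(4, "big")),
    avp(41, (0).to_bytes(4, "big")), avp(55, (1700000000).to_bytes(4, "big")),
    avp(64, b"\x00" + L2TP.to_bytes(3, "big")), avp(65, b"\x00" + (1).to_bytes(3, "big")),
    avp(66, b"\x00" + b"10.1.27.74"), avp(67, b"\x00" + b"10.1.26.71")])
```

Running `check_tunnel_record(SAMPLE)` reports the record as Tunnel-Link-Start with attributes 5 and 68 missing; a record that omits Tunnel-Type entirely is reported with `tunnel_type` of None and is flagged if it is a link record.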
This section contains the following procedures
• Enabling Tunnel Type Accounting Records
• Verifying RADIUS Tunnel Accounting
Use this task to configure your LAC to send tunnel and tunnel-link accounting records to the RADIUS server.
Two new command line interfaces (CLIs)—vpdn session accounting network (tunnel-link-type records) and vpdn tunnel accounting network (tunnel-type records)—are supported to help identify the following events:
• A VPDN tunnel is brought up or destroyed
• A request to create a VPDN tunnel is rejected
• A user session within a VPDN tunnel is brought up or brought down
• A user session create request is rejected
Note The first two events are tunnel-type accounting records: authentication, authorization, and accounting (AAA) sends Tunnel-Start, Tunnel-Stop, or Tunnel-Reject accounting records to the RADIUS server. The next two events are tunnel-link-type accounting records: AAA sends Tunnel-Link-Start, Tunnel-Link-Stop, or Tunnel-Link-Reject accounting records to the RADIUS server.
1. enable
2. configure terminal
3. aaa accounting network {default | list-name} {start-stop | stop-only | wait-start | none} group groupname
4. vpdn enable
5. vpdn tunnel accounting network list-name
6. vpdn session accounting network list-name
After you have enabled RADIUS tunnel accounting, you can verify your configuration with the optional task in the "Verifying RADIUS Tunnel Accounting" section.
Use either one or both of the following optional steps to verify your RADIUS tunnel accounting configuration.
1. enable
2. show accounting
3. show vpdn [session | tunnel]
This section provides the following configuration examples:
• Configuring RADIUS Tunnel Accounting on LAC: Example
• Configuring RADIUS Tunnel Accounting on LNS: Example
The following example shows how to configure your L2TP access concentrator (LAC) to send tunnel and tunnel-link accounting records to the RADIUS server:
```
aaa new-model
!
!
aaa authentication ppp default group radius
aaa authorization network default local
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
aaa session-id common
enable secret 5 $1$IDjH$iL7puCja1RMlyOM.JAeuf/
enable password lab
!
username ISP_LAC password 0 tunnelpass
!
!
resource-pool disable
!
!
ip subnet-zero
ip cef
no ip domain-lookup
ip host dirt 172.16.1.129
!
vpdn enable
vpdn tunnel accounting network m1
vpdn session accounting network m1
vpdn search-order domain dnis
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain cisco.com
 initiate-to ip 10.1.26.71
 local name ISP_LAC
!
mta receive maximum-recipients 0
!
interface GigabitEthernet0/0/0
 ip address 10.1.27.74 255.255.255.0
 no ip mroute-cache
 duplex half
 speed auto
 no cdp enable
!
interface FastEthernet0/0/1
 no ip address
 no ip mroute-cache
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
ip default-gateway 10.1.27.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.27.254
no ip http server
ip pim bidir-enable
!
no cdp run
!
!
radius-server host 172.19.192.26 auth-port 1645 acct-port 1646 key rad123
radius-server retransmit 3
call rsvp-sync
!
```
The following example shows how to configure your L2TP network server (LNS) to send tunnel and tunnel-link accounting records to the RADIUS server:
```
aaa new-model
!
!
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
aaa session-id common
enable secret 5 $1$ftf.$wE6Q5Yv6hmQiwL9pizPCg1
!
username ENT_LNS password 0 tunnelpass
username user1@cisco.com password 0 lab
username user2@cisco.com password 0 lab
spe 1/0 1/7
 firmware location system:/ucode/mica_port_firmware
spe 2/0 2/9
 firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
clock timezone est 2
!
ip subnet-zero
no ip domain-lookup
ip host CALLGEN-SECURITY-V2 172.24.80.28 10.47.0.0
ip host dirt 172.16.1.129
!
vpdn enable
vpdn tunnel accounting network m1
vpdn session accounting network m1
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname ISP_LAC
 local name ENT_LNS
!
mta receive maximum-recipients 0
!
interface Loopback0
 ip address 192.168.70.101 255.255.255.0
!
interface Loopback1
 ip address 192.168.80.101 255.255.255.0
!
interface FastEthernet0/0/0
 ip address 10.1.26.71 255.255.255.0
 no ip mroute-cache
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool vpdn-pool1
 ppp authentication chap
!
interface Virtual-Template2
 ip unnumbered Loopback1
 peer default ip address pool vpdn-pool2
 ppp authentication chap
!
interface FastEthernet0/0/1
 no ip address
 no ip mroute-cache
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
ip local pool vpdn-pool1 192.168.70.1 192.168.70.100
ip local pool vpdn-pool2 192.168.80.1 192.168.80.100
ip default-gateway 10.1.26.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.26.254
ip route 10.90.1.2 255.255.255.255 10.1.26.254
no ip http server
ip pim bidir-enable
!
no cdp run
!
radius-server host 172.19.192.80 auth-port 1645 acct-port 1646 key rad123
radius-server retransmit 3
call rsvp-sync
```
The following sections provide references related to RFC-2867 RADIUS Tunnel Accounting.
Related Topic | Document Title
---|---
RADIUS attributes | "RADIUS Attributes Overview and RADIUS IETF Attributes" in the Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2
VPDN | Cisco IOS XE VPDN Configuration Guide, Release 2
Network accounting | "Configuring Accounting" in the Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2
Commands | Cisco IOS Security Command Reference

Standard | Title
---|---
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —

RFC | Title
---|---
RFC 2867 | RADIUS Accounting Modifications for Tunnel Protocol Support
Table 2 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note Table 2 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.