RADIUS NAS-IP-Address Attribute Configurability

First Published: November 19, 2003
Last Updated: September 22, 2009

The RADIUS NAS-IP-Address Attribute Configurability feature allows an arbitrary IP address to be configured and used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets. This feature may be used for situations in which service providers are using a cluster of small network access servers (NASs) to simulate a large NAS to improve scalability. This feature allows the NASs to behave as a single RADIUS client from the perspective of the RADIUS server.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for RADIUS NAS-IP-Address Attribute Configurability" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.

Contents

Prerequisites for RADIUS NAS-IP-Address Attribute Configurability

Restrictions for RADIUS NAS-IP-Address Attribute Configurability

Information About RADIUS NAS-IP-Address Attribute Configurability

How to Configure RADIUS NAS-IP-Address Attribute Configurability

Configuration Examples for RADIUS NAS-IP-Address Attribute Configurability

Additional References

Feature Information for RADIUS NAS-IP-Address Attribute Configurability

Prerequisites for RADIUS NAS-IP-Address Attribute Configurability

The following requirements are necessary before configuring this feature:

Experience with IP Security (IPSec) and configuring both RADIUS servers and authentication, authorization, and accounting (AAA) is necessary.

RADIUS server and AAA lists must be configured.

Restrictions for RADIUS NAS-IP-Address Attribute Configurability

The following restrictions apply if a cluster of RADIUS clients is being used to simulate a single RADIUS client for scalability. Solutions, or workarounds, to the restrictions are also provided.

RADIUS attribute 44, Acct-Session-Id, may overlap among sessions from different NASs.

There are two solutions. Either the radius-server attribute 44 extend-with-addr or radius-server unique-ident command can be used on NAS routers to specify different prepending numbers for different NAS routers.

RADIUS server-based IP address pool for different NASs must be managed.

The solution is to configure different IP address pool profiles for different NASs on the RADIUS server. Different NASs use different pool usernames to retrieve them.

RADIUS request message for sessions from different NASs must be differentiated.

One of the solutions is to configure different format strings for RADIUS attribute 32, NAS-Identifier, using the radius-server attribute 32 include-in-access-req command on different NASs.
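
The overlap described in the restrictions above, as an added example that is not part of the original Cisco documentation. It builds and parses two constructed Accounting-Request packets and assumes a billing system that keys sessions on attribute 4 plus attribute 44; the identifiers nas-a and nas-b, the session ID, and all function names are hypothetical.

```python
import socket
import struct
from collections import Counter

NAS_IP_ADDRESS, NAS_IDENTIFIER, ACCT_SESSION_ID = 4, 32, 44

def build_acct_request(pkt_id, nas_ip, nas_identifier, session_id):
    """Encode a minimal Accounting-Request (code 4); the authenticator is zeroed test data."""
    attrs = b""
    for atype, value in ((NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
                         (NAS_IDENTIFIER, nas_identifier.encode()),
                         (ACCT_SESSION_ID, session_id.encode())):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH16s", 4, pkt_id, 20 + len(attrs), bytes(16)) + attrs

def parse_attributes(packet):
    """Walk the type-length-value attributes after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def colliding_keys(packets, with_identifier):
    """Return session keys claimed by more than one accounting packet."""
    seen = Counter()
    for packet in packets:
        a = parse_attributes(packet)
        key = (socket.inet_ntoa(a[NAS_IP_ADDRESS]), a[ACCT_SESSION_ID].decode())
        if with_identifier:
            key += (a.get(NAS_IDENTIFIER, b"").decode(),)
        seen[key] += 1
    return sorted(k for k, n in seen.items() if n > 1)

# Constructed: two NASs send the same attribute 4 and the same Acct-Session-Id.
PACKETS = [build_acct_request(1, "10.2.1.1", "nas-a", "0000001D"),
           build_acct_request(2, "10.2.1.1", "nas-b", "0000001D")]
```

Keyed on attribute 4 and attribute 44 alone, the two sessions are indistinguishable; adding a per-NAS attribute 32 value separates them.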

Information About RADIUS NAS-IP-Address Attribute Configurability

To simulate a large NAS RADIUS client using a cluster of small NAS RADIUS clients, as shown in Figure 1, a Network Address Translation (NAT) or Port Address Translation (PAT) device is inserted in a network. The device is placed between a cluster of NASs and the IP cloud that is connected to a RADIUS server. When RADIUS traffic from different NASs goes through the NAT or PAT device, the source IP addresses of the RADIUS packets are translated to a single IP address, most likely an IP address on a loopback interface on the NAT or PAT device. Different User Datagram Protocol (UDP) source ports are assigned to RADIUS packets from different NASs. When the RADIUS reply comes back from the server, the NAT or PAT device receives it, uses the destination UDP port to translate the destination IP address back to the IP address of the NAS, and forwards the reply to the corresponding NAS.

Figure 1 demonstrates how the source IP addresses of several NASs are translated to a single IP address as they pass through the NAT or PAT device on the way to the IP cloud.

Figure 1 NAS Addresses Translated to a Single IP Address

RADIUS servers normally check the source IP address in the IP header of the RADIUS packets to track the source of the RADIUS requests and to maintain security. The NAT or PAT solution satisfies these requirements because only a single source IP address is used even though RADIUS packets come from different NAS routers.

However, when retrieving accounting records from the RADIUS database, some billing systems use RADIUS attribute 4, NAS-IP-Address, in the accounting records. The value of this attribute is recorded on the NAS routers as their own IP addresses. The NAS routers are not aware of the NAT or PAT that runs between them and the RADIUS server; therefore, different RADIUS attribute 4 addresses will be recorded in the accounting records for users from the different NAS routers. These addresses eventually expose different NAS routers to the RADIUS server and to the corresponding billing systems.

Using the RADIUS NAS-IP-Address Attribute Configurability Feature

The RADIUS NAS-IP-Address Attribute Configurability feature allows you to freely configure an arbitrary IP address as RADIUS NAS-IP-Address, RADIUS attribute 4. By manually configuring the same IP address, most likely the IP address on the loopback interface of the NAT or PAT device, for all the routers, you can hide a cluster of NAS routers behind the NAT or PAT device from the RADIUS server.

How to Configure RADIUS NAS-IP-Address Attribute Configurability

This section contains the following procedures:

Configuring RADIUS NAS-IP-Address Attribute Configurability

Monitoring and Maintaining RADIUS NAS-IP-Address Attribute Configurability

Configuring RADIUS NAS-IP-Address Attribute Configurability

Before configuring the RADIUS NAS-IP-Address Attribute Configurability feature, you must have configured the RADIUS servers or server groups and AAA method lists.

To configure the RADIUS NAS-IP-Address Attribute Configurability feature, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. radius-server attribute 4 ip-address

DETAILED STEPS

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3: radius-server attribute 4 ip-address
Example: Router(config)# radius-server attribute 4 10.2.1.1
Purpose: Configures an IP address to be used as the RADIUS NAS-IP-Address, attribute 4.

Monitoring and Maintaining RADIUS NAS-IP-Address Attribute Configurability

To monitor the RADIUS attribute 4 address that is being used inside the RADIUS packets, use the debug radius command.

SUMMARY STEPS

1. enable

2. debug radius

DETAILED STEPS

Step 1: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: debug radius
Example: Router# debug radius
Purpose: Displays information associated with RADIUS.

Examples

The following sample output is from the debug radius command:

Router# debug radius

RADIUS/ENCODE(0000001C): acct_session_id: 29
RADIUS(0000001C): sending
RADIUS(0000001C): Send Access-Request to 10.0.0.10:1645 id 21645/17, len 81
RADIUS:  authenticator D0 27 34 C0 F0 C4 1C 1B - 3C 47 08 A2 7E E1 63 2F
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  User-Name           [1]   18  "shashi@pepsi.com"
RADIUS:  CHAP-Password       [3]   19  *
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   10.0.0.21
UDP: sent src=10.1.1.1(21645), dst=10.0.0.10(1645), length=109
UDP: rcvd src=10.0.0.10(1645), dst=10.1.1.1(21645), length=40
RADIUS: Received from id 21645/17 10.0.0.10:1645, Access-Accept, len 32
RADIUS:  authenticator C6 99 EC 1A 47 0A 5F F2 - B8 30 4A 4C FF 4B 1D F0
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS(0000001C): Received from id 21645/17
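
One way to check captured debug radius output against the address configured with radius-server attribute 4, as an added example that is not part of the original Cisco documentation. The function name audit_debug and the finding fields are hypothetical; the sample lines are copied from the output above.

```python
import re

# Constructed sample: request lines copied from the sample debug radius output above.
SAMPLE_DEBUG = """\
RADIUS(0000001C): Send Access-Request to 10.0.0.10:1645 id 21645/17, len 81
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   10.0.0.21
UDP: sent src=10.1.1.1(21645), dst=10.0.0.10(1645), length=109
UDP: rcvd src=10.0.0.10(1645), dst=10.1.1.1(21645), length=40
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SEND_RE = re.compile(r"RADIUS\((\w+)\): Send (\S+) to " + IP + r":(\d+)")
ATTR4_RE = re.compile(r"RADIUS:\s+NAS-IP-Address\s+\[4\]\s+6\s+" + IP)
UDP_SENT_RE = re.compile(r"UDP: sent src=" + IP + r"\(\d+\)")

def audit_debug(text, expected_attr4):
    """Return one finding per outgoing RADIUS request found in debug text."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEND_RE.match(line)
        if m:
            current = {"session": m.group(1), "type": m.group(2),
                       "server": m.group(3), "attr4": None, "udp_src": None}
            findings.append(current)
            continue
        if current is None:
            continue
        m = ATTR4_RE.match(line)
        if m:
            current["attr4"] = m.group(1)
        m = UDP_SENT_RE.match(line)
        if m:
            current["udp_src"] = m.group(1)
            current = None  # the UDP "sent" line closes this request
    for f in findings:
        if f["attr4"] is None:
            f["status"] = "attribute 4 missing"
        elif f["attr4"] != expected_attr4:
            f["status"] = "attribute 4 mismatch"
        else:
            f["status"] = "ok"
        # With the feature in use, attribute 4 need not match the packet source.
        f["differs_from_source"] = f["attr4"] != f["udp_src"]
    return findings
```

Running the same check on every NAS in the cluster confirms that each one sends the shared attribute 4 value while keeping its own source address.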

Configuration Examples for RADIUS NAS-IP-Address Attribute Configurability

This section provides the following configuration example:

Configuring a RADIUS NAS-IP-Address Attribute Configurability: Example

Configuring a RADIUS NAS-IP-Address Attribute Configurability: Example

The following example shows that IP address 10.0.0.21 has been configured as the RADIUS NAS-IP-Address attribute:

radius-server attribute 4 10.0.0.21
radius-server host 10.0.0.10 auth-port 1645 acct-port 1646 key cisco

Additional References

The following sections provide references related to RADIUS NAS-IP-Address Attribute Configurability.

Related Documents

Configuring AAA: "Authentication, Authorization, and Accounting (AAA)" section of Cisco IOS Security Configuration Guide: Securing User Services

Configuring RADIUS: "Configuring RADIUS" module

RADIUS commands: Cisco IOS Security Command Reference

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

No new or modified RFCs are supported by this feature.



Feature Information for RADIUS NAS-IP-Address Attribute Configurability

Table 1 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.


Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 1 Feature Information for RADIUS NAS-IP-Address Attribute Configurability

Feature Name: RADIUS NAS-IP-Address Attribute Configurability

Releases: 12.3(3)B, 12.3(7)T, 12.2(28)SB, 12.2(33)SRC

Feature Information: This feature allows an arbitrary IP address to be configured and used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets.

This feature was introduced into Cisco IOS Release 12.3(3)B.

This feature was integrated into Cisco IOS Release 12.3(7)T.

This feature was integrated into Cisco IOS Release 12.2(28)SB.

This feature was integrated into Cisco IOS Release 12.2(33)SRC.

The radius-server attribute 4 command was introduced by this feature.