Configuring AAA for Cisco Voice Gateways Configuration Guide, Cisco IOS Release 12.4T - Cisco IOS Configuration [Cisco IOS Software Releases 12.4 T]

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisite Configuration

The following general tasks are prerequisites to configuring the Cisco IOS features described in this document:

Establish a working IP network. For more information about configuring IP, refer to the >Cisco IOS IP Configuration Guide .
Configure Voice over IP. For more information about configuring Voice over IP, refer to the >Cisco IOS Voice Configuration Library.
Program and configure the interface between the RADIUS server and the Cisco voice gateway to operate with vendor specific attributes (VSAs). Refer to the RADIUS Vendor-Specific Attributes Voice Implementation Guide.
Download the TCL scripts that are not embedded in Cisco IOS from the Cisco CCO software support URL: http://www.cisco.com/public/sw-center/
Define and apply IVR applications on the dial peer to direct AAA requests to a RADIUS server. For more information, see the Cisco IOS TCL and VoiceXML Application Guide

Configuring AAA Basics

Configuring AAA Basics

You must follow these steps to set up AAA before you start directing AAA requests to a RADIUS server:

SUMMARY STEPS

1. Enable authentication, authorization, and accounting (AAA) security services:

2. Define a RADIUS server host by entering the following command:

3. Use the RADIUS server defined in Step 2 to define a AAA group.

4. Exit group server configuration mode.

5. To specify the password for use between the gateway and the RADIUS serier, enter the following command in global configuration mode:

6. Use the AAA group defined in Step 2 above to define an AAA method list.

DETAILED STEPS

Step 1

Enable authentication, authorization, and accounting (AAA) security services:

Example:

Router(config)# aaa new-model

Example:

Example:

aaa new-model

Step 2

Define a RADIUS server host by entering the following command:

Example:

Router(config)# radius server host
 
ipaddress
 auth-port
 
port-number
 acct-port
 
port-number

Example:

Example:

radius server host 1.5.35.10 auth-port 2001 acct-port 2002

Step 3

Use the RADIUS server defined in Step 2 to define a AAA group.

To define a group name, enter the following command in global configuration mode:

Example:

Router(config)# aaa group server radius
 
group-name

Note

For the argument group-name in the command, enter the name of the specific RADIUS server (for example server1) you want to authenticate, or enter the argument radius if you want to authenticate all RADIUS servers.

Example:

Example:

aaa group server radius
 
server1

To configure the IP address of the RADIUS server for the group server, enter the following command in group server configuration mode:

Example:

Router(config-sg-radius)# server
 
ip-addres
s auth-port
 
port-number
 acct-port
 
port-number

Example:

Example:

server 
1.5.35.10 auth-port 2001 acct-port 2002

Step 4

Exit group server configuration mode.

Example:

Router(config-sg-radius)# exit

Step 5

To specify the password for use between the gateway and the RADIUS serier, enter the following command in global configuration mode:

Router(config)#
 radius-server key key

Example:

Example:

radius-server key 1user23

Step 6

Use the AAA group defined in Step 2 above to define an AAA method list.

For voice authentication, enter the aaa authentication login command.

Example:

Router(config)# aaa authentication login
 
list-name method1 
[
method2...
]

Examples:

Example:

aaa authentication login h323 group server2
aaa authentication login MIS-access group radius

For voice authorization, enter the aaa authorization command.

Example:

Router(config)# aaa authorization exec
 
list-name method1 
[
method2...
]

Examples:

Example:

aaa authorization exec h323 group server2 
aaa authorization exec MIS-access group radius

For voice accounting, enter the aaa accounting command in global cofiguration mode.

Example:

Router(config)# aaa accounting connection 
list-name start-stop method1 
[
method2..
]

Example:

Example:

aaa accounting connection h323 start-stop group server1

Directing AAA Requests to a RADIUS Server

You can use TCL scripts or the CLI to direct AAA requests to a specific RADIUS server based on:

Customer account number
Called party number
Trunk group

Directing AAA Requests by Using Account Numbers
Directing AAA Requests using Called Party Number
Directing AAA Requests Using Trunk Groups

Directing AAA Requests by Using Account Numbers

It is easier to use TCL scripts instead of the CLI to direct AAA requests using account numbers.

To use TCL scripts for directing AAA requests using account numbers, follow the steps below:

SUMMARY STEPS

1. Before you start using TCL scripts to direct AAA requests using account numbers, you must define and apply the interactive voice response (IVR) application on the dial peer.

2. Use the authentication, authorization, and accounting TCL verbs to customize your TCL scripts. Refer to the Accounting Template, page 21 in Chapter 1, "Overview of AAA on Voice Gateways" for an example of a TCL script.

3. (Optional). If you use the accounting TCL verb, then use the accounting suppress command to suppress accounting on the same dial peer on which you have specified your application.

DETAILED STEPS

Step 1

Before you start using TCL scripts to direct AAA requests using account numbers, you must define and apply the interactive voice response (IVR) application on the dial peer.

Step 2

Use the authentication, authorization, and accounting TCL verbs to customize your TCL scripts. Refer to the Accounting Template, page 21 in Chapter 1, "Overview of AAA on Voice Gateways" for an example of a TCL script.

The authentication, accounting, and authorization TCL verbs are:

Authentication: Use the following TCL verb:

Example:

aaa authenticate
 
account password 
[
-a avlistSend
][
-s servertag
]

Authorization: Use the following TCL verb:

Example:

aaa authorize
 
account password ani destination 
{
legID
|
info-tag
}
 
[
-s servertag
]>

Accounting: Use the following TCL verbs to start or update accounting messages:

Example:
```
aaa accounting start
 {
legID
|
info-tag
}
 
[
-s servertag
]> 
```

Step 3

(Optional). If you use the accounting TCL verb, then use the accounting suppress command to suppress accounting on the same dial peer on which you have specified your application.

Follow the steps below to suppress accounting on the dial peer:

Enter the
voice class aaacommandin global configuration mode.

Example:
```
Router(config)# voice-class aaa
 
tag
```
Example:

Example:
```
voice-class aaa 1001 
```
Enter the accounting suppress command in voice class configuration mode.

Example:
```
Router(config-class)# accounting suppress 
```

Enter the voice class aaa command in dial peer configuration mode.

Example:

Router(config)# dial-peer
 voice
 
tag
 {pots
|voip
}
Router(config-dial-peer)# voice class aaa
 
tag

Example:

Example:

dial-peer voice 101 voip
voice class aaa 1001

Directing AAA Requests using Called Party Number

You can use the called party number to direct AAA requests in dial peer configuration mode as follows:

SUMMARY STEPS

1. Define a dial peer.

2. Define the voice class.

DETAILED STEPS

Step 1

Define a dial peer.

Enter dial peer configuration mode using the dial peer voice command. The argument number defines a particular dial peer.

Example:
```
Router(config)# dial-peer voice
 
tag
 {pots
|voip
} 
```
Example:

Example:
```
dial-peer voice 202 pots
```
Specify the incoming called number using the incoming called number command in dial peer configuration mode. The argument string is a series of digits that specifies the incoming called number.

Example:
```
Router(config-dial-peer)# incoming called number
 
string
 
```
Example:

Example:
```
incoming called number 5550900
```

Step 2

Define the voice class.

Enter the voice class aaa command in global configuration mode. The argument tag identifies the dial peer.

Example:
```
Router(config)# voice class aaa
 
tag
 
```
Example:

Example:
```
voice-class aaa 202 
```
Define authentication, authorization, and accounting methods. Enter the authentication, authorization and accounting commands in voice class mode. The argument methodListName is used to name the list of authentication, authorization or accounting methods applicable to each command.

Example:
```
Router(config-class)# authentication method
 
methodListName
 
Router(config-class)# accounting method
 
methodListName
 
Router(config-class)# authorization method
 
methodListName
 
```
Example:

Example:
```
authentication method pw
accounting method rd
authorization method pc
```
Define voice class in dial peer configuration mode. Enter dial peer configuration mode and then define the voice class in that mode. The argument tag identifes the same dial peer as in step a) above.

Example:
```
Router(config)# dial-peer
 voice
 
tag
 {pots
|voip
}
Router(config-dial-peer)# voice-class aaa
 
tag
 
```
Example:

Example:
```
dial-peer voice 202 pots
voice-class aaa 202 
```

Directing AAA Requests Using Trunk Groups

To direct AAA requests using trunk groups, a trunk group must first associate with a dial peer. To use this method, group all the interfaces using one trunk group and define only one dial peer instead of individual ports for the interfaces using that trunk group.

You can direct AAA requests using trunk groups in dial-peer configuration mode as follows:

SUMMARY STEPS

1. Define the trunk group by entering the trunk group command in global configuration mode. The argument tag is a number.

2. Use the trunk group tag in Step 1 to group the interfaces.

3. Use the tag defined in Step 2b) above.

DETAILED STEPS

Step 1

Define the trunk group by entering the trunk group command in global configuration mode. The argument tag is a number.

Example:

Router(config)# trunk group
 
tag

Example:

Example:

trunk group 303

Step 2

Use the trunk group tag in Step 1 to group the interfaces.

Enter the interface serial command in global configuration mode to specify a serial interface on the channelized T1 or E1 controller. The argument slot/port denotes the slot and port number where the channelized T1 or E1 controller is located. The argument timeslot denotes the ISDN D channel timeslot which is 15 for channelized E1 and 23 for channelized T1.

Example:
```
Router(config)# interface serial
 
slot/port: timeslot
 
```
Example:

Example:
```
interface serial 1/1:23
```

Enter the trunk group command.

Example:

Router(config-inter-serial)# trunk group
 
tag

Example:

Example:

trunk group 303

Step 3

Use the tag defined in Step 2b) above.

Enter the voice class aaa command in global configuration mode.

Example:
```
Router(config)# voice-class aaa
 
tag
 
```
Example:

Example:
```
voice-class aaa 303
```
Define authentication, accounting, and authorization methods. Enter the authentication method, accounting method, and authorization method commands in voice class mode. The argument methodListName is used to name the list of authentication, accounting, or authorization methods applicable to each command.

Example:
```
Router(config-class)# authentication method
 
methodListName
 
Router(config-class)# accounting method
 
methodListName 
Router(config-class)# authorization method
 
methodListName
 
```
Example:

Example:
```
authentication method ab
accounting method cd
authorization method ef
```
Enter dial peer configuration mode using the dial peer voice command.

Example:
```
Router(config)# dial-peer
 voice
 
tag
 {pots
|voip
```
Example:

Example:
```
dial-peer voice 303 pots
```
Define the voice class in dial peer configuration mode. The argument tag identifes the same dial peer as in Step a above.

Example:
```
Router(config-dial-peer)# voice-class aaa
 
tag
 
```
Example:

Example:
```
voice-class aaa 303
```
Define the trunk group in dial peer configuration mode. The argument tag is the the same number as in Step b) above.

Example:
```
Router(config-dial-peer)# trunk group
 
tag
 
```
Example:

Example:
```
trunk group 303
```

Enabling and Disabling Accounting for any Call Leg

Enabling voice accounting by using the gw-accounting aaacommand will send only the default list of VSAs to the accounting server.

Global Configuration Mode
dial-peer configuration mode

Global Configuration Mode

To enable and disable accounting for any call leg in global configuration mode, follow these steps:

SUMMARY STEPS

1. To enable accounting for any call leg, enter the gw-accounting aaa command in global configuration mode. Use the no form of the command to disable accounting.

2. To disable accounting based on the type of dial peer, use the following commands:

DETAILED STEPS

Step 1

To enable accounting for any call leg, enter the gw-accounting aaa command in global configuration mode. Use the no form of the command to disable accounting.

Example:

Router (config)# gw-accounting aaa 
Router (config)# no gw-accounting aaa

To disable accounting based on the type of dial peer, use the following command:

Step 2

To disable accounting based on the type of dial peer, use the following commands:

Enter the gw-accounting aaa command.

Example:
```
Router(config)# gw-accounting aaa
```
Enter the suppresscommand.

Example:
```
Router(config-gw-accounting-aaa)# suppress 
```
You have a choice of entering pots or voip, based on the type of dial peer.

Example:

Enter the suppress pots or suppress voip command.

Example:

Router(config-gw-accounting-aaa)# suppress pots

or

Example:

Router(config-gw-accounting-aaa)# suppress voip

dial-peer configuration mode

To disable accounting in dial-peer configuration mode, follow these steps:

SUMMARY STEPS

1. Enter the voice class aaa command in global configuration mode.

2. Enter the accounting suppress command in voice class aaa mode.

3. Enter the voice class aaa command in dial peer configuration mode.

DETAILED STEPS

Step 1

Enter the voice class aaa command in global configuration mode.

Example:

Router(config)# voice class aaa
 
tag

Example:

Example:

voice-class aaa 303

Step 2

Enter the accounting suppress command in voice class aaa mode.

Example:

Router(config-class)# accounting suppress
 [in-bound|out-bound]

Example:

Example:

accounting suppress

Step 3

Enter the voice class aaa command in dial peer configuration mode.

Example:

Router(config)# dial-peer
 voice
 
tag
 {pots
|voip
}
Router(config-dial-peer)# voice-class aaa
 
tag

Example:

Example:

dial-peer voice 303 pots
voice-class aaa 303

Customizing Accounting Packets

Configuration Overview
Configuration Tasks for Customizing Accounting Packets

Configuration Overview

Accounting packets for voice calls consist of voice-specific attributes as well as those that are not specific to voice. This document focuses only on voice-specific attributes. You can add some application-level attributes through the TCL script and fine tune the attribute list created by the system; the result is an accounting template that is customized to your accounting needs.

To customize your accounting packets, first create accounting templates.

Note

If you do not want to customize your accounting packets, enable voice accounting by using the gw-accounting aaa command to generate accounting packets. A specific set of attributes, which include both non voice-specific and voice-specific attributes, is automatically sent by the gateway to the RADIUS server.

To view the current list of VSAs, refer to the RADIUS Vendor Specific Attributes Voice Implementation Guide . For example, in the "Accounting Template" section on page 21 of Chapter 1, "Overview of AAA on Voice Gateways" , the default attributes are:

h323-gw-id
h323-call-origin
h323-call-type
h323-setup-time
h323-connect-time
h323-disconnect-time
h323-disconnect-cause
h323-remote-address
h323-voice-quality	ICPIF
subscriber

To send all the VSAs to the accounting server use the template callhistory-detail command in global configuration mode. The Accounting Template, page 21 in Chapter 1, "Overview of AAA on Voice Gateways" includes the default and new VSAs. Refer to the Using Callhistory-detail to Send All VSAs for configuration details.

For the latest list of VSAs, refer to RADIUS Vendor-Specific Attributes Voice Implementation Guide .

To fine tune your accounting packets based on your billing needs, create accounting templates using specific VSAs that are applicable to your accounting needs. For example, to target different accounting servers for incoming calls from different trunks, you must define multiple accounting templates and associate them with different sets of incoming dial peers. To create a template, remove the attributes that are not applicable by adding the # sign in front of each of those attributes.

To tunr your accounting packets, remove attributes that do not apply to your billing needs. Deleting these attributes creates a custom accounting template that acts as a filter, allowing only the defined attributes to be sent to the accounting server. To apply acustomized template, first define the template using the call accounting template voice command in global configuration mode, and then apply it using either TCL scripts or the CLI. If you are using the CLI, you can apply the template either in global configuration or dial-peer configuration mode. Refer to the Defining and Applying Customized Accounting Templates for configuraion details.

Specific VSAs that cannot be controlled by the accounting template are sent as attribute-value (AV) pairs through the avlistSend argument of the TCL verbs used in the script, and they are:

h323-ivr-out
h323-ivr-in
h323-credit-amount
h323-return-code
h323-prompt-id
h323-time-and-delay
h323-redirect-number
h323-preferred-lang
h323-redirect-ip-addr
h323-billing-model
h323-currency

Configuration Tasks for Customizing Accounting Packets

Use the Configuration Overview to plan your customizing needs before you begin the applicable configuration tasks below.

Generate Accounting Packets by Enabling Voice Accounting
Using Callhistory-detail to Send All VSAs
Defining and Applying Customized Accounting Templates
Defining and Applying Customized Accounting Templates

Generate Accounting Packets by Enabling Voice Accounting

To automatically generate accounting packets by enabling voice accounting, enter the gw-accounting aaacommand in global configuration mode.

Router(config)# gw-accounting aaa
 
Router(gw-accounting aaa)# exit

Using Callhistory-detail to Send All VSAs

To send all VSAs (default and new) to the accounting server:

SUMMARY STEPS

1. Enter the gw-accounting aaa command to enter C mode.

2. Enter the acct-template callhistory-detailcommand in V mode.

DETAILED STEPS

Step 1	Enter the gw-accounting aaa command to enter C mode. Example: Router(config)# gw-accounting aaa
Step 2	Enter the acct-template callhistory-detailcommand in V mode. Example: Router(config-gw-accounting-aaa)# acct-template callhistory-detail Router(config-gw-accounting-aaa)#

Defining and Applying Customized Accounting Templates

To define an accounting template:

SUMMARY STEPS

1. Enter the call accounting-template voice command in global configuration mode. Enter the template name for acctTempName . The url is the address where you store the template. Always assign a .cdr extension to the filename in the URL.

DETAILED STEPS

Enter the call accounting-template voice command in global configuration mode. Enter the template name for acctTempName . The url is the address where you store the template. Always assign a .cdr extension to the filename in the URL.

Example:

Router(config)# call accounting-template
 voice
 
acctTempName url

Example:

Example:

call accounting-template voice cdr1 tftp://highway/mjs/templates/cdr1.cdr

Note

After bootup, if the template file fails to load from the TFTP server, the system tries to automatically reload the file at five minute intervals.

You can use an accounting template through the CLI (in global configuration or dial-peer configuration mode), or by using TCL verbs.

Defining and Applying Customized Accounting Templates

To use an accounting template through the CLI in global configuration mode, use the following commands:

SUMMARY STEPS

1. Enter the gw-accounting aaa command to enter gateway accounting AAA mode.

2. Enter the acct-templatecommand. Assign your template name to acctTempName .

DETAILED STEPS

Step 1	Enter the gw-accounting aaa command to enter gateway accounting AAA mode. Example: Router(config)# gw-accounting aaa
Step 2	Enter the acct-templatecommand. Assign your template name to acctTempName . Example: Router (config-gw-accounting-aaa)# acct-template acctTempName Example: Example: acct-template april1

Applying a Customized Accounting Template through the CLI in Dial-Peer Configuration Mode
Applying a Customized Acounting Template through a TCL Script
Adding Attributes to Accounting Packets through TCL scripts

Applying a Customized Accounting Template through the CLI in Dial-Peer Configuration Mode

To apply a customized accounting template through the CLI in dial peer configuration mode, follow these steps:

SUMMARY STEPS

1. Enter the call accounting-template voicecommand in global configuration mode. Assign your template name to acctTempName and your template address (usually your tftp address) to url .

2. Enter the voice class aaacommand in global configuration mode. Assign a numerical value to tag .

3. Enter the accounting-template command in voice class AAA mode. Assign your template name to acctTempName .

4. Change configuration mode from global to dial peer and using the dial peer voice command, enter the voice class aaa command in dial-peer configuration mode. The numerical value of tag is the same value of tag in Step 2 above.

DETAILED STEPS

Step 1	Enter the call accounting-template voicecommand in global configuration mode. Assign your template name to acctTempName and your template address (usually your tftp address) to url . Example: Router(config)# call accounting-template voice acctTempName url Example: Example: call accounting-template voice cdr1 tftp://highway/mjs/templates/cdr1.cdr
Step 2	Enter the voice class aaacommand in global configuration mode. Assign a numerical value to tag . Example: Router(config)# voice class aaa tag Example: Example: voice-class aaa 404
Step 3	Enter the accounting-template command in voice class AAA mode. Assign your template name to acctTempName . Example: Router(config-class)# accounting-template acctTempName Example: Example: accounting-template april1
Step 4	Change configuration mode from global to dial peer and using the dial peer voice command, enter the voice class aaa command in dial-peer configuration mode. The numerical value of tag is the same value of tag in Step 2 above. Example: Router(config)# dial peer voice number [pots\|voip] Router(config-dial-peer)# voice class aaa tag Example: Example: dial-peer voice 404 pots voice-class aaa 404

Applying a Customized Acounting Template through a TCL Script

Use the aaa accounting start TCL verb. Assign an incoming or outgoing call leg, or assign an information tag. Assign your template name to acctTempName .

aaa accounting start 
{
legID|info-tag
}
 -t acctTempName

Adding Attributes to Accounting Packets through TCL scripts

To add attributes to accounting packets through TCL scripts, follow these steps:

SUMMARY STEPS

1. Use the avlistSend argument in the TCL verbs to send the following attributes:

2. Use TCL verbs for authentication, authorization, and accounting.

DETAILED STEPS

Step 1

Use the avlistSend argument in the TCL verbs to send the following attributes:

h323-ivr-out
h323-ivr-in
h323-credit-amount
h323-return-code
h323-prompt-id
h323-time-and-delay
h323-redirect-number
h323-preferred-lang
h323-redirect-ip-addr
h323-billing-model
h323-currency

Step 2

Use TCL verbs for authentication, authorization, and accounting.

For authentication, use the aaa authenticate TCL verb.

Example:

aaa authenticate
 
account password
> 
[-a
 
avlistSend
]

For authorization, use the aaa authorize TCL verb.

Example:

aaa
 authorize
 
account
 
password
 
ani
 
destination
 {
legID
 | 
info-tag
} [-a
 
avlistSend
]

For accounting, use the aaa accounting start TCL verb.

Example:

aaa
 accounting
 start
 {
legID
 | 
info-tag
} [-a
 
avlistSend
]

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.