RADIUS Attribute 44 (Accounting Session ID) in Access Requests
This feature module describes the RADIUS Attribute 44 (Accounting Session ID) in Access Requests feature. It includes information on the benefits of the new feature, supported platforms, and related documents.
This document includes the following sections:
• Supported Standards, MIBs, and RFCs
Feature Overview
The RADIUS Attribute 44 (Accounting Session ID) in Access Requests feature allows the RADIUS daemon to track a call from the beginning of the call to the end of the call (for example, from the preauthentication stage to the accounting stop-record stage). Specifically, this feature allows RADIUS attribute 44 to be generated and sent in all access requests to the RADIUS server before the generation of accounting packets (including access requests for preauthentication).
Benefits
The Accounting Session ID is a unique identifier used to calculate the session context. It is the only identifier provided by the RADIUS protocol that can relate authentication and accounting requests to one another with absolute certainty.
The radius-server attribute 44 include-in-access-req command, introduced in this feature, triggers the sending of RADIUS attribute 44 (Accounting Session ID) in all RADIUS packets, not just in accounting packets sent after user authentication. This method of operation allows service providers to track all packets associated with a given call by the Accounting Session ID.
When used with the Preauthentication with ISDN PRI feature and a preauthentication RADIUS server application, attribute 44 allows user authentication on the basis of the Calling Line Identification (CLID) number in the same transaction with DNIS authentication. This feature set enables service providers to add Cisco dial ports to their existing networks and to manage the ports with the installed base of RADIUS server solutions.
Restrictions
This feature works for ISDN calls only. A later release of Cisco IOS software will add support for channel associated signaling (CAS) calls.
Related Features and Technologies
Related Documents
The following documents provide information related to this feature:
• Cisco IOS Security Configuration Guide, Release 12.1
• Cisco IOS Security Command Reference, Release 12.1
• Preauthentication with ISDN PRI, Release 12.1(2)T feature module
• RADIUS Accounting, draft-ietf-radius-accounting-v2-05.txt
Supported Platforms
This feature is supported on any platform running Cisco IOS Release 12.0(7)T software or later, including the following:
• Cisco 800 series
• Cisco 1003
• Cisco 1004
• Cisco 1005
• Cisco 1600 series
• Cisco 1700 series
• Cisco 2500 series
• Cisco 2600 series
• Cisco 3600 series
• Cisco 3800 series
• Cisco 4000 series (Cisco 4000, 4000-M, 4500, 4500-M, 4700, 4700-M)
• Cisco 5200 series
• Cisco 7000 family (Cisco 7100 VPN series, 7200 series, and 7500 series)
• Cisco AS5300
Supported Standards, MIBs, and RFCs
Standards
This feature supports the following IETF draft standard: RADIUS Accounting, draft-ietf-radius-accounting-v2-05.txt.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Configuration Tasks
See the following section for configuration tasks for the RADIUS Attribute 44 (Accounting Session ID) in Access Requests feature: Configuring RADIUS Attribute 44 in Access Requests (required).
Configuring RADIUS Attribute 44 in Access Requests
To send RADIUS attribute 44 in access-request packets, use the following global configuration command:
Command: Router(config)# radius-server attribute 44 include-in-access-req
Purpose: Sends RADIUS attribute 44 in access-request packets.
Verifying RADIUS Attribute 44 in Access Requests
To verify that RADIUS attribute 44 is being sent in access requests, use the following commands in privileged EXEC mode. Attribute 44 should be present in all call-specific access requests, and its values should be the same for all access requests and accounting requests for the call link.
Troubleshooting Tips
Configuration Examples
This section provides the following configuration examples:
• RADIUS Attribute 44 in Access Requests Configuration Example
• Access Request Containing RADIUS Attribute 44 Example
RADIUS Attribute 44 in Access Requests Configuration Example
The following example shows a configuration that sends RADIUS attribute 44 in access-request packets:
aaa new-model
aaa authentication ppp default group radius
radius-server host 10.100.1.34
radius-server attribute 44 include-in-access-req
Access Request Containing RADIUS Attribute 44 Example
The following example shows an access request that contains RADIUS attribute 44:
13:26:32.645597 radius-server > 10.100.1.34.radius: Access-Request ID: 49 PLen: 90
NAS-IP-Address [4] Len:006 10.100.1.2
NAS-Port-Type [61] Len:006 Async [0]
User-Name [1] Len:012 "2025551212"
Called-Station-Id [30] Len:012 "2025551212"
User-Password [2] Len:018 1a a9 81 17 cc 55 e9 56 e7 a8 9b 9b 4b 36 cc 77
Service-Type [6] Len:006 Outbound [5]
Acct-Session-Id [44] Len:010 "00000027"
13:26:32.646559 10.100.1.34.radius > radius-server: Access-Accept ID: 49 PLen: 33
Class [25] Len:007 "ISP01"
Service-Type [6] Len:006 Outbound [5]
The same Accounting Session ID (for example, the attribute 44 value 00000027 above) will be used in all subsequent access requests and accounting requests as a result of a call. (For interactive login calls, accounting requests for the network layer are treated internally as a different session; therefore, they will have a different Accounting Session ID from that for access requests and accounting requests before the stop accounting record for the NAS-Prompt.)
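An added example, not part of the Cisco documentation: a minimal Python decoder for the RADIUS header and attribute list that extracts Acct-Session-Id (attribute 44) and groups packets by it, so access requests sent without the attribute stand out during verification. The sample packets are constructed from the attribute values in the trace above; the all-zero authenticator, the accounting start record and all function names are assumptions.

```python
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4   # RADIUS packet codes
ACCT_SESSION_ID = 44                        # attribute type discussed on this page

def parse_radius(packet: bytes):
    """Return (code, identifier, {attr_type: [values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20                     # attributes follow the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs

def session_id(packet: bytes):
    """Acct-Session-Id as text, or None when attribute 44 is absent."""
    values = parse_radius(packet)[2].get(ACCT_SESSION_ID)
    return values[0].decode("ascii") if values else None

def correlate(packets):
    """Group packet codes by Acct-Session-Id; key None collects packets without one."""
    sessions = {}
    for pkt in packets:
        sessions.setdefault(session_id(pkt), []).append(parse_radius(pkt)[0])
    return sessions

def build(code, ident, attrs):
    """Sample-data helper: encode a packet with a constructed all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample packets; attribute values are copied from the trace on this page.
SAMPLE_ACCESS = build(ACCESS_REQUEST, 49, [
    (4, bytes([10, 100, 1, 2])), (61, struct.pack("!I", 0)),
    (1, b"2025551212"), (30, b"2025551212"),
    (2, bytes.fromhex("1aa98117cc55e956e7a89b9b4b36cc77")),
    (6, struct.pack("!I", 5)), (ACCT_SESSION_ID, b"00000027")])
SAMPLE_ACCT = build(ACCOUNTING_REQUEST, 50, [   # hypothetical accounting start record
    (40, struct.pack("!I", 1)), (ACCT_SESSION_ID, b"00000027")])
SAMPLE_NO_44 = build(ACCESS_REQUEST, 51, [(1, b"2025551212")])  # feature not enabled
```

The encoded access request is 90 bytes, matching the PLen: 90 shown in the trace, and an access request that falls under the None key is one the NAS sent without attribute 44.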
Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
radius-server attribute 44 include-in-access-req
To send RADIUS attribute 44 (Accounting Session ID) in access-request packets before user authentication (including requests for preauthentication), use the radius-server attribute 44 include-in-access-req global configuration command. To remove this command from your configuration, use the no form of this command.
radius-server attribute 44 include-in-access-req
no radius-server attribute 44 include-in-access-req
Syntax Description
This command has no arguments or keywords.
Defaults
This command is disabled by default.
Command Modes
Global configuration
Command History
Usage Guidelines
There is no guarantee that the Accounting Session IDs will increment uniformly and consistently. In other words, between two calls, the Accounting Session ID can increase by more than one.
Examples
The following example shows a configuration that sends RADIUS attribute 44 in access-request packets:
aaa new-model
aaa authentication ppp default group radius
radius-server host 10.100.1.34
radius-server attribute 44 include-in-access-req
Glossary
Caller ID—See CLID.
Calling Line Identification—See CLID.
CAS—channel associated signaling. Call signaling that enables the access server to send or receive analog calls.
channel associated signaling—See CAS.
CLID—Calling Line Identification. Also called Caller ID. CLID provides the number from which a call originates.
Dialed Number Identification Service—See DNIS.
DNIS—Dialed Number Identification Service. DNIS provides the number that is dialed.
Integrated Services Digital Network—See ISDN.
ISDN—Integrated Services Digital Network. Communications protocol, offered by telephone companies, that permits telephone networks to carry data, voice, and other source traffic.
NAS—network access server. Cisco platform (or collection of platforms such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the Public Switched Telephone Network).
network access server—See NAS.
RADIUS—Remote Authentication Dial-In User Service. Database for authenticating modem and ISDN connections and for tracking connection time.
Remote Authentication Dial-In User Service—See RADIUS.
virtual private dial network—See VPDN.
virtual private dial-up network—See VPDN.
VPDN—virtual private dial network. A VPDN is a network that extends remote access to a private network using a shared infrastructure. VPDNs use Layer 2 tunnel technologies (L2F, L2TP, and PPTP) to extend the Layer 2 and higher parts of the network connection from a remote user across an ISP network to a private network. VPDNs are a cost effective method of establishing a long distance, point-to-point connection between remote dial users and a private network. Also known as virtual private dial-up network.
