Table Of Contents
New Vendor-Specific Attributes
Configuring Authentication, Authorization, and Accounting for Per VRF AAA
Configuring RADIUS-Specific Commands for Per VRF AAA
Configuring Interface-Specific Commands for Per VRF AAA
Configuring Per VRF AAA Using Local Customer Templates
Configuring Authentication, Authorization, and Accounting for Per VRF AAA
Configuring Authorization for Per VRF AAA with Local Customer Templates
Configuring Local Customer Templates
Configuring Per VRF AAA Using Remote Customer Templates
Configuring Authentication for Per VRF AAA with Remote Customer Profiles
Configuring Authorization for Per VRF AAA with Remote Customer Profiles
Configuring the RADIUS Profile on the SP RADIUS Server
Verifying VRF Routing Configurations
Troubleshooting Per VRF AAA Configurations
Configuration Examples for Per VRF AAA
Per VRF Configuration: Examples
Per VRF AAA Using a Locally Defined Customer Template: Example
Per VRF AAA Using a Remote RADIUS Customer Template: Example
AAA Accounting Stop Records: Examples
AAA Accounting Stop Record and Successful Call: Example
AAA Accounting Stop Record and Rejected Call: Example
aaa accounting send stop-record authentication
ip vrf forwarding (server-group)
radius-server attribute 44 include-in-access-req
radius-server domain-stripping
Per VRF AAA
First Published: June 4, 2001Last Updated: March 20, 2006The Per VRF AAA feature allows authentication, authorization, and accounting (AAA) on the basis of Virtual Private Network (VPN) routing and forwarding (VRF) instances. For Cisco IOS Release 12.2(15)T or later releases, you can use a customer template, which may be stored either locally or remotely, and AAA services can be performed on the information that is stored in the customer template.
History for the Per VRF AAA Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Per VRF AAA
•
Information About Per VRF AAA
•
Configuration Examples for Per VRF AAA
Prerequisites for Per VRF AAA
Before configuring the Per VRF AAA feature, you must enable AAA. (For information on completing this task, refer to the AAA chapters of the "Cisco IOS Security Configuration Guide", Release 12.4)
Restrictions for Per VRF AAA
•
This feature is supported only for RADIUS servers.
•
Operational parameters should be defined once per VRF rather than set per server group, because all functionalities must be consistent between the network access server (NAS) and the AAA servers.
•
The ability to configure a customer template either locally or remotely is available only for Cisco IOS Release 12.2(15)T and later releases.
Information About Per VRF AAA
When you use the Per VRF AAA feature, AAA services can be based on VRF instances. This feature permits the Provider Edge (PE) or Virtual Home Gateway (VHG) to communicate directly with the customer's RADIUS server, which is associated with the customer's Virtual Private Network (VPN), without having to go through a RADIUS proxy. Thus, ISPs can scale their VPN offerings more efficiently because they no longer have to use RADIUS proxies and ISPs can also provide their customers with additional flexibility.
•
New Vendor-Specific Attributes
How Per VRF AAA Works
To support AAA on a per customer basis, some AAA features must be made VRF aware. That is, ISPs must be able to define operational parameters—such as AAA server groups, method lists, system accounting, and protocol-specific parameters—and bind those parameters to a particular VRF instance. Defining and binding the operational parameters can be accomplished using one or more of the following methods:
•
Virtual private dialup network (VPDN) virtual template or dialer interfaces that are configured for a specific customer
•
Locally defined customer templates—Per VPN with customer definitions. The customer template is stored locally on the VHG. This method can be used to associate a remote user with a specific VPN based on the domain name or dialed number identification service (DNIS) and provide the VPN-specific configuration for virtual access interface and all operational parameters for the customer AAA server.
•
Remotely defined customer templates—Per VPN with customer definitions that are stored on the service provider AAA server in a RADIUS profile. This method is used to associate a remote user with a specific VPN based on the domain name or DNIS and provide the VPN-specific configuration for the virtual access interface and all operational parameters for the AAA server of the customer.
Note
The ability to configure locally or remotely defined customer templates is available only with Cisco IOS Release 12.2(15)T and later releases.
Benefits
Configuration Support
ISPs can partition AAA services on a per VRF basis. Thus, ISPs can allow their customers to control some of their own AAA services.
Server Group List Extension
The list of servers in server groups is extended to include the definitions of private servers in addition to references to the hosts in the global configuration, allowing access to both customer servers and global service provider servers simultaneously.
AAA Accounting Records
The Cisco implementation of AAA accounting provides "start" and "stop" record support for calls that have passed user authentication. Start and stop records are necessary for users employing accounting records to manage and monitor their networks.
New Vendor-Specific Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (VSA) attribute 26. Attribute 26 encapsulates VSAs, thereby, allowing vendors to support their own extended attributes otherwise not suitable for general use.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string of the following format:
protocol : attribute sep value *"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This format allows the full set of features available for TACACS+ authorization to be used also for RADIUS.
Table 1 summarizes the VSAs that are now supported with Per VRF AAA.
Table 1 VSAs supported with Per VRF AAA
How to Configure Per VRF AAA
The following sections contain procedures for possible deployment scenarios for using the Per VRF AAA feature.
•
Configuring Per VRF AAA (required)
•
Configuring Per VRF AAA Using Local Customer Templates (optional)
•
Configuring Per VRF AAA Using Remote Customer Templates (optional)
•
Verifying VRF Routing Configurations (optional)
•
Troubleshooting Per VRF AAA Configurations (optional)
Configuring Per VRF AAA
This section contains the following procedures.
•
Configuring Authentication, Authorization, and Accounting for Per VRF AAA
•
Configuring RADIUS-Specific Commands for Per VRF AAA
•
Configuring Interface-Specific Commands for Per VRF AAA
Configuring AAA
To enable AAA you need to complete the following steps.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
aaa new-model
DETAILED STEPS
Configuring Server Groups
To configure server groups you need to complete the following steps.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
aaa new-model
4.
aaa group server radius groupname
5.
server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
6.
exit
DETAILED STEPS
Configuring Authentication, Authorization, and Accounting for Per VRF AAA
To configure authentication, authorization, and accounting for Per VRF AAA, you need to complete the following steps.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
aaa new-model
4.
aaa authentication ppp {default | list-name} method1 [method2...]
5.
aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]
6.
aaa accounting system default [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname
7.
aaa accounting delay-start [vrf vrf-name]
8.
aaa accounting send stop-record authentication {failure | success {remote-server}} [vrf vrf-name]
DETAILED STEPS
Configuring RADIUS-Specific Commands for Per VRF AAA
To configure RADIUS-specific commands for Per VRF AAA you need to complete the following steps.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
ip radius source-interface subinterface-name [vrf vrf-name]
4.
radius-server attribute 44 include-in-access-req [vrf vrf-name]
DETAILED STEPS
Configuring Interface-Specific Commands for Per VRF AAA
To configure interface-specific commands for Per VRF AAA, you need to complete the following steps.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
interface type number [name-tag]
4.
ip vrf forwarding vrf-name
5.
ppp authentication {protocol1 [protocol2...]} listname
6.
ppp authorization list-name
7.
ppp accounting default
8.
exit
DETAILED STEPS
Configuring Per VRF AAA Using Local Customer Templates
This section contains the following procedures:
•
Configuring Authentication, Authorization, and Accounting for Per VRF AAA
•
Configuring Authorization for Per VRF AAA with Local Customer Templates
•
Configuring Local Customer Templates
Configuring AAA
Perform the tasks as outlined in the "Configuring Per VRF AAA" section.
Configuring Server Groups
Perform the tasks as outlined in the "Configuring Server Groups" section.
Configuring Authentication, Authorization, and Accounting for Per VRF AAA
Perform the tasks as outlined in the "Configuring Authentication, Authorization, and Accounting for Per VRF AAA" section.
Configuring Authorization for Per VRF AAA with Local Customer Templates
To configure authorization for Per VRF AAA with local templates, you need to complete the following steps.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
aaa authorization template
4.
aaa authorization network default local
DETAILED STEPS
Configuring Local Customer Templates
To configure local customer templates, you need to complete the following steps.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
vpdn search-order domain
4.
template name [default | exit | multilink | no | peer | ppp]
5.
peer default ip address pool pool-name
6.
ppp authentication {protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time]
7.
ppp authorization [default | list-name]
8.
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname
9.
exit
DETAILED STEPS
Configuring Per VRF AAA Using Remote Customer Templates
This section contains the following procedures:
•
Configuring Authentication for Per VRF AAA with Remote Customer Profiles
•
Configuring Authorization for Per VRF AAA with Remote Customer Profiles
•
Configuring the RADIUS Profile on the SP RADIUS Server
Configuring AAA
Perform the tasks as outlined in the "Configuring Per VRF AAA" section.
Configuring Server Groups
Perform the tasks as outlined in the "Configuring Server Groups" section.
Configuring Authentication for Per VRF AAA with Remote Customer Profiles
To configure authentication for Per VRF AAA with remote customer profiles, you need to perform the following steps.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
aaa authentication ppp {default | list-name} method1 [method2...]
4.
aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [[method1 [method2...]
DETAILED STEPS
Configuring Authorization for Per VRF AAA with Remote Customer Profiles
To configuring authorization for Per VRF AAA with remote customer profiles, you need to perform the following step.
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
aaa authorization template
4.
aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [[method1 [method2...]
DETAILED STEPS
Configuring the RADIUS Profile on the SP RADIUS Server
Configure the RADIUS profile on the SP RADIUS server. See the "Per VRF AAA Using a Remote RADIUS Customer Template: Example" for an example of how to update the RADIUS profile.
Verifying VRF Routing Configurations
To verify VRF routing configurations, you need to complete the following steps:
SUMMARY STEPS
1.
enable
2.
configure terminal
3.
show ip route vrf vrf-name
DETAILED STEPS
Troubleshooting Per VRF AAA Configurations
To troubleshoot the Per VRF AAA feature, use at least one of the following commands in EXEC mode:
Configuration Examples for Per VRF AAA
This section provides the following configuration examples:
•
Per VRF Configuration: Examples
•
AAA Accounting Stop Records: Examples
Per VRF Configuration: Examples
This section provides the following configuration examples:
•
Per VRF AAA Using a Locally Defined Customer Template: Example
•
Per VRF AAA Using a Remote RADIUS Customer Template: Example
Per VRF AAA: Example
The following example shows how to configure the Per VRF AAA feature using a AAA server group with associated private servers:
aaa new-modelaaa authentication ppp method_list_v1.55.com group v1.55.comaaa authorization network method_list_v1.55.com group v1.55.comaaa accounting network method_list_v1.55.com start-stop group v1.55.comaaa accounting system default vrf v1.55.com start-stop group v1.55.comaaa accounting delay-start vrf v1.55.comaaa accounting send stop-record authentication failure vrf v1.55.comaaa group server radius v1.55.comserver-private 10.10.132.4 auth-port 1645 acct-port 1646 key wwip vrf forwarding v1.55.comip radius source-interface loopback55radius-server attribute 44 include-in-access-req vrf v1.55.comPer VRF AAA Using a Locally Defined Customer Template: Example
The following example shows how to configure the Per VRF AAA feature using a locally defined customer template with a AAA server group that has associated private servers:
aaa new-modelaaa authentication ppp method_list_v1.55.com group v1.55.comaaa authorization network method_list_v1.55.com group v1.55.comaaa authorization network default localaaa authorization templateaaa accounting network method_list_v1.55.com start-stop group v1.55.comaaa accounting system default vrf v1.55.com start-stop group v1.55.comaaa group server radius V1_55_comserver-private 10.10.132.4 auth-port 1645 acct-port 1646 key wwip vrf forwarding V1.55.comtemplate V1.55.compeer default ip address pool V1_55_com_poolppp authentication chap callin V1_55_comppp authorization V1_55_comppp accounting V1_55_comaaa accounting delay-startaaa accounting send stop-record authentication failureradius-server attribute 44 include-in-access-reqip vrf forwarding v1.55.comip radius source-interface Loopback55Per VRF AAA Using a Remote RADIUS Customer Template: Example
The following examples shows how to configure the Per VRF AAA feature using a remotely defined customer template on the SP RADIUS server with a AAA server group that has associated private servers:
aaa new-modelaaa authentication ppp default group radiusaaa authorization templateaaa authorization network default group spaaa group server radius spserver 10.3.3.3radius-server host 10.3.3.3 auth-port 1645 acct-port 1646 key sp_keyThe following RADIUS server profile is configured on the SP RADIUS server:
cisco-avpair = "aaa:rad-serv#1=10.10.132.4 key ww"cisco-avpair = "aaa:rad-serv-vrf#1=V1.55.com"cisco-avpair = "aaa:rad-serv-source-if#1=Loopback 55"cisco-avpair = "template:ppp-authen-list=group 1"cisco-avpair = "template:ppp-author-list=group 1"cisco-avpair = "template:ppp-acct-list= start-stop group 1"cisco-avpair = "template:account-delay=on"cisco-avpair = "template:account-send-stop=on"cisco-avpair = "template:rad-attr44=access-req"cisco-avpair = "template:peer-ip-pool=V1.55-pool"cisco-avpair = "template:ip-vrf=V1.55.com"cisco-avpair = "template:ip-unnumbered=Loopback 55"framed-protocol = pppservice-type = framedCustomer Template: Examples
This section provides the following configuration examples:
Locally Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting: Example
The following example shows how to create a locally configured template for a single customer, configuring additional features including RADIUS attribute screening and broadcast accounting:
aaa authentication ppp default local group radiusaaa authentication ppp V1_55_com group V1_55_comaaa authorization templateaaa authorization network default local group radiusaaa authorization network V1_55_com group V1_55_comaaa accounting network V1_55_com start-stop broadcast group V1_55_com group SP_AAA_serveraaa group server radius SP_AAA_serverserver 10.10.100.7 auth-port 1645 acct-port 1646aaa group server radius V1_55_comserver-private 10.10.132.4 auth-port 1645 acct-port 1646authorization accept min-authoraccounting accept usage-onlyip vrf forwarding V1.55.comip vrf V1.55.comrd 1:55route-target export 1:55route-target import 1:55template V1.55.compeer default ip address pool V1.55-poolppp authentication chap callin V1_55_comppp authorization V1_55_comppp accounting V1_55_comaaa accounting delay-startaaa accounting send stop-record authentication failureradius-server attribute 44 include-in-access-reqvpdn-group V1.55accept-dialinprotocol l2tpvirtual-template 13terminate-from hostname lac-lb-V1.55source-ip 10.10.104.12lcp renegotiation alwaysl2tp tunnel password 7 060506324F41interface Virtual-Template13ip vrf forwarding V1.55.comip unnumbered Loopback55ppp authentication chap callinppp multilinkip local pool V1.55-pool 10.1.55.10 10.1.55.19 group V1.55-groupip radius source-interface Loopback0ip radius source-interface Loopback55 vrf V1.55.comradius-server attribute list min-authorattribute 6-7,22,27-28,242radius-server attribute list usage-onlyattribute 1,40,42-43,46radius-server host 10.10.100.7 auth-port 1645 acct-port 1646 key wwradius-server host 10.10.132.4 auth-port 1645 acct-port 1646 key wwRemotely Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting: Example
The following example shows how to create a remotely configured template for a single customer, configuring additional features including RADIUS attribute screening and broadcast accounting:
aaa authentication ppp default local group radiusaaa authorization templateaaa authorization network default local group radiusip vrf V1.55.comrd 1:55route-target export 1:55route-target import 1:55vpdn-group V1.55accept-dialinprotocol l2tpvirtual-template 13terminate-from hostname lac-lb-V1.55source-ip 10.10.104.12lcp renegotiation alwaysl2tp tunnel password 7 060506324F41interface Virtual-Template13no ip addressppp authentication chap callinppp multilinkip local pool V1.55-pool 10.1.55.10 10.1.55.19 group V1.55-groupradius-server attribute list min-authorattribute 6-7,22,27-28,242radius-server attribute list usage-onlyattribute 1,40,42-43,46The customer template is stored as a RADIUS server profile for v1.55.com.
cisco-avpair = "aaa:rad-serv#1=10.10.132.4 key ww"cisco-avpair = "aaa:rad-serv-vrf#1=V1.55.com"cisco-avpair = "aaa:rad-serv-source-if#1=Loopback 55"cisco-avpair = "aaa:rad-serv#2=10.10.100.7 key ww"cisco-avpair = "aaa:rad-serv-source-if#2=Loopback 0"cisco-avpair = "template:ppp-authen-list=group 1"cisco-avpair = "template:ppp-author-list=group 1"cisco-avpair = "template:ppp-acct-list= start-stop group 1 group 2 broadcast"cisco-avpair = "template:account-delay=on"cisco-avpair = "template:account-send-stop=on"cisco-avpair = "template:rad-attr44=access-req"cisco-avpair = "aaa:rad-serv-filter#1=authorization accept min-author"cisco-avpair = "aaa:rad-serv-filter#1=accounting accept usage-only"cisco-avpair = "template:peer-ip-pool=V1.55-pool"cisco-avpair = "template:ip-vrf=V1.55.com"cisco-avpair = "template:ip-unnumbered=Loopback 55"framed-protocol = pppservice-type = framedAAA Accounting Stop Records: Examples
The following AAA accounting stop record examples show how to configure the aaa accounting send stop-record authentication command to control the generation of "stop" records when the aaa accounting command is issued with the start-stop or stop-only keyword.
Note
The success and remote-server keywords are available in Cisco IOS Release 12.4(2)T and later releases.
This section provides the following configuration examples:
•
AAA Accounting Stop Record and Successful Call: Example
•
AAA Accounting Stop Record and Rejected Call: Example
AAA Accounting Stop Record and Successful Call: Example
The following example shows "start" and "stop" records being sent for a successful call when the aaa accounting send stop-record authentication command is issued with the failure keyword.
Router# show running config | include aaa...aaa new-modelaaa authentication ppp default group radiusaaa authorization network default localaaa accounting send stop-record authentication failureaaa accounting network default start-stop group radius...*Jul 7 03:28:31.543: AAA/BIND(00000018): Bind i/f Virtual-Template2*Jul 7 03:28:31.547: ppp14 AAA/AUTHOR/LCP: Authorization succeeds trivially*Jul 7 03:28:33.555: AAA/AUTHOR (0x18): Pick method list 'default'*Jul 7 03:28:33.555: AAA/BIND(00000019): Bind i/f*Jul 7 03:28:33.555: Tnl 5192 L2TP: O SCCRQ*Jul 7 03:28:33.555: Tnl 5192 L2TP: O SCCRQ, flg TLS, ver 2, len 141, tnl 0,ns 0, nr 0C8 02 00 8D 00 00 00 00 00 00 00 00 80 08 00 0000 00 00 01 80 08 00 00 00 02 01 00 00 08 00 0000 06 11 30 80 10 00 00 00 07 4C 41 43 2D 74 756E 6E 65 6C 00 19 00 00 00 08 43 69 73 63 6F 2053 79 73 74 65 6D 73 ...*Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)*Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse SCCRP*Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 2, len 8, flag 0x8000 (M)*Jul 7 03:28:33.563: Tnl 5192 L2TP: Protocol Ver 256*Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 3, len 10, flag 0x8000 (M)*Jul 7 03:28:33.563: Tnl 5192 L2TP: Framing Cap 0x0*Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 4, len 10, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Bearer Cap 0x0*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 6, len 8, flag 0x0*Jul 7 03:28:33.567: Tnl 5192 L2TP: Firmware Ver 0x1120*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 7, len 16, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Hostname LNS-tunnel*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 8, len 25, flag 0x0*Jul 7 03:28:33.567: Tnl 5192 L2TP: Vendor Name Cisco Systems, Inc.*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 9, len 8, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Assigned Tunnel ID 6897*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 10, len 8, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Rx Window Size 20050*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 11, len 22, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Chlng81 13 03 F6 A8 E4 1D DD 25 18 25 6E 67 8C 7C 39*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 13, len 22, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Chlng Resp4D 52 91 DC 1A 43 B3 31 B4 F5 B8 E1 88 22 4F 41*Jul 7 03:28:33.571: Tnl 5192 L2TP: No missing AVPs in SCCRP*Jul 7 03:28:33.571: Tnl 5192 L2TP: I SCCRP, flg TLS, ver 2, len 157, tnl5192, ns 0, nr 1contiguous pak, size 157C8 02 00 9D 14 48 00 00 00 00 00 01 80 08 00 0000 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 0000 03 00 00 00 00 80 0A 00 00 00 04 00 00 00 0000 08 00 00 00 06 11 20 80 10 00 00 00 07 4C 4E53 2D 74 75 6E 6E 65 6C ...*Jul 7 03:28:33.571: Tnl 5192 L2TP: I SCCRP from LNS-tunnel*Jul 7 03:28:33.571: Tnl 5192 L2TP: O SCCCN to LNS-tunnel tnlid 6897*Jul 7 03:28:33.571: Tnl 5192 L2TP: O SCCCN, flg TLS, ver 2, len 42, tnl6897, ns 1, nr 1C8 02 00 2A 1A F1 00 00 00 01 00 01 80 08 00 0000 00 00 03 80 16 00 00 00 0D 32 24 17 BC 6A 19B1 79 F3 F9 A9 D4 67 7D 9A DB*Jul 7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ to LNS-tunnel 6897/0*Jul 7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ, flg TLS, ver 2, len63, tnl 6897, lsid 11, rsid 0, ns 2, nr 1C8 02 00 3F 1A F1 00 00 00 02 00 01 80 08 00 0000 00 00 0A 80 0A 00 00 00 0F C8 14 B4 03 80 0800 00 00 0E 00 0B 80 0A 00 00 00 12 00 00 00 0000 0F 00 09 00 64 0F 10 09 02 02 00 1B 00 00*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse AVP 0, len 8, flag0x8000 (M)*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse ICRP*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse AVP 14, len 8, flag0x8000 (M)*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Assigned Call ID 5*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: No missing AVPs in ICRP*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: I ICRP, flg TLS, ver 2, len28, tnl 5192, lsid 11, rsid 0, ns 1, nr 3contiguous pak, size 28C8 02 00 1C 14 48 00 0B 00 01 00 03 80 08 00 0000 00 00 0B 80 08 00 00 00 0E 00 05*Jul 7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN to LNS-tunnel 6897/5*Jul 7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN, flg TLS, ver 2, len167, tnl 6897, lsid 11, rsid 5, ns 3, nr 2C8 02 00 A7 1A F1 00 05 00 03 00 02 80 08 00 0000 00 00 0C 80 0A 00 00 00 18 06 1A 80 00 00 0A00 00 00 26 06 1A 80 00 80 0A 00 00 00 13 00 0000 01 00 15 00 00 00 1B 01 04 05 D4 03 05 C2 2305 05 06 0A 0B E2 7A ...*Jul 7 03:28:33.579: RADIUS/ENCODE(00000018):Orig. component type = PPoE*Jul 7 03:28:33.579: RADIUS(00000018): Config NAS IP: 10.0.0.0*Jul 7 03:28:33.579: RADIUS(00000018): sending*Jul 7 03:28:33.579: RADIUS/ENCODE: Best Local IP-Address 10.0.1.123 forRadius-Server 172.19.192.238*Jul 7 03:28:33.579: RADIUS(00000018): Send Accounting-Request to172.19.192.238:2196 id 1646/23, len 176*Jul 7 03:28:33.579: RADIUS: authenticator 3C 81 D6 C5 2B 6D 21 8E - 19 FF43 B5 41 86 A8 A5*Jul 7 03:28:33.579: RADIUS: Acct-Session-Id [44] 10 "00000023"*Jul 7 03:28:33.579: RADIUS: Framed-Protocol [7] 6PPP [1]*Jul 7 03:28:33.579: RADIUS: Tunnel-Medium-Type [65] 600:IPv4 [1]*Jul 7 03:28:33.583: RADIUS: Tunnel-Client-Endpoi[66] 10 "10.0.0.1"*Jul 7 03:28:33.583: RADIUS: Tunnel-Server-Endpoi[67] 10 "10.0.0.2"*Jul 7 03:28:33.583: RADIUS: Tunnel-Assignment-Id[82] 5 "lac"*Jul 7 03:28:33.583: RADIUS: Tunnel-Type [64] 600:L2TP [3]*Jul 7 03:28:33.583: RADIUS: Acct-Tunnel-Connecti[68] 12 "3356800003"*Jul 7 03:28:33.583: RADIUS: Tunnel-Client-Auth-I[90] 12 "LAC-tunnel"*Jul 7 03:28:33.583: RADIUS: Tunnel-Server-Auth-I[91] 12 "LNS-tunnel"*Jul 7 03:28:33.583: RADIUS: User-Name [1] 16 "user@domain.com"*Jul 7 03:28:33.583: RADIUS: Acct-Authentic [45] 6Local [2]*Jul 7 03:28:33.583: RADIUS: Acct-Status-Type [40] 6Start [1]*Jul 7 03:28:33.583: RADIUS: NAS-Port-Type [61] 6Virtual [5]*Jul 7 03:28:33.583: RADIUS: NAS-Port [5] 60*Jul 7 03:28:33.583: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"*Jul 7 03:28:33.583: RADIUS: Service-Type [6] 6Framed [2]*Jul 7 03:28:33.583: RADIUS: NAS-IP-Address [4] 610.0.1.123*Jul 7 03:28:33.583: RADIUS: Acct-Delay-Time [41] 60*Jul 7 03:28:33.683: RADIUS: Received from id 1646/23 172.19.192.238:2196,Accounting-response, len 20*Jul 7 03:28:33.683: RADIUS: authenticator 1C E9 53 42 A2 8A 58 9A - C3 CC1D 79 9F A4 6F 3AAAA Accounting Stop Record and Rejected Call: Example
The following example shows the "stop" record being sent for a rejected call during authentication when the aaa accounting send stop-record authentication command is issued with the success keyword.
Router# show running config | include aaa...aaa new-modelaaa authentication ppp default group radiusaaa authorization network default localaaa accounting send stop-record authentication success remote-serveraaa accounting network default start-stop group radiusRouter#*Jul 7 03:39:40.199: AAA/BIND(00000026): Bind i/f Virtual-Template2*Jul 7 03:39:40.199: ppp21 AAA/AUTHOR/LCP: Authorization succeeds trivially*Jul 7 03:39:42.199: RADIUS/ENCODE(00000026):Orig. component type = PPoE*Jul 7 03:39:42.199: RADIUS: AAA Unsupported [156] 7*Jul 7 03:39:42.199: RADIUS: 30 2F 30 2F30 [0/0/0]*Jul 7 03:39:42.199: RADIUS(00000026): Config NAS IP: 10.0.0.0*Jul 7 03:39:42.199: RADIUS/ENCODE(00000026): acct_session_id: 55*Jul 7 03:39:42.199: RADIUS(00000026): sending*Jul 7 03:39:42.199: RADIUS/ENCODE: Best Local IP-Address 10.0.1.123 forRadius-Server 172.19.192.238*Jul 7 03:39:42.199: RADIUS(00000026): Send Access-Request to172.19.192.238:2195 id 1645/14, len 94*Jul 7 03:39:42.199: RADIUS: authenticator A6 D1 6B A4 76 9D 52 CF - 33 5D16 BE AC 7E 5F A6*Jul 7 03:39:42.199: RADIUS: Framed-Protocol [7] 6PPP [1]*Jul 7 03:39:42.199: RADIUS: User-Name [1] 16 "user@yahoo.com"*Jul 7 03:39:42.199: RADIUS: CHAP-Password [3] 19 **Jul 7 03:39:42.199: RADIUS: NAS-Port-Type [61] 6Virtual [5]*Jul 7 03:39:42.199: RADIUS: NAS-Port [5] 60*Jul 7 03:39:42.199: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"*Jul 7 03:39:42.199: RADIUS: Service-Type [6] 6Framed [2]*Jul 7 03:39:42.199: RADIUS: NAS-IP-Address [4] 610.0.1.123*Jul 7 03:39:42.271: RADIUS: Received from id 1645/14 172.19.192.238:2195,Access-Accept, len 194*Jul 7 03:39:42.271: RADIUS: authenticator 30 AD FF 8E 59 0C E4 6C - BA 1123 63 81 DE 6F D7*Jul 7 03:39:42.271: RADIUS: Framed-Protocol [7] 6PPP [1]*Jul 7 03:39:42.275: RADIUS: Service-Type [6] 6Framed [2]*Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 26*Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 20 "vpdn:tunnel-id=lac"*Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 29*Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 23 "vpdn:tunnel-type=l2tp"*Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 30*Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 24 "vpdn:gw-password=cisco"*Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 31*Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 25 "vpdn:nas-password=cisco"*Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 34*Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 28 "vpdn:ip-addresses=12.0.0.2"*Jul 7 03:39:42.275: RADIUS: Service-Type [6] 6Framed [2]*Jul 7 03:39:42.275: RADIUS: Framed-Protocol [7] 6PPP [1]*Jul 7 03:39:42.275: RADIUS(00000026): Received from id 1645/14*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: Framed-Protocol*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: service-type*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: tunnel-id*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: tunnel-type*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: gw-password*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: nas-password*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: ip-addresses*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: service-type*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: Framed-Protocol*Jul 7 03:39:42.279: AAA/BIND(00000027): Bind i/f*Jul 7 03:39:42.279: Tnl 21407 L2TP: O SCCRQ*Jul 7 03:39:42.279: Tnl 21407 L2TP: O SCCRQ, flg TLS, ver 2, len 134, tnl0, ns 0, nr 0C8 02 00 86 00 00 00 00 00 00 00 00 80 08 00 0000 00 00 01 80 08 00 00 00 02 01 00 00 08 00 0000 06 11 30 80 09 00 00 00 07 6C 61 63 00 19 0000 00 08 43 69 73 63 6F 20 53 79 73 74 65 6D 732C 20 49 6E 63 2E 80 ...*Jul 7 03:39:49.279: Tnl 21407 L2TP: O StopCCN*Jul 7 03:39:49.279: Tnl 21407 L2TP: O StopCCN, flg TLS, ver 2, len 66, tnl0, ns 1, nr 0C8 02 00 42 00 00 00 00 00 01 00 00 80 08 00 0000 00 00 04 80 1E 00 00 00 01 00 02 00 06 54 6F6F 20 6D 61 6E 79 20 72 65 74 72 61 6E 73 6D 6974 73 00 08 00 09 00 69 00 01 80 08 00 00 00 0953 9F*Jul 7 03:39:49.279: RADIUS/ENCODE(00000026):Orig. component type = PPoE*Jul 7 03:39:49.279: RADIUS(00000026): Config NAS IP: 10.0.0.0*Jul 7 03:39:49.279: RADIUS(00000026): sending*Jul 7 03:39:49.279: RADIUS/ENCODE: Best Local IP-Address 10.0.1.123 forRadius-Server 172.19.192.238*Jul 7 03:39:49.279: RADIUS(00000026): Send Accounting-Request to172.19.192.238:2196 id 1646/32, len 179*Jul 7 03:39:49.279: RADIUS: authenticator 0A 85 2F F0 65 6F 25 E1 - 97 54CC BF EA F7 62 89*Jul 7 03:39:49.279: RADIUS: Acct-Session-Id [44] 10 "00000037"*Jul 7 03:39:49.279: RADIUS: Framed-Protocol [7] 6PPP [1]*Jul 7 03:39:49.279: RADIUS: Tunnel-Medium-Type [65] 600:IPv4 [1]*Jul 7 03:39:49.279: RADIUS: Tunnel-Client-Endpoi[66] 10 "12.0.0.1"*Jul 7 03:39:49.279: RADIUS: Tunnel-Server-Endpoi[67] 10 "12.0.0.2"*Jul 7 03:39:49.283: RADIUS: Tunnel-Type [64] 600:L2TP [3]*Jul 7 03:39:49.283: RADIUS: Acct-Tunnel-Connecti[68] 3 "0"*Jul 7 03:39:49.283: RADIUS: Tunnel-Client-Auth-I[90] 5 "lac"*Jul 7 03:39:49.283: RADIUS: User-Name [1] 16 "user@domian.com"*Jul 7 03:39:49.283: RADIUS: Acct-Authentic [45] 6RADIUS [1]*Jul 7 03:39:49.283: RADIUS: Acct-Session-Time [46] 60*Jul 7 03:39:49.283: RADIUS: Acct-Input-Octets [42] 60*Jul 7 03:39:49.283: RADIUS: Acct-Output-Octets [43] 60*Jul 7 03:39:49.283: RADIUS: Acct-Input-Packets [47] 60*Jul 7 03:39:49.283: RADIUS: Acct-Output-Packets [48] 60*Jul 7 03:39:49.283: RADIUS: Acct-Terminate-Cause[49] 6 nas-error [9]*Jul 7 03:39:49.283: RADIUS: Acct-Status-Type [40] 6Stop [2]*Jul 7 03:39:49.283: RADIUS: NAS-Port-Type [61] 6Virtual [5]*Jul 7 03:39:49.283: RADIUS: NAS-Port [5] 60*Jul 7 03:39:49.283: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"*Jul 7 03:39:49.283: RADIUS: Service-Type [6] 6Framed [2]*Jul 7 03:39:49.283: RADIUS: NAS-IP-Address [4] 610.0.1.123*Jul 7 03:39:49.283: RADIUS: Acct-Delay-Time [41] 60*Jul 7 03:39:49.335: RADIUS: Received from id 1646/32 172.19.192.238:2196,Accounting-response, len 20*Jul 7 03:39:49.335: RADIUS: authenticator C8 C4 61 AF 4D 9F 78 07 - 94 2B44 44 17 56 EC 03Additional References
The following sections provide references related to Per VRF AAA.
Related Documents
Related Topic Document TitleAAA: Configuring Server Groups
Cisco IOS Security Configuration Guide, Release 12.4
Broadcast Accounting
AAA Broadcast Accounting Feature Guide, Release 12.1(1)T
Cisco IOS Security Commands
Cisco IOS Security Command Reference, Release 12.4
Cisco IOS Switching Services Commands
Cisco IOS Switching Services Command Reference, Release 12.2
Configuring Multiprotocol Label Switching
"Configuring Multiprotocol Label Switching" chapter in the Cisco IOS Switching Services Configuration Guide, Release 12.2
Configuring Virtual Templates section
"Virtual Templates, Profiles, and Networks" chapter in the Cisco IOS Dial Technologies Configuration Guide, Release 12.2
RADIUS Attribute Screening
RADIUS Attribute Screening Feature Guide, Release 12.4
RADIUS Debug Enhancements
RADIUS Debug Enhancements Feature Guide, Release 12.4
Standards
MIBs
MIBs MIBs LinkNone
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands only.
•
aaa accounting send stop-record authentication
•
ip vrf forwarding (server-group)
•
radius-server attribute 44 include-in-access-req
•
radius-server domain-stripping
aaa accounting
To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname
no aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] [broadcast] group groupname
Syntax Description
auth-proxy
Provides information about all authenticated-proxy user events.
system
Performs accounting for all system-level events not associated with users, such as reloads.
network
Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
exec
Runs accounting for EXEC shell session. This keyword might return user profile information such as what is generated by the autocommand command.
connection
Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin.
commands level
Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.
default
Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.
list-name
Character string used to name the list of at least one of the accounting methods described in Table 2.
vrf vrf-name
(Optional) Specifies a virtual route forwarding (VRF) configuration.
VRF is used only with system accounting.
start-stop
Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.
stop-only
Sends a "stop" accounting notice at the end of the requested user process.
none
Disables accounting services on this line or interface.
broadcast
(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
group group-name
At least one of the keywords described in Table 3.
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.
Table 2 contains descriptions of keywords for aaa accounting methods.
In Table 2, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Cisco IOS software supports the following two methods of accounting:
•
RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
•
TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method identifies the methods to be tried in sequence as given.
If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Named accounting method lists are specific to the indicated type of accounting. Method list keywords are described in Table 3.
Note
System accounting does not use named accounting lists; you can define the default list only for system accounting.
For minimal accounting, include the stop-only keyword to send a "stop" record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
To specify an accounting configuration for a particular VRF, specify a default system accounting method list, and use the vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless specified.
When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the appendix "RADIUS Attributes" in the "Cisco IOS Security Configuration Guide". For a list of supported TACACS+ accounting AV pairs, refer to the appendix "TACACS+ Attribute-Value Pairs" in the "Cisco IOS Security Configuration Guide".
Note
This command cannot be used with TACACS or extended TACACS.
Cisco Service Selection Gateway Broadcast Accounting
To configure Cisco Service Selection Gateway (SSG) broadcast accounting, the list-name argument must be ssg_broadcast_accounting. For more information about configuring SSG, see the chapter Configuring Accounting for SSG" in the "Cisco IOS Service Selection Gateway Configuration Guide", Release 12.4.
Examples
The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.
aaa accounting commands 15 default stop-only group tacacs+The following example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a start-stop restriction. The aaa accounting command activates authentication proxy accounting.
aaa new-modelaaa authentication login default group tacacs+aaa authorization auth-proxy default group tacacs+aaa accounting auth-proxy default start-stop group tacacs+The following example defines a default system accounting method list, where accounting services are provided by RADIUS security server "sg_water" with a start-stop restriction. The aaa accounting command specifies accounting for vrf "water."
aaa accounting system default vrf water start-stop group sg_waterThe following example shows how to enable network accounting and send tunnel and tunnel-link accounting records to the RADIUS server. (Tunnel-Reject and Tunnel-Link-Reject accounting records are automatically sent if either start or stop records are configured.)
aaa accounting network tunnel start-stop group radiusaaa accounting network session start-stop group radiusRelated Commands
aaa accounting delay-start
To delay generation of accounting "start" records until the user IP address is established, use the aaa accounting delay-start command in global configuration mode. To disable this functionality, use the no form of this command.
aaa accounting delay-start [all] [vrf vrf-name]
no aaa accounting delay-start [all] [vrf vrf-name]
Syntax Description
Defaults
Accounting records are not delayed.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa accounting delay-start command to delay generation of accounting "start" records until the IP address of the user has been established. Use the vrf vrf-name keyword and argument to delay accounting "start" records for individual Virtual Private Network (VPN) routing and forwarding (VRF) users or use the all keyword for all VRF and non-VRF users.
Examples
The following example shows how to delay accounting "start" records until the IP address of the user is established:
aaa new-modelaaa authentication ppp default radiusaaa accounting network default start-stop radiusaaa accounting delay-startradius-server host 172.16.0.0 non-standardradius-server key rad123The following example shows that accounting "start" records are to be delayed to all VRF and non-VRF users:
aaa new-modelaaa authentication ppp default radiusaaa accounting network default start-stop radiusaaa accounting delay-start allradius-server host 172.16.0.0 non-standardradius-server key rad123Related Commands
aaa accounting send stop-record authentication
To refine generation of authentication, authorization, and accounting (AAA) accounting "stop" records, use the aaa accounting send stop-record authentication command in global configuration mode. To end generation of accounting stop records, use the no form of this command with the appropriate keyword.
aaa accounting send stop-record authentication {failure | success {remote-server}} [vrf vrf-name]
Failed Calls: End Accounting Stop Record Generation
no aaa accounting send stop-record authentication failure {remote-server}
Successful Calls: End Accounting Stop Record Generation
no aaa accounting send stop-record authentication success {remote-server}
Syntax Description
Defaults
Accounting "stop" records are sent only if one of the following is true:
•
A start record has been sent.
•
The call is successfully established with the "stop-only" configuration and is terminated.
Command Modes
Global configuration
Command History
Usage Guidelines
When the aaa accounting command is activated, by default the Cisco IOS software does not generate accounting records for system users who fail login authentication or who succeed in login authentication but fail PPP negotiation for some reason. The aaa accounting command can be configured to sent a "stop" record using either the start-stop keyword or the stop-only keyword.
When the aaa accounting command is issued with either the start-stop keyword or the stop-only keyword, the "stop" records can be further configured with the aaa accounting send stop-record authentication command. The failure and success keywords are mutually exclusive. If you have the aaa accounting send stop-record authentication command enabled with the failure keyword and then enable the same command with the success keyword, accounting stop records will no longer be generated for failed calls. Accounting stop records will now be sent for successful calls only until you issue either of the following commands:
•
no aaa accounting send stop-record authentication success {remote-server}
•
aaa accounting send stop-record authentication failure {remote-server}
When using the failure keyword, a "stop" record will be sent for calls that are rejected during authentication.
When using the success keyword, a "stop" record will be sent for calls that meet one of the following criteria:
•
Calls that are authenticated by a remote AAA server when the call is terminated.
•
Calls that are not authenticated by a remote AAA server and the start record has been sent.
•
Calls that are successfully established and then terminated with the "stop-only" aaa accounting configuration.
Use the vrf vrf-name keyword and argument to generate accounting "stop" records per Virtual Private Network (VPN) routing and forwarding configuration.
Examples
The following example shows how to generate "stop" records for users who fail to authenticate at login or during session negotiation:
aaa accounting send stop-record authentication failureThe following example shows "start" and "stop" records being sent for a successful call when the aaa accounting send stop-record authentication command is issued with the failure keyword:
Router# show running config | include aaa...aaa new-modelaaa authentication ppp default group radiusaaa authorization network default localaaa accounting send stop-record authentication failureaaa accounting network default start-stop group radius...*Jul 7 03:28:31.543: AAA/BIND(00000018): Bind i/f Virtual-Template2*Jul 7 03:28:31.547: ppp14 AAA/AUTHOR/LCP: Authorization succeeds trivially*Jul 7 03:28:33.555: AAA/AUTHOR (0x18): Pick method list 'default'*Jul 7 03:28:33.555: AAA/BIND(00000019): Bind i/f*Jul 7 03:28:33.555: Tnl 5192 L2TP: O SCCRQ*Jul 7 03:28:33.555: Tnl 5192 L2TP: O SCCRQ, flg TLS, ver 2, len 141, tnl 0,ns 0, nr 0C8 02 00 8D 00 00 00 00 00 00 00 00 80 08 00 0000 00 00 01 80 08 00 00 00 02 01 00 00 08 00 0000 06 11 30 80 10 00 00 00 07 4C 41 43 2D 74 756E 6E 65 6C 00 19 00 00 00 08 43 69 73 63 6F 2053 79 73 74 65 6D 73 ...*Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 0, len 8, flag 0x8000 (M)*Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse SCCRP*Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 2, len 8, flag 0x8000 (M)*Jul 7 03:28:33.563: Tnl 5192 L2TP: Protocol Ver 256*Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 3, len 10, flag 0x8000 (M)*Jul 7 03:28:33.563: Tnl 5192 L2TP: Framing Cap 0x0*Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 4, len 10, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Bearer Cap 0x0*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 6, len 8, flag 0x0*Jul 7 03:28:33.567: Tnl 5192 L2TP: Firmware Ver 0x1120*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 7, len 16, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Hostname LNS-tunnel*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 8, len 25, flag 0x0*Jul 7 03:28:33.567: Tnl 5192 L2TP: Vendor Name Cisco Systems, Inc.*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 9, len 8, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Assigned Tunnel ID 6897*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 10, len 8, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Rx Window Size 20050*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 11, len 22, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Chlng81 13 03 F6 A8 E4 1D DD 25 18 25 6E 67 8C 7C 39*Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 13, len 22, flag 0x8000 (M)*Jul 7 03:28:33.567: Tnl 5192 L2TP: Chlng Resp4D 52 91 DC 1A 43 B3 31 B4 F5 B8 E1 88 22 4F 41*Jul 7 03:28:33.571: Tnl 5192 L2TP: No missing AVPs in SCCRP*Jul 7 03:28:33.571: Tnl 5192 L2TP: I SCCRP, flg TLS, ver 2, len 157, tnl5192, ns 0, nr 1contiguous pak, size 157C8 02 00 9D 14 48 00 00 00 00 00 01 80 08 00 0000 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 0000 03 00 00 00 00 80 0A 00 00 00 04 00 00 00 0000 08 00 00 00 06 11 20 80 10 00 00 00 07 4C 4E53 2D 74 75 6E 6E 65 6C ...*Jul 7 03:28:33.571: Tnl 5192 L2TP: I SCCRP from LNS-tunnel*Jul 7 03:28:33.571: Tnl 5192 L2TP: O SCCCN to LNS-tunnel tnlid 6897*Jul 7 03:28:33.571: Tnl 5192 L2TP: O SCCCN, flg TLS, ver 2, len 42, tnl6897, ns 1, nr 1C8 02 00 2A 1A F1 00 00 00 01 00 01 80 08 00 0000 00 00 03 80 16 00 00 00 0D 32 24 17 BC 6A 19B1 79 F3 F9 A9 D4 67 7D 9A DB*Jul 7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ to LNS-tunnel 6897/0*Jul 7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ, flg TLS, ver 2, len63, tnl 6897, lsid 11, rsid 0, ns 2, nr 1C8 02 00 3F 1A F1 00 00 00 02 00 01 80 08 00 0000 00 00 0A 80 0A 00 00 00 0F C8 14 B4 03 80 0800 00 00 0E 00 0B 80 0A 00 00 00 12 00 00 00 0000 0F 00 09 00 64 0F 10 09 02 02 00 1B 00 00*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse AVP 0, len 8, flag0x8000 (M)*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse ICRP*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse AVP 14, len 8, flag0x8000 (M)*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Assigned Call ID 5*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: No missing AVPs in ICRP*Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: I ICRP, flg TLS, ver 2, len28, tnl 5192, lsid 11, rsid 0, ns 1, nr 3contiguous pak, size 28C8 02 00 1C 14 48 00 0B 00 01 00 03 80 08 00 0000 00 00 0B 80 08 00 00 00 0E 00 05*Jul 7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN to LNS-tunnel 6897/5*Jul 7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN, flg TLS, ver 2, len167, tnl 6897, lsid 11, rsid 5, ns 3, nr 2C8 02 00 A7 1A F1 00 05 00 03 00 02 80 08 00 0000 00 00 0C 80 0A 00 00 00 18 06 1A 80 00 00 0A00 00 00 26 06 1A 80 00 80 0A 00 00 00 13 00 0000 01 00 15 00 00 00 1B 01 04 05 D4 03 05 C2 2305 05 06 0A 0B E2 7A ...*Jul 7 03:28:33.579: RADIUS/ENCODE(00000018):Orig. component type = PPoE*Jul 7 03:28:33.579: RADIUS(00000018): Config NAS IP: 0.0.0.0*Jul 7 03:28:33.579: RADIUS(00000018): sending*Jul 7 03:28:33.579: RADIUS/ENCODE: Best Local IP-Address 10.0.1.123 forRadius-Server 172.19.192.238*Jul 7 03:28:33.579: RADIUS(00000018): Send Accounting-Request to172.19.192.238:2196 id 1646/23, len 176*Jul 7 03:28:33.579: RADIUS: authenticator 3C 81 D6 C5 2B 6D 21 8E - 19 FF43 B5 41 86 A8 A5*Jul 7 03:28:33.579: RADIUS: Acct-Session-Id [44] 10 "00000023"*Jul 7 03:28:33.579: RADIUS: Framed-Protocol [7] 6PPP [1]*Jul 7 03:28:33.579: RADIUS: Tunnel-Medium-Type [65] 600:IPv4 [1]*Jul 7 03:28:33.583: RADIUS: Tunnel-Client-Endpoi[66] 10 "12.0.0.1"*Jul 7 03:28:33.583: RADIUS: Tunnel-Server-Endpoi[67] 10 "12.0.0.2"*Jul 7 03:28:33.583: RADIUS: Tunnel-Assignment-Id[82] 5 "lac"*Jul 7 03:28:33.583: RADIUS: Tunnel-Type [64] 600:L2TP [3]*Jul 7 03:28:33.583: RADIUS: Acct-Tunnel-Connecti[68] 12 "3356800003"*Jul 7 03:28:33.583: RADIUS: Tunnel-Client-Auth-I[90] 12 "LAC-tunnel"*Jul 7 03:28:33.583: RADIUS: Tunnel-Server-Auth-I[91] 12 "LNS-tunnel"*Jul 7 03:28:33.583: RADIUS: User-Name [1] 16 "user@domain.com"*Jul 7 03:28:33.583: RADIUS: Acct-Authentic [45] 6Local [2]*Jul 7 03:28:33.583: RADIUS: Acct-Status-Type [40] 6Start [1]*Jul 7 03:28:33.583: RADIUS: NAS-Port-Type [61] 6Virtual [5]*Jul 7 03:28:33.583: RADIUS: NAS-Port [5] 60*Jul 7 03:28:33.583: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"*Jul 7 03:28:33.583: RADIUS: Service-Type [6] 6Framed [2]*Jul 7 03:28:33.583: RADIUS: NAS-IP-Address [4] 610.0.1.123*Jul 7 03:28:33.583: RADIUS: Acct-Delay-Time [41] 60*Jul 7 03:28:33.683: RADIUS: Received from id 1646/23 172.19.192.238:2196,Accounting-response, len 20*Jul 7 03:28:33.683: RADIUS: authenticator 1C E9 53 42 A2 8A 58 9A - C3 CC1D 79 9F A4 6F 3AThe following example shows the "stop" record being sent when the call is rejected during authentication when the aaa accounting send stop-record authentication command is issued with the success keyword.
Router# show running config | include aaa,,,aaa new-modelaaa authentication ppp default group radiusaaa authorization network default localaaa accounting send stop-record authentication success remote-serveraaa accounting network default start-stop group radiusRouter#*Jul 7 03:39:40.199: AAA/BIND(00000026): Bind i/f Virtual-Template2*Jul 7 03:39:40.199: ppp21 AAA/AUTHOR/LCP: Authorization succeeds trivially*Jul 7 03:39:42.199: RADIUS/ENCODE(00000026):Orig. component type = PPoE*Jul 7 03:39:42.199: RADIUS: AAA Unsupported [156] 7*Jul 7 03:39:42.199: RADIUS: 30 2F 30 2F30 [0/0/0]*Jul 7 03:39:42.199: RADIUS(00000026): Config NAS IP: 0.0.0.0*Jul 7 03:39:42.199: RADIUS/ENCODE(00000026): acct_session_id: 55*Jul 7 03:39:42.199: RADIUS(00000026): sending*Jul 7 03:39:42.199: RADIUS/ENCODE: Best Local IP-Address 10.0.1.123 forRadius-Server 172.19.192.238*Jul 7 03:39:42.199: RADIUS(00000026): Send Access-Request to172.19.192.238:2195 id 1645/14, len 94*Jul 7 03:39:42.199: RADIUS: authenticator A6 D1 6B A4 76 9D 52 CF - 33 5D16 BE AC 7E 5F A6*Jul 7 03:39:42.199: RADIUS: Framed-Protocol [7] 6PPP [1]*Jul 7 03:39:42.199: RADIUS: User-Name [1] 16 "user@domain.com"*Jul 7 03:39:42.199: RADIUS: CHAP-Password [3] 19 **Jul 7 03:39:42.199: RADIUS: NAS-Port-Type [61] 6Virtual [5]*Jul 7 03:39:42.199: RADIUS: NAS-Port [5] 60*Jul 7 03:39:42.199: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"*Jul 7 03:39:42.199: RADIUS: Service-Type [6] 6Framed [2]*Jul 7 03:39:42.199: RADIUS: NAS-IP-Address [4] 610.0.1.123*Jul 7 03:39:42.271: RADIUS: Received from id 1645/14 172.19.192.238:2195,Access-Accept, len 194*Jul 7 03:39:42.271: RADIUS: authenticator 30 AD FF 8E 59 0C E4 6C - BA 1123 63 81 DE 6F D7*Jul 7 03:39:42.271: RADIUS: Framed-Protocol [7] 6PPP [1]*Jul 7 03:39:42.275: RADIUS: Service-Type [6] 6Framed [2]*Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 26*Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 20 "vpdn:tunnel-id=lac"*Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 29*Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 23 "vpdn:tunnel-type=l2tp"*Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 30*Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 24 "vpdn:gw-password=cisco"*Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 31*Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 25 "vpdn:nas-password=cisco"*Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 34*Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 28 "vpdn:ip-addresses=12.0.0.2"*Jul 7 03:39:42.275: RADIUS: Service-Type [6] 6Framed [2]*Jul 7 03:39:42.275: RADIUS: Framed-Protocol [7] 6PPP [1]*Jul 7 03:39:42.275: RADIUS(00000026): Received from id 1645/14*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: Framed-Protocol*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: service-type*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: tunnel-id*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: tunnel-type*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: gw-password*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: nas-password*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: ip-addresses*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: service-type*Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: Framed-Protocol*Jul 7 03:39:42.279: AAA/BIND(00000027): Bind i/f*Jul 7 03:39:42.279: Tnl 21407 L2TP: O SCCRQ*Jul 7 03:39:42.279: Tnl 21407 L2TP: O SCCRQ, flg TLS, ver 2, len 134, tnl0, ns 0, nr 0C8 02 00 86 00 00 00 00 00 00 00 00 80 08 00 0000 00 00 01 80 08 00 00 00 02 01 00 00 08 00 0000 06 11 30 80 09 00 00 00 07 6C 61 63 00 19 0000 00 08 43 69 73 63 6F 20 53 79 73 74 65 6D 732C 20 49 6E 63 2E 80 ...*Jul 7 03:39:49.279: Tnl 21407 L2TP: O StopCCN*Jul 7 03:39:49.279: Tnl 21407 L2TP: O StopCCN, flg TLS, ver 2, len 66, tnl0, ns 1, nr 0C8 02 00 42 00 00 00 00 00 01 00 00 80 08 00 0000 00 00 04 80 1E 00 00 00 01 00 02 00 06 54 6F6F 20 6D 61 6E 79 20 72 65 74 72 61 6E 73 6D 6974 73 00 08 00 09 00 69 00 01 80 08 00 00 00 0953 9F*Jul 7 03:39:49.279: RADIUS/ENCODE(00000026):Orig. component type = PPoE*Jul 7 03:39:49.279: RADIUS(00000026): Config NAS IP: 0.0.0.0*Jul 7 03:39:49.279: RADIUS(00000026): sending*Jul 7 03:39:49.279: RADIUS/ENCODE: Best Local IP-Address 10.0.1.123 forRadius-Server 172.19.192.238*Jul 7 03:39:49.279: RADIUS(00000026): Send Accounting-Request to172.19.192.238:2196 id 1646/32, len 179*Jul 7 03:39:49.279: RADIUS: authenticator 0A 85 2F F0 65 6F 25 E1 - 97 54CC BF EA F7 62 89*Jul 7 03:39:49.279: RADIUS: Acct-Session-Id [44] 10 "00000037"*Jul 7 03:39:49.279: RADIUS: Framed-Protocol [7] 6PPP [1]*Jul 7 03:39:49.279: RADIUS: Tunnel-Medium-Type [65] 600:IPv4 [1]*Jul 7 03:39:49.279: RADIUS: Tunnel-Client-Endpoi[66] 10 "12.0.0.1"*Jul 7 03:39:49.279: RADIUS: Tunnel-Server-Endpoi[67] 10 "12.0.0.2"*Jul 7 03:39:49.283: RADIUS: Tunnel-Type [64] 600:L2TP [3]*Jul 7 03:39:49.283: RADIUS: Acct-Tunnel-Connecti[68] 3 "0"*Jul 7 03:39:49.283: RADIUS: Tunnel-Client-Auth-I[90] 5 "lac"*Jul 7 03:39:49.283: RADIUS: User-Name [1] 16 "user@domain.com"*Jul 7 03:39:49.283: RADIUS: Acct-Authentic [45] 6RADIUS [1]*Jul 7 03:39:49.283: RADIUS: Acct-Session-Time [46] 60*Jul 7 03:39:49.283: RADIUS: Acct-Input-Octets [42] 60*Jul 7 03:39:49.283: RADIUS: Acct-Output-Octets [43] 60*Jul 7 03:39:49.283: RADIUS: Acct-Input-Packets [47] 60*Jul 7 03:39:49.283: RADIUS: Acct-Output-Packets [48] 60*Jul 7 03:39:49.283: RADIUS: Acct-Terminate-Cause[49] 6 nas-error [9]*Jul 7 03:39:49.283: RADIUS: Acct-Status-Type [40] 6Stop [2]*Jul 7 03:39:49.283: RADIUS: NAS-Port-Type [61] 6Virtual [5]*Jul 7 03:39:49.283: RADIUS: NAS-Port [5] 60*Jul 7 03:39:49.283: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0"*Jul 7 03:39:49.283: RADIUS: Service-Type [6] 6Framed [2]*Jul 7 03:39:49.283: RADIUS: NAS-IP-Address [4] 610.0.1.123*Jul 7 03:39:49.283: RADIUS: Acct-Delay-Time [41] 60*Jul 7 03:39:49.335: RADIUS: Received from id 1646/32 172.19.192.238:2196,Accounting-response, len 20*Jul 7 03:39:49.335: RADIUS: authenticator C8 C4 61 AF 4D 9F 78 07 - 94 2B44 44 17 56 EC 03Related Commands
aaa authorization template
To enable usage of a local or remote customer template on the basis of Virtual Private Network (VPN) routing and forwarding (VRF), use the aaa authorization template command in global configuration mode. To disable the new authorization, use the no form of this command.
aaa authorization template
no aaa authorization template
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
Global configuration
Command History
Release Modification12.2(15)T
This command was introduced.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
Examples
The following example enables usage of a remote customer template:
aaa authorization templateRelated Commands
ip radius source-interface
To force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets, use the ip radius source-interface command in global configuration mode. To prevent RADIUS from using the IP address of a specified interface for all outgoing RADIUS packets, use the no form of this command.
ip radius source-interface subinterface-name [vrf vrf-name]
no ip radius source-interface
Syntax Description
subinterface-name
Name of the interface that RADIUS uses for all of its outgoing packets.
vrf vrf-name
(Optional) Per Virtual Route Forwarding (VRF) configuration.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to set the IP address of a subinterface to be used as the source address for all outgoing RADIUS packets. The IP address is used as long as the subinterface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.
This command is especially useful in cases where the router has many subinterfaces and you want to ensure that all RADIUS packets from a particular router have the same IP address.
The specified subinterface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in the down state, then RADIUS reverts to the default. To avoid this, add an IP address to the subinterface or bring the subinterface to the up state.
Use the vrf vrf-name keyword and argument to configure this command per VRF, which allows multiple disjoined routing or forwarding tables, where the routes of a user have no correlation with the routes of another user.
Examples
The following example shows how to configure RADIUS to use the IP address of subinterface s2 for all outgoing RADIUS packets:
ip radius source-interface s2The following example shows how to configure RADIUS to use the IP address of subinterface Ethernet0 for VRF definition:
ip radius source-interface Ethernet 0 vrf waterRelated Commands
ip vrf forwarding (server-group)
To configure the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an authentication, authorization, and accounting (AAA) RADIUS or TACACS+ server group, use the ip vrf forwarding command in server-group configuration mode. To enable server groups to use the global (default) routing table, use the no form of this command.
ip vrf forwarding vrf-name
no ip vrf forwarding vrf-name
Syntax Description
Defaults
Server groups use the global routing table.
Command Modes
Server-group configuration
Command History
Usage Guidelines
Use the ip vrf forwarding command to specify a VRF for a AAA RADIUS or TACACS+ server group. This command enables dial users to utilize AAA servers in different routing domains.
Examples
The following example shows how to configure the VRF user to reference the RADIUS server in a different VRF server group:
aaa group server radius sg_globalserver-private 172.16.0.0 timeout 5 retransmit 3!aaa group server radius sg_waterserver-private 10.10.0.0 timeout 5 retransmit 3 key waterip vrf forwarding waterThe following example shows how to configure the VRF user to reference the TACACS+ server in the server group tacacs1:
aaa group server tacacs+tacacs1server-private 10.1.1.1 port 19 key ciscoip vrf forwarding ciscoip tacacs source-interface Loopback0ip vrf ciscord 100:1interface Loopback0ip address 10.0.0.2 255.0.0.0ip vrf forwarding ciscoRelated Commands
radius-server attribute 44 include-in-access-req
To send RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication), use the radius-server attribute 44 include-in-access-req command in global configuration mode. To remove this command from the configuration, use the no form of this command.
radius-server attribute 44 include-in-access-req [vrf vrf-name]
no radius-server attribute 44 include-in-access-req [vrf vrf-name]
Syntax Description
Defaults
RADIUS attribute 44 is not sent in access-request packets.
Command Modes
Global configuration
Command History
Usage Guidelines
There is no guarantee that the Accounting Session IDs will increment uniformly and consistently. In other words, between two calls, the Accounting Session ID can increase by more than one.
The vrf vrf-name keyword and argument specify Accounting Session IDs per Virtual Private Network (VPN) routing and forwarding (VRF), which allows multiple disjoined routing or forwarding tables, where the routes of a user have no correlation with the routes of another user.
Examples
The following example shows a configuration that sends RADIUS attribute 44 in access-request packets:
aaa new-modelaaa authentication ppp default group radiusradius-server host 10.100.1.34radius-server attribute 44 include-in-access-reqradius-server domain-stripping
To configure a network access server (NAS) to strip suffixes, or to strip both suffixes and prefixes from the username before forwarding the username to the remote RADIUS server, use the radius-server domain-stripping command in global configuration mode. To disable a stripping configuration, use the no form of this command.
radius-server domain-stripping [[right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] | strip-suffix suffix] [vrf vrf-name]
no radius-server domain-stripping [[right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] | strip-suffix suffix] [vrf vrf-name]
Syntax Description
Command Default
Stripping is disabled. The full username is sent to the RADIUS server.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the radius-server domain-stripping command to configure the NAS to strip the domain from a username before forwarding the username to the RADIUS server. If the full username is user1@cisco.com, enabling the radius-server domain-stripping command results in the username "user1" being forwarded to the RADIUS server.
Use the right-to-left keyword to specify that the username should be parsed for a delimiter from right to left, rather than from left to right. This allows strings with two instances of a delimiter to strip the username at either delimiter. For example, if the username is user@cisco.com@cisco.net, the suffix could be stripped in two ways. The default direction (left to right) would result in the username "user" being forwarded to the RADIUS server. Configuring the right-to-left keyword would result in the username "user@cisco.com" being forwarded to the RADIUS server.
Use the prefix-delimiter keyword to enable prefix stripping and to specify the character or characters that will be recognized as a prefix delimiter. The first configured character that is parsed will be used as the prefix delimiter, and any characters before that delimiter will be stripped.
Use the delimiter keyword to specify the character or characters that will be recognized as a suffix delimiter. The first configured character that is parsed will be used as the suffix delimiter, and any characters after that delimiter will be stripped.
Use strip-suffix suffix to specify a particular suffix to strip from usernames. For example, configuring the radius-server domain-stripping strip-suffix cisco.net command would result in the username user@cisco.net being stripped, while the username user@cisco.com will not be stripped. You may configure multiple suffixes for stripping by issuing multiple instances of the radius-server domain-stripping command. The default suffix delimiter is the @ character.
Note
Issuing the radius-server domain-stripping strip-suffix suffix command disables the capacity to strip suffixes from all domains. Both the suffix delimiter and the suffix must match for the suffix to be stripped from the full username. The default suffix delimiter of @ will be used if you do not specify a different suffix delimiter or set of suffix delimiters using the delimiter keyword.
To apply a domain-stripping configuration only to a specified VRF, use the vrf vrf-name option.
The interactions between the different types of domain stripping configurations are as follows:
•
You may configure only one instance of the radius-server domain-stripping [right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] command.
•
You may configure multiple instances of the radius-server domain-stripping [right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] [vrf vrf-name] command with unique values for vrf vrf-name.
•
You may configure multiple instances of the radius-server domain-stripping strip-suffix suffix [vrf per-vrf] command to specify multiple suffixes to be stripped as part of a global or per-VRF ruleset.
•
Issuing any version of the radius-server domain-stripping command automatically enables suffix stripping using the default delimiter character @ for that ruleset, unless a different delimiter or set of delimiters is specified.
•
Configuring a per-suffix stripping rule disables generic suffix stripping for that ruleset. Only suffixes that match the configured suffix or suffixes will be stripped from usernames.
Examples
The following example configures the router to parse the username from right to left and sets the valid suffix delimiter characters as @, \, and $. If the full username is cisco/user@cisco.com$cisco.net, the username "cisco/user@cisco.com" will be forwarded to the RADIUS server because the $ character is the first valid delimiter encountered by the NAS when parsing the username from right to left.
radius-server domain-stripping right-to-left delimiter @\$The following example configures the router to strip the domain name from usernames only for users associated with the VRF instance named abc. The default suffix delimiter @ will be used for generic suffix stripping.
radius-server domain-stripping vrf abcThe following example enables prefix stripping using the character / as the prefix delimiter. The default suffix delimiter character @ will be used for generic suffix stripping. If the full username is cisco/user@cisco.com, the username "user" will be forwarded to the RADIUS server.
radius-server domain-stripping prefix-delimiter /The following example enables prefix stripping, specifies the character / as the prefix delimiter, and specifies the character # as the suffix delimiter. If the full username is cisco/user@cisco.com#cisco.net, the username "user@cisco.com" will be forwarded to the RADIUS server.
radius-server domain-stripping prefix-delimiter / delimiter #The following example enables prefix stripping, configures the character / as the prefix delimiter, configures the characters $, @, and # as suffix delimiters, and configures per-suffix stripping of the suffix cisco.com. If the full username is cisco/user@cisco.com, the username "user" will be forwarded to the RADIUS server. If the full username is cisco/user@cisco.com#cisco.com, the username "user@cisco.com" will be forwarded.
radius-server domain-stripping prefix-delimiter / delimiter $@#radius-server domain-stripping strip-suffix cisco.comThe following example configures the router to parse the username from right to left and enables suffix stripping for usernames with the suffix cisco.com. If the full username is cisco/user@cisco.net@cisco.com, the username "cisco/user@cisco.net" will be forwarded to the RADIUS server. If the full username is cisco/user@cisco.com@cisco.net, the full username will be forwarded.
radius-server domain-stripping right-to-leftradius-server domain-stripping strip-suffix cisco.comThe following example configures a set of global stripping rules that will strip the suffix cisco.com using the delimiter @, and a different set of stripping rules for usernames associated with the VRF named myvrf:
radius-server domain-stripping strip-suffix cisco.com!radius-server domain-stripping prefix-delimiter # vrf myvrfradius-server domain-stripping strip-suffix cisco.net vrf myvrfRelated Commands
server-private (RADIUS)
To configure the IP address of the private RADIUS server for the group server, use the server-private command in server-group configuration mode. To remove the associated private server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.
server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
no server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
Syntax Description
Defaults
If server-private parameters are not specified, global configurations will be used; if global configurations are not specified, default values will be used.
Command Modes
Server-group configuration
Command History
Usage Guidelines
Use the server-private command to associate a particular private server with a defined server group. To prevent possible overlapping of private addresses between Virtual Route Forwardings (VRFs), private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (default "radius" server group) can still be referred to by IP addresses and port numbers. Thus, the list of servers in server groups includes references to the hosts in the global configuration and the definitions of private servers.
Examples
The following example shows how to define the sg_water RADIUS group server and associate private servers with it:
aaa group server radius sg_waterserver-private 10.1.1.1 timeout 5 retransmit 3 key cokeserver-private 10.2.2.2 timeout 5 retransmit 3 key cokeRelated Commands
Glossary
AAA—authentication, authorization, and accounting. A framework of security services that provide the method for identifying users (authentication), for remote access control (authorization), and for collecting and sending security server information used for billing, auditing, and reporting (accounting).
L2TP—Layer 2 Tunnel Protocol. A Layer 2 tunneling protocol that enables an ISP or other access service to create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP point of presence (POP) exchanges PPP messages with the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel server to set up tunnels.
PE—Provider Edge. Networking devices that are located on the edge of a service provider network.
RADIUS—Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
SP—service provider.
VHG—Virtual Home Gateway.
VPDN—virtual private dialup network.
VPN—Virtual Private Network. A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected. VPNs use L2TP and L2F to terminate the Layer 2 and higher parts of the network connection at the LNS instead of the LAC.
VRF—Virtual Route Forwarding. Initially, a router has only one global default routing/forwarding table. VRFs can be viewed as multiple disjoined routing/forwarding tables, where the routes of a user have no correlation with the routes of another user.
Note
See Internetworking Terms and Acronyms for terms not included in this glossary.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2001-2006 Cisco Systems, Inc. All rights reserved.


