Cisco Broadband Wireless Gateway 1.1 Command Reference, IOS Release 12.4(15)XL2

29 May 2008

The following commands are new or changed in Cisco BWG 1.1 for IOS Release 12.4(15)XL2:

aaa accounting network

aaa accounting update

aaa authentication

aaa authentication ppp

clear wimax agw bs

clear wimax agw redundancy statistics

clear wimax agw statistics

clear wimax agw subscriber

cs-type

data-delivery-service

debug condition

debug eap

debug eap authenticator

debug ip packet

debug ip slb

debug radius

debug wimax agw aaa

debug wimax agw message

debug wimax agw message tlv

debug wimax agw path

debug wimax agw r6 flow

debug wimax agw r6 session

debug wimax agw r6 subscriber

debug wimax agw redundancy

debug wimax agw switching

debug wimax agw vtemplate

dhcp gateway address

direction

encapsulation agw

ip access-group

ip address allocation subscriber timeout

ip route aggregate

ip static allowed

maximum-latency

maximum-traffic-burst

maximum-traffic-rate-sustained

media-flow-type

minimum-traffic-rate-reserved

pak-classify-rule

policy-transmission-request

precedence

priority

proxy-realm

qos-info

radius-server vsa send accounting wimax

radius-server vsa send authentication wimax

reduced-resources-code

reference-point r6

reference-point r6 keepalive max-failures-allowed

reference-point r6 keepalive timeout

reference-point r6 response retransmits

reference-point r6 response timeout

sdu-size

security subscriber address-filtering ingress

service-flow pre-defined profile

set

service wimax agw

show ip slb sessions

show subscriber msid bs-list

show wimax agw

show wimax agw message

show wimax agw path

show wimax agw redundancy status

show wimax agw statistics

show wimax agw subscriber

show wimax agw tlv

show wimax agw user-group

sla profile-name

subscriber redundancy rate

timeout idle

timeout session

tolerated-jitter

traffic-priority

unsolicited-interval-grant

unsolicited-interval-polling

user auto provisioning

user-group (user group list configuration subcommand)

vlan (service flow direction cs-type submode)

vrf (user group configuration submode)

vrf-default

wimax agw base-station group

wimax agw base-station ip-addr any group

wimax agw r6 maximum base-station

wimax agw r6 maximum subscriber

wimax agw redundancy

wimax agw service-flow pak-classify-rule profile

wimax agw service-flow profile

wimax agw service-flow profile qos-info

wimax agw sla profile

wimax agw user group-list

aaa accounting network

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

no aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

Syntax Description

auth-proxy

Provides information about all authenticated-proxy user events.

system

Performs accounting for all system-level events not associated with users, such as reloads.

Note When system accounting is used and the accounting server is unreachable at system startup time, the system will not be accessible for approximately two minutes.

network

Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).

exec

Runs accounting for the EXEC shell session. This keyword might return user profile information such as what is generated by the autocommand command.

connection

Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin.

commands level

Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.

dot1x

Provides information about all IEEE 802.1x-related user events.

default

Uses the listed accounting methods that follow this keyword as the default list of methods for accounting services.

list-name

Character string used to name the list of at least one of the following accounting methods:

group radius—Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.

group tacacs+—Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.

group group-name—Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name argument.

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

VRF is used only with system accounting.

start-stop

Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.

stop-only

Sends a "stop" accounting notice at the end of the requested user process.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group group-name

Specifies the accounting method list. Enter at least one of the following keywords:

auth-proxy—Creates a method list to provide accounting information about all authenticated hosts that use the authentication proxy service.

commands—Creates a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level.

connection—Creates a method list to provide accounting information about all outbound connections made from the network access server.

exec—Creates a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.

network—Creates a method list to provide accounting information for SLIP, PPP, NCPs, and ARAP sessions.

resource—Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.

tunnel—Creates a method list to provide accounting records (Tunnel-Start, Tunnel-Stop, and Tunnel-Reject) for virtual private dialup network (VPDN) tunnel status changes.

tunnel-link—Creates a method list to provide accounting records (Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject) for VPDN tunnel-link status changes.


Defaults

AAA accounting is disabled.

Command Modes

Global configuration (config)

Command History

Release
Modification

10.3

This command was introduced.

12.0(5)T

Group server support was added.

12.1(1)T

The broadcast keyword was introduced on the Cisco AS5300 and Cisco AS5800 universal access servers.

12.1(5)T

The auth-proxy keyword was added.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.

12.2(15)B

The tunnel and tunnel-link accounting methods were introduced.

12.3(4)T

The tunnel and tunnel-link accounting methods were integrated into Cisco IOS Release 12.3(4)T.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The dot1x keyword was integrated into Cisco IOS Release 12.4(11)T.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Usage Guidelines

General Information

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.

Table 6 contains descriptions of keywords for AAA accounting methods.

Table 6 aaa accounting Methods 

Keyword
Description

group radius

Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.

group tacacs+

Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name argument.


In Table 6, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Cisco IOS software supports the following two methods of accounting:

RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering values for the list-name argument where list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method list keywords to identify the methods to be tried in sequence as given.

If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.


Note System accounting does not use named accounting lists; you can define the default list only for system accounting.


For minimal accounting, include the stop-only keyword to send a "stop" record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.

To specify an accounting configuration for a particular VRF, specify a default system accounting method list, and use the vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless specified.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, see the appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, see the appendix "TACACS+ Attribute-Value Pairs" in the Cisco IOS Security Configuration Guide.


Note This command cannot be used with TACACS or extended TACACS.


Cisco Service Selection Gateway Broadcast Accounting

To configure Cisco Service Selection Gateway (SSG) broadcast accounting, use ssg_broadcast_accounting for the list-name argument. For more information about configuring SSG, see the chapter "Configuring Accounting for SSG" in the Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4.

Layer 2 LAN Switch Port

You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of "Update/Watchdog packets from this AAA client" in your RADIUS server Network Configuration tab. Next, enable "CSV RADIUS Accounting" in your RADIUS server System Configuration tab.

You must enable AAA before you can enter the aaa accounting command. To enable AAA and 802.1X (port-based authentication), use the following global configuration mode commands:

aaa new-model

aaa authentication dot1x default group radius

dot1x system-auth-control

Use the show radius statistics command to display the number of RADIUS messages that do not receive the accounting response message.

Examples

The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.

aaa accounting commands 15 default stop-only group tacacs+

The following example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a start-stop restriction. The aaa accounting command activates authentication proxy accounting.

aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+

The following example defines a default system accounting method list, where accounting services are provided by RADIUS security server "server1" with a start-stop restriction. The aaa accounting command specifies accounting for VRF "vrf1".

aaa accounting system default vrf vrf1 start-stop group server1

The following example defines a default IEEE 802.1x accounting method list, where accounting services are provided by a RADIUS server. The aaa accounting command activates IEEE 802.1x accounting.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization dot1x default group radius
aaa accounting dot1x default start-stop group radius

The following example shows how to enable network accounting and send tunnel and tunnel-link accounting records to the RADIUS server. (Tunnel-Reject and Tunnel-Link-Reject accounting records are automatically sent if either start or stop records are configured.)

aaa accounting network tunnel start-stop group radius
aaa accounting network session start-stop group radius

The following example shows how to enable IEEE 802.1x accounting:

aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius

Related Commands

Command
Description

aaa authentication dot1x

Specifies one or more AAA methods for use on interfaces running IEEE 802.1X.

aaa authentication ppp

Specifies one or more AAA authentication methods for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict user access to a network.

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

aaa group server tacacs+

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

dot1x system-auth-control

Enables port-based authentication.

radius-server host

Specifies a RADIUS server host.

show radius statistics

Displays the RADIUS statistics for accounting and authentication packets.

tacacs-server host

Specifies a TACACS+ server host.


aaa accounting update

To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. To disable interim accounting updates, use the no form of this command.

aaa accounting update [newinfo] [periodic number [jitter {maximum max-value}]]

no aaa accounting update

Syntax Description

newinfo

(Optional) An interim accounting record is sent to the accounting server whenever there is new accounting information to report relating to the user in question.

periodic

(Optional) An interim accounting record is sent to the accounting server periodically, as defined by the number.

number

(Optional) Integer specifying number of minutes.

jitter

(Optional) Allows you to set the maximum jitter value in periodic accounting.

maximum max-value

The number of seconds to set for maximum jitter in periodic accounting. The value 0 turns off jitter. Jitter is set to 300 seconds (5 minutes) by default.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.

12.2(13)T

Introduced support for generation of an additional updated interim accounting record that contains all available attributes when a call leg is connected.

12.2(15)T11

The jitter keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(15)XL

This command was incorporated into Cisco IOS Release 12.4(15)XL.


Usage Guidelines

When the aaa accounting update command is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the newinfo keyword is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example would be when IP Control Protocol (IPCP) completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.

When the gw-accounting aaa command and the aaa accounting update newinfo command and keyword are activated, Cisco IOS software generates and sends an additional updated interim accounting record to the accounting server when a call leg is connected. All attributes (for example, h323-connect-time and backward-call-indicators (BCI)) available at the time of call connection are sent through this interim updated accounting record.

When used with the periodic keyword, interim accounting records are sent periodically as defined by the number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent.

When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to report, and accounting records are sent to the accounting server periodically as defined by the number. For example, if you configure the aaa accounting update newinfo periodic number command, all users currently logged in will continue to generate periodic interim accounting records while new users will generate accounting records based on the newinfo algorithm.

Vendor-specific attributes (VSAs) such as h323-connect-time and backward-call-indicator (BCI) are transmitted in the interim update RADIUS message when the aaa accounting update newinfo command and keyword are enabled.

Jitter is used to provide an interval of time between records so that the AAA server does not get overwhelmed by a constant stream of records. If certain applications require that periodic records be sent at exact intervals, you should disable jitter by setting it to 0.


Caution Using the aaa accounting update periodic command and keyword can cause heavy congestion when many users are logged into the network.

Examples

The following example sends PPP accounting records to a remote RADIUS server. When IPCP completes negotiation, this command sends an interim accounting record to the RADIUS server that includes the negotiated IP address for this user; it also sends periodic interim accounting records to the RADIUS server at 30-minute intervals.

aaa accounting network default start-stop group radius
aaa accounting update newinfo periodic 30

The following example sends periodic interim accounting records to the RADIUS server at 30-minute intervals and disables jitter:

aaa accounting update newinfo periodic 30 jitter maximum 0

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

gw-accounting aaa

Enables VoIP gateway accounting through the AAA system.


aaa authentication

To specify one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running IEEE 802.1X, use the aaa authentication dot1x command in global configuration mode. To disable authentication, use the no form of this command.

aaa authentication dot1x {default | listname} method1 [method2...]

no aaa authentication dot1x {default | listname} method1 [method2...]

Syntax Description

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

listname

Character string used to name the list of authentication methods tried when a user logs in.

method1 [method2...]

At least one of these keywords:

enable—Uses the enable password for authentication.

group radius—Uses the list of all RADIUS servers for authentication.

line—Uses the line password for authentication.

local—Uses the local username database for authentication.

local-case—Uses the case-sensitive local username database for authentication.

none—Uses no authentication. The client is automatically authenticated by the switch without using the information supplied by the client.


Defaults

No authentication is performed.

Command Modes

Global configuration

Command History

Release
Modification

12.1(6)EA2

This command was introduced for the Cisco Ethernet switch network module.

12.2(15)ZJ

This command was implemented on the following platforms for the Cisco Ethernet Switch Module: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series.

12.3(2)XA

This command was introduced on the following Cisco router platforms: Cisco 806, Cisco 831, Cisco 836, Cisco 837, Cisco 1701, Cisco 1710, Cisco 1721, Cisco 1751-V, and Cisco 1760.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T. Router support was added for the following platforms: Cisco 1751, Cisco 2610XM - Cisco 2611XM, Cisco 2620XM - Cisco 2621XM, Cisco 2650XM - Cisco 2651XM, Cisco 2691, Cisco 3640, Cisco 3640A, and Cisco 3660.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(15)XL

This command was integrated into Cisco IOS Release 12.4(15)XL.


Usage Guidelines

The method argument identifies the list of methods that the authentication algorithm tries in the given sequence to validate the password provided by the client. The only method that is truly 802.1X-compliant is the group radius method, in which the client data is validated against a RADIUS authentication server. The remaining methods enable AAA to authenticate the client by using locally configured data. For example, the local and local-case methods use the username and password that are saved in the Cisco IOS configuration file. The enable and line methods use the enable and line passwords for authentication.

If you specify group radius, you must configure the RADIUS server by entering the radius-server host global configuration command. If you are not using a RADIUS server, you can use the local or local-case methods, which access the local username database to perform authentication. By specifying the enable or line methods, you can supply the clients with a password to provide access to the switch.

Use the show running-config privileged EXEC command to display the configured lists of authentication methods.

The aaa authentication method-list default command indicates whether the BWG initiates a RADIUS Access-Request for the unauthenticated user group. If this command is absent under an unauthenticated user group, the BWG does not send an Access-Request to the AAA server, and the proxy realm password and user auto-provisioning commands have no effect.

Examples

The following example shows how to create an authentication list. This authentication first tries to contact a RADIUS server. If this action returns an error, the user is allowed access with no authentication:

service wimax agw
aaa new-model
!
!
aaa authentication dot1x agw group radius
aaa authorization network default group radius 
aaa accounting update periodic 1
aaa accounting network agw start-stop group radius
!
!
aaa session-id unique
clock timezone PST -8
clock calendar-valid

Related Commands

Command
Description

debug dot1x

Displays 802.1X debugging information.

identity profile default

Creates an identity profile and enters dot1x profile configuration mode.

show dot1x

Displays details for an identity profile.

show dot1x (EtherSwitch)

Displays 802.1X statistics, administrative status, and operational status for the switch or for the specified interface.


aaa authentication ppp

To specify one or more authentication, authorization, and accounting (AAA) authentication methods for use on serial interfaces that are running PPP, use the aaa authentication ppp command in global configuration mode. To disable authentication, use the no form of this command.

aaa authentication ppp {default}

no aaa authentication ppp {default}

Syntax Description

default

Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.


Defaults

If the default list is not set, only the local user database is checked. This has the same effect as that created by the following command:

aaa authentication ppp default local

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.

12.0(5)T

Group server support and local-case were added as method keywords.

12.2(31)SB

This command was integrated into Cisco IOS Release 12.2(31)SB.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.2(33)SRC

This command was integrated into Cisco IOS Release 12.2(33)SRC.


Usage Guidelines


Note The Cisco BWG only supports the default setting. If you configure aaa authentication ppp agw group radius, the PPP session creation will fail.


The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.

Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in Table 7.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.

If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.


Note In Table 7, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Table 7 aaa authentication ppp Methods 

Keyword
Description

if-needed

Does not authenticate if the user has already been authenticated on a tty line.

krb5

Uses Kerberos 5 for authentication (can be used only for Password Authentication Protocol [PAP] authentication).

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

cache group-name

Uses a cache server group for authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.


Cisco 10000 Series Router

The Cisco 10000 series router supports a maximum of 2,000 AAA method lists. If you configure more than 2,000 AAA method lists, traceback messages appear on the console.

Examples

The following example shows how to create an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.

aaa authentication ppp MIS-access group tacacs+ none

Here is a sample configuration command for PAP authentication on the BWG.

!
aaa authentication  ppp default group radius
!
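The fallback rule described above (a later method runs only when the previous one returns an error, and none then grants access) modeled as an added example; it is not code from Cisco's documentation. The function names, the outcome labels, and treating an all-error list without none as a denial are assumptions; the sample configuration reuses the two commands shown above.

```python
import re

# Outcomes one method can produce: PASS and FAIL are definitive answers;
# ERROR means the method could not answer (e.g. no server responded).
PASS, FAIL, ERROR = "pass", "fail", "error"

LINE_RE = re.compile(r"^\s*aaa\s+authentication\s+ppp\s+(\S+)\s+(.+?)\s*$")

# Constructed sample built from the two example commands on this page.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp MIS-access group tacacs+ none
aaa authentication  ppp default group radius
"""

def parse_ppp_method_lists(config_text):
    """Return {list_name: [method, ...]} for each aaa authentication ppp line."""
    lists = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        methods, tokens = [], iter(m.group(2).split())
        for tok in tokens:
            if tok in ("group", "cache"):  # two-token methods
                tok = f"{tok} {next(tokens, '')}".strip()
            methods.append(tok)
        lists[m.group(1)] = methods
    return lists

def evaluate(methods, outcomes):
    """Walk a method list; outcomes maps method -> PASS, FAIL or ERROR."""
    for method in methods:
        if method == "none":
            return PASS, method        # access granted with no authentication
        result = outcomes.get(method, ERROR)
        if result != ERROR:
            return result, method      # a definitive answer stops the walk
    return FAIL, None                  # assumption: all errored, no 'none' => deny

def fail_open_lists(lists):
    """Names of lists that grant access once every preceding method errors."""
    return sorted(name for name, methods in lists.items() if "none" in methods)

if __name__ == "__main__":
    parsed = parse_ppp_method_lists(SAMPLE_CONFIG)
    print(fail_open_lists(parsed))
    print(evaluate(parsed["MIS-access"], {"group tacacs+": ERROR}))
```

When reviewing a running configuration, any list reported by fail_open_lists admits PPP users unauthenticated whenever its servers are unreachable; ending the list with local instead keeps a credential check in that situation.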

Related Commands

| Command | Description |
|---|---|
| aaa group server radius | Groups different RADIUS server hosts into distinct lists and distinct methods. |
| aaa group server tacacs+ | Groups different server hosts into distinct lists and distinct methods. |
| aaa new-model | Enables the AAA access control model. |
| more system:running-config | Displays the contents of the currently running configuration file, the configuration for a specific interface, or map class information. |
| ppp authentication | Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface. |
| radius-server host | Specifies a RADIUS server host. |
| tacacs+-server host | Specifies a TACACS host. |


clear wimax agw bs

To clear all the subscribers that belong to this base station, and clear the base station details, use the clear wimax agw bs command in global configuration mode.

clear wimax agw bs bs-ip-address

Syntax Description

bs-ip-address

IP address of a specific base station.


Defaults

There are no default values.

Command Modes

Privileged EXEC

Command History

| Release | Modification |
|---|---|
| 12.4(15)XL | This command was introduced. |


Usage Guidelines


Note: All clear wimax commands are valid only on the SR ACTIVE card.


For example:

router#clear wimax agw subscriber all
This is STANDBY unit. This command must be issued on the ACTIVE unit

Examples

The following example illustrates how to use the clear wimax agw bs command:

router#clear wimax agw bs bs-ip-address

clear wimax agw redundancy statistics

To clear redundancy specific statistics, use the clear wimax agw redundancy statistics command in privileged EXEC configuration mode.

clear wimax agw redundancy statistics

Syntax Description

This command has no keywords or arguments.

Defaults

There are no default values.

Command Modes

Privileged EXEC configuration.

Command History

| Release | Modification |
|---|---|
| 12.4(15)XL | This command was introduced. |


Usage Guidelines

You can use the clear wimax agw redundancy statistics command on the standby card without producing a warning message, but the redundancy statistics on the active and standby will not be in sync.

Examples

The following example clears all BWG redundancy statistics:

router#clear wimax agw redundancy statistics

clear wimax agw statistics

To clear statistics on the BWG, use the clear wimax agw statistics command in privileged EXEC configuration mode.

clear wimax agw statistics

Syntax Description

There are no keywords or arguments.

Defaults

There are no default values.

Command Modes

Privileged EXEC configuration.

Command History

| Release | Modification |
|---|---|
| 12.4(15)XL | This command was introduced. |


Usage Guidelines

You can use the clear wimax agw statistics command on the standby card without producing a warning message, but the statistics on the active and standby will not be in sync.

Examples

The following example illustrates the clear wimax agw statistics command:

router# clear wimax agw statistics

clear wimax agw subscriber

To clear the subscriber on the BWG, use the clear wimax agw subscriber command in privileged EXEC configuration mode.

clear wimax agw subscriber [mac-id mac-id] [local]

Syntax Description

mac-id mac-id

Specifies the MAC ID of the subscriber. If the MAC ID is not specified, the entire subscriber list is cleared.

local

If the local keyword is configured, the subscribers are cleared locally; otherwise, de-registration is sent to the base station.


Defaults

There are no default values.

Command Modes

Privileged EXEC configuration.

Command History

| Release | Modification |
|---|---|
| 12.4(15)XL | This command was introduced. |


Usage Guidelines


Note: All clear wimax commands are valid only on the SR ACTIVE card.


For example:

router#clear wimax agw subscriber all
This is STANDBY unit. This command must be issued on the ACTIVE unit

Examples

The following example clears subscribers locally:

clear wimax agw subscriber local

cs-type

To specify the cs-type profile under the corresponding direction, use the cs-type subcommand. The no version of the command removes the cs-type information from the corresponding direction. Configuring the command opens a subconfiguration mode in which you configure the various cs-type commands.

cs-type {ethernet-cs | ip-cs}

no cs-type {ethernet-cs | ip-cs}

Syntax Description

ethernet-cs

Specifies Ethernet as the convergence sublayer.

ip-cs

Specifies IP as the convergence sublayer.


Defaults

There are no default values.

Comm