-
Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T
-
Securing User Services Overview
-
Autosecure
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
AAA-SERVER-MIB Set Operation
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Server Load Balancing
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
RADIUS Interim Update at Call Connect
-
Define Interface Policy-Map AV Pairs AAA
-
- TACACS+
-
RADIUS
-
RADIUS and TACACS+ Attributes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
RADIUS Attribute 66 (Tunnel-Client-Endpoint) Enhancements
-
- TACACS+ Attributes
-
RADIUS Attributes
- Secure Shell (SSH)
-
Cisco IOS Login Enhancements (Login Block)
-
Cisco IOS Resilient Configuration
-
Image Verification
-
IP Source Tracker
-
Role-Based CLI Access
- User Security Configuration
-
Configuring Kerberos
-
Lawful Intercept Architecture
-
Table Of Contents
AAA Broadcast Accounting—Mandatory Response Support
Prerequisites for AAA Broadcast Accounting—Mandatory Response Support
Restrictions for AAA Broadcast Accounting—Mandatory Response Support
Information About AAA Broadcast Accounting—Mandatory Response Support
Simultaneous Broadcast and Wait Accounting
How AAA Broadcast Accounting is Supported for GGSN
Configuring Broadcast and Wait Accounting on the GGSN
Configuration Examples for AAA Broadcast Accounting—Mandatory Response Support
AAA Broadcast Accounting—Mandatory Response Support: Example
Feature Information for AAA Broadcast Accounting—Mandatory Response Support
AAA Broadcast Accounting—Mandatory Response Support
First Published: October 10, 2008Last Updated: August 4, 2009The AAA Broadcast Accounting—Mandatory Response Support feature provides a mechanism to support broadcast accounting under each server group through a Gateway GPRS Support Node (GGSN), which acts as a gateway between a General Packet Radio Service (GPRS) wireless data network and other networks such as the Internet or private networks.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for AAA Broadcast Accounting—Mandatory Response Support" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•
Prerequisites for AAA Broadcast Accounting—Mandatory Response Support
•
•
•
•
•
Prerequisites for AAA Broadcast Accounting—Mandatory Response Support
See the Cisco GGSN Release 8.0 Configuration Guide for more information on preparing for the GGSN configuration.
Restrictions for AAA Broadcast Accounting—Mandatory Response Support
Accounting information can be sent simultaneously to a maximum of ten AAA servers.
Information About AAA Broadcast Accounting—Mandatory Response Support
The AAA Broadcast Accounting—Mandatory Response Support feature allows up to 10 server groups (methods) to be configured in a method list. The following sections describe the types of AAA accounting used to support GGSN:
•
AAA Broadcast Accounting
AAA broadcast accounting allows accounting information to be sent to multiple authentication, authorization, and accounting (AAA) servers at the same time; that is, accounting information can be broadcast to one or more AAA servers simultaneously. This functionality allows service providers to send accounting information to their own private AAA servers and to the AAA servers of their end customers. It also provides redundant billing information for voice applications.
Broadcasting is allowed among groups of servers, which can be either RADIUS or TACACS+, and each server group can define its backup servers for failover independently of other groups. Failover is a process that may occur when more than one server has been defined within a server group. Failover refers to the process by which information is sent to the first server in a server group; if the first server is unavailable, the information is sent to the next server in the server group. This process continues until the information is successfully sent to one of the servers within the server group or until the list of available servers within the server group is exhausted.
Simultaneous Broadcast and Wait Accounting
With Cisco GGSN Release 8.0 and later releases, broadcast and wait accounting can be configured to work together. The wait accounting feature is configured at the Access Point Name (APN) level, while broadcast accounting is specified at the AAA method level.
Broadcast accounting sends start, stop, and interim accounting records to all the server groups that are configured in a method list. Within a server group, the accounting records are sent to the first active server. If the active server cannot be reached, the accounting records are sent to the next server within a group.
Additionally, one or more server groups within a method list can be configured as "mandatory," meaning that a server from that server group has to respond to the Accounting Start message. The APN-level wait accounting ensures that an accounting response has been received from all mandatory server groups before the packet data protocol (PDP) context is established.
The advantages of broadcast and wait accounting together include:
•
•
•
•
When configuring broadcast and wait accounting together, note the following:
•
•
•
•
•
•
Note
How AAA Broadcast Accounting is Supported for GGSN
The following task is used to configure broadcast and wait accounting on the GGSN.
•
Configuring Broadcast and Wait Accounting on the GGSN
The tasks in this section describe how to configure broadcast and wait accounting on the GGSN.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
Configuration Examples for AAA Broadcast Accounting—Mandatory Response Support
The following configuration example can be used for AAA Broadcast Accounting—Mandatory Response Support:
•
AAA Broadcast Accounting—Mandatory Response Support: Example
The following example globally configures the GGSN to wait for an accounting response from the RADIUS server before sending a Create PDP Context response to the SGSN. The GGSN waits for a response for PDP context requests received across all access points, except access-point 1. RADIUS response message waiting has been overridden at access-point 1 by using the no gtp response-message wait-accounting command.
! Enables AAA globally!aaa new-model!! Defines AAA server group!aaa group server radius abcserver 10.2.3.4 auth-port 1645 acct-port 1646server 10.6.7.8 auth-port 1645 acct-port 1646!! Configures AAA authentication and authorization!aaa authentication ppp abc group abcaaa authorization network abc group abcaaa accounting network abcaction-type start-stopbroadcastgroup SG1 mandatorygroup SG2group SG3 mandatory!gprs access-point-list gprsaccess-point 1access-mode non-transparentaccess-point-name www.pdn1.comaaa-group authentication abc!! Disables waiting for RADIUS response! message at APN 1!no gtp response-message wait-accountingexitaccess-point 2access-mode non-transparentaccess-point-name www.pdn2.comaaa-group authentication abc!! Enables waiting for RADIUS response! messages across all APNs (except APN 1)!gprs gtp response-message wait-accounting!! Configures global RADIUS server hosts! and specifies destination ports for! authentication and accounting requests!radius-server host 10.2.3.4 auth-port 1645 acct-port 1646 non-standardradius-server host 10.6.7.8 auth-port 1645 acct-port 1646 non-standardradius-server key ggsntelAdditional References
The following sections provide references related to the AAA Broadcast Accounting—Mandatory Response Support feature.
Related Documents
Preparation for the GGSN configuration
AAA commands
AAA features
Cisco IOS Security Configuration Guide: Securing User Services
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Feature Information for AAA Broadcast Accounting—Mandatory Response Support
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video (Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0907R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
