Cisco IOS Configuration
This chapter includes the following sections:
• Prerequisite Configuration
• Directing AAA Requests to a RADIUS Server
• Enabling and Disabling Accounting for any Call Leg
• Customizing Accounting Packets
Prerequisite Configuration
The following general tasks are prerequisites to configuring the Cisco IOS features described in this document:
• Establish a working IP network. For more information about configuring IP, refer to the Cisco IOS IP Configuration Guide.
• Configure Voice over IP. For more information about configuring Voice over IP, refer to the Cisco IOS Voice Configuration Library.
• Program and configure the interface between the RADIUS server and the Cisco voice gateway to operate with vendor specific attributes (VSAs). Refer to the RADIUS Vendor-Specific Attributes Voice Implementation Guide.
• Download the TCL scripts that are not embedded in Cisco IOS from the Cisco CCO software support URL: http://www.cisco.com/public/sw-center/
• Define and apply IVR applications on the dial peer to direct AAA requests to a RADIUS server. For more information, see the Cisco IOS TCL and VoiceXML Application Guide.
Configuring AAA Basics
You must follow these steps to set up AAA before you start directing AAA requests to a RADIUS server:
Step 1
Enable authentication, authorization, and accounting (AAA) security services:
Router(config)# aaa new-model
Example:
Step 2
Define a RADIUS server host by entering the following command:
Router(config)# radius-server host ipaddress auth-port port-number acct-port port-number
Example:
radius-server host 1.5.35.10 auth-port 2001 acct-port 2002
Step 3
Use the RADIUS server defined in Step 2 to define a AAA group.
a.
To define a group name, enter the following command in global configuration mode:
Router(config)# aaa group server radius group-name
Note
For the argument group-name in the command, enter the name of the specific RADIUS server (for example server1) you want to authenticate, or enter the argument radius if you want to authenticate all RADIUS servers.
Example:
aaa group server radius server1
b.
To configure the IP address of the RADIUS server for the group server, enter the following command in group server configuration mode:
Router(config-sg-radius)# server ip-address auth-port port-number acct-port port-number
Example:
server 1.5.35.10 auth-port 2001 acct-port 2002
Step 4
Exit group server configuration mode.
Router(config-sg-radius)# exit
Step 5
To specify the password for use between the gateway and the RADIUS server, enter the following command in global configuration mode:
Router(config)# radius-server key key
Example:
radius-server key 1user23
Step 6
Use the AAA group defined in Step 2 above to define an AAA method list.
a.
For voice authentication, enter the aaa authentication login command.
Router(config)# aaa authentication login list-name method1 [method2...]
Examples:
aaa authentication login h323 group server2
aaa authentication login MIS-access group radius
b.
For voice authorization, enter the aaa authorization command.
Router(config)# aaa authorization exec list-name method1 [method2...]
Examples:
aaa authorization exec h323 group server2
aaa authorization exec MIS-access group radius
c.
For voice accounting, enter the aaa accounting command in global configuration mode.
Router(config)# aaa accounting connection list-name start-stop method1 [method2...]
Example:
aaa accounting connection h323 start-stop group server1
Directing AAA Requests to a RADIUS Server
You can use TCL scripts or the CLI to direct AAA requests to a specific RADIUS server based on:
• Customer account number
• Called party number
• Trunk group
Directing AAA Requests by Using Account Numbers
It is easier to use TCL scripts than the CLI to direct AAA requests using account numbers.
To use TCL scripts for directing AAA requests using account numbers, follow the steps below:
Step 1
Before you start using TCL scripts to direct AAA requests using account numbers, you must define and apply the interactive voice response (IVR) application on the dial peer.
Step 2
Use the authentication, authorization, and accounting TCL verbs to customize your TCL scripts. Refer to the Accounting Template, page 21 in Chapter 1, "Overview of AAA on Voice Gateways" for an example of a TCL script.
The authentication, accounting, and authorization TCL verbs are:
a.
Authentication: Use the following TCL verb:
aaa authenticate account password [-a avlistSend][-s servertag]
b.
Authorization: Use the following TCL verb:
aaa authorize account password ani destination {legID|info-tag} [-s servertag]
c.
Accounting: Use the following TCL verbs to start or update accounting messages:
aaa accounting start {legID|info-tag} [-s servertag]
Step 3
(Optional) If you use the accounting TCL verb, use the accounting suppress command to suppress accounting on the same dial peer on which you have specified your application.
Follow the steps below to suppress accounting on the dial peer:
a.
Enter the voice class aaa command in global configuration mode.
Router(config)# voice class aaa tag
Example:
b.
Enter the accounting suppress command in voice class configuration mode.
Router(config-class)# accounting suppress
c.
Enter the voice class aaa command in dial peer configuration mode.
Router(config)# dial-peer voice tag {pots|voip}
Router(config-dial-peer)# voice-class aaa tag
Example:
Directing AAA Requests using Called Party Number
You can use the called party number to direct AAA requests in dial peer configuration mode as follows:
Step 1
Define a dial peer.
a.
Enter dial peer configuration mode using the dial-peer voice command. The argument tag defines a particular dial peer.
Router(config)# dial-peer voice tag {pots|voip}
Example:
b.
Specify the incoming called number using the incoming called-number command in dial peer configuration mode. The argument string is a series of digits that specifies the incoming called number.
Router(config-dial-peer)# incoming called-number string
Example:
incoming called-number 5550900
Step 2
Define the voice class.
a.
Enter the voice class aaa command in global configuration mode. The argument tag identifies the dial peer.
Router(config)# voice class aaa tag
Example:
b.
Define authentication, authorization, and accounting methods. Enter the authentication, authorization and accounting commands in voice class mode. The argument methodListName is used to name the list of authentication, authorization or accounting methods applicable to each command.
Router(config-class)# authentication method methodListName
Router(config-class)# accounting method methodListName
Router(config-class)# authorization method methodListName
Example:
c.
Define the voice class in dial peer configuration mode. Enter dial peer configuration mode and then define the voice class in that mode. The argument tag identifies the same dial peer as in step a) above.
Router(config)# dial-peer voice tag {pots|voip}
Router(config-dial-peer)# voice-class aaa tag
Example:
Directing AAA Requests Using Trunk Groups
To direct AAA requests using trunk groups, a trunk group must first associate with a dial peer. To use this method, group all the interfaces using one trunk group and define only one dial peer instead of individual ports for the interfaces using that trunk group.
You can direct AAA requests using trunk groups in dial-peer configuration mode as follows:
Step 1
Define the trunk group by entering the trunk group command in global configuration mode. The argument tag is a number.
Router(config)# trunk group tag
Example:
Step 2
Use the trunk group tag in Step 1 to group the interfaces.
a.
Enter the interface serial command in global configuration mode to specify a serial interface on the channelized T1 or E1 controller. The argument slot/port denotes the slot and port number where the channelized T1 or E1 controller is located. The argument timeslot denotes the ISDN D channel timeslot which is 15 for channelized E1 and 23 for channelized T1.
Router(config)# interface serial slot/port: timeslot
Example:
b.
Enter the trunk group command.
Router(config-inter-serial)# trunk group tag
Example:
Step 3
Use the tag defined in Step 2b) above.
a.
Enter the voice class aaa command in global configuration mode.
Router(config)# voice class aaa tag
Example:
b.
Define authentication, accounting, and authorization methods. Enter the authentication method, accounting method, and authorization method commands in voice class mode. The argument methodListName is used to name the list of authentication, accounting, or authorization methods applicable to each command.
Router(config-class)# authentication method methodListName
Router(config-class)# accounting method methodListName
Router(config-class)# authorization method methodListName
Example:
c.
Enter dial peer configuration mode using the dial peer voice command.
Router(config)# dial-peer voice tag {pots|voip}
Example:
d.
Define the voice class in dial peer configuration mode. The argument tag identifies the same dial peer as in Step a above.
Router(config-dial-peer)# voice-class aaa tag
Example:
e.
Define the trunk group in dial peer configuration mode. The argument tag is the same number as in Step b) above.
Router(config-dial-peer)# trunk group tag
Example:
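The called-party-number and trunk-group procedures above both build the same chain: a RADIUS server group, the AAA method lists that use it, a voice class that names those lists, and a dial peer that references the voice class. The following check is an added example, not part of the original Cisco document; it walks a configuration and reports any link in that chain that points at something undefined. The sample configuration and its names (server1, h323, billing, the tags and dial-peer numbers) are constructed for illustration.

```python
import re

# Constructed sample built from the command forms on this page; all names are illustrative.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius server1
 server 1.5.35.10 auth-port 2001 acct-port 2002
aaa authentication login h323 group server1
aaa authorization exec h323 group server2
aaa accounting connection h323 start-stop group server1
voice class aaa 1
 authentication method h323
 authorization method h323
 accounting method billing
dial-peer voice 100 pots
 voice-class aaa 1
dial-peer voice 200 voip
 voice-class aaa 2
"""

LIST_RE = re.compile(r"aaa (authentication login|authorization exec|accounting connection)"
                     r" (\S+) (?:start-stop )?(.+)$")

def audit(config):
    """Return findings for dangling references in the AAA chain."""
    groups = {"radius"}            # built-in group covering all RADIUS servers
    lists, classes, peer_refs = {}, {}, []
    section, findings = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():   # top-level command: leave any sub-mode
            section = None
            if m := re.match(r"aaa group server radius (\S+)$", line):
                groups.add(m[1])
            elif m := LIST_RE.match(line):
                kind = m[1].split()[0]
                lists[(kind, m[2])] = re.findall(r"group (\S+)", m[3])
            elif m := re.match(r"voice class aaa (\d+)$", line):
                section = ("class", m[1])
                classes[m[1]] = {}
            elif m := re.match(r"dial-peer voice (\d+) (?:pots|voip)$", line):
                section = ("peer", m[1])
        elif section and section[0] == "class":
            if m := re.match(r"(authentication|authorization|accounting) method (\S+)$", line):
                classes[section[1]][m[1]] = m[2]
        elif section and section[0] == "peer":
            if m := re.match(r"voice-class aaa (\d+)$", line):
                peer_refs.append((section[1], m[1]))
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model is not enabled")
    for (kind, name), used in lists.items():
        findings += [f"{kind} list '{name}' uses undefined server group '{g}'"
                     for g in used if g not in groups]
    for tag, methods in classes.items():
        findings += [f"voice class aaa {tag}: {kind} method list '{name}' is not defined"
                     for kind, name in methods.items() if (kind, name) not in lists]
    findings += [f"dial-peer {peer} references undefined voice class aaa {tag}"
                 for peer, tag in peer_refs if tag not in classes]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

A dangling reference here means calls on that dial peer are not authenticated or accounted against the server you intended, so it is worth running a check like this before relying on the resulting billing records.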
Enabling and Disabling Accounting for any Call Leg
Enabling voice accounting by using the gw-accounting aaa command will send only the default list of VSAs to the accounting server.
Global Configuration Mode
To enable and disable accounting for any call leg in global configuration mode, follow these steps:
Step 1
To enable accounting for any call leg, enter the gw-accounting aaa command in global configuration mode. Use the no form of the command to disable accounting.
Router(config)# gw-accounting aaa
Router(config)# no gw-accounting aaa
Step 2
To disable accounting based on the type of dial peer, use the following commands:
a.
Enter the gw-accounting aaa command.
Router(config)# gw-accounting aaa
b.
Enter the suppress command.
Router(config-gw-accounting-aaa)# suppress
You have a choice of entering pots or voip, based on the type of dial peer.
c.
Enter the suppress pots or suppress voip command.
Router(config-gw-accounting-aaa)# suppress pots
or
Router(config-gw-accounting-aaa)# suppress voip
dial-peer configuration mode
To disable accounting in dial-peer configuration mode, follow these steps:
Step 1
Enter the voice class aaa command in global configuration mode.
Router(config)# voice class aaa tag
Example:
Step 2
Enter the accounting suppress command in voice class aaa mode.
Router(config-class)# accounting suppress [in-bound|out-bound]
Example:
Step 3
Enter the voice class aaa command in dial peer configuration mode.
Router(config)# dial-peer voice tag {pots|voip}
Router(config-dial-peer)# voice-class aaa tag
Example:
Customizing Accounting Packets
This section contains the following sub-sections:
• Configuration Overview
• Configuration Tasks for Customizing Accounting Packets
Configuration Overview
Accounting packets for voice calls consist of voice-specific attributes as well as those that are not specific to voice. This document focuses only on voice-specific attributes. You can add some application-level attributes through the TCL script and fine tune the attribute list created by the system; the result is an accounting template that is customized to your accounting needs.
To customize your accounting packets, first create accounting templates.
Note
If you do not want to customize your accounting packets, enable voice accounting by using the gw-accounting aaa command to generate accounting packets. A specific set of attributes, which include both non voice-specific and voice-specific attributes, is automatically sent by the gateway to the RADIUS server.
To view the current list of VSAs, refer to the RADIUS Vendor Specific Attributes Voice Implementation Guide. For example, in the "Accounting Template" section on page 21 of Chapter 1, "Overview of AAA on Voice Gateways", the default attributes are:
• h323-gw-id
• h323-call-origin
• h323-call-type
• h323-setup-time
• h323-connect-time
• h323-disconnect-time
• h323-disconnect-cause
• h323-remote-address
• h323-voice-quality (ICPIF)
• subscriber
To send all the VSAs to the accounting server use the template callhistory-detail command in global configuration mode. The Accounting Template, page 21 in Chapter 1, "Overview of AAA on Voice Gateways" includes the default and new VSAs. Refer to the "Using Callhistory-detail to Send All VSAs" section for configuration details.
For the latest list of VSAs, refer to RADIUS Vendor-Specific Attributes Voice Implementation Guide.
To fine tune your accounting packets based on your billing needs, create accounting templates using specific VSAs that are applicable to your accounting needs. For example, to target different accounting servers for incoming calls from different trunks, you must define multiple accounting templates and associate them with different sets of incoming dial peers. To create a template, remove the attributes that are not applicable by adding the # sign in front of each of those attributes.
To tune your accounting packets, remove attributes that do not apply to your billing needs. Deleting these attributes creates a custom accounting template that acts as a filter, allowing only the defined attributes to be sent to the accounting server. To apply a customized template, first define the template using the call accounting template voice command in global configuration mode, and then apply it using either TCL scripts or the CLI. If you are using the CLI, you can apply the template either in global configuration or dial-peer configuration mode. Refer to the "Defining and Applying Customized Accounting Templates" section for configuration details.
Specific VSAs that cannot be controlled by the accounting template are sent as attribute-value (AV) pairs through the avlistSend argument of the TCL verbs used in the script, and they are:
• h323-ivr-out
• h323-ivr-in
• h323-credit-amount
• h323-return-code
• h323-prompt-id
• h323-time-and-delay
• h323-redirect-number
• h323-preferred-lang
• h323-redirect-ip-addr
• h323-billing-model
• h323-currency
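The filter behaviour described above can be checked before a template is published. The following is an added example, not part of the original Cisco document: it reads a template, separates the attributes that will be sent from those disabled with #, flags attributes that the template cannot control, and lists the default VSAs the accounting server will no longer receive. The one-attribute-per-line file layout and the sample template are assumptions made for illustration.

```python
# Default attributes listed on this page.
DEFAULT_VSAS = [
    "h323-gw-id", "h323-call-origin", "h323-call-type", "h323-setup-time",
    "h323-connect-time", "h323-disconnect-time", "h323-disconnect-cause",
    "h323-remote-address", "h323-voice-quality", "subscriber",
]
# Attributes the page says a template cannot control (sent through avlistSend).
AVLIST_ONLY = {
    "h323-ivr-out", "h323-ivr-in", "h323-credit-amount", "h323-return-code",
    "h323-prompt-id", "h323-time-and-delay", "h323-redirect-number",
    "h323-preferred-lang", "h323-redirect-ip-addr", "h323-billing-model",
    "h323-currency",
}

# Constructed template text; one attribute per line is an assumed layout.
SAMPLE_TEMPLATE = """\
h323-gw-id
h323-call-origin
#h323-call-type
h323-setup-time
h323-connect-time
h323-disconnect-time
# h323-disconnect-cause
h323-remote-address
#h323-voice-quality
h323-credit-amount
h323-setup-time
"""

def parse_template(text):
    """Return (sent, suppressed, warnings) for a template body."""
    sent, suppressed, warnings = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        name = line.lstrip("#").strip()
        if not name:
            continue                      # blank line or a bare '#'
        if name in AVLIST_ONLY:
            warnings.append(f"line {lineno}: {name} is sent through avlistSend, "
                            "not controlled by the template")
        elif line.startswith("#"):
            suppressed.append(name)       # disabled with a leading '#'
        elif name in sent:
            warnings.append(f"line {lineno}: duplicate attribute {name}")
        else:
            sent.append(name)
    return sent, suppressed, warnings

def dropped_defaults(sent):
    """Default VSAs the accounting server stops receiving under this template."""
    return [name for name in DEFAULT_VSAS if name not in sent]

if __name__ == "__main__":
    sent, suppressed, warnings = parse_template(SAMPLE_TEMPLATE)
    print("sent:", sent)
    print("suppressed:", suppressed)
    print("dropped defaults:", dropped_defaults(sent))
    print("\n".join(warnings))
```

Note that subscriber is reported as dropped even though it was never commented out: because the template only lets listed attributes through, an attribute that is simply absent is filtered the same way as one disabled with #.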
Configuration Tasks for Customizing Accounting Packets
Use the "Configuration Overview" section to plan your customizing needs before you begin the applicable configuration tasks below.
Generate Accounting Packets by Enabling Voice Accounting
To automatically generate accounting packets by enabling voice accounting, enter the gw-accounting aaa command in global configuration mode.
Router(config)# gw-accounting aaa
Router(gw-accounting aaa)# exit
Using Callhistory-detail to Send All VSAs
To send all VSAs (default and new) to the accounting server:
Step 1
Enter the gw-accounting aaa command to enter gateway accounting AAA mode.
Router(config)# gw-accounting aaa
Step 2
Enter the acct-template callhistory-detail command in gateway accounting AAA mode.
Router(config-gw-accounting-aaa)# acct-template callhistory-detail
Router(config-gw-accounting-aaa)#
Defining and Applying Customized Accounting Templates
To define an accounting template:
Step 1
Enter the call accounting-template voice command in global configuration mode. Enter the template name for acctTempName. The url is the address where you store the template. Always assign a .cdr extension to the filename in the URL.
Router(config)# call accounting-template voice acctTempName url
Example:
call accounting-template voice cdr1 tftp://highway/mjs/templates/cdr1.cdr
Note
After bootup, if the template file fails to load from the TFTP server, the system tries to automatically reload the file at five minute intervals.
You can use an accounting template through the CLI (in global configuration or dial-peer configuration mode), or by using TCL verbs.
To use an accounting template through the CLI in global configuration mode, use the following commands:
Step 1
Enter the gw-accounting aaa command to enter gateway accounting AAA mode.
Router(config)# gw-accounting aaa
Step 2
Enter the acct-template command. Assign your template name to acctTempName.
Router(config-gw-accounting-aaa)# acct-template acctTempName
Example:
Applying a Customized Accounting Template through the CLI in Dial-Peer Configuration Mode
To apply a customized accounting template through the CLI in dial peer configuration mode, follow these steps:
Step 1
Enter the call accounting-template voice command in global configuration mode. Assign your template name to acctTempName and your template address (usually your tftp address) to url.
Router(config)# call accounting-template voice acctTempName url
Example:
call accounting-template voice cdr1 tftp://highway/mjs/templates/cdr1.cdr
Step 2
Enter the voice class aaa command in global configuration mode. Assign a numerical value to tag.
Router(config)# voice class aaa tag
Example:
Step 3
Enter the accounting-template command in voice class AAA mode. Assign your template name to acctTempName.
Router(config-class)# accounting-template acctTempName
Example:
accounting-template april1
Step 4
Enter dial peer configuration mode using the dial-peer voice command, and then enter the voice-class aaa command in dial-peer configuration mode. The numerical value of tag is the same as the value of tag in Step 2 above.
Router(config)# dial-peer voice number {pots|voip}
Router(config-dial-peer)# voice-class aaa tag
Example:
Applying a Customized Accounting Template through a TCL Script
Use the aaa accounting start TCL verb. Assign an incoming or outgoing call leg, or assign an information tag. Assign your template name to acctTempName.
aaa accounting start {legID|info-tag} -t acctTempName
Adding Attributes to Accounting Packets through TCL scripts
To add attributes to accounting packets through TCL scripts, follow these steps:
Step 1
Use the avlistSend argument in the TCL verbs to send the following attributes:
• h323-ivr-out
• h323-ivr-in
• h323-credit-amount
• h323-return-code
• h323-prompt-id
• h323-time-and-delay
• h323-redirect-number
• h323-preferred-lang
• h323-redirect-ip-addr
• h323-billing-model
• h323-currency
Step 2
Use TCL verbs for authentication, authorization, and accounting.
a.
For authentication, use the aaa authenticate TCL verb.
aaa authenticate account password [-a avlistSend]
b.
For authorization, use the aaa authorize TCL verb.
aaa authorize account password ani destination {legID | info-tag} [-a avlistSend]
c.
For accounting, use the aaa accounting start TCL verb.
aaa accounting start {legID | info-tag} [-a avlistSend]
© 2007-2009 Cisco Systems, Inc. All rights reserved.