Cisco 10000 Series Internet Router Service Selection Gateway Configuration Guide
Authentication and Accounting


The Cisco 10000 series router supports the following SSG features for authentication- and accounting-related functions:

SSG Full Username RADIUS Attribute

RADIUS Accounting Records

This chapter describes the SSG features for authentication and accounting.

SSG Full Username RADIUS Attribute

The Full Username RADIUS attribute allows SSG to include the user's full username and domain (user@service) in the RADIUS authentication and accounting requests.

Restrictions for SSG Full Username RADIUS Attribute

The size of the full username is limited to the smaller of the following values:

246 bytes (10 bytes less than the standard RADIUS protocol limitation)

10 bytes less than the maximum size of the RADIUS attribute supported by your proxy

Configuration Examples for SSG Full Username RADIUS Attribute

Example 4-1 RADIUS Freeware Format Example

Service-Info = "X"

Example 4-2 CiscoSecure ACS for UNIX Example

9,251 = "X"

RADIUS Accounting Records

SSG sends accounting records with the associated attributes to the RADIUS accounting server when the following events occur:

Account Login and Logout

Service Connection and Termination

Account Login and Logout

SSG sends a RADIUS accounting-request record to the local RADIUS server when a user logs in to or out of the SSG. The Acct-Status-Type attribute included in the accounting-request record indicates if the accounting-request marks the start of the user service or the end of the service.

When a user logs in, SSG sends an accounting-start record to RADIUS. When a user logs out, SSG sends an accounting-stop record.

Configuration Examples for Account Login and Logout

Example 4-3 shows the information contained in a RADIUS accounting-start record.

Example 4-3 RADIUS Accounting-Start Record

Acct-Status-Type = Start
NAS-IP-Address = ip_address
User-Name = "username"
Acct-Session-Id = "session_id"
Framed-IP-Address = user_ip 
Proxy-State = "n"

Example 4-4 shows the information contained in a RADIUS accounting-stop record.

Example 4-4 RADIUS Accounting-Stop Record

Acct-Status-Type = Stop
NAS-IP-Address = ip_address
User-Name = "username"
Acct-Session-Time = time
Acct-Terminate-Cause = cause
Acct-Session-Id = "session_id"
Framed-IP-Address = user_ip
Proxy-State = "n"

The Acct-Session-Time attribute indicates the length of the session, expressed in seconds. The Acct-Terminate-Cause attribute indicates the reason for account termination, which can be due to the following events:

User-Request

Session-Timeout

Idle-Timeout

Lost-Carrier

Service Connection and Termination

SSG also sends a RADIUS accounting-request record to the local RADIUS server when a user accesses or terminates a service. The Acct-Status-Type attribute included in the accounting-request record indicates whether the accounting-request marks the start of the user service or the end of the service.

When a user accesses a service, SSG sends an accounting-start record to RADIUS. When a user terminates a service, SSG sends an accounting-stop record.

Configuration Examples for Service Connection and Termination

Example 4-5 shows the information contained in an accounting-start record for service access.

Example 4-5 RADIUS Accounting-Start Record for Service Access

User-Name = "username"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed
Acct-Session-Id = "00000010"
Framed-Protocol = PPP
Service-Info = "Nisp-name.com"
Service-Info = "Uusername"
Service-Info = "TP"
Acct-Delay-Time = 0

The following list describes some of the attributes included in the record. For more information, refer to the Service Selection Gateway, Release 12.2(15)B feature module.

Acct-Status-Type—Indicates that the accounting-request marks the start of the user service.

Service-Type—Indicates the type of service requested or the type of service to be provided. PPP and SLIP connections use the service type.

Service-Info—Indicates the following, depending on the first letter of the value:

Nname—Indicates the name of the service profile.

Uname—Indicates the username used to authenticate the user with the remote RADIUS server. This attribute is used for proxy services.

Ttype—Indicates whether the connection is proxy (X), tunnel (T), or passthrough (P).

Example 4-6 shows the information contained in an accounting-stop record for service termination.

Example 4-6 RADIUS Accounting-Stop Record for Service Termination

NAS-IP-Address = 192.168.2.48
NAS-Port = 0
NAS-Port-Type = Virtual
User-Name = "zeus"
Acct-Status-Type = Stop
Service-Type = Framed-User
Acct-Session-Id = "00000002"
Acct-Terminate-Cause = User-Request
Acct-Session-Time = 84
Acct-Input-Octets = 0
Acct-Output-Octets = 649
Acct-Input-Packets = 0
Acct-Output-Packets = 17
Framed-Protocol = PPP
Framed-IP-Address = 201.168.101.10
Control-Info = "I0;0"
Control-Info = "O0;649"
Service-Info = "Ninternet"
Service-Info = "Uzeus"
Service-Info = "TP"
Acct-Delay-Time = 0

The following list describes some of the attributes included in the record. For more information, refer to the Service Selection Gateway, Release 12.2(15)B feature module.

Acct-Status-Type—Indicates that the accounting-request marks the end of the user service.

Service-Type—Indicates the type of service.

Acct-Session-Time—Indicates how long the user has been receiving service and is expressed in seconds.

Acct-Terminate-Cause—Indicates the reason for service termination, which can be due to the following events:

User-Request

Lost-Carrier

Lost-Service

Session-Timeout

Idle-Timeout
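
The following is an added example, not part of the original Cisco guide: a Python sketch that parses records written in the attribute = value layout of Examples 4-5 and 4-6, decodes the Service-Info prefixes (N, U, T), and lists sessions that have an accounting-start record but no accounting-stop record. The function names, the blank-line record separator, and the sample records are assumptions made for illustration.

```python
import re

# Service-Info prefix letters and connection types, as listed on this page.
PREFIXES = {"N": "service_profile", "U": "remote_username", "T": "connection_type"}
CONNECTION_TYPES = {"X": "proxy", "T": "tunnel", "P": "passthrough"}
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_records(text):
    """Split blank-line-separated records; repeated attributes become lists."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for m in filter(None, map(ATTR_RE.match, block.splitlines())):
            rec.setdefault(m.group(1), []).append(m.group(2))
        records.append(rec)
    return records

def decode_service_info(rec):
    """Decode each Service-Info value by its one-letter prefix (N, U or T)."""
    out = {PREFIXES[v[0]]: v[1:] for v in rec.get("Service-Info", [])
           if v[:1] in PREFIXES}
    if "connection_type" in out:
        out["connection_type"] = CONNECTION_TYPES.get(out["connection_type"], "unknown")
    return out

def open_sessions(records):
    """Return Acct-Session-Ids that have a Start record but no Stop record."""
    first = lambda rec, name: rec.get(name, [None])[0]
    stopped = {first(r, "Acct-Session-Id") for r in records
               if first(r, "Acct-Status-Type") == "Stop"}
    return [first(r, "Acct-Session-Id") for r in records
            if first(r, "Acct-Status-Type") == "Start"
            and first(r, "Acct-Session-Id") not in stopped]

# Constructed sample records (not device output): two starts, one stop.
SAMPLE = """\
Acct-Status-Type = Start
Acct-Session-Id = "00000010"
Service-Info = "Ninternet"
Service-Info = "Ualice"
Service-Info = "TP"

Acct-Status-Type = Start
Acct-Session-Id = "00000011"
Service-Info = "TX"

Acct-Status-Type = Stop
Acct-Session-Id = "00000010"
"""
```

The sketch pairs records on Acct-Session-Id alone. When records from more than one SSG are combined, pair on NAS-IP-Address together with Acct-Session-Id.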