AAA Interface Configuration


AAA Interface Configuration
 
 
This chapter describes how to configure access control to network services, and the type of services available to subscribers once they have access. The authentication, authorization, and accounting (AAA) configuration described in this chapter provides the primary framework through which you can set up AAA functionality in your network for a service subscriber.
 
This chapter includes the following information:
 
 
Configuring RADIUS AAA Functionality
RADIUS-based AAA functionality must be configured at the context and system levels. This section describes how to configure the RADIUS-based AAA parameters at the context and system levels.
 
To configure RADIUS AAA functionality:
Step 1
Step 2
Step 3
Save your configuration as described in the Verifying and Saving Your Configuration chapter.
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
 
Configuring RADIUS AAA Functionality at Context Level
This section describes how to configure context-level RADIUS parameters for subscriber authentication and accounting (optional). As noted in this reference, RADIUS-based AAA functionality can be configured within any context, even its own.
 
Important: This section provides minimum instructions to configure context-level AAA functionality that allows the system to process data sessions. Commands that configure additional context-level AAA properties are described in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
Important: Commands except change-authorize-nas-ip, accounting prepaid, accounting prepaid custom, and accounting unestablished-sessions used in this section, or in the Understanding the System Operation and Configuration chapter, are also applicable to support AAA server group for AAA functionality. For details on AAA server group functionality, see the Configuring AAA Server Group for AAA Functionality section.
To configure RADIUS AAA functionality at the context level use the following configuration:
configure
  context <context_name>
     radius server <ip_address> key <shared_secret> [ max <value> ] [ oldports | port <tcp_port> ] [ priority <priority> ]
     radius [ mediation-device ] accounting server <ip_address> key <shared_secret> [ acct-on { enable | disable } ] [ acct-off { enable | disable } ] [ max <msgs> ] [ oldports ] [ port <port_number> ] [ priority <priority> ] [ type standard ]
     radius attribute nas-identifier <identifier>
     radius attribute nas-ip-address address <primary_address> [ backup <second_address> ]
     radius strip-domain [ authentication-only | accounting-only ]
     end
Notes:
 
Optional. If you want to support more than 320 server configurations system-wide, in the Global Configuration Mode, use the following command:
aaa large-configuration
<context_name> must be the system context designated for AAA configuration.
For information on GGSN-specific additional configurations using RADIUS accounting see the Creating and Configuring APNs section of the GGSN Administration Guide.
<identifier> must be the name designated to identify the system in the Access Request message(s) it sends to the RADIUS server.
Optional. Multiple RADIUS attribute dictionaries have been created for the system. Each dictionary consists of a set of attributes that can be used in conjunction with the system. As a result, users could take advantage of all of the supported attributes or only a subset. To specify the RADIUS attribute dictionary that you want to implement, in the Context Configuration Mode, use the following command:
radius dictionary { 3gpp | 3gpp2 | 3gpp2-835 | customXX | standard | starent | starent-835 | starent-vsa1 | starent-vsa1-835 }
Optional. Configure the system to support NAI-based authentication in the event that the system cannot authenticate the subscriber using a supported authentication protocol. To enable NAI-construction, in the Context Configuration Mode, use the following command:
aaa constructed-nai authentication [ encrypted ] password <password>
Optional. If RADIUS is configured for GGSN service, the system can be configured to support NAI-based authentication to use RADIUS shared secret as password. To enable, in the Context Configuration Mode, use the following command:
aaa constructed-nai authentication use-shared-secret-password
If authentication type is set to allow-noauth or msid-auth and aaa constructed-nai authentication use-shared-secret-password is issued then the system will use RADIUS shared secret as password. In case the authentication type is msid-auth it will always send RADIUS shared secret as password by default in ACCESS-REQUEST.
Optional. To configure the system to allow a user session even when all authentication servers are unreachable, in the Context Configuration Mode, use the following command. When enabled, the session is allowed without authentication. However, the accounting information is still sent to the RADIUS accounting server, if it is reachable.
radius allow authentication-down
Optional. To configure the maximum number of times RADIUS authentication requests must be re-transmitted, in the Context Configuration Mode, use the following command:
radius max-transmissions <transmissions>
Optional. If RADIUS is configured for PDSN service, to configure the accounting trigger options for R-P originated calls to generate STOP immediately or to wait for active-stop from old PCF on handoff, in the Context Configuration Mode, use the following command:
radius accounting rp handoff-stop { immediate | wait-active-stop }
For more information on configuring additional accounting trigger options for R-P generated calls for a PDSN service, refer to the radius accounting rp command in the Command Line Interface Reference.
Optional. To configure the system to check for failed RADIUS AAA servers, in the Context Configuration Mode, use the following command:
radius detect-dead-server { consecutive-failures <count> | keepalive | response-timeout <seconds> }
After a server’s state is changed to “Down”, the deadtime timer is started. When the timer expires, the server’s state is returned to “Active”. If both consecutive-failures and response-timeout are configured, then both parameters have to be met before a server’s state is changed to “Down”. For a complete explanation of RADIUS server states, refer RADIUS Server State Behavior appendix.
Optional. To configure the system to check for failed RADIUS accounting servers, in the Context Configuration Mode, use the following command:
radius accounting detect-dead-server { consecutive-failures <count> | response-timeout <seconds> }
After a server’s state is changed to “Down”, the deadtime timer is started. When the timer expires, the server’s state is returned to “Active”. If both consecutive-failures and response-timeout are configured, then both parameters have to be met before a server’s state is changed to “Down”. For a complete explanation of RADIUS server states, refer RADIUS Server State Behavior.
Optional. If required, users can configure the dynamic redundancy for HA as described in the HA Redundancy for Dynamic Home Agent Assignment chapter of the System Enhanced Feature Configuration Guide.
 
Verifying Your Configuration
To verify your configurations:
In the Exec mode, enter the following command:
show configuration context <aaa_context_name>
The output displays a concise list of settings that you have configured for the context.
 
Configuring Diameter AAA Functionality
This section describes how to configure the Diameter endpoints and system to use the Diameter servers for subscriber authentication and accounting (optional).
 
To configure Diameter AAA functionality:
Step 1
Step 2
Step 3
Step 4
Save your configuration as described in the Verifying and Saving Your Configuration chapter.
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
 
Configuring Diameter Endpoint
Before configuring the Diameter AAA functionality you must configure the Diameter endpoint.
Use the following configuration example to configure Diameter endpoint:
configure
  context <context_name>
     diameter endpoint <endpoint_name>
        origin host <host_name> address <ip_address> [ port <port_number> ] [ accept-incoming-connections ] [ address <ip_address_secondary> ]
        peer <peer_name> [ realm <realm_name> ] address <ip_address> [ [ port <port_number> ] [ connect-on-application-access ] [ send-dpr-before-disconnect [ disconnect-cause <disconnect_cause> ] ] [ sctp ] ]+
        end
Notes:
 
Optional. To support Diameter proxy server on per-PAC/PSC or per-system basis, in the Global Configuration Mode, use the following command:
require diameter-proxy { multiple | single }
<context_name> must be the name of the system context designated for AAA configuration.
Optional. To enable Diameter proxy for the endpoint, in the Diameter Endpoint Configuration Mode, use the following command:
use-proxy
Optional. To set the realm for the Diameter endpoint, in the Diameter Endpoint Configuration Mode, use the following command:
origin realm <realm_name>
<realm_name> is typically a company or service name. The realm is the Diameter identity and will be present in all Diameter messages.
Optional. To create an entry in the route table for the Diameter peer, in the Diameter Endpoint Configuration Mode, use the following command:
route-entry { [ host <host_name> ] [ peer <peer_id> ] [ realm <realm_name> ] } [ application credit-control ] [ weight <value> ]
Optional. To set how the action after failure, or recovery after failure is performed for the route table, in the Diameter Endpoint Configuration Mode, use the following command:
route-failure { deadtime <seconds> | recovery-threshold percent <percent> | result-code <result_code> | threshold <counter> }
Optional. To enable/disable the Transport Layer Security (TLS) support between Diameter client and Diameter server node, in the Diameter Endpoint Configuration Mode, use the following command:
tls { certificate <cert_string> | password <password> | privatekey <private_key> }
connection timeout <timeout>
Optional. To set the connection retry timeout, in seconds, in the Diameter Endpoint Configuration Mode, use the following command:
connection retry-timeout <retry_timeout>
Optional. To set the number of Device Watchdog Requests (DWRs) to be sent before the connection with a Diameter endpoint is closed, in the Diameter Endpoint Configuration Mode, use the following command:
device-watchdog-request max-retries <retry_count>
Optional. To set the maximum number of Diameter messages that any ACS Manager (ACSMgr)/Session Manager (SessMgr) may send to any one peer awaiting responses, in the Context Configuration Mode, use the following command:
max-outstanding <msgs>
Optional. To set the response timeout for the Diameter endpoint, in seconds, in the Diameter Endpoint Configuration Mode, use the following command:
response-timeout <duration>
Optional. To set the watchdog timeout for the Diameter endpoint, in seconds, in the Diameter Endpoint Configuration Mode, use the following command:
watchdog-timeout <duration>
 
Configuring Diameter AAA Functionality at Context Level
There are context-level Diameter parameters that must be configured to provide AAA functionality for subscriber sessions. As noted in Understanding the System Operation and Configuration chapter of the System Administration Guide, AAA functionality can be configured within any context, even its own.
 
This section describes how to configure the Diameter-based AAA parameters at the context level. To configure Diameter-based AAA parameters at the system level, see Configuring System-Level AAA Functionality .
Important: This section provides the minimum instruction set to configure context-level Diameter AAA functionality that allows the system to process data sessions. Commands that configure additional context-level AAA properties are provided in Understanding the System Operation and Configuration chapter of the System Administration Guide.
To configure Diameter AAA functionality at the context level use the following configuration:
configure
  context <context_name>
     diameter authentication endpoint <endpoint_name>
     diameter authentication server <host_name> priority <priority>
     diameter authentication dictionary <dictionary>
     diameter accounting endpoint <endpoint_name>
     diameter accounting server <host_name> priority <priority>
     diameter accounting dictionary <dictionary>
     end
Notes:
 
<context_name> must be the name of the system context designated for AAA configuration.
<endpoint_name> must be the same Diameter endpoint name configured in the Configuring Diameter Endpoint section.
Optional. To configure the number of retry attempts for a Diameter authentication request with the same server, if the server fails to respond to a request, in the Context Configuration Mode, use the following command:
diameter authentication max-retries <tries>
Optional. To configure the maximum number of transmission attempts for a Diameter authentication request, in the Context Configuration Mode, use the following command. Use this in conjunction with the max-retries <tries> option to control how many servers will be attempted to communicate with.
diameter authentication max-transmissions <transmissions>
Optional. To configure how long the system must wait for a response from a Diameter server before re-transmitting the authentication request, in the Context Configuration Mode, use the following command:
diameter authentication request-timeout <duration>
Optional. To configure how many times a Diameter accounting request must be retried with the same server, if the server fails to respond to a request, in the Context Configuration Mode, use the following command:
diameter accounting max-retries <tries>
Optional. To configure the maximum number of transmission attempts for a Diameter accounting request, in the Context Configuration Mode, use the following command. You can use this in conjunction with the max-retries tries option to control how many servers will be attempted to communicate with.
diameter accounting max-transmissions <transmissions>
Optional. To configure how long the system will wait for a response from a Diameter server before re-transmitting the accounting request, in the Context Configuration Mode, use the following command:
diameter accounting request-timeout <duration>
 
Verifying Your Configuration
To verify your configurations:
In the Exec mode, enter the following command:
show configuration context <aaa_context_name>
The output displays a concise list of settings that you have configured for the context.
 
Configuring Diameter Authentication Failure Handling
This section describes how to configure Diameter Authentication Failure Handling at the context level and the AAA group level.
 
Configuring at Context Level
This section describes how to configure context-level error handling for EAP requests / EAP termination requests. Specific actions (continue, retry-and-terminate, or terminate) can be associated with each possible result-code. Ranges of result codes can be defined with the same action, or actions can be specific on a per-result code basis.
To configure Diameter Authentication Failure Handling at the context level use the following configuration:
configure
  context <context_name>
     diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } { request-timeout action { continue | retry-and-terminate | terminate } | result-code <result_code> { [ to <result_code> ] action { continue | retry-and-terminate | terminate } } }
     end
Notes:
 
<context_name> must be the name of the system source context designated for subscriber configuration.
 
Configuring at AAA Group Level
This section describes how to configure error handling for EAP requests / EAP termination requests at the AAA group level. Specific actions (continue, retry-and-terminate, or terminate) can be associated with each possible result-code. Ranges of result codes can be defined with the same action, or actions can be specific on a per-result code basis.
To configure Diameter Authentication Failure Handling at the AAA group level use the following configuration example:
configure
  context <context_name>
     aaa group <group_name>
        diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } { request-timeout action { continue | retry-and-terminate | terminate } | result-code <result_code> { [ to <result_code> ] action { continue | retry-and-terminate | terminate } } }
        end
Notes:
 
<context_name> must be the name of the system source context designated for subscriber configuration.
<group_name> must be the name of the AAA group designated for AAA functionality within the specific context.
 
Configuring System-Level AAA Functionality
There are system-level AAA parameters that must be configured in order to provide AAA functionality for subscriber and context-level administrative user sessions. As noted in Understanding the System Operation and Configuration chapter of the System Administration Guide, AAA functionality can be configured within any context, even its own.
 
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
This procedure applies to both RADIUS and Diameter.
To configure system-level AAA functionality use the following configuration:
configure
  aaa default-domain subscriber <domain_name>
  aaa default-domain administrator <domain_name>
  aaa last-resort context subscriber <context_name>
  aaa last-resort context administrator <context_name>
  aaa username-format { domain | username } { @ | % | - | \ | # | / }
  end
Notes:
 
<domain_name> is the name of the domain, or context, to use for performing AAA functions in the subscriber session. For information on the role of the default domain in the context selection process can be found in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
<context_name> must be the name of the context to use for performing AAA functions in the subscriber session. Additional information on the role of the last-resort context in the context selection process can be found in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
 
Verifying your configuration
To verify your configuration:
In the Exec mode, enter the following command:
show configuration context <context_name>
In the output, verify the AAA settings that you have configured in this user session.
 
Configuring AAA Server Group for AAA Functionality
In addition to the AAA configurations, a AAA server group feature can be configured at the context-level to manage subscriber authentication and accounting through configuring AAA servers into groups.
In general, 128 AAA Server IP address/port per context can be configured on the system and the system selects servers from this list depending on the server selection algorithm (round robin, first server). Instead of having a single list of servers per context, this feature provides the ability to configure multiple server groups. Each server group, in turn, consists of a list of servers.
This feature works in the following way:
 
AAA server group configuration is performed at the context-level. Different subscribers may use the same AAA context, but different AAA server groups only. Server configuration defined in the subscriber profile/APN template supersedes the servers or server groups configuration defined in context mode.
AAA server groups are assigned to the subscriber through realm (domain) configuration for all services. For GGSN service AAA server groups can be assigned to the subscriber through APN configuration also.
To configure AAA Server Group for AAA functionality:
Step 1
 
–or–
Step 2
Save your configuration as described in the Verifying and Saving Your Configuration chapter.
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
 
AAA Server Group Configuration
This section describes how to configure the context to use a group of AAA servers for subscriber authentication and accounting through subscriber/realm (domain)/APN configuration.
 
There are context-level AAA parameters that must be configured in order to provide AAA server group functionality for subscriber sessions.
Important: This section provides the minimum instruction set for configuring a AAA server group for AAA functionality. Commands that configure other properties of this functionality are provided in the Command Line Interface Reference.
To configure a AAA server group use the following configuration:
configure
  context <context_name>
     aaa group <group_name>
     end
Notes:
 
Optional. If you want to support more than 64 server groups system-wide, in the Global Configuration Mode, use the following command:
aaa large-configuration
<context_name> must be the name of the system context designated for AAA functionality configuration.
<group_name> must be the name of the AAA group designated for AAA functionality within the specific context. A total of 800 server groups can be configured system-wide including default server-group unless aaa large-configuration is enabled.
 
Verifying Your Configuration
To verify your configuration:
Step 1
context <context_name>
Step 2
show configuration context <context_name>
In the output verify the server group’s configuration.
Important: The “default” server group in a context is applicable to all subscribers/APNs within that context by default.
 
Applying a AAA Server Group to a Subscriber
The following procedure assumes that a domain alias was previously configured as described in Creating Contexts section of the System Administration Guide.
To apply AAA server group to a subscriber use the following configuration example:
configure
  context <context_name>
     subscriber name <subscriber_name>
        aaa group <group_name>
        end
Notes:
 
<context_name> must be the name of the system source context designated for subscriber configuration.
<sub_name> must be the name of the subscriber template configured as the default template for the domain. For more information on creating contexts, refer to the Creating Contexts section of the System Element Configuration Procedures chapter in the System Administration Guide.
<group_name> must be the name of the AAA server group designated for AAA functionality within the context as described in the AAA Server Group Configuration section.
 
Verifying Subscriber Configuration
Step 1
context <context_name>
Step 2
show subscribers configuration username <subscriber_name>
Step 3
 
Applying a AAA Server Group to an APN
After configuring a AAA server group at context-level, an APN within the same context can be configured to use the user-defined server group.
Use the following configuration example to apply a user-defined AAA server group functionality to a previously configured APN within the same context.
configure
  context <context_name>
     apn <apn_name>
        aaa group <group_name>
        end
Notes:
 
<group_name> must be the name of the AAA server group previously configured for AAA functionality in a specific context as described in the AAA Server Group Configuration section.
 
Verifying APN Configuration
Step 1
context <context_name>
Step 2
show apn name <apn_name>
Step 3
 
Configuring the Destination Context Attribute
Once a user has been authenticated, a AAA attribute is returned in the access-accept message that contains the name of the destination context where the subscriber will egress from. For RADIUS-based subscribers, this is the SN-VPN-NAME attribute, or SN1-VPN-NAME attribute in some RADIUS dictionaries.
 
The system supports configuring subscriber profiles locally within a context though subscriber templates or on a RADIUS server. Subscribers configured on the system are configured within the contexts they were created. In the Understanding the System Operation and Configuration chapter of the System Administration Guide, the role of subscriber default, which is automatically configured for each context, and realm-based subscriber templates, which serves as a default subscriber template for users whose domain portion of their user name matches a domain alias within a context, was discussed. The role of these special subscriber templates is to provide a set of default attributes that may be used to populate any missing values for an authenticated RADIUS-based subscriber. The parameter that would contain this attribute value is called the IP context-name.
Further, it was explained that these attributes must be configured manually for both the subscriber default and any realm-based subscriber template created.
One of the rules that must be configured is a parameter that allows subscriber data traffic to be routed between source and destination contexts. Use the following example configuration to configure that rule.
Important: Commands used in the configuration example in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
configure
  context <context_name>
     subscriber name default
        ip context-name <destination_context_name>
        end
Notes:
 
<context_name> must be the name of the system source context designated for Default subscriber configuration.
<destination_context_name> must be the name of the destination context configured on the system containing the interfaces through which session traffic is routed.
 
Verifying Your Configuration
To verify your global AAA configurations:
In the Exec mode, use the following command:
show configuration
The output displays all the settings that you have configured in this user session. Verify the default-domain, last-resort, and username-format settings.
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883