endpoint: Removes the configured accounting endpoint, and the default accounting server configured in the default AAA group will be used.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies the records to the local HDD and periodically retries the Diameter server.
hd-storage-policy: Disables use of the specified HD storage policy.
max-retries: Disables the configured retry attempts for Diameter accounting in the current AAA group.
max-transmissions: Disables the configured maximum transmission attempts for Diameter accounting in the current AAA group.
server host_name: Removes the configured Diameter host host_name from this AAA server group for Diameter accounting.
dictionary: Sets the context’s dictionary as the system default.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies the records to the local HDD and periodically retries the Diameter server.
max-retries: Sets the retry attempts for Diameter accounting in the current AAA group to default 0 (disable).
max-transmissions: Sets the configured maximum transmission attempts for Diameter accounting in the current AAA group to default 0 (disable).
aaa-custom1 ... aaa-custom10: The custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
nasreq: The NASREQ dictionary, as defined by RFC 4005.
rf-plus: RF Plus dictionary.
endpoint_name must be a string of 1 through 63 characters in length.
hd_policy must be the name of a configured HD Storage policy, and must be a string of 1 through 63 alpha and/or numeric characters in length.
This command and the hd-mode command together enable storage of Rf Diameter messages on the HDD when all Diameter servers are down or unreachable.
tries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000.
transmissions must be an integer from 1 through 1000.
duration specifies the number of seconds, and must be an integer from 1 through 3600.
server host_name priority priority
host_name specifies the Diameter host name, and must be a string of 1 through 63 characters in length.
priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.
dictionary: Sets the context’s dictionary as the system default.
endpoint: Removes the configured authentication endpoint, and the default server configured in default AAA group will be used.
max-retries: Disables the configured retry attempts for Diameter authentication in the current AAA group.
max-transmissions: Disables the configured maximum transmission attempts for Diameter authentication in the current AAA group.
server host_name: Removes the configured Diameter host host_name from this AAA server group for Diameter authentication.
max-retries: Sets the retry attempts for Diameter authentication requests in the current AAA group to default 0 (disable).
max-transmissions: Sets the configured maximum transmission attempts for Diameter authentication in the current AAA group to default 0 (disable).
redirect-host-avp: Sets the redirect choice to default (just-primary).
aaa-custom1 ... aaa-custom20: The custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
Important: The aaa-custom11 dictionary is only available in StarOS 8.1 and later releases. The aaa-custom12 through aaa-custom20 dictionaries are only available in StarOS 9.0 and later releases.
nasreq: The NASREQ dictionary, as defined by RFC 4005.
endpoint_name must be a string of 1 through 63 characters in length.
tries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000.
transmissions specifies the maximum number of transmission attempts, and must be an integer from 1 through 1000.
just-primary: Redirect only to primary host.
primary-then-secondary: Redirect to the primary host; if that fails, redirect to the secondary host.
duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request, and must be an integer from 1 through 3600.
server host_name priority priority
host_name specifies the Diameter authentication server’s host name, and must be a string of 1 through 63 characters in length.
priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.
result-code start_result_code [ to end_result_code ] action { continue | retry-and-terminate | terminate }
start_result_code: Specifies the result code; must be an integer from 1 through 65535.
to end_result_code: Specifies the upper limit of a range of result codes. end_result_code must be greater than start_result_code.
The following commands configure result codes 5001, 5002, 5004, and 5005 to use “action continue” and result code 5003 to use “action terminate”:
This command is deprecated and is replaced by the diameter accounting dictionary and diameter authentication dictionary commands. See the diameter accounting and diameter authentication commands respectively.
vrf_name is the name of a pre-configured virtual routing and forwarding (VRF) context, configured in Context Configuration mode through the ip vrf command.
radius { deadtime minutes | detect-dead-server { consecutive-failures count | response-timeout seconds } | dictionary dictionary | max-outstanding messages | max-retries tries | max-transmissions transmissions | strip-domain { authentication-only | accounting-only } | timeout idle_seconds }
XX is the integer value of the custom dictionary.
Important: This parameter should be set to allow enough time to remedy the issue that originally caused the server’s state to be changed to “Down”. After the deadtime timer expires, the system returns the server’s state to “Active” regardless of whether or not the issue has been fixed.
Important: For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior appendix in the AAA Interface Administration and Reference.
detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds }
consecutive-failures count: Specifies the number of consecutive failures, for any AAA Manager, before a server’s state is changed from “Active” to “Down”.
count must be an integer from 1 through 1000. Default: 4.
keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default is disabled.
response-timeout seconds: Specifies the number of seconds, for any AAA Manager, to wait for a response to any message before a server’s state is changed from “Active” to “Down”.
seconds must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters must be met before a server’s state is changed to “Down”.
Important: The “Active” or “Down” state of a RADIUS server, as defined by the system, is based on accessibility and connectivity. For example, if the server is functional but the system has placed it into a “Down” state, it could be the result of a connectivity problem. When a RADIUS server’s state is changed to “Down”, a trap is sent to the management station and the deadtime timer is started.
messages must be an integer from 1 through 4000.
tries must be an integer from 0 through 65535.
transmissions must be an integer from 1 through 65535.
When the authentication-only or accounting-only argument is present, strip-domain is applied only to the specified RADIUS message types.
idle_seconds must be an integer from 1 through 65535.
radius detect-dead-server consecutive-failures 6
radius accounting { archive [ stop-only ] | deadtime minutes | detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds } | interim interval seconds | max-outstanding messages | max-pdu-size octets | max-retries tries | max-transmissions transmissions | timeout idle_seconds}
stop-only specifies archiving of only STOP accounting messages.
minutes must be an integer from 0 through 65535.
Important: This parameter should be set to allow enough time to remedy the issue that originally caused the server’s state to be changed to “Down”. After the deadtime timer expires, the system returns the server’s state to “Active” regardless of whether or not the issue has been fixed.
Important: For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior appendix in the AAA Interface Administration and Reference.
detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds }
consecutive-failures count: Specifies the number of consecutive failures, for any AAA Manager, before a server’s state is changed from “Active” to “Down”.
count must be an integer from 1 through 1000. Default: 4
keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default: disabled
response-timeout seconds: Specifies the number of seconds, for any AAA Manager, to wait for a response to any message before a server’s state is changed from “Active” to “Down”.
seconds must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters must be met before a server’s state is changed to “Down”.
Important: The “Active” or “Down” state of a RADIUS server as defined by the system, is based on accessibility and connectivity. For example, if the server is functional but the system has placed it into a “Down” state, it could be the result of a connectivity problem. When a RADIUS server’s state is changed to “Down”, a trap is sent to the management station and the deadtime timer is started.
Important: For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior appendix in the AAA Interface Administration and Reference.
seconds must be an integer from 50 through 40000000.
Important: If RADIUS is used as the accounting protocol for the GGSN product, other commands are used to trigger periodic accounting updates. However, these commands would cause RADIUS STOP/START packets to be sent as opposed to INTERIM-UPDATE packets. Also, note that accounting interim interval settings received from a RADIUS server take precedence over those configured on the system.
messages must be an integer from 1 through 4000.
octets must be an integer from 512 through 2048.
tries must be an integer from 0 through 65535.
transmissions must be an integer from 1 through 65535.
seconds must be an integer from 1 through 65535.
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. The full set of accounting data is sent to each of the n AAA servers. A response from any one of the servers suffices to proceed with the call. On receiving an ACK from any one of the servers, all retries are stopped.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
Important: This is a customer-specific keyword and requires a customer-specific license. For more information on GGSN preservation mode, refer to the GGSN Service Mode Commands chapter.
volume { downlink bytes uplink bytes | total bytes | uplink bytes downlink bytes }
downlink bytes uplink bytes: Specifies the downlink to uplink volume limit, in bytes, for RADIUS Interim accounting.
bytes must be an integer from 100,000 through 4,000,000,000.
total bytes: Specifies the total volume limit, in bytes, for RADIUS interim accounting.
bytes must be an integer from 100,000 through 4,000,000,000.
uplink bytes downlink bytes: Specifies the uplink to downlink volume limit, in bytes, for RADIUS interim accounting.
bytes must be an integer from 100,000 through 4,000,000,000.
list_id must be an integer from 1 through 65535.
Individual subscribers can be associated with remote IP address lists through the configuration of an attribute in their local or RADIUS profile. (Refer to the radius accounting command in the Subscriber Configuration mode.) When configured, accounting data is collected for the subscriber’s communication with any of the remote addresses specified in the list.
id must be an alpha and/or numeric string of 1 through 15 characters in length.
number must be an integer from 1 through 10.
ip_address must be specified using the standard IPv4 dotted decimal notation.
number must be an integer from 3 through 10.
seconds must be an integer from 1 through 30.
name must be an alpha and/or numeric string of 1 through 127 characters in length.
Default: wait-active-stop
• immediate: Indicates that an accounting STOP is generated immediately on handoff, that is, without waiting for an active-stop from the old PCF.
• wait-active-stop: Indicates that an accounting STOP is generated only when an active-stop is received from the old PCF when handoff occurs.
minute must be an integer from 0 through 59.
hour must be an integer from 0 through 23.
Default: active-handoff: Disabled
• active-handoff: Disables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF handoff occurs. Instead, two R-P events occur (one for the Connection Setup and the second for the Active-Start).
• active-start-param-change: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
• active-stop: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
Important: This keyword has been obsoleted by the trigger-policy keyword. Note that if this command is used, the radius accounting rp configuration is represented in terms of the trigger-policy when the context configuration is displayed.
Default: airlink-usage: Disabled
• airlink-usage [ counter-rollover ]: Specifies the use of the Airlink-Usage RADIUS accounting policy for R-P, which generates a start on Active-Starts and a stop on Active-Stops.
  If the counter-rollover option is enabled, the system generates a STOP/START pair before the input/output data octet counts (or input/output data packet counts) become larger than (2^32 - 1). This guarantees that a 32-bit octet count in any STOP message has not wrapped past 2^32, ensuring the accuracy of the count. The system may, at its discretion, send the STOP/START pair at any time, so long as it does so before the 32-bit counter has wrapped. Note that a STOP/START pair is never generated unless the subscriber R-P session is in the Active state, since octet/packet counts are not accumulated in the Dormant state.
• custom: Specifies the use of a custom RADIUS accounting policy for R-P. The custom policy can consist of the following:
  • active-handoff: Enables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF handoff occurs. Normally two R-P events occur (one for the Connection Setup and the second for the Active-Start).
  • active-start-param-change: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
  Important: Note that a custom trigger policy with only active-start-param-change enabled is identical to the standard trigger-policy.
  • active-stop: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
  Important: If the radius accounting rp trigger-policy custom command is executed without any of the optional keywords, all custom options are disabled.
• standard: Specifies the use of the Standard RADIUS accounting policy for R-P in accordance with IS-835B.
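The Python model below is added here to illustrate the counter-rollover behaviour described for airlink-usage; it is not StarOS code and not part of this reference. It assumes per-direction input/output octet counts, accounting records represented as plain dicts, and that no single accounted chunk exceeds 2^32 - 1 octets on its own. Where the page allows the system to send the STOP/START pair at its discretion, this model sends it exactly when the next chunk would otherwise wrap the counter. The traffic sequence in the demo is constructed.

```python
MAX32 = 2**32 - 1  # largest value a 32-bit RADIUS octet count can carry


class RpAccountingSession:
    """One subscriber R-P session with Active/Dormant state and octet counts."""

    def __init__(self, session_id):
        self.session_id = session_id
        self.active = False
        self.input_octets = 0
        self.output_octets = 0
        self.records = []  # accounting records emitted, in order

    def _emit(self, kind):
        self.records.append({
            "type": kind,
            "session": self.session_id,
            "input_octets": self.input_octets,
            "output_octets": self.output_octets,
        })

    def active_start(self):
        """Active-Start from the PCF: open a record and begin counting."""
        self.active = True
        self.input_octets = 0
        self.output_octets = 0
        self._emit("START")

    def active_stop(self):
        """Active-Stop from the PCF: close the record and go Dormant."""
        if self.active:
            self._emit("STOP")
            self.active = False

    def account(self, in_octets, out_octets):
        """Accumulate traffic while Active; emit STOP/START before either
        counter would exceed MAX32. Returns False when Dormant (nothing counted)."""
        if not self.active:
            return False
        if in_octets > MAX32 or out_octets > MAX32:
            raise ValueError("single chunk larger than a 32-bit counter")
        if (self.input_octets + in_octets > MAX32
                or self.output_octets + out_octets > MAX32):
            # Close the current record at its exact (unwrapped) count, then reopen.
            self._emit("STOP")
            self.input_octets = 0
            self.output_octets = 0
            self._emit("START")
        self.input_octets += in_octets
        self.output_octets += out_octets
        return True

    def counts_never_wrapped(self):
        """True when every emitted record carries counts that fit in 32 bits."""
        return all(r["input_octets"] <= MAX32 and r["output_octets"] <= MAX32
                   for r in self.records)


def run_rollover_demo():
    """Constructed traffic sequence that crosses the 32-bit boundary once."""
    s = RpAccountingSession("sess-1")
    s.active_start()
    s.account(3_000_000_000, 1_000)  # fits: 3e9 < MAX32
    s.account(2_000_000_000, 1_000)  # 5e9 would wrap, so STOP/START comes first
    s.active_stop()
    s.account(10, 10)                # Dormant: not accumulated
    return s.records


if __name__ == "__main__":
    for rec in run_rollover_demo():
        print(rec)
```

The demo yields START, STOP(3,000,000,000 in), START, STOP(2,000,000,000 in): the two STOP records sum to the true 5,000,000,000 input octets, whereas a single wrapped 32-bit counter would have reported 705,032,704.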
radius [ mediation-device ] accounting server ip_address [ encrypted ] key value [ acct-on { enable | disable } ] [ acct-off { enable | disable } ] [ max messages ] [ oldports ] [ port port_number ] [ priority priority ] [ type standard ] [ admin-status { enable | disable } ] [ -noconfirm ]
Important: If this option is not used, by default the system enables standard AAA transactions.
ip_address [ port port_number ]
Specifies the IP address of the accounting server. ip_address must be specified using the standard IPv4 dotted decimal notation or colon notation for IPv6. A maximum of 1600 RADIUS servers per context/system and 128 servers per server group can be configured. This limit includes accounting and authentication servers.
port port_number specifies the port number to use for communications.
port_number must be an integer from 0 through 65535. Default is 1813.
Important: The same RADIUS server IP address and port can be configured in multiple RADIUS server groups within a context.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be an alpha and/or numeric string of 1 through 15 characters, or when encrypted an alpha and/or numeric string of 1 through 30 characters.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
messages must be an integer from 1 through 256.
priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
mediation-device: Obsolete keyword.
standard: Use standard AAA transactions.
enable: Enables the RADIUS accounting server.
disable: Disables the RADIUS accounting server.
radius attribute { nas-identifier id | nas-ip-address address primary_address [ backup secondary_address ] [ nexthop-forwarding-address nexthop_address ] [ vlan vlan_id ] [ mpls-label input input output output [ integer_value ] ] }
primary_address: The IP address of the primary interface to use in the current context. This must be specified using the standard IPv4 dotted decimal notation.
backup: The IP address of the secondary interface to use in the current context. This must be specified using the standard IPv4 dotted decimal notation.
nexthop_address must be specified using the standard IPv4 dotted decimal notation.
Important: To define more than one NAS IP address per context, use the aaa large-configuration command in Global Configuration Mode. If enabled, a maximum of 400 NAS IP addresses/NAS identifiers for a PDSN and 800 for a GGSN (1 primary and 1 secondary per server group) can be configured per context.
mpls-label input in_label_value output out_label_value1 [ out_label_value2 ]
• in_label_value is the MPLS label that identifies inbound traffic destined for the configured NAS IP address.
• out_label_value1 and out_label_value2 identify the MPLS labels to be added to packets sent from the specified NAS IP address.
vlan_id must be a pre-configured VLAN ID and must be an integer from 1 through 4096. It is the VLAN ID to be provided to the system in RADIUS attributes.
gi: Specifies the usage of Gi APN name in RADIUS authentication request. Gi APN represents the APN received in the Create PDP Context request message from SGSN.
gn: Specifies the usage of Gn APN name in RADIUS authentication request. Gn APN represents the APN selected by the GGSN.
[ no | default ] radius charging { deadtime dead_minutes | detect-dead-server { consecutive-failures count | response-timeout seconds } | max-outstanding messages | max-retries tries | max-transmissions transmissions | timeout idle_seconds }
dead_minutes must be an integer from 0 through 65535.
consecutive-failures count: Specifies the number of consecutive failures, for each AAA Manager, before a server is marked as unreachable.
count must be an integer from 1 through 1000.
response-timeout seconds: Specifies the number of seconds for each AAA Manager to wait for a response to any message before a server is detected as failed, or in a down state.
seconds must be an integer from 1 through 65535.
messages must be an integer from 1 through 4000.
tries must be an integer from 0 through 65535.
transmissions must be an integer from 1 through 65535.
idle_seconds must be an integer from 1 through 65535.
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. A response from any one of the n AAA servers suffices to proceed with the call. The full set of accounting data is sent to each of the n AAA servers.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
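The Python model below is added to illustrate the multi-server accounting behaviour described above (for both the radius accounting and radius charging forms); it is not StarOS code and not part of this reference. It assumes servers are (name, priority) pairs with 1 the highest priority as the page states, that the transport is a caller-supplied send(name, attempt) callable returning True on ACK, and that the retry bound is a parameter named max_retries here for the model only. Transmissions are modelled sequentially rather than in parallel. The scenario in the demo is constructed.

```python
def select_targets(servers, n):
    """Pick the n highest-priority servers (priority 1 first); n is 2..128."""
    if not 2 <= n <= 128:
        raise ValueError("n must be an integer from 2 through 128")
    ranked = sorted(servers, key=lambda s: s[1])
    return [name for name, _ in ranked[:n]]


def fan_out_accounting(servers, n, send, max_retries=2):
    """Send the full accounting record to each of the n targets until one ACKs.

    Returns (acked_by, attempts): the acknowledging server (None if every
    attempt failed) and the ordered (server, attempt) transmissions made.
    """
    targets = select_targets(servers, n)
    attempts = []
    for attempt in range(1 + max_retries):  # first transmission plus retries
        for name in targets:
            attempts.append((name, attempt))
            if send(name, attempt):
                # An ACK from any one of the n servers stops all retries.
                return name, attempts
    return None, attempts


def run_fan_out_demo():
    """Constructed scenario: the top-priority server is silent, the second
    answers on the first retry, and the third server is never contacted (n=2)."""
    servers = [("acct-a", 2), ("acct-b", 1), ("acct-c", 3)]

    def send(name, attempt):
        return name == "acct-a" and attempt >= 1

    return fan_out_accounting(servers, 2, send)


if __name__ == "__main__":
    acked_by, attempts = run_fan_out_demo()
    print("acknowledged by:", acked_by)
    print("transmissions:", attempts)
```

Because the full record goes to every selected server, each of the n servers may hold a complete copy of the accounting data; the model's attempts list shows which servers were actually sent to, which is what to compare against server-side accounting logs when reconciling records.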
radius charging accounting server ip_address [ encrypted ] key value [ max messages ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
Specifies the IP address of the accounting server. ip_address must be specified using the standard IPv4 dotted decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be an alpha and/or numeric string of 1 through 15 characters, or an alpha and/or numeric string of 1 through 30 characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
port_number must be an integer from 0 through 65535.
radius charging server ip_address [ encrypted ] key value [ max messages ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
Specifies the IP address of the server. ip_address must be specified using the standard IPv4 dotted decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be an alpha and/or numeric string of 1 through 15 characters, or an alpha and/or numeric string of 1 through 30 characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
port_number must be an integer from 1 through 65535.
priority must be an integer from 1 through 1000, where 1 is the highest priority.
vrf_name is the name of a pre-configured virtual routing and forwarding (VRF) context, configured in Context Configuration mode through the ip vrf command.
id must be an alpha and/or numeric string of 1 through 15 characters in length.
number must be an integer from 1 through 5.
password must be an alpha and/or numeric string of 1 through 64 characters in length.
password must be an alpha and/or numeric string of 1 through 64 characters in length.
number must be an integer from 3 through 10.
seconds must be an integer from 1 through 30.
Specifies the user name to be used for authentication. name must be an alpha and/or numeric string of 1 through 127 characters in length.
If access-reject is configured, then both access-accept and access-reject are considered as success for the keepalive authentication request.
If access-reject is not configured, then only access-accept is considered as success for the keepalive access request.
Default: keepalive valid-response access-accept
seconds must be an integer from 1 through 65535.
retries must be an integer from 0 through 65535.
idle_seconds must be an integer from 0 through 65535.
radius server ip_address [ encrypted ] key value [ max messages ] [ oldports ] [ port port_number ] [ priority priority ] [ probe | no-probe ] [ probe-username username ] [ probe-password [ encrypted ] password password ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
ip_address port port_number
ip_address: Must be specified using the standard IPv4 dotted decimal notation. A maximum of 1600 RADIUS servers per context/system and 128 servers per Server group can be configured. This limit includes accounting and authentication servers.
port port_number: Specifies the port number to use for communications.
port_number must be an integer from 1 through 65535. Default: 1812.
Important: The same RADIUS server IP address and port can be configured in multiple RADIUS server groups within a context.
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be an alpha and/or numeric string of 1 through 15 characters, or an alpha and/or numeric string of 1 through 30 characters when encrypted.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
The username sent to the RADIUS server to authenticate probe messages. username must be an alpha and/or numeric string of 1 through 127 characters in length.
encrypted: This keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
password password: Specifies the probe-user password for authentication.
password must be an alpha and/or numeric string of 1 through 63 characters in length.
mediation-device: Specifies mediation-device specific AAA transactions. This option is available only if you have purchased a transaction control services license. Contact your local sales representative for licensing information.
standard: Specifies standard AAA transactions. (Default)
radius server 1.2.5.6 encrypted key scrambledKey oldports priority 10