IPSG RADIUS Server Configuration Mode Commands


The IP Services Gateway (IPSG) RADIUS Server Configuration Mode is used to create and configure IPSG services within the current system context. The IPSG RADIUS Server Mode configures the system to receive RADIUS accounting requests as if it is a RADIUS Accounting Server, and reply after accessing those requests for user information.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
bind
Binds the IPSG RADIUS Server service to a logical AAA interface and specifies the number of allowed subscriber sessions.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
bind { accounting-proxy address address | address address } [ max-subscribers num | port num | source-context name ]
bind authentication-proxy address address [ acct-port port | auth-port port | max-subscribers num | source-context name ]
no bind
no
Removes the binding for the service.
{ accounting-proxy address address | address address } [ max-subscribers num | port num | source-context name ]
accounting-proxy address address: Specifies IP address of the interface where accounting proxy requests are received by this service. address must be specified using standard IPv4 or IPv6 dotted decimal notation.
address address: Specifies IP address of the interface where accounting requests are received by this service. address must be specified using standard IPv4 or IPv6 dotted decimal notation.
max-subscribers num: Specifies the maximum number of subscriber sessions allowed for the service. If this option is not configured, the system defaults to the license limit.
In Release 8.x, num must be an integer from 0 through 3000000.
In Release 9.x and later, num must be an integer from 0 through 4000000.
port num: Default: 1813. Specifies the port number of the interface where accounting requests are received by this service. num must be an integer from 0 through 65535.
source-context name: Specifies the source context where RADIUS accounting requests are received. name must be an alpha and/or numeric string of 1 through 79 characters in length.
This keyword should be configured if the source of the RADIUS requests is in a different context than the IPSG service. If this keyword is not configured, the system will default to the context in which the IPSG service is configured.
authentication-proxy address address [ acct-port port | auth-port port | max-subscribers num | source-context name ]
authentication-proxy address address: Specifies the IP address of the interface where authentication proxy requests are received by this service. address must be specified using standard IPv4 or IPv6 dotted decimal notation.
Important: Enabling authentication proxy also enables accounting proxy.
acct-port port: Default: 1813. Specifies the port number of the interface where accounting proxy requests are received by this service. port must be an integer from 0 through 65535.
auth-port port: Default: 1812. Specifies the port number of the interface where authentication proxy requests are received by this service. port must be an integer from 0 through 65535.
max-subscribers num: Specifies the maximum number of subscriber sessions allowed for the service. If this option is not configured, the system defaults to the license limit.
In Release 8.x, num must be an integer from 0 through 3000000.
In Release 9.0 and later, num must be an integer from 0 through 4000000.
source-context name: Specifies the source context where RADIUS accounting requests are received. name must be an alpha and/or numeric string of 1 through 79 characters in length.
This keyword should be configured if the source of the RADIUS requests is in a different context than the IPSG service. If this keyword is not configured, the system will default to the context in which the IPSG service is configured.
Usage
Use this command to bind the IPSG RADIUS Server service to a logical AAA interface and specify the number of allowed subscriber sessions. If the AAA interface is not located in this context, configure the source-context parameter.
Use the accounting and authentication proxy settings to enable RADIUS proxy server functionality on the IPSG. These commands are used when the NAS providing the RADIUS request messages is incapable of sending them to two separate devices. The IPSG in RADIUS Server mode proxies the RADIUS request and response messages while performing the user identification task in order to provide services to the session.
Example
The following command binds the service to an AAA interface with an IP address of 1.2.3.4 located in the source context named aaa_ingress:
bind address 1.2.3.4 source-context aaa_ingress
 
connection authorization
Sets the RADIUS authorization password that must be matched by the RADIUS accounting requests received by this service.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
connection authorization { [ encrypted ] password password }
no connection authorization
[ encrypted ] password password
encrypted: Indicates that the received RADIUS authorization password is encrypted.
password password: Specifies the password that must be matched by incoming RADIUS accounting requests. password must be an alpha and/or numeric string of 1 through 63 characters in length.
no
Removes the RADIUS authorization for the IPSG RADIUS server service.
Usage
The IPSG RADIUS server service does not terminate RADIUS user authentication so the user password is unknown.
Use this command to configure the authorization password that the RADIUS accounting requests must match in order for the service to examine and extract user information.
Example
The following command sets the RADIUS authorization password that must be matched by the RADIUS accounting requests sent to this service. The password must be encrypted and the example provided is the word “secret”.
connection authorization encrypted password secret
 
end
Exits the current mode and returns to the Exec Mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to change to the Exec Mode.
 
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
 
profile
Configures the service to use APN or subscriber profiles.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
profile { APN | subscriber }
default profile
APN
Sets the service to support APN configuration required to enable Gx support. This is the default setting for this command.
subscriber
Sets the service to support subscriber profile lookup.
Usage
Use this command to set the service to support APN profiles (supporting Gx through the enabling of ims-auth-service) or for basic subscriber profile lookup.
 
radius accounting
Specifies the IP address and shared secret of the RADIUS accounting client from which RADIUS accounting requests are received. The RADIUS client can be either the access gateway or the RADIUS accounting server depending on which device is sending accounting requests.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
radius accounting { { client { ip_address | ip_address/mask } [ encrypted ] key secret [ dictionary dictionary ] [ disconnect-message [ dest-port destination_port ] ] } | { interim create-new-call } }
no radius accounting client { ip_address | ip_address/mask }
default radius accounting interim create-new-call
no
Removes the RADIUS accounting client address identifier from the service.
ip_address | ip_address/mask
Specifies the IP address and, optionally, subnet mask of the RADIUS client from which RADIUS accounting requests are received. ip_address and ip_address/mask must be specified using standard IPv4 or IPv6 dotted decimal notation.
Up to 16 addresses can be configured.
dictionary dictionary
Specifies what dictionary database to use. The possible values for db are described in the following table:
 
X is the integer value of the custom dictionary.
[ encrypted ] key secret
encrypted: Specifies that the shared key between the RADIUS client and this service is encrypted.
key secret: Specifies the shared key between the RADIUS client and this service. secret must be an alpha and/or numeric string of 1 through 127 characters in length, and is case sensitive.
disconnect-message [ dest-port destination_port ]
Specifies that a disconnect message is sent.
dest-port destination_port: Optionally specifies the port number to which the disconnect message is sent.
destination_port must be an integer from 1 through 65535.
interim create-new-call
Default: disabled
Enables the ability to create a new session upon receipt of a RADIUS interim message.
Usage
Use this command to configure the communication with the RADIUS client from which RADIUS accounting requests are received.
Example
The following command configures the service to communicate with a RADIUS client with an IP address of 1.2.3.4 and an encrypted shared secret of secret_1234:
radius accounting client 1.2.3.4 encrypted key secret_1234
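How a RADIUS accounting server uses a configured client address and shared key to accept or reject an Accounting-Request, following the Request Authenticator rule in RFC 2866. This is an added Python example, not StarOS code and not part of the original page; the client table, addresses, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed client table, shaped like "radius accounting client <ip | ip/mask> key <secret>".
CLIENTS = {
    ipaddress.ip_network("192.0.2.10/32"): b"secret_1234",
    ipaddress.ip_network("198.51.100.0/24"): b"other_key",
}
ACCOUNTING_REQUEST = 4  # RADIUS code for Accounting-Request


def lookup_secret(src_ip):
    """Return the shared key of the most specific client entry covering src_ip."""
    addr = ipaddress.ip_address(src_ip)
    matches = [net for net in CLIENTS if addr in net]
    return CLIENTS[max(matches, key=lambda net: net.prefixlen)] if matches else None


def authenticator(code, ident, attrs, secret):
    """MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), RFC 2866."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_request(ident, attrs, secret):
    """Client side: assemble an Accounting-Request signed with the shared key."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(ACCOUNTING_REQUEST, ident, attrs, secret) + attrs


def verify_request(packet, src_ip):
    """Server side: accept only a configured client with a valid authenticator."""
    secret = lookup_secret(src_ip)
    if secret is None or len(packet) < 20:
        return False  # unknown source address or truncated packet
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


# Constructed attribute: Acct-Status-Type (40) = Start (1).
ATTRS = bytes([40, 6]) + struct.pack("!I", 1)

if __name__ == "__main__":
    pkt = build_request(7, ATTRS, b"secret_1234")
    print(verify_request(pkt, "192.0.2.10"), verify_request(pkt, "203.0.113.1"))
```

The shared key is the only input an outside party does not know, so a request from an unlisted address, or one signed with another client's key, fails the same check as a modified packet.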
 
radius dictionary
Configures the RADIUS database dictionary to use for the IPSG service.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
radius dictionary db
default radius dictionary
dictionary db
Default: starent-vsa1
Specifies what dictionary database to use. The possible values for db are described in the table that follows:
 
XX is the integer value of the custom dictionary.
Usage
Use this command to specify the RADIUS database dictionary to use for the IPSG service.
Example
The following command configures the IPSG service to use the custom10 RADIUS database dictionary:
radius dictionary custom10
 
setup-timeout
Configures a timeout value for IPSG session set up attempts.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
setup-timeout seconds
default setup-timeout
seconds
Default: 60
Specifies the time period, in seconds, the IPSG session setup is allowed to continue before the set up attempt is terminated. seconds must be an integer from 1 through 100000.
Usage
Use this command to prevent IPSG session set up attempts from continuing without termination.
Example
The following command sets the session set up timeout to 20 seconds:
setup-timeout 20
 
 

Cisco Systems Inc.