AAA Server Group Configuration Mode Commands


The AAA Server Group Configuration Mode is used to create and manage the Diameter/RADIUS server groups within the context or system. An AAA server group allows a group (list) of servers to be managed at the per-subscriber, per-APN or per-realm level for AAA functionality.
 
 
diameter accounting
This command configures Diameter accounting parameters.
Product
All
Privilege
Security Administrator, Administrator
Syntax
diameter accounting { dictionary { aaa-custom1 | aaa-custom10 | aaa-custom2 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq | rf-plus } | endpoint endpoint_name | hd-mode fall-back-to-local | hd-storage-policy hd_policy | max-retries tries | max-transmissions transmissions | request-timeout duration | server host_name priority priority }
default diameter accounting { dictionary | hd-mode | max-retries | max-transmissions | request-timeout }
no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }
no diameter accounting { endpoint | hd-mode | hd-storage-policy | max-retries | max-transmissions | server host_name }
endpoint: Removes the configured accounting endpoint, and the default accounting server configured in the default AAA group will be used.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies the records to the local HDD and periodically retries the Diameter server.
hd-storage-policy: Disables use of the specified HD storage policy.
max-retries: Disables the configured retry attempts for Diameter accounting in the current AAA group.
max-transmissions: Disables the configured maximum transmission attempts for Diameter accounting in the current AAA group.
server host_name: Removes the configured Diameter host host_name from this AAA server group for Diameter accounting.
default diameter accounting { dictionary | hd-mode| max-retries | max-transmissions | request-timeout }
dictionary: Resets the dictionary to the system default.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies the records to the local HDD and periodically retries the Diameter server.
max-retries: Sets the retry attempts for Diameter accounting in the current AAA group to default 0 (disable).
max-transmissions: Sets the configured maximum transmission attempts for Diameter accounting in the current AAA group to default 0 (disable).
request-timeout: Sets the timeout duration, in seconds, for Diameter accounting requests in the current AAA group to default 20.
dictionary { aaa-custom1 | aaa-custom10 | aaa-custom2 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq | rf-plus }
Specifies the Diameter accounting dictionary.
aaa-custom1 ... aaa-custom10: The custom dictionaries. Even though the CLI syntax lists several custom dictionaries, not all of them are necessarily defined. If a custom dictionary that has not been implemented is selected, the default dictionary is used.
nasreq: The NASREQ dictionary, as defined by RFC 4005.
rf-plus: RF Plus dictionary.
endpoint endpoint_name
Enables Diameter to be used for accounting, and specifies which Diameter endpoint to use.
endpoint_name must be a string of 1 through 63 characters in length.
hd-mode fall-back-to-local
Specifies that records be copied to the local HDD if the Diameter server is down or unreachable. The CDF/CGF then pulls the records through SFTP.
hd-storage-policy hd_policy
Associates the specified HD Storage policy with the AAA group.
hd_policy must be the name of a configured HD Storage policy, and must be a string of 1 through 63 alpha and/or numeric characters in length.
HD Storage policies are configured through the Global Configuration Mode.
This and the hd-mode command are used to enable the storage of Rf Diameter Messages to HDD in case all Diameter Servers are down or unreachable.
max-retries tries
Specifies how many times a Diameter request should be retried with the same server, if the server fails to respond to a request.
tries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000.
Default: 0
max-transmissions transmissions
Specifies the maximum number of transmission attempts for a Diameter request. Use this together with the max-retries tries option to control how many servers are tried.
transmissions must be an integer from 1 through 1000.
Default: 0
request-timeout duration
Specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request.
duration specifies the number of seconds, and must be an integer from 1 through 3600.
Default: 20
server host_name priority priority
Specifies the host name and priority of a Diameter accounting server for the current context.
host_name specifies the Diameter host name, and must be a string of 1 through 63 characters in length.
priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.
Usage
Use this command to manage the Diameter accounting options according to the Diameter server used for the context.
Example
The following command configures the Diameter accounting dictionary:
diameter accounting dictionary <dictionary>
The following command configures the Diameter endpoint:
diameter accounting endpoint <endpoint_name>
The following commands configure Diameter accounting options:
diameter accounting max-retries <tries>
diameter accounting max-transmissions <transmissions>
diameter accounting request-timeout <duration>
diameter accounting server <host_name> priority <priority>
The following commands disable/clear the options:
no diameter accounting endpoint
no diameter accounting server <host_name>
 
diameter authentication
This command configures Diameter authentication parameters.
Product
All
Privilege
Security Administrator, Administrator
Syntax
diameter authentication { dictionary { aaa-custom1 | aaa-custom10 | aaa-custom11 | aaa-custom12 | aaa-custom13 | aaa-custom14 | aaa-custom15 | aaa-custom16 | aaa-custom17 | aaa-custom18 | aaa-custom19 | aaa-custom2 | aaa-custom20 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq } | endpoint endpoint_name | max-retries tries | max-transmissions transmissions | redirect-host-avp { just-primary | primary-then-secondary } | request-timeout duration | server host_name priority priority }
default diameter authentication { dictionary | max-retries | max-transmissions | redirect-host-avp | request-timeout }
no diameter authentication { endpoint | max-retries | max-transmissions | server host_name }
no diameter authentication { endpoint | max-retries | max-transmissions | server host_name }
endpoint: Removes the configured authentication endpoint, and the default server configured in the default AAA group will be used.
max-retries: Disables the configured retry attempts for Diameter authentication in the current AAA group.
max-transmissions: Disables the configured maximum transmission attempts for Diameter authentication in the current AAA group.
server host_name: Removes the configured Diameter host host_name from this AAA server group for Diameter authentication.
default diameter authentication { dictionary | max-retries | max-transmissions | redirect-host-avp | request-timeout }
dictionary: Resets the dictionary to the system default.
max-retries: Sets the retry attempts for Diameter authentication requests in the current AAA group to default 0 (disable).
max-transmissions: Sets the configured maximum transmission attempts for Diameter authentication in the current AAA group to default 0 (disable).
redirect-host-avp: Sets the redirect choice to default (just-primary).
request-timeout: Sets the timeout duration, in seconds, for Diameter authentication requests in the current AAA group to default 20.
dictionary { aaa-custom1 | aaa-custom10 | aaa-custom11 | aaa-custom12 | aaa-custom13 | aaa-custom14 | aaa-custom15 | aaa-custom16 | aaa-custom17 | aaa-custom18 | aaa-custom19 | aaa-custom2 | aaa-custom20 | aaa-custom3 | aaa-custom4 | aaa-custom5 | aaa-custom6 | aaa-custom7 | aaa-custom8 | aaa-custom9 | nasreq }
Specifies the Diameter authentication dictionary.
aaa-custom1 ... aaa-custom20: The custom dictionaries. Even though the CLI syntax lists several custom dictionaries, not all of them are necessarily defined. If a custom dictionary that has not been implemented is selected, the default dictionary is used.
Important: aaa-custom11 dictionary is only available in StarOS 8.1 and later releases. aaa-custom12 to aaa-custom20 dictionaries are only available in StarOS 9.0 and later releases.
nasreq: The NASREQ dictionary, as defined by RFC 4005.
endpoint endpoint_name
Enables Diameter to be used for authentication, and specifies which Diameter endpoint to use.
endpoint_name must be a string of 1 through 63 characters in length.
max-retries tries
Specifies how many times a Diameter authentication request should be retried with the same server, if the server fails to respond to a request.
tries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000.
Default: 0
max-transmissions transmissions
Specifies the maximum number of transmission attempts for a Diameter authentication request. Use this together with the max-retries tries option to control how many servers are tried.
transmissions specifies the maximum number of transmission attempts, and must be an integer from 1 through 1000.
Default: 0
redirect-host-avp { just-primary | primary-then-secondary }
Specifies whether to use only one returned Redirect-Host AVP, or to use the first returned AVP to select the primary host and the second returned AVP to select the secondary host.
just-primary: Redirect only to primary host.
primary-then-secondary: Redirect to primary host, if fails then redirect to the secondary host.
Default: just-primary
request-timeout duration
Specifies how long the system waits for a response from a Diameter server before re-transmitting the request.
duration specifies the number of seconds, and must be an integer from 1 through 3600.
Default: 20 seconds
server host_name priority priority
Specifies the host name and priority of a Diameter authentication server for the current context.
host_name specifies the Diameter authentication server’s host name, and must be a string of 1 through 63 characters in length.
priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.
Usage
Use this command to manage the Diameter authentication options according to the Diameter server used for the context.
Example
The following command configures the Diameter authentication dictionary:
diameter authentication dictionary <dictionary>
The following command configures the Diameter endpoint:
diameter authentication endpoint <endpoint_name>
The following commands configure Diameter authentication options:
diameter authentication max-retries <tries>
diameter authentication max-transmissions <transmissions>
diameter authentication redirect-host-avp primary-then-secondary
diameter authentication server <host_name> priority <priority>
diameter authentication request-timeout <duration>
The following commands disable/clear the options:
no diameter authentication endpoint
no diameter authentication server <host_name>
 
diameter authentication failure-handling
This command configures the failure handling for Diameter authentication requests and Diameter EAP requests.
Product
All
Privilege
Security Administrator, Administrator
Syntax
diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } { request-timeout action { continue | retry-and-terminate | terminate } | result-code start_result_code { [ to end_result_code ] action { continue | retry-and-terminate | terminate } } }
no diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } result-code start_result_code [ to end_result_code ]
default diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } request-timeout action
no
Disables Diameter authentication failure handling.
default
Configures the default Diameter authentication failure handling setting.
authorization-request
Specifies that failure handling must be performed on Diameter authorization request (AAR/AAA) messages.
eap-request
Specifies configuring failure handling for EAP requests.
eap-termination-request
Specifies configuring failure handling for EAP termination requests.
request-timeout action { continue | retry-and-terminate | terminate }
Specifies the action to be taken for failures:
continue: Continues session
retry-and-terminate: Retries the request first; if the retry also fails, terminates the session
terminate: Terminates session
result-code start_result_code [ to end_result_code ] action { continue | retry-and-terminate | terminate }
start_result_code: Specifies the result code number, and must be an integer from 1 through 65535.
to end_result_code: Specifies the upper limit of a range of result codes. end_result_code must be greater than start_result_code.
action { continue | retry-and-terminate | terminate }: Specifies the action to be taken for failures:
continue: Continues the session
retry-and-terminate: Retries the request first; if the retry also fails, terminates the session
terminate: Terminates the session
Usage
Use this command to configure error handling for Diameter EAP, EAP-termination, and authorization requests. Specific actions (continue, retry-and-terminate, or terminate) can be associated with each possible result-code. Ranges of result codes can be defined with the same action, or actions can be specific on a per-result code basis.
Example
The following commands configure result codes 5001, 5002, 5004, and 5005 to use “action continue” and result code 5003 to use “action terminate”:
diameter authentication failure-handling eap-request result-code 5001 to 5005 action continue
diameter authentication failure-handling eap-request result-code 5003 action terminate
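The result-code matching described above, as a small Python model that parses lines in the form shown in the example and answers "which action applies to this result code". This is an added example and not StarOS code. Two things it assumes that the page does not state: when a single result code and a range both match, the narrowest entry wins (the page's own example needs 5003 to override the 5001 to 5005 range), with ties going to the most recently configured entry; and a result code with no configured entry yields None. The "default ... request-timeout action" form is not modelled because its value is not given on the page.

```python
"""Lookup model for diameter authentication failure-handling, built from
CLI lines in the form shown on this page.

Added example, not StarOS code. Assumptions (not stated on the page):
- when a single result code and a range both match, the narrowest entry
  wins (the page's example: 5001-5005 continue, then 5003 terminate);
  equal-width entries resolve to the most recently configured one;
- a result code with no matching entry returns None (no configured action).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ACTIONS = ("continue", "retry-and-terminate", "terminate")
REQUEST_TYPES = ("authorization-request", "eap-request", "eap-termination-request")
PREFIX = ["diameter", "authentication", "failure-handling"]


@dataclass
class ResultCodeRule:
    start: int
    end: int        # equals start for a single-code entry
    action: str

    def matches(self, code: int) -> bool:
        return self.start <= code <= self.end


class FailureHandling:
    def __init__(self) -> None:
        self._rules: Dict[str, List[ResultCodeRule]] = {t: [] for t in REQUEST_TYPES}
        self._timeout_action: Dict[str, Optional[str]] = {t: None for t in REQUEST_TYPES}

    def configure(self, line: str) -> None:
        """Apply one 'diameter authentication failure-handling ...' line,
        optionally prefixed with 'no'."""
        tokens = line.split()
        negate = bool(tokens) and tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if tokens[:3] != PREFIX or len(tokens) < 5:
            raise ValueError("not a failure-handling line: %r" % (line,))
        req_type, rest = tokens[3], tokens[4:]
        if req_type not in REQUEST_TYPES:
            raise ValueError("unknown request type %r" % (req_type,))
        if rest[0] == "request-timeout":
            # request-timeout action { continue | retry-and-terminate | terminate }
            self._timeout_action[req_type] = None if negate else self._action(rest[1:])
        elif rest[0] == "result-code":
            start, end, tail = self._range(rest[1:])
            if negate:
                # 'no ... result-code X [to Y]' removes exactly that entry
                self._rules[req_type] = [r for r in self._rules[req_type]
                                         if (r.start, r.end) != (start, end)]
            else:
                self._rules[req_type].append(ResultCodeRule(start, end, self._action(tail)))
        else:
            raise ValueError("unexpected keyword %r" % (rest[0],))

    @staticmethod
    def _range(tokens: List[str]):
        """Parse 'start [to end]' and enforce the limits the page gives."""
        start = int(tokens[0])
        end, tail = start, tokens[1:]
        if tail[:1] == ["to"]:
            end, tail = int(tail[1]), tail[2:]
            if end <= start:
                raise ValueError("end_result_code must be greater than start_result_code")
        for code in (start, end):
            if not 1 <= code <= 65535:
                raise ValueError("result code %d outside 1..65535" % code)
        return start, end, tail

    @staticmethod
    def _action(tokens: List[str]) -> str:
        if len(tokens) != 2 or tokens[0] != "action" or tokens[1] not in ACTIONS:
            raise ValueError("expected 'action " + "|".join(ACTIONS) + "', got %r" % (tokens,))
        return tokens[1]

    def action_for(self, req_type: str, result_code: int) -> Optional[str]:
        """Action for an answer carrying result_code, or None if unconfigured."""
        matches = [(i, r) for i, r in enumerate(self._rules[req_type]) if r.matches(result_code)]
        if not matches:
            return None
        # narrowest entry wins; on equal width, the latest configured one
        _, best = min(matches, key=lambda ir: (ir[1].end - ir[1].start, -ir[0]))
        return best.action

    def timeout_action(self, req_type: str) -> Optional[str]:
        return self._timeout_action[req_type]


if __name__ == "__main__":
    fh = FailureHandling()
    fh.configure("diameter authentication failure-handling eap-request result-code 5001 to 5005 action continue")
    fh.configure("diameter authentication failure-handling eap-request result-code 5003 action terminate")
    for code in (5001, 5003, 5005, 5006):
        print(code, fh.action_for("eap-request", code))
```

Feeding the two example lines from above gives continue for 5001, 5002, 5004 and 5005 and terminate for 5003; removing the 5003 entry with the no form makes 5003 fall back to the range. Entries are kept per request type, so an eap-request rule never applies to an authorization-request answer.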
 
diameter dictionary
This command is deprecated and is replaced by the diameter accounting dictionary and diameter authentication dictionary commands. See the diameter accounting and diameter authentication commands respectively.
 
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to return to the Exec mode.
 
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
 
radius ip vrf
This command associates the AAA group with a Virtual Routing and Forwarding (VRF) context instance for GRE tunnel interface configuration. By default the VRF is NULL, which means that the AAA group is associated with the global routing table.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius ip vrf vrf_name
no radius ip vrf
no
Removes the association with the configured IP Virtual Routing and Forwarding (VRF) context instance.
vrf_name
Specifies the name of a pre-configured VRF context instance.
vrf_name is the name of a virtual routing and forwarding (VRF) context previously configured in Context Configuration Mode through the ip vrf command.
Usage
Use this command to associate/disassociate a pre-configured VRF context for a GRE tunnel interface.
By default the VRF is NULL, which means that the AAA group is associated with the global routing table.
Example
The following command associates VRF context instance GRE_vrf1 with this AAA group:
radius ip vrf GRE_vrf1
 
radius
This command configures basic RADIUS options.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius { deadtime minutes | detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds } | dictionary dictionary | max-outstanding messages | max-retries tries | max-transmissions transmissions | strip-domain { authentication-only | accounting-only } | timeout idle_seconds }
default radius { deadtime | detect-dead-server | dictionary | max-outstanding | max-retries | max-transmissions | timeout }
no radius { detect-dead-server | max-transmissions | strip-domain }
no
Removes configuration for the specified keyword.
default
Configures default setting for the specified keyword.
dictionary dictionary
Specifies which dictionary to use. The table of possible values for dictionary is not reproduced here; in the custom dictionary names, XX is the integer value of the custom dictionary.
deadtime minutes
Default: 10
Specifies the number of minutes to wait before changing the state of a RADIUS server from “Down” to “Active”. minutes must be an integer from 0 through 65535.
Important: This parameter should be set to allow enough time to remedy the issue that originally caused the server’s state to be changed to “Down”. After the deadtime timer expires, the system returns the server’s state to “Active” regardless of whether or not the issue has been fixed.
Important: For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior appendix in the AAA Interface Administration and Reference.
detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds }
consecutive-failures count: Specifies the number of consecutive failures, for any AAA Manager, before a server’s state is changed from “Active” to “Down”. count must be an integer from 1 through 1000. Default: 4.
keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default is disabled.
response-timeout seconds: Specifies the number of seconds, for any AAA Manager, to wait for a response to any message before a server’s state is changed from “Active” to “Down”. seconds must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters must be met before a server’s state is changed to “Down”.
Important: The “Active” or “Down” state of a RADIUS server as defined by the system, is based on accessibility and connectivity. For example, if the server is functional but the system has placed it into a “Down” state, it could be the result of a connectivity problem. When a RADIUS server’s state is changed to “Down”, a trap is sent to the management station and the deadtime timer is started.
max-outstanding messages
Default: 256
Specifies the maximum number of outstanding messages a single AAA Manager instance will queue.
messages must be an integer from 1 through 4000.
max-retries tries
Default: 5
Specifies the maximum number of times communication with a AAA server will be attempted before it is marked as “Not Responding”, and the detect dead server’s consecutive failures count is incremented.
tries must be an integer from 0 through 65535.
max-transmissions transmissions
Default: Disabled
Sets the maximum number of re-transmissions for RADIUS authentication requests. This limit is used in conjunction with max-retries parameter for each server.
When failing to communicate with a RADIUS server, the subscriber is failed once all of the configured RADIUS servers have been exhausted, or once the configured number of maximum transmissions is reached.
For example, if three servers are configured and if the configured max-retries is 3 and max-transmissions is 12, then the primary server is tried four times (once plus three retries), the secondary server is tried four times, and then a third server is tried four times. If there is a fourth server, it is not tried because the maximum number of transmissions (12) has been reached.
transmissions must be an integer from 1 through 65535.
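The worked example above (three servers, max-retries 3, max-transmissions 12), together with the way an exhausted max-retries budget feeds the detect-dead-server consecutive-failures count and the deadtime timer described under the deadtime and detect-dead-server keywords, as a small Python model. This is an added example and not StarOS code; the same max-retries / max-transmissions interplay also applies to the diameter accounting and diameter authentication commands earlier on this page. Assumptions the page does not state: servers are tried in ascending order of their configured priority value; a server in the Down state is skipped; a server's consecutive-failure count increments only when its full "one plus max-retries" budget is spent without a reply, and a reply resets it; and the scenario simulated is the one where no server answers.

```python
"""Model of the RADIUS retry budget (max-retries / max-transmissions) and
the detect-dead-server / deadtime state machine described on this page.

Added example, not StarOS code. Assumptions (not stated on the page):
- servers are tried in ascending order of their priority value;
- servers in the Down state are skipped;
- a server's consecutive-failure count increments only when its full
  1 + max-retries budget is spent with no reply; a reply resets it;
- every request simulated here goes unanswered by every server tried.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    priority: int                       # lower value = tried first (assumption)
    state: str = "Active"               # "Active" or "Down"
    consecutive_failures: int = 0
    down_since: Optional[float] = None  # minute at which the deadtime timer started


@dataclass
class RadiusGroup:
    servers: List[RadiusServer]
    max_retries: int = 5                      # radius max-retries, default 5
    max_transmissions: Optional[int] = None   # radius max-transmissions, default disabled
    dead_after_failures: int = 4              # detect-dead-server consecutive-failures, default 4
    deadtime_minutes: int = 10                # radius deadtime, default 10

    def active_servers(self) -> List[RadiusServer]:
        """Servers still eligible, in priority order."""
        return sorted((s for s in self.servers if s.state == "Active"),
                      key=lambda s: s.priority)

    def send_unanswered(self, now_minutes: float = 0.0) -> List[Tuple[str, int]]:
        """Spend the budget on one request that no server answers.

        Returns [(server, attempts)] in the order the servers were tried.
        """
        per_server = 1 + self.max_retries        # one send plus the retries
        remaining = self.max_transmissions       # None means no overall cap
        schedule: List[Tuple[str, int]] = []
        for srv in self.active_servers():
            if remaining is not None and remaining <= 0:
                break                            # max-transmissions reached: subscriber fails
            attempts = per_server if remaining is None else min(per_server, remaining)
            if remaining is not None:
                remaining -= attempts
            schedule.append((srv.name, attempts))
            if attempts == per_server:
                # Retries exhausted: server marked "Not Responding", which is one
                # failure towards detect-dead-server consecutive-failures.
                srv.consecutive_failures += 1
                if srv.consecutive_failures >= self.dead_after_failures:
                    srv.state = "Down"           # trap sent, deadtime timer starts
                    srv.down_since = now_minutes
        return schedule

    def record_response(self, name: str) -> None:
        """A reply from a server clears its consecutive-failure count (assumption)."""
        for srv in self.servers:
            if srv.name == name:
                srv.consecutive_failures = 0

    def expire_deadtime(self, now_minutes: float) -> List[str]:
        """Deadtime expiry returns a server to Active whether or not it was fixed."""
        revived = []
        for srv in self.servers:
            if (srv.state == "Down" and srv.down_since is not None
                    and now_minutes - srv.down_since >= self.deadtime_minutes):
                srv.state, srv.consecutive_failures, srv.down_since = "Active", 0, None
                revived.append(srv.name)
        return revived


def page_example() -> RadiusGroup:
    """Four servers configured; the page's worked example reaches only three."""
    return RadiusGroup(
        servers=[RadiusServer("s1", 1), RadiusServer("s2", 2),
                 RadiusServer("s3", 3), RadiusServer("s4", 4)],
        max_retries=3, max_transmissions=12)


if __name__ == "__main__":
    group = page_example()
    for request in range(1, 6):
        print("request", request, group.send_unanswered(now_minutes=0))
    print("down:", [s.name for s in group.servers if s.state == "Down"])
    print("revived at +10 min:", group.expire_deadtime(now_minutes=10))
```

With the page's figures the first request is spent as four attempts each on the first three servers and the fourth server is never tried; after four such unanswered requests (the default consecutive-failures) those three servers are Down, the fifth request goes to the fourth server only, and at deadtime expiry the three return to Active regardless of whether anything was repaired. Dropping max-transmissions lets all four servers be tried, and a smaller cap such as 10 leaves the third server with a partial budget that does not count as a failure.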
strip-domain { authentication-only | accounting-only }
Specifies that the domain must be stripped from the user name prior to authentication or accounting.
By default, strip-domain configuration will be applied to both authentication and accounting messages, if configured.
When the argument authentication-only or accounting-only is present, strip-domain is applied only to the specified RADIUS message types.
timeout idle_seconds
Default: 3
Specifies the number of seconds to wait for a response from the RADIUS server before re-sending the message.
idle_seconds must be an integer from 1 through 65535.
Usage
Use this command to configure the basic RADIUS parameters according to the RADIUS server used for the context.
Example
radius detect-dead-server consecutive-failures 6
radius dictionary 3gpp2
radius timeout 300
radius strip-domain authentication-only
 
radius accounting
This command configures the current context’s RADIUS accounting parameters.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius accounting { archive [ stop-only ] | deadtime minutes | detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds } | interim interval seconds | max-outstanding messages | max-pdu-size octets | max-retries tries | max-transmissions transmissions | timeout idle_seconds }
default radius accounting { deadtime | detect-dead-server | max-outstanding | max-pdu-size | max-retries | max-transmissions | timeout }
no radius accounting { archive | detect-dead-server | interim interval | max-transmissions }
no
Removes configuration for the specified keyword.
default
Configures the default setting for the specified keyword.
archive [ stop-only ]
Default: enabled
Enables archiving of RADIUS accounting messages in the system after the accounting message has exhausted retries to all available RADIUS accounting servers. All RADIUS accounting messages generated by a session are delivered to the RADIUS accounting server serially: a previous RADIUS accounting message from the same call must be delivered and acknowledged by the RADIUS accounting server before the next one is sent.
stop-only specifies archiving of only STOP accounting messages.
deadtime minutes
Default: 10 minutes
Specifies the number of minutes to wait before changing the state of a RADIUS server from “Down” to “Active”.
minutes must be an integer from 0 through 65535.
Important: This parameter should be set to allow enough time to remedy the issue that originally caused the server’s state to be changed to “Down”. After the deadtime timer expires, the system returns the server’s state to “Active” regardless of whether or not the issue has been fixed.
Important: For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior Appendix in the AAA Interface Administration and Reference.
detect-dead-server { consecutive-failures count | keepalive | response-timeout seconds }
consecutive-failures count: Specifies the number of consecutive failures, for any AAA Manager, before a server’s state is changed from “Active” to “Down”. count must be an integer from 1 through 1000. Default: 4
keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default: disabled
response-timeout seconds: Specifies the number of seconds, for any AAA Manager, to wait for a response to any message before a server’s state is changed from “Active” to “Down”. seconds must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters must be met before a server’s state is changed to “Down”.
Important: The “Active” or “Down” state of a RADIUS server as defined by the system, is based on accessibility and connectivity. For example, if the server is functional but the system has placed it into a “Down” state, it could be the result of a connectivity problem. When a RADIUS server’s state is changed to “Down”, a trap is sent to the management station and the deadtime timer is started.
Important: For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior Appendix in the AAA Interface Administration and Reference.
interim interval seconds
Default: Disabled
Specifies the time interval, in seconds, for sending accounting INTERIM-UPDATE records.
seconds must be an integer from 50 through 40000000.
Important: If RADIUS is used as the accounting protocol for the GGSN product, other commands are used to trigger periodic accounting updates. However, these commands would cause RADIUS STOP/START packets to be sent as opposed to INTERIM-UPDATE packets. Also, note that accounting interim interval settings received from a RADIUS server take precedence over those configured on the system.
max-outstanding messages
Default: 256
Specifies the maximum number of outstanding messages a single AAA Manager instance will queue.
messages must be an integer from 1 through 4000.
max-pdu-size octets
Default: 2048
Specifies the maximum size, in bytes (octets), of a packet data unit that can be accepted or generated.
octets must be an integer from 512 through 2048.
max-retries tries
Default: 5
Specifies the maximum number of times communication with a AAA server will be attempted before it is marked as “Not Responding” and the detect dead server consecutive failures count is incremented.
tries must be an integer from 0 through 65535.
Once the maximum number of retries is reached this is considered a single failure for the consecutive failures count for detecting dead servers.
max-transmissions transmissions
Default: Disabled
Sets the maximum number of transmissions for a RADIUS accounting message before the message is declared as failed.
transmissions must be an integer from 1 through 65535.
timeout idle_seconds
Default: 3
Specifies the amount of time, in seconds, to wait for a response from a RADIUS server before retransmitting a request.
idle_seconds must be an integer from 1 through 65535.
Usage
Use this command to configure RADIUS accounting options according to the RADIUS server used for the context.
Example
The following command configures the accounting timeout parameter to 16 seconds.
radius accounting timeout 16
 
radius accounting apn-to-be-included
This command specifies which APN name (Gi or Gn) is included in RADIUS accounting requests.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
radius accounting apn-to-be-included { gi | gn }
default radius accounting apn-to-be-included
default
Configures the default setting.
gi
Specifies the use of Gi APN name in RADIUS accounting request. Gi APN represents the APN received in the Create PDP context request message from SGSN.
gn
Specifies the use of Gn APN name in RADIUS accounting request. Gn APN represents the APN selected by the GGSN.
Usage
Use this command to specify the APN name to be included for RADIUS accounting.
Example
The following command configures the gn APN name to be included for RADIUS accounting:
radius accounting apn-to-be-included gn
 
radius accounting algorithm
This command specifies the fail-over/load-balancing algorithm to select the RADIUS accounting server(s) to which accounting data must be sent.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius accounting algorithm { first-n n | first-server | round-robin }
default radius accounting algorithm
default
Configures the default setting.
Default: first-server
first-n n
Default: 1 (Disabled)
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. The full set of accounting data is sent to each of the n AAA servers. Response from any one of the servers would suffice to proceed with the call. On receiving an ACK from any one of the servers, all retries are stopped.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
first-server
Specifies that the context must send accounting data to the RADIUS server with the highest configured priority. In the event that this server becomes unreachable, accounting data is sent to the server with the next-highest configured priority. This is the default algorithm.
round-robin
Specifies that the context must load balance sending accounting data among all of the defined RADIUS servers. Accounting data is sent in a circular queue fashion on a per Session Manager task basis, where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.
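The three selection algorithms above, as a small Python model of which accounting server(s) the next record goes to. This is an added example and not StarOS code. Assumptions the page does not state: a numerically lower priority value is the higher priority; one AccountingServerSelector object stands for one Session Manager task, so the round-robin position is kept per task as the page describes; and servers marked Down are skipped by every algorithm, which is how first-server falls over to the next-highest priority.

```python
"""Which RADIUS accounting server(s) receive a record under each
'radius accounting algorithm' setting described above.

Added example, not StarOS code. Assumptions (not stated on the page):
- a numerically lower priority value is the higher priority;
- one selector object = one Session Manager task, so the round-robin
  position is kept per task;
- servers marked Down are skipped by every algorithm.
"""
from typing import Dict, List, Optional, Set

ALGORITHMS = ("first-server", "first-n", "round-robin")


class AccountingServerSelector:
    def __init__(self, priorities: Dict[str, int], algorithm: str = "first-server",
                 first_n: Optional[int] = None) -> None:
        if algorithm not in ALGORITHMS:
            raise ValueError("unknown algorithm %r" % (algorithm,))
        if algorithm == "first-n" and (first_n is None or not 2 <= first_n <= 128):
            raise ValueError("first-n n must be an integer from 2 through 128")
        self.algorithm = algorithm
        self.first_n = first_n
        # configured priority order; ties broken by name so the order is deterministic
        self._order: List[str] = [name for name, _ in
                                  sorted(priorities.items(), key=lambda kv: (kv[1], kv[0]))]
        self._down: Set[str] = set()
        self._cursor = 0          # round-robin position for this Session Manager task

    def mark_down(self, name: str) -> None:
        """Server declared Down (unreachable); it is skipped until marked active."""
        self._down.add(name)

    def mark_active(self, name: str) -> None:
        self._down.discard(name)

    def targets(self) -> List[str]:
        """Servers that receive the next accounting record; [] if none are reachable."""
        available = [s for s in self._order if s not in self._down]
        if not available:
            return []
        if self.algorithm == "first-server":
            return available[:1]                  # highest priority; fails over when Down
        if self.algorithm == "first-n":
            return available[:self.first_n]       # full record to each; any one ACK suffices
        for _ in range(len(self._order)):         # round-robin: advance, skipping Down servers
            name = self._order[self._cursor % len(self._order)]
            self._cursor += 1
            if name not in self._down:
                return [name]
        return []


if __name__ == "__main__":
    servers = {"acct1": 1, "acct2": 2, "acct3": 3}   # constructed sample group
    for algorithm, n in (("first-server", None), ("first-n", 2), ("round-robin", None)):
        sel = AccountingServerSelector(servers, algorithm, first_n=n)
        print(algorithm, [sel.targets() for _ in range(4)])
```

With first-server every record goes to the top-priority server until it is marked Down; with first-n 2 each record is sent in full to the two highest-priority servers; with round-robin consecutive records from the same task rotate through the list and a Down server is skipped without breaking the rotation. A first-n value of 1 is rejected, matching the 2 through 128 range given above.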
Usage
Use this command to specify the algorithm to select the RADIUS accounting server(s) to which accounting data must be sent.
Example
The following command configures to use the round-robin algorithm for RADIUS accounting server selection:
radius accounting algorithm round-robin
 
radius accounting billing-version
This command configures the billing-system version of the RADIUS accounting servers.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius accounting billing-version version
default radius accounting billing-version
default
Configures the default setting.
Default: 0
version
Specifies the billing-system version, and must be an integer from 0 through 4294967295.
Usage
Use this command to configure the billing-system version of the RADIUS accounting servers.
Example
The following command configures the billing-system version of RADIUS accounting servers as 10:
radius accounting billing-version 10
 
radius accounting gtp trigger-policy
This command configures the RADIUS accounting trigger policy for GTP messages.
Product
GGSN
Privilege
Security Administrator, Administrator
Syntax
radius accounting gtp trigger-policy [ standard | ggsn-preservation-mode ]
default radius accounting gtp trigger-policy
default
Resets the RADIUS accounting trigger policy to standard behavior for GTP session.
standard
This keyword sets the RADIUS accounting trigger policy to standard behavior which is configured for GTP session for GGSN service.
ggsn-preservation-mode
This keyword sends RADIUS Accounting Start when the GTP message with private extension of preservation mode is received from SGSN.
Important: This is a customer-specific keyword and requires a customer-specific license. For more information on GGSN preservation mode, refer to the GGSN Service Mode Commands chapter.
Usage
Use this command to set the trigger policy for the AAA accounting for a GTP session.
Example
The following command sets the RADIUS accounting trigger policy for GTP session to standard:
default radius accounting gtp trigger-policy
 
radius accounting ha policy
Configures the RADIUS accounting policy for HA sessions.
Product
HA
Privilege
Security Administrator, Administrator
Syntax
radius accounting ha policy { custom1-aaa-res-mgmt | session-start-stop }
default radius accounting ha policy
default
Configures the default setting.
session-start-stop
Specifies sending Accounting Start when the Session is connected, and sending Accounting Stop when the session is disconnected. This is the default behavior.
custom1-aaa-res-mgmt
Accounting Start/Stop messages are generated to assist special resource management done by AAA servers. It is similar to the session-start-stop accounting policy, except for the following differences:
Usage
Use this command to configure the AAA accounting behavior for an HA session.
Example
The following command configures the HA accounting policy to custom1-aaa-res-mgmt:
radius accounting ha policy custom1-aaa-res-mgmt
 
radius accounting interim
This command configures the uplink and downlink octet counts (volume) that trigger RADIUS interim accounting, and the time period between the sending of interim accounting records.
Product
GGSN, PDSN, HA, HSGW
Privilege
Security Administrator, Administrator
Syntax
radius accounting interim { interval seconds | volume { downlink bytes uplink bytes | total bytes | uplink bytes downlink bytes } }
no radius accounting interim volume
no
Disables RADIUS interim accounting.
interval seconds
Specifies the time interval, in seconds, between sending interim accounting records. seconds must be an integer from 50 through 40,000,000.
volume { downlink bytes uplink bytes | total bytes | uplink bytes downlink bytes }
downlink bytes uplink bytes: Specifies the downlink volume limit followed by the uplink volume limit, in bytes, for RADIUS interim accounting. bytes must be an integer from 100,000 through 4,000,000,000.
total bytes: Specifies the total volume limit, in bytes, for RADIUS interim accounting. bytes must be an integer from 100,000 through 4,000,000,000.
uplink bytes downlink bytes: Specifies the uplink volume limit followed by the downlink volume limit, in bytes, for RADIUS interim accounting. bytes must be an integer from 100,000 through 4,000,000,000.
Usage
Use this command to trigger RADIUS interim accounting based on the volume of uplink and downlink bytes and/or to configure the time interval between the sending of interim accounting records.
Example
The following command triggers RADIUS interim accounting when the total volume of uplink and downlink bytes reaches 110000:
radius accounting interim volume total 110000
The following command sets the interval between sending interim accounting records to 3 minutes (180 seconds):
radius accounting interim interval 180
 
radius accounting ip remote-address
This command configures IP remote address-based RADIUS accounting parameters.
Product
PDSN, HA
Privilege
Security Administrator, Administrator
Syntax
[ no ] radius accounting ip remote-address { collection | list list_id }
no
Removes configuration for the specified keyword.
collection
Enables collecting and reporting Remote-Address-Based accounting in RADIUS Accounting. This should be enabled in the AAA Context. It is disabled by default.
list list_id
Enters the Remote Address List Configuration mode. This mode configures a list of remote addresses that can be referenced by the subscriber's profile.
list_id must be an integer from 1 through 65535.
Usage
This command is used as part of the Remote Address-based Accounting feature to both configure remote IP address lists and enable the collection of accounting data for the addresses in those lists on a per-subscriber basis.
Individual subscribers can be associated with remote IP address lists through the configuration/specification of an attribute in their local or RADIUS profile. (Refer to the radius accounting command in the Subscriber Configuration mode.) When configured/specified, accounting data is collected pertaining to the subscriber's communication with any of the remote addresses specified in the list.
Once this functionality is configured on the system and in the subscriber profiles, it must be enabled by executing this command with the collection keyword.
Example
radius accounting ip remote-address collection
 
radius accounting keepalive
Configures the keepalive authentication parameters for the RADIUS accounting server.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no | default ] radius accounting keepalive { calling-station-id id | consecutive-response number | framed-ip-address ip_address | interval seconds | retries number | timeout seconds | username name }
no
Removes configuration for the specified keyword.
default
Configures the default setting for the specified keyword.
calling-station-id id
Configures the Calling-Station-Id to be used for the keepalive authentication.
id must be an alpha and/or numeric string of 1 through 15 characters in length.
Default: 000000000000000
consecutive-response number
Configures the number of consecutive authentication responses after which the server is marked as reachable.
number must be an integer from 1 through 10.
Default: 1
framed-ip-address ip_address
Configures the framed-ip-address to be used for the keepalive accounting.
ip_address must be specified using the standard IPv4 dotted decimal notation.
interval seconds
Configures the time interval between the two keepalive access requests.
Default: 30 seconds
retries number
Configures the number of times the keepalive access request is sent before the server is marked as unreachable.
number must be an integer from 3 through 10.
Default: 3
timeout seconds
Configures the time interval between keepalive access request retries.
seconds must be an integer from 1 through 30.
Default: 3 seconds
username name
Configures the user name to be used for authentication.
name must be an alpha and/or numeric string of 1 through 127 characters in length.
Default: Test-Username
Usage
Use this command to configure the keepalive authentication parameters for the RADIUS accounting server.
Example
The following command sets the user name for RADIUS keepalive access requests to Test-Username2:
radius accounting keepalive username Test-Username2
The following command sets the number of RADIUS accounting keepalive retries to 4:
radius accounting keepalive retries 4
 
radius accounting pdif trigger-policy
Configures the policy for generating START/STOP pairs in overflow condition.
Product
PDIF
Privilege
Administrator, Security Administrator
Syntax
[ default ] radius accounting pdif trigger-policy { standard | counter-rollover }
default
The default option configures the “standard” policy.
standard
Applies a policy as defined by the standards.
counter-rollover
If the counter-rollover option is enabled, the system generates a STOP/START pair before input/output data octet counts (or input/output data packet counts) become larger than (2^32 - 1) in value. This setting is used to guarantee that a 32-bit octet count in any STOP message has not wrapped to larger than 2^32 thus ensuring the accuracy of the count. The system may, at its discretion, send the STOP/START pair at any time, so long as it does so before the 32-bit counter has wrapped.
Usage
Use this command to define the policy for dealing with overflow packet counts.
Example
The following command sets the policy to the default, standard:
default radius accounting pdif trigger-policy
 
radius accounting rp
Configures the RADIUS accounting R-P originated call options.
Product
PDSN
Privilege
Security Administrator, Administrator
Syntax
radius accounting rp { handoff-stop { immediate | wait-active-stop } | tod minute hour | trigger-event { active-handoff | active-start-param-change | active-stop } | trigger-policy { airlink-usage [ counter-rollover ] | custom [ active-handoff | active-start-param-change | active-stop ] | standard } | trigger-stop-start }
no radius accounting rp { tod minute hour | trigger-event { active-handoff | active-start-param-change | active-stop } | trigger-stop-start }
default radius accounting rp { handoff-stop | trigger-policy }
no
Removes earlier configuration for the specified keyword.
default
Sets the default configuration for the specified keyword.
handoff-stop { immediate | wait-active-stop }
Default: wait-active-stop
Specifies the behavior of generating accounting STOP when handoff occurs.
immediate: Indicates that the accounting STOP is generated immediately on handoff, i.e., without waiting for an active-stop from the old PCF.
wait-active-stop: Indicates that the accounting STOP is generated only when an active-stop is received from the old PCF after handoff occurs.
tod minute hour
Specifies the time of day a RADIUS event is to be generated for accounting. Up to four different times of the day may be specified through individual commands.
minute must be an integer from 0 through 59.
hour must be an integer from 0 through 23.
trigger-event { active-handoff | active-start-param-change | active-stop }
Default: active-handoff: Disabled; active-start-param-change: Enabled; active-stop: Disabled
Configures the events for which a RADIUS event is generated for accounting as one of the following:
active-handoff: Disables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Instead, two R-P events occur (one for the Connection Setup, and the second for the Active-Start).
active-start-param-change: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
active-stop: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
Important: This keyword has been obsoleted by the trigger-policy keyword. Note that if this keyword is used, the radius accounting rp configuration is represented in terms of trigger-policy when the context configuration is displayed.
trigger-policy { airlink-usage [ counter-rollover ] | custom [ active-handoff | active-start-param-change | active-stop ] | standard }
Default: airlink-usage: Disabled; custom: active-handoff, active-start-param-change and active-stop all Disabled; standard: Enabled
Configures the overall accounting policy for R-P sessions as one of the following:
airlink-usage [ counter-rollover ]: Specifies the use of the Airlink-Usage RADIUS accounting policy for R-P, which generates a start on Active-Starts, and a stop on Active-Stops.
If the counter-rollover option is enabled, the system generates a STOP/START pair before input/output data octet counts (or input/output data packet counts) become larger than (2^32 - 1) in value. This setting is used to guarantee that a 32-bit octet count in any STOP message has not wrapped to larger than 2^32, thus ensuring the accuracy of the count. The system may, at its discretion, send the STOP/START pair at any time, so long as it does so before the 32-bit counter has wrapped. Note that a STOP/START pair is never generated unless the subscriber RP session is in the Active state, since octet/packet counts are not accumulated when in the Dormant state.
custom: Specifies the use of a custom RADIUS accounting policy for R-P. The custom policy can consist of the following:
active-handoff: Enables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Normally two R-P events will occur (one for the Connection Setup, and the second for the Active-Start).
active-start-param-change: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
Important: Note that a custom trigger policy with only active-start-param-change enabled is identical to the standard trigger-policy.
active-stop: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
Important: If the radius accounting rp trigger-policy custom command is executed without any of the optional keywords, all custom options are disabled.
standard: Specifies the use of Standard RADIUS accounting policy for R-P in accordance with IS-835B.
trigger-stop-start
Specifies that a stop/start RADIUS accounting pair should be sent to the RADIUS server when an applicable R-P event occurs.
Usage
Use this command to configure the events for which a RADIUS event is sent to the server when the accounting procedures vary between servers.
Example
The following command enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF:
radius accounting rp trigger-event active-stop
The following command generates the STOP only when an active-stop is received from the old PCF after handoff occurs:
default radius accounting rp handoff-stop
 
radius accounting server
For accounting, this command configures the RADIUS accounting server(s) in the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius [ mediation-device ] accounting server ip_address [ encrypted ] key value [ acct-on { enable | disable } ] [ acct-off { enable | disable } ] [ max messages ] [ oldports ] [ port port_number ] [ priority priority ] [ type standard ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius [ mediation-device ] accounting server ip_address [ oldports | port port_number ]
no
Removes the server or server port(s) specified from the list of configured servers.
mediation-device
Enables mediation-device-specific AAA transactions to be used to communicate with this RADIUS server.
Important: If this option is not used, by default the system enables standard AAA transactions.
ip_address [ port port_number ]
Specifies the IP address of the accounting server. ip_address must be specified using the standard IPv4 dotted decimal notation or colon notation for IPv6. A maximum of 1600 RADIUS servers per context/system and 128 servers per server group can be configured. This limit includes accounting and authentication servers.
port port_number specifies the port number to use for communications. port_number must be an integer from 0 through 65535. Default is 1813.
Important: The same RADIUS server IP address and port can be configured in multiple RADIUS server groups within a context.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be an alpha and/or numeric string of 1 through 15 characters, or when encrypted an alpha and/or numeric string of 1 through 30 characters.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plaintext key. Only the encrypted key is saved as part of the configuration file.
acct-on { enable | disable }
Default: disable
Enables and disables sending of the Accounting-On message when a new RADIUS server is added to the configuration.
When this is enabled, the Accounting-On message is sent when a new RADIUS server is added in the configuration. However, if for some reason the Accounting-On message cannot be sent at the time of server configuration (for example; if the interface is down), then the message is sent as soon as possible. Once the Accounting-On message is sent, if it is not responded to after the configured RADIUS accounting timeout, the message is retried the configured number of RADIUS accounting retries. Once all retries have been exhausted, the system no longer attempts to send the Accounting-On message for this server.
acct-off { enable | disable }
Default: enable
Disables and enables the sending of the Accounting-Off message when a RADIUS server is removed from the configuration.
The Accounting-Off message is sent when a RADIUS server is removed from the configuration, or when there is an orderly shutdown. However, if for some reason the Accounting-Off message cannot be sent at this time, it is never sent. The Accounting-Off message is sent only once, regardless of how many accounting retries are enabled.
max messages
Default: 0
Specifies the maximum number of outstanding messages that may be allowed to the server.
messages must be an integer from 1 through 256.
oldports
Sets the UDP communication port to 1646, the out-of-date standardized default for RADIUS accounting communications.
priority priority
Default: 1000
Specifies the relative priority of this accounting server. The priority is used in server selection for determining which server to send accounting data to.
priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
type { mediation-device | standard }
Default: standard
Specifies the type of AAA transactions to use to communicate with this RADIUS server.
mediation-device: Obsolete keyword.
standard: Use standard AAA transactions.
admin-status { enable | disable }
Configures the admin-status for the RADIUS accounting server.
enable: Enables the RADIUS accounting server.
disable: Disables the RADIUS accounting server.
-noconfirm
Specifies that the command must execute without any prompts and confirmation from the user.
Usage
Use this command to configure the RADIUS accounting servers with which the system must communicate for accounting.
Up to 1600 RADIUS servers per context/system and 128 servers per server group can be configured. The servers can be configured as Accounting, Authentication, Charging servers, or any combination thereof.
Example
The following command sets the accounting server with mediation device transaction for AAA server 1.2.3.4:
radius mediation-device accounting server 1.2.3.4 key sharedKey port 1024 max 127
 
radius algorithm
This command configures the RADIUS authentication server selection algorithm for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius algorithm { first-server | round-robin }
default radius algorithm
default
Configures the default setting.
Default: first-server
first-server
Accounting data is sent to the first available server based upon the relative priority of each configured server.
round-robin
Accounting data is sent in a circular queue fashion on a per Session Manager task basis, where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.
Usage
Use this command to configure the context’s RADIUS server selection algorithm to ensure proper load distribution amongst the available servers.
Example
radius algorithm first-server
radius algorithm round-robin
 
radius allow
This command configures the system behavior for allowing subscriber sessions when RADIUS accounting and/or authentication is unavailable.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] radius allow { authentication-down | accounting-down }
no
Specifies that the specified option is to be disabled.
authentication-down
Default: Disabled
Allows sessions while authentication is not available (down).
accounting-down
Default: Enabled
Allows sessions while accounting is unavailable (down).
Usage
Use this command to allow sessions during system trouble when the risk of IP address and/or subscriber spoofing is minimal. Denying sessions may cause subscriber dissatisfaction; allowing them forgoes the verification and/or accounting data that the unavailable server would have provided.
Example
radius allow authentication-down
no radius allow authentication-down
radius allow accounting-down
no radius allow accounting-down
 
radius attribute
Configures the system’s RADIUS identification parameters.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius attribute { nas-identifier id | nas-ip-address address primary_address [ backup secondary_address ] [ nexthop-forwarding-address nexthop_address ] [ vlan vlan_id ] [ mpls-label input input output output [ integer_value ] ] }
no radius attribute { nas-identifier | nas-ip-address }
default radius attribute nas-identifier
no
Removes configuration for the specified keyword.
default
Configures the default setting.
nas-identifier id
Specifies the attribute name by which the system will be identified in Access-Request messages. id must be a case-sensitive alpha and/or numeric string of 1 through 32 characters in length.
nas-ip-address address primary_address
Specifies the AAA interface IP address(es) used to identify the system. Up to two addresses can be configured.
primary_address: The IP address of the primary interface to use in the current context. This must be specified using the standard IPv4 dotted decimal notation.
backup secondary_address
backup: The IP address of the secondary interface to use in the current context. This must be specified using the standard IPv4 dotted decimal notation.
nexthop-forwarding-address nexthop_address
Configures the next hop IP address for this NAS IP address. It optionally sets the RADIUS client to provide the VLAN ID and nexthop forwarding address to the system when running in single nexthop gateway mode.
nexthop_address must be specified using the standard IPv4 dotted decimal notation.
Important: To define more than one NAS IP address per context, in Global Configuration Mode use the aaa large-configuration command. If enabled, for a PDSN a maximum of 400 and for a GGSN a maximum of 800 NAS IP addresses/NAS identifiers (1 primary and 1 secondary per Server group) can be configured per context.
 
mpls-label input in_label_value output out_label_value1 [ out_label_value2 ]
Configures the traffic from the specified RADIUS client NAS IP address to use the specified MPLS labels.
in_label_value is the MPLS label that will identify inbound traffic destined for the configured NAS IP address.
out_label_value1 and out_label_value2 identify the MPLS labels to be added to packets sent from the specified NAS IP address.
out_label_value1 is the inner output label.
out_label_value2 is the outer output label.
MPLS label values must be an integer from 16 to 1048575.
vlan vlan_id
This optional keyword sets the RADIUS client to provide VLAN ID with nexthop forwarding address to system when running in single nexthop gateway mode.
vlan_id must be a pre-configured VLAN ID and must be an integer from 1 through 4096. It is the VLAN ID to be provided to the system in RADIUS attributes.
This option is available only when the nexthop-forwarding gateway is also configured with the nexthop-forwarding-address nexthop_address keyword and aaa large-configuration is enabled at the Global Configuration level.
Usage
This is necessary because the system, acting as the Network Access Server (NAS), must identify itself in the RADIUS messages it sends.
The system supports the concept of the active nas-ip-address. The active nas-ip-address is defined as the current source ip address for RADIUS messages being used by the system. This is the content of the nas-ip-address attribute in each RADIUS message.
The system will always have exactly one active nas-ip-address. The active nas-ip-address will start as the primary nas-ip-address. However, the active nas-ip-address may switch from the primary to the backup, or the backup to the primary. The following events will occur when the active nas-ip-address is switched:
The system uses a revertive algorithm when transitioning active NAS IP addresses as described below:
Example
radius attribute nas-ip-address 1.2.3.4
no radius attribute nas-identifier sampleID
 
radius authenticate
This command configures RADIUS authentication related parameters.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius authenticate { apn-to-be-included { gi | gn } | null-username }
default radius authenticate { apn-to-be-included | null-username }
no radius authenticate null-username
default
Configures the default setting.
no radius authenticate null-username
Disables sending an Access-Request message to the AAA server for user names (NAI) that are blank.
apn-to-be-included
Specifies the APN name to be included for RADIUS authentication:
gi: Specifies the usage of Gi APN name in RADIUS authentication request. Gi APN represents the APN received in the Create PDP Context request message from SGSN.
gn: Specifies the usage of Gn APN name in RADIUS authentication request. Gn APN represents the APN selected by the GGSN.
null-username
Specifies attempting RADIUS authentication even if the provided user name is NULL (empty).
Default: Authentication is attempted (Access-Request messages are sent to the AAA server) for all user names, including NULL user names.
Usage
Use this command to disable, or re-enable, sending Access-Request messages to the AAA server for usernames (NAI) that are blank (NULL).
Example
To disable sending Access-Request messages for user names (NAI) that are blank, enter the following command:
no radius authenticate null-username
To re-enable sending Access-Request messages for user names (NAI) that are blank, enter the following command:
radius authenticate null-username
 
radius authenticator-validation
This command enables (allows) or disables (prevents) MD5 validation of the RADIUS authenticator. MD5 authenticator validation is enabled by default.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no ] radius authenticator-validation
no
Disables MD5 authentication validation for an Access-Request message to the AAA server.
Usage
Use this command to disable or re-enable MD5 authenticator validation for the Access-Request exchange with the AAA server.
Example
To disable MD5 authentication validation for Access-Request messages for usernames (NAI), enter the following command:
no radius authenticator-validation
To enable MD5 authentication validation for Access-Request messages for user names (NAI), enter the following command:
radius authenticator-validation
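As an added example (not part of this reference and not StarOS code), the following Python reproduces what the MD5 authenticator check covers per RFC 2865 and RFC 2866: the client's validation of the Response Authenticator on an Access-Accept, and the accounting server's validation of the Request Authenticator on an Accounting-Request. The shared secret, identifiers and attributes are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used here (RFC 2865 / RFC 2866).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCOUNTING_REQUEST = 4
USER_NAME = 1          # attribute type
ACCT_STATUS_TYPE = 40  # attribute type

SHARED_SECRET = b"sharedKey"  # constructed sample secret, as in the page's examples


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def header(code, identifier, authenticator, attributes):
    """Assemble Code, Identifier, Length and Authenticator, then the attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    prefix = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(prefix + request_auth + attributes + secret).digest()


def accounting_authenticator(identifier, attributes, secret):
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    prefix = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    return hashlib.md5(prefix + bytes(16) + attributes + secret).digest()


def validate_response(response, request_auth, secret):
    """The check the client performs on a reply when authenticator validation is enabled."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request_auth, response[20:], secret)
    return hmac.compare_digest(response[4:20], expected)


def validate_accounting_request(request, secret):
    """The check an accounting server performs on an incoming Accounting-Request."""
    if len(request) < 20 or request[0] != ACCOUNTING_REQUEST:
        return False
    identifier, length = struct.unpack("!BH", request[1:4])
    if length != len(request):
        return False
    expected = accounting_authenticator(identifier, request[20:], secret)
    return hmac.compare_digest(request[4:20], expected)


def access_exchange(server_secret):
    """Client sends an Access-Request; a server holding server_secret answers Access-Accept.

    Returns True only if the client (holding SHARED_SECRET) accepts the reply, so a
    reply produced with any other secret is rejected."""
    identifier = 7
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    request = header(ACCESS_REQUEST, identifier, request_auth, attr(USER_NAME, b"Test-Username"))
    # Server side: Access-Accept echoing the identifier, authenticator bound to the request.
    reply_attrs = b""
    reply_auth = response_authenticator(ACCESS_ACCEPT, identifier, request[4:20], reply_attrs, server_secret)
    reply = header(ACCESS_ACCEPT, identifier, reply_auth, reply_attrs)
    return validate_response(reply, request_auth, SHARED_SECRET)


def accounting_request(client_secret):
    """Client builds an Accounting-Request (Acct-Status-Type = Start) using client_secret."""
    attrs = attr(USER_NAME, b"Test-Username") + attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))
    auth = accounting_authenticator(9, attrs, client_secret)
    return header(ACCOUNTING_REQUEST, 9, auth, attrs)


if __name__ == "__main__":
    print("genuine Access-Accept accepted:", access_exchange(SHARED_SECRET))
    print("Access-Accept with wrong secret accepted:", access_exchange(b"wrong-secret"))
```

With validation disabled, the client skips validate_response and would act on either reply; the accounting-side check is what the server applies to Accounting-Requests regardless of this command.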
 
radius charging
This command configures basic RADIUS options for Active Charging Service.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ no | default ] radius charging { deadtime dead_minutes | detect-dead-server { consecutive-failures count | response-timeout seconds } | max-outstanding messages | max-retries tries | max-transmissions transmissions | timeout idle_seconds }
no
Removes configuration for the specified keyword.
default
Configures the default setting for the specified keyword.
deadtime dead_minutes
Specifies the number of minutes to wait before attempting to communicate with a server that has been marked as unreachable.
dead_minutes must be an integer from 0 through 65535.
Default: 10
detect-dead-server { consecutive-failures count | response-timeout seconds }
consecutive-failures count: Specifies the number of consecutive failures, for each AAA Manager, before a server is marked as unreachable.
count must be an integer from 1 through 1000.
Default: 4
response-timeout seconds: Specifies the number of seconds for each AAA Manager to wait for a response to any message before a server is detected as failed, or in a down state.
seconds must be an integer from 1 through 65535.
max-outstanding messages
Specifies the maximum number of outstanding messages a single AAA Manager instance will queue.
messages must be an integer from 1 through 4000.
Default: 256
max-retries tries
Specifies the maximum number of times communication with an AAA server will be attempted before it is marked as unreachable, and the detect dead servers consecutive failures count is incremented.
tries must be an integer from 0 through 65535.
Default: 5
max-transmissions transmissions
Sets the maximum number of re-transmissions for RADIUS authentication requests. This limit is used in conjunction with the max-retries parameter for each server.
When failing to communicate with a RADIUS server, the subscriber is failed once all of the configured RADIUS servers have been exhausted or once the configured number of maximum transmissions is reached.
For example, if three servers are configured and if the configured max-retries is 3 and max-transmissions is 12, then the primary server is tried four times (once plus three retries), the secondary server is tried four times, and then the third server is tried four times. If there is a fourth server, it is not tried because the maximum number of transmissions (12) has been reached.
transmissions must be an integer from 1 through 65535.
Default: Disabled
timeout idle_seconds
Specifies the number of seconds to wait for a response from the RADIUS server before re-sending the messages.
idle_seconds must be an integer from 1 through 65535.
Default: 3
Usage
Use this command to manage the basic Charging Service RADIUS options according to the RADIUS server used for the context.
Example
radius charging detect-dead-server consecutive-failures 6
radius charging timeout 300
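The max-retries/max-transmissions scenario above (three servers, max-retries 3, max-transmissions 12), generalised as an added Python example that is not part of this reference: it lists the sends made while every server is unreachable, honours the max-transmissions cap, and gives the worst-case delay before the subscriber is failed using the per-send timeout. Server addresses and priorities are constructed sample values; the model assumes first-server ordering and that no server ever responds.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusServer:
    address: str
    priority: int  # 1 is the highest priority, matching the priority keyword


# Constructed sample servers (not from the page), listed by priority.
SAMPLE_SERVERS = [
    RadiusServer("10.0.0.1", 1),
    RadiusServer("10.0.0.2", 2),
    RadiusServer("10.0.0.3", 3),
    RadiusServer("10.0.0.4", 4),
]


def attempt_sequence(servers, max_retries, max_transmissions=None):
    """Sends made, as (address, attempt) pairs, when every server times out.

    Servers are taken from highest to lowest priority (first-server ordering).
    Each server gets one send plus max_retries retries. max_transmissions caps
    the total number of sends across all servers; None models "Default: Disabled".
    """
    sequence = []
    for server in sorted(servers, key=lambda s: s.priority):
        for attempt in range(1, max_retries + 2):
            if max_transmissions is not None and len(sequence) >= max_transmissions:
                return sequence
            sequence.append((server.address, attempt))
    return sequence


def servers_tried(servers, max_retries, max_transmissions=None):
    """Addresses that receive at least one send before the subscriber is failed."""
    sends = attempt_sequence(servers, max_retries, max_transmissions)
    return [address for address, attempt in sends if attempt == 1]


def worst_case_failure_seconds(servers, max_retries, max_transmissions, timeout):
    """Time until the subscriber is failed when every send waits the full timeout."""
    return len(attempt_sequence(servers, max_retries, max_transmissions)) * timeout


if __name__ == "__main__":
    for address, attempt in attempt_sequence(SAMPLE_SERVERS, 3, 12):
        print(address, "attempt", attempt)
    # With the page's default timeout of 3 seconds this is 12 sends x 3 s.
    print("worst case before failure:", worst_case_failure_seconds(SAMPLE_SERVERS, 3, 12, 3), "s")
```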
 
radius charging accounting algorithm
This command specifies the fail-over/load-balancing algorithm to be used for selecting RADIUS servers for charging services.
Product
PDSN, GGSN
Privilege
Security Administrator, Administrator
Syntax
radius charging accounting algorithm { first-n n | first-server | round-robin }
first-n n
Default: 1 (Disabled)
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. Response from any one of the n AAA servers would suffice to proceed with the call. The full set of accounting data is sent to each of the n AAA servers.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
first-server
Specifies that the context must send accounting data to the RADIUS server with the highest configured priority. In the event that this server becomes unreachable, accounting data is sent to the server with the next-highest configured priority. This is the default algorithm.
round-robin
Specifies that the context must load balance sending accounting data among all of the defined RADIUS servers. Accounting data is sent in a circular queue fashion on a per Session Manager task basis, where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.
Usage
Use this command to specify the accounting algorithm to use to select RADIUS servers for charging services configured in the current context.
Example
The following command configures to use the round-robin algorithm for RADIUS server selection:
radius charging accounting algorithm round-robin
 
radius charging accounting server
Configures RADIUS charging accounting servers in the current context for Active Charging Service Prepaid Accounting.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius charging accounting server ip_address [ encrypted ] key value [ max messages ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius charging accounting server ip_address [ oldports | port port_number ]
no
Removes the server or server port(s) specified from the list of configured servers.
ip_address
Specifies the IP address of the accounting server. ip_address must be specified using the standard IPv4 dotted decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be an alpha and/or numeric string of 1 through 15 characters, or an alpha and/or numeric string of 1 through 30 characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plaintext key. Only the encrypted key is saved as part of the configuration file.
max messages
Default: 0
Specifies the maximum number of outstanding messages that may be allowed to the server. messages must be an integer from 0 through 4000.
oldports
Sets the UDP communication port to the out of date standardized default for RADIUS communications to 1646.
port port_number
Default: 1813
Specifies the port number to use for communication.
port_number must be an integer from 0 through 65535.
priority priority
Default: 1000
Specifies the relative priority of this accounting server. The priority is used in server selection for determining which server to send accounting data to. priority must be an integer from 1 through 1000, where 1 is the highest priority.
admin-status { enable | disable }
Enables or disables the RADIUS authentication/accounting/charging server functionality and saves the status setting in the configuration file to re-establish the set status at reboot.
-noconfirm
Specifies that the command must execute without any prompts and confirmation from the user.
Usage
This command is used to configure the RADIUS charging accounting server(s) with which the system is to communicate for Active Charging Service Prepaid Accounting requests.
Up to 128 AAA servers can be configured per context when the system is functioning as a PDSN and/or HA. Up to 16 servers are supported per context when the system is functioning as a GGSN.
Example
radius charging accounting server 1.2.3.4 key sharedKey port 1024 max 127
radius charging accounting server 1.2.5.6 encrypted key scrambledKey oldports priority 10
no radius charging accounting server 1.2.5.6
 
radius charging algorithm
Specifies the RADIUS server selection algorithm used by Active Charging Service for the current context.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius charging algorithm { first-server | round-robin }
default radius charging algorithm
default
Configures the default setting.
Default: first-server
first-server
Accounting data is sent to the first available server based upon the relative priority of each configured server.
round-robin
Accounting data is sent in a circular queue fashion on a per Session Manager task basis where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.
Usage
Use this command to configure the context’s RADIUS server selection algorithm for Active Charging Service to ensure proper load distribution amongst the available servers.
Example
radius charging algorithm first-server
radius charging algorithm round-robin
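The following is an added example, not Cisco's code, that models the two selection algorithms described above over a constructed server list. The per-Session-Manager-task cursor for round-robin and the skipping of servers marked unavailable are modelled from the prose; the internal implementation is not public, so treat both as assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RadiusServer:
    ip: str
    priority: int = 1000      # page default; 1 is the highest priority
    available: bool = True    # cleared when keepalives/probes mark the server down


@dataclass
class ServerGroup:
    servers: List[RadiusServer]
    algorithm: str = "first-server"          # page default
    # round-robin keeps one cursor per Session Manager task (assumed model)
    cursors: Dict[int, int] = field(default_factory=dict)

    def ordered(self) -> List[RadiusServer]:
        # sorted() is stable: equal priorities keep configuration order
        return sorted(self.servers, key=lambda s: s.priority)

    def select(self, sessmgr_task: int) -> Optional[RadiusServer]:
        order = self.ordered()
        if self.algorithm == "first-server":
            # always the highest-priority server that is currently available
            return next((s for s in order if s.available), None)
        if self.algorithm == "round-robin":
            n = len(order)
            start = self.cursors.get(sessmgr_task, 0)
            for k in range(n):
                idx = (start + k) % n
                if order[idx].available:
                    # wrap to the head of the list after the last server
                    self.cursors[sessmgr_task] = (idx + 1) % n
                    return order[idx]
            return None
        raise ValueError(f"unknown algorithm {self.algorithm!r}")


def demo() -> List[str]:
    # constructed sample group: three servers with distinct priorities
    servers = [RadiusServer("10.0.0.1", priority=10),
               RadiusServer("10.0.0.2", priority=20),
               RadiusServer("10.0.0.3", priority=30)]
    group = ServerGroup(servers, "first-server")
    first = [group.select(0).ip for _ in range(3)]       # every request: 10.0.0.1
    group.algorithm = "round-robin"
    rr = [group.select(0).ip for _ in range(4)]          # .1 .2 .3 then wraps to .1
    servers[1].available = False                         # 10.0.0.2 marked down
    rr_down = [group.select(0).ip for _ in range(3)]     # .3 .1 .3, .2 is skipped
    return first + rr + rr_down


if __name__ == "__main__":
    print(demo())
```

Note that with first-server every request lands on the same server until it is marked down, so its availability detection (keepalive or probe) decides failover time; round-robin spreads load but each Session Manager task walks the list independently, so the distribution seen by any one server is only even in aggregate.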
 
radius charging server
Configures the RADIUS charging server(s) in the current context for Active Charging Service Prepaid Authentication.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius charging server ip_address [ encrypted ] key value [ max messages ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius charging server ip_address [ oldports | port port_number ]
no
Removes the server or server port(s) specified from the list of configured servers.
ip_address
Specifies the IP address of the server. ip_address must be specified using the standard IPv4 dotted decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be an alpha and/or numeric string of 1 through 15 characters, or an alpha and/or numeric string of 1 through 30 characters when encrypted.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
max messages
Default: 256
Specifies the maximum number of outstanding messages that may be allowed to the server. messages must be an integer from 0 through 4000.
oldports
Sets the UDP communication port to the old default for RADIUS communications to 1645.
port port_number
Default: 1812
Specifies the port number to use for communications.
port_number must be an integer from 1 through 65535.
priority priority
Default: 1000
Specifies the relative priority of this charging server. The priority is used in server selection for determining which server to send charging requests to.
priority must be an integer from 1 through 1000, where 1 is the highest priority.
admin-status { enable | disable }
Enables or disables the RADIUS authentication, accounting, or charging server functionality and saves the status setting in the configuration file to re-establish the set status at reboot.
-noconfirm
Specifies that the command must execute without any prompts and confirmation from the user.
Usage
This command is used to configure the RADIUS charging server(s) with which the system is to communicate for Active Charging Service Prepaid Authentication requests.
Up to 128 AAA servers can be configured per context when the system is functioning as a PDSN and/or HA. Up to 16 servers are supported per context when the system is functioning as a GGSN.
Example
radius charging server 1.2.3.4 key sharedKey port 1024 max 127
radius charging server 1.2.5.6 encrypted key scrambledKey oldports priority 10
no radius charging server 1.2.5.6
 
radius ip vrf
This command associates the specific AAA group with a Virtual Routing and Forwarding (VRF) Context instance for GRE tunnel interface configuration. By default the VRF is NULL, which means that AAA group is associated with global routing table.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius ip vrf vrf_name
no radius ip vrf
no
Removes/disassociates configured IP Virtual Routing and Forwarding (VRF) context instance.
vrf_name
Specifies the name of a VRF context instance previously configured in Context Configuration Mode with the ip vrf command.
Usage
Use this command to associate/disassociate a pre-configured VRF context for a GRE tunnel interface.
By default the VRF is NULL, which means that AAA group is associated with global routing table.
Example
The following command associates VRF context instance GRE_vrf1 with this AAA group:
radius ip vrf GRE_vrf1
 
radius keepalive
This command configures the RADIUS keepalive authentication parameters.
Product
All
Privilege
Security Administrator, Administrator
Syntax
[ default ] radius keepalive [ calling-station-id id | consecutive-response number | encrypted password password | interval seconds | password password | retries number | timeout seconds | username name | valid-response access-accept [ access-reject ] ]
default
Configures the default setting for the specified keyword.
calling-station-id id
Specifies the Calling-Station-Id to be used for the keepalive authentication.
id must be an alpha and/or numeric string of 1 through 15 characters in length.
Default value is 000000000000000.
consecutive-response number
Specifies the number of consecutive authentication responses after which the server is marked as reachable.
number must be an integer from 1 through 5.
Default: 1
encrypted password password
Specifies the keepalive password in encrypted form. The encrypted keyword is intended for use by the system when it saves the configuration; only the encrypted password is written to the configuration file.
password must be an alpha and/or numeric string of 1 through 64 characters in length.
Default password: Test-Password
interval seconds
Specifies the time interval, in seconds, between two keepalive access requests.
Default: 30 seconds
password password
Specifies the plain text password to be used for keepalive authentication.
password must be an alpha and/or numeric string of 1 through 64 characters in length.
Default password: Test-Password
retries number
Specifies the number of times the keepalive access request is sent without a response before the server is marked as unreachable.
number must be an integer from 3 through 10.
Default: 3
timeout seconds
Specifies the time interval between keepalive access request retries.
seconds must be an integer from 1 through 30.
Default: 3 seconds
username name
Specifies the user name to be used for authentication. name must be an alpha and/or numeric string of 1 through 127 characters in length.
Default: Test-Username
valid-response access-accept [ access-reject ]
Specifies the valid response for the authentication request.
If access-reject is configured, then both access-accept and access-reject are considered as success for the keepalive authentication request.
If access-reject is not configured, then only access-accept is considered as success for the keepalive access request.
Default: keepalive valid-response access-accept
Usage
Use this command to configure the keepalive authentication parameters for the RADIUS server. Keepalive requests are real Access-Requests carrying the configured username and password, so replace the Test-Username and Test-Password defaults with a dedicated account that is used only for keepalives.
Example
The following command configures the user name for RADIUS keepalive access requests to Test-Username2:
radius keepalive username Test-Username2
The following command configures the number of RADIUS keepalive retries to 4:
radius keepalive retries 4
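The following is an added example, not Cisco's code, that models how the retries, consecutive-response and valid-response keywords above drive a server's reachable/unreachable state. The response sequence is constructed sample data; how the system counts a reply that is not a configured valid response is not stated on the page, so treating it like a missed reply is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class KeepaliveConfig:
    retries: int = 3                  # requests without a reply before "unreachable"
    consecutive_response: int = 1     # valid replies before "reachable" again
    reject_is_valid: bool = False     # valid-response access-accept access-reject

    def __post_init__(self) -> None:
        # ranges taken from the keyword descriptions above
        if not 3 <= self.retries <= 10:
            raise ValueError("retries must be 3 through 10")
        if not 1 <= self.consecutive_response <= 5:
            raise ValueError("consecutive-response must be 1 through 5")


class KeepaliveTracker:
    """Reachability state of one RADIUS server driven by keepalive outcomes."""

    def __init__(self, cfg: KeepaliveConfig) -> None:
        self.cfg = cfg
        self.reachable = True
        self.failures = 0
        self.successes = 0

    def is_valid(self, response: Optional[str]) -> bool:
        # None models a request that got no reply within `timeout`
        if response == "access-accept":
            return True
        if response == "access-reject":
            return self.cfg.reject_is_valid
        return False

    def observe(self, response: Optional[str]) -> bool:
        """Feed one keepalive outcome; return the server state after it.
        Assumption: a reply that is not a configured valid response counts
        like a missed reply toward the `retries` threshold."""
        if self.is_valid(response):
            self.failures = 0
            self.successes += 1
            if not self.reachable and self.successes >= self.cfg.consecutive_response:
                self.reachable = True
        else:
            self.successes = 0
            self.failures += 1
            if self.failures >= self.cfg.retries:
                self.reachable = False
        return self.reachable


def run(cfg: KeepaliveConfig, outcomes: List[Optional[str]]) -> List[bool]:
    tracker = KeepaliveTracker(cfg)
    return [tracker.observe(o) for o in outcomes]


def demo() -> List[bool]:
    # constructed sequence: one good reply, three timeouts, then recovery
    cfg = KeepaliveConfig(retries=3, consecutive_response=2, reject_is_valid=True)
    outcomes = ["access-accept", None, None, None,
                "access-reject", "access-accept", None, "access-accept"]
    return run(cfg, outcomes)   # [True, True, True, False, False, True, True, True]


if __name__ == "__main__":
    print(demo())
```

The demo shows why valid-response access-accept access-reject matters: with the keepalive account rejected by the server (for example after its password is rotated), the default setting would mark a perfectly healthy server unreachable after retries failures, while the two-keyword form keeps any answered request as proof of life.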
 
radius mediation-device
See the radius accounting server command.
 
radius probe-interval
This command configures the time interval between two RADIUS authentication probes.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius probe-interval seconds
default radius probe-interval
default
Configures the default setting.
seconds
Default: 60
Specifies the number of seconds to wait before sending another probe authentication request to a RADIUS server.
seconds must be an integer from 1 through 65535.
Usage
Use this command for Interchassis Session Recovery (ICSR) support to set the duration between two authentication probes to the RADIUS server.
Example
The following command sets the RADIUS authentication probe interval to 30 seconds.
radius probe-interval 30
 
radius probe-max-retries
This command configures the number of times a RADIUS authentication probe is re-sent without a response.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius probe-max-retries retries
default radius probe-max-retries
default
Configures the default setting.
retries
Default: 5
Specifies the number of retries for RADIUS authentication probe response before the authentication is declared as failed.
retries must be an integer from 0 through 65535.
Usage
Use this command for Home Agent Geographical Redundancy (HAGR) support to set the number of attempts to send RADIUS authentication probe without a response before the authentication is declared as failed.
Example
The following command configures the maximum number of retries to 6:
radius probe-max-retries 6
 
radius probe-timeout
This command configures the timeout duration for HAGR to wait for a response for RADIUS authentication probes.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius probe-timeout idle_seconds
default radius probe-timeout
default
Configures the default setting.
idle_seconds
Default: 3
Specifies the number of seconds to wait for a response from the RADIUS server before re-sending the authentication probe.
idle_seconds must be an integer from 0 through 65535.
Usage
Use this command for Home Agent Geographical Redundancy (HAGR) support to set the time duration to wait for response before re-sending the RADIUS authentication probe to the RADIUS server.
Example
The following command sets the authentication probe timeout to 120 seconds:
radius probe-timeout 120
 
radius server
This command configures RADIUS authentication server(s) in the current context for authentication.
Product
All
Privilege
Security Administrator, Administrator
Syntax
radius server ip_address [ encrypted ] key value [ max messages ] [ oldports ] [ port port_number ] [ priority priority ] [ probe | no-probe ] [ probe-username username ] [ probe-password [ encrypted ] password password ] [ type { mediation-device | standard } ] [ admin-status { enable | disable } ] [ -noconfirm ]
no radius server ip_address [ oldports | port port_number ]
no
Removes the server or server port(s) specified from the list of configured servers.
ip_address port port_number
Specifies the IP address and port number of the server.
ip_address: Must be specified using the standard IPv4 dotted decimal notation. A maximum of 1600 RADIUS servers per context/system and 128 servers per Server group can be configured. This limit includes accounting and authentication servers.
port port_number: Specifies the port number to use for communications. port_number must be an integer from 1 through 65535. Default: 1812.
Important: The same RADIUS server IP address and port can be configured in multiple RADIUS server groups within a context.
[ encrypted ] key value
Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted. The key value must be an alpha and/or numeric string of 1 through 15 characters, or an alpha and/or numeric string of 1 through 30 characters when encrypted.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
max messages
Default: 256
Specifies the maximum number of outstanding messages that may be allowed to the server. messages must be an integer from 0 through 4000.
oldports
Sets the UDP communication port to the old default for RADIUS communications to 1645.
priority priority
Default: 1000
Specifies the relative priority of this authentication server. The priority is used in server selection for determining which server to send authentication requests to.
priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
probe
Enable probe messages to be sent to the specified RADIUS server.
no-probe
Disable probe messages from being sent to the specified RADIUS server. This is the default behavior.
probe-username username
The username sent to the RADIUS server to authenticate probe messages. username must be an alpha and/or numeric string of 1 through 127 characters in length.
probe-password [ encrypted ] password password
The password sent to the RADIUS server to authenticate probe messages.
encrypted: This keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
password password: Specifies the probe-user password for authentication. password must be an alpha and/or numeric string of 1 through 63 characters in length.
type { mediation-device | standard }
Specifies the type of transactions the RADIUS server accepts.
mediation-device: Specifies mediation-device specific AAA transactions. This option is available only if you purchased a Transaction Control Services license. Contact your local sales representative for licensing information.
standard: Specifies standard AAA transactions. (Default)
admin-status { enable | disable }
Enables or disables the RADIUS authentication, accounting, or charging server functionality and saves the status setting in the configuration file to re-establish the set status at reboot.
-noconfirm
Specifies that the command must execute without any prompts and confirmation from the user.
Usage
This command is used to configure the RADIUS authentication server(s) with which the system is to communicate for authentication.
Up to 1600 RADIUS servers per context/system and 128 servers per Server group can be configured. The servers can be configured as accounting, authentication, charging servers, or any combination thereof.
Example
radius server 1.2.3.4 key sharedKey port 1024 max 127
radius server 1.2.5.6 encrypted key scrambledKey oldports priority 10
no radius server 1.2.5.6
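The following is an added example, not Cisco's code, showing what the shared secret configured with key value (for radius server, radius charging server and radius charging accounting server alike) actually does on the wire per RFC 2865: it hides User-Password in the Access-Request and keys the Response Authenticator that lets the system reject forged replies. The secret, Request Authenticator, user name and password are constructed sample values (the keepalive defaults from this page are reused as the test account); only the standard library is used.

```python
import hashlib
import hmac
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def attr(kind: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: type, total length, value
    return bytes([kind, len(value) + 2]) + value


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")   # drops the padding (and any trailing NULs in the password)


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(secret: bytes, ident: int, req_auth: bytes, user: bytes, pw: bytes) -> bytes:
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(secret, req_auth, pw))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(secret: bytes, code: int, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + req_auth + attrs + secret).digest()


def server_handle(secret: bytes, request: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Server side: recover the password with the shared secret and answer. A request
    hidden under a different secret decodes to garbage and is rejected."""
    attrs, pos = {}, 20
    while pos + 2 <= len(request):
        kind, length = request[pos], request[pos + 1]
        attrs[kind] = request[pos + 2:pos + length]
        pos += length
    req_auth, ident = request[4:20], request[1]
    pw = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == pw else ACCESS_REJECT
    return packet(code, ident, response_authenticator(secret, code, ident, req_auth, b""), b"")


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client side: accept a reply only if its Response Authenticator was computed over
    our Request Authenticator with our secret; anything else is dropped as forged."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(secret, code, ident, request[4:20], response[20:])
    return hmac.compare_digest(expected, response[4:20])


def demo() -> tuple:
    secret, req_auth = b"sharedKey", bytes(range(16))   # fixed authenticator so the demo is reproducible
    users = {b"Test-Username": b"Test-Password"}
    req = access_request(secret, 7, req_auth, b"Test-Username", b"Test-Password")
    resp = server_handle(secret, req, users)
    forged = packet(ACCESS_ACCEPT, 7, response_authenticator(b"wrong", ACCESS_ACCEPT, 7, req_auth, b""), b"")
    mismatched = access_request(b"wrong", 8, req_auth, b"Test-Username", b"Test-Password")
    return (resp[0], verify_response(secret, req, resp), verify_response(secret, req, forged),
            server_handle(secret, mismatched, users)[0])   # (2, True, False, 3)


if __name__ == "__main__":
    print(demo())
```

Everything above rests on MD5 keyed with a secret of at most 15 characters (the key value limit on this page), which is all that protects the password and the reply from anyone on the path between the chassis and the server. Use the full length, a different secret per server, and keep the RADIUS path on a dedicated context or VRF (see radius ip vrf) rather than a shared network.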
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883