Step 1
Step 2
Step 3 Save your configuration as described in the Verifying and Saving Your Configuration chapter.

Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
Important: This section provides minimum instructions to configure context-level AAA functionality that allows the system to process data sessions. Commands that configure additional context-level AAA properties are described in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
Important: Commands except change-authorize-nas-ip, accounting prepaid, accounting prepaid custom, and accounting unestablished-sessions used in this section, or in the Understanding the System Operation and Configuration chapter, are also applicable to support AAA server group for AAA functionality. For details on AAA server group functionality, see the Configuring AAA Server Group for AAA Functionality section.
context <context_name>
   radius server <ip_address> key <shared_secret> [ max <value> ] [ oldports | port <tcp_port> ] [ priority <priority> ]
   radius [ mediation-device ] accounting server <ip_address> key <shared_secret> [ acct-on { enable | disable } ] [ acct-off { enable | disable } ] [ max <msgs> ] [ oldports ] [ port <port_number> ] [ priority <priority> ] [ type standard ]
   radius attribute nas-identifier <identifier>
• Optional. If you want to support more than 320 server configurations system-wide, in the Global Configuration Mode, use the following command:
• <context_name> must be the system context designated for AAA configuration.
• For information on GGSN-specific additional configurations using RADIUS accounting see the Creating and Configuring APNs section of the GGSN Administration Guide.
• <identifier> must be the name designated to identify the system in the Access Request message(s) it sends to the RADIUS server.
• Optional. Multiple RADIUS attribute dictionaries have been created for the system. Each dictionary consists of a set of attributes that can be used in conjunction with the system. As a result, users could take advantage of all of the supported attributes or only a subset. To specify the RADIUS attribute dictionary that you want to implement, in the Context Configuration Mode, use the following command:
   radius dictionary { 3gpp | 3gpp2 | 3gpp2-835 | customXX | standard | starent | starent-835 | starent-vsa1 | starent-vsa1-835 }
• Optional. Configure the system to support NAI-based authentication in the event that the system cannot authenticate the subscriber using a supported authentication protocol. To enable NAI-construction, in the Context Configuration Mode, use the following command:
• Optional. If RADIUS is configured for GGSN service, the system can be configured to support NAI-based authentication to use RADIUS shared secret as password. To enable, in the Context Configuration Mode, use the following command:
• Optional. To configure the system to allow a user session even when all authentication servers are unreachable, in the Context Configuration Mode, use the following command. When enabled, the session is allowed without authentication. However, the accounting information is still sent to the RADIUS accounting server, if it is reachable.
• Optional. To configure the maximum number of times RADIUS authentication requests must be re-transmitted, in the Context Configuration Mode, use the following command:
• Optional. If RADIUS is configured for PDSN service, to configure the accounting trigger options for R-P originated calls to generate STOP immediately or to wait for active-stop from the old PCF on handoff, in the Context Configuration Mode, use the following command:
  For more information on configuring additional accounting trigger options for R-P generated calls for a PDSN service, refer to the radius accounting rp command in the Command Line Interface Reference.
• Optional. To configure the system to check for failed RADIUS AAA servers, in the Context Configuration Mode, use the following command:
  After a server’s state is changed to “Down”, the deadtime timer is started. When the timer expires, the server’s state is returned to “Active”. If both consecutive-failures and response-timeout are configured, then both parameters have to be met before a server’s state is changed to “Down”. For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior appendix.
• Optional. To configure the system to check for failed RADIUS accounting servers, in the Context Configuration Mode, use the following command:
  After a server’s state is changed to “Down”, the deadtime timer is started. When the timer expires, the server’s state is returned to “Active”. If both consecutive-failures and response-timeout are configured, then both parameters have to be met before a server’s state is changed to “Down”. For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior appendix.
• Optional. If required, users can configure the dynamic redundancy for HA as described in the HA Redundancy for Dynamic Home Agent Assignment chapter of the System Enhanced Feature Configuration Guide.

show configuration context <aaa_context_name>
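The two dead-server bullets above describe a small state machine: a server goes “Down” when the configured criteria are met, a deadtime timer runs, and the server returns to “Active” when it expires; when both consecutive-failures and response-timeout are configured, both must be met. The following Python model is an added illustration written for this page, not StarOS code. It assumes that response-timeout is measured from the first unanswered request since the last good reply, that a Down server is never selected, and that the lowest priority value is preferred; the server addresses and timings are constructed sample values. It also models the earlier “allow a session when all authentication servers are unreachable” option, so the trade-off of that setting is visible: with it on, a session is admitted with no authentication at all once every server is Down.

```python
# Added illustration (not StarOS code) of the RADIUS server-state behaviour
# described above.  Assumptions: response-timeout counts from the first
# unanswered request since the last reply; a Down server is never selected;
# lower priority value is preferred.  Addresses and timings are constructed.
from dataclasses import dataclass
from typing import List, Optional

ACTIVE, DOWN = "Active", "Down"


@dataclass
class RadiusServer:
    address: str
    priority: int                     # as in `priority <priority>`; lower is preferred
    state: str = ACTIVE
    failures: int = 0                 # consecutive unanswered requests
    first_failure_at: Optional[float] = None
    down_since: Optional[float] = None


@dataclass
class DeadServerPolicy:
    consecutive_failures: Optional[int] = None   # None: not configured
    response_timeout: Optional[float] = None     # seconds; None: not configured
    deadtime: float = 600.0                      # seconds a Down server stays Down

    def criteria_met(self, srv: RadiusServer, now: float) -> bool:
        checks = []
        if self.consecutive_failures is not None:
            checks.append(srv.failures >= self.consecutive_failures)
        if self.response_timeout is not None:
            checks.append(srv.first_failure_at is not None
                          and now - srv.first_failure_at >= self.response_timeout)
        # Every configured parameter must be met; nothing configured = never Down.
        return bool(checks) and all(checks)


def record_failure(policy: DeadServerPolicy, srv: RadiusServer, now: float) -> str:
    """Account for a request that got no reply; returns the resulting state."""
    if srv.state == DOWN:
        return DOWN
    srv.failures += 1
    if srv.first_failure_at is None:
        srv.first_failure_at = now
    if policy.criteria_met(srv, now):
        srv.state, srv.down_since = DOWN, now      # deadtime timer starts here
    return srv.state


def record_success(srv: RadiusServer) -> str:
    """A reply from the server resets the failure tracking."""
    srv.failures, srv.first_failure_at = 0, None
    return srv.state


def expire_deadtime(policy: DeadServerPolicy, srv: RadiusServer, now: float) -> str:
    """Return a Down server to Active once the deadtime timer has expired."""
    if srv.state == DOWN and now - srv.down_since >= policy.deadtime:
        srv.state, srv.failures, srv.first_failure_at, srv.down_since = ACTIVE, 0, None, None
    return srv.state


def select_server(policy: DeadServerPolicy, servers: List[RadiusServer], now: float,
                  allow_auth_down: bool = False) -> Optional[str]:
    """Pick the preferred Active server.  With every server Down, return
    "allow-without-authentication" only when the equivalent of the
    'allow a session when all servers are unreachable' option is enabled."""
    for srv in servers:
        expire_deadtime(policy, srv, now)
    active = [s for s in servers if s.state == ACTIVE]
    if active:
        return min(active, key=lambda s: s.priority).address
    return "allow-without-authentication" if allow_auth_down else None


if __name__ == "__main__":
    policy = DeadServerPolicy(consecutive_failures=3, deadtime=60)
    primary = RadiusServer("192.0.2.10", priority=1)   # constructed sample servers
    backup = RadiusServer("192.0.2.11", priority=2)
    for t in (0, 1, 2):
        record_failure(policy, primary, t)
    print(primary.state, select_server(policy, [primary, backup], now=3))   # Down 192.0.2.11
    print(select_server(policy, [primary, backup], now=62))                 # 192.0.2.10
```

The check worth keeping in mind when reading `select_server` is the last line: a deployment that enables sessions without authentication trades a reachability outage for an authentication bypass, so the accounting records that the text says are still sent become the only evidence of who used the service during that window.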
Step 2
Step 3
Step 4 Save your configuration as described in the Verifying and Saving Your Configuration chapter.

Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
context <context_name>
   diameter endpoint <endpoint_name>
      origin host <host_name> address <ip_address> [ port <port_number> ] [ accept-incoming-connections ] [ address <ip_address_secondary> ]
      peer <peer_name> [ realm <realm_name> ] address <ip_address> [ [ port <port_number> ] [ connect-on-application-access ] [ send-dpr-before-disconnect [ disconnect-cause <disconnect_cause> ] ] [ sctp ] ]+
• Optional. To support Diameter proxy server on per-PAC/PSC or per-system basis, in the Global Configuration Mode, use the following command:
• <context_name> must be the name of the system context designated for AAA configuration.
• Optional. To enable Diameter proxy for the endpoint, in the Diameter Endpoint Configuration Mode, use the following command:
• Optional. To set the realm for the Diameter endpoint, in the Diameter Endpoint Configuration Mode, use the following command:
   origin realm <realm_name>
• <realm_name> is typically a company or service name. The realm is the Diameter identity and will be present in all Diameter messages.
• Optional. To create an entry in the route table for the Diameter peer, in the Diameter Endpoint Configuration Mode, use the following command:
   route-entry { [ host <host_name> ] [ peer <peer_id> ] [ realm <realm_name> ] } [ application credit-control ] [ weight <value> ]
• Optional. To set how failure, and recovery after failure, are handled for the route table, in the Diameter Endpoint Configuration Mode, use the following command:
   route-failure { deadtime <seconds> | recovery-threshold percent <percent> | result-code <result_code> | threshold <counter> }
• Optional. To enable/disable the Transport Layer Security (TLS) support between Diameter client and Diameter server node, in the Diameter Endpoint Configuration Mode, use the following command:
   connection timeout <timeout>
• Optional. To set the connection retry timeout, in seconds, in the Diameter Endpoint Configuration Mode, use the following command:
   connection retry-timeout <retry_timeout>
• Optional. To set the number of Device Watchdog Requests (DWRs) to be sent before the connection with a Diameter endpoint is closed, in the Diameter Endpoint Configuration Mode, use the following command:
   device-watchdog-request max-retries <retry_count>
• Optional. To set the maximum number of Diameter messages that any ACS Manager (ACSMgr)/Session Manager (SessMgr) may send to any one peer awaiting responses, in the Context Configuration Mode, use the following command:
   max-outstanding <msgs>
• Optional. To set the response timeout for the Diameter endpoint, in seconds, in the Diameter Endpoint Configuration Mode, use the following command:
   response-timeout <duration>
• Optional. To set the watchdog timeout for the Diameter endpoint, in seconds, in the Diameter Endpoint Configuration Mode, use the following command:
   watchdog-timeout <duration>

There are context-level Diameter parameters that must be configured to provide AAA functionality for subscriber sessions. As noted in the Understanding the System Operation and Configuration chapter of the System Administration Guide, AAA functionality can be configured within any context, even its own.

This section describes how to configure the Diameter-based AAA parameters at the context level. To configure Diameter-based AAA parameters at the system level, see Configuring System-Level AAA Functionality.

Important: This section provides the minimum instruction set to configure context-level Diameter AAA functionality that allows the system to process data sessions. Commands that configure additional context-level AAA properties are provided in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
context <context_name>
   diameter authentication endpoint <endpoint_name>
   diameter authentication dictionary <dictionary>
   diameter accounting endpoint <endpoint_name>
   diameter accounting dictionary <dictionary>
• <context_name> must be the name of the system context designated for AAA configuration.
• <endpoint_name> must be the same Diameter endpoint name configured in the Configuring Diameter Endpoint section.
• Optional. To configure the number of retry attempts for a Diameter authentication request with the same server, if the server fails to respond to a request, in the Context Configuration Mode, use the following command:
• Optional. To configure the maximum number of transmission attempts for a Diameter authentication request, in the Context Configuration Mode, use the following command. Use this in conjunction with the max-retries <tries> option to control how many servers the system will attempt to contact.
   diameter authentication max-transmissions <transmissions>
• Optional. To configure how long the system must wait for a response from a Diameter server before re-transmitting the authentication request, in the Context Configuration Mode, use the following command:
   diameter authentication request-timeout <duration>
• Optional. To configure how many times a Diameter accounting request must be retried with the same server, if the server fails to respond to a request, in the Context Configuration Mode, use the following command:
   diameter accounting max-retries <tries>
• Optional. To configure the maximum number of transmission attempts for a Diameter accounting request, in the Context Configuration Mode, use the following command. You can use this in conjunction with the max-retries <tries> option to control how many servers the system will attempt to contact.
   diameter accounting max-transmissions <transmissions>
• Optional. To configure how long the system will wait for a response from a Diameter server before re-transmitting the accounting request, in the Context Configuration Mode, use the following command:
   diameter accounting request-timeout <duration>

show configuration context <aaa_context_name>

context <context_name>
   diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } { request-timeout action { continue | retry-and-terminate | terminate } | result-code <result_code> { [ to <result_code> ] action { continue | retry-and-terminate | terminate } } }
• <context_name> must be the name of the system source context designated for subscriber configuration.

context <context_name>
   aaa group <group_name>
      diameter authentication failure-handling { authorization-request | eap-request | eap-termination-request } { request-timeout action { continue | retry-and-terminate | terminate } | result-code <result_code> { [ to <result_code> ] action { continue | retry-and-terminate | terminate } } }
• <context_name> must be the name of the system source context designated for subscriber configuration.
• <group_name> must be the name of the AAA group designated for AAA functionality within the specific context.

There are system-level AAA parameters that must be configured in order to provide AAA functionality for subscriber and context-level administrative user sessions. As noted in the Understanding the System Operation and Configuration chapter of the System Administration Guide, AAA functionality can be configured within any context, even its own.

Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
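Before the system-level steps, an added example that ties together the Diameter authentication procedures just above: the per-server max-retries, the system-wide max-transmissions budget, and the failure-handling policy with its request-timeout action and result-code ranges. This is illustrative Python written for this page, not StarOS code. It assumes that max-retries is the number of retries sent to the same server after its first transmission, that max-transmissions caps the total number of transmissions across all servers (so it bounds how many servers get tried), and that a result-code rule covers the inclusive range given by result-code <result_code> [ to <result_code> ]. The server names, result codes and responder behaviour are constructed.

```python
# Added illustration (not StarOS code) of the Diameter authentication
# retransmission budget and failure-handling policy described above.
# Assumptions: max_retries = retries to the same server after its first
# transmission; max_transmissions = total transmissions across all servers;
# a result-code rule covers an inclusive range.  Names and codes are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

CONTINUE, RETRY_AND_TERMINATE, TERMINATE = "continue", "retry-and-terminate", "terminate"

# (server, attempt) -> Result-Code of the answer, or None when no answer arrives
Responder = Callable[[str, int], Optional[int]]


@dataclass
class FailureHandling:
    request_timeout_action: str = TERMINATE
    # (low, high, action): like `result-code 5001 to 5999 action terminate`
    result_code_rules: List[Tuple[int, int, str]] = field(default_factory=list)

    def action_for(self, result_code: Optional[int]) -> Optional[str]:
        """None = request timed out; a code no rule covers gets no special action."""
        if result_code is None:
            return self.request_timeout_action
        for low, high, action in self.result_code_rules:
            if low <= result_code <= high:
                return action
        return None


def send_authentication(servers: List[str], max_retries: int, max_transmissions: int,
                        responder: Responder) -> Tuple[Optional[int], List[Tuple[str, int]]]:
    """Walk the server list, sending up to 1 + max_retries times to each,
    until an answer arrives or the transmission budget is spent.  Returns the
    Result-Code (None on timeout) and the (server, attempt) pairs sent."""
    sent: List[Tuple[str, int]] = []
    for server in servers:
        for attempt in range(1 + max_retries):
            if len(sent) >= max_transmissions:
                return None, sent          # budget exhausted: handled as request-timeout
            sent.append((server, attempt))
            code = responder(server, attempt)
            if code is not None:
                return code, sent
    return None, sent                      # every server tried, nobody answered


def authenticate(servers: List[str], max_retries: int, max_transmissions: int,
                 policy: FailureHandling, responder: Responder) -> Dict[str, object]:
    code, sent = send_authentication(servers, max_retries, max_transmissions, responder)
    return {
        "result_code": code,
        "transmissions": len(sent),
        "servers_tried": sorted({s for s, _ in sent}, key=servers.index),
        "action": policy.action_for(code),
    }


if __name__ == "__main__":
    policy = FailureHandling(
        request_timeout_action=CONTINUE,
        result_code_rules=[(5001, 5999, TERMINATE), (3001, 3004, RETRY_AND_TERMINATE)],
    )
    servers = ["aaa-1.example.net", "aaa-2.example.net", "aaa-3.example.net"]  # constructed
    silent = lambda server, attempt: None               # no server ever answers
    print(authenticate(servers, 1, 4, policy, silent))  # 4 transmissions, 2 servers, 'continue'

    def second_answers(server, attempt):                # second server rejects with 5003
        return 5003 if server == "aaa-2.example.net" else None
    print(authenticate(servers, 1, 6, policy, second_answers))  # 3 transmissions, 'terminate'
```

The first run is the point of the max-transmissions bullet: with max-retries 1 and max-transmissions 4, only two of the three servers are ever tried, and the session's fate is then decided by the request-timeout action rather than by any server. Choosing `continue` there has the same character as the RADIUS "allow when all servers are unreachable" option: it keeps sessions up through an outage at the cost of admitting them without an authoritative answer.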
aaa default-domain subscriber <domain_name>
aaa default-domain administrator <domain_name>
aaa last-resort context subscriber <context_name>
aaa last-resort context administrator <context_name>
• <domain_name> is the name of the domain, or context, to use for performing AAA functions in the subscriber session. Information on the role of the default domain in the context selection process can be found in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
• <context_name> must be the name of the context to use for performing AAA functions in the subscriber session. Additional information on the role of the last-resort context in the context selection process can be found in the Understanding the System Operation and Configuration chapter of the System Administration Guide.

show configuration context <context_name>
Step 2 Save your configuration as described in the Verifying and Saving Your Configuration chapter.

Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
Important: This section provides the minimum instruction set for configuring a AAA server group for AAA functionality. Commands that configure other properties of this functionality are provided in the Command Line Interface Reference.
context <context_name>
   aaa group <group_name>
• Optional. If you want to support more than 64 server groups system-wide, in the Global Configuration Mode, use the following command:
• <context_name> must be the name of the system context designated for AAA functionality configuration.
• <group_name> must be the name of the AAA group designated for AAA functionality within the specific context. A total of 800 server groups can be configured system-wide including default server-group unless aaa large-configuration is enabled.
• context <context_name>
  show configuration context <context_name>

Important: The “default” server group in a context is applicable to all subscribers/APNs within that context by default.
The following procedure assumes that a domain alias was previously configured as described in the Creating Contexts section of the System Administration Guide.

subscriber name <subscriber_name>
   aaa group <group_name>
• <context_name> must be the name of the system source context designated for subscriber configuration.
• <sub_name> must be the name of the subscriber template configured as the default template for the domain. For more information on creating contexts, refer to the Creating Contexts section of the System Element Configuration Procedures chapter in the System Administration Guide.
• <group_name> must be the name of the AAA server group designated for AAA functionality within the context as described in the AAA Server Group Configuration section.

context <context_name>
show subscribers configuration username <subscriber_name>

context <context_name>
   apn <apn_name>
      aaa group <group_name>
• <group_name> must be the name of the AAA server group previously configured for AAA functionality in a specific context as described in the AAA Server Group Configuration section.

context <context_name>
show apn name <apn_name>

The system supports configuring subscriber profiles locally within a context through subscriber templates or on a RADIUS server. Subscribers configured on the system are configured within the contexts they were created in. The Understanding the System Operation and Configuration chapter of the System Administration Guide discussed the role of the subscriber default template, which is automatically configured for each context, and of realm-based subscriber templates, which serve as the default subscriber template for users whose domain portion of their user name matches a domain alias within a context. The role of these special subscriber templates is to provide a set of default attributes that may be used to populate any missing values for an authenticated RADIUS-based subscriber. The parameter that would contain this attribute value is called the IP context-name.

Important: Commands used in the configuration example in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.

context <context_name>
   ip context-name <destination_context_name>
• <context_name> must be the name of the system source context designated for Default subscriber configuration.
• <destination_context_name> must be the name of the destination context configured on the system containing the interfaces through which session traffic is routed.
Cisco Systems Inc. Tel: 408-526-4000 Fax: 408-527-0883