IPSG RADIUS Server Configuration Mode Commands

The IP Services Gateway (IPSG) RADIUS Server Configuration Mode is used to create and configure IPSG RADIUS Server services in the current context. This mode enables configuring the system to receive RADIUS accounting requests as if it is a RADIUS accounting server, and reply after accessing those requests for subscriber information.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

bind

This command allows you to bind the current IPSG service to a logical AAA interface, and specify the number of subscriber sessions allowed.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
bind accounting-proxy address ipv4/ipv6_address [ max-subscribers max_sessions | port port_number | source-context source_context ]
bind address ipv4/ipv6_address [ max-subscribers max_sessions | port port_number | source-context source_context ] +
bind authentication-proxy address ipv4/ipv6_address [ acct-port port_number | auth-port port_number | max-subscribers max_sessions | source-context source_context ]
no bind

no

If previously configured, removes the binding for the service.

bind accounting-proxy address ipv4/ipv6_address [ max-subscribers max_sessions | port port_number | source-context source_context ]
  • accounting-proxy address ipv4/ipv6_address: Specifies the IP address of the interface where accounting proxy requests are received by this service in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
  • max-subscribers max_sessions: Specifies the maximum number of subscriber sessions allowed for the service. If this option is not configured, the system defaults to the license limit. In StarOS 9.0 and later releases, max_sessions must be an integer from 0 through 4000000. In StarOS 8.3 and earlier releases, max_sessions must be an integer from 0 through 3000000.
  • port port_number: Specifies the port number of the interface where accounting requests are received by this service. port_number must be an integer from 1 through 65535. Default: 1813
  • source-context source_context: Specifies the source context where RADIUS accounting requests are received. source_context must be an alphanumeric string of 1 through 79 characters. This keyword should be configured if the source of the RADIUS requests is in a different context than the IPSG service. If this keyword is not configured, the system will default to the context in which the IPSG service is configured.
bind address ipv4/ipv6_address [ max-subscribers max_sessions | port port_number | source-context source_context ]+
  • address ipv4/ipv6_address: Specifies the IP address of the interface where accounting requests are received by this service in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.
  • max-subscribers max_sessions: Specifies the maximum number of subscriber sessions allowed for the service. If this option is not configured, the system defaults to the license limit. In StarOS 9.0 and later releases, max_sessions must be an integer from 0 through 4000000. In StarOS 8.3 and earlier releases, max_sessions must be an integer from 0 through 3000000.
  • port port_number: Specifies the port number of the interface where accounting requests are received by this service. port_number must be an integer from 1 through 65535. Default: 1813
  • source-context source_context: Specifies the source context where RADIUS accounting requests are received. source_context must be an alphanumeric string of 1 through 79 characters. This keyword should be configured if the source of the RADIUS requests is in a different context than the IPSG service. If this keyword is not configured, the system will default to the context in which the IPSG service is configured.
bind authentication-proxy address ipv4/ipv6_address [ acct-port port_number | auth-port port_number | max-subscribers max_sessions | source-context source_context ]
  • authentication-proxy address ipv4/ipv6_address: Specifies the IP address of the interface where authentication proxy requests are received by this service in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

    IMPORTANT:

    Enabling authentication proxy also enables accounting proxy.

  • acct-port port_number: Specifies the port number of the interface where accounting proxy requests are received by this service. port_number must be an integer from 0 through 65535. Default: 1813
  • auth-port port_number: Specifies the port number of the interface where authentication proxy requests are received by this service. port_number must be an integer from 0 through 65535. Default: 1812
  • max-subscribers max_sessions: Specifies the maximum number of subscriber sessions allowed for the service. If this option is not configured, the system defaults to the license limit. In StarOS 9.0 and later releases, max_sessions must be an integer from 0 through 4000000. In StarOS 8.3 and earlier releases, max_sessions must be an integer from 0 through 3000000.
  • source-context source_context: Specifies the source context where RADIUS accounting requests are received. source_context must be an alphanumeric string of 1 through 79 characters. This keyword should be configured if the source of the RADIUS requests is in a different context than the IPSG service. If this keyword is not configured, the system will default to the context in which the IPSG service is configured.

Usage:

Use this command to bind the IPSG RADIUS Server service to a logical AAA interface and specify the number of allowed subscriber sessions. If the AAA interface is not located in this context, configure the source-context parameter.

Use the accounting and authentication proxy settings to enable RADIUS proxy server functionality on the IPSG. These commands are used when the NAS providing the RADIUS request messages is incapable of sending them to two separate devices. The IPSG in RADIUS Server mode proxies the RADIUS request and response messages while performing the user identification task in order to provide services to the session.


Example:
The following command binds the service to a AAA interface with an IP address of 10.2.3.4 located in the source context named aaa_ingress:
bind address 10.2.3.4 source-context aaa_ingress

connection authorization

This command allows you to configure the RADIUS authorization password that must be matched by the RADIUS accounting requests received by the current IPSG service.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
connection authorization [ encrypted ] password password
no connection authorization

no

Deletes the RADIUS authorization from the current IPSG RADIUS Server service.

[ encrypted ] password password
  • encrypted: Specifies that the RADIUS authorization password is encrypted.
  • password password: Specifies the password that must be matched by incoming RADIUS accounting requests. In StarOS 12.1 and earlier releases, password must be an alphanumeric string of 1 through 63 characters.

Usage:

The IPSG RADIUS server service does not terminate RADIUS user authentication so the user password is unknown.

Use this command to configure the authorization password that the RADIUS accounting requests must match in order for the service to examine and extract user information.


Example:
The following command sets the RADIUS authorization password that must be matched by the RADIUS accounting requests sent to this service. The password is encrypted, and the password used in this example is “secret”.
connection authorization encrypted password secret

end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

profile

This command allows you to configure the IPSG service to use an APN profile or a subscriber profile.

IMPORTANT:

Note that the eWAG service uses only the APN profile, whereas the IPSG service uses both APN and subscriber profiles.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
profile { APN | subscriber }
default profile

default

Configures this command with its default setting.

Default: APN

APN

Specifies to use APN profile for the service.

subscriber

IMPORTANT:

This option is supported only for the IPSG RADIUS Server service.

Specifies to use subscriber profile for the service.


Usage:

Use this command to set the service to support APN profiles (supporting Gx through the enabling of ims-auth-service) or for basic subscriber profile lookup.


Example:
The following command specifies to use the subscriber profile:
profile subscriber
radius accounting

This command allows you to specify the IP address and shared secret of the RADIUS accounting client from which RADIUS accounting requests are received. The RADIUS client can be either the access gateway or the RADIUS accounting server depending on which device is sending accounting requests.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
radius accounting { client { ipv4/ipv6_address | ipv4/ipv6_address/mask } [ encrypted ] key key [ acct-onoff [ aaa-context aaa_context_name ] [ aaa-group aaa_server_group_name ] [ clear-sessions ] + ] [ dictionary dictionary ] [ disconnect-message [ dest-port destination_port_number ] + | interim create-new-call }
no radius accounting { client { ipv4/ipv6_address | ipv4/ipv6_address/mask } | interim create-new-call }
default radius accounting interim create-new-call

no

If previously configured, removes the specified configuration.

ipv4/ipv6_address | ipv4/ipv6_address/mask

Specifies the IP address, and optionally subnet mask of the RADIUS client from which RADIUS accounting requests are received.

ipv4/ipv6_address and ipv4/ipv6_address/mask must be in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

A maximum of 16 IP addresses can be configured.

[ encrypted ] key key
  • encrypted: Specifies that the shared key between the RADIUS client and this service is encrypted.
  • key key: Specifies the shared key between the RADIUS client and this service. In StarOS 12.1 and earlier releases, key must be an alphanumeric string of 1 through 127 characters and is case sensitive.
acct-onoff [ aaa-context aaa_context_name ] [ aaa-group aaa_server_group_name ] [ clear-sessions ] +

IMPORTANT:

This option is applicable only to the IPSG Proxy Mode.

Specifies to proxy accounting On/Off messages to AAA server.

  • aaa-context aaa_context_name: Specifies the context to find AAA server groups. If not specified, by default, the AAA context will be the source context. aaa_context_name must be the name of a AAA context, and must be an alphanumeric string of 1 through 79 characters.
  • aaa-group aaa_server_group_name: Specifies the AAA server group. If not specified, by default, the AAA server group will be default. aaa_server_group_name must be the name of a AAA server group, and must be an alphanumeric string of 1 through 63 characters.
  • clear-sessions: Specifies to clear IPSG sessions on receiving accounting On/Off messages.
  • +: Indicates that more than one of the preceding options may be specified in a single command.
dictionary dictionary

Specifies the dictionary to use.

IMPORTANT:

In this release, eWAG supports only the starent-vsa1 dictionary.

dictionary can be one of the following.

  • 3gpp2: This dictionary consists not only of all of the attributes in the standard dictionary, but also all of the attributes specified in IS-835-A.
  • 3gpp2-835: This dictionary consists not only of all of the attributes in the standard dictionary, but also all of the attributes specified in IS-835.
  • customX: These are customized dictionaries. For information on custom dictionaries, please contact your Cisco account representative. X is the integer value of the custom dictionary.
  • standard: This dictionary consists only of the attributes specified in RFC 2865, RFC 2866, and RFC 2869.
  • starent: This dictionary consists of all of the attributes in the starent-vsa1 dictionary and incorporates additional Starent Networks VSAs by using a two-byte VSA Type field. This dictionary is the master-set of all of the attributes in all of the dictionaries supported by the system.
  • starent-835: This dictionary consists of all of the attributes in the starent-vsa1-835 dictionary and incorporates additional Starent Networks VSAs by using a two-byte VSA Type field. This dictionary is the master-set of all of the attributes in all of the -835 dictionaries supported by the system.
  • starent-vsa1: This dictionary consists not only of the 3GPP2 dictionary, but also includes Starent Networks vendor-specific attributes (VSAs) as well. The VSAs in this dictionary support a one-byte wide VSA Type field in order to support certain RADIUS applications. The one-byte limit allows support for only 256 VSAs (0–255). This is the default dictionary.

    IMPORTANT:

    In StarOS 12.0 and later releases, no new attributes can be added to the starent-vsa1 dictionary. If there are new attributes to be added, you can only add them to the starent dictionary. For more information, please contact your Cisco account representative.

  • starent-vsa1-835: This dictionary consists not only of the 3GPP2-835 dictionary, but also includes Starent Networks vendor-specific attributes (VSAs) as well. The VSAs in this dictionary support a one-byte wide VSA Type field in order to support certain RADIUS applications. The one-byte limit allows support for only 256 VSAs (0–255). This is the default dictionary.



IMPORTANT:

For information on the specific dictionary to use for your deployment contact your Cisco account representative.

disconnect-message [ dest-port destination_port_number ]

Specifies to send RADIUS disconnect message to the configured RADIUS accounting client in call failure scenarios.

dest-port destination_port_number: Specifies the port number to which the disconnect message must be sent.

destination_port_number must be an integer from 1 through 65535.

interim create-new-call

IMPORTANT:

This option does not apply to the IPSG Proxy Mode.

Specifies to create a new session upon receipt of a RADIUS interim message.

Default: Disabled


Usage:

Use this command to configure the communication parameters for the RADIUS client from which RADIUS accounting requests are received.


Example:
The following command configures the service to communicate with a RADIUS client with an IP address of 10.2.3.4 and an encrypted shared secret of key1234:
radius accounting client 10.2.3.4 encrypted key key1234
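
The role of the client address and shared key configured above, shown as an added example that is not Cisco or StarOS code: a receiver matches the source address against its client entries, then checks the Accounting-Request authenticator defined in RFC 2866 with that client's key. The function names, the most-specific-match rule for overlapping entries, and the second client entry are assumptions; the page does not describe how StarOS implements this.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4   # RADIUS Code for Accounting-Request (RFC 2866)
MAX_CLIENTS = 16         # the page allows at most 16 client addresses

def load_clients(entries):
    """Map each configured client address or address/mask to its shared key."""
    if len(entries) > MAX_CLIENTS:
        raise ValueError("more than 16 RADIUS accounting clients")
    return {ipaddress.ip_network(net, strict=False): key for net, key in entries}

def find_key(clients, source_ip):
    """Return the key of the most specific entry covering source_ip (assumed rule)."""
    addr = ipaddress.ip_address(source_ip)
    hits = [(net.prefixlen, key) for net, key in clients.items() if addr in net]
    return max(hits)[1] if hits else None

def request_authenticator(header, attributes, key):
    """RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(header + b"\x00" * 16 + attributes + key).digest()

def build_accounting_request(identifier, attributes, key):
    """The packet a client holding the shared key would send."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    return header + request_authenticator(header, attributes, key) + attributes

def check_accounting_request(packet, source_ip, clients):
    """Receiver-side decision: 'accept' or the reason the request is dropped."""
    if len(packet) < 20:
        return "drop: short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return "drop: malformed"
    key = find_key(clients, source_ip)
    if key is None:
        return "drop: unknown client"
    packet = packet[:length]                      # octets past Length are padding
    expected = request_authenticator(packet[:4], packet[20:], key)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "drop: bad authenticator"
    return "accept"

# Constructed sample data; 10.2.3.4 and key1234 are the values from the page's example.
CLIENTS = load_clients([("10.2.3.4", b"key1234"), ("192.0.2.0/24", b"constructed-key")])
SAMPLE_ATTRS = (bytes([1, 7]) + b"alice"                     # User-Name
                + bytes([40, 6]) + struct.pack("!I", 1)      # Acct-Status-Type = Start
                + bytes([8, 6]) + bytes([198, 51, 100, 9]))  # Framed-IP-Address

if __name__ == "__main__":
    good = build_accounting_request(1, SAMPLE_ATTRS, b"key1234")
    print(check_accounting_request(good, "10.2.3.4", CLIENTS))     # matching client and key
    print(check_accounting_request(good, "192.0.2.7", CLIENTS))    # known client, other key
    print(check_accounting_request(good, "203.0.113.5", CLIENTS))  # no client entry
```
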
radius dictionary

This command allows you to specify the RADIUS dictionary for the current IPSG service.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
radius dictionary dictionary_name
default radius dictionary

default

Specifies to use the default dictionary.

Default: starent-vsa1

dictionary dictionary_name

Specifies the dictionary to use.

IMPORTANT:

In this release, eWAG supports only the starent-vsa1 dictionary.

dictionary_name must be one of the following.

  • 3gpp2: This dictionary consists not only of all of the attributes in the standard dictionary, but also all of the attributes specified in IS-835-A.
  • 3gpp2-835: This dictionary consists not only of all of the attributes in the standard dictionary, but also all of the attributes specified in IS-835.
  • customXX: These are customized dictionaries. For information on custom dictionaries, please contact your Cisco account representative. XX is the integer value of the custom dictionary.
  • standard: This dictionary consists only of the attributes specified in RFC 2865, RFC 2866, and RFC 2869.
  • starent: This dictionary consists of all of the attributes in the starent-vsa1 dictionary and incorporates additional Starent Networks VSAs by using a two-byte VSA Type field. This dictionary is the master-set of all of the attributes in all of the dictionaries supported by the system.
  • starent-835: This dictionary consists of all of the attributes in the starent-vsa1-835 dictionary and incorporates additional Starent Networks VSAs by using a two-byte VSA Type field. This dictionary is the master-set of all of the attributes in all of the -835 dictionaries supported by the system.
  • starent-vsa1: This dictionary consists not only of the 3GPP2 dictionary, but also includes Starent Networks vendor-specific attributes (VSAs) as well. The VSAs in this dictionary support a one-byte wide VSA Type field in order to support certain RADIUS applications. The one-byte limit allows support for only 256 VSAs (0–255). This is the default dictionary.
  • starent-vsa1-835: This dictionary consists not only of the 3GPP2-835 dictionary, but also includes Starent Networks vendor-specific attributes (VSAs) as well. The VSAs in this dictionary support a one-byte wide VSA Type field in order to support certain RADIUS applications. The one-byte limit allows support for only 256 VSAs (0–255). This is the default dictionary.



IMPORTANT:

For information on the specific dictionary to use for your deployment contact your Cisco account representative.


Usage:

Use this command to specify the RADIUS dictionary to use for the IPSG RADIUS Server service.


Example:
The following command specifies to use the custom10 RADIUS dictionary:
radius dictionary custom10
setup-timeout

This command allows you to configure a timeout for session setup attempts for the current IPSG service.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
setup-timeout setup_timeout_seconds
default setup-timeout

default

Configures this command with its default setting.

Default: 60 seconds

setup_timeout_seconds

Specifies the time period, in seconds, for which a session setup attempt is allowed to continue before being terminated.

setup_timeout_seconds must be an integer from 1 through 1000000.


Usage:

Use this command to configure a timeout for IPSG session setup attempts.


Example:
The following command configures the timeout for session setup attempts to 30 seconds:
setup-timeout 30