IPSG RADIUS Snoop Configuration Mode Commands

The IP Services Gateway (IPSG) RADIUS Snoop Configuration Mode is used to create and configure IPSG services within the current context. The IPSG RADIUS Snoop Mode configures the system to inspect RADIUS accounting requests on the way to the RADIUS accounting server and extract user information.

IMPORTANT:

The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).

bind

This command allows you to configure the service to accept data on any interface configured in the context. Optionally, you can also configure the system to limit the number of sessions processed by this service.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
bind [ max-subscribers max_sessions ]no bind
no

If previously configured, deletes the binding configuration for the service.

max-subscribers max_sessions

Specifies the maximum number of subscriber sessions allowed for the service. If this option is not configured, the system defaults to the license limit.

In StarOS 9.0 and later releases, max_sessions must be an integer from 0 through 4000000.

In StarOS 8.3 and earlier releases, max_sessions must be an integer from 0 through 3000000.


Usage:

Use this command to initiate the service and begin accepting data on any interface configured in the context.


Example:
The following command prepares the system to receive subscriber sessions on any interface in the context and limits the sessions to 10000:
bind max-subscribers 10000
connection authorization

This command allows you to configure the RADIUS authorization password that must be matched by the RADIUS accounting requests “snooped” by this service.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
connection authorization [ encrypted ] password passwordno connection authorization
no

Deletes the RADIUS connection authorization configuration from the current IPSG RADIUS snoop service.

[ encrypted ] password password
  • encrypted: Specifies that the received RADIUS authorization password is encrypted.
  • password password: Specifies the password that must be matched by incoming RADIUS accounting requests.In StarOS 12.1 and earlier releases, password must be an alphanumeric string of 1 through 63 characters.

Usage:

RADIUS accounting requests being examined by the IPSG RADIUS snoop service are destined for a RADIUS Accounting Server. Since the “snoop” service does not terminate user authentication, the user password is unknown.

Use this command to configure the authorization password that the RADIUS accounting requests must match in order for the service to examine and extract user information.


Example:
The following command sets the RADIUS authorization password that must be matched by the RADIUS accounting requests “snooped” by this service. The password is encrypted, and the password used in this example is “secret”.
connection authorization
encrypted password secret
end

Exits the current configuration mode and returns to the Exec mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
end

Usage:

Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Product:

All


Privilege:

Security Administrator, Administrator


Syntax
exit

Usage:

Use this command to return to the parent configuration mode.

radius

This command allows you to specify the RADIUS accounting servers where accounting requests are sent after being “inspected” by this service.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
[ no ] radius { accounting
server ipv4/ipv6_address [ port port_number | source-context context_name ] | dictionary { 3gpp2 | 3gpp2-835 | customXX | standard | starent | starent-835 | starent-vsa1 | starent-vsa1-835 } }
no

Removes the RADIUS accounting server identifier from this service.

radius accounting server ipv4/ipv6_address

Specifies the IP address of a RADIUS accounting server where accounting requests are sent after being “snooped” by this service in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

Up to 16 addresses can be configured.

port port_number

Specifies the port number of the RADIUS Accounting Server where accounting requests are sent after being “snooped” by this service.

port_number must be an integer from 1 through 65535.

Default: 1813

source-context context_name

Specifies the source context where RADIUS accounting requests are received.

context_name must be an alphanumeric string of 1 through 79 characters.

If this keyword is not configured, the system will default to the context in which the IPSG service is configured.

dictionary { 3gpp2 | 3gpp2-835 | custom XX | standard | starent | starent-835 | starent-vsa1 | starent-vsa1-835 }

Specifies what dictionary to use. The possible values are described in the following table:

Dictionary Description

3gpp

This dictionary consists not only of all of the attributes in the standard dictionary, but also all of the attributes specified in 3GPP 32.015.

3gpp2

This dictionary consists not only of all of the attributes in the standard dictionary, but also all of the attributes specified in IS-835-A.

3gpp2-835

This dictionary consists not only of all of the attributes in the standard dictionary, but also all of the attributes specified in IS-835.

customXX

These are customized dictionaries. For information on custom dictionaries, please contact your Cisco account representative.

XX is the integer value of the custom dictionary.

standard

This dictionary consists only of the attributes specified in RFC 2865, RFC 2866, and RFC 2869.

starent

This dictionary consists of all of the attributes in the starent-vsa1 dictionary and incorporates additional Starent Networks VSAs by using a two-byte VSA Type field. This dictionary is the master-set of all of the attributes in all of the dictionaries supported by the system.

starent-835

This dictionary consists of all of the attributes in the starent-vsa1-835 dictionary and incorporates additional Starent Networks VSAs by using a two-byte VSA Type field. This dictionary is the master-set of all of the attributes in all of the -835 dictionaries supported by the system.

starent-vsa1

This dictionary consists not only of the 3gpp2 dictionary, but also includes Starent Networks vendor-specific attributes (VSAs) as well. The VSAs in this dictionary support a one-byte wide VSA Type field in order to support certain RADIUS applications. The one-byte limit allows support for only 256 VSAs (0–255). This is the default dictionary.

starent-vsa1-835

This dictionary consists not only of the 3gpp2-835 dictionary, but also includes Starent Networks vendor-specific attributes (VSAs) as well. The VSAs in this dictionary support a one-byte wide VSA Type field in order to support certain RADIUS applications. The one-byte limit allows support for only 256 VSAs (0–255). This is the default dictionary.




Usage:

Use this command to specify the RADIUS Accounting Servers where accounting requests are sent after being snooped by this service.


Example:
The following command specifies the IP address (10.2.3.4) of a RADIUS Accounting Server whose accounting requests are to be “snooped”, and the source context (aaa_ingress) where the requests are received on the system:
radius accounting server
10.2.3.4 source-context aaa_ingress
setup-timeout

This command allows you to configure the timeout value for IPSG session setup attempts.

Platform:

ASR 5000

Product:

IPSG


Privilege:

Security Administrator, Administrator


Syntax
setup-timeout setup_timeoutdefault setup-timeout
setup_timeout

Specifies the period of time (in seconds) the IPSG session setup is allowed to continue before the setup attempt is terminated.

setup_timeout must be an integer from 1 through 1000000.

Default: 60


Usage:

Use this command to prevent IPSG session setup attempts from continuing without termination.


Example:
The following command configures the session setup timeout setting to 20 seconds:
setup-timeout 20