endpoint: Removes the configured accounting endpoint, and the default accounting server configured in the default AAA group will be used.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies records to the local hard disk drive (HDD) and periodically retries the Diameter server.
hd-storage-policy: Disables use of the specified HD storage policy.
max-retries: Disables the configured retry attempts for Diameter accounting in the current AAA group.
max-transmissions: Disables the configured maximum transmission attempts for Diameter accounting in the current AAA group.
server host_name: Removes the configured Diameter host host_name from this AAA server group for Diameter accounting.
dictionary: Sets the context’s dictionary as the system default.
hd-mode: Sends records to the Diameter server; if all Diameter servers are down or unreachable, copies records to the local HDD and periodically retries the Diameter server.
max-retries: Sets the retry attempts for Diameter accounting in the current AAA group to default 0 (disable).
max-transmissions: Sets the configured maximum transmission attempts for Diameter accounting in the current AAA group to default 0 (disable).
request-timeout: Sets the timeout duration, in seconds, for Diameter accounting requests in the current AAA group to default 20.
aaa-custom1 ... aaa-custom10: Configures the custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
nasreq: nasreq dictionary—the dictionary as defined by RFC 3588.
rf-plus: RF Plus dictionary.
endpoint_name must be a string of 1 through 63 characters.
hd_policy must be the name of a configured HD Storage policy, and must be an alphanumeric string of 1 through 63 characters.
This and the hd-mode command are used to enable the storage of Rf Diameter Messages to HDD in case all Diameter Servers are down or unreachable.
max_retries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000.
max-transmissions max_transmissions
max_transmissions must be an integer from 1 through 1000.
request-timeout request_timeout_duration
request_timeout_duration specifies the number of seconds, and must be an integer from 1 through 3600.
server host_name priority priority
host_name specifies the Diameter host name, and must be an alphanumeric string of 1 through 63 characters.
priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.
dictionary: Sets the context’s dictionary as the system default.
endpoint: Removes the configured authentication endpoint, and the default server configured in default AAA group will be used.
max-retries: Disables the configured retry attempts for Diameter authentication in the current AAA group.
max-transmissions: Disables the configured maximum transmission attempts for Diameter authentication in the current AAA group.
server host_name: Removes the configured Diameter host host_name from this AAA server group for Diameter authentication.
max-retries: Sets the retry attempts for Diameter authentication requests in the current AAA group to default 0 (disable).
max-transmissions: Sets the configured maximum transmission attempts for Diameter authentication in the current AAA group to default 0 (disable).
redirect-host-avp: Sets the redirect choice to default (just-primary).
request-timeout: Sets the timeout duration, in seconds, for Diameter authentication requests in the current AAA group to default 20.
aaa-custom1 ... aaa-custom8, aaa-custom10 ... aaa-custom20: Configures the custom dictionaries. Even though the CLI syntax supports several custom dictionaries, not necessarily all of them have been defined. If a custom dictionary that has not been implemented is selected, the default dictionary will be used.
Important: aaa-custom11 dictionary is only available in StarOS 8.1 and later releases. aaa-custom12 to aaa-custom20 dictionaries are only available in StarOS 9.0 and later releases.
aaa-custom9: Configures the STa standard dictionary.
nasreq: nasreq dictionary—the dictionary as defined by RFC 3588.
endpoint_name must be an alphanumeric string of 1 through 63 characters.
max_retries specifies the maximum number of retry attempts, and must be an integer from 1 through 1000.
max-transmissions max_transmissions
max_transmissions specifies the maximum number of transmission attempts, and must be an integer from 1 through 1000.
just-primary: Redirect only to primary host.
primary-then-secondary: Redirect to the primary host; if that fails, redirect to the secondary host.
request-timeout request_timeout_duration
request_timeout_duration specifies the number of seconds the system will wait for a response from a Diameter server before re-transmitting the request, and must be an integer from 1 through 3600.
server host_name priority priority
host_name specifies the Diameter authentication server’s host name, and must be an alphanumeric string of 1 through 63 characters.
priority specifies the relative priority of this Diameter host. The priority is used in server selection. The priority must be an integer from 1 through 1000.
result-code start_result_code [ to end_result_code ] action { continue | retry-and-terminate | terminate }
start_result_code: Specifies the result code number, must be an integer from 1 through 65535.
to end_result_code: Specifies the upper limit of a range of result codes. to end_result_code must be greater than start_result_code.
The following commands configure result codes 5001, 5002, 5004, and 5005 to use “action continue” and result code 5003 to use “action terminate”:
This command is deprecated and is replaced by the diameter accounting dictionary and diameter authentication dictionary commands. See the diameter accounting and diameter authentication commands respectively.
radius { deadtime minutes | detect-dead-server { consecutive-failures consecutive_failures_count | response-timeout response_timeout_duration } | dictionary dictionary | max-outstanding max_messages | max-retries max_retries | max-transmissions max_transmissions | probe-message local-service-address ipv4/ipv6_address | strip-domain { authentication-only | accounting-only } | timeout idle_seconds }
XX is the integer value of the custom dictionary.
Important: In 12.0 and later releases, no new attributes can be added to the starent-vsa1 dictionary. If there are any new attributes to be added, these can only be added to the starent dictionary. For more information, please contact your Cisco account representative.
Important: This parameter should be set to allow enough time to remedy the issue that originally caused the server’s state to be changed to “Down”. After the deadtime timer expires, the system returns the server’s state to “Active” regardless of whether or not the issue has been fixed.
Important: For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior appendix in the AAA and GTPP Interface Administration and Reference.
detect-dead-server { consecutive-failures consecutive_failures_count | keepalive | response-timeout response_timeout_duration }
consecutive-failures consecutive_failures_count: Specifies the number of consecutive failures, for any AAA Manager, before a server’s state is changed from “Active” to “Down”.
consecutive_failures_count must be an integer from 1 through 1000. Default: 4.
keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default is disabled.
response-timeout response_timeout_duration: Specifies the number of seconds, for any AAA Manager, to wait for a response to any message before a server’s state is changed from “Active” to “Down”.
response_timeout_duration must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters must be met before a server’s state is changed to “Down”.
Important: The “Active” or “Down” state of a RADIUS server as defined by the system is based on accessibility and connectivity. For example, if the server is functional but the system has placed it into a “Down” state, it could be the result of a connectivity problem. When a RADIUS server’s state is changed to “Down”, a trap is sent to the management station and the deadtime timer is started.
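The interaction of consecutive-failures, response-timeout and deadtime described above, as an added example (not Cisco code): a simplified Python model of one server's state as seen by a single AAA Manager. The class and function names, the 10-minute deadtime, and the reading of response-timeout as "seconds since the last response" are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

ACTIVE, DOWN = "Active", "Down"


@dataclass
class DeadServerPolicy:
    """detect-dead-server and deadtime settings; None = keyword not configured."""
    consecutive_failures: Optional[int] = 4   # default given on this page
    response_timeout: Optional[int] = None    # seconds
    deadtime_minutes: int = 10                # constructed value for the demo


class ServerState:
    """Hypothetical model of one RADIUS server as seen by one AAA Manager."""

    def __init__(self, policy: DeadServerPolicy, now: int = 0):
        self.policy = policy
        self.state = ACTIVE
        self.failures = 0
        self.last_response = now   # assumption: a response was seen at start
        self.down_since: Optional[int] = None
        self.traps = []            # stands in for traps to the management station

    def _expire_deadtime(self, now: int) -> None:
        # When deadtime runs out the server returns to Active whether or not
        # the underlying problem was fixed.
        if self.state == DOWN and now - self.down_since >= self.policy.deadtime_minutes * 60:
            self.state = ACTIVE
            self.failures = 0
            self.last_response = now   # assumption: timers restart on reactivation
            self.down_since = None

    def on_response(self, now: int) -> str:
        self._expire_deadtime(now)
        self.failures = 0
        self.last_response = now
        return self.state

    def on_failure(self, now: int) -> str:
        self._expire_deadtime(now)
        if self.state == DOWN:
            return self.state
        self.failures += 1
        p = self.policy
        conditions = []
        if p.consecutive_failures is not None:
            conditions.append(self.failures >= p.consecutive_failures)
        if p.response_timeout is not None:
            conditions.append(now - self.last_response >= p.response_timeout)
        # If both keywords are configured, both must be met.
        if conditions and all(conditions):
            self.state = DOWN
            self.down_since = now
            self.traps.append((now, "server Down, deadtime started"))
        return self.state

    def check(self, now: int) -> str:
        self._expire_deadtime(now)
        return self.state


def replay(policy: DeadServerPolicy, events):
    """events: time-ordered (seconds, 'fail' | 'ok' | 'check'); returns state after each."""
    server = ServerState(policy)
    handlers = {"fail": server.on_failure, "ok": server.on_response, "check": server.check}
    return [handlers[kind](t) for t, kind in events]


if __name__ == "__main__":
    both = DeadServerPolicy(consecutive_failures=4, response_timeout=30, deadtime_minutes=10)
    # Constructed timeline: timeouts at 5..35 s, then checks around deadtime expiry.
    timeline = [(5, "fail"), (10, "fail"), (15, "fail"), (20, "fail"), (35, "fail"),
                (634, "check"), (635, "check"), (640, "fail")]
    for (t, kind), state in zip(timeline, replay(both, timeline)):
        print(f"t={t:>4}s {kind:<5} -> {state}")
```

In this timeline the server is marked Down only at t=35 s, when both conditions hold, and it is Active again at t=635 s even though the next event is still a failure.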
max_messages must be an integer from 1 through 4000.
max_retries must be an integer from 0 through 65535.
max-transmissions max_transmissions
max_transmissions must be an integer from 1 through 65535.
radius probe-message: Configures AVPs to be sent in RADIUS authentication probe messages.
local-service-address: Configures the service ip-address to be sent as an AVP in RADIUS authentication probe messages.
ipv4/ipv6_address: Specifies the IP address of the server.
ip_address must be specified in IPv4 dotted-decimal or IPv6 colon-separated notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
When the argument authentication-only or accounting-only is present, strip-domain is applied only to the specified RADIUS message types.
idle_seconds must be an integer from 1 through 65535.
radius accounting { archive [ stop-only ] | deadtime minutes | detect-dead-server { consecutive-failures consecutive_failures_count | keepalive | response-timeout response_timeout_duration } | fire-and-forget | interim interval interim_interval | max-outstanding max_messages | max-pdu-size octets | max-retries max_retries | max-transmissions max_transmissions | timeout idle_seconds }
stop-only specifies archiving of only STOP accounting messages.
minutes must be an integer from 0 through 65535.
Important: This parameter should be set to allow enough time to remedy the issue that originally caused the server’s state to be changed to “Down”. After the deadtime timer expires, the system returns the server’s state to “Active” regardless of whether or not the issue has been fixed.
Important: For a complete explanation of RADIUS server states, refer to the RADIUS Server State Behavior Appendix in the AAA and GTPP Interface Administration and Reference.
detect-dead-server { consecutive-failures consecutive_failures_count | keepalive | response-timeout response_timeout_duration }
consecutive-failures consecutive_failures_count: Specifies the number of consecutive failures, for any AAA Manager, before a server’s state is changed from “Active” to “Down”.
consecutive_failures_count must be an integer from 1 through 1000. Default: 4
keepalive: Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default: disabled
response-timeout response_timeout_duration: Specifies the number of seconds, for any AAA Manager, to wait for a response to any message before a server’s state is changed from “Active” to “Down”.
response_timeout_duration must be an integer from 1 through 65535.
Important: If both consecutive-failures and response-timeout are configured, then both parameters must be met before a server’s state is changed to “Down”.
Important: The “Active” or “Down” state of a RADIUS server as defined by the system is based on accessibility and connectivity. For example, if the server is functional but the system has placed it into a “Down” state, it could be the result of a connectivity problem. When a RADIUS server’s state is changed to “Down”, a trap is sent to the management station and the deadtime timer is started.
interim interval interim_interval
interim_interval must be an integer from 50 through 40000000.
Important: If RADIUS is used as the accounting protocol for the GGSN product, other commands are used to trigger periodic accounting updates. However, these commands would cause RADIUS STOP/START packets to be sent as opposed to INTERIM-UPDATE packets. Also, note that accounting interim interval settings received from a RADIUS server take precedence over those configured on the system.
max_messages must be an integer from 1 through 4000.
octets must be an integer from 512 through 2048.
max_retries must be an integer from 0 through 65535.
max-transmissions max_transmissions
max_transmissions must be an integer from 1 through 65535.
timeout_duration must be an integer from 1 through 65535.
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. The full set of accounting data is sent to each of the n AAA servers. Response from any one of the servers would suffice to proceed with the call. On receiving an ACK from any one of the servers, all retries are stopped.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
Important: This is a customer-specific keyword and needs a customer-specific license to use this feature. For more information on GGSN preservation mode, refer to the GGSN Service Configuration Mode Commands chapter.
interval interim_interval
volume { downlink bytes uplink bytes | total bytes | uplink bytes downlink bytes }
downlink bytes uplink bytes: Specifies the downlink to uplink volume limit, in bytes, for RADIUS Interim accounting.
bytes must be an integer from 100000 through 4000000000.
total bytes: Specifies the total volume limit, in bytes, for RADIUS interim accounting.
bytes must be an integer from 100000 through 4000000000.
uplink bytes downlink bytes: Specifies the uplink to downlink volume limit, in bytes, for RADIUS interim accounting.
bytes must be an integer from 100000 through 4000000000.
list_id must be an integer from 1 through 65535.
Individual subscribers can be associated with remote IP address lists through the configuration/specification of an attribute in their local or RADIUS profile. (Refer to the radius accounting command in the Subscriber Configuration mode.) When configured/specified, accounting data is collected pertaining to the subscriber’s communication with any of the remote addresses specified in the list.
id must be an alphanumeric string of size 1 to 15 characters.
consecutive-response consecutive_responses
consecutive_responses must be an integer from 1 through 10.
ip_address must be specified using IPv4 dotted-decimal notation.
number must be an integer from 3 through 10.
timeout_duration must be an integer from 1 through 30.
user_name must be an alphanumeric string of 1 through 127 characters.
• immediate: Indicates that accounting STOP should be generated immediately on handoff, that is, without waiting for active-stop from the old PCF.
• wait-active-stop: Indicates that accounting STOP is generated only when active-stop is received from the old PCF when handoff occurs.
Default: wait-active-stop
minute must be an integer from 0 through 59.
hour must be an integer from 0 through 23.
• active-handoff: Disables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Instead, two R-P events occur (one for the Connection Setup, and the second for the Active-Start).
• active-start-param-change: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
• active-stop: Disables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
Default: active-handoff: Disabled
Important: This keyword has been obsoleted by the trigger-policy keyword. Note that if this command is used, the radius accounting rp configuration is represented in terms of the trigger-policy when the context configuration is displayed.
Default: airlink-usage: Disabled
• airlink-usage [ counter-rollover ]: Specifies the use of Airlink-Usage RADIUS accounting policy for R-P, which generates a start on Active-Starts, and a stop on Active-Stops.
  If the counter-rollover option is enabled, the system generates a STOP/START pair before input/output data octet counts (or input/output data packet counts) become larger than (2^32 - 1) in value. This setting is used to guarantee that a 32-bit octet count in any STOP message has not wrapped to larger than 2^32, thus ensuring the accuracy of the count. The system may, at its discretion, send the STOP/START pair at any time, so long as it does so before the 32-bit counter has wrapped. Note that a STOP/START pair is never generated unless the subscriber RP session is in the Active state, since octet/packet counts are not accumulated when in the Dormant state.
• custom: Specifies the use of custom RADIUS accounting policy for R-P. The custom policy can consist of the following:
  • active-handoff: Enables a single R-P event (and therefore a RADIUS accounting event) when an Active PCF-to-PCF Handoff occurs. Normally two R-P events will occur (one for the Connection Setup, and the second for the Active-Start).
  • active-start-param-change: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Start is received from the PCF and there has been a parameter change.
    Important: Note that a custom trigger policy with only active-start-param-change enabled is identical to the standard trigger-policy.
  • active-stop: Enables an R-P event (and therefore a RADIUS accounting event) when an Active-Stop is received from the PCF.
  Important: If the radius accounting rp trigger-policy custom command is executed without any of the optional keywords, all custom options are disabled.
• standard: Specifies the use of Standard RADIUS accounting policy for R-P in accordance with IS-835B.
radius [ mediation-device ] accounting server ip_address [ encrypted ] key value [ acct-on { disable | enable } ] [ acct-off { disable | enable } ] [ admin-status { disable | enable } ] [ max max_messages ] [ max-rate max_value ] [ oldports ] [ port port_number ] [ priority priority ] [ type { mediation-device | standard } ] [ -noconfirm ]
Important: If this option is not used, by default the system enables standard AAA transactions.
ip_address [ port port_number ]
Specifies the IP address of the accounting server. ip_address must be specified using IPv4 dotted-decimal notation. A maximum of 1600 RADIUS servers per context/system and 128 servers per server group can be configured. This limit includes accounting and authentication servers.
port port_number specifies the port number to use for communications.
port_number must be an integer from 0 through 65535. Default is 1813.
Important: The same RADIUS server IP address and port can be configured in multiple RADIUS server groups within a context.
In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.
In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
max_messages must be an integer from 1 through 256.
max_value must be an integer from 0 through 1000.
priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
mediation-device: Obsolete keyword.
standard: Use standard AAA transactions.
enable: Enables the RADIUS accounting server.
disable: Disables the RADIUS accounting server.
Important: Please note that this command is applicable ONLY to CDMA products. To configure this functionality in UMTS/LTE products (GGSN/P-GW), use the command mediation-device delay-GTP-response in APN Configuration mode.
radius attribute { nas-identifier nas_id | nas-ip-address address primary_address [ backup secondary_address ] [ nexthop-forwarding-address nexthop_address ] [ mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ] [ vlan vlan_id ] ] }
primary_address: The IP address of the primary interface to use in the current context. This must be specified using the IPv4 dotted-decimal notation.
Important: In 12.0 and earlier releases, the configuration of NAS IP address with IPv6 prefix is currently not supported.
backup: The IP address of the secondary interface to use in the current context. This must be specified using IPv4 dotted-decimal notation.
nexthop_address must be specified using IPv4 dotted-decimal notation.
Important: To define more than one NAS IP address per context, in Global Configuration Mode use the aaa large-configuration command. If enabled, for a PDSN a maximum of 400 and for a GGSN a maximum of 800 NAS IP addresses/NAS identifiers (1 primary and 1 secondary per server group) can be configured per context.
mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]
• in_label_value is the MPLS label that will identify inbound traffic destined for the configured NAS IP address.
• out_label_value1 and out_label_value2 identify the MPLS labels to be added to packets sent from the specified NAS IP address.
vlan_id must be a pre-configured VLAN ID, and must be an integer from 1 through 4096. It is the VLAN ID to be provided to the system in RADIUS attributes.
gi: Specifies the usage of Gi APN name in RADIUS authentication request. Gi APN represents the APN received in the Create PDP Context request message from SGSN.
gn: Specifies the usage of Gn APN name in RADIUS authentication request. Gn APN represents the APN selected by the GGSN.
radius charging { deadtime dead_time | detect-dead-server { consecutive-failures consecutive_failures_count | response-timeout response_timeout_duration } | max-outstanding max_messages | max-retries max_retries | max-transmissions max_transmissions | timeout idle_seconds }
dead_time must be an integer from 0 through 65535.
detect-dead-server { consecutive-failures consecutive_failures_count | response-timeout response_timeout_duration }
consecutive-failures consecutive_failures_count: Specifies the number of consecutive failures, for each AAA Manager, before a server is marked as unreachable.
consecutive_failures_count must be an integer from 1 through 1000.
response-timeout response_timeout_duration: Specifies the number of seconds for each AAA Manager to wait for a response to any message before a server is detected as failed, or in a down state.
response_timeout_duration must be an integer from 1 through 65535.
max_messages must be an integer from 1 through 4000.
max_retries must be an integer from 0 through 65535.
max-transmissions max_transmissions
max_transmissions must be an integer from 1 through 65535.
idle_seconds must be an integer from 1 through 65535.
The following command sets the timeout value to 300 seconds to wait for a response from RADIUS server before resending the messages:
Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. Response from any one of the n AAA servers would suffice to proceed with the call. The full set of accounting data is sent to each of the n AAA servers.
n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128.
radius charging accounting server ip_address [ encrypted ] key value [ max max_messages ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
Specifies the IP address of the accounting server. ip_address must be specified using IPv4 dotted-decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.
In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
port_number must be an integer from 0 through 65535.
radius charging server ip_address [ encrypted ] key value [ max max_messages ] [ oldports ] [ port port_number ] [ priority priority ] [ admin-status { enable | disable } ] [ -noconfirm ]
Specifies the IP address of the server. ip_address must be specified using IPv4 dotted-decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.
In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.
In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.
The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
port_number must be an integer from 1 through 65535.
priority must be an integer from 1 through 1000, where 1 is the highest priority.
vrf_name is the name of a pre-configured virtual routing and forwarding (VRF) context configured in Context configuration mode through the ip vrf command.
Caution: Any incorrect configuration, such as associating an AAA group with the wrong VRF instance or removing a VRF instance, will cause RADIUS communication to fail.
radius keepalive { calling-station-id id | consecutive-response number | encrypted | interval seconds | password | retries number | timeout seconds | username user_name | valid-response access-accept [ access-reject ] }
id must be an alphanumeric string of size 1 to 15 characters.
number must be an integer from 1 through 10.
In 12.1 and earlier releases, the password must be an alphanumeric string of 1 through 63 characters.
In 12.2 and later releases, the password must be an alphanumeric string of 1 through 132 characters.
password must be an alphanumeric string of 1 through 63 characters.
number must be an integer from 3 through 10.
timeout_duration must be an integer from 1 through 30.
user_name must be an alphanumeric string of 1 through 127 characters.
If access-reject is configured, then both access-accept and access-reject are considered as success for the keepalive authentication request.
If access-reject is not configured, then only access-accept is considered as success for the keepalive access request.
Default: keepalive valid-response access-accept
seconds must be an integer from 1 through 65535.
retries must be an integer from 0 through 65535.
idle_seconds must be an integer from 0 through 65535.
radius server ip_address [ encrypted ] key value [ admin-status { disable | enable } ] [ max max_messages ] [ max-rate max_value ] [ oldports ] [ port port_number ] [ priority priority ] [ probe | no-probe ] [ probe-username user_name ] [ probe-password [ encrypted ] password password ] [ type { mediation-device | standard } ] [ -noconfirm ]
ip_address port port_number
ip_address: Must be specified using IPv4 dotted-decimal notation. A maximum of 1600 RADIUS servers per context/system and 128 servers per Server group can be configured. This limit includes accounting and authentication servers.
port port_number: Specifies the port number to use for communications.
port_number must be an integer from 1 through 65535.
Important: The same RADIUS server IP address and port can be configured in multiple RADIUS server groups within a context.
In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.
In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.
max_messages must be an integer from 0 through 4000.
max_value must be an integer from 0 through 1000.
priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.
encrypted: This keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.
password password: Specifies the probe-user password for authentication.
password must be an alphanumeric string of 1 through 63 characters.
mediation-device: Specifies mediation-device specific AAA transactions. This device is available if you purchased a transaction control services license. Contact your local Cisco representative for licensing information.
standard: Specifies standard AAA transactions. (Default)
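A pre-deployment check for hand-written configuration scripts, as an added example (not Cisco tooling): it parses radius server lines using the syntax and ranges documented above and reports plain-text keys, out-of-range values, non-IPv4 addresses and reused priorities, without echoing key values. The function names and the sample lines (documentation addresses, made-up key strings) are constructed, and the key-length limits assume release 12.2 or later.

```python
import ipaddress
from collections import defaultdict

# Ranges as documented on this page for the `radius server` command.
RANGES = {"max": (0, 4000), "max-rate": (0, 1000),
          "port": (1, 65535), "priority": (1, 1000)}
# Key length limits for 12.2 and later releases: {encrypted?: (min, max)}.
KEY_LEN = {False: (1, 127), True: (1, 236)}


def parse_radius_server(line):
    """Return a dict for a `radius server` line, or None for any other line."""
    tok = line.split()
    if tok[:2] != ["radius", "server"] or len(tok) < 5:
        return None
    entry = {"ip": tok[2], "encrypted": False, "key": None,
             "opts": {}, "noconfirm": "-noconfirm" in tok}
    i = 3
    if tok[i] == "encrypted":
        entry["encrypted"] = True
        i += 1
    if i + 1 < len(tok) and tok[i] == "key":
        entry["key"] = tok[i + 1]
        i += 2
    while i + 1 < len(tok):          # collect keyword/value pairs with a range
        if tok[i] in RANGES:
            entry["opts"][tok[i]] = tok[i + 1]
            i += 2
        else:
            i += 1
    return entry


def audit(config_text):
    """Return sorted (line_number, field, message) findings; never echoes keys."""
    findings = []
    by_priority = defaultdict(list)
    for n, line in enumerate(config_text.splitlines(), 1):
        e = parse_radius_server(line.strip())
        if e is None:
            continue
        try:
            ipaddress.IPv4Address(e["ip"])
        except ValueError:
            findings.append((n, "ip", "not an IPv4 dotted-decimal address"))
        if e["key"] is None:
            findings.append((n, "key", "no key value found"))
        else:
            lo, hi = KEY_LEN[e["encrypted"]]
            if not lo <= len(e["key"]) <= hi:
                findings.append((n, "key", f"length outside {lo}-{hi}"))
            if not e["encrypted"]:
                findings.append((n, "key", "shared secret in plain text (no encrypted keyword)"))
        for kw, raw in e["opts"].items():
            lo, hi = RANGES[kw]
            if not (raw.isascii() and raw.isdigit() and lo <= int(raw) <= hi):
                findings.append((n, kw, f"must be an integer from {lo} through {hi}"))
        if "priority" in e["opts"]:
            by_priority[e["opts"]["priority"]].append((n, e["noconfirm"]))
    for prio, users in by_priority.items():
        first_line = users[0][0]
        for n, noconfirm in users[1:]:
            note = " (prompt suppressed by -noconfirm)" if noconfirm else ""
            findings.append((n, "priority",
                             f"priority {prio} already used on line {first_line}{note}"))
    return sorted(findings)


# Constructed sample: RFC 5737 / RFC 3849 addresses and made-up key strings.
SAMPLE = """\
radius server 192.0.2.10 encrypted key 3a9f0c11e2 port 1812 priority 1
radius server 192.0.2.11 key Lab12345 port 1812 priority 2
radius server 192.0.2.12 encrypted key 77b1d04c9e port 70000 priority 2 -noconfirm
radius server 2001:db8::5 encrypted key 5c2e8a7741 priority 3
"""

if __name__ == "__main__":
    for line_no, field, message in audit(SAMPLE):
        print(f"line {line_no}: {field}: {message}")
```

Because the chassis saves only the encrypted key, a key line without the encrypted keyword points to a hand-edited script or template rather than a saved configuration.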