IPSG RADIUS Server Configuration Mode Commands


The IP Services Gateway (IPSG) RADIUS Server Configuration Mode is used to create and configure IPSG services in the current system context. The IPSG RADIUS Server Mode configures the system to receive RADIUS accounting requests as if it is a RADIUS Accounting Server, and reply after accessing those requests for user information.
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
bind
Binds the IPSG RADIUS Server service to a logical AAA interface and specifies the number of allowed subscriber sessions.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
bind { accounting-proxy address ipv4/ipv6_address | address ipv4/ipv6_address } [ max-subscribers max_sessions | port port_number | source-context source_context ]
bind authentication-proxy address ipv4/ipv6_address [ acct-port port_number | auth-port port_number | max-subscribers max_sessions | source-context source_context ]
no bind
no
Removes the binding for the service.
{ accounting-proxy address ipv4/ipv6_address | address ipv4/ipv6_address } [ max-subscribers max_sessions | port port_number | source-context source_context ]
accounting-proxy address ipv4/ipv6_address: Specifies the IP address of the interface where accounting proxy requests are received by this service in IPv4 dotted-decimal or IPv6 colon-separated notation.
address ipv4/ipv6_address: Specifies the IP address of the interface where accounting requests are received by this service in IPv4 dotted-decimal or IPv6 colon-separated notation.
max-subscribers max_sessions: Specifies the maximum number of subscriber sessions allowed for the service. If this option is not configured, the system defaults to the license limit.
In 8.3 and earlier releases, max_sessions must be an integer from 0 through 3000000.
In 9.0 and later releases, max_sessions must be an integer from 0 through 4000000.
port port_number: Specifies the port number of the interface where accounting requests are received by this service.
port_number must be an integer from 1 through 65535.
Default: 1813
source-context source_context: Specifies the source context where RADIUS accounting requests are received.
source_context must be an alphanumeric string of 1 through 79 characters.
This keyword should be configured if the source of the RADIUS requests is in a different context than the IPSG service. If this keyword is not configured, the system will default to the context in which the IPSG service is configured.
authentication-proxy address ipv4/ipv6_address [ acct-port port_number | auth-port port_number | max-subscribers max_sessions | source-context source_context ]
authentication-proxy address ipv4/ipv6_address: Specifies the IP address of the interface where authentication proxy requests are received by this service in IPv4 dotted-decimal or IPv6 colon-separated notation.
Important: Enabling authentication proxy also enables accounting proxy.
acct-port port_number: Specifies the port number of the interface where accounting proxy requests are received by this service.
port_number must be an integer from 0 through 65535.
Default: 1813
auth-port port_number: Specifies the port number of the interface where authentication proxy requests are received by this service.
port_number must be an integer from 0 through 65535.
Default: 1812
max-subscribers max_sessions: Specifies the maximum number of subscriber sessions allowed for the service. If this option is not configured, the system defaults to the license limit.
In 8.3 and earlier releases, max_sessions must be an integer from 0 through 3000000.
In 9.0 and later releases, max_sessions must be an integer from 0 through 4000000.
source-context source_context: Specifies the source context where RADIUS accounting requests are received.
source_context must be an alphanumeric string of 1 through 79 characters.
This keyword should be configured if the source of the RADIUS requests is in a different context than the IPSG service. If this keyword is not configured, the system will default to the context in which the IPSG service is configured.
Usage
Use this command to bind the IPSG RADIUS Server service to a logical AAA interface and specify the number of allowed subscriber sessions. If the AAA interface is not located in this context, configure the source-context parameter.
Use the accounting and authentication proxy settings to enable RADIUS proxy server functionality on the IPSG. These commands are used when the NAS providing the RADIUS request messages is incapable of sending them to two separate devices. The IPSG in RADIUS Server mode proxies the RADIUS request and response messages while performing the user identification task in order to provide services to the session.
Example
The following command binds the service to a AAA interface with an IP address of 10.2.3.4 located in the source context named aaa_ingress:
bind address 10.2.3.4 source-context aaa_ingress
connection authorization
Configures the RADIUS authorization password that must be matched by the RADIUS accounting requests received by this service.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
connection authorization [ encrypted ] password password
no connection authorization
no
Deletes the RADIUS authorization from the current IPSG RADIUS Server service.
[ encrypted ] password password
encrypted: Specifies that the RADIUS authorization password is encrypted.
password password: Specifies the password that must be matched by incoming RADIUS accounting requests.
In 12.0 and earlier releases, password must be an alphanumeric string of 1 through 63 characters.
In 12.2 and later releases, with encryption, password must be an alphanumeric string of 1 through 132 characters; without encryption, password must be an alphanumeric string of 1 through 63 characters.
Usage
The IPSG RADIUS server service does not terminate RADIUS user authentication so the user password is unknown.
Use this command to configure the authorization password that the RADIUS accounting requests must match in order for the service to examine and extract user information.
Example
The following command sets the RADIUS authorization password that must be matched by the RADIUS accounting requests sent to this service. The password must be encrypted and the example provided is the word “secret”.
connection authorization encrypted password secret
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to return to the Exec mode.
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
profile
Configures the service to use Access Point Name (APN) or subscriber profiles.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
profile { APN | subscriber }
default profile
default
Configures the default setting for this command.
Default: APN
APN
Specifies the service to support APN configuration required to enable Gx support.
subscriber
Specifies the service to support subscriber profile lookup.
Usage
Use this command to set the service to support APN profiles (supporting Gx through the enabling of ims-auth-service) or for basic subscriber profile lookup.
radius accounting
Specifies the IP address and shared secret of the RADIUS accounting client from which RADIUS accounting requests are received. The RADIUS client can be either the access gateway or the RADIUS accounting server depending on which device is sending accounting requests.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
radius accounting { { client { ipv4/ipv6_address | ipv4/ipv6_address/mask } [ encrypted ] key secret [ dictionary dictionary ] [ disconnect-message [ dest-port destination_port ] ] } | { interim create-new-call } }
no radius accounting client { ipv4/ipv6_address | ipv4/ipv6_address/mask }
default radius accounting interim create-new-call
no
Removes the RADIUS accounting client address identifier from the service.
ipv4/ipv6_address | ipv4/ipv6_address/mask
Specifies the IP address and, optionally, subnet mask of the RADIUS client from which RADIUS accounting requests are received.
ipv4/ipv6_address and ipv4/ipv6_address/mask are expressed in IPv4 dotted-decimal or IPv6 colon-separated notation with CIDR.
Up to 16 addresses can be configured.
dictionary dictionary
Specifies what dictionary database to use. The possible values for dictionary are described in the following table:
X is the integer value of the custom dictionary.
Important: In 12.0 and later releases, no new attributes can be added to the starent-vsa1 dictionary. If there are any new attributes to be added, these can only be added to the starent dictionary. For more information, please contact your Cisco account representative.
[ encrypted ] key secret
encrypted: Specifies that the shared key between the RADIUS client and this service is encrypted.
key secret: Specifies the shared key between the RADIUS client and this service.
In 12.0 and earlier releases, secret must be an alphanumeric string of 1 through 127 characters and is case sensitive.
In 12.2 and later releases, with encryption, secret must be an alphanumeric string of 1 through 236 characters and is case sensitive; without encryption, secret must be an alphanumeric string of 1 through 127 characters and is case sensitive.
disconnect-message [ dest-port destination_port ]
Specifies that a disconnect message is sent.
dest-port destination_port: Specifies the port number to which the disconnect message must be sent. destination_port must be an integer from 1 through 65535.
interim create-new-call
Enables the ability to create a new session upon receipt of a RADIUS interim message. Default: Disabled
Usage
Use this command to configure the communication with the RADIUS client from which RADIUS accounting requests are received.
Example
The following command configures the service to communicate with a RADIUS client with an IP address of 10.2.3.4 and an encrypted shared secret of secret_1234:
radius accounting client 10.2.3.4 encrypted key secret_1234
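As an added example (not Cisco code and not part of the original reference), the following Python function audits radius accounting client lines in a saved configuration against the limits documented above for 12.2 and later releases: 16 client entries, key length, and dest-port range. It also flags keys entered without the encrypted keyword. The minimum prefix lengths, the function name, and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
import re

# Limits from the reference above (12.2 and later releases).
MAX_CLIENTS, MAX_KEY_PLAIN, MAX_KEY_ENCRYPTED = 16, 127, 236

CLIENT_RE = re.compile(
    r"^radius accounting client (?P<addr>\S+)(?P<enc> encrypted)? key (?P<key>\S+)"
    r"(?: dictionary \S+)?(?: disconnect-message(?: dest-port (?P<port>\d+))?)?$"
)

# Constructed sample configuration (addresses and keys are made up).
SAMPLE = """\
bind address 10.2.3.4 source-context aaa_ingress
radius accounting client 10.2.3.4 encrypted key secret_1234
radius accounting client 10.0.0.0/8 key lab_key
radius accounting client 2001:db8::10 encrypted key k9 disconnect-message dest-port 70000
"""

def audit_radius_clients(config_text, min_prefix_v4=24, min_prefix_v6=64):
    """Return (line_number, message) findings; min_prefix_* is local policy, not a product limit."""
    findings, clients = [], 0
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise indentation and spacing
        if not line.startswith("radius accounting client "):
            continue
        m = CLIENT_RE.match(line)
        if not m:
            findings.append((n, "does not match the documented syntax"))
            continue
        clients += 1
        if clients > MAX_CLIENTS:
            findings.append((n, "more than 16 client entries"))
        try:
            net = ipaddress.ip_network(m["addr"], strict=False)
            floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
            if net.prefixlen < floor:
                findings.append((n, f"/{net.prefixlen} lets a wide range share one key"))
        except ValueError:
            findings.append((n, "invalid address or mask"))
        limit = MAX_KEY_ENCRYPTED if m["enc"] else MAX_KEY_PLAIN
        if not 1 <= len(m["key"]) <= limit:
            findings.append((n, f"key length outside 1..{limit}"))
        if not m["enc"]:
            findings.append((n, "key entered without the encrypted keyword"))
        if m["port"] and not 1 <= int(m["port"]) <= 65535:
            findings.append((n, "dest-port outside 1..65535"))
    return findings
```

Calling audit_radius_clients(SAMPLE) reports the /8 client range and the unencrypted key on line 3 and the out-of-range dest-port on line 4.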
radius dictionary
Configures the RADIUS database dictionary for use with the IPSG service.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
radius dictionary dictionary
default radius dictionary
dictionary dictionary
Default: starent-vsa1
Specifies what dictionary database to use. The possible values for dictionary are described in the table that follows:
XX is the integer value of the custom dictionary.
Usage
Use this command to specify the RADIUS database dictionary to use for the IPSG service.
Example
The following command configures the IPSG service to use the custom10 RADIUS database dictionary:
radius dictionary custom10
setup-timeout
Configures a timeout value for IPSG session set up attempts.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
setup-timeout setup_timeout
default setup-timeout
setup_timeout
Specifies the time period (in seconds) that an IPSG session setup attempt is allowed to continue before being terminated.
setup_timeout must be an integer from 1 through 1000000.
Default: 60
Usage
Use this command to prevent IPSG session set up attempts from continuing without termination.
Example
The following command sets the session setup timeout to 20 seconds:
setup-timeout 20
 
 

Cisco Systems Inc.