IPSG RADIUS Snoop Configuration Mode Commands

IPSG RADIUS Snoop Configuration Mode Commands
 
The IP Services Gateway (IPSG) RADIUS Snoop Configuration Mode is used to create and configure IPSG services within the current context. The IPSG RADIUS Snoop Mode configures the system to inspect RADIUS accounting requests on the way to the RADIUS accounting server and extract user information.
note_smallImportant: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
bind
Configures the service to accept data on any interface configured in the context. Optionally allows the system to limit the number of sessions processed by this service.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
bind [ max-subscribers max_sessions ]
no bind
no
If previously configured, deletes the binding configuration for the service.
max-subscribers max_sessions
Specifies the maximum number of subscriber sessions allowed for the service. If this option is not configured, the system defaults to the license limit.
In 8.3 and earlier releases, max_sessions must be an integer from 0 through 3000000.
In 9.0 and later releases, max_sessions must be an integer from 0 through 4000000.
Usage
Use this command to initiate the service and begin accepting data on any interface configured in the context.
Example
The following command prepares the system to receive subscriber sessions on any interface in the context and limits the sessions to 10000:
bind max-subscribers 10000
connection authorization
Sets the RADIUS authorization password that must be matched by the RADIUS accounting requests “snooped” by this service.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
connection authorization [ encrypted ] password password
no connection authorization
no
Deletes the RADIUS connection authorization configuration from the current IPSG RADIUS snoop service.
[ encrypted ] password password
encrypted: Specifies that the received RADIUS authorization password is encrypted.
password password: Specifies the password that must be matched by incoming RADIUS accounting requests.
In 12.0 and earlier releases, password must be an alphanumeric string of 1 through 63 characters.
In 12.2 and later releases, with encryption password must be an alphanumeric string of 1 through 132 characters. And, without password must be an alphanumeric string of 1 through 63 characters.
Usage
RADIUS accounting requests being examined by the IPSG RADIUS snoop service are destined for a RADIUS Accounting Server. Since the “snoop” service does not terminate user authentication, the user password is unknown.
Use this command to configure the authorization password that the RADIUS accounting requests must match in order for the service to examine and extract user information.
Example
The following command sets the RADIUS authorization password that must be matched by the RADIUS accounting requests “snooped” by this service. The password must be encrypted and the example provided is the word “secret”.
connection authorization encrypted password secret
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to return to the Exec mode.
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
radius
Specifies the RADIUS accounting servers where accounting requests are sent after being “inspected” by this service.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
[ no ] radius { accounting server ipv4/ipv6_address [ port port_number | source-context context_name ] | dictionary { 3gpp2 | 3gpp2-835 | custom XX | standard | starent | starent-835 | starent-vsa1 | starent-vsa1-835 } }
no
Removes the RADIUS accounting server identifier from this service.
radius accounting server ipv4/ipv6_address
Specifies the IP address of a RADIUS accounting server where accounting requests are sent after being “snooped” by this service in IPv4 dotted-decimal or IPv6 colon-separated notation.
Up to 16 addresses can be configured.
port port_number
Specifies the port number of the RADIUS Accounting Server where accounting requests are sent after being “snooped” by this service.
port_number must be an integer from 1 through 65535.
Default: 1813
source-context context_name
Specifies the source context where RADIUS accounting requests are received.
context_name must be an alphanumeric string of 1through 79 characters.
If this keyword is not configured, the system will default to the context in which the IPSG service is configured.
dictionary { 3gpp2 | 3gpp2-835 | custom XX | standard | starent | starent-835 | starent-vsa1 | starent-vsa1-835 }
Specifies what dictionary to use. The possible values are described in the following table:
Dictionary
Description
3gpp
This dictionary consists not only of all of the attributes in the standard dictionary, but also all of the attributes specified in 3GPP 32.015.
3gpp2
This dictionary consists not only of all of the attributes in the standard dictionary, but also all of the attributes specified in IS-835-A.
3gpp2-835
This dictionary consists not only of all of the attributes in the standard dictionary, but also all of the attributes specified in IS-835.
customXX
These are customized dictionaries. For information on custom dictionaries, please contact your Cisco account representative.
XX is the integer value of the custom dictionary.
standard
This dictionary consists only of the attributes specified in RFC 2865, RFC 2866, and RFC 2869.
starent
This dictionary consists of all of the attributes in the starent-vsa1 dictionary and incorporates additional Starent Networks VSAs by using a two-byte VSA Type field. This dictionary is the master-set of all of the attributes in all of the dictionaries supported by the system.
starent-835
This dictionary consists of all of the attributes in the starent-vsa1-835 dictionary and incorporates additional Starent Networks VSAs by using a two-byte VSA Type field. This dictionary is the master-set of all of the attributes in all of the -835 dictionaries supported by the system.
starent-vsa1
This dictionary consists not only of the 3gpp2 dictionary, but also includes Starent Networks vendor-specific attributes (VSAs) as well. The VSAs in this dictionary support a one-byte wide VSA Type field in order to support certain RADIUS applications. The one-byte limit allows support for only 256 VSAs (0 - 255). This is the default dictionary.
starent-vsa1-835
This dictionary consists not only of the 3gpp2-835 dictionary, but also includes Starent Networks vendor-specific attributes (VSAs) as well. The VSAs in this dictionary support a one-byte wide VSA Type field in order to support certain RADIUS applications. The one-byte limit allows support for only 256 VSAs (0 - 255). This is the default dictionary.
Usage
Use this command to specify the RADIUS Accounting Servers where accounting requests are sent after being snooped by this service.
Example
The following command specifies the IP address (10.2.3.4) of a RADIUS Accounting Server whose accounting requests are to be “snooped”, and the source context (aaa_ingress) where the requests are received on the system:
radius accounting server 10.2.3.4 source-context aaa_ingress
setup-timeout
Configures a timeout value for IPSG session setup attempts.
Product
IPSG
Privilege
Security Administrator, Administrator
Syntax
setup-timeout setup_timeout
default setup-timeout
setup_timeout
Specifies the period of time (in seconds) the IPSG session setup is allowed to continue before the setup attempt is terminated.
setup_timeout must be an integer from 1 through 1000000.
Default: 60
Usage
Use this command to prevent IPSG session setup attempts from continuing without termination.
Example
The following command configures the session setup timeout setting to 20 seconds:
setup-timeout 20
 
 
Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883