Table Of Contents
ip mobile home-agent accounting
ip mobile home-agent dynamic-address
ip mobile home-agent redundancy
ip mobile home-agent reject-static-addr
ip mobile home-agent resync-sa
ip mobile home-agent revocation
radius-server attribute 32 include-in-access-req
show ip mobile binding vrf realm
snmp-server enable traps ipmobile
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
•
clear ip mobile host-counters
•
•
•
•
•
•
•
•
•
•
•
aaa accounting
To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
no aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [broadcast] group groupname
Syntax Description
auth-proxy
Provides information about all authenticated-proxy user events.
system
Performs accounting for all system-level events not associated with users, such as reloads.
network
Runs accounting for all network-related service requests, including SLIP1 , PPP2 , PPP NCPs3 , and ARAP4 .
exec
Runs accounting for EXEC shell session. This keyword might return user profile information such as what is generated by the autocommand command.
connection
Provides information about all outbound connections made from the network access server, such as Telnet, LAT5 , TN3270, PAD6 , and rlogin.
commands level
Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.
default
Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.
list-name
Character string used to name the list of at least one of the accounting methods described in Table A-2.
start-stop
Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.
stop-only
Sends a "stop" accounting notice at the end of the requested user process.
none
Disables accounting services on this line or interface.
broadcast
(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.
group groupname
At least one of the keywords described in Table A-1.
1 SLIP = Serial Line Internet Protocol
2 PPP = Point-to-Point Protocol
3 PPP NCPs = Point-to-Point Protocol Network Control Protocols
4 ARAP = AppleTalk Remote Access Protocol
5 LAT = local-area transport
6 PAD = packet assembler/disassembler
Defaults
AAA accounting is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis.
Table A-1 contains descriptions of accounting method keywords.
In Table 1, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Cisco IOS software supports the following two methods of accounting:
•
•
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the methods to be tried in sequence as given.
If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Named accounting method lists are specific to the indicated type of accounting. Method list keywords are described in Table A-2.
Note
For minimal accounting, include the stop-only keyword to send a "stop" record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the appendix "TACACS+ Attribute-Value Pairs" in the Cisco IOS Security Configuration Guide.
Note
Examples
The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.
aaa accounting commands 15 default stop-only group tacacs+The following example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a stop-only restriction. The aaa accounting command activates authentication proxy accounting.
aaa new-modelaaa authentication login default group tacacs+aaa authorization auth-proxy default group tacacs+aaa accounting auth-proxy default start-stop group tacacs+Related Commands
aaa accounting update
To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. To disable interim accounting updates, use the no form of this command.
aaa accounting update [newinfo] [periodic number]
no aaa accounting update
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
When aaa accounting update is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the keyword newinfo is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IP Control Protocol (IPCP) completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.
When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent.
When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to report, and accounting records are sent to the accounting server periodically as defined by the argument number. For example, if you configure aaa accounting update newinfo periodic number, all users currently logged in will continue to generate periodic interim accounting records while new users will generate accounting records based on the newinfo algorithm.
Caution
Examples
The following example sends PPP accounting records to a remote RADIUS server. When IPCP completes negotiation, this command sends an interim accounting record to the RADIUS server that includes the negotiated IP address for this user; it also sends periodic interim accounting records to the RADIUS server at 30 minute intervals.
aaa accounting network default start-stop group radiusaaa accounting update newinfo periodic 30Related Commands
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
aaa authorization ipmobile
To authorize Mobile IP to retrieve security associations from the AAA server using TACACS+ or RADIUS, use the aaa authorization ipmobile global configuration command. Use the no form of this command to remove authorization.
aaa authorization ipmobile {tacacs+ | radius}
no aaa authorization ipmobile {tacacs+ | radius}
Syntax Description
Defaults
AAA is not used to retrieve security associations for authentication.
Command Modes
Global configuration
Command History
Usage Guidelines
Mobile IP requires security associations for registration authentication. The security associations are configured on the router or on an AAA server. This command is not need for the former; but in the latter case, this command authorizes Mobile IP to retrieve the security associations from the AAA server.
Note
Examples
The following example uses TACACS+ to retrieve security associations from the AAA server:
aaa new-modelaaa authorization ipmobile tacacs+tacacs-server host 1.2.3.4tacacs-server key mykeyip mobile host 10.0.0.1 10.0.0.5 virtual-network 10.0.0.0 255.0.0.0 aaaRelated Commands
aaa pod server
To enable inbound user sessions to be disconnected when specific session attributes are presented, use the aaa pod server global configuration command. To disable this feature, use the no form of this command.
aaa pod server [port port-number] [auth-type {any | all | session-key}] server-key string
no aaa pod server
Syntax Description
Defaults
The POD server function is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
For a session to be disconnected, the values in one or more of the key fields in the POD request must match the values for a session on one of the network access server ports. Which values must match depends on the auth-type attribute defined in the command. If no auth-type is specified, all four values must match. If no match is found, all connections remain intact and an error response is returned. The key fields are as follows:
•
•
•
•
Examples
The following example enables POD and sets the secret key to "ab9123."
router (config)# aaa pod server server-key ab9123access list
To configure the access list mechanism for filtering frames by protocol type or vendor code, use the access-list global configuration command. Use the no form of this command to remove the single specified entry from the access list.
access-list access-list-number {permit | deny} {type-code wild-mask | address mask}
no access-list access-list-number {permit | deny} {type-code wild-mask | address mask}
Syntax Description
Defaults
No numbered encryption access lists are defined, and therefore no traffic will be encrypted/decrypted. After being defined, all encryption access lists contain an implicit "deny" ("do not encrypt/decrypt") statement at the end of the list..
Command Modes
Global configuration
Command History
Usage Guidelines
Use encryption access lists to control which packets on an interface are encrypted/decrypted, and which are transmitted as plain text (unencrypted).
When a packet is examined for an encryption access list match, encryption access list statements are checked in the order that the statements were created. After a packet matches the conditions in a statement, no more statements will be checked. This means that you need to carefully consider the order in which you enter the statements.
To use the encryption access list, you must first specify the access list in a crypto map and then apply the crypto map to an interface, using the crypto map (CET global configuration) and crypto map (CET interface configuration) commands.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match the TCP source port, the type of service value, or the packet's precedence.
Note
Caution
Note
Examples
The following example creates a numbered encryption access list that specifies a class C subnet for the source and a class C subnet for the destination of IP packets. When the router uses this encryption access list, all TCP traffic that is exchanged between the source and destination subnets will be encrypted.
access-list 101 permit tcp 172.21.3.0 0.0.0.255 172.22.2.0 0.0.0.255clear ip mobile binding
To remove mobility bindings, use the clear ip mobile binding EXEC command.
clear ip mobile binding {all [load standby-group-name] | ip-address | nai string ip_address | vrf realm realm} [synch]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The Home Agent creates a mobility binding for each roaming mobile node. The mobility binding allows the mobile node to exchange packets with the correspondent node. Associated with the mobility binding is the tunnel to the visited network and a host route to forward packets destined for the mobile node. There should be no need to clear the binding because it expires after lifetime is reached or when the mobile node deregisters.
When the mobility binding is removed, the number of users on the tunnel is decremented and the host route is removed from the routing table. The mobile node is not notified.
When the synch option is specified, bindings that are administratively cleared on the active HA are synched to the standby HA, and the bindings will be deleted on the standby HA. When the redundancy mode is active-standby, the synch option will not take effect if the clear command is issued on the standby HA.
Note
Examples
The following example administratively stops mobile node 10.0.0.1 from roaming:
Router# clear ip mobile binding 10.0.0.1Router# show ip mobile bindingMobility Binding List:Total 110.0.0.1:Care-of Addr 68.0.0.31, Src Addr 68.0.0.31,Lifetime granted 02:46:40 (10000), remaining 02:46:32Flags SbdmGvt, Identification B750FAC4.C28F56A8,Tunnel100 src 66.0.0.5 dest 68.0.0.31 reverse-allowedRouting Options - (G)GRERelated Commands
clear ip mobile host-counters
To clear the mobility counters specific to each mobile station, use the clear ip mobile host-counters EXEC command.
clear ip mobile host-counters [[ip-address | nai string ip_address] undo]]
Syntax Description
ip-address
(Optional) IP address of a mobile node.
nai string
(Optional) Network access identifier of the mobile node.
undo
(Optional) Restores the previously cleared counters.
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword and associated variables were added.
Usage Guidelines
This command clears the counters that are displayed when you use the show ip mobile host command. The undo keyword restores the counters (this is useful for debugging).
Examples
The following example shows how the counters can be used for debugging:
Router# show ip mobile host20.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8Accepted 0, Last time -never-Overall service time -never-Denied 0, Last time -never-Last code `-never- (0)'Total violations 0Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Router# clear ip mobile host-countersRouter# show ip mobile host-counters20.0.0.1:Allowed lifetime 10:00:00 (36000/default)Roaming status -Unregistered-, Home link on virtual network 20.0.0.0/8Accepted 0, Last time -never-Overall service time -never-Denied 0, Last time -never-Last code `-never- (0)'Total violations 0Tunnel to MN - pkts 0, bytes 0Reverse tunnel from MN - pkts 0, bytes 0Related Commands
clear ip mobile secure
To clear and retrieve remote security associations, use the clear ip mobile secure EXEC command.
clear ip mobile secure {host lower [upper] | nai string | empty | all} [load]
Syntax Description
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.2(2)XC
The nai keyword and associated variables were added.
Usage Guidelines
Security associations are required for registration authentication. They can be stored on an AAA server. During registration, they may be stored locally after retrieval from the AAA server. The security association on the router may become stale or out of date when the security association on the AAA server changes.
This command clears security associations that have been downloaded from the AAA server.
Note
Examples
In the following example, the AAA server has the security association for user 10.0.0.1 after registration:
Router# show ip mobile secure host 10.0.0.1Security Associations (algorithm,mode,replay protection,key):10.0.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `oldkey' 1230552d39b7c1751f86bae5205ec0c8The security association of the AAA server changes as follows:
Router# clear ip mobile secure host 10.0.0.1 loadRouter# show ip mobile secure host 10.0.0.110.0.0.1:SPI 300, MD5, Prefix-suffix, Timestamp +/- 7,Key `newkey' 1230552d39b7c1751f86bae5205ec0c8Related Commands
ip mobile secure
Specifies the mobility security associations for mobile host, visitor, Home Agent, and Foreign Agent.
clear ip mobile traffic
To clear counters, use the clear ip mobile traffic EXEC command.
clear ip mobile traffic
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
12.0(1)T
This command was introduced.
12.3(7)XJ
This command adds clear MIPv4 Registration Revocation related counters and Radius Disconnect related statistics.
Usage Guidelines
Mobile IP counters are accumulated during operation. They are useful for debugging and monitoring.
This command clears all Mobile IP counters. The undo keyword restores the counters (this is useful for debugging.) See the show ip mobile traffic command for a list and description of all counters.
Examples
The following example shows how the counters can be used for debugging:
Router# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 8, Deregister 0 requestsRegister 7, Deregister 0 repliedAccepted 6, No simultaneous bindings 0Denied 1, Ignored 1Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 1, Bad request form 0..Router# clear ip mobile trafficRouter# show ip mobile trafficIP Mobility traffic:Advertisements:Solicitations received 0Advertisements sent 0, response to solicitation 0Home Agent Registrations:Register 0, Deregister 0 requestsRegister 0, Deregister 0 repliedAccepted 0, No simultaneous bindings 0Denied 0, Ignored 0Unspecified 0, Unknown HA 0Administrative prohibited 0, No resource 0Authentication failed MN 0, FA 0Bad identification 0, Bad request form 0Related Commands
crypto map (global IPSec)
To create or modify a crypto map entry and enter the crypto map configuration mode, use the crypto map global configuration command. To delete a crypto map entry or set, use the no form of this command.
crypto map map-name seq-num ipsec-manual
crypto map map-name seq-num ipsec-isakmp [dynamic dynamic-map-name] [discover]
no crypto map map-name [seq-num]
Syntax Description
Command Modes
Global configuration.
Command History
Usage Guidelines
Issue the crypto map map-name seq-num command without a keyword to modify an existing crypto map entry.
Examples
The following example creates a crypto map entry and indicates that IKE will not be used to establish the IPSec security associations for protecting the traffic:
Router# crypto map map-name seq-num ipsec-manualdebug aaa accounting
To display information on accountable events as they occur, use the debug aaa accounting command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug aaa accounting
no debug aaa accounting
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server. Use the debug tacacs and debug radius protocol-specific commands to get more detailed information about protocol-level issues.
You can also use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions. The show accounting command allows you to display the active "accountable events" on the system. It provides systems administrators a quick look at what is happening, and may also be useful for collecting information in the event of a data loss of some kind on the accounting server. The show accounting command displays additional data on the internal state of the authentication, authorization, and accounting (AAA) security system if debug aaa accounting is turned on as well.
Examples
The following is sample output from the debug aaa accounting command:
Router# debug aaa accounting16:49:21: AAA/ACCT: EXEC acct start, line 1016:49:32: AAA/ACCT: Connect start, line 10, glare16:49:47: AAA/ACCT: Connection acct stop:task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14debug aaa pod
To display debug information for Radius Disconnect message processing at AAA subsystem level , use the debug aaa pod command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug aaa pod
no debug aaa pod
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the debug aaa pod command:
Router#sh debuggingGeneral OS:AAA POD packet processing debugging is onThe scenario is a POD request is received from RADIUS 17.17.17.18 with the set of attributes displayed below and after processing PDSN sends back an ACK
Router#03:30:05: POD: 17.17.17.18 request queued03:30:05: ++++++ POD Attribute List ++++++03:30:05: 63ECE94C 0 00000009 username(336) 12 sri-sip-user03:30:05: 65FCEB50 0 00000009 clid(27) 11 0000000000103:30:05: 65FCEB64 0 00000021 cdma-disconnect-reason(420) 4 1(1)03:30:05: 65FCEB78 0 00000029 cdma-correlation-id(374) 8 0000000203:30:05:03:30:05: POD: Sending ACK from port 1700 to 17.17.17.18/1700debug ip mobile
To display IP mobility activities, use the debug ip mobile command in privileged EXEC mode.
debug ip mobile [advertise | host [access-list-number] | local-area | standby]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug ip mobile standby command to troubleshoot redundancy problems.
No per-user debugging output is shown for mobile nodes using the network access identifier (NAI) for the debug ip mobile host command. Debugging of specific mobile nodes using an IP address is possible through the access list.
Examples
The following is sample output from the debug ip mobile command when Foreign Agent reverse tunneling is enabled:
MobileIP:MN 14.0.0.30 deleted from ReverseTunnelTable of Ethernet2/1(Entries 0)The following is sample output from the debug ip mobile advertise command:
Router# debug ip mobile advertiseMobileIP: Agent advertisement sent out Ethernet1/2: type=16, len=10, seq=1, lifetime=36000,flags=0x1400(rbhFmGv-rsv-),Care-of address: 68.0.0.31Prefix Length ext: len=1 (8 )FA Challenge value:769C808DTable A-3 Debug IP Mobile Advertise Field Descriptions
debug ip mobile host
Use the debug ip mobile host EXEC command to display IP mobility events.
debug ip mobile host acl
no debug ip mobile host
Syntax Description
Defaults
No default values.
Command History
Examples
The following is sample output from the debug ip mobile host command:
Router# debug ip mobile hostMobileIP: HA received registration for MN 20.0.0.6 on interface Ethernet1 using COA68.0.0.31 HA 66.0.0.5 lifetime 30000 options sbdmgvTMobileIP: Authenticated FA 68.0.0.31 using SPI 110 (MN 20.0.0.6)MobileIP: Authenticated MN 20.0.0.6 using SPI 300MobileIP: HA accepts registration from MN 20.0.0.6MobileIP: Mobility binding for MN 20.0.0.6 updatedMobileIP: Roam timer started for MN 20.0.0.6, lifetime 30000MobileIP: MH auth ext added (SPI 300) in reply to MN 20.0.0.6MobileIP: HF auth ext added (SPI 220) in reply to MN 20.0.0.6MobileIP: HA sent reply to MN 20.0.0.6debug ip mobile redundancy
Use the debug ip mobile redundancy EXEC command to display IP mobility events.
debug ip mobile redundancy
no debug ip mobile redundancy
Syntax Description
This command has no keywords or arguments.
Defaults
No default values.
Command History
Examples
The following is sample output from the debug ip mobile redundancy command:
Router# debug ip mobile redundancy00:19:21: MobileIP: Adding MN service flags to bindupdate00:19:21: MobileIP: Adding MN service flags 0 init registration flags 100:19:21: MobileIP: Adding a hared version cvse - bindupdate00:19:21: MobileIP: HARelayBindUpdate version number 2MobileIP: MN 40.0.0.20 - sent BindUpd to HA 7.0.0.3 HAA 7.0.0.400:19:21: MobileIP: HA standby maint started - cnt 100:19:21: MobileIP: MN 40.0.0.20 - HA rcv BindUpdAck accept from 7.0.0.3 HAA 7.0.0.400:19:22: MobileIP: HA standby maint started - cnt 1debug radius
To display information associated with RADIUS, use the debug radius command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug radius [brief | hex]
no debug radius [brief | hex]
Syntax Description
brief
(Optional) Displays abbreviated debug output.
hex
(Optional) Displays debugging output in hexadecimal notation.
Defaults
Debugging output in ASCII format is enabled.
Command Modes
Privileged EXEC
Command History
11.2(1)T
This command was introduced.
12.2(11)T
The brief and hex keywords were added. The default output format became ASCII rather than hexadecimal.
Usage Guidelines
RADIUS is a distributed security system that secures networks against unauthorized access. Cisco supports RADIUS under the authentication, authorization, and accounting (AAA) security system. When RADIUS is used on the router, you can use the debug radius command to display detailed debugging and troubleshooting information in ASCII format. Use the debug radius brief command for abbreviated output displaying client/server interaction and minimum packet information. Use the debug radius hex command to display packet dump information that has not been truncated in hex format.
Examples
The following is sample output from the debug radius command:
Router# debug radiusRadius protocol debugging is onRadius packet hex dump debugging is offRouter#00:02:50: RADIUS: ustruct sharecount=300:02:50: Radius: radius_port_info() success=0 radius_nas_port=100:02:50: RADIUS: Initial Transmit ISDN 0:D:23 id 0 10.0.0.1:1824, Accounting-Request, len 35800:02:50: RADIUS: NAS-IP-Address [4] 6 10.0.0.000:02:50: RADIUS: Vendor, Cisco [26] 19 VT=02 TL=13 ISDN 0:D:2300:02:50: RADIUS: NAS-Port-Type [61] 6 Async00:02:50: RADIUS: User-Name [1] 12 "4085554206"00:02:50: RADIUS: Called-Station-Id [30] 7 "52981"00:02:50: RADIUS: Calling-Station-Id [31] 12 "4085554206"00:02:50: RADIUS: Acct-Status-Type [40] 6 Start00:02:50: RADIUS: Service-Type [6] 6 Login00:02:50: RADIUS: Vendor, Cisco [26] 27 VT=33 TL=21 h323-gw-id=5300_43.00:02:50: RADIUS: Vendor, Cisco [26] 55 VT=01 TL=49 h323-incoming-conf-id=8F3A3163 B4980003 0 29BD000:02:50: RADIUS: Vendor, Cisco [26] 31 VT=26 TL=25 h323-call-origin=answer00:02:50: RADIUS: Vendor, Cisco [26] 32 VT=27 TL=26 h323-call-type=Telephony00:02:50: RADIUS: Vendor, Cisco [26] 57 VT=25 TL=51 h323-setup-time=*16:02:48.681 PST Fri Dec 31 199900:02:50: RADIUS: Vendor, Cisco [26] 46 VT=24 TL=40 h323-conf-id=8F3A3163 B4980003 0 29BD000:02:50: RADIUS: Acct-Session-Id [44] 10 "00000002"00:02:50: RADIUS: Delay-Time [41] 6 000:02:51: RADIUS: Received from id 0 1.7.157.1:1824, Accounting-response, len 2000:02:51: %ISDN-6-CONNECT: Interface Serial0:22 is now connected to 408527420600:03:01: RADIUS: ustruct sharecount=300:03:01: Radius: radius_port_info() success=0 radius_nas_port=100:03:01: RADIUS: Initial Transmit ISDN 0:D:23 id 1 1.7.157.1:1823, Access-Request, len 17100:03:01: RADIUS: NAS-IP-Address [4] 6 10.0.0.000:03:01: RADIUS: Vendor, Cisco [26] 19 VT=02 TL=13 ISDN 0:D:2300:03:01: RADIUS: NAS-Port-Type [61] 6 Async00:03:01: RADIUS: User-Name [1] 8 "123456"00:03:01: RADIUS: Vendor, Cisco [26] 46 VT=24 TL=40 h323-conf-id=8F3A3163 B4980003 0 29BD000:03:01: RADIUS: Calling-Station-Id [31] 12 "4085554206"00:03:01: RADIUS: User-Password [2] 18 *00:03:01: RADIUS: Vendor, Cisco [26] 36 VT=01 TL=30 h323-ivr-out=transactionID:000:03:01: RADIUS: Received from id 1 1.7.157.1:1823, Access-Accept, len 11500:03:01: RADIUS: Service-Type [6] 6 Login00:03:01: RADIUS: Vendor, Cisco [26] 29 VT=101 TL=23 h323-credit-amount=4500:03:01: RADIUS: Vendor, Cisco [26] 27 VT=102 TL=21 h323-credit-time=3300:03:01: RADIUS: Vendor, Cisco [26] 26 VT=103 TL=20 h323-return-code=000:03:01: RADIUS: Class [25] 7 6C6F63616C00:03:01: RADIUS: saved authorization data for user 62321E14 at 6233D25800:03:13: %ISDN-6-DISCONNECT: Interface Serial0:22 disconnected from 4085274206, call lasted 22 seconds00:03:13: RADIUS: ustruct sharecount=200:03:13: Radius: radius_port_info() success=0 radius_nas_port=100:03:13: RADIUS: Sent class "local" at 6233D2C4 from user 62321E1400:03:13: RADIUS: Initial Transmit ISDN 0:D:23 id 2 1.7.157.1:1824, Accounting-Request, len 77500:03:13: RADIUS: NAS-IP-Address [4] 6 10.0.0.000:03:13: RADIUS: Vendor, Cisco [26] 19 VT=02 TL=13 ISDN 0:D:2300:03:13: RADIUS: NAS-Port-Type [61] 6 Async00:03:13: RADIUS: User-Name [1] 8 "123456"00:03:13: RADIUS: Called-Station-Id [30] 7 "52981"00:03:13: RADIUS: Calling-Station-Id [31] 12 "4085274206"00:03:13: RADIUS: Acct-Status-Type [40] 6 Stop00:03:13: RADIUS: Class [25] 7 6C6F63616C00:03:13: RADIUS: Undebuggable [45] 6 0000000100:03:13: RADIUS: Service-Type [6] 6 Login00:03:13: RADIUS: Vendor, Cisco [26] 27 VT=33 TL=21 h323-gw-id=5300_43.00:03:13: RADIUS: Vendor, Cisco [26] 55 VT=01 TL=49 h323-incoming-conf-id=8F3A3163 B4980003 0 29BD000:03:13: RADIUS: Vendor, Cisco [26] 31 VT=26 TL=25 h323-call-origin=answer00:03:13: RADIUS: Vendor, Cisco [26] 32 VT=27 TL=26 h323-call-type=Telephony00:03:13: RADIUS: Vendor, Cisco [26] 57 VT=25 TL=51 h323-setup-time=*16:02:48.681 PST Fri Dec 31 199900:03:13: RADIUS: Vendor, Cisco [26] 59 VT=28 TL=53 h323-connect-time=*16:02:48.946 PST Fri Dec 31 199900:03:13: RADIUS: Vendor, Cisco [26] 62 VT=29 TL=56in=000:03:13: RADIUS: Vendor, Cisco [26] 23 VT=01 TL=17 pre-bytes-out=000:03:13: RADIUS: Vendor, Cisco [26] 21 VT=01 TL=15 pre-paks-in=000:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 pre-paks-out=000:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 nas-rx-speed=000:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 nas-tx-speed=000:03:13: RADIUS: Delay-Time [41] 6 000:03:13: RADIUS: Received from id 2 1.7.157.1:1824, Accounting-response, len 20h323-disconnect-time=*16:03:11.306 PST Fri Dec 31 199900:03:13: RADIUS: Vendor, Cisco [26] 32 VT=30 TL=26 h323-disconnect-cause=1000:03:13: RADIUS: Vendor, Cisco [26] 28 VT=31 TL=22 h323-voice-quality=000:03:13: RADIUS: Vendor, Cisco [26] 46 VT=24 TL=40 h323-conf-id=8F3A3163 B4980003 0 29BD000:03:13: RADIUS: Acct-Session-Id [44] 10 "00000002"00:03:13: RADIUS: Acct-Input-Octets [42] 6 000:03:13: RADIUS: Acct-Output-Octets [43] 6 8800000:03:13: RADIUS: Acct-Input-Packets [47] 6 000:03:13: RADIUS: Acct-Output-Packets [48] 6 55000:03:13: RADIUS: Acct-Session-Time [46] 6 2200:03:13: RADIUS: Vendor, Cisco [26] 30 VT=01 TL=24 subscriber=RegularLine00:03:13: RADIUS: Vendor, Cisco [26] 35 VT=01 TL=29 h323-ivr-out=Tariff:Unknown00:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 pre-bytes-The following is sample output from the debug radius brief command:
Router# debug radius briefRadius protocol debugging is onRadius packet hex dump debugging is offRadius protocol in brief format debugging is on00:05:21: RADIUS: Initial Transmit ISDN 0:D:23 id 6 10.0.0.1:1824, Accounting-Request, len 35800:05:21: %ISDN-6-CONNECT: Interface Serial0:22 is now connected to 408527420600:05:26: RADIUS: Retransmit id 600:05:31: RADIUS: Tried all servers.00:05:31: RADIUS: No valid server found. Trying any viable server00:05:31: RADIUS: Tried all servers.00:05:31: RADIUS: No response for id 700:05:31: RADIUS: Initial Transmit ISDN 0:D:23 id 8 10.0.0.0:1823, Access-Request, len 17100:05:36: RADIUS: Retransmit id 800:05:36: RADIUS: Received from id 8 1.7.157.1:1823, Access-Accept, len 11500:05:47: %ISDN-6-DISCONNECT: Interface Serial0:22 disconnected from 4085274206, call lasted 26 seconds00:05:47: RADIUS: Initial Transmit ISDN 0:D:23 id 9 10.0.0.1:1824, Accounting-Request, len 77500:05:47: RADIUS: Received from id 9 1.7.157.1:1824, Accounting-response, len 20The following example shows debug radius hex output:
Router# debug radius hexRadius protocol debugging is onRadius packet hex dump debugging is onRouter#17:26:52: RADIUS: ustruct sharecount=317:26:52: Radius: radius_port_info() success=0 radius_nas_port=117:26:52: RADIUS: Initial Transmit ISDN 0:D:23 id 10 10.0.0.1:1824, Accounting-Request, len 36117:26:52: Attribute 4 6 01081D0317:26:52: Attribute 26 19 00000009020D4953444E20303A443A323317:26:52: Attribute 61 6 0000000017:26:52: Attribute 1 12 3430383532373432303617:26:52: Attribute 30 7 353239383117:26:52: Attribute 31 12 3430383532373432303617:26:52: Attribute 40 6 0000000117:26:52: Attribute 6 6 0000000117:26:52: Attribute 26 27 000000092115683332332D67772D69643D353330305F34332E17:26:52: Attribute 26 57 000000090133683332332D696E636F6D696E672D636F6E662D69643D3846334133313633204234393830303046 2030203342453731423817:26:52: Attribute 26 31 000000091A19683332332D63616C6C2D6F726967696E3D616E7377657217:26:52: Attribute 26 32 000000091B1A683332332D63616C6C2D747970653D54656C6570686F6E7917:26:52: Attribute 26 56 000000091932683332332D73657475702D74696D653D2A30393A32363A35322E3838302050535420536174204A 616E2031203230303017:26:52: Attribute 26 48 00000009182A683332332D636F6E662D69643D3846334133313633204234393830303046203020334245373142 3817:26:52: Attribute 44 10 303030303030303517:26:52: Attribute 41 6 0000000017:26:52: %ISDN-6-CONNECT: Interface Serial0:22 is now connected to 408527420617:26:52: RADIUS: Received from id 10 10.0.0.1:1824, Accounting-response, len 2017:27:01: RADIUS: ustruct sharecount=317:27:01: Radius: radius_port_info() success=0 radius_nas_port=117:27:01: RADIUS: Initial Transmit ISDN 0:D:23 id 11 10.0.0.0:1823, Access-Request, len 17317:27:01: Attribute 4 6 01081D0317:27:01: Attribute 26 19 00000009020D4953444E20303A443A323317:27:01: Attribute 61 6 0000000017:27:01: Attribute 1 8 31323334353617:27:01: Attribute 26 48 00000009182A683332332D636F6E662D69643D3846334133313633204234393830303046203020334245373142 3817:27:01: Attribute 31 12 3430383532373432303617:27:01: Attribute 2 18 C980D8D0E9A061B3D783C61AA6F2721417:27:01: Attribute 26 36 00000009011E683332332D6976722D6F75743D7472616E73616374696F6E49443A3317:27:01: RADIUS: Received from id 11 1.7.157.1:1823, Access-Accept, len 11517:27:01: Attribute 6 6 0000000117:27:01: Attribute 26 29 000000096517683332332D6372656469742D616D6F756E743D343517:27:01: Attribute 26 27 000000096615683332332D6372656469742D74696D653D333317:27:01: Attribute 26 26 000000096714683332332D72657475726E2D636F64653D3017:27:01: Attribute 25 7 6C6F63616C17:27:01: RADIUS: saved authorization data for user 61AA0698 at 6215087C17:27:09: %ISDN-6-DISCONNECT: Interface Serial0:22 disconnected from 4085554206, call lasted 17 seconds17:27:09: RADIUS: ustruct sharecount=217:27:09: Radius: radius_port_info() success=0 radius_nas_port=117:27:09: RADIUS: Sent class "local" at 621508E8 from user 61AA069817:27:09: RADIUS: Initial Transmit ISDN 0:D:23 id 12 1.7.157.1:1824, Accounting-Request, len 77617:27:09: Attribute 4 6 01081D0317:27:09: Attribute 26 19 00000009020D4953444E20303A443A323317:27:09: Attribute 61 6 0000000017:27:09: Attribute 1 8 31323334353617:27:09: Attribute 30 7 353239383117:27:09: Attribute 31 12 3430383532373432303617:27:09: Attribute 40 6 0000000217:27:09: Attribute 25 7 6C6F63616C17:27:09: Attribute 45 6 0000000117:27:09: Attribute 6 6 0000000117:27:09: Attribute 26 27 000000092115683332332D67772D69643D353330305F34332E17:27:09: Attribute 26 57 000000090133683332332D696E636F6D696E672D636F6E662D69643D3846334133313633204234393830303046 2030203342453731423817:27:09: Attribute 26 31 000000091A19683332332D63616C6C2D6F726967696E3D616E7377657217:27:09: Attribute 26 32 000000091B1A683332332D63616C6C2D747970653D54656C6570686F6E7917:27:09: Attribute 26 56 000000091932683332332D73657475702D74696D653D2A30393A32363A35322E3838302050535420536174204A 616E2031203230303017:27:09: Attribute 26 58 000000091C34683332332D636F6E6E6563742D74696D653D2A30393A32363A35322E3930372050535420536174 204A616E2031203230303017:27:09: Attribute 26 61 000000091D37683332332D646973636F6E6E6563742D74696D653D2A30393A32373A31302E3133372050535420 536174204A616E2031203230303017:27:09: Attribute 26 32 000000091E1A683332332D646973636F6E6E6563742D63617573653D313017:27:09: Attribute 26 28 000000091F16683332332D766F6963652D7175616C6974793D3017:27:09: Attribute 26 48 00000009182A683332332D636F6E662D69643D3846334133313633204234393830303046203020334245373142 3817:27:09: Attribute 44 10 303030303030303517:27:09: Attribute 42 6 0000000017:27:09: Attribute 43 6 00012CA017:27:09: Attribute 47 6 0000000017:27:09: Attribute 48 6 000001E117:27:09: Attribute 46 6 0000001117:27:09: Attribute 26 30 000000090118737562736372696265723D526567756C61724C696E6517:27:09: Attribute 26 35 00000009011D683332332D6976722D6F75743D5461726966663A556E6B6E6F776E17:27:09: Attribute 26 22 0000000901107072652D62797465732D696E3D3017:27:09: Attribute 26 23 0000000901117072652D62797465732D6F75743D3017:27:09: Attribute 26 21 00000009010F7072652D70616B732D696E3D3017:27:09: Attribute 26 22 0000000901107072652D70616B732D6F75743D3017:27:09: Attribute 26 22 0000000901106E61732D72782D73706565643D3017:27:09: Attribute 26 22 0000000901106E61732D74782D73706565643D3017:27:09: Attribute 41 6 0000000017:27:09: RADIUS: Received from id 12 10.0.0.1:1824, Accounting-response, len 20debug tacacs
To display information associated with TACACS, use the debug tacacs command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug tacacs
no debug tacacs
Syntax Description
This command has no keywords or arguments.
Command Modes
Privileged EXEC
Usage Guidelines
TACACS is a distributed security system that secures networks against unauthorized access. Cisco supports TACACS under the authentication, authorization, and accounting (AAA) security system.
Use the debug aaa authentication command to get a high-level view of login activity. When TACACS is used on the router, you can use the debug tacacs command for more detailed debugging information.
Examples
The following is sample output from the debug aaa authentication command for a TACACS login attempt that was successful. The information indicates that TACACS+ is the authentication method used.
Router# debug aaa authentication14:01:17: AAA/AUTHEN (567936829): Method=TACACS+14:01:17: TAC+: send AUTHEN/CONT packet14:01:17: TAC+ (567936829): received authen response status = PASS14:01:17: AAA/AUTHEN (567936829): status = PASSThe following is sample output from the debug tacacs command for a TACACS login attempt that was successful, as indicated by the status PASS:
Router# debug tacacs14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.7914:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START)14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.1514:00:09: TAC+ (383258052): received authen response status = GETUSER14:00:10: TAC+: send AUTHEN/CONT packet14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT)14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.1514:00:10: TAC+ (383258052): received authen response status = GETPASS14:00:14: TAC+: send AUTHEN/CONT packet14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT)14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.1514:00:14: TAC+ (383258052): received authen response status = PASS14:00:14: TAC+: Closing TCP/IP connection to 192.168.60.15The following is sample output from the debug tacacs command for a TACACS login attempt that was unsuccessful, as indicated by the status FAIL:
Router# debug tacacs13:53:35: TAC+: Opening TCP/IP connection to 192.168.60.15 using source192.48.0.7913:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 192.168.60.15(AUTHEN/START)13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 192.168.60.1513:53:35: TAC+ (416942312): received authen response status = GETUSER13:53:37: TAC+: send AUTHEN/CONT packet13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 192.168.60.15(AUTHEN/CONT)13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 192.168.60.1513:53:37: TAC+ (416942312): received authen response status = GETPASS13:53:38: TAC+: send AUTHEN/CONT packet13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 192.168.60.15(AUTHEN/CONT)13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 192.168.60.1513:53:38: TAC+ (416942312): received authen response status = FAIL13:53:40: TAC+: Closing TCP/IP connection to 192.168.60.15ip mobile home-agent
To enable and control Home Agent services on the router, use the ip mobile home-agent global configuration command. To disable these services, use the no form of this command.
ip mobile home-agent [home-agent address] [broadcast] [care-of-access acl] [lifetime number] [aaa] [nat-detect] [revocation] [replay seconds] [reverse-tunnel off] [roam-access acl] [strip-realm] [suppress-unreachable] [local-timezone] [unknown [accept | deny]] [send-mn-address]
no ip mobile home-agent [broadcast] [care-of-access acl] [lifetime number] [aaa] [nat-detect] [revocation] [replay seconds] [reverse-tunnel private address] [roam-access acl] [strip-nai-realm] [suppress-unreachable] [local-timezone] [unknown [accept | deny]] [send-mn-address]
Syntax Description
Defaults
This command is disabled by default. Broadcasting is disabled by default. Reverse tunnel support is enabled by default. ICMP Unreachable messages are sent by default.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables and controls Home Agent services on the router. Changes to service take effect immediately; however, broadcast and lifetime settings for previously registered mobile nodes are unaffected. Tunnels are shared by mobile nodes registered with the same endpoints, so the reverse-tunnel-off keyword also affects registered mobile nodes.
The Home Agent is responsible for processing registration requests from the mobile node and setting up tunnels and routes to the care-of address. Packets to the mobile node are forwarded to the visited network.
The Home Agent will forward broadcast packets to mobile nodes if they registered with the service. However, heavy broadcast traffic utilizes the CPU of the router. The Home Agent can control where the mobile nodes roam by the care-of-access parameter, and which mobile node is allowed to roam by the roam-access parameter.
When a registration request comes in, the Home Agent will ignore requests when Home Agent service is not enabled or the security association of the mobile node is not configured. The latter condition occurs because the security association must be available for the MH authentication extension in the reply. If a security association exists for the Foreign Agent (IP source address or care-of address in request), the Foreign Agent is authenticated, and then the mobile node is authenticated. The Identification field is verified to protect against replay attack. The Home Agent checks the validity of the request (see Table A-4) and sends a reply. (Replay codes are listed in Table A-5.) A security violation is logged when Foreign Agent authentication, MH authentication, or Identification verification fails. (The violation reasons are listed in Table A-6.)
After registration is accepted, the Home Agent creates or updates the mobility binding of the mobile node, which contains the expiration timer. If no binding existed before this registration, a virtual tunnel is created, a host route to the mobile node via the care-of address is added to the routing table, and gratuitous ARPs are sent out. For deregistration, the host route is removed from the routing table, the virtual tunnel interface is removed (if no mobile nodes are using it), and gratuitous ARPs are sent out if the mobile node is back home. Mobility binding is removed (along with its associated host route and tunnel) when registration lifetime expires or deregistration is accepted.
By default, the HA uses the entire NAI string as username for authentication (which may be with local security association or retrieved from the AAA server). The strip-nai-realm parameter instructs the HA to strip off the realm part of NAI (if it exists) before performing authentication. Basically, the mobile station is identified by only the username part of NAI.
When the packet destined for the mobile node arrives on the Home Agent, the Home Agent encapsulates the packet and tunnels it to the care-of address. If the Don't fragment bit is set in the packet, the outer bit of the IP header is also set. This allows the Path MTU Discovery to set the MTU of the tunnel. Subsequent packets greater than the MTU of the tunnel will be dropped and an ICMP datagram too big message sent to the source. If the Home Agent loses the route to the tunnel endpoint, the host route to the mobile node will be removed from the routing table until tunnel route is available. Packets destined for the mobile node without a host route will be sent out the interface (home link) or to the virtual network (see the description of suppress-unreachable keyword). For subnet-directed broadcasts to the home link, the Home Agent will send a copy to all mobile nodes registered with the broadcast routing option.
Table A-4 describes how the Home Agent treats registrations with various bits set when authentication and identification are passed.
Table A-5 lists the Home Agent registration reply codes.
Table A-6 lists security violation codes.
Table A-6 Security Violation Codes
1
No mobility security association.
2
Bad authenticator.
3
Bad identifier.
4
Bad SPI.
5
Missing security extension.
6
Other.
Examples
The following example enables broadcast routing and specifies a global registration lifetime of 7200 seconds (2 hours):
ip mobile home-agent broadcast lifetime 7200Router (config)#ip mobile home-agent reverse-tunnel ?off Disable reverse tunnel modeprivate-address Reverse Tunneling Mandatory for Private Mobile IP addressesRelated Commands
ip mobile home-agent accounting
To enable the Home Agent accounting feature, use the ip mobile home-agent accounting command in global configuration mode.
ip mobile home-agent accounting list
Syntax Description
list
Specifies the accounting method used to generate accouting records. The accounting method identified by list is configured using the aaa accounting network command.
Defaults
There are no default values for this command.
Command Modes
Global configuration
Command History
Usage Guidelines
The Home Agent cannot open more than 100k bindings if HA Accounting feature is enabled.
Examples
The following example illustrates the ip mobile home-agent accounting command:
Router# ip mobile home-agent accounting list
ip mobile home-agent dynamic-address
To set the Home Agent Address field in a Registration Response packet, use the ip mobile home-agent dynamic-address command in global configuration. Use the no form of the command to disable this feature, or to reset the field.
ip mobile home-agent dynamic-address ip address
no ip mobile home-agent dynamic-address ip address
Syntax Description
Defaults
The Home Agent Address field will be set to ip address.
Command Modes
Global configuration
Command History
Examples
The following example illustrates the ip mobile home-agent dynamic address command:
Router# ip mobile home-agent dynamic address 1.1.1.1ip mobile home-agent redundancy
To configure the Home Agent for redundancy by using the Hot Standby Router Protocol (HSRP) group name, use the ip mobile home-agent redundancy subcommand under the ip mobile home-agent global configuration command. To remove the address, use the no form of this command.
ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address addr] [mode active-standby]
no ip mobile home-agent redundancy hsrp-group-name [[virtual-network] address addr] [mode active-standby]
Syntax Description
Defaults
No global Home Agent addresses are specified.
Command Modes
Subcommand of the ip mobile home-agent global configuration command.
Command History
12.0(2)T
This command was introduced.
12.3(7)XJ1
The mode active-standby option was added.
Usage Guidelines
You must first configure the ip mobile home-agent command to use this sub-command.
The virtual-network keyword specifies that the HSRP group supports virtual networks.
Note
When Mobile IP standby is configured, the Home Agent can request mobility bindings from the peer Home Agent. When the command is deconfigured, the Home Agent can remove mobility bindings. The following describes how Home Agent redundancy operates on physical and virtual networks.
Physical network:
Only the active Home Agent will receive registrations. It updates the standby Home Agent. The standby Home Agent requests the mobility binding table from the active Home Agent. When Mobile IP standby is deconfigured, the standby Home Agent removes all bindings, but the active Home Agent keeps all bindings.
Virtual network:
Both active and standby Home Agents receive registrations if the loopback interface is used; each will update the peer after accepting a registration. Otherwise, the active Home Agent receives registrations. Both active and standby Home Agents request mobility binding tables from each other. When Mobile IP standby is deconfigured, the standby or active Home Agent removes all bindings.
Examples
The following is sample output from the ip mobile home-agent redundancy command that specifies an HSRP group name of SanJoseHA:
Router# ip mobile home-agent redundancy SanJoseHA
ip mobile home-agent reject-static-addr
To configure the HA to reject Registration Requests from MNs under certain conditions, use the ip mobile home-agent reject-static-addr sub-command under the ip mobile home-agent global configuration command.
ip mobile home-agent reject-static-addr
Syntax Description
This command has not arguments or keywords
Command Modes
Sub-command of the ip mobile home-agent global configuration command.
Command History
Usage Guidelines
You must first configure the ip mobile home-agent command to use this sub-command.
If an MN which has binding to the HA with a static address, and tries to register with the same static address again, then the HA rejects the second RRQ from MN.
Examples
The following example illustrates the ip mobile home-agent reject-static-addr command:
Router# ip mobile home-agent reject-static-addr
ip mobile home-agent resync-sa
To configure the HA to clear out the old cached security associations and requery the AAA server, use the ip mobile home-agent resync-sa command global configuration command.
ip mobile home-agent resync-sa x
Syntax Description
Command Modes
Global configuration.
Command History
Usage Guidelines
When a MN tries to reregister with the HA, the time change from the original timestamp is checked. If that time period is less than x, and the MN fails authentication, then the HA will not requery the AAA server for another SA.
If the MN reregisters with the HA, and the time between registrations is greater than x, and the MN fails registrations, then the HA will clear out the old SA and requery the AAA server.
Examples
The following example illustrates the ip mobile home-agent resync-sa command:
Router# ip mobile home-agent resync-sa 10
ip mobile home-agent revocation
To enable support for MIPv4 Registration Revocation on the HA, use the ip mobile home-agent revocation command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile home-agent revocation [timeout 1-100] [retransmit 0-100] [timestamp msec]
no ip mobile home-agent revocation [timeout 1-100] [retransmit 0-100] [timestamp msec]
Syntax Description
Defaults
The timeout default setting is 5 seconds, the retransmit default setting is 3 retransmissions, and the default timestamp setting is seconds.
Command Modes
Global configuration.
Command History
Examples
The following example illustrates the ip mobile home-agent revocation command:
Router# (config)#ip mobile home-agent revoc timeout ?
<1-100> Wait time (default 3 secs)
Router# (config)#ip mobile home-agent revoc retransmit ?
<0-100> Number of retries for a transaction (default 3)
ip mobile host
To configure the mobile host or mobile node group, use the ip mobile host global configuration command. For PDSN, use this command to configure the static IP address or address pool for multiple flows with the same NAI.
ip mobile host {lower [upper] | nai string {static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name} | address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]} {interface name | virtual-network network_address mask} [skip-chap | aaa [load-sa [permanent]] [authorized-pool pool][skip-aaa-reauthentication]] [care-of-access acl] [lifetime number]
no ip mobile host {lower [upper] | nai string {static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name} | address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]} {interface name | virtual-network network_address mask} [skip-chap | aaa [load-sa [permanent]] [authorized-pool pool][skip-aaa-reauthentication]] [care-of-access acl] [lifetime number]
Syntax Description
Defaults
No host is configured.
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the mobile host or mobile node group (ranging from lower address to upper address) to be supported by the Home Agent. These mobile nodes belong to the network on an interface or a virtual network (via the ip mobile virtual-network command). The security association for each mobile host must be configured using the ip mobile secure command or downloaded from an AAA server. When using an AAA server, the router will attempt to download all security associations when the command is entered. If no security associations are retrieved, retrieval will be attempted when a registration request arrives or the clear ip mobile secure command is entered.
All hosts must have security associations for registration authentication. Mobile nodes can have more than one security association. The memory consumption calculations shown in Table A-7 are based on the assumption of one security association per mobile node.
The nai keyword allows you to specify a particular mobile station or range of mobile stations. The mobile station can request a static IP address (static-address keyword), which is configured using the addr1 variable (for a specific address) or the local-pool keyword (for an IP address from an address pool). Or, the mobile station can request a dynamic address (address keyword), which is configured using the addr variable (for a specific address) or the pool keyword (for an IP address from a pool or DHCP server). If this command is used with the PDSN proxy Mobile IP feature and a realm is specified in the ip mobile proxy-host nai command, then only a pool of addresses can be specified in this command.
The address pool can be defined by a local pool or using a DHCP proxy client. For DHCP, the interface name specifies the address pool from which the DHCP server selects and dhcp-server specifies DHCP server address.
Security associations can be stored using one of three methods:
•
•
•
Each method has advantages and disadvantages, which are described in Table A-7
.
Note
Examples
The following example configures a mobile node group to reside on virtual network 20.0.0.0 and store its security associations on the AAA server:
ip mobile host 20.0.0.1 20.0.0.3 virtual-network 20.0.0.0 aaaThe following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile stations in the cisco.com domain.
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 9.0.0.0 255.0.0.0 aaa lifetime 65535The following example configures a local pool of static addresses to be used in assigning IP addresses to mobile stations in the cisco.com domain.
ip mobile host nai @cisco.com static-address local-pool mobilenodesRelated Commands
ip mobile radius disconnect
To enable the processing Radius Disconnect messages on the HA, use the ip mobile radius disconnect command in global configuration mode. Use the no form of this command to disable processing Radius Disconnect messages on the HA.
ip mobile radius disconnect
no ip mobile radius disconnect
Syntax Description
There are no arguments or keywords for this command.
Defaults
The default setting is that there is no processing of Radius Disconnect messages.
Command Modes
Global configuration.
Command History
Usage Guidelines
Note
Note
Examples
The following example illustrates the ip mobile radius disconnect command:
Router# ip mobile radius disconnect
ip mobile realm
To enable inbound user sessions to be disconnected when specific session attributes are presented, use the ip mobile realm command in global configuration mode. Use the no form of the command to disable this feature.
ip mobile realm @xyz.com vrf vrf-name ha-addr ip-address [aaa-group [accounting aaa-acct-group | authentication aaa-auth-group]]
no ip mobile realm ip mobile realm @xyz.com vrf vrf-name ha-addr ip-address [aaa-group [accounting aaa-acct-group]]
Defaults
There are no default values for this command.
Command Modes
Global configuration
Command History
Usage Guidelines
This CLI defines the VRF for the domain "@xyz.com". The IP address of the Home Agent corresponding to the VRF is also defined at which the MOIP tunnel will terminate. IP address of the Home Agent should be a routable IP address on the box. Optionally, the AAA accounting and/or authentication server groups can be defined per VRF. If AAA accounting server group is defined, all accounting records for the users of the realm will be sent to the specified group. If AAA authentication server group is defined, HA-CHAP is sent to the server(s) defined in the group.
Examples
ip mobile secure
To specify the mobility security associations for the mobile host, visitor, Home Agent, Foreign Agent, and proxy host, use the ip mobile secure global configuration command. To remove the mobility security associations, use the no form of this command.
ip mobile secure {host lower-address [upper-address] | visitor address | home-agent address | foreign-agent address} {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm md5 mode prefix-suffix]
no ip mobile secure {host lower-address [upper-address] | visitor address | home-agent address | foreign-agent address} {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm md5 mode prefix-suffix]
Syntax Description
Defaults
No security association is specified.
Command Modes
Global configuration
Command History
12.0(1)T
This command was introduced.
12.2
The lower-address and upper-address arguments were added.
Usage Guidelines
The security association consists of the entity address, SPI, key, replay protection method, authentication algorithm, and mode.
The SPI is the 4-byte index that selects the specific security parameters to be used to authenticate the peer. The security parameters consist of the authentication algorithm and mode, replay attack protection method, timeout, and IP address.
On a Home Agent, the security association of the mobile host is mandatory for mobile host authentication. If desired, configure a Foreign Agent security association on your Home Agent. On a Foreign Agent, the security association of the visiting mobile host and security association of the Home Agent are optional. Multiple security associations for each entity can be configured.
If registration fails because the timestamp value is out of bounds, the time stamp of the Home Agent is returned so the mobile node can reregister with the time-stamp value closer to that of the Home Agent, if desired.
Note
Examples
The following example shows mobile node 20.0.0.1, which has a key that is generated by the MD5 hash of the string:
Router# ip mobile secure host 20.0.0.1 spi 100 key hex 12345678123456781234567812345678Related Commands
ip mobile tunnel
To specify the settings of tunnels created by Mobile IP, use the ip mobile tunnel interface configuration command.
ip mobile tunnel {crypto map map-name | route-cache | path-mtu-discovery | nat {inside | outside}}
Syntax Description
Defaults
Disabled.
Command Modes
Global configuration.
Command History
Usage Guidelines
Path MTU discovery is used by end stations to find a packet size that does not need fragmentation between them. Tunnels have to adjust their MTU to the smallest MTU interior to achieve this. This is described in RFC 2003.
The discovered tunnel MTU should be aged out periodically to possibly recover from case where sub-optimum MTU existed at time of discovery. It is reset to the outgoing interface's MTU.
Examples
The following example sets the discovered tunnel MTU to expire in ten minutes:
Router# ip mobile tunnel reset-mtu-time 600
ip mobile virtual-network
To define a virtual network, use the ip mobile virtual-network global configuration command. To remove the virtual network, use the no form of this command.
ip mobile virtual-network net mask [address addr]
no ip mobile virtual-network net mask [address addr]
Syntax Description
Defaults
No Home Agent addresses are specified.
Command Modes
Global configuration.
Command History
Usage Guidelines
This command inserts the virtual network into the routing table to allow mobile nodes to use the virtual network as their home network. The network is propagated when redistributed to other routing protocols.
Note
Examples
The following example adds the virtual network 20.0.0.0 to the routing table and specifies that the HA IP address is configured on the loopback interface for that virtual network:
Router# ip mobile virtual-network
int e0ip addr 1.0.0.1 255.0.0.0standby ip 1.0.0.10standby name SanJoseHAint lo0ip addr 20.0.0.1 255.255.255.255ip mobile home-agentip mobile virtual-network 20.0.0.0 255.255.0.0 20.0.0.1ip mobile home-agent standby SanJoseHA virtual-networkip mobile secure home-agent 1.0.0.2 spi 100 hex 00112233445566778899001122334455radius-server attribute 32 include-in-access-req
To send RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request, use the radius-server attribute 32 include-in-access-req global configuration command. To disable sending RADIUS attribute 32, use the no form of this command.
radius-server attribute 32 include-in-access-req [format]
no radius-server attribute 32 include-in-access-req
Syntax Description
format
(Optional) A string sent in attribute 32 containing an IP address (%i), a hostname (%h), or a domain name (%d).
Defaults
RADIUS attribute 32 is not sent in access-request or accounting-request packets.
Command Modes
Global configuration.
Command History
Usage Guidelines
Using the radius-server attribute 32 include-in-access-req makes it possible to identify the network access server (NAS) manufacturer to the RADIUS server by sending RADIUS attribute 32 (NAS-Identifier) in an access-request or accounting-request. If you configure the format argument, the string sent in attribute 32 will include an IP address, a hostname, or a domain name; otherwise, the Fully Qualified Domain Name (FQDN) is sent by default.
Examples
The following example shows a configuration that sends RADIUS attribute 32 in the access-request with the format configured to identify a Cisco NAS:
router (config)# radius-server attribute 32 include-in-access-req format cisco %h.%d %i! The following string will be sent in attribute 32 (NAS-Identifier)."cisco router.nlab.cisco.com 10.0.1.67"radius-server host
To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
no radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
Syntax Description
Defaults
The auth-port port number defaults to 1645; the acct-port port number defaults to 1646.
Command Modes
Global configuration
Command History
