RFC-2867 RADIUS Tunnel Accounting


First Published: November 3, 2003
Last Updated: October 19, 2009

The RFC-2867 RADIUS Tunnel Accounting introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop).

This feature also introduces two virtual private virtual private dialup network (VPDN) commands that help users better troubleshoot VPDN session events.

Without RADIUS tunnel accounting support, VPDN with network accounting, which allows users to determine tunnel-link status changes, did not report all possible attributes to the accounting record file. Now that all possible attributes can be displayed, users can better verify accounting records with their Internet Service Providers (ISPs).

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for RFC-2867 RADIUS Tunnel Accounting" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.

Contents

Restrictions for RFC-2867 RADIUS Tunnel Accounting

Information About RFC-2867 RADIUS Tunnel Accounting

How to Configure RADIUS Tunnel Accounting

Configuration Examples for RADIUS Tunnel Accounting

Additional References

Restrictions for RFC-2867 RADIUS Tunnel Accounting

RADIUS tunnel accounting works only with L2TP tunnel support.

Information About RFC-2867 RADIUS Tunnel Accounting

To use RADIUS tunnel attributes and commands, you should understand the following concepts:

RADIUS Attributes Support for RADIUS Tunnel Accounting

RADIUS Attributes Support for RADIUS Tunnel Accounting

Table 1 outlines the new RADIUS accounting types that are designed to support the provision of compulsory tunneling in dialup networks; that is, these attribute types allow you to better track tunnel status changes.


Note The accounting types are divided into two separate tunnel types so users can decide if they want tunnel type, tunnel-link type, or both types of accounting.


Table 1 RADIUS Accounting Types for the Acct-Status-Type Attribute 

Type-Name
Number
Description
Additional Attributes 1

Tunnel-Start

9

Marks the beginning of a tunnel setup with another node.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

Acct-Delay-Time (41)—from AAA

Event-Timestamp (55)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

Tunnel-Stop

10

Marks the end of a tunnel connection to or from another node.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

Acct-Delay-Time (41)—from AAA

Acct-Input-Octets (42)—from AAA

Acct-Output-Octets (43)—from AAA

Acct-Session-Id (44)—from AAA

Acct-Session-Time (46)—from AAA

Acct-Input-Packets (47)—from AAA

Acct-Output-Packets (48)—from AAA

Acct-Terminate-Cause (49)—from AAA

Acct-Multi-Session-Id (51)—from AAA

Event-Timestamp (55)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

Acct-Tunnel-Packets-Lost (86)—from client

Tunnel-Reject

11

Marks the rejection of a tunnel setup with another node.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

Acct-Delay-Time (41)—from AAA

Acct-Terminate-Cause (49)—from client

Event-Timestamp (55)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

Tunnel-Link-Start

12

Marks the creation of a tunnel link. Only some tunnel types (Layer 2 Transport Protocol [L2TP]) support the multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

NAS-Port (5)—from AAA

Acct-Delay-Time (41)—from AAA

Event-Timestamp (55)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

Tunnel-Link-Stop

13

Marks the end of a tunnel link. Only some tunnel types (L2TP) support the multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

NAS-Port (5)—from AAA

Acct-Delay-Time (41)—from AAA

Acct-Input-Octets (42)—from AAA

Acct-Output-Octets (43)—from AAA

Acct-Session-Id (44)—from AAA

Acct-Session-Time (46)—from AAA

Acct-Input-Packets (47)—from AAA

Acct-Output-Packets (48)—from AAA

Acct-Terminate-Cause (49)—from AAA

Acct-Multi-Session-Id (51)—from AAA

Event-Timestamp (55)—from AAA

NAS-Port-Type (61)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

Acct-Tunnel-Packets-Lost (86)—from client

Tunnel-Link-Reject

14

Marks the rejection of a tunnel setup for a new link in an existing tunnel. Only some tunnel types (L2TP) support the multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

Acct-Delay-Time (41)—from AAA

Acct-Terminate-Cause (49)—from AAA

Event-Timestamp (55)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

1 If the specified tunnel type is used, these attributes should also be included in the accounting request packet.


How to Configure RADIUS Tunnel Accounting

This section contains the following procedures:

Enabling Tunnel Type Accounting Records

Verifying RADIUS Tunnel Accounting

Enabling Tunnel Type Accounting Records

Use this task to configure your LAC to send tunnel and tunnel-link accounting records to be sent to the RADIUS server.

Two new command line interfaces (CLIs)—vpdn session accounting network (tunnel-link-type records) and vpdn tunnel accounting network (tunnel-type records)—are supported to help identify the following events:

A VPDN tunnel is brought up or destroyed

A request to create a VPDN tunnel is rejected

A user session within a VPDN tunnel is brought up or brought down

A user session create request is rejected


Note The first two events are tunnel-type accounting records: authentication, authorization, and accounting (AAA) sends Tunnel-Start, Tunnel-Stop, or Tunnel-Reject accounting records to the RADIUS server. The next two events are tunnel-link-type accounting records: AAA sends Tunnel-Link-Start, Tunnel-Link-Stop, or Tunnel-Link-Reject accounting records to the RADIUS server.


SUMMARY STEPS

1. enable

2. configure terminal

3. aaa accounting network {default | list-name} {start-stop | stop-only | wait-start | none} group groupname

4. vpdn enable

5. vpdn tunnel accounting network list-name

6. vpdn session accounting network list-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

Router(config)# aaa accounting network
{default | list-name} {start-stop | stop-only | wait-start | none} group groupname

Enables network accounting.

default—If the default network accounting method-list is configured and no additional accounting configurations are enabled on the interface, network accounting is enabled by default.

If either the vpdn session accounting network command or the vpdn tunnel accounting network command is linked to the default method-list, all tunnel and tunnel-link accounting records are enabled for those sessions.

list-name—The list-name defined in the aaa accounting command must be the same as the list-name defined in the VPDN command; otherwise, accounting will not occur.

Step 4 

Router(config)# vpdn enable

Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (if applicable).

Step 5 

Router(config)# vpdn tunnel accounting network list-name

Enables Tunnel-Start, Tunnel-Stop, and Tunnel-Reject accounting records.

list-name—The list-name must match the list-name defined in the aaa accounting command; otherwise, network accounting will not occur.

Step 6 

Router(config)# vpdn session accounting network list-name

Enables Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject accounting records.

list-name—The list-name must match the list-name defined in the aaa accounting command; otherwise, network accounting will not occur.

What To Do Next

After you have enabled RADIUS tunnel accounting, you can verify your configuration via the following optional task ""Verifying RADIUS Tunnel Accounting" section."

Verifying RADIUS Tunnel Accounting

Use either one or both of the following optional steps to verify your RADIUS tunnel accounting configuration.

SUMMARY STEPS

1. enable

2. show accounting

3. show vpdn [session | tunnel]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

Router# show accounting

Displays the active accountable events on the network and helps collect information in the event of a data loss on the accounting server.

Step 3 

Router# show vpdn [session] [tunnel]

Displays information about active L2TP tunnel and message identifiers in a VPDN.

session—Displays a summary of the status of all active tunnels.

tunnel—Displays information about all active L2TP tunnels in summary-style format.

Configuration Examples for RADIUS Tunnel Accounting

This section provides the following configuration examples:

Configuring RADIUS Tunnel Accounting on LAC: Example

Configuring RADIUS Tunnel Accounting on LNS: Example

Configuring RADIUS Tunnel Accounting on LAC: Example

The following example shows how to configure your L2TP access concentrator (LAC) to send tunnel and tunnel-link accounting records to the RADIUS server:

aaa new-model
!
!
aaa authentication ppp default group radius
aaa authorization network default local
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
aaa session-id common
enable secret 5 $1$IDjH$iL7puCja1RMlyOM.JAeuf/
enable password lab
!
username ISP_LAC password 0 tunnelpass
!
!
resource-pool disable
!
!
ip subnet-zero
ip cef
no ip domain-lookup
ip host dirt 171.69.1.129
!
vpdn enable
vpdn tunnel accounting network m1
vpdn session accounting network m1
vpdn search-order domain dnis
!
vpdn-group 1
 request-dialin
  protocol l2tp
  domain cisco.com
 initiate-to ip 10.1.26.71
 local name ISP_LAC
!
isdn switch-type primary-5ess
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
controller T1 7/4
 framing esf
 linecode b8zs
 pri-group timeslots 1-24
!
!
!
interface FastEthernet0/0
 ip address 10.1.27.74 255.255.255.0
 no ip mroute-cache
 duplex half
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 no ip mroute-cache
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface Serial7/4:23
 ip address 60.0.0.2 255.255.255.0
 encapsulation ppp
 dialer string 2000
 dialer-group 1
 isdn switch-type primary-5ess
 ppp authentication chap
!
interface Group-Async0
 no ip address
 shutdown
 group-range 1/00 3/107
!
ip default-gateway 10.1.27.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.27.254
no ip http server
ip pim bidir-enable
!
!
dialer-list 1 protocol ip permit
no cdp run
!
!
radius-server host 172.19.192.26 auth-port 1645 acct-port 1646 key rad123
radius-server retransmit 3
call rsvp-sync
!

Configuring RADIUS Tunnel Accounting on LNS: Example

The following example shows how to configure your L2TP network server (LNS) to send tunnel and tunnel-link accounting records to the RADIUS server:

aaa new-model
!
!
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
aaa session-id common
enable secret 5 $1$ftf.$wE6Q5Yv6hmQiwL9pizPCg1
!
username ENT_LNS password 0 tunnelpass
username user1@cisco.com password 0 lab
username user2@cisco.com password 0 lab
spe 1/0 1/7
 firmware location system:/ucode/mica_port_firmware
spe 2/0 2/9
 firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
clock timezone est 2
!
ip subnet-zero
no ip domain-lookup
ip host CALLGEN-SECURITY-V2 64.24.80.28 3.47.0.0
ip host dirt 171.69.1.129
!
vpdn enable
vpdn tunnel accounting network m1
vpdn session accounting network m1
!
vpdn-group 1
accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname ISP_LAC
 local name ENT_LNS
!
isdn switch-type primary-5ess
!
!
!
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
interface Loopback0
 ip address 70.0.0.101 255.255.255.0
!
interface Loopback1
 ip address 80.0.0.101 255.255.255.0
!
interface Ethernet0
 ip address 10.1.26.71 255.255.255.0
 no ip mroute-cache
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool vpdn-pool1
 ppp authentication chap
!
interface Virtual-Template2
 ip unnumbered Loopback1
 peer default ip address pool vpdn-pool2
 ppp authentication chap
!
interface FastEthernet0
 no ip address
 no ip mroute-cache
 shutdown
 duplex auto
speed auto
 no cdp enable
!
ip local pool vpdn-pool1 70.0.0.1 70.0.0.100
ip local pool vpdn-pool2 80.0.0.1 80.0.0.100
ip default-gateway 10.1.26.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.26.254
ip route 90.1.1.2 255.255.255.255 10.1.26.254
no ip http server
ip pim bidir-enable
!
!
dialer-list 1 protocol ip permit
no cdp run
!
!
radius-server host 172.19.192.80 auth-port 1645 acct-port 1646 key rad123
radius-server retransmit 3
call rsvp-sync

Additional References

The following sections provide references related to RFC-2867 RADIUS Tunnel Accounting.

Related Documents

Related Topic
Document Title

RADIUS attributes

"RADIUS Attributes" feature module.

VPDN

Cisco IOS VPDN Configuration Guide, Release 12.4T.

Network accounting

"Configuring Accounting" feature module.


Standards

Standards
Title

None


MIBs

MIBs
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

RFC 2867

RADIUS Accounting Modifications for Tunnel Protocol Support


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for RFC-2867 RADIUS Tunnel Accounting

Table 2 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.


Note Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 2 Feature Information for RFC-2867 RADIUS Tunnel Accounting

Feature Name
Releases
Feature Information

RFC-2867 RADIUS Tunnel Accounting

12.2(15)B
12.3(4)T

The RFC-2867 RADIUS Tunnel Accounting introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop).

This feature also introduces two virtual private virtual private dialup network (VPDN) commands that help users better troubleshoot VPDN session events.

In 12.2(15)B, this feature was introduced on the Cisco 6400 series, Cisco 7200 series, and the Cisco 7400 series routers.

This feature was integrated into Cisco IOS Release 12.3(4)T.

The following commands were introduced or modified: aaa accounting, vpdn session accounting network, vpdn tunnel accounting network.


Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2003-2009 Cisco Systems, Inc. All rights reserved.