RFC-2867 RADIUS Tunnel Accounting
The RFC-2867 RADIUS Tunnel Accounting feature introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop).
This feature also introduces two virtual private dialup network (VPDN) commands that help users better troubleshoot VPDN session events.
Without RADIUS tunnel accounting support, VPDN with network accounting, which allows users to determine tunnel-link status changes, did not report all possible attributes to the accounting record file. Now that all possible attributes can be displayed, users can better verify accounting records with their Internet Service Providers (ISPs).
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for RFC-2867 RADIUS Tunnel Accounting" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•Restrictions for RFC-2867 RADIUS Tunnel Accounting
•Information About RFC-2867 RADIUS Tunnel Accounting
•How to Configure RADIUS Tunnel Accounting
•Configuration Examples for RADIUS Tunnel Accounting
Restrictions for RFC-2867 RADIUS Tunnel Accounting
RADIUS tunnel accounting works only with L2TP tunnel support.
Information About RFC-2867 RADIUS Tunnel Accounting
To use RADIUS tunnel attributes and commands, you should understand the following concepts:
•RADIUS Attributes Support for RADIUS Tunnel Accounting
RADIUS Attributes Support for RADIUS Tunnel Accounting
Table 1 outlines the new RADIUS accounting types that are designed to support the provision of compulsory tunneling in dialup networks; that is, these attribute types allow you to better track tunnel status changes.
Note The accounting types are divided into two separate tunnel types so users can decide if they want tunnel type, tunnel-link type, or both types of accounting.
| Accounting Type | Value | Description | Attributes (1) |
|---|---|---|---|
| Tunnel-Start | 9 | Marks the beginning of a tunnel setup with another node. | User-Name (1, from client); NAS-IP-Address (4, from AAA); Acct-Delay-Time (41, from AAA); Event-Timestamp (55, from AAA); Tunnel-Type (64, from client); Tunnel-Medium-Type (65, from client); Tunnel-Client-Endpoint (66, from client); Tunnel-Server-Endpoint (67, from client); Acct-Tunnel-Connection (68, from client) |
| Tunnel-Stop | 10 | Marks the end of a tunnel connection to or from another node. | User-Name (1, from client); NAS-IP-Address (4, from AAA); Acct-Delay-Time (41, from AAA); Acct-Input-Octets (42, from AAA); Acct-Output-Octets (43, from AAA); Acct-Session-Id (44, from AAA); Acct-Session-Time (46, from AAA); Acct-Input-Packets (47, from AAA); Acct-Output-Packets (48, from AAA); Acct-Terminate-Cause (49, from AAA); Acct-Multi-Session-Id (51, from AAA); Event-Timestamp (55, from AAA); Tunnel-Type (64, from client); Tunnel-Medium-Type (65, from client); Tunnel-Client-Endpoint (66, from client); Tunnel-Server-Endpoint (67, from client); Acct-Tunnel-Connection (68, from client); Acct-Tunnel-Packets-Lost (86, from client) |
| Tunnel-Reject | 11 | Marks the rejection of a tunnel setup with another node. | User-Name (1, from client); NAS-IP-Address (4, from AAA); Acct-Delay-Time (41, from AAA); Acct-Terminate-Cause (49, from client); Event-Timestamp (55, from AAA); Tunnel-Type (64, from client); Tunnel-Medium-Type (65, from client); Tunnel-Client-Endpoint (66, from client); Tunnel-Server-Endpoint (67, from client); Acct-Tunnel-Connection (68, from client) |
| Tunnel-Link-Start | 12 | Marks the creation of a tunnel link. Only some tunnel types (Layer 2 Tunneling Protocol [L2TP]) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel. | User-Name (1, from client); NAS-IP-Address (4, from AAA); NAS-Port (5, from AAA); Acct-Delay-Time (41, from AAA); Event-Timestamp (55, from AAA); Tunnel-Type (64, from client); Tunnel-Medium-Type (65, from client); Tunnel-Client-Endpoint (66, from client); Tunnel-Server-Endpoint (67, from client); Acct-Tunnel-Connection (68, from client) |
| Tunnel-Link-Stop | 13 | Marks the end of a tunnel link. Only some tunnel types (L2TP) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel. | User-Name (1, from client); NAS-IP-Address (4, from AAA); NAS-Port (5, from AAA); Acct-Delay-Time (41, from AAA); Acct-Input-Octets (42, from AAA); Acct-Output-Octets (43, from AAA); Acct-Session-Id (44, from AAA); Acct-Session-Time (46, from AAA); Acct-Input-Packets (47, from AAA); Acct-Output-Packets (48, from AAA); Acct-Terminate-Cause (49, from AAA); Acct-Multi-Session-Id (51, from AAA); Event-Timestamp (55, from AAA); NAS-Port-Type (61, from AAA); Tunnel-Type (64, from client); Tunnel-Medium-Type (65, from client); Tunnel-Client-Endpoint (66, from client); Tunnel-Server-Endpoint (67, from client); Acct-Tunnel-Connection (68, from client); Acct-Tunnel-Packets-Lost (86, from client) |
| Tunnel-Link-Reject | 14 | Marks the rejection of a tunnel setup for a new link in an existing tunnel. Only some tunnel types (L2TP) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel. | User-Name (1, from client); NAS-IP-Address (4, from AAA); Acct-Delay-Time (41, from AAA); Acct-Terminate-Cause (49, from AAA); Event-Timestamp (55, from AAA); Tunnel-Type (64, from client); Tunnel-Medium-Type (65, from client); Tunnel-Client-Endpoint (66, from client); Tunnel-Server-Endpoint (67, from client); Acct-Tunnel-Connection (68, from client) |

(1) If the specified tunnel type is used, these attributes should also be included in the accounting request packet.
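To see what these records look like on the wire, and to check a received record against Table 1, the following Python example is added here; it is not Cisco's code and not part of this module. It builds RFC 2866 Accounting-Request packets for the six tunnel accounting types, verifies the Request Authenticator with the shared secret (rad123, taken from the configuration examples later in this module), and lists the Table 1 attributes a record is missing for its Acct-Status-Type. The user name, NAS port, timestamps, session identifiers and Acct-Tunnel-Connection value in the samples are constructed; the LAC and LNS addresses come from the configuration examples; the Tunnel-Type (3 = L2TP) and Tunnel-Medium-Type (1 = IPv4) values follow RFC 2868.

```python
"""Added example (not Cisco's code): encode and decode RADIUS Accounting-Request
packets carrying the RFC 2867 tunnel accounting types, verify the Request
Authenticator with the shared secret, and report which Table 1 attributes a
record lacks for its Acct-Status-Type."""
import hashlib
import socket
import struct

ACCOUNTING_REQUEST = 4   # RADIUS code
ACCT_STATUS_TYPE = 40    # attribute carrying the values below
TUNNEL_START, TUNNEL_STOP, TUNNEL_REJECT = 9, 10, 11
TUNNEL_LINK_START, TUNNEL_LINK_STOP, TUNNEL_LINK_REJECT = 12, 13, 14
STATUS_NAMES = {9: "Tunnel-Start", 10: "Tunnel-Stop", 11: "Tunnel-Reject",
                12: "Tunnel-Link-Start", 13: "Tunnel-Link-Stop", 14: "Tunnel-Link-Reject"}
# Attribute numbers Table 1 lists per type (client- and AAA-supplied alike).
_COMMON = {1, 4, 41, 55, 64, 65, 66, 67, 68}
EXPECTED_ATTRS = {
    TUNNEL_START: _COMMON,
    TUNNEL_STOP: _COMMON | {42, 43, 44, 46, 47, 48, 49, 51, 86},
    TUNNEL_REJECT: _COMMON | {49},
    TUNNEL_LINK_START: _COMMON | {5},
    TUNNEL_LINK_STOP: _COMMON | {5, 42, 43, 44, 46, 47, 48, 49, 51, 61, 86},
    TUNNEL_LINK_REJECT: _COMMON | {49},
}

# Encoders: a RADIUS TLV is type(1) length(1) value; RFC 2868 tunnel attributes 64-67 lead with a tag octet.
def attr_int(atype, value):
    return struct.pack("!BBI", atype, 6, value)
def attr_ip(atype, dotted):
    return struct.pack("!BB", atype, 6) + socket.inet_aton(dotted)
def attr_str(atype, text):
    data = text.encode()
    return struct.pack("!BB", atype, 2 + len(data)) + data
def attr_tagged_int(atype, tag, value):
    return struct.pack("!BB", atype, 6) + bytes([tag]) + value.to_bytes(3, "big")
def attr_tagged_str(atype, tag, text):
    data = bytes([tag]) + text.encode()
    return struct.pack("!BB", atype, 2 + len(data)) + data

def build_accounting_request(identifier, attrs, secret):
    """Accounting-Request with the RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def authenticator_ok(packet, secret):
    """True when the Request Authenticator matches this secret and body."""
    return packet[4:20] == hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()

def parse_attributes(packet):
    """Return [(type, value bytes)], rejecting truncated or oversized TLVs."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def check_tunnel_record(packet, secret):
    """Return (accounting type name, sorted Table 1 attribute numbers absent)."""
    if packet[0] != ACCOUNTING_REQUEST or not authenticator_ok(packet, secret):
        raise ValueError("not an authentic Accounting-Request for this secret")
    attrs = parse_attributes(packet)
    status = next((struct.unpack("!I", v)[0] for t, v in attrs if t == ACCT_STATUS_TYPE), None)
    if status not in EXPECTED_ATTRS:
        raise ValueError("Acct-Status-Type %r is not a tunnel accounting type" % status)
    return STATUS_NAMES[status], sorted(EXPECTED_ATTRS[status] - {t for t, _ in attrs})

SECRET = b"rad123"   # shared key from the configuration examples in this module

def sample_tunnel_link_start():
    """Constructed Tunnel-Link-Start as the LAC could send it for an L2TP link
    (user name, port, timestamp and connection id are made up)."""
    attrs = [
        attr_str(1, "user1@cisco.com"),        # User-Name, from client
        attr_ip(4, "10.1.27.74"),              # NAS-IP-Address, from AAA
        attr_int(5, 23),                       # NAS-Port, from AAA
        attr_int(ACCT_STATUS_TYPE, TUNNEL_LINK_START),
        attr_int(41, 0),                       # Acct-Delay-Time
        attr_int(55, 1230000000),              # Event-Timestamp
        attr_tagged_int(64, 1, 3),             # Tunnel-Type 3 = L2TP (RFC 2868)
        attr_tagged_int(65, 1, 1),             # Tunnel-Medium-Type 1 = IPv4
        attr_tagged_str(66, 1, "10.1.27.74"),  # Tunnel-Client-Endpoint (LAC)
        attr_tagged_str(67, 1, "10.1.26.71"),  # Tunnel-Server-Endpoint (LNS)
        attr_str(68, "12345"),                 # Acct-Tunnel-Connection
    ]
    return build_accounting_request(7, attrs, SECRET)

def sample_incomplete_tunnel_stop():
    """Constructed Tunnel-Stop missing the octet and packet counters (42, 43, 47, 48)."""
    attrs = [attr_str(1, "user1@cisco.com"), attr_ip(4, "10.1.27.74"),
             attr_int(ACCT_STATUS_TYPE, TUNNEL_STOP), attr_int(41, 0),
             attr_str(44, "00000005"), attr_int(46, 600), attr_int(49, 1),
             attr_str(51, "00000005"), attr_int(55, 1230000600),
             attr_tagged_int(64, 1, 3), attr_tagged_int(65, 1, 1),
             attr_tagged_str(66, 1, "10.1.27.74"), attr_tagged_str(67, 1, "10.1.26.71"),
             attr_str(68, "12345"), attr_int(86, 0)]
    return build_accounting_request(8, attrs, SECRET)
```

A collector built this way drops records whose Request Authenticator does not verify under the configured key, and flags Tunnel-Stop and Tunnel-Link-Stop records that arrive without their counters, which is the kind of incomplete record the feature description above says used to reach the accounting file.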
How to Configure RADIUS Tunnel Accounting
This section contains the following procedures:
•Enabling Tunnel Type Accounting Records
•Verifying RADIUS Tunnel Accounting
Enabling Tunnel Type Accounting Records
Use this task to configure your LAC to send tunnel and tunnel-link accounting records to the RADIUS server.
Two new command-line interface (CLI) commands, vpdn session accounting network (tunnel-link-type records) and vpdn tunnel accounting network (tunnel-type records), are supported to help identify the following events:
•A VPDN tunnel is brought up or destroyed
•A request to create a VPDN tunnel is rejected
•A user session within a VPDN tunnel is brought up or brought down
•A user session create request is rejected
Note The first two events are tunnel-type accounting records: authentication, authorization, and accounting (AAA) sends Tunnel-Start, Tunnel-Stop, or Tunnel-Reject accounting records to the RADIUS server. The next two events are tunnel-link-type accounting records: AAA sends Tunnel-Link-Start, Tunnel-Link-Stop, or Tunnel-Link-Reject accounting records to the RADIUS server.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa accounting network {default | list-name} {start-stop | stop-only | wait-start | none} group groupname
4. vpdn enable
5. vpdn tunnel accounting network list-name
6. vpdn session accounting network list-name
DETAILED STEPS
What To Do Next
After you have enabled RADIUS tunnel accounting, you can verify your configuration with the optional task in the "Verifying RADIUS Tunnel Accounting" section.
Verifying RADIUS Tunnel Accounting
Use either one or both of the following optional steps to verify your RADIUS tunnel accounting configuration.
SUMMARY STEPS
1. enable
2. show accounting
3. show vpdn [session | tunnel]
DETAILED STEPS
Configuration Examples for RADIUS Tunnel Accounting
This section provides the following configuration examples:
•Configuring RADIUS Tunnel Accounting on LAC: Example
•Configuring RADIUS Tunnel Accounting on LNS: Example
Configuring RADIUS Tunnel Accounting on LAC: Example
The following example shows how to configure your L2TP access concentrator (LAC) to send tunnel and tunnel-link accounting records to the RADIUS server:
aaa new-model
!
!
aaa authentication ppp default group radius
aaa authorization network default local
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
aaa session-id common
enable secret 5 $1$IDjH$iL7puCja1RMlyOM.JAeuf/
enable password lab
!
username ISP_LAC password 0 tunnelpass
!
!
resource-pool disable
!
!
ip subnet-zero
ip cef
no ip domain-lookup
ip host dirt 171.69.1.129
!
vpdn enable
vpdn tunnel accounting network m1
vpdn session accounting network m1
vpdn search-order domain dnis
!
vpdn-group 1
request-dialin
protocol l2tp
domain cisco.com
initiate-to ip 10.1.26.71
local name ISP_LAC
!
isdn switch-type primary-5ess
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
controller T1 7/4
framing esf
linecode b8zs
pri-group timeslots 1-24
!
!
!
interface FastEthernet0/0
ip address 10.1.27.74 255.255.255.0
no ip mroute-cache
duplex half
speed auto
no cdp enable
!
interface FastEthernet0/1
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
no cdp enable
!
interface Serial7/4:23
ip address 60.0.0.2 255.255.255.0
encapsulation ppp
dialer string 2000
dialer-group 1
isdn switch-type primary-5ess
ppp authentication chap
!
interface Group-Async0
no ip address
shutdown
group-range 1/00 3/107
!
ip default-gateway 10.1.27.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.27.254
no ip http server
ip pim bidir-enable
!
!
dialer-list 1 protocol ip permit
no cdp run
!
!
radius-server host 172.19.192.26 auth-port 1645 acct-port 1646 key rad123
radius-server retransmit 3
call rsvp-sync
!
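As an added example (not from Cisco and not part of this module), the following Python script checks a saved running-config against steps 3 to 6 of the "Enabling Tunnel Type Accounting Records" procedure: aaa new-model and vpdn enable are present, each vpdn accounting command names a defined aaa accounting network list, that list actually generates start records, and a list that uses group radius has a radius-server host to send to. The embedded configuration excerpts are constructed: the first is taken from the LAC example above, the second is deliberately broken to show the findings. Named server groups other than radius are not resolved by this check.

```python
"""Added example (not Cisco's code): audit an IOS running-config against the
"Enabling Tunnel Type Accounting Records" steps, so a reviewer can confirm that
tunnel and tunnel-link records will actually be sent to a RADIUS server."""
import re

ACCT_RE = re.compile(r"^aaa accounting network (\S+) (start-stop|stop-only|wait-start|none) group (\S+)$")
VPDN_ACCT_RE = re.compile(r"^vpdn (tunnel|session) accounting network (\S+)$")

def audit_tunnel_accounting(config_text):
    """Return {'lists', 'vpdn', 'unused_lists', 'problems'}; an empty 'problems'
    list means steps 3 to 6 of the procedure are all satisfied."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip() not in ("", "!")]
    acct_lists, vpdn_acct = {}, {}   # list-name -> (mode, group); tunnel/session -> list-name
    for line in lines:
        m = ACCT_RE.match(line)
        if m:
            acct_lists[m.group(1)] = (m.group(2), m.group(3))
        m = VPDN_ACCT_RE.match(line)
        if m:
            vpdn_acct[m.group(1)] = m.group(2)
    problems = []
    if "aaa new-model" not in lines:
        problems.append("aaa new-model is not configured (required before aaa accounting)")
    if "vpdn enable" not in lines:
        problems.append("vpdn enable is missing (step 4)")
    has_radius_host = any(l.startswith("radius-server host ") for l in lines)
    for kind, step in (("tunnel", 5), ("session", 6)):
        name = vpdn_acct.get(kind)
        if name is None:
            problems.append("no 'vpdn %s accounting network' command (step %d)" % (kind, step))
            continue
        if name not in acct_lists:
            problems.append("vpdn %s accounting references undefined list '%s' (step 3)" % (kind, name))
            continue
        mode, group = acct_lists[name]
        if mode == "none":
            problems.append("list '%s' (%s accounting) is 'none': no records are sent" % (name, kind))
        elif mode == "stop-only":
            problems.append("list '%s' (%s accounting) is stop-only: no Start records" % (name, kind))
        # Only the implicit 'radius' group is resolved here; named groups (aaa group server) are not.
        if group == "radius" and not has_radius_host:
            problems.append("list '%s' uses group radius but no radius-server host is defined" % name)
    unused = sorted(set(acct_lists) - set(vpdn_acct.values()))
    return {"lists": acct_lists, "vpdn": vpdn_acct, "unused_lists": unused, "problems": problems}

# Constructed excerpt of the LAC example configuration from this module.
LAC_CONFIG = """\
aaa new-model
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
!
vpdn enable
vpdn tunnel accounting network m1
vpdn session accounting network m1
!
radius-server host 172.19.192.26 auth-port 1645 acct-port 1646 key rad123
"""

# Constructed misconfiguration: vpdn never enabled, session list undefined.
BROKEN_CONFIG = """\
aaa new-model
aaa accounting network m1 start-stop group radius
vpdn tunnel accounting network m1
vpdn session accounting network m3
radius-server host 172.19.192.26 auth-port 1645 acct-port 1646 key rad123
"""

if __name__ == "__main__":
    for label, cfg in (("LAC example", LAC_CONFIG), ("broken", BROKEN_CONFIG)):
        report = audit_tunnel_accounting(cfg)
        print(label, "problems:", report["problems"] or "none", "unused lists:", report["unused_lists"])
```

On the LAC example the audit reports no problems and notes that list m2 is defined but not referenced by either vpdn accounting command; on the broken excerpt it reports the missing vpdn enable and the dangling list name m3.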
Configuring RADIUS Tunnel Accounting on LNS: Example
The following example shows how to configure your L2TP network server (LNS) to send tunnel and tunnel-link accounting records to the RADIUS server:
aaa new-model
!
!
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
aaa session-id common
enable secret 5 $1$ftf.$wE6Q5Yv6hmQiwL9pizPCg1
!
username ENT_LNS password 0 tunnelpass
username user1@cisco.com password 0 lab
username user2@cisco.com password 0 lab
spe 1/0 1/7
firmware location system:/ucode/mica_port_firmware
spe 2/0 2/9
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
clock timezone est 2
!
ip subnet-zero
no ip domain-lookup
ip host CALLGEN-SECURITY-V2 64.24.80.28 3.47.0.0
ip host dirt 171.69.1.129
!
vpdn enable
vpdn tunnel accounting network m1
vpdn session accounting network m1
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname ISP_LAC
local name ENT_LNS
!
isdn switch-type primary-5ess
!
!
!
!
!
!
!
fax interface-type modem
mta receive maximum-recipients 0
!
interface Loopback0
ip address 70.0.0.101 255.255.255.0
!
interface Loopback1
ip address 80.0.0.101 255.255.255.0
!
interface Ethernet0
ip address 10.1.26.71 255.255.255.0
no ip mroute-cache
no cdp enable
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool vpdn-pool1
ppp authentication chap
!
interface Virtual-Template2
ip unnumbered Loopback1
peer default ip address pool vpdn-pool2
ppp authentication chap
!
interface FastEthernet0
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
no cdp enable
!
ip local pool vpdn-pool1 70.0.0.1 70.0.0.100
ip local pool vpdn-pool2 80.0.0.1 80.0.0.100
ip default-gateway 10.1.26.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.26.254
ip route 90.1.1.2 255.255.255.255 10.1.26.254
no ip http server
ip pim bidir-enable
!
!
dialer-list 1 protocol ip permit
no cdp run
!
!
radius-server host 172.19.192.80 auth-port 1645 acct-port 1646 key rad123
radius-server retransmit 3
call rsvp-sync
Additional References
The following sections provide references related to RFC-2867 RADIUS Tunnel Accounting.
Related Documents
| Related Topic | Document Title |
|---|---|
| RADIUS attributes | "RADIUS Attributes" feature module. |
| VPDN | Cisco IOS VPDN Configuration Guide, Release 12.4T. |
| Network accounting | "Configuring Accounting" feature module. |
Standards
| Standard | Title |
|---|---|
| None | — |
MIBs
| MIB | MIBs Link |
|---|---|
| None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
| RFC | Title |
|---|---|
| RFC 2867 | RADIUS Accounting Modifications for Tunnel Protocol Support |
Technical Assistance
Feature Information for RFC-2867 RADIUS Tunnel Accounting
Table 2 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2003-2009 Cisco Systems, Inc. All rights reserved.