Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4

Chapter Title

RFC-2867 RADIUS Tunnel Accounting

Results

Updated:
March 26, 2008

Chapter: RFC-2867 RADIUS Tunnel Accounting


RFC-2867 RADIUS Tunnel Accounting

First Published: November 3, 2003
Last Updated: October 19, 2009

The RFC-2867 RADIUS Tunnel Accounting introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop).

This feature also introduces two virtual private virtual private dialup network (VPDN) commands that help users better troubleshoot VPDN session events.

Without RADIUS tunnel accounting support, VPDN with network accounting, which allows users to determine tunnel-link status changes, did not report all possible attributes to the accounting record file. Now that all possible attributes can be displayed, users can better verify accounting records with their Internet Service Providers (ISPs).

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for RFC-2867 RADIUS Tunnel Accounting" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.

Contents

Restrictions for RFC-2867 RADIUS Tunnel Accounting

Information About RFC-2867 RADIUS Tunnel Accounting

How to Configure RADIUS Tunnel Accounting

Configuration Examples for RADIUS Tunnel Accounting

Additional References

Restrictions for RFC-2867 RADIUS Tunnel Accounting

RADIUS tunnel accounting works only with L2TP tunnel support.

Information About RFC-2867 RADIUS Tunnel Accounting

To use RADIUS tunnel attributes and commands, you should understand the following concepts:

RADIUS Attributes Support for RADIUS Tunnel Accounting

RADIUS Attributes Support for RADIUS Tunnel Accounting

Table 1 outlines the new RADIUS accounting types that are designed to support the provision of compulsory tunneling in dialup networks; that is, these attribute types allow you to better track tunnel status changes.

Note The accounting types are divided into two separate tunnel types so users can decide if they want tunnel type, tunnel-link type, or both types of accounting.

Table 1 RADIUS Accounting Types for the Acct-Status-Type Attribute 

Type-Name
Number
Description
Additional Attributes 1

Tunnel-Start

9

Marks the beginning of a tunnel setup with another node.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

Acct-Delay-Time (41)—from AAA

Event-Timestamp (55)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

Tunnel-Stop

10

Marks the end of a tunnel connection to or from another node.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

Acct-Delay-Time (41)—from AAA

Acct-Input-Octets (42)—from AAA

Acct-Output-Octets (43)—from AAA

Acct-Session-Id (44)—from AAA

Acct-Session-Time (46)—from AAA

Acct-Input-Packets (47)—from AAA

Acct-Output-Packets (48)—from AAA

Acct-Terminate-Cause (49)—from AAA

Acct-Multi-Session-Id (51)—from AAA

Event-Timestamp (55)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

Acct-Tunnel-Packets-Lost (86)—from client

Tunnel-Reject

11

Marks the rejection of a tunnel setup with another node.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

Acct-Delay-Time (41)—from AAA

Acct-Terminate-Cause (49)—from client

Event-Timestamp (55)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

Tunnel-Link-Start

12

Marks the creation of a tunnel link. Only some tunnel types (Layer 2 Transport Protocol [L2TP]) support the multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

NAS-Port (5)—from AAA

Acct-Delay-Time (41)—from AAA

Event-Timestamp (55)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

Tunnel-Link-Stop

13

Marks the end of a tunnel link. Only some tunnel types (L2TP) support the multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

NAS-Port (5)—from AAA

Acct-Delay-Time (41)—from AAA

Acct-Input-Octets (42)—from AAA

Acct-Output-Octets (43)—from AAA

Acct-Session-Id (44)—from AAA

Acct-Session-Time (46)—from AAA

Acct-Input-Packets (47)—from AAA

Acct-Output-Packets (48)—from AAA

Acct-Terminate-Cause (49)—from AAA

Acct-Multi-Session-Id (51)—from AAA

Event-Timestamp (55)—from AAA

NAS-Port-Type (61)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

Acct-Tunnel-Packets-Lost (86)—from client

Tunnel-Link-Reject

14

Marks the rejection of a tunnel setup for a new link in an existing tunnel. Only some tunnel types (L2TP) support the multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.

User-Name (1)—from client

NAS-IP-Address (4)—from AAA

Acct-Delay-Time (41)—from AAA

Acct-Terminate-Cause (49)—from AAA

Event-Timestamp (55)—from AAA

Tunnel-Type (64)—from client

Tunnel-Medium-Type (65)—from client

Tunnel-Client-Endpoint (66)—from client

Tunnel-Server-Endpoint (67)—from client

Acct-Tunnel-Connection (68)—from client

1 If the specified tunnel type is used, these attributes should also be included in the accounting request packet.


How to Configure RADIUS Tunnel Accounting

This section contains the following procedures:

Enabling Tunnel Type Accounting Records

Verifying RADIUS Tunnel Accounting

Enabling Tunnel Type Accounting Records

Use this task to configure your LAC to send tunnel and tunnel-link accounting records to be sent to the RADIUS server.

Two new command line interfaces (CLIs)—vpdn session accounting network (tunnel-link-type records) and vpdn tunnel accounting network (tunnel-type records)—are supported to help identify the following events:

A VPDN tunnel is brought up or destroyed

A request to create a VPDN tunnel is rejected

A user session within a VPDN tunnel is brought up or brought down

A user session create request is rejected

Note The first two events are tunnel-type accounting records: authentication, authorization, and accounting (AAA) sends Tunnel-Start, Tunnel-Stop, or Tunnel-Reject accounting records to the RADIUS server. The next two events are tunnel-link-type accounting records: AAA sends Tunnel-Link-Start, Tunnel-Link-Stop, or Tunnel-Link-Reject accounting records to the RADIUS server.

SUMMARY STEPS

1. enable

2. configure terminal

3. aaa accounting network {default | list-name} {start-stop | stop-only | wait-start | none} group groupname

4. vpdn enable

5. vpdn tunnel accounting network list-name

6. vpdn session accounting network list-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

Router(config)# aaa accounting network
{default | list-name} {start-stop | stop-only | wait-start | none} group groupname

Enables network accounting.

default—If the default network accounting method-list is configured and no additional accounting configurations are enabled on the interface, network accounting is enabled by default.

If either the vpdn session accounting network command or the vpdn tunnel accounting network command is linked to the default method-list, all tunnel and tunnel-link accounting records are enabled for those sessions.

list-name—The list-name defined in the aaa accounting command must be the same as the list-name defined in the VPDN command; otherwise, accounting will not occur.

Step 4 

Router(config)# vpdn enable

Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (if applicable).

Step 5 

Router(config)# vpdn tunnel accounting network list-name

Enables Tunnel-Start, Tunnel-Stop, and Tunnel-Reject accounting records.

list-name—The list-name must match the list-name defined in the aaa accounting command; otherwise, network accounting will not occur.

Step 6 

Router(config)# vpdn session accounting network list-name

Enables Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject accounting records.

list-name—The list-name must match the list-name defined in the aaa accounting command; otherwise, network accounting will not occur.

What To Do Next

After you have enabled RADIUS tunnel accounting, you can verify your configuration via the following optional task ""Verifying RADIUS Tunnel Accounting" section."

Verifying RADIUS Tunnel Accounting

Use either one or both of the following optional steps to verify your RADIUS tunnel accounting configuration.

SUMMARY STEPS

1. enable

2. show accounting

3. show vpdn [session | tunnel]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

Router# show accounting

Displays the active accountable events on the network and helps collect information in the event of a data loss on the accounting server.

Step 3 

Router# show vpdn [session] [tunnel]

Displays information about active L2TP tunnel and message identifiers in a VPDN.

session—Displays a summary of the status of all active tunnels.

tunnel—Displays information about all active L2TP tunnels in summary-style format.

Configuration Examples for RADIUS Tunnel Accounting

This section provides the following configuration examples:

Configuring RADIUS Tunnel Accounting on LAC: Example

Configuring RADIUS Tunnel Accounting on LNS: Example

Configuring RADIUS Tunnel Accounting on LAC: Example

The following example shows how to configure your L2TP access concentrator (LAC) to send tunnel and tunnel-link accounting records to the RADIUS server: 

aaa new-model

!

!

aaa authentication ppp default group radius

aaa authorization network default local

aaa accounting network m1 start-stop group radius

aaa accounting network m2 stop-only group radius

aaa session-id common

enable secret 5 $1$IDjH$iL7puCja1RMlyOM.JAeuf/

enable password lab

!

username ISP_LAC password 0 tunnelpass

!

!

resource-pool disable

!

!

ip subnet-zero

ip cef

no ip domain-lookup

ip host dirt 171.69.1.129

!

vpdn enable

vpdn tunnel accounting network m1

vpdn session accounting network m1

vpdn search-order domain dnis

!

vpdn-group 1

 request-dialin

  protocol l2tp

  domain cisco.com

 initiate-to ip 10.1.26.71

 local name ISP_LAC

!

isdn switch-type primary-5ess

!

!

fax interface-type fax-mail

mta receive maximum-recipients 0

!

controller T1 7/4

 framing esf

 linecode b8zs

 pri-group timeslots 1-24

!

!

!

interface FastEthernet0/0

 ip address 10.1.27.74 255.255.255.0

 no ip mroute-cache

 duplex half

 speed auto

 no cdp enable

!

interface FastEthernet0/1

 no ip address

 no ip mroute-cache

 shutdown

 duplex auto

 speed auto

 no cdp enable

!

interface Serial7/4:23

 ip address 60.0.0.2 255.255.255.0

 encapsulation ppp

 dialer string 2000

 dialer-group 1

 isdn switch-type primary-5ess

 ppp authentication chap

!

interface Group-Async0

 no ip address

 shutdown

 group-range 1/00 3/107

!

ip default-gateway 10.1.27.254

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.27.254

no ip http server

ip pim bidir-enable

!

!

dialer-list 1 protocol ip permit

no cdp run

!

!

radius-server host 172.19.192.26 auth-port 1645 acct-port 1646 key rad123

radius-server retransmit 3

call rsvp-sync

!

Configuring RADIUS Tunnel Accounting on LNS: Example

The following example shows how to configure your L2TP network server (LNS) to send tunnel and tunnel-link accounting records to the RADIUS server: 

aaa new-model

!

!

aaa accounting network m1 start-stop group radius

aaa accounting network m2 stop-only group radius

aaa session-id common

enable secret 5 $1$ftf.$wE6Q5Yv6hmQiwL9pizPCg1

!

username ENT_LNS password 0 tunnelpass

username user1@cisco.com password 0 lab

username user2@cisco.com password 0 lab

spe 1/0 1/7

 firmware location system:/ucode/mica_port_firmware

spe 2/0 2/9

 firmware location system:/ucode/mica_port_firmware

!

!

resource-pool disable

clock timezone est 2

!

ip subnet-zero

no ip domain-lookup

ip host CALLGEN-SECURITY-V2 64.24.80.28 3.47.0.0

ip host dirt 171.69.1.129

!

vpdn enable

vpdn tunnel accounting network m1

vpdn session accounting network m1

!

vpdn-group 1

accept-dialin

  protocol l2tp

  virtual-template 1

 terminate-from hostname ISP_LAC

 local name ENT_LNS

!

isdn switch-type primary-5ess

!

!

!

!

!

!

!

fax interface-type modem

mta receive maximum-recipients 0

!

interface Loopback0

 ip address 70.0.0.101 255.255.255.0

!

interface Loopback1

 ip address 80.0.0.101 255.255.255.0

!

interface Ethernet0

 ip address 10.1.26.71 255.255.255.0

 no ip mroute-cache

 no cdp enable

!

interface Virtual-Template1

 ip unnumbered Loopback0

 peer default ip address pool vpdn-pool1

 ppp authentication chap

!

interface Virtual-Template2

 ip unnumbered Loopback1

 peer default ip address pool vpdn-pool2

 ppp authentication chap

!

interface FastEthernet0

 no ip address

 no ip mroute-cache

 shutdown

 duplex auto

speed auto

 no cdp enable

!

ip local pool vpdn-pool1 70.0.0.1 70.0.0.100

ip local pool vpdn-pool2 80.0.0.1 80.0.0.100

ip default-gateway 10.1.26.254

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.26.254

ip route 90.1.1.2 255.255.255.255 10.1.26.254

no ip http server

ip pim bidir-enable

!

!

dialer-list 1 protocol ip permit

no cdp run

!

!

radius-server host 172.19.192.80 auth-port 1645 acct-port 1646 key rad123

radius-server retransmit 3

call rsvp-sync

Additional References

The following sections provide references related to RFC-2867 RADIUS Tunnel Accounting.

Related Documents

Related Topic
Document Title

RADIUS attributes

"RADIUS Attributes" feature module.

VPDN

Cisco IOS VPDN Configuration Guide, Release 12.4T.

Network accounting

"Configuring Accounting" feature module.


Standards

Standards
Title

None


MIBs

MIBs
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

RFC 2867

RADIUS Accounting Modifications for Tunnel Protocol Support


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for RFC-2867 RADIUS Tunnel Accounting

Table 2 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.

Note Table 2 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Table 2 Feature Information for RFC-2867 RADIUS Tunnel Accounting

Feature Name
Releases
Feature Information

RFC-2867 RADIUS Tunnel Accounting

12.2(15)B
12.3(4)T

The RFC-2867 RADIUS Tunnel Accounting introduces six new RADIUS accounting types that are used with the RADIUS accounting attribute Acct-Status-Type (attribute 40), which indicates whether an accounting request marks the beginning of user service (start) or the end (stop).

This feature also introduces two virtual private virtual private dialup network (VPDN) commands that help users better troubleshoot VPDN session events.

In 12.2(15)B, this feature was introduced on the Cisco 6400 series, Cisco 7200 series, and the Cisco 7400 series routers.

This feature was integrated into Cisco IOS Release 12.3(4)T.

The following commands were introduced or modified: aaa accounting, vpdn session accounting network, vpdn tunnel accounting network.


Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2003-2009 Cisco Systems, Inc. All rights reserved.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco