Per IP Subscriber DHCP Triggered RADIUS Accounting
First Published: February 19, 2007
Last Updated: August 25, 2009
The Per IP Subscriber DHCP Triggered RADIUS Accounting feature enables system administrators to track IP session activity on a per-subscriber basis and periodically extract subscriber accounting records. Transactions between the client and the RADIUS accounting server are authenticated via an Access Client module that maintains per-subscriber accounting statistics.
Per IP Subscriber RADIUS Accounting works with DHCP IP address assignment on Cisco 7600 series routers only, and it improves the authentication, authorization, and accounting (AAA) of broadband service delivery. Each subscriber is assigned a unique AAA ID in addition to the unique ID created by DHCP, so that secure START and STOP accounting messages can be processed and accounting information can be abstracted in a client-server environment.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Per IP Subscriber DHCP Triggered RADIUS Accounting" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•Prerequisites for Per IP Subscriber DHCP Triggered RADIUS Accounting
•Restrictions for Per IP Subscriber DHCP Triggered RADIUS Accounting
•Information About Per IP Subscriber DHCP Triggered RADIUS Accounting
•How to Configure Per IP Subscriber DHCP Triggered RADIUS Accounting
•Configuration Examples for Per IP Subscriber DHCP Triggered RADIUS Accounting
•Additional References
•Feature Information for Per IP Subscriber DHCP Triggered RADIUS Accounting
Prerequisites for Per IP Subscriber DHCP Triggered RADIUS Accounting
•You must configure accounting on a subset of RADIUS servers to which subscriber accounting statistics will be exported, as defined by the aaa accounting command.
•You must limit the number of IP address leases offered to DHCP clients to one per subscriber, as defined by the ip dhcp limit lease per interface 1 command.
Restrictions for Per IP Subscriber DHCP Triggered RADIUS Accounting
•The Per IP Subscriber DHCP Triggered RADIUS Accounting feature is enabled only for subscribers operating with Access Type interfaces on a Cisco 7600 series Broadband Remote Access Server (B-RAS).
•This feature does not support the collection of IP statistics from each source IP address. The feature collects IP statistics for each subinterface rather than each subscriber, and it is triggered only if the command to allow one IP address assignment via DHCP is configured.
Information About Per IP Subscriber DHCP Triggered RADIUS Accounting
To configure this feature, you should understand the following concepts:
•Per IP Subscriber DHCP Triggered RADIUS Accounting Network Topology
•Per IP Subscriber Triggered RADIUS Accounting Behavior
Per IP Subscriber DHCP Triggered RADIUS Accounting Network Topology
Per IP Subscriber DHCP Triggered RADIUS Accounting is implemented in a distributed networking environment, based on the following client-server components:
•Access Interface—Used by subscribers to operate on a Cisco 7600 router.
•DHCP Server—Grants permission to the DHCP client to use a particular IP address for a specified lease time.
•AAA Server—Transmits secure START and STOP accounting messages. After the periodic timer is configured on the unit under test (UUT), the AAA module on the UUT sends an interim periodic update to the RADIUS server.
•RADIUS Server—Receives and responds to accounting requests.
Figure 1 shows how the Access Client, referred to as the "aaa-access-client" module, is initialized to serve as a client of the RADIUS accounting server. The module is independent of existing DHCP RADIUS Accounting modules.
Figure 1 AAA Access Client Module Interaction
The Access Client comprises two sub-modules that enable improved IP session awareness, tracking, and reporting functionality:
•Access-Subscriber Management module (Access-Acct-Mgmt): Invoked by a successful DHCP IP assignment, this sub-module generates a unique AAA ID for each subscriber that combines with the DHCP unique ID to track an accounting session.
•Access-Subscriber Accounting Management (Access-Acct-Update): Invoked by the AAA server, this sub-module collects subscriber statistics and periodically reports on the accounting session.
Benefits of Per IP Subscriber DHCP Triggered RADIUS Accounting
IP Session Awareness and Security
RADIUS accounting provides information about subscribers' network connections and usage in the form of accounting records.
The Access Client passes per-subscriber accounting statistics to the designated server, with a secure unique AAA ID. The periodic reporting of IP session activity gives system administrators the accounting information they need to make informed security, billing, and resource allocation decisions.
Per IP Subscriber Triggered RADIUS Accounting Behavior
When a client on an Access Type interface is configured for Per IP Subscriber RADIUS Accounting, the statistics collection and reporting mechanism can be invoked by the DHCP module. A successful DHCP IP assignment or release triggers three types of accounting events via the Access Client module:
1. RADIUS accounting start: An Accounting Start packet, ACCT_START, is sent to the accounting server to flag the start of service delivery, the type of service being delivered, and the user it is being delivered to.
2. RADIUS accounting interim-update: An Accounting Interim Update packet, ACCT_UPDATE, is sent to the accounting server to flag an ongoing client association and IP session activity.
3. RADIUS accounting stop: An Accounting Stop packet, ACCT_STOP, is sent to the accounting server to flag the end of service delivery, the type of service that was delivered, and optional statistics such as elapsed time and input and output packets.
Accounting requests, for any packet type, are submitted to the RADIUS accounting server via the network, and are acknowledged in these forms:
•RADIUS Accounting Response (START)
•RADIUS Interim Accounting Response
•RADIUS Accounting Response (STOP)
Figure 2 shows the AAA Access Client process flow and how the client interacts with the required modules.
Figure 2 AAA Access Client Process Flow
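The request and acknowledgement exchange described above, as an added example that is not part of the original Cisco document: Python code showing how the accounting server and the client authenticate START, interim-update, and STOP packets with the shared key, following the authenticator rules of RFC 2866. The function names, the session ID values, and the use of the key "lab" from the configuration example later in this document are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5          # RFC 2866 packet codes
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44  # RFC 2866 attribute types
STATUS = {"start": 1, "stop": 2, "interim-update": 3}
SECRET = b"lab"  # assumption: shared key taken from the page's configuration example

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _sign(code: int, ident: int, authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Return header + MD5 authenticator + attributes for one packet."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + authenticator + attrs + secret).digest()
    return header + digest + attrs

def build_request(ident: int, status: str, session_id: str, secret: bytes) -> bytes:
    """Client side: Accounting-Request, hashed with 16 zero octets as authenticator."""
    attrs = attr(ACCT_STATUS_TYPE, struct.pack("!I", STATUS[status]))
    attrs += attr(ACCT_SESSION_ID, session_id.encode())
    return _sign(ACCT_REQUEST, ident, bytes(16), attrs, secret)

def verify_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the Request Authenticator; reject on any mismatch."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        return False
    expected = _sign(ACCT_REQUEST, packet[1], bytes(16), packet[20:], secret)
    return hmac.compare_digest(expected, packet)

def build_response(request: bytes, secret: bytes) -> bytes:
    """Server side: Accounting-Response bound to the request's authenticator."""
    return _sign(ACCT_RESPONSE, request[1], request[4:20], b"", secret)

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: accept the acknowledgement only if it answers this request."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = _sign(ACCT_RESPONSE, request[1], request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    req = build_request(1, "start", "session-0001", SECRET)  # constructed sample
    print(verify_request(req, SECRET), verify_request(req, b"other-key"))
    resp = build_response(req, SECRET)
    print(verify_response(resp, req, SECRET))
```

The authenticator is a plain MD5 over the packet and the shared key, so its strength rests entirely on that key; a short value such as the one in the lab configuration should be replaced with a long random key in production.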
How to Configure Per IP Subscriber DHCP Triggered RADIUS Accounting
This section contains the following procedure:
•Configuring Method Lists for Per IP Subscriber DHCP Triggered RADIUS Accounting.
Configuring Method Lists for Per IP Subscriber DHCP Triggered RADIUS Accounting
Each subscriber is configured on a per-interface basis. To invoke the Access Client and trigger the statistics collection mechanism on a subinterface, you must specify RADIUS as the accounting method and define a backup system for accounting in case the initial method fails. A method list is a named list describing the accounting methods to be queried in sequence.
Perform this task to configure a named method list for Per IP Subscriber DHCP Triggered RADIUS Accounting.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number [name-tag] access
4. encapsulation dot1q vlan-id [native]
5. ip address ip-address mask [secondary]
6. accounting dhcp source-ip aaa list method-list-name
7. end
DETAILED STEPS
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | enable<br>Example: Router> enable | Enables privileged EXEC mode. •Enter your password if prompted. |
| Step 2 | configure terminal<br>Example: Router# configure terminal | Enters global configuration mode. |
| Step 3 | interface type number [name-tag] access<br>Example: Router(config)# interface gigabitethernet 1/0/1.2 access | Configures an interface type and enters access interface configuration mode. |
| Step 4 | encapsulation dot1q vlan-id [native]<br>Example: Router(config-subif)# encapsulation dot1q 102 | Enables IEEE 802.1q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN). |
| Step 5 | ip address ip-address mask [secondary]<br>Example: Router(config-subif)# ip address 10.0.2.1 255.255.255.0 | Sets a primary or secondary IP address for an interface. |
| Step 6 | accounting dhcp source-ip aaa list method-list-name<br>Example: Router(config-subif)# accounting dhcp source-ip aaa list default | Enables the Per IP Subscriber DHCP RADIUS Accounting feature for DHCP clients, and configures accounting method lists that define the way accounting will be performed and the sequence in which methods are performed. Use the method-list-name argument to apply the accounting method list to a subinterface. |
| Step 7 | end<br>Example: Router(config-subif)# end | Ends the current configuration session and returns to privileged EXEC mode. |
Configuration Examples for Per IP Subscriber DHCP Triggered RADIUS Accounting
This section provides the following configuration example:
•Subinterface RADIUS Accounting Configuration: Example
Subinterface RADIUS Accounting Configuration: Example
In the following example, the aaa accounting command for periodic RADIUS accounting is issued in the context of an IP address assignment via DHCP. A named method list is not explicitly defined, and the default method list automatically applies to the subinterface. If no method list is defined, no accounting takes place.
radius-server host 75.0.1.1 auth-port 1645 acct-port 1646 key lab
aaa accounting network default start-stop group radius
aaa accounting update periodic 1
network 10.0.1.0 255.255.255.0
interface Gigabitethernet 1/0/1.2 access
 ip address 10.0.2.1 255.255.255.0
 accounting dhcp source-ip aaa list default
Additional References
The following sections provide references related to the Per IP Subscriber DHCP Triggered RADIUS Accounting feature.
Related Documents
Standards
MIBs
| MIB | MIBs Link |
|---|---|
| None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
RFCs
Technical Assistance
| Description | Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport |
Feature Information for Per IP Subscriber DHCP Triggered RADIUS Accounting
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for Per IP Subscriber DHCP Triggered RADIUS Accounting
| Feature Name | Releases | Feature Information |
|---|---|---|
| Per IP Subscriber DHCP Triggered RADIUS Accounting | 12.2(33)SRB | The Per IP Subscriber DHCP Triggered RADIUS Accounting feature enables system administrators to track IP session activity on a per-subscriber basis and periodically extract subscriber accounting records. In 12.2(33)SRB, this feature was introduced on the Cisco 7600 router. The following command was introduced by this feature: accounting dhcp source-ip aaa list. |
© 2007-2009 Cisco Systems, Inc. All rights reserved.