Per IP Subscriber DHCP Triggered RADIUS Accounting


First Published: February 19, 2007
Last Updated: February 19, 2007

The Per IP Subscriber DHCP Triggered RADIUS feature enables system administrators to track IP session activity on a per-subscriber basis and periodically extract subscriber accounting records. Transactions between the client and the RADIUS accounting server are authenticated via an Access Client module that maintains per-subscriber accounting statistics. Per IP Subscriber RADIUS works with DHCP IP address assignment on Cisco 7600 series routers only, and it improves the authentication, authorization, and accounting (AAA) of broadband service delivery. Each subscriber is assigned a unique AAA ID, in addition to the unique ID created by DHCP, in order to process secure START and STOP accounting messages and to abstract accounting information in a client-server environment.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Per IP Subscriber DHCP Triggered RADIUS" section.

Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

    Prerequisites for Per IP Subscriber DHCP Triggered RADIUS
    Restrictions for Per IP Subscriber DHCP Triggered RADIUS
    Information About Per IP Subscriber DHCP Triggered RADIUS
    How to Configure Per IP Subscriber DHCP Triggered RADIUS
    Configuration Examples for Per IP Subscriber DHCP Triggered RADIUS
    Additional References
    Command Reference
    Feature Information for Per IP Subscriber DHCP Triggered RADIUS

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2007 Cisco Systems, Inc. All rights reserved.

Prerequisites for Per IP Subscriber DHCP Triggered RADIUS

    You must configure accounting on a subset of RADIUS servers to which subscriber accounting statistics will be exported, as defined by the aaa accounting command.
    You must configure the number of IP address assignment leases offered to DHCP clients to only one per subscriber, as defined by the ip dhcp limit lease per interface 1 command.

Restrictions for Per IP Subscriber DHCP Triggered RADIUS

    The Per IP Subscriber DHCP Triggered RADIUS feature is enabled only for subscribers operating with Access Type interfaces on a Cisco 7600 series Broadband Remote Access Server (B-RAS).
    This feature does not support the collection of IP statistics from each source IP address.
    The feature collects IP statistics for each subinterface rather than each subscriber, and it is triggered only if the command to allow one IP address assignment via DHCP is configured.

Information About Per IP Subscriber DHCP Triggered RADIUS

To configure this feature, you should understand the following concepts:

    Per IP Subscriber DHCP Triggered RADIUS Network Topology
    Per IP Subscriber Triggered RADIUS Behavior

Per IP Subscriber DHCP Triggered RADIUS Network Topology

Per IP Subscriber DHCP Triggered RADIUS is implemented in a distributed networking environment, based on the following client-server components:

    Access Interface: Used by subscribers to operate on a Cisco 7600 router.
    DHCP Server: Grants permission to the DHCP client to use a particular IP address for a specified lease time.
    AAA Server: Transmits secure START and STOP accounting messages. After the periodic timer is configured on the unit under test (UUT), the AAA module on the UUT sends an interim periodic update to the RADIUS server.
    RADIUS Server: Receives and responds to accounting requests.

Figure 1 shows how the Access Client, referred to as the aaa-access-client module, is initialized to serve as a client of the RADIUS accounting server. The module is independent of existing DHCP RADIUS modules.

Figure 1: AAA Access Client Module Interaction (diagram not reproduced; it shows the access interfaces, the DHCP server, the Access Client, AAA, and the RADIUS server, with these labels: DHCP IP address assignment, Start/Stop messages, Periodic collection of statistics, Maintain statistics, RADIUS accounting request, RADIUS accounting response)

The Access Client comprises two sub-modules that enable improved IP session awareness, tracking, and reporting functionality:

    Access-Subscriber Management module (Access-Acct-Mgmt): Invoked by a successful DHCP IP assignment, this sub-module generates a unique AAA ID for each subscriber that combines with the DHCP unique ID to track an accounting session.
    Access-Subscriber Management (Access-Acct-Update): Invoked by the AAA server, this sub-module collects subscriber statistics and periodically reports on the accounting session.

Benefits of Per IP Subscriber DHCP Triggered RADIUS

IP Session Awareness and Security

RADIUS accounting provides information about subscribers' network connections and usage in the form of accounting records. The Access Client passes per-subscriber accounting statistics to the designated server, with a secure unique AAA ID. The periodic reporting of IP session activity gives system administrators the accounting information they need to make informed security, billing, and resource allocation decisions.

Per IP Subscriber Triggered RADIUS Behavior

When a client with an Access Type of interface is configured for Per IP Subscriber RADIUS, the statistics collection and reporting mechanism can be invoked by the DHCP module. A successful DHCP IP assignment or release triggers three types of accounting events via the Access Client module:

1. RADIUS accounting start: A Start packet, ACCT_START, is sent to the accounting server to flag the start of service delivery, the type of service being delivered, and the user it is being delivered to.
2. RADIUS accounting interim-update: An Interim Update packet, ACCT_UPDATE, is sent to the accounting server to flag an ongoing client association and IP session activity.
3. RADIUS accounting stop: A Stop packet, ACCT_STOP, is sent to the accounting server to flag the end of service delivery, the type of service that was delivered and optional statistics such as elapsed time, and input and output packets.

Requests, for any packet type, are submitted to the RADIUS accounting server via the network, and are acknowledged in these forms:

    RADIUS Response (START)
    RADIUS Interim Response
    RADIUS Response (STOP)

Figure 2 shows the AAA Access Client process flow and how the client interacts with the required modules.

Figure 2: AAA Access Client Process Flow (diagram not reproduced; participants are the Subscriber, the DHCP Module, the Access Client, and AAA, with these labels: Successful IP address assignment, DHCP binding assignment notify, RADIUS accounting start, session create, session start, RADIUS accounting request, get attributes/statistics, RADIUS accounting response, RADIUS interim accounting update, RADIUS interim accounting response, IP address release, DHCP binding destroy notification, RADIUS accounting stop, session delete, session stop, RADIUS accounting request (stop), RADIUS accounting response (stop))
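The start, interim-update and stop exchange described above, as an added example (not from the Cisco document and not Cisco's implementation): it builds RFC 2866 Accounting-Request packets for one DHCP-triggered session and checks their authenticator on the receiving side. The session ID, subscriber address, counters and the choice of attributes are constructed assumptions; the secret `lab` used in the test is the key from the page's configuration example.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2866 packet codes, attribute types and Acct-Status-Type values.
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
FRAMED_IP, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 8, 40, 44
# Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets
COUNTERS = ((46, "seconds"), (47, "in_pkts"), (48, "out_pkts"))
START, STOP, INTERIM = 1, 2, 3


def attr(attr_type, value):
    """Encode one type-length-value attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(ident, status, session_id, ip, secret, stats=None):
    """Accounting-Request: the authenticator is MD5 over the packet with a
    zeroed authenticator field, followed by the shared secret."""
    body = attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
    body += attr(ACCT_SESSION_ID, session_id.encode())
    body += attr(FRAMED_IP, socket.inet_aton(ip))
    for attr_type, key in (COUNTERS if stats else ()):
        body += attr(attr_type, struct.pack("!I", stats[key]))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """Receiver-side check: recompute the authenticator and compare."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])


def build_response(request, secret):
    """Accounting-Response bound to the authenticator of the request."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def status_of(packet):
    """Walk the attributes and return the Acct-Status-Type value."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == ACCT_STATUS_TYPE:
            return struct.unpack("!I", packet[pos + 2:pos + attr_len])[0]
        pos += attr_len
    return None


def session_packets(secret, session_id="00000001", ip="10.0.2.10"):
    """Constructed session: DHCP bind, one periodic update, DHCP release."""
    return [
        build_request(1, START, session_id, ip, secret),
        build_request(2, INTERIM, session_id, ip, secret,
                      {"seconds": 60, "in_pkts": 120, "out_pkts": 95}),
        build_request(3, STOP, session_id, ip, secret,
                      {"seconds": 180, "in_pkts": 410, "out_pkts": 322}),
    ]
```

Because the authenticator is an MD5 digest over the packet and the shared secret, the trustworthiness of the accounting records depends on the strength of that secret and on protecting the path between the router and the RADIUS server.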

How to Configure Per IP Subscriber DHCP Triggered RADIUS

This section contains the following procedure: Configuring Method Lists for Per IP Subscriber DHCP Triggered RADIUS.

Configuring Method Lists for Per IP Subscriber DHCP Triggered RADIUS

Each subscriber is configured on a per-interface basis. To invoke the Access Client and trigger the statistics collection mechanism on a subinterface, you must specify RADIUS as the accounting method and define a backup system for accounting in case the initial method fails. A method list is a named list describing the accounting methods to be queried in sequence. Perform this task to configure a named method list for Per IP Subscriber DHCP Triggered RADIUS.

SUMMARY STEPS

1. enable
2. configure terminal
3. interface type number [name-tag] access
4. encapsulation dot1q vlan-id [native]
5. ip address ip-address mask [secondary]
6. accounting dhcp source-ip aaa list method-list-name
7. end

DETAILED STEPS

Step 1
    Command or Action: enable
        Router> enable
    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
    Command or Action: configure terminal
        Router# configure terminal
    Purpose: Enters global configuration mode.

Step 3
    Command or Action: interface type number [name-tag] access
        Router(config)# interface gigabitethernet 1/0/1.2 access
    Purpose: Configures an interface type and enters access interface configuration mode.

Step 4
    Command or Action: encapsulation dot1q vlan-id [native]
        Router(config-subif)# encapsulation dot1q 102
    Purpose: Enables IEEE 802.1q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).

Step 5
    Command or Action: ip address ip-address mask [secondary]
        Router(config-subif)# ip address 10.0.2.1 255.255.255.0
    Purpose: Sets a primary or secondary IP address for an interface.

Step 6
    Command or Action: accounting dhcp source-ip aaa list method-list-name
        Router(config-subif)# accounting dhcp source-ip aaa list default
    Purpose: Enables the Per IP Subscriber DHCP RADIUS feature for DHCP clients, and configures accounting method lists that define the way accounting will be performed and the sequence in which methods are performed. Use the method-list-name argument to apply the accounting method list to a subinterface.

Step 7
    Command or Action: end
        Router(config-subif)# end
    Purpose: Ends the current configuration session and returns to privileged EXEC mode.

Configuration Examples for Per IP Subscriber DHCP Triggered RADIUS

This section provides the following configuration example: Subinterface RADIUS Configuration: Example.

Subinterface RADIUS Configuration: Example

In the following example, the aaa accounting command for periodic RADIUS accounting is issued in the context of an IP address assignment via DHCP. A named method list is not explicitly defined, and the default method list automatically applies to the subinterface. If no method list is defined, no accounting takes place.

    ! RADIUS server, default network accounting method list, 1-minute interim updates
    configure terminal
    aaa new-model
    radius-server host 75.0.1.1 auth-port 1645 acct-port 1646 key lab
    radius-server key lab
    !
    aaa accounting network default start-stop group radius
    aaa accounting update periodic 1
    end
    !
    ! DHCP pool with a 3-minute lease
    configure terminal
    ip dhcp pool pool1
     network 10.0.1.0 255.255.255.0
     lease 0 0 3
    !
    ! Access subinterface bound to the default accounting method list
    configure terminal
    interface Gigabitethernet 1/0/1.2 access
     encapsulation dot1q 102
     ip address 10.0.2.1 255.255.255.0
     accounting dhcp source-ip aaa list default
    end

Additional References

The following sections provide references related to the Per IP Subscriber DHCP Triggered RADIUS feature.

Related Documents

    Related Topic: Configuring
    Document Title: Configuring chapter in the Cisco IOS Security Configuration Guide, Release 12.4

    Related Topic: Security commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
    Document Title: Cisco IOS Security Command Reference, Release 12.4T

Standards

    Standard: None

MIBs

    MIB: None
    MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

    RFC: None

Technical Assistance

    Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register on Cisco.com.
    Link: http://www.cisco.com/techsupport

Command Reference

This section documents the following new command only.

    accounting dhcp source-ip aaa list

accounting dhcp source-ip aaa list

To enable Per IP Subscriber DHCP Triggered RADIUS for billing or security purposes, use the accounting dhcp source-ip aaa list command in access interface configuration mode. To disable Per IP Subscriber DHCP Triggered RADIUS, use the no form of this command.

    accounting dhcp source-ip aaa list method-list-name
    no accounting

Syntax Description

    method-list-name: Character string used to name at least one of the accounting methods, tried in a given sequence. Valid values are default or a named method list as defined by the aaa accounting command.

Command Default

This command is disabled by default. If the accounting dhcp source-ip aaa list command for RADIUS accounting is issued without a named method list specified, the default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list. If no default method list is defined, then no accounting takes place.

Command Modes

Access interface

Command History

    Release: 12.2(33)SRB
    Modification: This command was introduced.

Usage Guidelines

Enter the accounting dhcp source-ip aaa list command to enable accounting. Use the aaa accounting command to create a named method list.

Examples

The following example shows how to define a command accounting method list named default.

    accounting dhcp source-ip aaa list default

Related Commands

    aaa accounting: Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.
    ip dhcp limit lease per interface: Limits the number of leases offered to DHCP clients behind an ATM RBE unnumbered or serial unnumbered interface.
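A check for the silent failure described under Command Default (an undefined method list means no accounting takes place) and for the lease-limit prerequisite, as an added example rather than a Cisco tool. The sample configuration is constructed from the page's example with a hypothetical second subinterface that references an undefined list named `billing`; the 16-character secret threshold is an assumption taken from the preference stated in RFC 2865, not from this page.

```python
import re

MIN_SECRET_LEN = 16  # assumption: RFC 2865 preference, not stated on the page

# Constructed input, adapted from the page's example.
SAMPLE = """\
aaa new-model
radius-server host 75.0.1.1 auth-port 1645 acct-port 1646 key lab
aaa accounting network default start-stop group radius
aaa accounting update periodic 1
ip dhcp pool pool1
 network 10.0.1.0 255.255.255.0
 lease 0 0 3
interface Gigabitethernet 1/0/1.2 access
 encapsulation dot1q 102
 ip address 10.0.2.1 255.255.255.0
 accounting dhcp source-ip aaa list default
interface Gigabitethernet 1/0/1.3 access
 encapsulation dot1q 103
 ip address 10.0.3.1 255.255.255.0
 accounting dhcp source-ip aaa list billing
"""


def audit(config):
    """Return findings that leave subscriber accounting off or weakly protected."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("global: aaa new-model missing")
    if "ip dhcp limit lease per interface 1" not in lines:
        findings.append("global: ip dhcp limit lease per interface 1 missing")

    methods = {}  # method list name -> configured methods
    for ln in lines:
        m = re.match(r"aaa accounting network (\S+) (.+)", ln)
        if m:
            methods[m.group(1)] = m.group(2)
        # Only a cleartext key written as the last token is measured.
        m = re.search(r"\bkey (\S+)$", ln) if ln.startswith("radius-server") else None
        if m and len(m.group(1)) < MIN_SECRET_LEN:
            findings.append(f"global: RADIUS key shorter than {MIN_SECRET_LEN} characters")

    iface = None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():  # a top-level line ends an interface block
            iface = raw[len("interface "):] if raw.startswith("interface ") else None
            continue
        m = re.match(r"accounting dhcp source-ip aaa list (\S+)", raw.strip())
        if not (m and iface):
            continue
        name = m.group(1)
        if not iface.endswith(" access"):
            findings.append(f"{iface}: not an access interface")
        if name not in methods:
            findings.append(f"{iface}: method list '{name}' undefined, no accounting")
        elif "group radius" not in methods[name]:
            findings.append(f"{iface}: method list '{name}' does not use group radius")
    return findings
```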

Feature Information for Per IP Subscriber DHCP Triggered RADIUS

Table 1 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Table 1: Feature Information for Per IP Subscriber DHCP Triggered RADIUS

    Feature Name: Per IP Subscriber DHCP Triggered RADIUS
    Releases: 12.2(33)SRB
    Feature Information: The Per IP Subscriber DHCP Triggered RADIUS feature enables system administrators to track IP session activity on a per-subscriber basis and periodically extract subscriber accounting records. In 12.2(33)SRB, this feature was introduced on the Cisco 7600 router. The following command was introduced by this feature: accounting dhcp source-ip aaa list.

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2007 Cisco Systems, Inc. All rights reserved.