RADIUS NAS-IP-Address Attribute Configurability

Similar documents
DHCP Lease Limit per ATM/RBE Unnumbered Interface

BGP Enforce the First Autonomous System Path

PPPoE Session Recovery After Reload

SSG Service Profile Caching

VPDN Group Session Limiting

Suppress BGP Advertisement for Inactive Routes

RADIUS Tunnel Preference for Load Balancing and Fail-Over

OSPF Incremental SPF

IS-IS Incremental SPF

PPP/MLP MRRU Negotiation Configuration

Generic Routing Encapsulation Tunnel IP Source and Destination VRF Membership

RADIUS Logical Line ID

DHCP Option 82 Support for Routed Bridge Encapsulation

PPPoE Client DDR Idle Timer

This feature was introduced. This feature was integrated into Cisco IOS Release 12.2(27)SBA.

PPPoE Session Limits per NAS Port

IMA Dynamic Bandwidth

Configuring Multiple Basic Service Set Identifiers and Microsoft WPS IE SSIDL

Per IP Subscriber DHCP Triggered RADIUS Accounting

Using Application Level Gateways with NAT

VPDN LNS Address Checking

Troubleshooting ISA with Session Monitoring and Distributed Conditional Debugging

Logging to Local Nonvolatile Storage (ATA Disk)

Cisco Unity Express Voic System User s Guide

DHCP Relay MPLS VPN Support

Modified LNS Dead-Cache Handling

Configuring an Intermediate IP Multicast Helper Between Broadcast-Only Networks

OSPF RFC 3623 Graceful Restart Helper Mode

Extended NAS-Port-Type and NAS-Port Support

Configuring the Cisco IOS DHCP Relay Agent

Autosense of MUX/SNAP Encapsulation and PPPoA/PPPoE on ATM PVCs

ISSU and SSO DHCP High Availability Features

Protocol-Independent MAC ACL Filtering on the Cisco Series Internet Router

QoS Child Service Policy for Priority Class

Installing IEC Rack Mounting Brackets on the ONS SDH Shelf Assembly

Cisco Voice Applications OID MIB

MPLS MTU Command Changes

DHCP ODAP Server Support

Configuring ISA Accounting

Cisco Smart Business Communications System Teleworker Set Up

Configuring Route Maps to Control the Distribution of MPLS Labels Between Routers in an MPLS VPN

Contextual Configuration Diff Utility

IP SLAs Random Scheduler

Frame Relay Conditional Debug Support

PPPoE Service Selection

Route Processor Redundancy Plus (RPR+)

BECN and FECN Marking for Frame Relay over MPLS

Wireless LAN Error Messages

Packet Classification Using the Frame Relay DLCI Number

Cisco 806, Cisco 820 Series, Cisco 830 Series, SOHO 70 Series and SOHO 90 Series Routers ROM Monitor Download Procedures

Configuring MPLS Multi-VRF (VRF-lite)

Cisco Software Licensing Information for Cisco Unified Communications 500 Series for Small Business

PPPoE Agent Remote-ID and DSL Line Characteristics Enhancement

Application Firewall Instant Message Traffic Enforcement

Cisco Aironet Directional Antenna (AIR-ANT-SE-WiFi-D)

Cisco Report Server Readme

IP Event Dampening. Feature History for the IP Event Dampening feature

LAN Emulation Overview

Connecting Cisco DSU/CSU High-Speed WAN Interface Cards

MPLS VPN: VRF Selection Based on Source IP Address

RSVP Message Authentication

Wireless LAN Overview

Configuring Virtual Interfaces

Cisco Unified MeetingPlace for Microsoft Office Communicator

Installing the Cisco ONS Deep Door Kit

This feature was introduced. This feature was integrated into Cisco IOS Release 12.2(27)SBA.

Configuring Token Ring LAN Emulation for Multiprotocol over ATM

Low Latency Queueing with Priority Percentage Support

Maintenance Checklists for Microsoft Exchange on a Cisco Unity System

Chunk Validation During Scheduler Heapcheck

White Paper: Using Microsoft Windows Server 2003 with Cisco Unity 4.0(4)

ATM VP Average Traffic Rate

Maintenance Checklists for Cisco Unity VPIM Networking (with Microsoft Exchange)

Exclusive Configuration Change Access and Access Session Locking

MPLS VPN OSPF and Sham-Link Support

Release Notes for Cisco Aironet Client Utility and Driver, Version 3.0 for Mac OS

Cisco Aironet 1500 Series Access Point Large Pole Mounting Kit Instructions

Cisco Unified Mobile Communicator 3.0 User Portal Guide

Configuring ISG VRF Transfer (Cisco IOS Release 12.2(28)SB)

Using Microsoft Outlook to Schedule and Join Cisco Unified MeetingPlace Express Meetings

IP SLAs Proactive Threshold Monitoring

Control Messages APPENDIX

MPLS Traffic Engineering Fast Reroute Link Protection

Connecting Cisco WLAN Controller Enhanced Network Modules to the Network

Connecting Cisco 4-Port FXS/DID Voice Interface Cards

Site Preparation and Network Communications Requirements

Release Notes for Cisco Security Agent for Cisco Unified MeetingPlace Release 6.0(7)

QoS: Color-Aware Policer

Support of Provisionable QoS for Signaling Traffic

Cisco Video Surveillance Virtual Matrix Client Configuration Guide

QoS: Classification of Locally Sourced Packets

MIB Quick Reference for the Cisco ONS Series

Cisco Registered Envelope Recipient Guide

Cisco Unified CallConnector for Microsoft Windows 1.4 Mobility Service Quick Reference Guide

Cisco Virtual Office End User Instructions for Cisco 1811 Router Set Up at Home or Small Office

Protected URL Database

Applying the Tunnel Template on the Home Agent

Release Notes for Cisco ONS MA Release 9.01

Catalyst 2955 Switch DIN Rail Clip Installation Notes

Configuration Replace and Configuration Rollback

Transcription:

RADIUS NAS-IP-Address Attribute The RADIUS NAS-IP-Address Attribute feature allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets. This feature may be used for situations in which service providers are using a cluster of small network access servers (NASs) to simulate a large NAS to improve scalability. This feature allows the NASs to behave as a single RADIUS client from the perspective of the RADIUS server. Feature History for RADIUS NAS-IP-Address Attribute Release 12.3(3)B 12.3(7)T 12.2(27)SBA Modification This feature was introduced. This feature was integrated into Cisco IOS Release 12.3(7)T. This feature was integrated into Cisco IOS Release 12.2(27)SBA. Finding Support Information for Platforms and Cisco IOS Software Images Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear. Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA Copyright 2003 2005 Cisco Systems, Inc. All rights reserved.

Contents RADIUS NAS-IP-Address Attribute Contents Prerequisites for RADIUS NAS-IP-Address Attribute, page 2 Restrictions for RADIUS NAS-IP-Address Attribute, page 2 Information About RADIUS NAS-IP-Address Attribute, page 3 How to Configure RADIUS NAS-IP-Address Attribute, page 4 Configuration Examples for RADIUS NAS-IP-Address Attribute, page 6 Additional References, page 6 Command Reference, page 7 Prerequisites for RADIUS NAS-IP-Address Attribute You must be familiar with IP Security (IPSec). You must be familiar with configuring both RADIUS servers and authentication, authorization, and accounting (AAA). Before configuring this feature, you must first set up the RADIUS server and the AAA lists. Restrictions for RADIUS NAS-IP-Address Attribute The following restrictions apply if a cluster of RADIUS clients are being used to simulate a single RADIUS client for scalability. Solutions, or workarounds, to the restrictions are also provided. RADIUS attribute 44, Acct-Session-Id, may overlap among sessions from different NASs. There are two solutions. Either the radius-server attribute 44 extend-with-addr or radius-server unique-ident command can be used on NAS routers to specify different prepending numbers for different NAS routers. RADIUS server-based IP address pool for different NASs must be managed. The solution is to configure different IP address pool profiles for different NASs on the RADIUS server. Different NASs use different pool usernames to retrieve them. RADIUS request message for sessions from different NASs must be differentiated. One of the solutions is to configure different format strings for RADIUS attribute 32, NAS-Identifier, using the radius-server attribute 32 include-in-access-req command on different NASs. 2

RADIUS NAS-IP-Address Attribute Information About RADIUS NAS-IP-Address Attribute Information About RADIUS NAS-IP-Address Attribute To configure the RADIUS NAS-IP-Address Attribute feature, you should understand the following concepts: Problem Definition and Solution Background Information, page 3 Using the RADIUS NAS-IP-Address Attribute Feature, page 4 Problem Definition and Solution Background Information To simulate a large NAS RADIUS client using a cluster of small NAS RADIUS clients, as shown in Figure 1, a Network Address Translation (NAT) or Port Address Translation (PAT) device is inserted in a network. The device is placed between a cluster of NASs and the IP cloud that is connected to a RADIUS server. When RADIUS traffic from different NASs goes through the NAT or PAT device, the source IP addresses of the RADIUS packets are translated to a single IP address, most likely an IP address on a loopback interface on the NAT or PAT device. Different User Datagram Protocol (UDP) source ports are assigned to RADIUS packets from different NASs. When the RADIUS reply comes back from the server, the NAT or PAT device receives it, uses the destination UDP port to translate the destination IP address back to the IP address of the NAS, and forwards the reply to the corresponding NAS. Figure 1 demonstrates how the source IP addresses of several NASs are translated to a single IP address as they pass through the NAT or PAT device on the way to the IP cloud. Figure 1 NAS Addresses Translated to a Single IP Address NAS NAS IP NAT/PAT RADIUS server NAS 95923 RADIUS servers normally check the source IP address in the IP header of the RADIUS packets to track the source of the RADIUS requests and to maintain security. The NAT or PAT solution satisfies these requirements because only a single source IP address is used even though RADIUS packets come from different NAS routers. However, when retrieving accounting records from the RADIUS database, some billing systems use RADIUS attribute 4, NAS-IP-Address, in the accounting records. The value of this attribute is recorded on the NAS routers as their own IP addresses. The NAS routers are not aware of the NAT or PAT that runs between them and the RADIUS server; therefore, different RADIUS attribute 4 addresses will be recorded in the accounting records for users from the different NAS routers. These addresses eventually expose different NAS routers to the RADIUS server and to the corresponding billing systems. 3

How to Configure RADIUS NAS-IP-Address Attribute RADIUS NAS-IP-Address Attribute Using the RADIUS NAS-IP-Address Attribute Feature The RADIUS NAS-IP-Address Attribute feature allows you to freely configure an arbitrary IP address as RADIUS NAS-IP-Address, RADIUS attribute 4. By manually configuring the same IP address, most likely the IP address on the loopback interface of the NAT or PAT device, for all the routers, you can hide a cluster of NAS routers behind the NAT or PAT device from the RADIUS server. How to Configure RADIUS NAS-IP-Address Attribute This section contains the following procedures: Configuring a RADIUS NAS-IP-Address Attribute, page 4 Monitoring and Maintaining RADIUS NAS-IP-Address Attribute, page 5 Configuring a RADIUS NAS-IP-Address Attribute DETAILED STEPS Before configuring the RADIUS NAS-IP-Address Attribute feature, you must have configured the RADIUS servers or server groups and AAA method lists. To configure the RADIUS NAS-IP-Address Attribute feature, perform the following steps. SUMMARY STEPS 1. enable 2. configure terminal 3. radius-server attribute 4 ip-address Step 1 Step 2 Command or Action enable Example: Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Example: Router# configure terminal radius-server attribute 4 ip-address Example: Router (config)# radius-server attribute 4 10.2.1.1 Configures an IP address to be used as the RADIUS NAS-IP-Address, attribute 4. 4

RADIUS NAS-IP-Address Attribute How to Configure RADIUS NAS-IP-Address Attribute Monitoring and Maintaining RADIUS NAS-IP-Address Attribute SUMMARY STEPS DETAILED STEPS To monitor the RADIUS attribute 4 address that is being used inside the RADIUS packets, use the debug radius command. 1. enable 2. debug radius Step 1 Step 2 Command or Action enable Example: Router> enable debug radius Purpose Enables privileged EXEC mode. Enter your password if prompted. Displays information associated with RADIUS. Example: Router# debug radius Examples The following sample output is from the debug radius command: Router# debug radius RADIUS/ENCODE(0000001C): acct_session_id: 29 RADIUS(0000001C): sending RADIUS(0000001C): Send Access-Request to 10.0.0.10:1645 id 21645/17, len 81 RADIUS: authenticator D0 27 34 C0 F0 C4 1C 1B - 3C 47 08 A2 7E E1 63 2F RADIUS: Framed-Protocol [7] 6 PPP [1] RADIUS: User-Name [1] 18 "shashi@pepsi.com" RADIUS: CHAP-Password [3] 19 * RADIUS: NAS-Port-Type [61] 6 Virtual [5] RADIUS: Service-Type [6] 6 Framed [2] RADIUS: NAS-IP-Address [4] 6 10.0.0.21 UDP: sent src=10.1.1.1(21645), dst=10.0.0.10(1645), length=109 UDP: rcvd src=10.0.0.10(1645), dst=10.1.1.1(21645), length=40 RADIUS: Received from id 21645/17 10.0.0.10:1645, Access-Accept, len 32 RADIUS: authenticator C6 99 EC 1A 47 0A 5F F2 - B8 30 4A 4C FF 4B 1D F0 RADIUS: Service-Type [6] 6 Framed [2] RADIUS: Framed-Protocol [7] 6 PPP [1] RADIUS(0000001C): Received from id 21645/17 5

Configuration Examples for RADIUS NAS-IP-Address Attribute RADIUS NAS-IP-Address Attribute Configuration Examples for RADIUS NAS-IP-Address Attribute This section provides the following configuration example: Configuring a RADIUS NAS-IP-Address Attribute : Example, page 6 Configuring a RADIUS NAS-IP-Address Attribute : Example The following example shows that IP address 10.0.0.21 has been configured as the RADIUS NAS-IP-Address attribute: radius-server attribute 4 10.0.0.21 radius-server host 10.0.0.10 auth-port 1645 acct-port 1646 key cisco Additional References The following sections provide references related to RADIUS NAS-IP-Address Attribute. Related Documents Related Topic Configuring AAA Configuring RADIUS RADIUS commands Other security commands Document Title Authentication, Authorization, and Accounting (AAA) section of Cisco IOS Security Configuration Guide Configuring RADIUS chapter of Cisco IOS Security Configuration Guide Cisco IOS Security Command Reference, Release 12.3 T Cisco IOS Security Command Reference, Release 12.3 T Standards Standards No new or modified standards are supported by this feature. Title 6

RADIUS NAS-IP-Address Attribute Command Reference MIBs MIBs No new or modified MIBs are supported by this feature. MIBs Link To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs RFCs RFCs No new or modified RFCs are supported by this feature. Title Technical Assistance Description Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. Link http://www.cisco.com/public/support/tac/home.shtml Command Reference This section documents the following new command. radius-server attribute 4 7

radius-server attribute 4 RADIUS NAS-IP-Address Attribute radius-server attribute 4 To configure an IP address for the RADIUS attribute 4 address, use the radius-server attribute 4 command in global configuration mode. To delete an IP address as the RADIUS attribute 4 address, use the no form of this command. radius-server attribute 4 ip-address no radius-server attribute 4 ip-address Syntax Description ip-address IP address to be configured as RADIUS attribute 4 inside RADIUS packets. Defaults If this command is not configured, the RADIUS NAS-IP-Address attribute will be the IP address on the interface that connects the network access server (NAS) to the RADIUS server. Command Modes Global configuration Command History Release 12.3(3)B 12.3(7)T 12.2(27)SBA Modification This command was introduced. This command was integrated into Cisco IOS Release 12.3(7)T. This command was integrated into Cisco IOS Release 12.2(27)SBA. Usage Guidelines Normally, when the ip radius-source interface command is configured, the IP address on the interface that is specified in the command is used as the IP address in the IP headers of the RADIUS packets and as the RADIUS attribute 4 address inside the RADIUS packets. However, when the radius-server attribute 4 command is configured, the IP address in the command is used as the RADIUS attribute 4 address inside the RADIUS packets. There is no impact on the IP address in the IP headers of the RADIUS packets. If both commands are configured, the IP address that is specified in the radius-server attribute 4 command is used as the RADIUS attribute 4 address inside the RADIUS packets. The IP address on the interface that is specified in the ip radius-source interface command is used as the IP address in the IP headers of the RADIUS packets. Some authentication, authorization, and accounting (AAA) clients (such as PPP, virtual private dial-up network [VPDN] or Layer 2 Tunneling Protocol [L2TP], Voice over IP [VoIP], or Service Selection Gateway [SSG]) may try to set the RADIUS attribute 4 address using client-specific values. For example, on an L2TP network server (LNS), the IP address of the L2TP access concentrator (LAC) could be specified as the RADIUS attribute 4 address using a VPDN or L2TP command. When the radius-server attribute 4 command is configured, the IP address specified in the command takes precedence over all IP addresses from AAA clients. During RADIUS request retransmission and during RADIUS server failover, the specified IP address is always chosen as the value of the RADIUS attribute 4 address. 8

RADIUS NAS-IP-Address Attribute radius-server attribute 4 Examples The following example shows that the IP address 10.0.0.21 has been configured as the RADIUS NAS-IP-Address attribute: radius-server attribute 4 10.0.0.21 radius-server host 10.0.0.10 auth-port 1645 acct-port 1646 key cisco The following debug radius command output shows that 10.0.0.21 has been successfully configured. Router# debug radius RADIUS/ENCODE(0000001C): acct_session_id: 29 RADIUS(0000001C): sending RADIUS(0000001C): Send Access-Request to 10.0.0.10:1645 id 21645/17, len 81 RADIUS: authenticator D0 27 34 C0 F0 C4 1C 1B - 3C 47 08 A2 7E E1 63 2F RADIUS: Framed-Protocol [7] 6 PPP [1] RADIUS: User-Name [1] 18 "shashi@pepsi.com" RADIUS: CHAP-Password [3] 19 * RADIUS: NAS-Port-Type [61] 6 Virtual [5] RADIUS: Service-Type [6] 6 Framed [2] RADIUS: NAS-IP-Address [4] 6 10.0.0.21 UDP: sent src=11.1.1.1(21645), dst=10.0.0.10(1645), length=109 UDP: rcvd src=10.0.0.10(1645), dst=10.1.1.1(21645), length=40 RADIUS: Received from id 21645/17 10.0.0.10:1645, Access-Accept, len 32 RADIUS: authenticator C6 99 EC 1A 47 0A 5F F2 - B8 30 4A 4C FF 4B 1D F0 RADIUS: Service-Type [6] 6 Framed [2] RADIUS: Framed-Protocol [7] 6 PPP [1] RADIUS(0000001C): Received from id 21645/17 Related Commands Command ip radius-source interface Description Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets. CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iphone, IP/TV, iq Expertise, the iq logo, iq Net Readiness Scorecard, iquick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R) Copyright 2003 2005 Cisco Systems, Inc. All rights reserved 9

radius-server attribute 4 RADIUS NAS-IP-Address Attribute CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iphone, IP/TV, iq Expertise, the iq logo, iq Net Readiness Scorecard, iquick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R) 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback