RADIUS Configuration Guide
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version
of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.
CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://
www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Example: Server Status Information for Named RADIUS Server Group 107
Example: Monitoring Idle Timer 108
Example: Server Configuration and Enabling Load Balancing for Idle Timer Monitoring 109
Example: Debug Output for Idle Timer Monitoring 109
Example: Configuring the Preferred Server with the Same Authentication and Authorization Server 110
Example: Configuring the Preferred Server with Different Authentication and Authorization Servers 110
Example: Configuring the Preferred Server with Overlapping Authentication and Authorization Servers 110
Example: Configuring the Preferred Server with Authentication Servers As a Subset of Authorization Servers 111
Example: Configuring the Preferred Server with Authentication Servers As a Superset of Authorization Servers 111
Additional References for RADIUS Server Load Balancing 111
Feature Information for RADIUS Server Load Balancing 112
MIBs 124
RFCs 124
Technical Assistance 124
Feature Information for RADIUS Server Reorder on Failure 125
CHAPTER 17 RADIUS Tunnel Preference for Load Balancing and Fail-Over 169
Finding Feature Information 169
Prerequisites 170
Restrictions 170
Information About RADIUS Tunnel Preference for Load Balancing and Fail-Over 170
Industry-Standard Rather Than Proprietary Attributes 170
Load Balancing and Fail-Over in a Multivendor Network 171
Related Features and Technologies 171
How RADIUS Tunnel Preference for Load Balancing and Fail-Over is Configured 172
Configuration Example for RADIUS Tunnel Preference for Load Balancing and Fail-Over 172
Additional References 172
Feature Information for RADIUS Tunnel Preference for Load Balancing and Fail-Over 174
Glossary 174
Note The Feature Information table in the technology configuration guide mentions when a feature was
introduced. It might or might not mention when other platforms were supported for that feature. To
determine if a particular feature is supported on your platform, look at the technology configuration guides
posted on your product landing page. When a technology configuration guide is displayed on your product
landing page, it indicates that the feature is supported on that platform.
• Use line and interface commands to enable the defined method lists to be used.
• Device-to-device situations. RADIUS does not provide two-way authentication. RADIUS can be used
to authenticate from one device to a non-Cisco device if the non-Cisco device requires RADIUS
authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
RADIUS Operation
When a user attempts to log in and authenticate to an access server using RADIUS, the following steps occur:
1 The user is prompted to enter the username and password.
2 The username and encrypted password are sent over the network to the RADIUS server.
3 The user receives one of the following responses from the RADIUS server:
1 ACCEPT—The user is authenticated.
2 CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data
from the user.
3 CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new
password.
4 REJECT—The user is not authenticated and is prompted to reenter the username and password, or
access is denied.
The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network
authorization. You must first complete RADIUS authentication before using RADIUS authorization. The
additional data included with the ACCEPT or REJECT packets consists of the following:
• Services that the user can access, including connections such as Telnet, rlogin, or local-area transport
(LAT), and services such as PPP, Serial Line Protocol (SLIP), or EXEC services.
• Connection parameters, including the host or client IP address, access list, and user timeouts.
RADIUS Attributes
The network access server monitors the RADIUS authorization and accounting functions defined by RADIUS
attributes in each user profile:
Note The preauthentication profile must have “outbound” as the service type because the password is predefined
on the network access server (NAS). Setting up the preauthentication profile in this manner prevents users
from trying to log in to the NAS with the username of the DNIS number, CLID number, or call type and
an obvious password. The “outbound” service type is also included in the Access-Request packet sent to
the RADIUS server.
Note The preauthentication profile must have “outbound” as the service type because the password is predefined
on the NAS. Setting up the preauthentication profile in this manner prevents users from trying to log in
to the NAS with the username of the DNIS number, CLID number, or call type and an obvious password.
The “outbound” service type is also included in the Access-Request packet sent to the RADIUS server
and should be a checkin item if the RADIUS server supports checkin items.
Note The destination IP address is not required to be returned from the RADIUS server.
The following example shows a RADIUS profile configuration with a callback number of 555-0101 and the
service type set to outbound. The cisco-avpair = “preauth:send-name=<string>” uses the string “user1” and
the cisco-avpair = “preauth:send-secret=<string>” uses the password “cisco.”
cisco-avpair = "preauth:send-name=user1"
cisco-avpair = "preauth:send-secret=PASSWORD1"
cisco-avpair = "preauth:remote-name=Device2"
Command Argument
min-speed 300 to 56000, any
When the modem management string is received from the RADIUS server in the form of a VSA, the information
is passed to the Cisco software and applied on a per-call basis. Modem ISDN channel aggregation (MICA)
modems provide a control channel through which messages can be sent during the call setup time. Hence,
this modem management feature is supported only with MICA modems. This feature is not supported with
Microcom modems.
cisco-avpair = "preauth:auth-required=<n>"
where <n> has the same value range as attribute 201 (that is, 0 or 1).
If attribute 201 is missing in the preauthentication profile, a value of 1 is assumed, and subsequent authentication
is performed.
Note Before you can perform subsequent authentication, you must set up a regular user profile in addition to a
preauthentication profile.
cisco-avpair = "preauth:auth-type=<string>"
The table below lists the allowed values for the <string> element.
String Description
chap Requires the username and password for the Challenge-Handshake Authentication Protocol (CHAP) for PPP authentication.
To specify that multiple authentication types are allowed, you can configure more than one instance of this
VSA in the preauthentication profile. The sequence of the authentication type VSAs in the preauthentication
profile is significant because it specifies the order of authentication types to be used in the PPP negotiation.
This VSA is a per-user attribute and replaces the authentication type list in the ppp authentication interface
configuration command.
Note You should use this VSA only if subsequent authentication is required because it specifies the authentication
type for subsequent authentication.
cisco-avpair = "preauth:username=<string>"
If no username is specified, the DNIS number, CLID number, or call type is used, depending on the last
preauthentication command configured (for example, if clid was the last preauthentication command configured,
the CLID number is used as the username).
If subsequent authentication is used to authenticate a call, there might be two usernames: one provided by
RADIUS and one provided by the user. In this case, the username provided by the user overrides the one
contained in the RADIUS preauthentication profile. The username provided by the user is used for both
authentication and accounting.
Note Do not configure the ppp authentication command with the radius command.
To set up PAP, do not configure the ppp pap sent-name password command on the interface. The VSAs
“preauth:send-name” and “preauth:send-secret” are used as the PAP username and PAP password for outbound
authentication.
For CHAP, “preauth:send-name” is used not only for outbound authentication but also for inbound
authentication. For a CHAP inbound case, the NAS uses the name defined in “preauth:send-name” in the
challenge packet to the caller networking device. For a CHAP outbound case, both “preauth:send-name” and
“preauth:send-secret” are used in the response packet.
The following example shows a configuration that specifies two-way authentication:
Note Two-way authentication does not work when resource pooling is enabled.
cisco-avpair = "preauth:service-type=<n>"
where <n> is one of the standard RFC 2865 values for attribute 6.
Note If subsequent authentication is required, the authorization attributes in the preauthentication profile are
not applied.
RADIUS Authentication
After you have identified the RADIUS server and defined the RADIUS authentication key, you must define
method lists for RADIUS authentication. Because RADIUS authentication is facilitated through AAA, you
must enter the aaa authentication command, specifying RADIUS as the authentication method.
RADIUS Authorization
AAA authorization lets you set parameters that restrict a user’s access to the network. Authorization using
RADIUS provides one method for remote access control, including one-time authorization or authorization
for each service, per-user account list and profile, user group support, and support of IP, IPX, AppleTalk
Remote Access (ARA), and Telnet. Because RADIUS authorization is facilitated through AAA, you must
enter the aaa authorization command, specifying RADIUS as the authorization method.
RADIUS Accounting
The AAA accounting feature enables you to track the services users are accessing and the amount of network
resources they are consuming. Because RADIUS accounting is facilitated through AAA, you must enter the
aaa accounting command, specifying RADIUS as the accounting method.
RADIUS Login-IP-Host
To enable the network access server (NAS) to attempt more than one login host when trying to connect a
dial-in user, you can enter as many as three Login-IP-Host entries in the user’s profile on the RADIUS server.
The following example shows that three Login-IP-Host instances are configured for the user user1, and that
TCP-Clear is used for the connection:
RADIUS Prompt
To control whether user responses to Access-Challenge packets are echoed to the screen, you can configure
the Prompt attribute in the user profile on the RADIUS server. This attribute is included only in
Access-Challenge packets. The following example shows the Prompt attribute set to No-Echo, which prevents
the user’s responses from echoing:
Note If you want to use the Prompt attribute, your RADIUS server must be configured to support
Access-Challenge packets.
Reservation Protocol (RSVP), Serial Interface Processor (SIP), AirNet, and Outbound. “Attribute” and “value”
are an appropriate AV pair defined in the Cisco TACACS+ specification, and “sep” is “=” for mandatory
attributes and “*” for optional attributes, allowing the full set of features available for TACACS+ authorization
to also be used for RADIUS.
For example, the following AV pair causes Cisco’s “multiple named ip address pools” feature to be activated
during IP authorization (during PPP’s Internet Protocol Control Protocol (IPCP) address assignment):
cisco-avpair= "ip:addr-pool=first"
If you insert an “*”, the AV pair “ip:addr-pool=first” becomes optional. Note that any AV pair can be made
optional:
cisco-avpair= "ip:addr-pool*first"
The following example shows how to cause a user logging in from a network access server to have immediate
access to EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor IDs, options, and associated VSAs.
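The attribute 26 framing described above, with the mandatory "=" versus optional "*" separator parsed on decode, as an added Python example that is not Cisco code. Vendor-Id 9 and vendor type 1 are the public values for cisco-avpair; the sample AV pairs are constructed from the ones shown in this section.

```python
"""Encode and decode Cisco AV pairs carried in RADIUS attribute 26 (Vendor-Specific).
Example code added to this guide, not Cisco code. Layout on the wire:
Type(26) Length Vendor-Id(4 bytes) | Vendor-Type(1) Vendor-Length Vendor-Value."""
import struct

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9      # Cisco's IANA enterprise number
CISCO_AVPAIR = 1         # vendor type for cisco-avpair


def encode_cisco_avpair(avpair):
    """Wrap 'protocol:attribute<sep>value' as a single attribute 26 TLV."""
    value = avpair.encode()
    # 253-byte attribute value limit minus 4 bytes Vendor-Id and 2 bytes vendor header.
    if len(value) > 247:
        raise ValueError("cisco-avpair too long for one Vendor-Specific attribute")
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_avpair(avpair):
    """Split 'protocol:attribute<sep>value'. A '=' separator marks the attribute
    mandatory (authorization fails if the NAS cannot apply it); '*' marks it
    optional (the NAS may ignore it). The first '=' or '*' after the protocol
    prefix is the separator, so values may themselves contain '='."""
    protocol, colon, rest = avpair.partition(":")
    if not colon:
        raise ValueError("missing 'protocol:' prefix in %r" % avpair)
    positions = [i for i in (rest.find("="), rest.find("*")) if i >= 0]
    if not positions:
        raise ValueError("missing '=' or '*' separator in %r" % avpair)
    idx = min(positions)
    return {
        "protocol": protocol,
        "attribute": rest[:idx],
        "value": rest[idx + 1:],
        "mandatory": rest[idx] == "=",
    }


def decode_cisco_vsas(attrs):
    """Walk a RADIUS attribute list and return the decoded cisco-avpairs.
    Other attribute types and other vendors' VSAs are skipped; a bad Length
    field is rejected rather than guessed at."""
    pairs, i = [], 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        if attr_type == VENDOR_SPECIFIC and length >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                j = i + 6
                while j < i + length:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > i + length:
                        raise ValueError("malformed vendor attribute length")
                    if vtype == CISCO_AVPAIR:
                        pairs.append(decode_avpair(attrs[j + 2:j + vlen].decode()))
                    j += vlen
        i += length
    return pairs


if __name__ == "__main__":
    # Constructed sample: the three AV pairs shown in this section, on the wire.
    wire = b"".join(encode_cisco_avpair(p) for p in
                    ("ip:addr-pool=first", "ip:addr-pool*first", "shell:priv-lvl=15"))
    for pair in decode_cisco_vsas(wire):
        print(pair)
```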
Note The radius-server host command is deprecated from Cisco IOS Release 15.4(2)S. To configure an IPv4
or IPv6 RADIUS server, use the radius server name command. For more information about the radius
server command, see Cisco IOS Security Command Reference: Commands M to R.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server vsa send [accounting | authentication]
4. radius server server-name
5. address ipv4 ip-address
6. non-standard
7. key {0 string | 7 string | string}
8. exit
DETAILED STEPS
Example:
Device# configure terminal
Step 3 radius-server vsa send [accounting | authentication] Enables the network access server to recognize and use VSAs as defined by RADIUS IETF attribute 26.
Example:
Device(config)# radius-server vsa send
Step 4 radius server server-name Specifies the name for the RADIUS server.
Note The radius-server host command is deprecated from Cisco IOS Release 15.4(2)S. To configure an IPv4 or IPv6 RADIUS server, use the radius server name command. For more information about the radius server command, see Cisco IOS Security Command Reference: Commands M to R.
Example:
Device(config)# radius server rad1
Example:
Device(config-radius-server)# address ipv4 10.45.1.2
Step 7 key {0 string | 7 string | string} Specifies the shared secret text string used between the device and the vendor-proprietary RADIUS server.
• The device and the RADIUS server use this text string to encrypt passwords and exchange responses.
Example:
Device(config-radius-server)# key myRaDIUSpassword
Example:
Device(config)# exit
Note The radius-server attribute nas-port format command replaces the radius-server extended-portnames
command and the radius-server attribute nas-port extended command.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server configure-nas
4. radius-server attribute nas-port format
5. exit
DETAILED STEPS
Example:
Device# configure terminal
Step 3 radius-server configure-nas (Optional) Tells the Cisco device or access server to query the RADIUS server for the static routes and IP pool definitions used throughout its domain.
Example:
Example:
Device(config)# exit
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server vsa send [accounting | authentication]
4. aaa nas port extended
5. exit
DETAILED STEPS
Example:
Device# configure terminal
Step 3 radius-server vsa send [accounting | authentication] Enables the network access server to recognize and use vendor-specific attributes as defined by RADIUS IETF attribute 26.
Example:
Device(config)# radius-server vsa send
Step 4 aaa nas port extended Expands the size of the VSA NAS-Port field from 16 to 32
bits to display extended interface information.
Example:
Device(config)# aaa nas port extended
Example:
Device(config)# exit
1. enable
2. debug radius
3. show radius statistics
4. show aaa servers
5. exit
DETAILED STEPS
Example:
Device# debug radius
Step 3 show radius statistics Displays the RADIUS statistics for accounting and authentication
packets.
Example:
Device# show radius statistics
Step 4 show aaa servers Displays the status and number of packets that are sent to and received from all public and private AAA RADIUS servers as interpreted by the AAA Server MIB.
Example:
Example:
Device# exit
line 1 16
autoselect ppp
autoselect during-login
login authentication admins
modem ri-is-cd
interface group-async 1
encaps ppp
ppp authentication pap dialins
The lines in this example RADIUS authentication, authorization, and accounting configuration are defined
as follows:
• The radius-server host command defines the IP address of the RADIUS server host.
• The radius-server key command defines the shared secret text string between the network access server
and the RADIUS server host.
• The aaa authentication ppp dialins group radius local command defines the authentication method
list “dialins,” which specifies that RADIUS authentication and then (if the RADIUS server does not
respond) local authentication is used on serial lines using PPP.
• The aaa authorization network default group radius local command is used to assign an address and
other network parameters to the RADIUS user.
• The aaa accounting network default start-stop group radius command tracks PPP usage.
• The aaa authentication login admins local command defines another method list, “admins,” for login
authentication.
• The login authentication admins command applies the “admins” method list for login authentication.
• The ppp authentication pap dialins command applies the “dialins” method list to the lines specified.
Note The radius-server host command is deprecated from Cisco IOS Release 15.4(2)S. To configure an IPv4
or IPv6 RADIUS server, use the radius server name command. For more information about the radius
server command, see Cisco IOS Security Command Reference: Commands M to R.
• The key command defines the shared secret text string between the network access server and the
RADIUS server host.
• The configure-nas command defines that the Cisco device or access server queries the RADIUS server
for static routes and IP pool definitions when the device first starts up.
• The aaa authentication ppp dialins group radius local command defines the authentication method
list “dialins,” which specifies that RADIUS authentication and then (if the RADIUS server does not
respond) local authentication is used on serial lines using PPP.
• The aaa authorization network default group radius local command assigns an address and other
network parameters to the RADIUS user.
• The aaa accounting network default start-stop group radius command tracks PPP usage.
• The aaa authentication login admins local command defines another method list, “admins,” for login
authentication.
Example: Multiple RADIUS Server Entries for the Same Server IP Address
The following example shows how to configure the network access server to recognize several RADIUS host
entries with the same IP address. Two different host entries on the same RADIUS server are configured for
the same services—authentication and accounting. The second host entry configured acts as failover backup
to the first one. (The RADIUS host entries are tried in the order they are configured.)
Additional References
Related Documents
RFCs
RFC Title
RFC 2138 Remote Authentication Dial-In User Service (RADIUS)
Technical Assistance
Description Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. http://www.cisco.com/cisco/web/support/index.html
• Use the aaa new-model global configuration command to enable AAA. AAA must be configured if
you plan to use RADIUS.
• Use the aaa authentication global configuration command to define method lists for RADIUS
authentication.
• Use line and interface commands to enable the defined method lists to be used.
RADIUS security servers are identified on the basis of their hostname or IP address, hostname and specific
UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and
UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS
hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple
UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are
configured for the same service—for example, accounting—the second host entry configured acts as a failover
backup to the first one. If the first host entry fails to provide accounting services, the network access server
tries the second host entry configured on the same device for accounting services. (The RADIUS host entries
are tried in the order they are configured.)
A RADIUS server and a Cisco device use a shared secret text string to encrypt passwords and exchange
responses. To configure RADIUS to use the AAA security commands, you must specify the host running the
RADIUS server daemon and a secret text (key) string that it shares with the device.
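The exchange in the RADIUS Operation section and the shared secret described in the paragraph above, as an added Python example that is not Cisco code: the NAS side builds an Access-Request with the User-Password hidden as RFC 2865 specifies, the server side recovers it and signs its reply, and the NAS verifies the Response Authenticator. The user, password and secret values are constructed (the secret reuses this guide's myRaDIUSpassword example value).

```python
"""RFC 2865 Access-Request / Access-Accept exchange showing what the shared
secret configured with the key command protects: the User-Password attribute
and the Response Authenticator. Example code added to this guide, not Cisco
code; user, password and secret values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    # One attribute TLV: Type (1 byte), Length (1 byte, header included), Value.
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key_block))
        out += prev
    return out


def recover_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; the NUL padding is stripped
    (passwords are assumed not to end in NUL bytes)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key_block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_attrs(attrs):
    """Walk the attribute list; a bad Length field is rejected, never guessed at."""
    out, i = {}, 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        out[attr_type] = attrs[i + 2:i + length]
        i += length
    return out


def build_access_request(user, password, secret, ident, request_auth=b""):
    """NAS side: a fresh 16-byte random Request Authenticator seeds the password
    hiding. Note that the request itself carries no integrity check."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_respond(request, secret, users):
    """Server side: recover the password, check it against the user store and
    sign the reply: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    if ATTR_USER_PASSWORD not in attrs:
        raise ValueError("Access-Request without User-Password")
    password = recover_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    # A secret mismatch on either side yields garbage here, so the user is rejected.
    ok = users.get(attrs.get(ATTR_USER_NAME)) == password
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_response(response, request, secret):
    """NAS side: a reply is trusted only if its Identifier matches the request
    and its Response Authenticator recomputes under the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"myRaDIUSpassword"  # the key value used in this guide's examples
    request = build_access_request(b"user1", b"PASSWORD1", secret, ident=42)
    reply = server_respond(request, secret, {b"user1": b"PASSWORD1"})
    print("accept" if reply[0] == ACCESS_ACCEPT else "reject",
          "authentic" if verify_response(reply, request, secret) else "FORGED")
```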
The timeout, retransmission, and encryption key values are configurable globally for all RADIUS servers, on
a per-server basis or in some combination of global and per-server settings. To apply these settings globally
to all RADIUS servers communicating with the device, use the three unique global commands: radius-server
timeout, radius-server retransmit, and radius-server key. To apply these values on a specific RADIUS
server, use the radius-server host command.
Note You can configure both global and per-server timeout, retransmission, and key value commands
simultaneously on the same Cisco network access server. If both global and per-server functions are
configured on a device, the per-server timer, retransmission, and key value commands override global
timer, retransmission, and key value commands.
1. enable
2. configure terminal
3. radius server server-name
4. address ipv4 ip-address
5. key {0 string | 7 string | string}
6. retransmit retries
7. timeout seconds
8. exit
DETAILED STEPS
Example:
Device# configure terminal
Step 3 radius server server-name Specifies the name for the RADIUS server.
Example:
Device(config)# radius server rad1
Example:
Device(config-radius-server)# address ipv4 10.45.1.2
Step 5 key {0 string | 7 string | string} Specifies the shared secret text string used between the device and a RADIUS server.
Note In this step, the encryption key value is configured globally for all RADIUS servers.
• Use the 0 string option to configure an unencrypted shared secret. Use the 7 string option to configure an encrypted shared secret.
Example:
Device(config-radius-server)# key myRaDIUSpassword
Step 6 retransmit retries Specifies how many times the device transmits each RADIUS request to the server before giving up (the default is 3).
Note In this step, the retransmission value is configured globally for all RADIUS servers.
Example:
Device(config-radius-server)# retransmit 25
Step 7 timeout seconds Specifies for how many seconds a device waits for a reply to a RADIUS request before retransmitting the request.
Note In this step, the timeout value is configured globally for all RADIUS servers.
Example:
Device(config-radius-server)# timeout 6
Example:
Device(config)# exit
to 4 for all RADIUS servers. The host command configures specific timeout, retransmission, and key values
for the RADIUS server hosts with IP addresses 172.16.1.1 and 172.29.39.46.
Additional References
Related Documents
Security commands
• Cisco IOS Security Command Reference: Commands A to C
• Cisco IOS Security Command Reference: Commands D to L
• Cisco IOS Security Command Reference: Commands M to R
• Cisco IOS Security Command Reference: Commands S to Z
• Before configuring AAA preauthentication, you must configure the aaa new-model command and make
sure that the supporting preauthentication application is running on a RADIUS server in your network.
Because each of these AAA configuration methods can be configured simultaneously, Cisco has established
an order of precedence to determine which server or groups of servers provide AAA services. The order of
precedence is as follows:
• Per DNIS—If you configure the network access server to use DNIS to identify or determine which server
group provides AAA services, this method takes precedence over any additional AAA selection method.
• Per interface—If you configure the network access server per interface to use access lists to determine
how a server provides AAA services, this method takes precedence over any global configuration AAA
access lists.
• Globally—If you configure the network access server by using global AAA access lists to determine
how the security server provides AAA services, this method has the least precedence.
AAA Preauthentication
Configuring AAA preauthentication with ISDN PRI or channel-associated signaling (CAS) allows service
providers to better manage ports using their existing RADIUS solutions and efficiently manage the use of
shared resources to offer differing service-level agreements. With ISDN PRI or CAS, information about an
incoming call is available to the network access server (NAS) before the call is connected. The available call
information includes the following:
• The DNIS number, also referred to as the called number
• The Calling Line Identification (CLID) number, also referred to as the calling number
• The call type, also referred to as the bearer capability
The AAA preauthentication feature allows a Cisco NAS to decide, on the basis of the DNIS number, the
CLID number, or the call type, whether to connect an incoming call. (With ISDN PRI, it enables user
authentication and authorization before a call is answered. With CAS, the call must be answered; however,
the call can be dropped if preauthentication fails.)
When an incoming call arrives from the public network switch, but before it is connected, AAA
preauthentication enables the NAS to send the DNIS number, CLID number, and call type to a RADIUS
server for authorization. If the server authorizes the call, the NAS accepts the call. If the server does not
authorize the call, the NAS sends a disconnect message to the public network switch to reject the call.
In the event that the RADIUS server application becomes unavailable or is slow to respond, a guard timer
can be set in the NAS. When the timer expires, the NAS uses a configurable parameter to accept or reject the
incoming call that has no authorization.
The AAA preauthentication feature supports the use of attribute 44 by the RADIUS server application and
the use of RADIUS attributes that are configured in the RADIUS preauthentication profiles to specify
preauthentication behavior. They can also be used, for instance, to specify whether subsequent authentication
should occur and, if so, what authentication method should be used.
The following restrictions apply to AAA preauthentication with ISDN PRI and CAS:
• Attribute 44 is available for CAS calls only when preauthentication or resource pooling is enabled.
• Multichassis Multilink PPP (MMP) is not available with ISDN PRI.
• AAA preauthentication is available only on some hardware platforms.
• ISDN PRI is supported only on some hardware platforms.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa preauthorization
4. group {radius | tacacs+ | server-group}
5. dnis [password string]
6. end
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# aaa preauthorization
Step 4 group {radius | tacacs+ | server-group} (Optional) Selects the security server to use for AAA preauthentication requests.
• The default is RADIUS.
Example:
Device(config-preauth)# group radius
Step 5 dnis [password string] Enables preauthentication using DNIS and optionally specifies
a password to use in Access-Request packets.
Example:
Device(config-preauth)# dnis password dnispass
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa dnis map enable
4. aaa dnis map dnis-number authentication ppp group server-group-name
5. aaa dnis map dnis-number authorization network group server-group-name
6. aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group
server-group-name
7. exit
DETAILED STEPS
Example:
Device# configure terminal
Example:
Device(config)# aaa dnis map enable
Step 4 aaa dnis map dnis-number authentication ppp group server-group-name Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for authentication.
Example:
Device(config)# aaa dnis map 7777 authentication ppp group sg1
Step 6 aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name Maps a DNIS number to a defined AAA server group; the servers in this server group are being used for accounting.
Example:
Device(config)# aaa dnis map 8888 accounting network stop-only group sg2
1. enable
2. configure terminal
3. aaa preauthorization
4. group server-group
5. clid [if-avail | required] [accept-stop] [password string]
6. ctype [if-avail | required] [accept-stop] [password string]
7. dnis [if-avail | required] [accept-stop] [password string]
8. dnis bypass dnis-group-name
9. end
DETAILED STEPS
Step 2 configure terminal
Example:
Device# configure terminal
Step 3 aaa preauthorization
Example:
Device(config)# aaa preauthorization
Step 4 group server-group
Specifies the AAA RADIUS server group to use for preauthentication.
Example:
Device(config-preauth)# group sg2
Step 5 clid [if-avail | required] [accept-stop] [password string]
Preauthenticates calls on the basis of the CLID number.
Example:
Device(config-preauth)# clid required
Step 6 ctype [if-avail | required] [accept-stop] [password string]
Preauthenticates calls on the basis of the call type.
Example:
Device(config-preauth)# ctype required
Step 7 dnis [if-avail | required] [accept-stop] [password string]
Preauthenticates calls on the basis of the DNIS number.
Example:
Device(config-preauth)# dnis required
Step 8 dnis bypass dnis-group-name
Specifies a group of DNIS numbers that will be bypassed for preauthentication.
Example:
Device(config-preauth)# dnis bypass group1
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. isdn guard-timer milliseconds [on-expiry {accept | reject}]
5. call guard-timer milliseconds [on-expiry {accept | reject}]
6. end
DETAILED STEPS
Step 2 configure terminal
Example:
Device# configure terminal
Step 3 interface type number
Example:
Device(config)# interface serial 1/0/0:23
Step 4 isdn guard-timer milliseconds [on-expiry {accept | reject}]
Sets an ISDN guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request.
Example:
Device(config-if)# isdn guard-timer 8000 on-expiry reject
! RADIUS server groups. In this configuration, all PPP connection requests using
! DNIS 7777 are sent to the sg1 server group. The accounting records for these
! connections (specifically, start-stop records) are handled by the sg2 server group.
! Calls with a DNIS of 8888 use server group sg3 for authentication and server group
! default-group for accounting. Calls with a DNIS of 9999 use server group
! default-group for authentication and server group sg3 for accounting records
! (stop records only). All other calls with DNIS other than the ones defined use the
! server group default-group for both authentication and stop-start accounting records.
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 7777 accounting network start-stop group sg2
aaa dnis map 8888 authentication ppp group sg3
aaa dnis map 9999 accounting network stop-only group sg3
aaa preauthentication
group radius
dnis required
The following example shows a configuration that specifies that both the DNIS number and the CLID number
be used for preauthentication. DNIS preauthentication is performed first, followed by CLID preauthentication.
aaa preauthentication
group radius
dnis required
clid required
The following example specifies that preauthentication be performed on all DNIS numbers except the two
DNIS numbers specified in the DNIS group called “dnis-group1”:
aaa preauthentication
group radius
dnis required
dnis bypass dnis-group1
dialer dnis group dnis-group1
number 12345
number 12346
The following is a sample AAA configuration with DNIS preauthentication:
aaa new-model
aaa authentication login CONSOLE none
aaa authentication login RADIUS_LIST group radius
aaa authentication login TAC_PLUS group tacacs+ enable
aaa authentication login V.120 none
aaa authentication enable default enable group tacacs+
aaa authentication ppp RADIUS_LIST if-needed group radius
aaa authorization exec RADIUS_LIST group radius if-authenticated
aaa authorization exec V.120 none
aaa authorization network default group radius if-authenticated
aaa authorization network RADIUS_LIST if-authenticated group radius
aaa authorization network V.120 group radius if-authenticated
aaa accounting suppress null-username
aaa accounting exec default start-stop group radius
aaa accounting commands 0 default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
aaa preauthentication
dnis password Cisco-DNIS
aaa nas port extended
!
radius-server configure-nas
radius-server host 10.0.0.0 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.255.255.255 auth-port 1645 acct-port 1646 non-standard
radius-server retransmit 2
radius-server deadtime 1
radius-server attribute nas-port format c
radius-server unique-ident 18
radius-server key MyKey
Note To configure preauthentication, you must also set up preauthentication profiles on the RADIUS server.
controller T1 0
framing esf
clock source line primary
linecode b8zs
ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis
cas-custom 0
call guard-timer 20000 on-expiry accept
aaa preauthentication
group radius
dnis required
Additional References
Related Documents
Security commands:
• Cisco IOS Security Command Reference: Commands A to C
• Cisco IOS Security Command Reference: Commands D to L
• Cisco IOS Security Command Reference: Commands M to R
• Cisco IOS Security Command Reference: Commands S to Z
Technical Assistance
Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html
service. A server group is used with a global server-host list. The server group lists the IP addresses of the
selected server hosts.
Server groups can also include multiple host entries for the same server, as long as each entry has a unique
identifier. The combination of an IP address and a UDP port number creates a unique identifier, allowing
different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique
identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If
two different host entries on the same RADIUS server are configured for the same service—for example,
accounting—the second host entry that is configured acts as a failover backup to the first one. If the first host
entry fails to provide accounting services, the network access server tries the second host entry configured
on the same device for accounting services. (The RADIUS host entries are tried in the order in which they
are configured.)
Note Because one server has different timers and might have different deadtime values configured in the server
groups, the same server might, in the future, have different states (dead and alive) at the same time.
Note To change the state of a server, you must start and stop all configured timers in all server groups.
The size of the server group will be slightly increased because of the addition of new timers and the deadtime
attribute. The overall impact of the structure depends on the number and size of the server groups and how
the servers are shared among server groups in a specific configuration.
SUMMARY STEPS
1. enable
2. configure terminal
3. radius server server-name
4. aaa group server {radius | tacacs+} group-name
5. server ip-address [auth-port port-number] [acct-port port-number]
6. end
DETAILED STEPS
Step 2 configure terminal
Example:
Device# configure terminal
Step 3 radius server server-name
Specifies the name for the RADIUS server.
Example:
Device(config)# radius server rad1
Step 4 aaa group server {radius | tacacs+} group-name
Defines the AAA server group with a group name.
• All members of a group must be the same type, that is, RADIUS or TACACS+. This command puts the device in server group RADIUS configuration mode.
Example:
Device(config)# aaa group server radius group1
Step 5 server ip-address [auth-port port-number] [acct-port port-number]
Associates a particular RADIUS server with the defined server group.
• Each security server is identified by its IP address and UDP port number.
• Repeat this step for each RADIUS server in the AAA server group.
Example:
Device(config-sg-radius)# server 172.16.1.1 acct-port 1616
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa group server radius group
4. deadtime minutes
5. end
DETAILED STEPS
Step 2 configure terminal
Example:
Device# configure terminal
Step 3 aaa group server radius group
Defines a RADIUS type server group and enters server group RADIUS configuration mode.
Example:
Device(config)# aaa group server radius group1
Note In cases where both global commands and server commands are used, the server command takes
precedence over the global command.
deadtime 1
! The following commands define the group2 RADIUS server group, associate servers
! with it, and configure a deadtime of two minutes.
aaa group server radius group2
server 10.2.2.2 auth-port 2000 acct-port 2001
server 10.3.3.3 auth-port 1645 acct-port 1646
deadtime 2
! The following set of commands configures the RADIUS attributes for each host entry
! associated with one of the defined server groups.
radius-server host 10.1.1.1 auth-port 1645 acct-port 1646
radius-server host 10.2.2.2 auth-port 2000 acct-port 2001
radius-server host 10.3.3.3 auth-port 1645 acct-port 1646
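The failover and per-group deadtime behavior described above, as an added Python example (not Cisco code): host entries are identified by IP address and UDP port, are tried in the order configured, and each server group keeps its own dead timers, so the same server can be dead in one group and alive in another. group2 mirrors the configuration example above; group1's membership and the unreachable host are constructed assumptions.

```python
"""Model of RADIUS server-group host selection with per-group deadtime.

Added example, not Cisco code. It reproduces the rules stated in the text:
host entries are identified by (IP address, UDP port), are tried in the order
configured, the second entry for a service is the failover backup of the
first, and dead state is tracked per server group with that group's deadtime.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RadiusHost:
    ip: str
    auth_port: int = 1645
    acct_port: int = 1646

    def ident(self, service: str) -> tuple:
        """Unique identifier of one host entry for one AAA service: IP plus UDP port."""
        return (self.ip, self.auth_port if service == "auth" else self.acct_port)


@dataclass
class ServerGroup:
    name: str
    deadtime_min: int                      # 'deadtime minutes' in server-group mode
    hosts: list = field(default_factory=list)
    dead_until: dict = field(default_factory=dict)   # ident -> second until retried

    def mark_dead(self, host: RadiusHost, service: str, now: int) -> None:
        # Timers belong to the group, so the same server may be dead here and alive elsewhere.
        self.dead_until[host.ident(service)] = now + self.deadtime_min * 60

    def is_alive(self, host: RadiusHost, service: str, now: int) -> bool:
        return self.dead_until.get(host.ident(service), 0) <= now

    def candidates(self, service: str, now: int) -> list:
        """Hosts to try, in configured order, skipping entries still inside their deadtime."""
        alive = [h for h in self.hosts if self.is_alive(h, service, now)]
        # If every entry is dead, try them all rather than dropping the request.
        return alive or list(self.hosts)


def send_request(group: ServerGroup, service: str, now: int, unreachable: set):
    """Return the (ip, port) that answered, marking each silent host dead on the way.

    `unreachable` is the constructed set of idents that never reply."""
    for host in group.candidates(service, now):
        ident = host.ident(service)
        if ident in unreachable:
            group.mark_dead(host, service, now)
            continue
        return ident
    return None


def build_groups():
    """group2 mirrors the configuration example above; group1's members are assumed."""
    shared = RadiusHost("10.2.2.2", auth_port=2000, acct_port=2001)
    group1 = ServerGroup("group1", deadtime_min=1, hosts=[RadiusHost("10.1.1.1"), shared])
    group2 = ServerGroup("group2", deadtime_min=2, hosts=[shared, RadiusHost("10.3.3.3")])
    return group1, group2, shared


def demo():
    """The accounting port of 10.2.2.2 stops answering: group2 fails over and starts its timer."""
    group1, group2, shared = build_groups()
    down = {("10.2.2.2", 2001)}
    served_by = send_request(group2, "acct", now=0, unreachable=down)   # ("10.3.3.3", 1646)
    return {
        "served_by": served_by,
        "dead_in_group2": not group2.is_alive(shared, "acct", 0),
        "alive_in_group1": group1.is_alive(shared, "acct", 0),      # group1 has its own timers
        "retried_at_120s": group2.is_alive(shared, "acct", 120),    # deadtime of 2 minutes elapsed
    }


if __name__ == "__main__":
    print(demo())
```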
Additional References
RFCs
RFC 2138 Remote Authentication Dial-In User Service (RADIUS)
RFC 2868 RADIUS Attributes for Tunnel Protocol Support
Framed-Route Attribute 22
Framed-Route, attribute 22 as defined in Internet Engineering Task Force (IETF) standard RFC 2865, provides
for routing information to be configured for the user on the NAS. The Framed-Route attribute information is
usually sent from the RADIUS server to the NAS in Access-Accept packets. The attribute can appear multiple
times.
Note If there is more than one Framed-Route attribute in an Access-Accept packet, there can also be more than
one Framed-Route attribute in the Accounting-Request packet.
The Framed-Route information is returned in Stop and Interim accounting records and in Start accounting
records when accounting Delay-Start is configured.
No configuration is required to have the Framed-Route attribute information returned in the RADIUS accounting packets.
Configuration Examples for Framed-Route in RADIUS Accounting
Additional References
Related Documents
Security commands (complete command syntax, command modes, command history, defaults, usage guidelines, and examples): Cisco IOS Security Command Reference
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
RFCs
RFC 2865 Remote Authentication Dial In User Service (RADIUS)
Note The accounting types are divided into two separate tunnel types so users can decide if they want tunnel
type, tunnel-link type, or both types of accounting.
Type-Name: Tunnel-Start
Number: 9
Description: Marks the beginning of a tunnel setup with another node.
Additional Attributes (1):
• User-Name (1)--from client
• NAS-IP-Address (4)--from AAA
• Acct-Delay-Time (41)--from AAA
• Event-Timestamp (55)--from AAA
• Tunnel-Type (64)--from client
• Tunnel-Medium-Type (65)--from client
• Tunnel-Client-Endpoint (66)--from client
• Tunnel-Server-Endpoint (67)--from client
• Acct-Tunnel-Connection (68)--from client
Type-Name: Tunnel-Stop
Number: 10
Description: Marks the end of a tunnel connection to or from another node.
Additional Attributes (1):
• User-Name (1)--from client
• NAS-IP-Address (4)--from AAA
• Acct-Delay-Time (41)--from AAA
• Acct-Input-Octets (42)--from AAA
• Acct-Output-Octets (43)--from AAA
• Acct-Session-Id (44)--from AAA
• Acct-Session-Time (46)--from AAA
• Acct-Input-Packets (47)--from AAA
• Acct-Output-Packets (48)--from AAA
• Acct-Terminate-Cause (49)--from AAA
• Acct-Multi-Session-Id (51)--from AAA
• Event-Timestamp (55)--from AAA
• Tunnel-Type (64)--from client
• Tunnel-Medium-Type (65)--from client
• Tunnel-Client-Endpoint (66)--from client
• Tunnel-Server-Endpoint (67)--from client
• Acct-Tunnel-Connection (68)--from client
• Acct-Tunnel-Packets-Lost (86)--from client
Type-Name: Tunnel-Reject
Number: 11
Description: Marks the rejection of a tunnel setup with another node.
Additional Attributes (1):
• User-Name (1)--from client
• NAS-IP-Address (4)--from AAA
• Acct-Delay-Time (41)--from AAA
• Acct-Terminate-Cause (49)--from client
• Event-Timestamp (55)--from AAA
• Tunnel-Type (64)--from client
• Tunnel-Medium-Type (65)--from client
• Tunnel-Client-Endpoint (66)--from client
• Tunnel-Server-Endpoint (67)--from client
• Acct-Tunnel-Connection (68)--from client
Type-Name: Tunnel-Link-Start
Number: 12
Description: Marks the creation of a tunnel link. Only some tunnel types (Layer 2 Tunneling Protocol [L2TP]) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.
Additional Attributes (1):
• User-Name (1)--from client
• NAS-IP-Address (4)--from AAA
• NAS-Port (5)--from AAA
• Acct-Delay-Time (41)--from AAA
• Event-Timestamp (55)--from AAA
• Tunnel-Type (64)--from client
• Tunnel-Medium-Type (65)--from client
• Tunnel-Client-Endpoint (66)--from client
• Tunnel-Server-Endpoint (67)--from client
• Acct-Tunnel-Connection (68)--from client
Type-Name: Tunnel-Link-Stop
Number: 13
Description: Marks the end of a tunnel link. Only some tunnel types (L2TP) support multiple links per tunnel; this value should be included only in accounting packets for tunnel types that support multiple links per tunnel.
Additional Attributes (1):
• User-Name (1)--from client
• NAS-IP-Address (4)--from AAA
• NAS-Port (5)--from AAA
• Acct-Delay-Time (41)--from AAA
• Acct-Input-Octets (42)--from AAA
• Acct-Output-Octets (43)--from AAA
• Acct-Session-Id (44)--from AAA
• Acct-Session-Time (46)--from AAA
• Acct-Input-Packets (47)--from AAA
• Acct-Output-Packets (48)--from AAA
• Acct-Terminate-Cause (49)--from AAA
• Acct-Multi-Session-Id (51)--from AAA
• Event-Timestamp (55)--from AAA
• NAS-Port-Type (61)--from AAA
• Tunnel-Type (64)--from client
• Tunnel-Medium-Type (65)--from client
• Tunnel-Client-Endpoint (66)--from client
• Tunnel-Server-Endpoint (67)--from client
• Acct-Tunnel-Connection (68)--from client
• Acct-Tunnel-Packets-Lost (86)--from client
(1) If the specified tunnel type is used, these attributes should also be included in the accounting request packet.
Note The first two events are tunnel-type accounting records: authentication, authorization, and accounting
(AAA) sends Tunnel-Start, Tunnel-Stop, or Tunnel-Reject accounting records to the RADIUS server. The
next two events are tunnel-link-type accounting records: AAA sends Tunnel-Link-Start, Tunnel-Link-Stop,
or Tunnel-Link-Reject accounting records to the RADIUS server.
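The Framed-Route description and the tunnel accounting record table above, served by one added Python example (not Cisco code): it verifies an Accounting-Request's Request Authenticator against the shared secret, identifies the Acct-Status-Type tunnel event, collects every Framed-Route (22) value, and lists which attributes from the table the record lacks. The sample packet and its attribute values are constructed; the addresses and the secret rad123 are taken from the LAC and LNS configuration examples below.

```python
"""RFC 2867 tunnel accounting record check (added example, not Cisco code).
Verifies the RFC 2866 Request Authenticator, names the Acct-Status-Type event,
collects Framed-Route (22) values and reports table attributes the record lacks."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4          # RADIUS packet code
FRAMED_ROUTE = 22               # may appear more than once in one packet
ACCT_STATUS_TYPE = 40
TUNNEL_EVENTS = {9: "Tunnel-Start", 10: "Tunnel-Stop", 11: "Tunnel-Reject",
                 12: "Tunnel-Link-Start", 13: "Tunnel-Link-Stop", 14: "Tunnel-Link-Reject"}
# Attribute numbers the table above lists per record type (footnote 1: to be
# included when the tunnel type is used). Tunnel-Link-Reject is not on the page.
_COMMON = {1, 4, 41, 55, 64, 65, 66, 67, 68}
_STOP = {42, 43, 44, 46, 47, 48, 49, 51, 86}
EXPECTED = {"Tunnel-Start": _COMMON, "Tunnel-Stop": _COMMON | _STOP,
            "Tunnel-Reject": _COMMON | {49}, "Tunnel-Link-Start": _COMMON | {5},
            "Tunnel-Link-Stop": _COMMON | _STOP | {5, 61}}


def encode_attrs(attrs):
    """attrs: list of (type, value bytes); tagged tunnel attributes carry the tag in value."""
    out = b""
    for typ, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse the attribute TLV stream, rejecting lengths that run off the packet."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        typ, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((typ, data[i + 2:i + length]))
        i += length
    return attrs


def build_accounting_request(ident, attrs, secret):
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """True only if the packet is well-formed and its authenticator matches `secret`."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def analyze(packet, secret):
    """Return the tunnel event, the expected attributes it lacks, and all Framed-Routes."""
    if not verify_accounting_request(packet, secret):
        raise ValueError("Request Authenticator mismatch: wrong secret or altered packet")
    attrs = decode_attrs(packet[20:])
    status = next((int.from_bytes(v, "big") for t, v in attrs if t == ACCT_STATUS_TYPE), None)
    event = TUNNEL_EVENTS.get(status)
    present = {t for t, _ in attrs}
    return {"event": event,
            "missing": sorted(EXPECTED.get(event, set()) - present),
            "framed_routes": [v.decode() for t, v in attrs if t == FRAMED_ROUTE]}


def u32(n):
    return n.to_bytes(4, "big")


def tagged(tag, n):
    """Tagged integer (RFC 2868): one tag octet followed by a 3-octet value."""
    return bytes([tag]) + n.to_bytes(3, "big")


def sample_packet(secret=b"rad123"):
    """Constructed Tunnel-Link-Stop record from the LAC of the example configuration;
    it deliberately omits NAS-Port-Type (61) and Acct-Tunnel-Packets-Lost (86)."""
    attrs = [
        (1, b"user1@cisco.com"), (4, bytes([10, 1, 27, 74])), (5, u32(1)),
        (FRAMED_ROUTE, b"192.168.70.0/24 192.168.70.1 1"),
        (FRAMED_ROUTE, b"192.168.80.0/24 192.168.80.1 1"),
        (ACCT_STATUS_TYPE, u32(13)), (41, u32(0)), (42, u32(4096)), (43, u32(8192)),
        (44, b"00000007"), (46, u32(300)), (47, u32(40)), (48, u32(52)), (49, u32(1)),
        (51, b"00000001"), (55, u32(1_000_000_000)),
        (64, tagged(1, 3)), (65, tagged(1, 1)),              # Tunnel-Type L2TP, Medium IPv4
        (66, b"\x01" b"10.1.27.74"), (67, b"\x01" b"10.1.26.71"),  # endpoints, tag 1
        (68, b"tunnel-17"),                                  # Acct-Tunnel-Connection
    ]
    return build_accounting_request(7, attrs, secret)
```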
SUMMARY STEPS
1. enable
2. configure terminal
3. Router(config)# aaa accounting network {default | list-name} {start-stop | stop-only | wait-start | none} group groupname
4. Router(config)# vpdn enable
5. Router(config)# vpdn tunnel accounting network list-name
6. Router(config)# vpdn session accounting network list-name
DETAILED STEPS
Step 2 configure terminal
Example:
Router# configure terminal
Step 3 Router(config)# aaa accounting network {default | list-name} {start-stop | stop-only | wait-start | none} group groupname
Example:
Router(config)# aaa accounting network m1 start-stop group radius
Step 4 Router(config)# vpdn enable
Enables virtual private dialup networking on the router and informs the router to look for tunnel definitions in a local database and on a remote authorization server (if applicable).
Example:
Router(config)# vpdn enable
Step 5 Router(config)# vpdn tunnel accounting network list-name
Enables Tunnel-Start, Tunnel-Stop, and Tunnel-Reject accounting records.
• list-name --The list-name must match the list-name defined in the aaa accounting command; otherwise, network accounting will not occur.
Example:
Router(config)# vpdn tunnel accounting network m1
Step 6 Router(config)# vpdn session accounting network list-name
Enables Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject accounting records.
• list-name --The list-name must match the list-name defined in the aaa accounting command; otherwise, network accounting will not occur.
Example:
Router(config)# vpdn session accounting network m1
What To Do Next
After you have enabled RADIUS tunnel accounting, you can verify your configuration by performing the following optional task, Verifying RADIUS Tunnel Accounting.
SUMMARY STEPS
1. enable
2. Router# show accounting
3. Router# show vpdn [session] [tunnel]
DETAILED STEPS
Step 2 Router# show accounting
Displays the active accountable events on the network and helps collect information in the event of a data loss on the accounting server.
Example:
Router# show accounting
Step 3 Router# show vpdn [session] [tunnel]
Displays information about active L2TP tunnel and message identifiers in a VPDN.
• session --Displays a summary of the status of all active tunnels.
• tunnel --Displays information about all active L2TP tunnels in summary-style format.
Example:
Router# show vpdn session
aaa new-model
!
!
aaa authentication ppp default group radius
aaa authorization network default local
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
aaa session-id common
enable secret 5 $1$IDjH$iL7puCja1RMlyOM.JAeuf/
enable password lab
!
username ISP_LAC password 0 tunnelpass
!
!
resource-pool disable
!
!
ip subnet-zero
ip cef
no ip domain-lookup
ip host dirt 172.16.1.129
!
vpdn enable
vpdn tunnel accounting network m1
vpdn session accounting network m1
vpdn search-order domain dnis
!
vpdn-group 1
request-dialin
protocol l2tp
domain cisco.com
initiate-to ip 10.1.26.71
local name ISP_LAC
!
mta receive maximum-recipients 0
!
interface GigabitEthernet0/0/0
ip address 10.1.27.74 255.255.255.0
no ip mroute-cache
duplex half
speed auto
no cdp enable
!
interface FastEthernet0/0/1
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
no cdp enable
!
ip default-gateway 10.1.27.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.27.254
no ip http server
ip pim bidir-enable
!
no cdp run
!
!
radius-server host 172.19.192.26 auth-port 1645 acct-port 1646 key rad123
radius-server retransmit 3
call rsvp-sync
!
aaa new-model
!
!
aaa accounting network m1 start-stop group radius
aaa accounting network m2 stop-only group radius
aaa session-id common
enable secret 5 $1$ftf.$wE6Q5Yv6hmQiwL9pizPCg1
!
username ENT_LNS password 0 tunnelpass
username user1@cisco.com password 0 lab
username user2@cisco.com password 0 lab
spe 1/0 1/7
firmware location system:/ucode/mica_port_firmware
spe 2/0 2/9
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
clock timezone est 2
!
ip subnet-zero
no ip domain-lookup
ip host CALLGEN-SECURITY-V2 172.24.80.28 10.47.0.0
ip host dirt 172.16.1.129
!
vpdn enable
vpdn tunnel accounting network m1
vpdn session accounting network m1
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
terminate-from hostname ISP_LAC
local name ENT_LNS
!
mta receive maximum-recipients 0
!
interface Loopback0
ip address 192.168.70.101 255.255.255.0
!
interface Loopback1
ip address 192.168.80.101 255.255.255.0
!
interface FastEthernet0/0/0
ip address 10.1.26.71 255.255.255.0
no ip mroute-cache
no cdp enable
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool vpdn-pool1
ppp authentication chap
!
interface Virtual-Template2
ip unnumbered Loopback1
peer default ip address pool vpdn-pool2
ppp authentication chap
!
interface FastEthernet0/0/1
no ip address
no ip mroute-cache
shutdown
duplex auto
speed auto
no cdp enable
!
ip local pool vpdn-pool1 192.168.70.1 192.168.70.100
ip local pool vpdn-pool2 192.168.80.1 192.168.80.100
ip default-gateway 10.1.26.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.26.254
ip route 10.90.1.2 255.255.255.255 10.1.26.254
no ip http server
ip pim bidir-enable
!
no cdp run
!
radius-server host 172.19.192.80 auth-port 1645 acct-port 1646 key rad123
radius-server retransmit 3
call rsvp-sync
Additional References
The following sections provide references related to RFC-2867 RADIUS Tunnel Accounting.
Related Documents
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
RFCs
RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support
Preauthorization
LLID is an alphanumeric string (which must be a minimum of one character and a maximum of 253 characters)
that is a logical identification of a subscriber line. LLID is maintained in a customer profile database on a
RADIUS server. When the customer profile database receives a preauthorization request from the access
router, the RADIUS server sends the LLID to the router as the Calling-Station-ID attribute (attribute 31).
The Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) sends a preauthorization request to the
customer profile database when the LAC is configured for preauthorization. Configure the LAC for
preauthorization using the subscriber access command.
Note Downloading the LLID is referred to as “preauthorization” because it occurs before either service (domain)
authorization or user authentication and authorization occur.
The customer profile database on the RADIUS server consists of user profiles for each physical network
access server (NAS) port that is connected to the router. Each user profile contains a profile matched to a
username (attribute 1) representing the physical port on the router. When the router is configured for
preauthorization, it queries the customer profile database using a username representative of the physical NAS
port making the connection to the router. When a match is found in the customer profile database, the customer
profile database returns an Access-Accept message containing the LLID in the user profile. The LLID is
defined in the Access-Accept record as the Calling-Station-ID attribute.
The preauthorization process can also provide the real username being used for authentication to the RADIUS
server. Because the physical NAS port information is being used as the username (attribute 1), RADIUS
attribute 77 (Connect-Info) can be configured to contain the authentication username. This configuration
allows the RADIUS server to provide additional validation on the authorization request if it chooses, such as
analyzing the username for privacy rules, before returning an LLID back to the router.
Configuring Preauthorization
To download the LLID and configure the LAC for preauthorization, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip radius source-interface interface-name
4. subscriber access {pppoe | pppoa} pre-authorize nas-port-id [default | list-name] [send username]
DETAILED STEPS
Step 2 configure terminal
Example:
Router# configure terminal
Step 3 ip radius source-interface interface-name
Specifies the IP address portion of the username for the preauthorization request.
Example:
Router(config)# ip radius source-interface Loopback1
Step 4 subscriber access {pppoe | pppoa} pre-authorize nas-port-id [default | list-name] [send username]
Enables the LLID to be downloaded so the router can be configured for preauthorization.
The send username option specifies that you include the authentication username of the session inside the Connect-Info (attribute 77) in the Access-Request message.
Example:
Router(config)# subscriber access pppoe pre-authorize nas-port-id mlist_llid send username
SUMMARY STEPS
1. User-Name=nas-port:ip-address:slot/module/port/vpi.vci
2. User-Name=nas-port:ip-address:slot/module/port/vlan-id
3. Calling-Station-Id = “string (*,*)”
DETAILED STEPS
SUMMARY STEPS
1. enable
2. debug radius
DETAILED STEPS
Step 2 debug radius
Checks to see that RADIUS attribute 31 is the LLID in the Accounting-Request on the LAC and in the Access-Request and Accounting-Request on the LNS.
Example:
Router# debug radius
aaa new-model
aaa group server radius sg_llid
server 172.31.164.106 auth-port 1645 acct-port 1646
aaa group server radius sg_water
server 172.31.164.106 auth-port 1645 acct-port 1646
aaa authentication ppp default group radius
aaa authorization config-commands
aaa authorization network default group sg_water
aaa authorization network mlist_llid group sg_llid
aaa session-id common
!
username s7200_2 password 0 lab
username s5300 password 0 lab
username sg_water password 0 lab
vpdn enable
!
vpdn-group 2
request-dialin
protocol l2tp
domain example.com
domain example.com#184
initiate-to ip 10.1.1.1
local name s7200_2
l2tp attribute clid mask-method right * 255 match #184
!
vpdn-group 3
accept-dialin
protocol pppoe
virtual-template 1
!
!
! Enable the LLID to be downloaded.
subscriber access pppoe pre-authorize nas-port-id mlist_llid send username
!
interface Loopback0
ip address 10.1.1.2 255.255.255.0
!
interface Loopback1
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet1/0/0
ip address 10.1.1.8 255.255.255.0 secondary
ip address 10.0.58.111 255.255.255.0
no cdp enable
!
interface ATM4/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM4/0/0.1 point-to-point
pvc 1/100
encapsulation aal5snap
protocol pppoe
!
interface virtual-template1
no ip unnumbered Loopback0
no peer default ip address
ppp authentication chap
!
radius-server host 172.31.164.120 auth-port 1645 acct-port 1646 key rad123
radius-server host 172.31.164.106 auth-port 1645 acct-port 1646 key rad123
ip radius source-interface Loopback1
pppoeovlan
----------
nas-port:10.1.0.3:6/0/0/0 Password = "password1",
Service-Type = Outbound,
Calling-Station-ID = "cat-example"
pppoeoa
--------
nas-port:10.1.0.3:6/0/0/1.100 Password = "password1",
Service-Type = Outbound,
Calling-Station-ID = "cat-example"
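The server-side lookup described under Preauthorization above, as an added Python example (not Cisco code and not any RADIUS server's code): it parses the two profile entries shown above, builds the nas-port User-Name the LAC sends, matches it against the customer profile database, optionally applies a hypothetical domain rule to the Connect-Info (77) username, and returns the LLID as Calling-Station-ID. The request password and the domain rule are constructed assumptions.

```python
"""Customer-profile lookup for LLID preauthorization (added example; not Cisco
or RADIUS-server code). Models the server side described above: profiles keyed
by a User-Name that names the physical NAS port, the real username optionally
carried in Connect-Info (77), and the LLID returned as Calling-Station-ID (31).
"""
import hmac
import re

# The two profiles shown above, used as the customer profile database.
PROFILE_TEXT = """
nas-port:10.1.0.3:6/0/0/0 Password = "password1",
Service-Type = Outbound,
Calling-Station-ID = "cat-example"
nas-port:10.1.0.3:6/0/0/1.100 Password = "password1",
Service-Type = Outbound,
Calling-Station-ID = "cat-example"
"""
# User-Name shapes from the task above: nas-port:ip:slot/module/port/vpi.vci or .../vlan-id
NAS_PORT_RE = re.compile(r"^nas-port:(\d{1,3}(?:\.\d{1,3}){3}):\d+/\d+/\d+/\d+(?:\.\d+)?$")


def parse_profiles(text):
    """Return {user-name: {attribute: value}} from users-file style entries."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line:
            continue
        head = re.match(r'^(\S+)\s+Password\s*=\s*"([^"]*)"$', line)
        if head:                                  # first line of an entry: key and check item
            current = {"Password": head.group(2)}
            profiles[head.group(1)] = current
            continue
        if current is None:
            raise ValueError(f"reply attribute before any profile: {line}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line}")
        current[key.strip()] = value.strip().strip('"')
    return profiles


def nas_port_user_name(source_ip, slot, module, port, vpi=None, vci=None, vlan=None):
    """Build the User-Name the LAC sends; source_ip comes from ip radius source-interface."""
    base = f"nas-port:{source_ip}:{slot}/{module}/{port}"
    if vpi is not None and vci is not None:
        return f"{base}/{vpi}.{vci}"          # PPPoA / PPPoE over ATM (pvc vpi/vci)
    if vlan is not None:
        return f"{base}/{vlan}"               # PPPoE over VLAN
    raise ValueError("need either vpi+vci or vlan")


def preauthorize(profiles, user_name, password, connect_info=None, allowed_domains=None):
    """Answer a preauthorization Access-Request: ("Access-Accept", reply attributes)
    or ("Access-Reject", reason). allowed_domains is a hypothetical privacy rule
    applied to the real username carried in Connect-Info (77)."""
    if not NAS_PORT_RE.match(user_name):
        return ("Access-Reject", "User-Name is not a NAS port identifier")
    profile = profiles.get(user_name)
    if profile is None:
        return ("Access-Reject", "no customer profile for this NAS port")
    if not hmac.compare_digest(profile["Password"].encode(), password.encode()):
        return ("Access-Reject", "bad password")
    if connect_info is not None and allowed_domains is not None:
        domain = connect_info.rpartition("@")[2]
        if domain not in allowed_domains:
            return ("Access-Reject", f"Connect-Info username domain {domain!r} not allowed")
    return ("Access-Accept", {"Calling-Station-ID": profile["Calling-Station-ID"],
                              "Service-Type": profile["Service-Type"]})


def demo():
    """Port 6/0/0 on pvc 1/100 asks for its LLID while user1@cisco.com is connecting."""
    profiles = parse_profiles(PROFILE_TEXT)
    name = nas_port_user_name("10.1.0.3", 6, 0, 0, vpi=1, vci=100)
    return preauthorize(profiles, name, "password1", "user1@cisco.com", {"cisco.com"})


if __name__ == "__main__":
    print(demo())
```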
Additional References
The following sections provide references related to the RADIUS EAP Support feature.
Related Documents
Standards
None
MIBs
RFCs
RFC 2284 PPP Extensible Authentication Protocol (EAP)
Calling Station ID Attribute 31: Cisco IOS XE Release 2.1. This feature was introduced on Cisco ASR 1000 Series Routers.
LLID Blocking: Cisco IOS XE Release 2.1. This feature was introduced on Cisco ASR 1000 Series Routers.
Glossary
attribute --A RADIUS Internet Engineering Task Force (IETF) attribute is one of the original set of 255
standard attributes that are used to communicate authentication, authorization, and accounting (AAA)
information between a client and a server. Because IETF attributes are standard, the attribute data is predefined
and well known; thus all clients and servers that exchange AAA information through IETF attributes must
agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for
each attribute.
CHAP --Challenge Handshake Authentication Protocol. Security feature that is supported on lines using PPP
encapsulation and prevents unauthorized access. CHAP does not itself prevent unauthorized access; it merely
identifies the remote end. The router or access server then determines whether that user is allowed access.
EAP --Extensible Authentication Protocol. A PPP authentication protocol that supports multiple authentication
mechanisms that are negotiated during the authentication phase (instead of the Link Control Protocol [LCP]
phase). EAP allows a third-party authentication server to interact with the PPP implementation through a
generic interface.
LCP --link control protocol. Protocol that establishes, configures, and tests data-link connections for use by
PPP.
MD5 (HMAC variant) --Message Digest 5. A hash algorithm used to authenticate packet data. HMAC is a keyed hashing mechanism for message authentication.
NAS --network access server. A device providing local network access to users across a remote access network
such as the public switched telephone network (PSTN).
PAP --Password Authentication Protocol. Authentication protocol that allows PPP peers to authenticate one
another. The remote router attempting to connect to the local router is required to send an authentication
request. Unlike CHAP, PAP passes the password and host name or username in the clear (unencrypted). PAP
does not itself prevent unauthorized access; it merely identifies the remote end. The router or access server
then determines if that user is allowed access. PAP is supported only on PPP lines.
PPP --Point-to-Point Protocol. A protocol that encapsulates network layer protocol information over
point-to-point links. PPP is defined in RFC 1661.
RADIUS --Remote Authentication Dial-In User Service. Database for authenticating modem and ISDN
connections and for tracking connection time.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual
addresses and phone numbers. Any examples, command display output, network topology diagrams, and
other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses
or phone numbers in illustrative content is unintentional and coincidental. © 2001-2009 Cisco Systems, Inc.
All rights reserved.
for static route download requests sent by their NAS to authorization, authentication, and accounting (AAA)
servers.
Before this feature, RADIUS authorization for static route download requests was sent only to AAA servers
specified by the default method list.
This feature extends the functionality of the aaa route download command to allow users to specify the name
of the method list that will be used to direct static route download requests to the AAA servers. The aaa route
download command may be used to specify a separate method list for downloading static routes. This method
list can be added by using the aaa authorization configuration command.
aaa new-model
aaa group server radius rad1
server 10.2.2.2 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac1
server 172.17.3.3
!
aaa authorization configuration default group radius
aaa authorization configuration list1 group rad1 group tac1
aaa route download 1 authorization list1
tacacs-server host 172.17.3.3
tacacs-server key cisco
tacacs-server administration
!
radius-server host 10.2.2.2 auth-port 1645 acct-port 1646
radius-server key cisco
Additional References
The following sections provide references related to RADIUS Route Download.
Related Documents
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
Description Link
The Cisco Support website provides extensive online http://www.cisco.com/techsupport
resources, including documentation and tools for
troubleshooting and resolving technical issues with
Cisco products and technologies.
To receive security and technical information about
your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field
Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website
requires a Cisco.com user ID and password.
• RADIUS must be configured for functions such as authentication, accounting, or static route download.
The batch size is a user-configured parameter. Changes in the batch size may impact CPU load and network
throughput. As batch size increases, CPU load decreases and network throughput increases. However, if a
large batch size is used, all available server resources may not be fully utilized. As batch size decreases, CPU
load increases and network throughput decreases.
Note There is no set number for large or small batch sizes. A batch with more than 50 transactions is considered
large and a batch with fewer than 25 transactions is considered small.
Note If a server group contains ten or more servers, we recommend that you set a high batch size to reduce
CPU load.
You can configure authentication and accounting to use the same RADIUS server or different servers. In
some cases, the same server can be used for preauthentication, authentication, or accounting transactions for
a session. The preferred server, which is an internal setting and is set as the default, informs AAA to use the
same server for the start and stop record for a session regardless of the server cost. When using the preferred
server setting, ensure that the server that is used for the initial transaction (for example, authentication), the
preferred server, is part of any other server group that is used for a subsequent transaction (for example,
accounting).
The preferred server is not used if one of the following criteria is true:
• The load-balance method least-outstanding ignore-preferred-server command is used.
• The preferred server is dead.
• The preferred server is in quarantine.
• The want server flag has been set, overriding the preferred server setting.
The want server flag, an internal setting, is used when the same server must be used for all stages of a multistage
transaction regardless of the server cost. If the want server is not available, the transaction fails.
You can use the load-balance method least-outstanding ignore-preferred-server command if you have
either of the following configurations:
• Dedicated authentication server and a separate dedicated accounting server
• Network where you can track all call record statistics and call record details, including start and stop
records and records that are stored on separate servers
If you have a configuration where authentication servers are a superset of accounting servers, the preferred
server is not used.
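The batch and preferred-server rules above, worked through in an added Python simulation (this is not Cisco IOS code; the class and field names are assumptions). It reproduces the two-server, batch-size-5 pattern shown in the show debug output later in this section and the per-session stickiness described for the preferred server.

```python
"""Simulation of least-outstanding RADIUS server selection with batches and a
per-session preferred server. Added illustration of the rules in this section;
not Cisco IOS code, and the data structures are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Server:
    name: str
    outstanding: int = 0          # transactions sent but not yet answered
    dead: bool = False
    quarantined: bool = False

    @property
    def usable(self) -> bool:
        return not (self.dead or self.quarantined)


@dataclass
class ServerGroup:
    servers: List[Server]
    batch_size: int = 25          # IOS default batch size
    ignore_preferred_server: bool = False
    # current batch server and transactions left in that batch
    _batch_server: Optional[Server] = None
    _remaining: int = 0
    # session id -> server chosen for the first transaction of that session
    preferred: Dict[str, Server] = field(default_factory=dict)

    def _least_loaded(self) -> Server:
        """Open a new batch on the server with the fewest outstanding transactions.
        Ties go to the lowest index, matching 'Selected Server[0] with load 0'."""
        candidates = [s for s in self.servers if s.usable]
        if not candidates:
            raise RuntimeError("all servers dead or quarantined")
        self._batch_server = min(candidates, key=lambda s: s.outstanding)
        self._remaining = self.batch_size
        return self._batch_server

    def select(self, session: str, want_server: Optional[Server] = None) -> Server:
        """Pick the server for one transaction of `session`."""
        # 1. The want-server flag wins regardless of cost; if unavailable the transaction fails.
        if want_server is not None:
            if not want_server.usable:
                raise RuntimeError(f"want server {want_server.name} unavailable")
            want_server.outstanding += 1
            return want_server
        # 2. Reuse the session's preferred server unless it is ignored, dead or quarantined.
        pref = self.preferred.get(session)
        if pref is not None and not self.ignore_preferred_server and pref.usable:
            pref.outstanding += 1
            return pref
        # 3. Otherwise take the next slot in the current batch, opening a new batch
        #    on the least-loaded server when the batch is exhausted.
        if self._remaining == 0 or self._batch_server is None or not self._batch_server.usable:
            self._least_loaded()
        srv = self._batch_server
        self._remaining -= 1
        srv.outstanding += 1
        self.preferred.setdefault(session, srv)   # becomes this session's preferred server
        return srv


def batch_demo() -> List[str]:
    """Ten new sessions, batch size 5, two idle servers: the first five go to Server[0];
    the sixth opens a new batch, sees load 5 versus 0, and Server[1] is selected."""
    group = ServerGroup([Server("192.0.2.238:2095"), Server("192.0.2.238:2015")], batch_size=5)
    return [group.select(f"s{i}").name for i in range(10)]


def preferred_demo() -> List[str]:
    """Authentication and then accounting for one session reuse the preferred server
    even when the other server is cheaper by then; a dead preferred server is skipped."""
    a, b = Server("209.165.200.225"), Server("209.165.200.226")
    group = ServerGroup([a, b], batch_size=1)
    first = group.select("sess-1").name      # opens a batch on a
    group.select("sess-2")                   # new batch: a has load 1, b has 0, so b
    a.outstanding = 10                        # constructed: a is now much busier
    second = group.select("sess-1").name     # still a: preferred server wins over cost
    a.dead = True
    third = group.select("sess-1").name      # preferred server dead: normal selection
    return [first, second, third]
```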
Caution We recommend that you use a test user that is not defined on the RADIUS server for the RADIUS server
automated testing to protect against security issues that may arise if the test user is not correctly configured.
Note Use the test aaa group command to check load-balancing transactions.
1. enable
2. configure terminal
3. aaa group server radius group-name
4. server ip-address [auth-port port-number] [acct-port port-number]
5. load-balance method least-outstanding [batch-size number] [ignore-preferred-server]
6. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 aaa group server radius group-name
Enters server group configuration mode.
Example:
Device(config)# aaa group server radius rad-sg
Step 4 server ip-address [auth-port port-number] [acct-port port-number]
Example:
Device(config-sg-radius)# server 192.0.2.238 auth-port 2095 acct-port 2096
Step 5 load-balance method least-outstanding [batch-size number] [ignore-preferred-server]
Enables the least-outstanding load balancing for a named server group.
Example:
Device(config-sg-radius)# load-balance method least-outstanding batch-size 30
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server host {hostname | ip-address} [test username name] [auth-port number]
[ignore-auth-port] [acct-port number] [ignore-acct-port] [idle-time seconds]
4. radius-server load-balance method least-outstanding [batch-size number]
[ignore-preferred-server]
5. load-balance method least-outstanding [batch-size number] [ignore-preferred-server]
6. end
DETAILED STEPS
Example:
Device# configure terminal
Step 3 radius-server host {hostname | ip-address} [test username name] [auth-port number] [ignore-auth-port] [acct-port number] [ignore-acct-port] [idle-time seconds]
Enables RADIUS automated testing.
Example:
Device(config)# radius-server host 192.0.2.1 test username test1 idle-time 1
Step 4 radius-server load-balance method least-outstanding [batch-size number] [ignore-preferred-server]
Enables the least-outstanding load balancing for the global RADIUS server group and enters server group configuration mode.
• The default batch size is 25. The batch size range is from 1 to 2147483647.
Example:
Device(config)# radius-server load-balance method least-outstanding
Step 5 load-balance method least-outstanding [batch-size number] [ignore-preferred-server]
Enables least-outstanding load balancing for a named server group.
Example:
Device(config-sg)# load-balance method least-outstanding batch-size 5
SUMMARY STEPS
1. Use the debug aaa test command to determine when an idle timer or dead timer has expired, when test
packets are sent, the status of the server, or to verify the server state.
2. Use the debug aaa sg-server selection command to determine the server that is selected for load balancing.
3. Use the test aaa group command to manually verify the RADIUS load-balanced server status.
DETAILED STEPS
Step 1 Use the debug aaa test command to determine when an idle timer or dead timer has expired, when test packets are sent,
the status of the server, or to verify the server state.
The idle timer is used to check the server status and is updated with or without any incoming requests. Monitoring the
idle timer helps to determine if there are nonresponsive servers and to keep the RADIUS server status updated to efficiently
utilize available resources. For instance, an updated idle timer would help ensure that incoming requests are sent to
servers that are alive.
The dead timer is used either to determine that a server is dead or to update a dead server’s status appropriately.
Monitoring server selection helps to determine how often the server selection changes. Server selection is effective in
analyzing if there are any bottlenecks, a large number of queued requests, or if only specific servers are processing
incoming requests.
The following sample output from the debug aaa test command shows when the idle timer expired:
Example:
Device# debug aaa test
Step 2 Use the debug aaa sg-server selection command to determine the server that is selected for load balancing.
The following sample output from the debug aaa sg-server selection command shows five access requests being sent
to a server group with a batch size of three:
Example:
Device# debug aaa sg-server selection
Step 3 Use the test aaa group command to manually verify the RADIUS load-balanced server status.
The following sample output shows the response from a load-balanced RADIUS server that is alive when the username
“test” does not match a user profile. The server is verified alive when it issues an Access-Reject response to an
authentication, authorization, and accounting (AAA) packet generated using the test aaa group command.
Example:
Device# test aaa group SG1 test lab new-code
• The radius-server load-balance command enables load balancing for global RADIUS server groups
with the batch size specified.
The show debug sample output below shows the selection of the preferred server and the processing of
requests for the configuration:
Device# show debug
General OS:
AAA server group server selection debugging is on
#
<sending 10 pppoe requests>
Device#
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000014):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:No more transactions in batch. Obtaining a new
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining a new least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[0] load:0
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[1] load:0
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Selected Server[0] with load 0
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[5] transactions remaining in batch.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000014):Server (192.0.2.238:2095,2096) now being
used as preferred server
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000015):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[4] transactions remaining in batch. Reusing
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000015):Server (192.0.2.238:2095,2096) now being
used as preferred server
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000016):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[3] transactions remaining in batch. Reusing
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000016):Server (192.0.2.238:2095,2096) now being
used as preferred server
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000017):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[2] transactions remaining in batch. Reusing
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000017):Server (192.0.2.238:2095,2096) now being
used as preferred server
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000018):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[1] transactions remaining in batch. Reusing
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000018):Server (192.0.2.238:2095,2096) now being
used as preferred server
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000019):No preferred server available.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:No more transactions in batch. Obtaining a new
server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Obtaining a new least loaded server.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[1] load:0
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Server[0] load:5
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:Selected Server[1] with load 0
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT:[5] transactions remaining in batch.
*Feb 28 13:40:32.199:AAA/SG/SERVER_SELECT(00000019):Server (192.0.2.238:2015,2016) now being
used as preferred server.
The following sample output from the show aaa servers command shows the AAA server status for the global
RADIUS server group configuration:
The sample output shows the status of two RADIUS servers. Both servers are up and successfully processed
in the last 2 minutes:
• Five out of six authentication requests
Example: Server Configuration and Enabling Load Balancing for Global RADIUS Server Group
The following example shows the relevant RADIUS configuration:
Device# show running-config | include radius
• The aaa accounting command enables sending of all accounting requests to the AAA server when the
client is authenticated and then disconnected using the start-stop keyword.
The show debug sample output below shows the selection of the preferred server and the processing of requests
for the preceding configuration:
Device# show debug
Example: Server Configuration and Enabling Load Balancing for Named RADIUS Server Group
The following sample output shows the relevant RADIUS configuration:
Device# show running-config
.
.
.
aaa group server radius server-group1
server 192.0.2.238 auth-port 2095 acct-port 2096
server 192.0.2.238 auth-port 2015 acct-port 2016
load-balance method least-outstanding batch-size 5
!
aaa authentication ppp default group server-group1
aaa accounting network default start-stop group server-group1
.
.
.
The lines in the configuration output above are defined as follows:
• The aaa group server radius command shows the configuration of a server group with two member
servers.
• The load-balance command enables load balancing for global RADIUS server groups with the batch
size specified.
• The aaa authentication ppp command authenticates all PPP users using RADIUS.
• The aaa accounting command enables sending of all accounting requests to the AAA server when the
client is authenticated and then disconnected using the start-stop keyword.
The show debug sample output below shows test requests being sent to servers. The response to the test
request sent to the server is received, the server is removed from quarantine as appropriate, the server is marked
alive, and then the idle timer is reset.
Device# show debug
Example: Server Configuration and Enabling Load Balancing for Idle Timer Monitoring
The following sample output shows the relevant RADIUS configuration:
Device# show running-config | include radius
Example: Configuring the Preferred Server with the Same Authentication and
Authorization Server
The following example shows an authentication server group and an authorization server group that use the
same servers 209.165.200.225 and 209.165.200.226. Both server groups have the preferred server flag enabled.
aaa group server radius authentication-group
server 209.165.200.225 key radkey1
server 209.165.200.226 key radkey2
aaa group server radius accounting-group
server 209.165.200.225 key radkey1
server 209.165.200.226 key radkey2
When a preferred server is selected for a session, all transactions for that session will continue to use the
original preferred server. The servers 209.165.200.225 and 209.165.200.226 are load balanced based on
sessions rather than transactions.
Related Documents
Related Topic: AAA server groups and RADIUS configuration
Document Title: “Configuring RADIUS” module in the RADIUS Configuration Guide
Related Topic: Failover retry reorder mode
Document Title: “RADIUS Server Reorder on Failure” module in the RADIUS Configuration Guide
Feature Name: RADIUS Server Load Balancing
Releases: Cisco IOS XE Release 2.1
Feature Information: This feature was introduced on Cisco ASR 1000 series routers.
If at any time during this process, a server meets the dead-server detection criteria (not configurable; it varies
depending on the version of software being used), the server is marked as dead for the configured deadtime.
• After the transmission is sent to the flagged server, the transmission is sent to the flagged server again
for the configured number of retransmissions.
• The NAS then sequentially sends the transmission through the list of nondead servers in the server group,
starting with the one listed after the flagged server, until the configured transaction maximum tries is
reached or until a response is received.
• At boot time, the flagged server is the first server in the server group list as was established using the
radius-server host command.
• If the flagged server is marked as dead (even if the dead time is zero), the first nondead server listed
after the flagged server becomes the flagged server.
• If the flagged server is the last server in the list, and it is marked as dead, the flagged server becomes
the first server in the list that is not marked as dead.
• If all servers are marked as dead, the transaction fails, and no change is made to the flagged server.
• If the flagged server is marked as dead, and the dead timer expires, nothing happens.
Note Some types of transmissions (for example, Challenge Handshake Authentication Protocol [CHAP],
Microsoft CHAP [MS-CHAP], and Extensible Authentication Protocol [EAP]) require multiple roundtrips
to a single server. For these special transactions, the entire sequence of roundtrips to the server are treated
as though they were one transmission.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. radius-server retry method reorder
5. radius-server retransmit retries
6. radius-server transaction max-tries number
7. radius-server host {hostname | ip-address} [key string]
8. radius-server host {hostname | ip-address} [key string]
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router(config)# aaa new-model
Step 4 radius-server retry method reorder
Specifies the reordering of RADIUS traffic retries among a server group.
Example:
Router(config)# radius-server retry method reorder
Step 5 radius-server retransmit retries
Specifies the number of times the Cisco IOS XE software searches the list of RADIUS server hosts before giving up. The retries argument is the maximum number of retransmission attempts. The default is 3 attempts.
Example:
Router(config)# radius-server retransmit 1
SUMMARY STEPS
1. enable
2. debug aaa sg-server selection
3. debug radius
DETAILED STEPS
Step 3 debug radius
Displays information about why the router is choosing a particular RADIUS server.
Example:
Router# debug radius
Example
The following two debug outputs display the behavior of the RADIUS Server Reorder on Failure feature:
Debug 1
In the following sample output, the RADIUS Server Reorder on Failure feature is configured. The server
retransmits are set to 0 (so each server is tried just one time before failover to the next configured server), and
the transmissions per transaction are set to 4 (the transmissions stop on the third failover). The third server in
the server group (10.107.164.118) has accepted the transaction on the third transmission (second failover).
Debug 2
In the following sample output, the RADIUS Server Reorder on Failure feature is configured. The server
retransmits are set to 0, and the transmissions per transaction are set to 8. In this transaction, the transmission
to server 10.10.10.0 has failed on the eighth transmission.
aaa new-model
radius-server retransmit 0
10.2.3.4
10.5.6.7
10.2.3.4
10.5.6.7
10.2.3.4
10.5.6.7
If you configure the reorder as follows:
10.2.3.4
10.2.3.4
10.4.5.6
Subsequent transactions may be transmitted according to a different pattern. The transmissions depend on
whether the criteria for marking one (or both) servers as dead have been met, and as per the server flagging
pattern already described.
If you configure the reorder as follows:
10.1.1.1
10.1.1.1
10.2.2.2
For any additional transaction initiated for any transmissions before the server is marked as dead:
10.1.1.1
10.1.1.1
10.2.2.2
10.2.2.2
If servers 10.2.2.2 and 10.3.3.3 then go down as well, you see the following transmissions until servers 10.2.2.2
and 10.3.3.3 meet the criteria for being marked as dead:
10.2.2.2
10.2.2.2
10.3.3.3
10.3.3.3
10.1.1.1
10.1.1.1
10.2.2.2
10.2.2.2
The above is followed by the failure of the transmission and by the next method in the method list being used
(if any).
If servers 10.2.2.2 and 10.3.3.3 go down but server 10.1.1.1 comes up at the same time, you see the following:
10.2.2.2
10.2.2.2
10.3.3.3
10.3.3.3
10.1.1.1
When servers 10.2.2.2 and 10.3.3.3 are then marked as dead, you see the following:
10.1.1.1
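The flagged-server rules and the transmission patterns above, as an added Python model (not Cisco IOS code). Because the page omits the transaction max-tries lines for these patterns, the retransmit and max-tries values in the demos, and the assumption that 10.1.1.1 was marked dead with a deadtime of zero, are inferred from the sequences shown and are assumptions.

```python
"""Model of the RADIUS Server Reorder on Failure transmission order and the
flagged-server rules. Added illustration, not Cisco IOS code; max-tries values
used in the demos are assumptions inferred from the patterns in this section."""
from typing import List, Optional, Set


class ReorderGroup:
    def __init__(self, servers: List[str], retransmit: int, max_tries: int):
        self.servers = servers          # order of the radius-server host commands
        self.retransmit = retransmit    # radius-server retransmit
        self.max_tries = max_tries      # radius-server transaction max-tries
        self.dead: Set[str] = set()     # servers currently inside their deadtime
        self.flagged = servers[0]       # at boot the first configured server is flagged

    def _next_nondead_after(self, name: str) -> Optional[str]:
        """First server after `name` (wrapping to the top of the list) that is not dead."""
        n = len(self.servers)
        start = self.servers.index(name)
        for k in range(1, n + 1):
            cand = self.servers[(start + k) % n]
            if cand not in self.dead:
                return cand
        return None

    def mark_dead(self, name: str, deadtime_zero: bool = False) -> None:
        """Dead-server rules: when the flagged server dies the flag moves to the first
        nondead server after it (wrapping); with deadtime 0 the server is usable
        again at once, but the flag has still moved. If every server is dead the
        flag is left unchanged and transactions fail."""
        if name == self.flagged:
            self.dead.add(name)
            successor = self._next_nondead_after(name)
            if successor is not None:
                self.flagged = successor
            if deadtime_zero:
                self.dead.discard(name)
        elif not deadtime_zero:
            self.dead.add(name)

    def mark_alive(self, name: str) -> None:
        """Dead timer expiry: the server is usable again; the flag does not move."""
        self.dead.discard(name)

    def transmission_order(self) -> List[str]:
        """Servers one transaction is sent to, in order, when nothing answers: the
        flagged server retransmit+1 times, then each following nondead server
        retransmit+1 times, wrapping, until max-tries transmissions were made."""
        order: List[str] = []
        if self.flagged in self.dead:
            return order                # all servers dead: the transaction fails
        current: Optional[str] = self.flagged
        while current is not None and len(order) < self.max_tries:
            for _ in range(self.retransmit + 1):
                if len(order) == self.max_tries:
                    break
                order.append(current)
            current = self._next_nondead_after(current)
        return order


def demo_retransmit_zero() -> List[str]:
    """retransmit 0 with two hosts; max-tries 6 assumed: the hosts alternate."""
    return ReorderGroup(["10.2.3.4", "10.5.6.7"], retransmit=0, max_tries=6).transmission_order()


def demo_reorder_two_servers() -> List[str]:
    """retransmit 1 and max-tries 3 assumed: 10.2.3.4 twice, then 10.4.5.6 once."""
    return ReorderGroup(["10.2.3.4", "10.4.5.6"], retransmit=1, max_tries=3).transmission_order()


def demo_flag_moves_on_dead() -> List[List[str]]:
    """Three hosts, retransmit 1; max-tries 4 and then 8 assumed. Marking 10.1.1.1
    dead with deadtime 0 moves the flag to 10.2.2.2 while 10.1.1.1 stays in
    rotation; when 10.2.2.2 and 10.3.3.3 are marked dead the flag wraps to 10.1.1.1."""
    g = ReorderGroup(["10.1.1.1", "10.2.2.2", "10.3.3.3"], retransmit=1, max_tries=4)
    before = g.transmission_order()           # 10.1.1.1 x2, 10.2.2.2 x2
    g.mark_dead("10.1.1.1", deadtime_zero=True)
    g.max_tries = 8
    after = g.transmission_order()            # 10.2.2.2 x2, 10.3.3.3 x2, 10.1.1.1 x2, 10.2.2.2 x2
    g.mark_dead("10.2.2.2")
    g.mark_dead("10.3.3.3")                   # both inside a nonzero deadtime now
    last = g.transmission_order()             # only 10.1.1.1 is nondead
    return [before, after, last]
```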
Additional References
Related Documents
Related Topic: RADIUS
Document Title: “Configuring RADIUS” in the Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2
Standards
Standard: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: --
MIBs
MIB: No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: --
Benefits
With this feature, users can extend the time in which the RADIUS client (the router) sends accounting requests
to the RADIUS server in the event that the RADIUS server or the connection to the server is down and there
is no accounting response confirmation. This functionality enables accounting records to remain on the router
for up to 24 hours.
SUMMARY STEPS
1. enable
2. configure terminal
3. Router(config)# radius-server backoff exponential [max-delay minutes] [backoff-retry retransmits]
4. Router(config)# radius-server host {hostname | ip-address} [test username user-name] [auth-port port-number] [ignore-auth-port] [acct-port port-number] [ignore-acct-port] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [idle-time seconds] [backoff exponential {backoff-retry number-of-retransmits | key encryption-key | max-delay minutes}]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 Router(config)# radius-server backoff exponential [max-delay minutes] [backoff-retry retransmits]
Configures the router for exponential backoff retransmit of accounting requests.
Example:
Router(config)# radius-server backoff exponential max-delay 60 backoff-retry 32
Step 4 Router(config)# radius-server host {hostname | ip-address} [test username user-name] [auth-port port-number] [ignore-auth-port] [acct-port port-number] [ignore-acct-port] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [idle-time seconds] [backoff exponential {backoff-retry number-of-retransmits | key encryption-key | max-delay minutes}]
Specifies a RADIUS server host and configures that RADIUS server host for exponential backoff retransmit of accounting requests.
Example:
Router(config)# radius-server host 192.0.2.1 test username test1 auth-port 1645 acct-port 1646
SUMMARY STEPS
1. enable
2. configure terminal
3. Router(config)# aaa group server radius group-name
4. Router(config-sg-radius)# backoff exponential [max-delay minutes] [backoff-retry retransmits]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 Router(config)# aaa group server radius group-name
Groups different RADIUS server hosts into distinct lists and distinct methods and enters server-group RADIUS configuration mode.
Step 4 Router(config-sg-radius)# backoff exponential [max-delay minutes] [backoff-retry retransmits]
Configures the router for exponential backoff retransmit of accounting requests per RADIUS server group.
SUMMARY STEPS
1. enable
2. debug radius
3. show accounting
4. show radius statistics
DETAILED STEPS
Example:
Router# debug radius
Step 3 show accounting Displays all active sessions and prints all the accounting
records for actively accounted functions.
Example:
Router# show accounting
Step 4 show radius statistics Displays the RADIUS statistics for accounting packets.
Example:
Router# show radius statistics
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
aaa authorization exec default group radius
aaa authorization network default group radius
aaa accounting send stop-record authentication failure
aaa accounting update periodic 1
aaa accounting network default start-stop group radius
!
radius-server host 172.107.164.206 auth-port 1645 acct-port 1646 backoff exponential max-delay
60 backoff-retry 32
radius-server backoff exponential max-delay 60 backoff-retry 32
radius-server retransmit 3
radius-server key rad123
end
t = 0 req sent
t = 5 retrans 1
t = 10 retrans 2
t = 15 retrans 3
t = 25 retrans 4
t = 45 retrans 5
t = 85 retrans 6
t = 165 retrans 7
t = 325 retrans 8
t = 645 retrans 9
t = 1285 retrans 10
t = 2565 retrans 11
t = 5125 retrans 12
t = 8725 retrans 13 (The interval has stabilized to 60 minutes here.)
t = 12325 retrans 14, and so on until retransmit 35
After all the retransmits are sent, the RADIUS request follows the same path that it would when all the normal
retransmits are done.
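The retransmit timeline above, computed rather than listed, as an added Python example (not Cisco IOS code). It assumes the 5-second per-request timeout implied by the first three intervals, that the normal retransmits (radius-server retransmit 3) are evenly spaced at that timeout, and that each backoff interval doubles the previous one until it is capped at max-delay.

```python
"""Retransmit schedule for RADIUS accounting requests with exponential backoff.
Added illustration of the timeline in this section; not Cisco IOS code.
Assumed: 5-second timeout, fixed spacing for the normal retransmits, doubling
backoff intervals capped at max-delay."""
from typing import List, Tuple


def backoff_schedule(timeout_s: int = 5, retransmit: int = 3,
                     max_delay_min: int = 60, backoff_retry: int = 32) -> List[Tuple[int, int]]:
    """Return (seconds_since_request, retransmit_number) for every retransmission.

    The first `retransmit` attempts use the fixed timeout; the `backoff_retry`
    attempts that follow start at 2*timeout and double each time, never
    exceeding max_delay_min minutes (radius-server backoff exponential
    max-delay 60 backoff-retry 32 gives 3 + 32 = 35 retransmits in all).
    """
    cap_s = max_delay_min * 60
    schedule: List[Tuple[int, int]] = []
    t = 0
    n = 0
    for _ in range(retransmit):             # normal retransmits: t = 5, 10, 15
        t += timeout_s
        n += 1
        schedule.append((t, n))
    interval = timeout_s
    for _ in range(backoff_retry):          # backoff: 10, 20, 40, ... then 3600 forever
        interval = min(interval * 2, cap_s)
        t += interval
        n += 1
        schedule.append((t, n))
    return schedule


def first_capped_retransmit(schedule: List[Tuple[int, int]], max_delay_min: int = 60) -> int:
    """Retransmit number at which the interval first reaches max-delay (13 in the text)."""
    cap_s = max_delay_min * 60
    prev_t = 0
    for t, n in schedule:
        if t - prev_t >= cap_s:
            return n
        prev_t = t
    return -1


def hours_until_last_retransmit(schedule: List[Tuple[int, int]]) -> float:
    """How long the record is kept on the router before the final retransmit."""
    return schedule[-1][0] / 3600.0
```

With the defaults the last of the 35 retransmits is sent at 87925 seconds, about 24.4 hours after the first request, which is where the "up to 24 hours" figure in the Benefits section comes from.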
Additional References
The following sections provide references related to the RADIUS: Separate Retransmit Counter for Accounting.
Related Documents
Standards
Standard: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: --
MIBs
RFCs
RFC: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: --
Table 15: Feature Information for RADIUS: Separate Retransmit Counter for Accounting
SUMMARY STEPS
1. enable
2. configure terminal
3. interface BVI bridge-group
4. ip address address subnet
5. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface BVI bridge-group
Selects the combined Bridge-Group Virtual Interface (BVI) NME interface and enters interface configuration mode.
Example:
Router(config)# interface BVI1
Example:
Router(config-if)# ip address 209.165.200.225 255.255.255.224
Example:
Router(config-if)# exit
SUMMARY STEPS
1. enable
2. configure terminal
3. interface GigabitEthernet number
4. ip address address mask
5. exit
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router(config)# interface GigabitEthernet 0/0/0
Example:
Router(config-if)# exit
SUMMARY STEPS
1. enable
2. configure terminal
3. radius-server attribute nas-port format d
4. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 radius-server attribute nas-port format d
Selects the ATM VC (virtual circuit) extended format for the NAS port field.
Example:
Router(config)# radius-server attribute nas-port format d
Example:
Router(config)# exit
Acct-Session-Id = "slot/subslot/port/VPI.VCI_acct-session-id"
Router> enable
Router# configure terminal
Router(config)# interface BVI1
Router(config-if)# ip address 209.165.200.225 255.255.255.224
Router(config-if)# exit
Router> enable
Router# configure terminal
Router(config)# interface GigabitEthernet 0/0/0
Router> enable
Router# configure terminal
Router(config)# radius-server attribute nas-port format d
Router(config)# exit
If you need to add a dictionary file, ensure that your RADIUS server is nonstandard and that it can send the
newly introduced VSAs.
• You want to set up RADIUS network authentication so a remote user can dial in and get IP connectivity.
Note An appropriately configured cache should minimize delays; however, the first dialin user to require a filter
will always experience a longer delay because the ACL configuration is retrieved for the first time.
Cache Management
A global filter cache is maintained on the NAS of recently downloaded ACLs; thus, users no longer have to
repeatedly request the same ACL configuration information from a potentially overloaded RADIUS server.
Users are required to flush the cache when the following criteria have been met:
• After an entry becomes associated with a newly active call, the idle timer that is associated with that
entry will be reset, if configured to do so.
• After the idle-time stamp of an entry expires, the entry will be removed.
• After the global cache of entries reaches a specified maximum number, the entry whose idle-timer is
closest to the idle time limit will be removed.
A single timer is responsible for managing all cache entries. The timer is started after the first cache entry is
created, and it runs periodically until reboot. The period of the timer will correspond to the minimum granularity
offered when configuring cache idle timers, which is one expiration per minute. A single timer prevents users
from having to manage individual timers per cache entry.
Note The single timer introduces a lack of precision in timer expiration. There is an average error of
approximately 50 percent of the timer granularity. Although decreasing the timer granularity will decrease
the average error, the decreased timer granularity will negatively impact performance. Because precise
timing is not required for cache management, the error delay should be acceptable.
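The cache rules above (idle timer reset on a new call, removal on idle expiry, eviction of the entry closest to its idle limit when the cache is full, and one periodic timer driving every entry) are modelled in the following added example. It is illustrative code written for this page, not Cisco IOS code; the class names, the fetch_from_radius callback and the sample ACL lines are assumptions. The average_expiry_error function also reproduces the roughly 50 percent error figure from the note: an entry created part-way through a timer period is aged by the next expiry as if it were a full period old.

```python
"""Model of the AAA filter-cache management described above (added example)."""
from dataclasses import dataclass


@dataclass
class CacheEntry:
    acl_name: str
    acl_lines: list          # the downloaded ACL configuration
    idle_limit: int          # idle time, in timer periods, after which it expires
    idle_periods: int = 0    # idle-time stamp, advanced by the single timer


class FilterCache:
    """Global NAS cache of downloaded ACLs driven by one periodic timer."""

    def __init__(self, max_entries=100, reset_idle_on_use=True):
        self.max_entries = max_entries
        self.reset_idle_on_use = reset_idle_on_use   # "if configured to do so"
        self.entries = {}
        self.server_requests = 0   # how often the RADIUS filter server was asked

    def lookup(self, acl_name, fetch_from_radius, idle_limit=10):
        """Return the ACL for acl_name, downloading it only on a cache miss."""
        entry = self.entries.get(acl_name)
        if entry is not None:
            if self.reset_idle_on_use:       # newly active call resets the idle timer
                entry.idle_periods = 0
            return entry.acl_lines
        # Cache miss: this caller pays the download delay mentioned in the note.
        self.server_requests += 1
        if len(self.entries) >= self.max_entries:
            self._evict_closest_to_idle_limit()
        entry = CacheEntry(acl_name, fetch_from_radius(acl_name), idle_limit)
        self.entries[acl_name] = entry
        return entry.acl_lines

    def _evict_closest_to_idle_limit(self):
        """Remove the entry whose idle timer is closest to its idle limit."""
        victim = min(self.entries.values(),
                     key=lambda e: e.idle_limit - e.idle_periods)
        del self.entries[victim.acl_name]

    def tick(self):
        """One expiration of the single timer (one period, e.g. one minute)."""
        for name, entry in list(self.entries.items()):
            entry.idle_periods += 1
            if entry.idle_periods >= entry.idle_limit:
                del self.entries[name]


def average_expiry_error(granularity_seconds):
    """Mean early-expiry error, in seconds, caused by a timer of the given period.

    An entry created t seconds after a timer expiry is removed t seconds early;
    with t spread evenly over the period the mean error is about half the
    granularity, which is the 50 percent figure quoted above.
    """
    offsets = range(granularity_seconds)
    return sum(offsets) / len(offsets)


def demo():
    """Constructed walk-through: a two-entry cache and three distinct filters."""
    downloaded = []

    def fake_radius(acl_name):            # stands in for the RADIUS filter server
        downloaded.append(acl_name)
        return [f"permit ip any host 10.0.0.{len(downloaded)}"]   # constructed ACL

    cache = FilterCache(max_entries=2)
    cache.lookup("f1", fake_radius, idle_limit=3)
    cache.lookup("f2", fake_radius, idle_limit=5)
    cache.tick()                          # f1 and f2 are each one period idle
    cache.lookup("f2", fake_radius)       # hit: no download, f2 idle reset to 0
    cache.lookup("f3", fake_radius, idle_limit=4)  # cache full: f1 (2 periods left) is evicted
    return cache, downloaded


if __name__ == "__main__":
    cache, downloaded = demo()
    print("downloaded:", downloaded, "cached:", sorted(cache.entries))
    print("mean expiry error at 60 s granularity:", average_expiry_error(60), "s")
```

The demo shows the operational point of the cache: the second request for f2 never reaches the RADIUS server, and the full cache drops f1 rather than the more recently used f2. With a one-minute timer the mean expiry error is 29.5 seconds, which is the "approximately 50 percent of the timer granularity" the note describes.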
Note All RADIUS attributes will override any command-line interface (CLI) configurations.
Command: Router(config)# aaa authorization cache filterserver default methodlist [methodlist2...]
Purpose: Enables AAA authorization caches and the downloading of an ACL configuration from a RADIUS filter server.
• default --The default authorization list.
• methodlist [methodlist2...]--One of the keywords listed on the password command page.
SUMMARY STEPS
1. enable
2. configure terminal
3. Router(config)# aaa cache filter
4. Router(config-aaa-filter)# password {0 | 7} password
5. Router(config-aaa-filter)# cache disable
6. Router(config-aaa-filter)# cache clear age minutes
7. Router(config-aaa-filter)# cache refresh
8. Router(config-aaa-filter)# cache max number
DETAILED STEPS
Example:
Router# configure terminal
Step 3 Router(config)# aaa cache filter Enables filter cache configuration and enters AAA filter configuration mode.
Step 4 Router(config-aaa-filter)# password {0 | 7} password (Optional) Specifies the optional password that is to be used for filter server authentication requests.
0 --Specifies that an unencrypted password will follow.
7 --Specifies that a hidden password will follow.
password --The unencrypted (clear text) password.
Note If a password is not specified, the default password (“cisco”) is enabled.
Step 5 Router(config-aaa-filter)# cache disable (Optional) Disables the cache.
Step 6 Router(config-aaa-filter)# cache clear age minutes (Optional) Specifies, in minutes, when cache entries expire and the cache is cleared.
Step 8 Router(config-aaa-filter)# cache max number (Optional) Limits the absolute number of entries the cache can maintain for a particular server.
number --The maximum number of entries the cache can contain. Any value from 0 to 4294967295.
Note If a number is not specified, the default (100 entries) is enabled.
Note The show aaa cache filterserver command shows how many times a particular filter has been referenced
or refreshed. This function may be used in administration to determine which filters are actually being
used.
Troubleshooting Tips
To help troubleshoot your filter cache configurations, use the privileged EXEC debug aaa cache filterserver
command. To view sample output for the debug aaa cache filterserver command, refer to the section “Debug
Output Example” later in this document.
Command: Router# clear aaa cache filterserver acl [filter-name]
Purpose: Clears the cache status for a particular filter or all filters.
aaa authorization cache filterserver group mygroup group radius local none
!
aaa group server radius mygroup
server 10.2.3.4
server 10.2.3.5
!
radius-server host 10.1.3.4
!
aaa cache filter
password mycisco
no cache refresh
cache max 100
!
Filter-Id = "myfilter",
Ascend:Ascend-Filter-Required = Filter-Required-Yes,
dictionary file:
Ascend.attr Ascend-Filter-Required 50 integer (*, 0, NOENCAPS)
Ascend.attr Ascend-Cache-Refresh 56 integer (*, 0, NOENCAPS)
Ascend.attr Ascend-Cache-Time 57 integer (*, 0, NOENCAPS)
Ascend.value Ascend-Cache-Refresh Refresh-No 0
Ascend.value Ascend-Cache-Refresh Refresh-Yes 1
Ascend.value Ascend-Filter-Required Filter-Required-No 0
Ascend.value Ascend-Filter-Required Filter-Required-Yes 1
vendors file:
50 50
56 56
57 57
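The RADIUS user profile and the dictionary file above define how the filter server names the Ascend attributes and their symbolic values; the following added example parses those dictionary lines and turns the profile into on-the-wire RADIUS attributes (Type, Length, Value, as in RFC 2865), then decodes them back. This is illustrative code written for this page, not the guide's or any RADIUS server's code. The dictionary text is copied from the page; the Filter-Id entry (standard attribute 11, type string) is taken from RFC 2865 because the profile uses it; the function names are assumptions.

```python
"""Parse an Ascend-style dictionary and encode/decode RADIUS attributes (added example)."""
import struct

# Dictionary lines as shown on the page (copied here so the example runs offline).
DICTIONARY_TEXT = """
Ascend.attr Ascend-Filter-Required 50 integer (*, 0, NOENCAPS)
Ascend.attr Ascend-Cache-Refresh 56 integer (*, 0, NOENCAPS)
Ascend.attr Ascend-Cache-Time 57 integer (*, 0, NOENCAPS)
Ascend.value Ascend-Cache-Refresh Refresh-No 0
Ascend.value Ascend-Cache-Refresh Refresh-Yes 1
Ascend.value Ascend-Filter-Required Filter-Required-No 0
Ascend.value Ascend-Filter-Required Filter-Required-Yes 1
"""

# Standard attribute used by the profile above; number and type from RFC 2865.
STANDARD_ATTRS = {"Filter-Id": (11, "string")}


def parse_dictionary(text):
    """Return ({attr_name: (number, type)}, {attr_name: {value_name: int}})."""
    attrs = dict(STANDARD_ATTRS)
    values = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        kind = fields[0].split(".")[-1]          # "attr" or "value"
        if kind == "attr" and len(fields) >= 4:
            attrs[fields[1]] = (int(fields[2]), fields[3])
        elif kind == "value" and len(fields) >= 4:
            values.setdefault(fields[1], {})[fields[2]] = int(fields[3])
    return attrs, values


def encode_attribute(attrs, values, name, value):
    """Encode one attribute as Type(1) Length(1) Value, per RFC 2865."""
    number, vtype = attrs[name]
    if vtype == "integer":
        if isinstance(value, str):               # symbolic name or decimal text
            value = int(value) if value.isdigit() else values[name][value]
        payload = struct.pack("!I", value)       # 4-octet big-endian integer
    elif vtype == "string":
        payload = value.encode("utf-8")
    else:
        raise ValueError(f"unsupported type {vtype}")
    if len(payload) > 253:                       # Length is one octet, 2 of it are header
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", number, len(payload) + 2) + payload


def decode_attributes(attrs, values, blob):
    """Decode a run of attributes into (name, value) pairs, rejecting bad lengths."""
    by_number = {num: (name, vtype) for name, (num, vtype) in attrs.items()}
    by_value = {name: {n: v for v, n in vals.items()} for name, vals in values.items()}
    out, pos = [], 0
    while pos < len(blob):
        number, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute length")
        payload = blob[pos + 2:pos + length]
        name, vtype = by_number.get(number, (f"Attr-{number}", "octets"))
        if vtype == "integer":
            value = struct.unpack("!I", payload)[0]
            value = by_value.get(name, {}).get(value, value)
        elif vtype == "string":
            value = payload.decode("utf-8")
        else:
            value = payload
        out.append((name, value))
        pos += length
    return out


def encode_profile(profile_lines):
    """Encode 'Name = Value,' lines like the user profile shown above."""
    attrs, values = parse_dictionary(DICTIONARY_TEXT)
    blob = b""
    for line in profile_lines:
        name, value = (part.strip() for part in line.rstrip(",").split("=", 1))
        name = name.split(":")[-1]               # drop the "Ascend:" vendor prefix
        blob += encode_attribute(attrs, values, name, value.strip('"'))
    return blob
```

Running encode_profile on the two profile lines from the page yields Filter-Id as attribute 11 carrying "myfilter" and Ascend-Filter-Required as attribute 50 carrying the integer 1, which is what the NAS must see for the filter to be required; if the dictionary were missing on the server, the symbolic value could not be resolved and the VSA would not be sent, which is the situation the prerequisite above warns about.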
Additional References
The following sections provide references related to RADIUS Centralized Filter Management.
Related Documents
Standards
Standard Title
None --
MIBs
RFCs
RFC Title
None --
Technical Assistance
Link: http://www.cisco.com/techsupport (the Cisco Support website; see the Technical Assistance description earlier in this document)
For more information on completing these tasks, refer to the “ Configuring Asynchronous SLIP and PPP ”
module.
Note EAP can also run in a local mode; the session is authenticated using the Message Digest 5 (MD5) algorithm
and obeys the same authentication rules as Challenge Handshake Authentication Protocol (CHAP). To
disable proxy mode and authenticate locally, you must use the ppp eap local command.
Configuring EAP
Perform this task to configure EAP on an interface configured for PPP encapsulation.
SUMMARY STEPS
1. enable
2. configure terminal
3. ppp authentication eap
4. ppp eap identity string
5. ppp eap password [number] string
6. ppp eap local
7. ppp eap wait
8. ppp eap refuse [callin]
DETAILED STEPS
Example:
Router# configure terminal
Example:
Router(config-if)# ppp authentication eap
Step 4 ppp eap identity string (Optional) Specifies the EAP identity when requested by the peer.
Step 5 ppp eap password [number] string (Optional) Sets the EAP password for peer authentication. This command should only be configured on the client.
Step 6 ppp eap local (Optional) Authenticates locally instead of using a RADIUS back-end server, which is the default.
Note This command should only be configured on the NAS.
Example:
Router(config-if)# ppp eap local
Step 7 ppp eap wait (Optional) Waits for the caller to authenticate itself first. By default, the client always authenticates itself before the caller does.
Note This command should only be configured on the NAS.
Example:
Router(config-if)# ppp eap wait
Step 8 ppp eap refuse [callin] (Optional) Refuses to authenticate using EAP. If the callin keyword is enabled, only incoming calls are not authenticated.
Note This command should only be configured on the NAS.
Example:
Router(config-if)# ppp eap refuse
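When ppp eap local is configured, the NAS itself runs the MD5 exchange that the note above compares with CHAP: it asks for an identity, sends an MD5-Challenge, and checks the peer's response. The following added example walks both sides through that four-packet exchange. It is illustrative code written for this page, not Cisco IOS code; the packet layout follows RFC 3748 (EAP) and the response is MD5(Identifier || password || challenge) as in CHAP (RFC 1994). The identity, password, challenge bytes and the user_db store are constructed for the example.

```python
"""EAP-MD5 exchange between a PPP client and a NAS authenticating locally (added example)."""
import hashlib
import hmac
import os

# EAP codes and types from RFC 3748.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def eap_packet(code, identifier, type_data=b""):
    """Build Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    length = 4 + len(type_data)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + type_data


def parse_eap(packet):
    """Split a packet into (code, identifier, type-data), checking the Length field."""
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet) or length < 4:
        raise ValueError("EAP length field does not match packet")
    return code, identifier, packet[4:length]


def md5_response(identifier, password, challenge):
    """CHAP-style MD5 response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class EapMd5Nas:
    """Authenticator side, as when 'ppp eap local' is configured on the NAS."""

    def __init__(self, user_db):
        self.user_db = user_db      # identity -> password bytes (constructed store)
        self.identifier = 0
        self.pending = {}           # identifier -> (identity, challenge)

    def request_identity(self):
        self.identifier = (self.identifier + 1) & 0xFF
        return eap_packet(REQUEST, self.identifier, bytes([TYPE_IDENTITY]))

    def handle_identity(self, response):
        code, ident, data = parse_eap(response)
        if code != RESPONSE or ident != self.identifier or data[:1] != bytes([TYPE_IDENTITY]):
            raise ValueError("unexpected packet")
        identity = data[1:].decode()
        challenge = os.urandom(16)  # fresh per request so responses cannot be replayed
        self.identifier = (self.identifier + 1) & 0xFF
        self.pending[self.identifier] = (identity, challenge)
        # MD5-Challenge type-data: Value-Size(1) Value Name
        type_data = bytes([TYPE_MD5_CHALLENGE, len(challenge)]) + challenge + b"nas"
        return eap_packet(REQUEST, self.identifier, type_data)

    def handle_md5_response(self, response):
        code, ident, data = parse_eap(response)
        identity, challenge = self.pending.pop(ident, (None, None))
        if code != RESPONSE or identity is None or len(data) < 2 or data[0] != TYPE_MD5_CHALLENGE:
            return eap_packet(FAILURE, ident)
        received = data[2:2 + data[1]]
        password = self.user_db.get(identity)
        expected = md5_response(ident, password, challenge) if password else b""
        ok = password is not None and hmac.compare_digest(received, expected)
        return eap_packet(SUCCESS if ok else FAILURE, ident)


class EapMd5Client:
    """Peer side, configured with 'ppp eap identity' and 'ppp eap password'."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, request):
        code, ident, data = parse_eap(request)
        if code != REQUEST:
            raise ValueError("not a request")
        if data[0] == TYPE_IDENTITY:
            return eap_packet(RESPONSE, ident, bytes([TYPE_IDENTITY]) + self.identity.encode())
        if data[0] == TYPE_MD5_CHALLENGE:
            challenge = data[2:2 + data[1]]
            digest = md5_response(ident, self.password, challenge)
            return eap_packet(RESPONSE, ident,
                              bytes([TYPE_MD5_CHALLENGE, len(digest)]) + digest + self.identity.encode())
        raise ValueError("unsupported EAP type")


def run_exchange(nas, client):
    """Drive Identity request/response and MD5-Challenge request/response; return the final code."""
    challenge = nas.handle_identity(client.respond(nas.request_identity()))
    result = nas.handle_md5_response(client.respond(challenge))
    return parse_eap(result)[0]
```

Two points the code makes visible: the NAS must hold the peer's password in a form it can feed to MD5, which is why the configuration example later stores the EAP password with the reversible "7" encoding rather than a one-way hash, and the response is only as fresh as the challenge, so the NAS generates a new random challenge for every request.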
Verifying EAP
To verify EAP configurations on your client or NAS, use at least one of the following commands in privileged
EXEC configuration mode:
Command: Router# show users
Purpose: Displays information about the active lines on the router.
Configuration Examples
interface Ethernet0/0
ip address 10.1.1.202 255.255.255.0
no ip mroute-cache
half-duplex
!
interface BRI0/0
ip address 192.168.101.100 255.255.255.0
encapsulation ppp
no ip mroute-cache
dialer map ip 192.168.101.101 56167
dialer-group 1
isdn switch-type basic-5ess
ppp eap identity user
ppp eap password 7 141B1309
!
!
ip default-gateway 10.1.1.1
ip classless
ip route 192.168.101.101 255.255.255.255 BRI0/0
no ip http server
!
dialer-list 1 protocol ip permit
Additional References
The following sections provide references related to RADIUS EAP Support feature.
Related Documents
Standards
Standard Title
None --
MIBs
RFCs
RFC Title
RFC 2284 PPP Extensible Authentication Protocol (EAP)
Technical Assistance
Link: http://www.cisco.com/techsupport (the Cisco Support website; see the Technical Assistance description earlier in this document)
Glossary
attribute --A RADIUS Internet Engineering Task Force (IETF) attribute is one of the original set of 255
standard attributes that are used to communicate authentication, authorization, and accounting (AAA)
information between a client and a server. Because IETF attributes are standard, the attribute data is predefined
and well known; thus all clients and servers that exchange AAA information through IETF attributes must
agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for
each attribute.
CHAP --Challenge Handshake Authentication Protocol. Security feature that is supported on lines using PPP
encapsulation and prevents unauthorized access. CHAP does not itself prevent unauthorized access; it merely
identifies the remote end. The router or access server then determines whether that user is allowed access.
EAP --Extensible Authentication Protocol. A PPP authentication protocol that supports multiple authentication
mechanisms that are negotiated during the authentication phase (instead of the Link Control Protocol [LCP]
phase). EAP allows a third-party authentication server to interact with the PPP implementation through a
generic interface.
LCP --link control protocol. Protocol that establishes, configures, and tests data-link connections for use by
PPP.
MD5 (HMAC variant) --Message Digest 5. A hash algorithm used to authenticate packet data. HMAC is keyed hashing for message authentication.
NAS --network access server. A device providing local network access to users across a remote access network
such as the public switched telephone network (PSTN).
PAP --Password Authentication Protocol. Authentication protocol that allows PPP peers to authenticate one
another. The remote router attempting to connect to the local router is required to send an authentication
request. Unlike CHAP, PAP passes the password and host name or username in the clear (unencrypted). PAP
does not itself prevent unauthorized access; it merely identifies the remote end. The router or access server
then determines if that user is allowed access. PAP is supported only on PPP lines.
PPP --Point-to-Point Protocol. A protocol that encapsulates network layer protocol information over
point-to-point links. PPP is defined in RFC 1661.
RADIUS --Remote Authentication Dial-In User Service. Database for authenticating modem and ISDN
connections and for tracking connection time.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. gw-accounting aaa
5. aaa accounting update newinfo
DETAILED STEPS
Example:
Router# configure terminal
Step 3 aaa new-model Enables authentication, authorization, and accounting (AAA).
Example:
Router(config)# aaa new-model
Step 4 gw-accounting aaa Enables accounting through the AAA system and sends call detail records (CDRs) to the RADIUS server in the form of vendor-specific attributes (VSAs).
Step 5 aaa accounting update newinfo Enables periodic interim accounting records to be sent to the accounting server whenever there is new accounting information to report relating to the user in question.
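The interim record that aaa accounting update newinfo triggers is a RADIUS Accounting-Request whose Acct-Status-Type is Interim-Update. The following added example builds such a packet, including an Acct-Session-Id in the slot/subslot/port/VPI.VCI_acct-session-id form shown earlier for the nas-port format d configuration, and checks it the way an accounting server does. It is illustrative code written for this page, not Cisco IOS code; attribute numbers and the Request Authenticator rule (MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret) are from RFC 2865 and RFC 2866, while the shared secret, user name, session id and byte counters are constructed.

```python
"""RADIUS Accounting-Request (Interim-Update) with authenticator check (added example)."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, NAS_PORT, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_SESSION_ID = 1, 5, 40, 42, 44
INTERIM_UPDATE = 3          # Acct-Status-Type values: Start=1, Stop=2, Interim-Update=3


def attr(number, payload):
    """One attribute: Type(1) Length(1) Value."""
    if len(payload) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", number, len(payload) + 2) + payload


def build_interim_update(identifier, secret, user, nas_port, session_id, input_octets):
    """NAS side: Accounting-Request whose authenticator covers the whole record."""
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", INTERIM_UPDATE))
             + attr(ACCT_SESSION_ID, session_id.encode())
             + attr(ACCT_INPUT_OCTETS, struct.pack("!I", input_octets)))
    length = 20 + len(attrs)                       # 4-octet header + 16-octet authenticator
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet, secret):
    """Server side: recompute the Request Authenticator; reject on any mismatch."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(packet):
    """Return {attribute number: raw payload}; call only after verification."""
    out, pos = {}, 20
    while pos < len(packet):
        number, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out[number] = packet[pos + 2:pos + length]
        pos += length
    return out


def acct_status_type(packet):
    """Decode Acct-Status-Type so the server can tell Start, Stop and Interim-Update apart."""
    return struct.unpack("!I", parse_attributes(packet)[ACCT_STATUS_TYPE])[0]


if __name__ == "__main__":
    secret = b"constructed-secret"                          # constructed shared secret
    pkt = build_interim_update(9, secret, "user@example.com", 0,
                               "0/0/0/0.32_00000001", 4096)  # constructed session values
    print("verified:", verify_accounting_request(pkt, secret),
          "status type:", acct_status_type(pkt))
```

The accounting authenticator is a plain MD5 over the record and the shared secret; it detects a changed counter or a different secret, but it gives no confidentiality, so the server-side check above is only meaningful when the secret is strong and the NAS-to-server path is itself protected.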
Additional References
The following sections provide references related to the RADIUS Interim Update at Call Connect feature.
Related Documents
Related Topic: Configuring Dynamic Prompts, Customizing Accounting Templates, and Directing AAA Requests for Voice Gateways
Document Title: Cisco IOS Dial Technologies Configuration Guide, Release 12.4T and Cisco IOS VPDN Configuration Guide, Release 12.4T.
Standards
Standard Title
None. --
MIBs
RFCs
RFC Title
RFC 2138 Remote Authentication Dial In User Service
(RADIUS)
Technical Assistance
Link: http://www.cisco.com/techsupport (the Cisco Support website; see the Technical Assistance description earlier in this document)
Table 19: Feature Information for RADIUS Interim Update at Call Connect
Prerequisites
Configuring VPDNs and HGW groups is beyond the scope of this document. See the Related Document
section for more information.
Restrictions
The following restrictions and limitations apply to the RADIUS Tunnel Preference for Load Balancing and
Fail-Over feature:
• This feature does not support VPDN dial-out networks; it is designed only for dial-in applications.
• The maximum number of LNSs allowed in the network is 1550, which is 50 per tag attribute group and
a limit of 31 tags.
• This feature requires a RADIUS server implementation to support RFC 2868.
for the first group for load balancing. New sessions are projected to these three addresses based on the
least-load-first algorithm. This algorithm uses its local knowledge to select an HGW that has the least load
to initiate the new session. In this example, the addresses 2.0.0.1 and 2.0.0.2 in the second group have a lower
priority and are applicable only when all HGWs specified in the first group fail to respond to the new connection
request, thereby making 2.0.0.1 and 2.0.0.2 the fail-over addresses. See the section Configuration Example
for RADIUS Tunnel Preference for Load Balancing and Fail-Over, on page 172 for an example of how to
configure these fail-over addresses in a RADIUS tunnel profile.
In the configuration shown in the figure above, the NAS uses tunnel profiles downloaded from the RADIUS
server to establish VPDN Layer 2 tunnels for load balancing and fail-over. The Point-to-Point over Ethernet
(PPPoE) protocol is used as the client to generate PPP sessions.
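The selection rule described above (least-load-first within the preferred tag group, with the lower-priority group used only once every HGW in the first group has failed to respond) is spelled out in the following added example, which also enforces the 50-per-group and 31-tag limits from the Restrictions section. It is illustrative code written for this page, not Cisco IOS code. It assumes the tunnel attributes arrived as tagged groups each carrying a Tunnel-Preference (RFC 2868, where a lower Tunnel-Preference value means a more preferred group), that the NAS keeps a local load figure per HGW, and that the 1.0.0.x addresses and the load values are constructed; 2.0.0.1 and 2.0.0.2 are the fail-over addresses named above.

```python
"""Least-load-first HGW selection with fail-over groups (added example)."""

MAX_TAGS, MAX_PER_GROUP = 31, 50        # limits stated in the Restrictions section


class Hgw:
    def __init__(self, address, load=0, reachable=True):
        self.address = address
        self.load = load                # NAS-local knowledge of sessions on this HGW
        self.reachable = reachable      # False once the HGW failed to answer a request


def validate_groups(groups):
    """Reject a tunnel profile that exceeds the tag and per-group limits."""
    if len(groups) > MAX_TAGS:
        raise ValueError(f"more than {MAX_TAGS} tag groups")
    for preference, members in groups.items():
        if len(members) > MAX_PER_GROUP:
            raise ValueError(f"group {preference} has more than {MAX_PER_GROUP} HGWs")
    return True


def select_hgw(groups):
    """groups: {tunnel_preference: [Hgw, ...]}.

    Groups are tried in preference order (lowest value first).  Within a group
    the reachable HGW with the least load wins; only when every HGW in a group
    is unreachable does the next group, the fail-over group, get a chance.
    """
    for preference in sorted(groups):
        candidates = [h for h in groups[preference] if h.reachable]
        if candidates:
            return min(candidates, key=lambda h: h.load)
    return None


def start_session(groups):
    """Pick an HGW for a new PPP session and record the added load on it."""
    hgw = select_hgw(groups)
    if hgw is not None:
        hgw.load += 1
    return hgw


def constructed_profile():
    """Two tagged groups: three load-balanced HGWs, then the two fail-over ones."""
    return {
        1: [Hgw("1.0.0.1", load=5), Hgw("1.0.0.2", load=2), Hgw("1.0.0.3", load=9)],
        2: [Hgw("2.0.0.1"), Hgw("2.0.0.2")],     # fail-over addresses from the text
    }


if __name__ == "__main__":
    groups = constructed_profile()
    validate_groups(groups)
    print("first session goes to", start_session(groups).address)
    for h in groups[1]:
        h.reachable = False                     # simulate the whole first group failing
    print("after fail-over, sessions go to", select_hgw(groups).address)
```

With the constructed loads the first new session goes to 1.0.0.2, the least loaded member of the preferred group; 2.0.0.1 and 2.0.0.2 are never considered until all three first-group HGWs are marked unreachable.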
Additional References
The following sections provide references related to RADIUS Tunnel Preference for Load Balancing and
Fail-Over feature.
Related Documents
Related Topic: Virtual private dialup networks (VPDN) roadmap
Document Title: Cisco IOS VPDN Configuration Guide, Release 15.0.
Related Topic: Broadband Access: PPP and Routed Bridge Encapsulation
Document Title: Cisco IOS Broadband Access Aggregation and DSL Configuration Guide, Release 12.4T
Standards
Standard Title
None. --
MIBs
RFCs
RFC Title
RFC 2868 RADIUS Attributes for Tunnel Protocol Support
Table 20: Feature Information for RADIUS Tunnel Preference for Load Balancing and Fail-Over
Glossary
HGW --home gateway. A gateway that terminates Layer 2 tunneling protocols such as L2TP.
home gateway --See HGW.
L2TP --Layer 2 Tunnel Protocol. An Internet Engineering Task Force (IETF) standards track protocol defined
in RFC 2661 that provides tunneling of PPP. Based upon the best features of L2F and PPTP, L2TP provides
an industry-wide interoperable method of implementing VPDN.
L2TP network server--See LNS.
Layer 2 Tunnel Protocol --See L2TP.
LNS --L2TP network server. A node that acts as one side of an L2TP tunnel endpoint and is a peer to the
NAS or L2TP access concentrator (LAC). The LNS is the logical termination point of a PPP session that is
being tunneled from the remote system by the access server. Analogous to the Layer 2 Forwarding (L2F)
HGW.
NAS --network access server. Cisco platform or collection of platforms that interfaces between the packet
world (the Internet, for example) and the circuit world (the public switched telephone network, for example).
network access server --See NAS.
Request for Comments --See RFCs.
RFCs --Request for Comments. A series of notes about the Internet collected by the Internet Engineering
Task Force (IETF). Started in 1969, the IETF is a large open international community of network designers,
operators, vendors, and researchers concerned with the evolution of the Internet architecture. RFCs define
many aspects of computer communication, focusing on networking protocols, procedures, programs, and
concepts.
virtual private dialup network --See VPDN.
VPDN --virtual private dialup network. Enables IP traffic to travel securely over a public TCP/IP network
by encrypting all traffic from one network to another.