RADIUS Attribute 44 (Accounting Session ID) in Access Requests

This feature module describes the RADIUS Attribute 44 (Accounting Session ID) in Access Requests feature. It includes information on the benefits of the new feature, supported platforms, and related documents.

This document includes the following sections:

Feature Overview

Call accounting through RADIUS is done with accounting records that contain data describing various aspects of a call. Records include start records, update records, and stop records that contain per-call information. The network access server (NAS) may send accounting on and off records to inform the accounting system of the status of the NAS itself. For per-call accounting records, the association of start, update, and stop records is done with the Accounting Session ID, which is RADIUS attribute 44.

The Accounting Session ID is a unique integer that is consistent for a given link of a call through the lifetime of that call. This value is traditionally generated at net start time (just before the accounting start record is generated). For certain operations, such as Dialed Number Identification Service (DNIS) access requests and other "early" RADIUS requests, it is desirable to have the Accounting Session ID available at an earlier stage in the call.

The RADIUS Attribute 44 (Accounting Session ID) in Access Requests feature allows the RADIUS daemon to track a call from the beginning of the call to the end of the call (for example, from the preauthentication stage to the accounting stop-record stage). Specifically, this feature allows RADIUS attribute 44 to be generated and sent in all access requests to the RADIUS server before the generation of accounting packets (including access requests for preauthentication).

Benefits

The Accounting Session ID is a unique identifier used to calculate the session context. It is the only identifier provided by the RADIUS protocol that can relate authentication and accounting requests to one another with absolute certainty.

The radius-server attribute 44 include-in-access-req command, introduced in this feature, triggers the sending of RADIUS attribute 44 (Accounting Session ID) in all RADIUS packets, not just in accounting packets sent after user authentication. This method of operation allows service providers to track all packets associated with a given call by the Accounting Session ID.

When used with the Preauthentication with ISDN PRI feature and a preauthentication RADIUS server application, attribute 44 allows user authentication on the basis of the Calling Line Identification (CLID) number in the same transaction with DNIS authentication. This feature set enables service providers to add Cisco dial ports to their existing networks and to manage the ports with the installed base of RADIUS server solutions.

Restrictions

This feature works for ISDN calls only. A later release of Cisco IOS software will add support for channel associated signaling (CAS) calls.

Related Features and Technologies

The Cisco IOS Release 12.1(2)T feature Preauthentication with ISDN PRI makes use of the functionality in this feature.

Related Documents

The following documents provide information related to this feature:

Supported Platforms

This feature is supported on any platform running Cisco IOS Release 12.0(7)T software or later, including the following:

Supported Standards, MIBs, and RFCs

Standards

This feature supports the following IETF draft standard: RADIUS Accounting, draft-ietf-radius-accounting-v2-05.txt.

MIBs

No new or modified MIBs are supported by this feature.

For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on Cisco Connection Online (CCO) at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

No new or modified RFCs are supported by this feature.

Configuration Tasks

See the following section for configuration tasks for the RADIUS Attribute 44 (Accounting Session ID) in Access Requests feature: Configuring RADIUS Attribute 44 in Access Requests (required).

Configuring RADIUS Attribute 44 in Access Requests

To send RADIUS attribute 44 in access-request packets, use the following global configuration command:

Command: Router(config)# radius-server attribute 44 include-in-access-req
Purpose: Sends RADIUS attribute 44 in access-request packets.

Verifying RADIUS Attribute 44 in Access Requests

To verify that RADIUS attribute 44 is being sent in access requests, use the following commands in privileged EXEC mode. Attribute 44 should be present in all call-specific access requests, and its values should be the same for all access requests and accounting requests for the call link.

Command: Router# more system:running-config
Purpose: Displays the contents of the current running configuration file. (Note that the more system:running-config command has replaced the show running-config command.)

Command: Router# debug radius
Purpose: Displays information associated with RADIUS. The output of this command shows whether attribute 44 is being sent in access requests. The output, however, does not show the entire value for attribute 44. To view the entire value for attribute 44, see your RADIUS server log.

Troubleshooting Tips

This feature should be enabled only with RADIUS servers that do not malfunction when attribute 44 is sent in normal access requests, such as those for preauthentication and virtual private dial-up networks (VPDNs).

Configuration Examples

This section provides the following configuration examples:

RADIUS Attribute 44 in Access Requests Configuration Example

The following example shows a configuration that sends RADIUS attribute 44 in access-request packets:

aaa new-model
aaa authentication ppp default group radius
radius-server host 10.100.1.34
radius-server attribute 44 include-in-access-req

Access Request Containing RADIUS Attribute 44 Example

The following example shows an access request that contains RADIUS attribute 44:

13:26:32.645597 radius-server > 10.100.1.34.radius:  Access-Request  ID: 49 PLen: 90
NAS-IP-Address [4]	Len:006  10.100.1.2
NAS-Port-Type [61]	Len:006  Async [0]
User-Name [1]	Len:012  "2025551212"
Called-Station-Id [30]	Len:012  "2025551212"
User-Password [2]	Len:018  1a a9 81 17 cc 55 e9 56 e7 a8 9b 9b 4b 36 cc 77
Service-Type [6]	Len:006  Outbound [5]
Acct-Session-Id [44]	Len:010  "00000027"
 
13:26:32.646559 10.100.1.34.radius > radius-server:  Access-Accept  ID: 49 PLen: 33
Class [25] 	Len:007  "ISP01"
Service-Type [6]	Len:006  Outbound [5]
 

The same Accounting Session ID (for example, the attribute 44 value 00000027 above) will be used in all subsequent access requests and accounting requests as a result of a call. (For interactive login calls, accounting requests for the network layer are treated internally as a different session; therefore, they will have a different Accounting Session ID from that for access requests and accounting requests before the stop accounting record for the NAS-Prompt.)
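The server-side check that this consistency makes possible, as an added example (not Cisco code): it parses RADIUS attribute TLVs, groups packets by Acct-Session-Id, and reports access requests that arrive without attribute 44. The function names build, parse and correlate are hypothetical, and the sample packets are constructed to resemble the trace above, with a zeroed authenticator and no User-Password.

```python
import struct
from collections import defaultdict

ACCT_SESSION_ID = 44  # attribute type of Acct-Session-Id
CODES = {1: "Access-Request", 2: "Access-Accept", 4: "Accounting-Request"}

def build(code, ident, attrs):
    """Encode a packet: 20-byte header (zeroed authenticator) plus TLV attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def parse(pkt):
    """Return (code, {attr_type: [values]}); raise ValueError on bad lengths."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, _ident, plen = struct.unpack("!BBH", pkt[:4])
    if not 20 <= plen <= len(pkt):
        raise ValueError("bad packet length")
    attrs, off = defaultdict(list), 20
    while off < plen:
        if off + 2 > plen:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > plen:
            raise ValueError("bad attribute length")
        attrs[atype].append(pkt[off + 2:off + alen])
        off += alen
    return code, attrs

def correlate(packets):
    """Group packet kinds by Acct-Session-Id; list access requests lacking it."""
    sessions, missing = defaultdict(list), []
    for index, pkt in enumerate(packets):
        code, attrs = parse(pkt)
        ids = attrs.get(ACCT_SESSION_ID)
        if ids:
            key = ids[0].decode("ascii", "replace")
            sessions[key].append(CODES.get(code, str(code)))
        elif code == 1:
            missing.append(index)
    return dict(sessions), missing

# Constructed sample traffic modelled on the trace above; 40 is Acct-Status-Type.
SAMPLE = [
    build(1, 49, [(1, b"2025551212"), (30, b"2025551212"), (44, b"00000027")]),
    build(4, 50, [(40, struct.pack("!I", 1)), (44, b"00000027")]),  # start
    build(4, 51, [(40, struct.pack("!I", 2)), (44, b"00000027")]),  # stop
    build(1, 52, [(1, b"2025550100")]),  # access request without attribute 44
]
print(correlate(SAMPLE))
```

An access request listed in the second return value is one the accounting system cannot tie to a call, which is the condition to look for when checking whether the command has taken effect on a given NAS.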

Command Reference

This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.

radius-server attribute 44 include-in-access-req

radius-server attribute 44 include-in-access-req

To send RADIUS attribute 44 (Accounting Session ID) in access-request packets before user authentication (including requests for preauthentication), use the radius-server attribute 44 include-in-access-req global configuration command. To remove this command from your configuration, use the no form of this command.

radius-server attribute 44 include-in-access-req

no radius-server attribute 44 include-in-access-req

Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

Global configuration

Command History
Release: 12.0(7)T
Modification: This command was introduced.

Usage Guidelines

There is no guarantee that the Accounting Session IDs will increment uniformly and consistently. In other words, between two calls, the Accounting Session ID can increase by more than one.

Examples

The following example shows a configuration that sends RADIUS attribute 44 in access-request packets:

aaa new-model
aaa authentication ppp default group radius
radius-server host 10.100.1.34
radius-server attribute 44 include-in-access-req

Glossary

Caller ID---See CLID.

Calling Line Identification---See CLID.

CAS---channel associated signaling. Call signaling that enables the access server to send or receive analog calls.

channel associated signaling---See CAS.

CLID---Calling Line Identification. Also called Caller ID. CLID provides the number from which a call originates.

Dialed Number Identification Service---See DNIS.

DNIS---Dialed Number Identification Service. DNIS provides the number that is dialed.

Integrated Services Digital Network---See ISDN.

ISDN---Integrated Services Digital Network. Communications protocol, offered by telephone companies, that permits telephone networks to carry data, voice, and other source traffic.

NAS---network access server. Cisco platform (or collection of platforms such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the Public Switched Telephone Network).

network access server---See NAS.

RADIUS---Remote Authentication Dial-In User Service. Database for authenticating modem and ISDN connections and for tracking connection time.

Remote Authentication Dial-In User Service---See RADIUS.

virtual private dial network---See VPDN.

virtual private dial-up network---See VPDN.

VPDN---virtual private dial network. A VPDN is a network that extends remote access to a private network using a shared infrastructure. VPDNs use Layer 2 tunnel technologies (L2F, L2TP, and PPTP) to extend the Layer 2 and higher parts of the network connection from a remote user across an ISP network to a private network. VPDNs are a cost effective method of establishing a long distance, point-to-point connection between remote dial users and a private network. Also known as virtual private dial-up network.


Posted: Fri Jul 7 10:21:02 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.