This feature module describes AAA Resource Accounting for the Cisco AS5300 and Cisco AS5800 universal access servers, and includes information on the benefits of the new feature set, supported platforms, related documents, and so forth.
This document includes the following sections:
The Cisco implementation of AAA Accounting provides only START and STOP record support for calls that have passed user authentication. Generating STOP records for calls that fail user authentication is also supported. Previously, there was no method to provide accounting records for calls that failed to reach the user authentication stage of a call setup sequence. Such records are necessary for users employing accounting records to manage and monitor their networks and their wholesale customers. Figure 1 illustrates a standard modem dial-in call setup sequence that is supported today:
A call begins with a call setup request from a PSTN switch. The request usually contains a DNIS and CLID identifier, which may be used for call authentication to either validate or reject a call.
Note: Many ISPs use the call authentication requests to manage wholesale customer accessibility.
If a call is accepted, or no call authentication is involved, a modem is allocated and connected to the DS0 port requested by the call setup. At this stage, the modem begins a training and negotiation sequence with the actual client modem. Once completed, a service layer application such as EXEC, PPP, SLIP, VPN, TCP-Clear, MPLS, or H.323 begins, which often involves a User Authentication request to validate a user and password. At this stage, Cisco AAA supports accounting.
If the user has been validated, a START record is generated. If the user is rejected, either no record is generated or a STOP record is generated to report on the failure, and the user is disconnected. All calls that have had a START record generated will have a corresponding STOP record generated upon call termination.
The time difference between the call setup request and the user authentication can be up to 30 seconds, depending on the connection medium. With the current implementation, any calls that terminate within that time frame have no form of AAA disconnect notification performed. This causes problems for network management servers that rely on AAA protocols to accurately manage and monitor their networks. Some of the problems for ISPs are as follows:
To address these shortcomings, it becomes immediately necessary to support generating STOP records from the moment of call setup.
This functionality will generate a STOP record for any calls that do not reach user authentication. All calls that pass user authentication will behave as before; that is, no additional accounting records will be seen.
Furthermore, for users wanting to manage and monitor their wholesale customers from one source of data reporting (for example, accounting records), this feature supports the ability to send a START record at each call setup followed by a corresponding STOP record at the Call Disconnect.
There is separate call setup-call disconnect START-STOP accounting tracking the progress of the resource connection to the device (typically a DS0), and a separate user authentication START-STOP tracking the user management progress. These two sets of accounting records are inter-linked by using a unique session ID for the call.
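
An added example (not Cisco code) of how an accounting collector could use the shared session ID to pair resource and user records and pick out calls that ended before user authentication. The record layout and the field names `sid`, `layer`, `status` and `t` are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records, not captured from a real NAS. The field names
# are hypothetical: sid = session ID, layer = resource or user accounting,
# status = start/stop, t = seconds since the first record.
RECORDS = [
    {"sid": "0000A1", "layer": "resource", "status": "start", "t": 0},
    {"sid": "0000A1", "layer": "user", "status": "start", "t": 22},
    {"sid": "0000A1", "layer": "user", "status": "stop", "t": 640},
    {"sid": "0000A1", "layer": "resource", "status": "stop", "t": 641},
    {"sid": "0000A2", "layer": "resource", "status": "start", "t": 5},
    {"sid": "0000A2", "layer": "resource", "status": "stop", "t": 19},
    {"sid": "0000A3", "layer": "resource", "status": "stop", "t": 30},
    {"sid": "0000A4", "layer": "resource", "status": "start", "t": 40},
    {"sid": "0000A4", "layer": "user", "status": "start", "t": 61},
    {"sid": "0000A5", "layer": "resource", "status": "start", "t": 70},
    {"sid": "0000A5", "layer": "user", "status": "stop", "t": 88},
    {"sid": "0000A5", "layer": "resource", "status": "stop", "t": 89},
]

def group_by_session(records):
    """Map each session ID to {(layer, status): time}."""
    calls = defaultdict(dict)
    for r in records:
        calls[r["sid"]][(r["layer"], r["status"])] = r["t"]
    return calls

def classify(events):
    for layer in {layer for layer, _ in events}:
        if (layer, "start") in events and (layer, "stop") not in events:
            return "open"           # START without its STOP yet
    if ("user", "start") in events:
        return "completed"          # passed user authentication and ended
    if ("user", "stop") in events:
        return "auth-rejected"      # STOP for a failed user authentication
    return "pre-auth-drop"          # ended before user authentication

def report(records):
    return {sid: classify(ev) for sid, ev in group_by_session(records).items()}

def setup_delay(events):
    """Seconds from call setup START to user START, or None if either is absent."""
    try:
        return events[("user", "start")] - events[("resource", "start")]
    except KeyError:
        return None

if __name__ == "__main__":
    for sid, state in sorted(report(RECORDS).items()):
        print(sid, state)
```

Session `0000A3` carries only a resource STOP, which is what a collector would see for a pre-authentication failure when only failure STOP records are sent.
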
These capabilities are independent of each other. However, they share a common framework for managing resource progress data collection within AAA. Furthermore, resource failure accounting also supports generating STOP records for all calls that fail to reach user authentication.
The resource accounting contains the following accounting attributes (attribute number in parentheses):
Call Authentication performs DNIS and CLID authentication at the beginning of a call setup.
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
RFCs
No new or modified RFCs are supported by this feature.
Before configuring the AAA Resource Accounting and its associated features, you must complete the following tasks on your network access server:
See the following sections for configuration tasks for the AAA Resource Accounting feature. Each task in the list is identified as either optional or required:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router# conf term | Enters global configuration mode. You have entered global configuration mode when the prompt changes to |
| Step 2 | Router(config)# aaa new-model | Enables the AAA access control model. |
| Step 3 | Router(config)# aaa accounting resource method-list start-stop group server-group | Enables full Resource Accounting. |

| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router# conf term | Enters global configuration mode. You have entered global configuration mode when the prompt changes to |
| Step 2 | Router(config)# aaa new-model | Enables the AAA access control model. |
| Step 3 | Router(config)# aaa accounting resource method-list stop-failure group server-group | Enables Resource Failure STOP Accounting support. |

| Step | Command | Purpose |
|---|---|---|
| Step 1 | Router# show running-config | Displays the configuration information currently running on the terminal. |

The example includes AAA Cisco IOS commands which support dialup authentication, authorization, and other accounting features.
```
Router# conf term
Router(config)# aaa new-model
Router(config)# aaa authentication login AOL group radius local
Router(config)# aaa authentication ppp default group radius local
Router(config)# aaa authorization exec AOL group radius if-authenticated
Router(config)# aaa authorization network default group radius if-authenticated
Router(config)# aaa accounting exec default start-stop group radius
Router(config)# aaa accounting network default start-stop group radius
Router(config)# aaa accounting resource default start-stop group radius
!
Router# show running-config
Current configuration:
!
! Last configuration change at 15:02:43 PDT Tue Aug 29 2000
!
version 12.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Router
!
no logging console
aaa new-model
aaa session-mib disconnect
aaa authentication login default group radius
aaa authentication login NO_AUTHENT none
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authentication arap local local
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization exec AOL group radius if-authenticated
aaa authorization commands 15 default local if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting exec NO_ACCOUNT none
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 NO_ACCOUNT none
aaa accounting network default start-stop group radius
aaa accounting resource default start-stop group radius
!
```
The example includes AAA Cisco IOS commands which support dialup authentication, authorization, and other accounting features.
```
Router(config)# aaa new-model
Router(config)# aaa authentication login AOL group radius local
Router(config)# aaa authentication ppp default group radius local
Router(config)# aaa authorization exec AOL group radius if-authenticated
Router(config)# aaa authorization network default group radius if-authenticated
Router(config)# aaa accounting exec default start-stop group radius
Router(config)# aaa accounting network default start-stop group radius
Router(config)# aaa accounting resource default stop-failure group radius
!
Router# show running-config
Current configuration:
!
! Last configuration change at 15:02:43 PDT Tue Aug 29 2000
!
version 12.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Router
!
no logging console
aaa new-model
aaa session-mib disconnect
aaa authentication login default group radius
aaa authentication login NO_AUTHENT none
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authentication arap local local
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization exec AOL group radius if-authenticated
aaa authorization commands 15 default local if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting exec NO_ACCOUNT none
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 NO_ACCOUNT none
aaa accounting network default start-stop group radius
aaa accounting resource default stop-failure group radius
!
```
This section documents new and modified commands. All other commands used with these features are documented in the Cisco IOS Release 12.1 command reference publications.
To enable full resource accounting, use the aaa accounting resource start-stop group global configuration command. To disable full resource accounting, use the no form of this command.
aaa accounting resource method-list start-stop group server-group
Syntax Description

| Argument | Description |
|---|---|
| method-list | Method used for accounting services. Valid choices are: |
| server-group | Group to be used for accounting services. Valid choices are: |

Defaults
None
Command Modes
Global configuration
Command History

| Release | Modification |
|---|---|
| 12.1(3)T | This command was introduced. |

Usage Guidelines
Sending START-STOP records for resource allocation along with User START-STOP records during User Authentication can lead to serious performance issues and is discouraged unless absolutely required. All existing AAA accounting method list and server group options are made available to this command.
Examples
The example includes AAA Cisco IOS commands which support dialup authentication, authorization, and other accounting features.
```
Router# conf term
Router(config)# aaa new-model
Router(config)# aaa authentication login AOL group radius local
Router(config)# aaa authentication ppp default group radius local
Router(config)# aaa authorization exec AOL group radius if-authenticated
Router(config)# aaa authorization network default group radius if-authenticated
Router(config)# aaa accounting exec default start-stop group radius
Router(config)# aaa accounting network default start-stop group radius
Router(config)# aaa accounting resource default start-stop group radius
```
Related Commands

| Command | Description |
|---|---|
| aaa accounting resource stop-failure group | Enables Resource Failure STOP Accounting support. |

To enable resource failure STOP accounting support, use the aaa accounting resource stop-failure group global configuration command. To disable resource failure STOP accounting, use the no form of this command.
Syntax Description

| Argument | Description |
|---|---|
| method-list | Method used for accounting services. Valid choices are: |
| server-group | Group to be used for accounting services. Valid choices are: |

Defaults
None
Command Modes
Global configuration
Command History

| Release | Modification |
|---|---|
| 12.1(3)T | This command was introduced. |

Usage Guidelines
If no call termination takes place prior to User Authentication, no additional accounting record will be generated. All existing AAA accounting method list and server group options are made available to this command.
Examples
The example includes AAA Cisco IOS commands which support dialup authentication, authorization, and other accounting features.
```
Router# conf term
Router(config)# aaa new-model
Router(config)# aaa authentication login AOL group radius local
Router(config)# aaa authentication ppp default group radius local
Router(config)# aaa authorization exec AOL group radius if-authenticated
Router(config)# aaa authorization network default group radius if-authenticated
Router(config)# aaa accounting exec default start-stop group radius
Router(config)# aaa accounting network default start-stop group radius
Router(config)# aaa accounting resource default stop-failure group radius
```
Related Commands

| Command | Description |
|---|---|
| aaa accounting resource start-stop group | Enables full Resource Accounting. |

AAA: authentication, authorization, and accounting. Pronounced "triple a."
CAS: channel associated signaling. Call signaling that enables the access server to send or receive analog calls.
CLID: Calling Line Identification Digits, the calling party number (also referred to as ANI, Automatic Number Identification).
CSR: call success rate.
DNIS: Dialed Number Identification Service, also known as the called party number. The telephone number of the called party after translation occurs in the Public Switched Telephone Network. A given destination may have a different DNIS number based on how the call is placed (for example, 800 or direct dial).
ISDN: Integrated Services Digital Network. Communication protocol offered by telephone companies that permits telephone networks to carry data, voice, and other source traffic.
NAS: network access server. Cisco platform (or collection of platforms such as an AccessPath system) which interfaces between the packet world (e.g. the Internet) and the circuit world (e.g. the PSTN).
PSTN: Public Switched Telephone Network. General term referring to the variety of telephone networks and services in place worldwide. Sometimes called POTS.
RADIUS: Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server containing all user authentication and network-service access information.
Tier 1 Authentication: Call Authentication using DNIS and CLID.
Tier 2 Authentication: User Authentication using UserId and Password.
Note: For a list of other internetworking terms, see Internetworking Terms and Acronyms, available on the Documentation CD-ROM and Cisco Connection Online (CCO) at the following URL: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/index.htm.
Posted: Tue Sep 19 18:01:10 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.