-
Cisco 10000 Series Router Software Configuration Guide
-
About This Guide
-
Broadband Aggregation and Leased-Line Overview
-
Scalability and Performance
-
Configuring Remote Access to MPLS VPN
-
Configuring Multiprotocol Label Switching
-
Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server
-
Configuring PPPoE over Ethernet and IEEE 802.1Q VLAN
-
Configuring IP Unnumbered on IEEE 802.1Q VLANs
-
Configuring ATM Permanent Virtual Circuit Autoprovisioning
-
Configuring the Multihop Feature
-
Configuring Address Pools
-
Configuring Local AAA Server, User Database--Domain to VRF
-
Configuring Traffic Filtering
-
Unicast Reverse Path Forwarding
-
Configuring Automatic Protection Switching
-
Configuring IP Multicast
-
Configuring RADIUS Features
-
Cisco 10000 Series Router PXF Stall Monitor
-
SSO - BFD
-
Configuring Link Noise Monitoring
-
Configuring L2 Virtual Private Networks
-
Configuring L2VPN Interworking
-
Configuring Multilink Point-to-Point Protocol Connections
-
Configuring Gigabit EtherChannel Features
-
Configuring IP Version 6
-
Configuring Template ACLs
-
Protecting the Router from DoS Attacks
-
IP Tunneling
-
RADIUS Attributes
-
Glossary
-
Feedback
Table Of Contents
Feature History for RADIUS Attribute Screening
Restrictions for RADIUS Attribute Screening
Prerequisites for RADIUS Attribute Screening
Configuration Tasks for RADIUS Attribute Screening
Configuration Examples for RADIUS Attribute Screening
Authorization Accept Configuration Example
Accounting Reject Configuration Example
Authorization Reject and Accounting Accept Configuration Example
Rejecting Required Attributes Configuration Example
Feature History for RADIUS Transmit Retries
Restrictions for RADIUS Transmit Retries
Configuring RADIUS Transmit Retries
Configuration Example for RADIUS Transmit Retries
Monitoring and Troubleshooting RADIUS Transmit Retries
Extended NAS-Port-Type and NAS-Port Support
Feature History for Extended NAS-Port-Type and NAS-Port Support
NAS-Port-Type (RADIUS Attribute 61)
NAS-Port-ID (RADIUS Attribute 87)
Prerequisites for Extended NAS-Port-Type and NAS-Port Attributes Support
Configuring Extended NAS-Port-Type and NAS-Port Attributes Support
Verifying Extended NAS-Port-Type and NAS-Port-ID Attributes Support
Configuration Examples for Extended NAS-Port-Type Attribute Support
RADIUS Attribute 31: PPPoX Calling Station ID
Feature History for PPPoX Calling Station ID
Restrictions for PPPoX Calling Station ID
Related Documents for PPPoX Calling Station ID
Configuration Tasks for PPPoX Calling Station ID
Configuring the Calling-Station-ID Format
Verifying the Calling-Station-ID
Configuration Example for PPPoX Calling Station ID
Related Commands for PPPoX Calling Station ID
Feature History for RADIUS Packet of Disconnect
Benefits for RADIUS Packet of Disconnect
Restrictions for RADIUS Packet of Disconnect
Related Documents for RADIUS Packet of Disconnect
Prerequisites for RADIUS Packet of Disconnect
Configuration Tasks for RADIUS Packet of Disconnect
Monitoring and Maintaining AAA POD Server
Configuration Example for RADIUS Packet of Disconnect
Configuring RADIUS Features
This chapter describes the following features:
•
Extended NAS-Port-Type and NAS-Port Support
•
RADIUS Attribute Screening
The RADIUS Attribute Screening feature allows you to configure a list of "accept" or "reject" RADIUS attributes on the Cisco 10000 router for authorization and accounting purposes. Based on the accept or reject list you configure for a particular purpose, the Cisco 10000 series router:
•
•
Before you configure a RADIUS accept or reject list, enable AAA using the aaa new-model command in global configuration mode. For more information, see the Cisco IOS Command Summary, Volume 2 of 3, Release 12.2.
The Cisco 10000 series router supports the RADIUS Attribute Screening feature in the following deployment models:
•
•
•
Note
The RADIUS Attribute Screening feature is described in the following topics:
•
•
•
•
•
Feature History for RADIUS Attribute Screening
Restrictions for RADIUS Attribute Screening
The following restrictions apply to the RADIUS Attribute Screening feature:
•
To enable the RADIUS Attribute Screening feature, you should configure the Cisco 10000 router, acting as the NAS, for authorization with RADIUS groups.
•
The two filters used to configure accept or reject lists are mutually exclusive; therefore, you can configure only one accept list or one reject list for each purpose and for each server group.
•
The RADIUS Attribute Screening feature does not support vendor-specific attribute (VSA) screening. However, you can specify attribute 26 (Vendor-Specific) in an accept or reject list, which will accept or reject all VSAs.
•
Required attributes in a reject list are allowed to pass through. Do not reject the following required attributes:
–
–
Note
Prerequisites for RADIUS Attribute Screening
Before you configure a RADIUS accept or reject list, enable AAA using the aaa new-model command in global configuration mode. For more information, see the Cisco IOS Command Summary, Volume 2 of 3, Release 12.2.
Configuration Tasks for RADIUS Attribute Screening
To configure and verify the RADIUS Attribute Screening feature, see the "Configuring RADIUS Attribute Accept or Reject Lists" section on page 5-37.
Configuration Examples for RADIUS Attribute Screening
This section provides the following configuration examples:
•
•
•
•
Authorization Accept Configuration Example
The following example shows how to configure an accept list for attribute 6 (Service-Type) and attribute 7(Framed-Protocol). All other attributes (including VSAs) are rejected for RADIUS authorization.
aaa new-modelaaa authentication ppp default group radius-sgaaa authorization network default group radius-sgaaa group server radius radius-sgserver 10.1.1.1authorization accept min-author!radius-server host 10.1.1.1 key mykey1radius-server attribute list min-authorattribute 6-7Accounting Reject Configuration Example
The following example shows how to configure a reject list for attribute 66 (Tunnel-Client-Endpoint) and attribute 67 (Tunnel-Server-Endpoint). All other attributes (including VSAs) are accepted for RADIUS accounting.
aaa new-modelaaa authentication ppp default group radius-sgaaa authorization network default group radius-sgaaa group server radius radius-sgserver 10.1.1.1accounting reject tnl-x-endpoint!radius-server host 10.1.1.1 key mykey1radius-server attribute list tnl-x-endpointattribute 66-67Authorization Reject and Accounting Accept Configuration Example
The following example shows how to configure a reject list for RADIUS authorization and configure an accept list for RADIUS accounting. Although you cannot configure more than one accept or reject list per server group for authorization or accounting, you can configure one list for authorization and one list for accounting per server group.
aaa new-modelaaa authentication ppp default group radius-sgaaa authorization network default group radius-sgaaa group server radius radius-sgserver 10.1.1.1authorization reject bad-authoraccounting accept usage-only!radius-server host 10.1.1.1 key mykey1radius-server attribute list usage-onlyattribute 1,40,42-43,46!radius-server attribute list bad-authorattribute 22,27-28,56-59Rejecting Required Attributes Configuration Example
The following example shows debug output for the debug aaa accounting command. In this example, required attributes 44, 40, and 41 have been added to the reject list:
Router# debug aaa authorizationAAA/ACCT(6): Accounting method=radius-sg (radius)RADIUS: attribute 44 cannot be rejectedRADIUS: attribute 61 rejectedRADIUS: attribute 31 rejectedRADIUS: attribute 40 cannot be rejectedRADIUS: attribute 41 cannot be rejected
Caution
RADIUS Transmit Retries
The Cisco 10000 router supports an extended RADIUS transmit retries range. Extending the range of RADIUS transmit retries can protect against lost records if the RADIUS server goes down or communication to it is lost.
You use the radius-server command to specify the number of times you want the router to retry transmitting to the RADIUS server. The extended range of values is from 1 to a value higher than 17280.
The RADIUS Transmit Retries feature is described in the following topics:
•
•
•
•
•
Feature History for RADIUS Transmit Retries
Restrictions for RADIUS Transmit Retries
The extended range of RADIUS transmit retries has the following restrictions:
•
•
Configuring RADIUS Transmit Retries
To configure RADIUS transmit retries, enter the following command in global configuration mode:
Note
Configuration Example for RADIUS Transmit Retries
Example 16-1 configures the router to retransmit up to 5 times to the RADIUS server.
Example 16-1 Configuring RADIUS Transmit Retries
Router(config)# radius-server host 10.16.1.2 retransmit 5Monitoring and Troubleshooting RADIUS Transmit Retries
To monitor and troubleshoot RADIUS transmit retries, enter any of the following commands in privileged EXEC mode:
Caution
Extended NAS-Port-Type and NAS-Port Support
In Cisco IOS Release 12.3(7)XI1, support for NAS-Port-Type (RADIUS attribute 61), NAS-Port (RADIUS attribute 5), and NAS-Port-ID (RADIUS attribute 87) were changed in the The Extended NAS-Port-Type Attribute Support feature.
The Extended NAS-Port-Type Attribute Support feature is described in the following topics:
•
•
•
•
•
•
•
•
Feature History for Extended NAS-Port-Type and NAS-Port Support
12.3(7)XI1
This feature was introduced on the Cisco 10000 series router.
PRE2
12.2(28)SB
This feature was integrated into Cisco IOS Release 12.2(28)SB.
PRE2
NAS-Port-Type (RADIUS Attribute 61)
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific Authentication, Authorization, and Accounting (AAA) elements in a user profile, which is stored on the RADIUS daemon. Currently the Internet Engineering Task Force (IETF) RADIUS attributes that are supported include an attribute 61, NAS-Port-Type. NAS-Port-Type indicates the type of physical port the network access server (NAS) is using to authenticate the user.
However there was no method to identify NAS-Port-Type based on a specific broadband service type because the RADIUS RFC does not support extended types that defines these types of ports. Basically all PPPoA, PPPoEoE, and PPPoEoA sessions were identified as being VIRTUAL and all PPPoEoVLAN and PPPoEoQinQ as ETHERNET.
The Extended NAS-Port-Type Attribute Support feature expands NAS-Port-Type, attribute 61, in order that the client can better identify what type of service is taking place on the different types of ports.
One advantage of this feature is that service providers can have their own coding mechanism to track users on given ports differently. Service providers may especially want to track customers using shared resources such as Ethernet or ATM interfaces that have VLANs (or Q-in-Q) and VCs connected to certain customers.
The configuration command radius-server attribute 61 extended enables identifying the following new non-RFC compliant, broadband service port types that are indicated by the following numeric values:
•
•
•
•
•
An additional capability is that subinterfaces such as VLAN, Q-in-Q, VC, or VC ranges are allowed to override the NAS-Port-Type attribute value to be sent on any session that resides on it. This capability provides an extra level of granularity for service providers in managing their end users and allows for further differentiation of different customer usage. This capability is provided with the radius attribute nas-port-type [value] command.
The value for NAS-Port-Type can be any number chosen by the customer. In particular, customizing your own value is useful when you need to differentiate the NAS-Port-Type based on which type of end client is actually using the port. For example if you want to track mobile clients behind a specific PVC, you can define your own NAS-Port-Type for mobile clients.
NAS-Port (RADIUS Attribute 5)
The NAS-Port (RADIUS attribute 5) is a 32 bit value that uniquely represents the physical or logical port the user is attempting to authenticate on. A logical port can be represented by the virtual path identifier (VPI) and virtual channel identifier (VCI) for an ATM interface, or by the VLAN ID or Q-in-Q ID for an Ethernet interface.
Because each platform and service may have different port information which are relevant to their environment, there is no one unique way to populate this attribute. Currently Cisco has 4 hard wired formats (a-d) which are service specific and 1 configurable format (e) which can be tailored to customer and platform-specific needs.
Previously format e only allowed customizing 1 global format for all call types on a device, which limited its usefulness on devices that contained multiple services. With the extended NAS-port support, you can now configure a custom format e string for any and all service types based on the value of the NAS-Port-Type (RADIUS attribute 61). That is, when building the RADIUS Access or Accounting request, the encoding routine will pick the specific format e string defined for the session's NAS-Port-Type value and use that first instead of using the default global format e string.
The only relationship between NAS-Port-Type extensions and NAS-Port extension is that the format e string chosen by the encoding routine will depend on the value of the NAS-Port-Type for the session. Therefore if you use the extended NAS-Port-Type values (values 30-34), you should also configure format e to use them. If you do not use the extended NAS-Port-Type support, then you should use the old values, specifically, value 5 for Virtual and value 15 for Ethernet service port types. Configuring back to these port types can also allow the user to revert to previous behavior for certain interfaces.
The radius-server attribute nas-port format e command was enhanced to support the custom format e string with the [type nas-port-type] keyword and option. The type option allows you to specify different format strings to represent different physical types of ports on the Cisco 10000 for any of the extended NAS-Port-Type values. For example, you can specify the string "SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC" for type 30 (all PPPoA ports), yet you can also specify the string "SSSSAAAAPPPPVVVVVVVVVVVVVVVVVVVV" for type 33 (all PPPoAoVLAN ports). In this case, the service provider can track VPI/VCI-specific information for a PPPoA user and VLAN-specific information for a PPPoEoVLAN user.
NAS-Port-ID (RADIUS Attribute 87)
The NAS-Port-ID (RADIUS attribute 87) contains the character text string identifier of the NAS port that is authenticating the user. This text string typically matches the interface description found under the CLI configuration. This attribute was previously available under Cisco Vendor Specific Attribute (VSA) "cisco-nas-port". But it is now sent by default under the IETF attribute 87 as per customer demand.
Prerequisites for Extended NAS-Port-Type and NAS-Port Attributes Support
Authentication, Authorization, and Accounting (AAA) must be enabled and already set up to use RADIUS.
Configuring Extended NAS-Port-Type and NAS-Port Attributes Support
To configure Extended NAS-Port-Type and NAS-Port Attributes Support, enter the following commands in global configuration mode:
You can override the NAS-Port-Type configured globally on the router at an interface or subinterface level. To override all global options on how the Extended NAS-Port-Type attribute is sent on any interfaces or subinterfaces such as for Ethernet, VLAN, Q-in-Q, VC, or VC ranges, enter the following commands in the PVC submode or Ethernet subinterface mode (beginning in global configuration mode):
Verifying Extended NAS-Port-Type and NAS-Port-ID Attributes Support
To verify the Extended NAS-Port-Type and NAS-Port-ID Attributes Support feature, enter the following command in privileged EXEC mode:
Router# show running-config
Displays the current configuration of the router. Check the output of this command to confirm the configuration.
The following example displays the current configuration of RADIUS command output, where you have enabled the extended NAS-Port-Types. You can use delimiting characters to display only the relevant parts of the configuration.
Router# show run | inc radiusaaa authentication ppp default group radiusaaa authorization network default group radiusaaa accounting network default start-stop group radiusradius-server attribute 61 extendedradius-server attribute nas-port format e SSSSAPPPUUUUUUUUUUUUUUUUUUUUUUUUradius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 30radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 31radius-server attribute nas-port format e SSSSAAAAPPPPVVVVVVVVVVVVVVVVVVVV type 32radius-server attribute nas-port format e SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV type 33radius-server attribute nas-port format e SSSSAPPPQQQQQQQQQQQQVVVVVVVVVVVV type 34radius-server host 10.76.86.91 auth-port 1645 acct-port 1646radius-server key rad123The following example displays the current configuration of RADIUS command output, where you have globally specified the format e string for all PPPoA ports (type 30).
Router# show run | inc radiusaaa authentication ppp default group radiusaaa authorization network default group radiusaaa accounting network default start-stop group radiusradius-server attribute nas-port format e SSSSSSSSAAAAAAAAPPPPPPPPIIIIIIIIradius-server attribute nas-port format e SSSSAAAAPPPPIIIIIIIICCCCCCCCCCCC type 30radius-server host 10.76.86.91 auth-port 1645 acct-port 1646radius-server key rad123Configuration Examples for Extended NAS-Port-Type Attribute Support
The following examples show how to configure global support for Extended NAS-Port-Type ports, and to specify two separate e format strings globally but for two different types of ports (type 30 which is PPPoA and type 33 which is PPPoEoVLAN):
Router# configure terminalRouter(config)#Router(config)# radius-server attribute 61 extendedRouter(config)# radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 30Router(config)#Router(config)# radius-server attribute nas-port format e SSSSAPPPVVVVVVVVVVVVVVVVVVVVVVVV type 33Router(config)#The following example shows you first how to customize a format e string and port type for an ATM interface and then how to override the global value set for an extended NAS-Port-Type by applying the customer-customized NAS-Port-Type value of 36 on the ATM interface:
Router# configure terminalRouter(config)# radius-server attribute nas-port format e SSSSAPPPIIIIIIIICCCCCCCCCCCCCCCC type 36Router(config)# interface atm 5/0/0.1Router(config-subif)# pvc 1/33Router(config-if-atm-vc)#Router(config-if-atm-vc)# radius attribute nas-port-type 36RADIUS Attribute 31: PPPoX Calling Station ID
The RADIUS Attribute 31: PPPoX Calling Station ID feature enables service providers to provide more information about the call originator to the RADIUS server in a DSL environment, such as the physical lines on which customer calls originate. Specifically, this feature allows operators to track customers through the physical lines on which customer calls originate. Service providers can better maintain the profile database of their customers as they move from one physical line to another.
Because this feature provides a virtual port that does not change as customers move from one physical line to another, RADIUS attribute 31 (Calling-Station-ID) can also be used for additional security checks. The Calling-Station-ID attribute is included in both ACCESS-REQUEST and ACCOUNTING-REQUEST messages.
The PPPoX Calling Station ID feature is described in the following topics:
•
•
•
•
•
•
Feature History for PPPoX Calling Station ID
12.3(7)XI2
This feature was introduced on the Cisco 10000 series router.
PRE2
Calling-Station-ID Formats
The Calling-Station-ID attribute has 2 formats: Nas-Port and MAC-only. For Nas-Port, the system provides to the RADIUS server the host name and domain name of the node, an interface description, and VPI/VCI information (when the session is ATM-based, such as PPPoA or PPPoEoA). The MAC address is provided for PPPoEoE sessions instead of the VPI and VCI information that is provided for ATM-based sessions. For MAC-only, only the MAC address is specified for PPPoEoE sessions.
Table 16-1 summarizes the enabled Calling-Station-ID formats by session type. Notice that if both the MAC-only and Nas-Port types of Calling-Station-ID are enabled, the system provides only the MAC address to the RADIUS server for PPPoEoE sessions.
Table 16-2 describes the Calling-Station-ID attribute fields.
Note
Restrictions for PPPoX Calling Station ID
The following restrictions apply to the RADIUS Attribute 31: PPPoX Calling Station ID feature:
•
•
•
•
•
Related Documents for PPPoX Calling Station ID
•
•
•
Configuration Tasks for PPPoX Calling Station ID
To configure the RADIUS Attribute 31: PPPoX Calling Station ID feature, perform the following configuration tasks:
•
•
Configuring the Calling-Station-ID Format
To configure the Calling-Station-ID format, perform the following task in global configuration mode:
To verify the Extended NAS-Port-Type and NAS-Port-ID Attributes Support feature, enter the following command in privileged EXEC mode:
format—Specifies the type of Calling-Station-ID
•
•
You can enable one or both types of Calling-Station ID. If both the MAC-only and Nas-Port types of Calling-Station-ID are enabled, the system provides only the MAC address to the RADIUS server for PPPoEoE sessions. See Table 16-1 for a summary of enabled Calling-Station-ID formats by session type.
Verifying the Calling-Station-ID
To verify the Calling-Station-ID, perform the following task in EXEC mode use the debug radius command in privileged EXEC mode. The debug radius command verifies that RADIUS attribute 31, Calling-Station-ID, is in the ACCESS-REQUEST and ACCOUNTING-REQUEST. Example 16-2 shows sample output of the debug radius command.
Caution
Example 16-2 debug radius Command Output
*Sep 14 14:54:43.259: RADIUS(00000008): Send Access-Request to 10.0.0.8:1645 id1645/34, len 121 *Sep 14 14:54:43.259: RADIUS: authenticator C3 81 6B 7A F8 38 F9 FE - E6 82 A6 91 92 54 44 66 *Sep 14 14:54:43.259: RADIUS: Framed-Protocol [7] 6 PPP [1] *Sep 14 14:54:43.259: RADIUS: User-Name [1] 8 "johndoe" *Sep 14 14:54:43.259: RADIUS: CHAP-Password [3] 19 * *Sep 14 14:54:43.259: RADIUS: NAS-Port-Type [61] 6 Virtual [5] *Sep 14 14:54:43.259: RADIUS: NAS-Port [5] 6 0 *Sep 14 14:54:43.259: RADIUS: NAS-Port-Id [87] 9 "8/0/0/0" *Sep 14 14:54:43.259: RADIUS: Calling-Station-Id [31] 35 ":c10k.xtnet.com:my_interface:00b0.c2ef.8400" *Sep 14 14:54:43.259: RADIUS: Service-Type [6] 6 Framed [2] *Sep 14 14:54:43.259: RADIUS: NAS-IP-Address [4] 6 10.0.0.119Configuration Example for PPPoX Calling Station ID
The following PPP termination aggregation (PTA) and L2TP access concentrator (LAC) example shows how to configure your LAC for preauthorization by downloading the Logical Line ID:
aaa new-modelaaa authentication ppp default group radiusaaa authorization network default group radiusaaa session-id common!hostname c10kip domain-name xtnet.com!-------- hostname and domain name are included in the nas-port type CSID---vc-class atm ppp_auto1200vpn service service_controlprotocol pppoe group PPPOETESTencapsulation aal5autoppp Virtual-Template1 group PPPOETEST!interface Loopback0ip address 1.1.1.1 255.255.255.255!interface Loopback10ip address 172.16.1.1 255.255.255.0!interface FastEthernet0/0/0ip address 10.0.0.119 255.255.255.0speed 100full-duplex!interface ATM1/0/0no ip addressshutdownno atm pxf queuingatm ilmi-keepalivepvc 0/16 ilmi!!interface ATM1/0/1no ip addressatm clock INTERNALno atm auto-configurationatm ilmi-keepaliveno atm address-registrationpvc 0/16 ilmi!!interface ATM1/0/1.111 multipoint! -----This description is used in the calling-station-id ------description test_descrpvc 0/100class-vc ppp_auto1200!pvc 0/101class-vc ppp_auto1200!interface GigabitEthernet8/0/0ip address 10.10.0.1 255.255.255.0negotiation autopppoe enable group PPPOETEST!interface Virtual-Template1ip unnumbered Loopback0peer default ip address pool defaultppp authentication chap callin!ip local pool default 3.3.3.1 3.3.3.10!radius-server attribute 31 pppox nas-portradius-server attribute 31 pppox mac-addrradius-server attribute 32 include-in-access-reqradius-server host 10.0.0.8 auth-port 1645 acct-port 1646 key ciscoRelated Commands for PPPoX Calling Station ID
ip radius source-interface
Requires RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets
RADIUS Packet of Disconnect
The RADIUS Packet of Disconnect feature consists of a method for terminating a session that has already been connected. This packet of disconnect (POD) is a RADIUS access_request packet and is intended to be used in situations where the authenticating agent server wants to disconnect the user after the session has been accepted by the RADIUS access_accept packet. This may be needed in at least two situations:
•
•
The data parameters are the following RADIUS attributes:
•
•
•
•
For information about RADIUS attributes, see Appendix A, "RADIUS Attributes".
The RADIUS Packet of Disconnect feature is discussed in the following topics:
•
•
•
•
•
•
•
•
Feature History for RADIUS Packet of Disconnect
12.3(7)XI1
This feature was introduced on the Cisco 10000 series router.
PRE2
12.2(28)SB
This feature was integrated into Cisco IOS Release 12.2(28)SB.
PRE2
Benefits for RADIUS Packet of Disconnect
•
Restrictions for RADIUS Packet of Disconnect
Proper matching identification information must be communicated by the:
•
•
•
Related Documents for RADIUS Packet of Disconnect
•
•
•
•
Prerequisites for RADIUS Packet of Disconnect
•
Configuration Tasks for RADIUS Packet of Disconnect
To configure the RADIUS Packet of Disconnect feature, perform the following configuration tasks:
Configuring AAA POD Server
To configure the Calling-Station-ID format, perform the following task in global configuration mode:
Verifying AAA POD Server
To verify that the router is configured correctly to performs an AAA POD server, enter the show running-configuration command in privileged EXEC mode to display the command settings for the router.
Router# show running-configuration!aaa new-modelaaa authentication ppp default group radiusaaa authorization network default group radiusaaa accounting network default start-stop group radiusaaa pod server clients <ip address> port <port number> auth-type [all/ any/ session-key] server-key ciscoMonitoring and Maintaining AAA POD Server
To monitor an AAA POD server and troubleshoot problems:
•
•
•
–
–
–
–
The following example shows output from the debug aaa pod command and indicates a successful POD request.
Router# debug aaa podAAA POD packet processing debugging is onGeneral OS:AAA POD packet processing debugging is onRouter#4d18h: ++++++ POD Attribute List ++++++4d18h: 6291C598 0 00000009 username(336) 8 pod_user4d18h: 7085EE1C 0 00000001 nas-ip-address(439) 4 23.3.7.34d18h:4d18h: POD: 2.0.0.210 user pod_user 0.0.0.0 sessid 0x0 key 0x04d18h: POD: Line User IDB Session Id Key4d18h: POD: Skip <NULL> 0.0.0.0 0x363 0x04d18h: POD: KILL Virtual- pod_user 104.1.2.38 0x421A 0xD41053974d18h: POD: Skip Virtual- <NULL> 0.0.0.0 0x421B 0x04d18h: POD: Sending ACK from port 3799 to 2.0.0.210/64917
Caution
Configuration Example for RADIUS Packet of Disconnect
Example 16-3 provides a configuration example for a router performing as an AAA POD server:
Example 16-3 Configuring a Router as an AAA POD Server
Router(config)# aaa pod server server-key xyz123
