RADIUS Packet of Disconnect

The RADIUS Packet of Disconnect feature is used to terminate a connected voice call.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for RADIUS Packet of Disconnect

Configure AAA as described in the Cisco IOS XE Security Configuration Guide: Securing User Services , Release 2.

Restrictions for RADIUS Packet of Disconnect

Proper matching identification information must be communicated by the following:

  • Billing server and gateway configuration

  • Gateway’s original accounting start request

  • Server’s POD request

Information About RADIUS Packet of Disconnect

The Packet of Disconnect (POD) is a RADIUS access_request packet and is intended to be used in situations where the authenticating agent server wants to disconnect the user after the session has been accepted by the RADIUS access_accept packet.

When the POD is Needed

The POD may be needed in at least two situations:

  • Detection of fraudulent use, which cannot be performed before accepting the call. A price structure so complex that the maximum session duration cannot be estimated before accepting the call. This may be the case when certain types of discounts are applied or when multiple users use the same subscription simultaneously.

  • To prevent unauthorized servers from disconnecting users, the authorizing agent that issues the POD packet must include three parameters in its packet of disconnect request. For a call to be disconnected, all parameters must match their expected values at the gateway. If the parameters do not match, the gateway discards the packet of disconnect packet and sends a NACK (negative acknowledgement message) to the agent.

POD Parameters

The POD has the following parameters:

  • An h323-conf-id vendor-specific attribute (VSA) with the same content as received from the gateway for this call.

  • An h323-call-origin VSA with the same content as received from the gateway for the leg of interest.

  • A 16-byte MD5 hash value that is carried in the authentication field of the POD request.

  • Cisco IOS XE software allocates POD code 50 as the code value for the Voice POD Request based on RFC 3576 Dynamic Authorization Extensions to RADIUS, which extends RADIUS standards to officially support both a Disconnect Message (DM) and Change-of-Authorization (CoA) that are supported through the POD.

RFC 3576 specifies the following POD codes:

    • 40 - Disconnect-Request
    • 41 - Disconnect-ACK
    • 42 - Disconnect-NAK
    • 43 - CoA-Request
    • 44 - CoA-ACK
    • 45 - CoA-NAK

How to Configure the RADIUS Packet of Disconnect

Configuring the RADIUS POD

Use the following tasks to configure the RADIUS POD:

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. Router (config)# aaa pod server [port port-number ] [auth-type {any | all | session-key }] server-key [encryption-type ] string
  4. Router# end
  5. Router# show running-configuration

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

Router (config)# aaa pod server [port port-number ] [auth-type {any | all | session-key }] server-key [encryption-type ] string

Example:


Router(config)# aaa  pod  server  server-key  xyz123

Enables inbound user sessions to be disconnected when specific session attributes are presented, where:

  • port port-number --(Optional) The network access server User Datagram Protocol (UDP) port to use for POD requests. Default value is 1700.

  • auth-type --(Optional) The type of authorization required for disconnecting sessions.
    • any --Session that matches all of the attributes sent in the POD packet is disconnected. The POD packet may contain one or more of four key attributes (user-name, framed-IP-address, session-ID, and session-key).
    • all --Only a session that matches all four key attributes is disconnected. All is the default.
    • session-key --Session with a matching session-key attribute is disconnected. All other attributes are ignored.

  • server-key-- Configures the shared-secret text string.

  • encryption-type --(Optional) Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using an encryption algorithm defined by Cisco.

  • string-- The shared-secret text string that is shared between the network access server and the client workstation. This shared-secret string must be the same on both systems.

Step 4

Router# end

Exits global configuration mode and returns to privileged EXEC mode.

Step 5

Router# show running-configuration

Example:


Router# show  running-configuration

Example:


!

Example:


aaa authentication login h323 group radius

Example:


aaa authorization exec h323 group radius

Example:


aaa accounting update newinfo

Example:


aaa accounting connection h323 start-stop group radius

Example:


aaa pod server server-key cisco

Example:


aaa session-id common

Example:


!

Verifies that the gateway is configured correctly in privileged EXEC mode.

Troubleshooting Tips

After you have configured AAA Dead-Server Detection, you should verify your configuration using the show running-config command. This verification is especially important if you have used the no form of the radius-server dead-criteria command. The output of the show running-config command must show the same values in the “Dead Criteria Details” field that you configured using the radius-server dead-criteria command.

Verifying the RADIUS POD Configuration

To verify the RADIUS POD configuration, use the show running configuration privileged EXEC command as shown in the following example: 


Router# show running-configuration
!
aaa authentication login h323 group radius
aaa authorization exec h323 group radius
aaa accounting update newinfo
aaa accounting connection h323 start-stop group radius
aaa pod server server-key cisco
aaa session-id common
.
.
.

Additional References

The following sections provide references related to the RADIUS Packet of Disconnect feature.

Related Documents

Related Topic

Document Title

AAA

Authentication, Authorization, and Accounting (AAA) section of the Cisco IOS XE Security Configuration Guide, Securing User Services, Release 2.

Security commands

Cisco IOS Security Command Reference

CLI Configuration

Cisco IOS XE Configuration Fundamentals Configuration Guide, Release 2

Standards

Standard

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

--

MIBs

MIB

MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

RFC 2865

Remote Authentication Dial-in User Service

RFC 3576

Dynamic Authorization Extensions to RADIUS

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for RADIUS Packet of Disconnect

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for RADIUS Packet of Disconnect

Feature Name

Releases

Feature Information

RADIUS Packet of Disconnect

Cisco IOS XE Release 2.1

The RADIUS Packet of Disconnect feature is used to terminate a connected voice call.

In Cisco IOS XE Release 2.1, this feature was introduced on the on Cisco ASR 1000 Series Aggregation Services Routers.

The following commands were introduced or modified: aaa pod server, debug aaa pod

Glossary

AAA --authentication, authorization, and accounting. A framework of security services that provide the method for identifying users (authentication), for remote access control (authorization), and for collecting and sending security server information used for billing, auditing, and reporting (accounting).

L2TP --Layer 2 Tunnel Protocol. A Layer 2 tunneling protocol that enables an ISP or other access service to create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP point of presence (POP) exchanges PPP messages with the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel server to set up tunnels.

PE --Provider Edge. Networking devices that are located on the edge of a service provider network.

RADIUS --Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.

VPN --Virtual Private Network. A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected. VPNs use L2TP and L2F to terminate the Layer 2 and higher parts of the network connection at the LNS instead of the LAC.

VRF --Virtual Route Forwarding. Initially, a router has only one global default routing/forwarding table. VRFs can be viewed as multiple disjoined routing/forwarding tables, where the routes of a user have no correlation with the routes of another user.