- Read Me First
- Configuring Authentication
- RADIUS Change of Authorization
- Message Banners for AAA Authentication
- AAA-Domain Stripping at Server Group Level
- AAA Double Authentication Secured by Absolute Timeout
- Throttling of AAA RADIUS Records
- RADIUS Packet of Disconnect
- AAA Authorization and Authentication Cache
- Configuring Authorization
- Configuring Accounting
- AAA-SERVER-MIB Set Operation
- Per VRF AAA
- AAA Support for IPv6
- TACACS+ over IPv6
- AAA Dead-Server Detection
- Login Password Retry Lockout
- MSCHAP Version 2
- AAA Broadcast Accounting-Mandatory Response Support
- Prerequisites for Per VRF AAA
- Restrictions for Per VRF AAA
- Information About Per VRF AAA
- How to Configure Per VRF AAA
- Configuration Examples for Per VRF AAA
Per VRF AAA
The Per VRF AAA feature allows ISPs to partition authentication, authorization, and accounting (AAA) services on the basis of Virtual Private Network (VPN) routing and forwarding (VRF) instances, allowing their customers to control some of their own AAA services.
The list of servers in server groups is extended to include the definitions of private servers in addition to references to the hosts in the global configuration, allowing access to both customer servers and global service provider servers simultaneously.
In Cisco IOS XE Release 2.4 and later releases, a customer template can be used, which may be stored either locally or remotely, and AAA services can be performed on the information that is stored in the customer template. This feature is referred to as the Dynamic Per VRF AAA feature.
- Prerequisites for Per VRF AAA
- Restrictions for Per VRF AAA
- Information About Per VRF AAA
- How to Configure Per VRF AAA
- Configuration Examples for Per VRF AAA
- Additional References
- Feature Information for Per VRF AAA
- Glossary
Prerequisites for Per VRF AAA
Before configuring the Per VRF AAA feature, AAA must be enabled. See “How to Configure Per VRF AAA” section on page 6 for more information.
Restrictions for Per VRF AAA
This feature is supported only for RADIUS servers.
Operational parameters should be defined once per VRF rather than set per server group, because all functionality must be consistent between the network access server (NAS) and the AAA servers.
The ability to configure a customer template either locally or remotely is available only for Cisco IOS XE Release 2.4 and later releases.
Information About Per VRF AAA
When you use the Per VRF AAA feature, AAA services can be based on VRF instances. This feature permits the Provider Edge (PE) or Virtual Home Gateway (VHG) to communicate directly with the customer’s RADIUS server, which is associated with the customer’s Virtual Private Network (VPN), without having to go through a RADIUS proxy. Thus, ISPs can scale their VPN offerings more efficiently because they no longer have to use RADIUS proxies and ISPs can also provide their customers with additional flexibility.
How Per VRF AAA Works
To support AAA on a per customer basis, some AAA features must be made VRF aware. That is, ISPs must be able to define operational parameters--such as AAA server groups, method lists, system accounting, and protocol-specific parameters--and bind those parameters to a particular VRF instance. Defining and binding the operational parameters can be accomplished using one or more of the following methods:
Virtual private dialup network (VPDN) virtual template or dialer interfaces that are configured for a specific customer
Locally defined customer templates--Per VPN with customer definitions. The customer template is stored locally on the VHG. This method can be used to associate a remote user with a specific VPN based on the domain name or dialed number identification service (DNIS) and provide the VPN-specific configuration for virtual access interface and all operational parameters for the customer AAA server.
Remotely defined customer templates--Per VPN with customer definitions that are stored on the service provider AAA server in a RADIUS profile. This method is used to associate a remote user with a specific VPN based on the domain name or DNIS and provide the VPN-specific configuration for the virtual access interface and all operational parameters for the AAA server of the customer.
Note | The ability to configure locally or remotely defined customer templates is available only with Cisco IOS XE Release 2.4 and later releases. |
AAA Accounting Records
The Cisco implementation of AAA accounting provides “start” and “stop” record support for calls that have passed user authentication. Start and stop records are necessary for users employing accounting records to manage and monitor their networks.
New Vendor-Specific Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (VSA) attribute 26. Attribute 26 encapsulates VSAs, thereby, allowing vendors to support their own extended attributes otherwise not suitable for general use.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported option has vendor-type 1, which is named “cisco-avpair.” The value is a string of the following format:
protocol : attribute sep value *
“Protocol” is a value of the Cisco “protocol” attribute for a particular type of authorization. “Attribute” and “value” are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and “sep” is “=” for mandatory attributes and “*” for optional attributes. This format allows the full set of features available for TACACS+ authorization to be used also for RADIUS.
The table below summarizes the VSAs that are now supported with Per VRF AAA.
VRF Aware Framed-Routes
In Cisco IOS XE Release 2.3 and later, the Cisco ASR 1000 Series Aggregation Services Routers support VRF aware framed-routes. No configuration is required to enable support for this feature. Framed-routes are automatically detected and if the framed-route is part of a VRF associated with an interface, the rout is applied accordingly.
How to Configure Per VRF AAA
- Configuring Per VRF AAA
- Configuring Per VRF AAA Using Local Customer Templates
- Configuring Per VRF AAA Using Remote Customer Templates
- Verifying VRF Routing Configurations
- Troubleshooting Per VRF AAA Configurations
Configuring Per VRF AAA
- Configuring AAA
- Configuring Server Groups
- Configuring Authentication Authorization and Accounting for Per VRF AAA
- Configuring RADIUS-Specific Commands for Per VRF AAA
- Configuring Interface-Specific Commands for Per VRF AAA
Configuring AAA
To enable AAA you need to complete the following steps.
1.
enable
2.
configure
terminal
3.
aaa
new-model
DETAILED STEPS
Command or Action | Purpose |
---|
Configuring Server Groups
To configure server groups you need to complete the following steps.
1.
enable
2.
configure
terminal
3.
aaa
new-model
4.
aaa
group
server
radius
groupname
5.
server-private
ip-address
[auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
6.
exit
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
| ||
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
Step 3 |
aaa
new-model
Example: Router(config)# aaa new-model |
Enables AAA globally. | ||
Step 4 |
aaa
group
server
radius
groupname
Example: Router(config)# aaa group server radius v2.44.com |
Groups different RADIUS server hosts into distinct lists and distinct methods. Enters server-group configuration mode. | ||
Step 5 |
server-private
ip-address
[auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string] Example: Router(config-sg-radius)# server-private 10.10.130.2 auth-port 1600 key ww |
Configures the IP address of the private RADIUS server for the group server.
| ||
Step 6 |
exit
Example: Router(config-sg-radius)# exit |
Exits from server-group configuration mode; returns to global configuration mode. |
Configuring Authentication Authorization and Accounting for Per VRF AAA
To configure authentication, authorization, and accounting for Per VRF AAA, you need to complete the following steps.
1.
enable
2.
configure
terminal
3.
aaa
new-model
4.
aaa
authentication
ppp
{default | list-name} method1 [method2...]
5.
aaa
authorization
{network | exec | commands level | reverse-access | configuration}{default | list-name} method1 [method2...]
6.
aaa
accounting
system
default
[vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname
7.
aaa
accounting
delay-start
[vrf vrf-name]
8.
aaa
accounting
send
stop-record
authentication
{failure | success remote-server} [vrf vrf-name]
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
| ||
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
Step 3 |
aaa
new-model
Example: Router(config)# aaa new-model |
Enables AAA globally. | ||
Step 4 |
aaa
authentication
ppp
{default | list-name} method1 [method2...] Example: Router(config)# aaa authentication ppp method_list_v2.44.com group v2.44.com |
Specifies one or more AAA authentication methods for use on serial interfaces that are running PPP. | ||
Step 5 |
aaa
authorization
{network | exec | commands level | reverse-access | configuration}{default | list-name} method1 [method2...] Example: Router(config)# aaa authorization network method_list_v2.44.com group v2.44.com |
Sets parameters that restrict user access to a network. | ||
Step 6 |
aaa
accounting
system
default
[vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname Example: Router(config)# aaa accounting system default vrf v2.44.com start-stop group v2.44.com |
Enables AAA accounting of requested services for billing or security purposes when you use RADIUS. | ||
Step 7 |
aaa
accounting
delay-start
[vrf vrf-name] Example: Router(config)# aaa acounting delay-start vrf v2.44.com |
Displays generation of the start accounting records until the user IP address is established. | ||
Step 8 |
aaa
accounting
send
stop-record
authentication
{failure | success remote-server} [vrf vrf-name] Example: Router(config)# aaa accounting send stop-record authentication failure vrf v2.44.com |
Generates accounting stop records. When using the failure keyword a “stop” record will be sent for calls that are rejected during authentication. When using the success keyword a “stop” record will be sent for calls that meet one of the following criteria:
|
Configuring RADIUS-Specific Commands for Per VRF AAA
To configure RADIUS-specific commands for Per VRF AAA you need to complete the following steps.
1.
enable
2.
configure
terminal
3.
ip
radius
source-interface
subinterface-name
[vrf vrf-name]
4.
radius-server
attribute
44
include-in-access-req
[vrf vrf-name]
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
ip
radius
source-interface
subinterface-name
[vrf vrf-name] Example: Router(config)# ip radius source-interface loopback55 |
Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets and enables the specification on a per-VRF basis. |
Step 4 |
radius-server
attribute
44
include-in-access-req
[vrf vrf-name] Example: Router(config)# radius-server attribute 44 include-in-access-req vrf v2.44.com |
Sends RADIUS attribute 44 in access request packets before user authentication and enables the specification on a per-VRF basis. |
Configuring Interface-Specific Commands for Per VRF AAA
To configure interface-specific commands for Per VRF AAA, you need to complete the following steps.
1.
enable
2.
configure
terminal
3.
interface
type
number
[name-tag]
4.
ip
vrf
forwarding
vrf-name
5.
ppp
authentication
{protocol1 [protocol2...]} listname
6.
ppp
authorization
list-name
7.
ppp
accounting
default
8.
exit
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
interface
type
number
[name-tag] Example: Router(config)# interface loopback11 |
Configures an interface type and enters interface configuration mode. |
Step 4 |
ip
vrf
forwarding
vrf-name
Example: Router(config-if)# ip vrf forwarding v2.44.com |
Associates a VRF with an interface. |
Step 5 |
ppp
authentication
{protocol1 [protocol2...]} listname Example: Router(config-if)# ppp authentication chap callin V2_44_com |
Enables Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) or both and specifies the order in which CHAP and PAP authentication are selected on the interface. |
Step 6 |
ppp
authorization
list-name
Example: Router(config-if)# ppp authorization V2_44_com |
Enables AAA authorization on the selected interface. |
Step 7 |
ppp
accounting
default
Example: Router(config-if)# ppp accounting default |
Enables AAA accounting services on the selected interface. |
Step 8 |
exit
Example: Router(config)# exit |
Exits interface configuration mode. |
Configuring Per VRF AAA Using Local Customer Templates
- Configuring AAA
- Configuring Server Groups
- Configuring Authentication Authorization and Accounting for Per VRF AAA
- Configuring Authorization for Per VRF AAA with Local Customer Templates
- Configuring Local Customer Templates
Configuring AAA
Perform the tasks as outlined in the Configuring Per VRF AAA.
Configuring Server Groups
Perform the tasks as outlined in the Configuring Server Groups.
Configuring Authentication Authorization and Accounting for Per VRF AAA
Perform the tasks as outlined in the Configuring Authentication Authorization and Accounting for Per VRF AAA.
Configuring Authorization for Per VRF AAA with Local Customer Templates
To configure authorization for Per VRF AAA with local templates, you need to complete the following steps.
1.
enable
2.
configure
terminal
3.
aaa
authorization
template
4.
aaa
authorization
network
default
local
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
aaa
authorization
template
Example: Router(config)# aaa authorization template |
Enables the use of local or remote templates. |
Step 4 |
aaa
authorization
network
default
local
Example: Router(config)# aaa authorization network default local |
Specifies local as the default method for authorization. |
Configuring Local Customer Templates
To configure local customer templates, you need to complete the following steps.
1.
enable
2.
configure
terminal
3.
vpdn
search-order
domain
4.
template
name
[default | exit | multilink | no | peer | ppp]
5.
peer
default
ip
address
pool
pool-name
6.
ppp
authentication
{protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time]
7.
ppp
authorization
[default | list-name]
8.
aaa
accounting
{auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname
9.
exit
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
| ||
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. | ||
Step 3 |
vpdn
search-order
domain
Example: Router (config)# vpdn search-order domain |
Looks up the profiles based on domain. | ||
Step 4 |
template
name
[default | exit | multilink | no | peer | ppp] Example: Router (config)# template v2.44.com |
Creates a customer profile template and assigns a unique name that relates to the customer that will be receiving it. Enters template configuration mode.
| ||
Step 5 |
peer
default
ip
address
pool
pool-name
Example: Router(config-template)# peer default ip address pool v2_44_com_pool |
(Optional) Specifies that the customer profile to which this template is attached will use a local IP address pool with the specified name. | ||
Step 6 |
ppp
authentication
{protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time] Example: Router(config-template)# ppp authentication chap |
(Optional) Sets the PPP link authentication method. | ||
Step 7 |
ppp
authorization
[default | list-name] Example: Router(config-template)# ppp authorization v2_44_com |
(Optional) Sets the PPP link authorization method. | ||
Step 8 |
aaa
accounting
{auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname Example: Router(config-template)# aaa accounting v2_44_com |
(Optional) Enables AAA operational parameters for the specified customer profile. | ||
Step 9 |
exit
Example: Router(config-template)# exit |
Exits from template configuration mode; returns to global configuration mode. |
Configuring Per VRF AAA Using Remote Customer Templates
- Configuring AAA
- Configuring Server Groups
- Configuring Authentication for Per VRF AAA with Remote Customer Profiles
- Configuring Authorization for Per VRF AAA with Remote Customer Profiles
- Configuring the RADIUS Profile on the SP RADIUS Server
Configuring AAA
Perform the tasks as outlined in the Configuring Per VRF AAA.
Configuring Server Groups
Perform the tasks as outlined in the Configuring Server Groups.
Configuring Authentication for Per VRF AAA with Remote Customer Profiles
To configure authentication for Per VRF AAA with remote customer profiles, you need to perform the following steps.
1.
enable
2.
configure
terminal
3.
aaa
authentication
ppp
{default | list-name} method1 [method2...]
4.
aaa
authorization
{network | exec | commands level | reverse-access | configuration} {default | list-name} [[method1 [method2...]
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
aaa
authentication
ppp
{default | list-name} method1 [method2...] Example: Router(config)# ppp authentication ppp default group radius |
Specifies one or more authentication, authorization, and accounting (AAA) authentication methods for use on serial interfaces that are running PPP. |
Step 4 |
aaa
authorization
{network | exec | commands level | reverse-access | configuration} {default | list-name} [[method1 [method2...] Example: Router(config)# aaa authorization network default group sp |
Sets parameters that restrict user access to a network. |
Configuring Authorization for Per VRF AAA with Remote Customer Profiles
To configuring authorization for Per VRF AAA with remote customer profiles, you need to perform the following step.
1.
enable
2.
configure
terminal
3.
aaa
authorization
template
4.
aaa
authorization
{network | exec | commands level | reverse-access | configuration} {default | list-name} [[method1 [method2...]
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
aaa
authorization
template
Example: Router(config)# aaa authorization template |
Enables use of local or remote templates. |
Step 4 |
aaa
authorization
{network | exec | commands level | reverse-access | configuration} {default | list-name} [[method1 [method2...] Example: Router(config)# aaa authorization network default sp |
Specifies the server group that is named as the default method for authorization. |
Configuring the RADIUS Profile on the SP RADIUS Server
Configure the RADIUS profile on the Service Provider (SP) RADIUS server. See the Per VRF AAA Using a Remote RADIUS Customer Template Example for an example of how to update the RADIUS profile.
Verifying VRF Routing Configurations
To verify VRF routing configurations, you need to complete the following steps:
1.
enable
2.
configure
terminal
3. show ip route vrf vrf-name
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable
Example: Router> enable |
Enables privileged EXEC mode.
|
Step 2 |
configure
terminal
Example: Router# configure terminal |
Enters global configuration mode. |
Step 3 |
show ip route vrf vrf-name Example: Router(config)# show ip route vrf northvrf |
Displays the IP routing table associated with a VRF. |
Troubleshooting Per VRF AAA Configurations
To troubleshoot the Per VRF AAA feature, use at least one of the following commands in EXEC mode:
Command |
Purpose |
---|---|
Router# debug aaa accounting
|
Displays information on accountable events as they occur. |
Router# debug aaa authentication
|
Displays information on AAA authentication. |
Router# debug aaa authorization
|
Displays information on AAA authorization. |
Router# debug ppp negotiation
|
Displays information on traffic and exchanges in an internetwork implementing PPP. |
Router# debug radius
|
Displays information associated with RADIUS. |
Router# debug vpdn event
|
Displays Layer 2 Transport Protocol (L2TP) errors and events that are a part of normal tunnel establishment or shutdown for VPNs. |
Router# debug vpdn error
|
Displays debug traces for VPN. |
Configuration Examples for Per VRF AAA
Per VRF Configuration Examples
- Per VRF AAA Example
- Per VRF AAA Using a Locally Defined Customer Template Example
- Per VRF AAA Using a Remote RADIUS Customer Template Example
Per VRF AAA Example
The following example shows how to configure the Per VRF AAA feature using a AAA server group with associated private servers:
aaa new-model aaa authentication ppp method_list_v1.55.com group v1.55.com aaa authorization network method_list_v1.55.com group v1.55.com aaa accounting network method_list_v1.55.com start-stop group v1.55.com aaa accounting system default vrf v1.55.com start-stop group v1.55.com aaa accounting delay-start vrf v1.55.com aaa accounting send stop-record authentication failure vrf v1.55.com aaa group server radius v1.55.com server-private 10.10.132.4 auth-port 1645 acct-port 1646 key ww ip vrf forwarding v1.55.com ip radius source-interface loopback55 radius-server attribute 44 include-in-access-req vrf v1.55.com
Per VRF AAA Using a Locally Defined Customer Template Example
The following example shows how to configure the Per VRF AAA feature using a locally defined customer template with a AAA server group that has associated private servers:
aaa new-model aaa authentication ppp method_list_v1.55.com group v1.55.com aaa authorization network method_list_v1.55.com group v1.55.com aaa authorization network default local aaa authorization template aaa accounting network method_list_v1.55.com start-stop group v1.55.com aaa accounting system default vrf v1.55.com start-stop group v1.55.com aaa group server radius V1_55_com server-private 10.10.132.4 auth-port 1645 acct-port 1646 key ww ip vrf forwarding V1.55.com template V1.55.com peer default ip address pool V1_55_com_pool ppp authentication chap callin V1_55_com ppp authorization V1_55_com ppp accounting V1_55_com aaa accounting delay-start aaa accounting send stop-record authentication failure radius-server attribute 44 include-in-access-req ip vrf forwarding v1.55.com ip radius source-interface Loopback55
Per VRF AAA Using a Remote RADIUS Customer Template Example
The following examples shows how to configure the Per VRF AAA feature using a remotely defined customer template on the SP RADIUS server with a AAA server group that has associated private servers:
aaa new-model aaa authentication ppp default group radius aaa authorization template aaa authorization network default group sp aaa group server radius sp server 10.3.3.3 radius-server host 10.3.3.3 auth-port 1645 acct-port 1646 key sp_key
The following RADIUS server profile is configured on the SP RADIUS server:
cisco-avpair = "aaa:rad-serv#1=10.10.132.4 key ww" cisco-avpair = "aaa:rad-serv-vrf#1=V1.55.com" cisco-avpair = "aaa:rad-serv-source-if#1=Loopback 55" cisco-avpair = "template:ppp-authen-list=group 1" cisco-avpair = "template:ppp-author-list=group 1" cisco-avpair = "template:ppp-acct-list= start-stop group 1" cisco-avpair = "template:account-delay=on" cisco-avpair = "template:account-send-stop=on" cisco-avpair = "template:rad-attr44=access-req" cisco-avpair = "template:peer-ip-pool=V1.55-pool" cisco-avpair = "template:ip-vrf=V1.55.com" cisco-avpair = "template:ip-unnumbered=Loopback 55" framed-protocol = ppp service-type = framed
Customer Template Examples
- Locally Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting Example
- Remotely Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting Example
Locally Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting Example
The following example shows how to create a locally configured template for a single customer, configuring additional features including RADIUS attribute screening and broadcast accounting:
aaa authentication ppp default local group radius aaa authentication ppp V1_55_com group V1_55_com aaa authorization template aaa authorization network default local group radius aaa authorization network V1_55_com group V1_55_com aaa accounting network V1_55_com start-stop broadcast group V1_55_com group SP_AAA_server aaa group server radius SP_AAA_server server 10.10.100.7 auth-port 1645 acct-port 1646 aaa group server radius V1_55_com server-private 10.10.132.4 auth-port 1645 acct-port 1646 authorization accept min-author accounting accept usage-only ip vrf forwarding V1.55.com ip vrf V1.55.com rd 1:55 route-target export 1:55 route-target import 1:55 template V1.55.com peer default ip address pool V1.55-pool ppp authentication chap callin V1_55_com ppp authorization V1_55_com ppp accounting V1_55_com aaa accounting delay-start aaa accounting send stop-record authentication failure radius-server attribute 44 include-in-access-req vpdn-group V1.55 accept-dialin protocol l2tp virtual-template 13 terminate-from hostname lac-lb-V1.55 source-ip 10.10.104.12 lcp renegotiation always l2tp tunnel password 7 060506324F41 interface Virtual-Template13 ip vrf forwarding V1.55.com ip unnumbered Loopback55 ppp authentication chap callin ppp multilink ip local pool V1.55-pool 10.1.55.10 10.1.55.19 group V1.55-group ip radius source-interface Loopback0 ip radius source-interface Loopback55 vrf V1.55.com radius-server attribute list min-author attribute 6-7,22,27-28,242 radius-server attribute list usage-only attribute 1,40,42-43,46 radius-server host 10.10.100.7 auth-port 1645 acct-port 1646 key ww radius-server host 10.10.132.4 auth-port 1645 acct-port 1646 key ww
Remotely Configured Customer Template with RADIUS Attribute Screening and Broadcast Accounting Example
The following example shows how to create a remotely configured template for a single customer, configuring additional features including RADIUS attribute screening and broadcast accounting:
aaa authentication ppp default local group radius aaa authorization template aaa authorization network default local group radius ip vrf V1.55.com rd 1:55 route-target export 1:55 route-target import 1:55 vpdn-group V1.55 accept-dialin protocol l2tp virtual-template 13 terminate-from hostname lac-lb-V1.55 source-ip 10.10.104.12 lcp renegotiation always l2tp tunnel password 7 060506324F41 interface Virtual-Template13 no ip address ppp authentication chap callin ppp multilink ip local pool V1.55-pool 10.1.55.10 10.1.55.19 group V1.55-group radius-server attribute list min-author attribute 6-7,22,27-28,242 radius-server attribute list usage-only attribute 1,40,42-43,46
The customer template is stored as a RADIUS server profile for v1.55.com.
cisco-avpair = "aaa:rad-serv#1=10.10.132.4 key ww" cisco-avpair = "aaa:rad-serv-vrf#1=V1.55.com" cisco-avpair = "aaa:rad-serv-source-if#1=Loopback 55" cisco-avpair = "aaa:rad-serv#2=10.10.100.7 key ww" cisco-avpair = "aaa:rad-serv-source-if#2=Loopback 0" cisco-avpair = "template:ppp-authen-list=group 1" cisco-avpair = "template:ppp-author-list=group 1" cisco-avpair = "template:ppp-acct-list= start-stop group 1 group 2 broadcast" cisco-avpair = "template:account-delay=on" cisco-avpair = "template:account-send-stop=on" cisco-avpair = "template:rad-attr44=access-req" cisco-avpair = "aaa:rad-serv-filter#1=authorization accept min-author" cisco-avpair = "aaa:rad-serv-filter#1=accounting accept usage-only" cisco-avpair = "template:peer-ip-pool=V1.55-pool" cisco-avpair = "template:ip-vrf=V1.55.com" cisco-avpair = "template:ip-unnumbered=Loopback 55" framed-protocol = ppp service-type = framed
AAA Accounting Stop Record Examples
The following AAA accounting stop record examples show how to configure the aaa accounting send stop-record authentication command to control the generation of “stop” records when the aaa accounting command is issued with the start-stop or stop-only keyword.
Note | The success and remote-server keywords are available in Cisco IOS XE Release 2.4 and later releases. |
- AAA Accounting Stop Record and Rejected Call Example
- AAA Accounting Stop Record and Successful Call Example
AAA Accounting Stop Record and Rejected Call Example
The following example shows the “stop” record being sent for a rejected call during authentication when the aaa accounting send stop-record authenticationcommand is issued with the success keyword.
Router# show running-config | include aaa . . . aaa new-model aaa authentication ppp default group radius aaa authorization network default local aaa accounting send stop-record authentication success remote-server aaa accounting network default start-stop group radius Router# *Jul 7 03:39:40.199: AAA/BIND(00000026): Bind i/f Virtual-Template2 *Jul 7 03:39:40.199: ppp21 AAA/AUTHOR/LCP: Authorization succeeds trivially *Jul 7 03:39:42.199: RADIUS/ENCODE(00000026):Orig. component type = PPoE *Jul 7 03:39:42.199: RADIUS: AAA Unsupported [156] 7 *Jul 7 03:39:42.199: RADIUS: 30 2F 30 2F 30 [0/0/0] *Jul 7 03:39:42.199: RADIUS(00000026): Config NAS IP: 10.0.0.0 *Jul 7 03:39:42.199: RADIUS/ENCODE(00000026): acct_session_id: 55 *Jul 7 03:39:42.199: RADIUS(00000026): sending *Jul 7 03:39:42.199: RADIUS/ENCODE: Best Local IP-Address 10.0.1.123 for Radius-Server 172.19.192.238 *Jul 7 03:39:42.199: RADIUS(00000026): Send Access-Request to 172.19.192.238:2195 id 1645/14, len 94 *Jul 7 03:39:42.199: RADIUS: authenticator A6 D1 6B A4 76 9D 52 CF - 33 5D 16 BE AC 7E 5F A6 *Jul 7 03:39:42.199: RADIUS: Framed-Protocol [7] 6 PPP [1] *Jul 7 03:39:42.199: RADIUS: User-Name [1] 16 "user@example.com" *Jul 7 03:39:42.199: RADIUS: CHAP-Password [3] 19 * *Jul 7 03:39:42.199: RADIUS: NAS-Port-Type [61] 6 Virtual [5] *Jul 7 03:39:42.199: RADIUS: NAS-Port [5] 6 0 *Jul 7 03:39:42.199: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0" *Jul 7 03:39:42.199: RADIUS: Service-Type [6] 6 Framed [2] *Jul 7 03:39:42.199: RADIUS: NAS-IP-Address [4] 6 10.0.1.123 *Jul 7 03:39:42.271: RADIUS: Received from id 1645/14 172.19.192.238:2195, Access-Accept, len 194 *Jul 7 03:39:42.271: RADIUS: authenticator 30 AD FF 8E 59 0C E4 6C - BA 11 23 63 81 DE 6F D7 *Jul 7 03:39:42.271: RADIUS: Framed-Protocol [7] 6 PPP [1] *Jul 7 03:39:42.275: RADIUS: Service-Type [6] 6 Framed [2] *Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 26 *Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 20 "vpdn:tunnel- id=lac" *Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 29 *Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 23 "vpdn:tunnel- type=l2tp" *Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 30 *Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 24 "vpdn:gw- password=cisco" *Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 31 *Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 25 "vpdn:nas- password=cisco" *Jul 7 03:39:42.275: RADIUS: Vendor, Cisco [26] 34 *Jul 7 03:39:42.275: RADIUS: Cisco AVpair [1] 28 "vpdn:ip- addresses=10.0.0.2" *Jul 7 03:39:42.275: RADIUS: Service-Type [6] 6 Framed [2] *Jul 7 03:39:42.275: RADIUS: Framed-Protocol [7] 6 PPP [1] *Jul 7 03:39:42.275: RADIUS(00000026): Received from id 1645/14 *Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: Framed-Protocol *Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: service-type *Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: tunnel-id *Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: tunnel-type *Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: gw-password *Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: nas-password *Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: ip-addresses *Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: service-type *Jul 7 03:39:42.275: ppp21 PPP/AAA: Check Attr: Framed-Protocol *Jul 7 03:39:42.279: AAA/BIND(00000027): Bind i/f *Jul 7 03:39:42.279: Tnl 21407 L2TP: O SCCRQ *Jul 7 03:39:42.279: Tnl 21407 L2TP: O SCCRQ, flg TLS, ver 2, len 134, tnl 0, ns 0, nr 0 C8 02 00 86 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 00 08 00 00 00 06 11 30 80 09 00 00 00 07 6C 61 63 00 19 00 00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6D 73 2C 20 49 6E 63 2E 80 ... *Jul 7 03:39:49.279: Tnl 21407 L2TP: O StopCCN *Jul 7 03:39:49.279: Tnl 21407 L2TP: O StopCCN, flg TLS, ver 2, len 66, tnl 0, ns 1, nr 0 C8 02 00 42 00 00 00 00 00 01 00 00 80 08 00 00 00 00 00 04 80 1E 00 00 00 01 00 02 00 06 54 6F 6F 20 6D 61 6E 79 20 72 65 74 72 61 6E 73 6D 69 74 73 00 08 00 09 00 69 00 01 80 08 00 00 00 09 53 9F *Jul 7 03:39:49.279: RADIUS/ENCODE(00000026):Orig. component type = PPoE *Jul 7 03:39:49.279: RADIUS(00000026): Config NAS IP: 10.0.0.0 *Jul 7 03:39:49.279: RADIUS(00000026): sending *Jul 7 03:39:49.279: RADIUS/ENCODE: Best Local IP-Address 10.0.1.123 for Radius-Server 172.19.192.238 *Jul 7 03:39:49.279: RADIUS(00000026): Send Accounting-Request to 172.19.192.238:2196 id 1646/32, len 179 *Jul 7 03:39:49.279: RADIUS: authenticator 0A 85 2F F0 65 6F 25 E1 - 97 54 CC BF EA F7 62 89 *Jul 7 03:39:49.279: RADIUS: Acct-Session-Id [44] 10 "00000037" *Jul 7 03:39:49.279: RADIUS: Framed-Protocol [7] 6 PPP [1] *Jul 7 03:39:49.279: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1] *Jul 7 03:39:49.279: RADIUS: Tunnel-Client-Endpoi[66] 10 "10.0.0.1" *Jul 7 03:39:49.279: RADIUS: Tunnel-Server-Endpoi[67] 10 "10.0.0.2" *Jul 7 03:39:49.283: RADIUS: Tunnel-Type [64] 6 00:L2TP [3] *Jul 7 03:39:49.283: RADIUS: Acct-Tunnel-Connecti[68] 3 "0" *Jul 7 03:39:49.283: RADIUS: Tunnel-Client-Auth-I[90] 5 "lac" *Jul 7 03:39:49.283: RADIUS: User-Name [1] 16 "user@example.com" *Jul 7 03:39:49.283: RADIUS: Acct-Authentic [45] 6 RADIUS [1] *Jul 7 03:39:49.283: RADIUS: Acct-Session-Time [46] 6 0 *Jul 7 03:39:49.283: RADIUS: Acct-Input-Octets [42] 6 0 *Jul 7 03:39:49.283: RADIUS: Acct-Output-Octets [43] 6 0 *Jul 7 03:39:49.283: RADIUS: Acct-Input-Packets [47] 6 0 *Jul 7 03:39:49.283: RADIUS: Acct-Output-Packets [48] 6 0 *Jul 7 03:39:49.283: RADIUS: Acct-Terminate-Cause[49] 6 nas- error [9] *Jul 7 03:39:49.283: RADIUS: Acct-Status-Type [40] 6 Stop [2] *Jul 7 03:39:49.283: RADIUS: NAS-Port-Type [61] 6 Virtual [5] *Jul 7 03:39:49.283: RADIUS: NAS-Port [5] 6 0 *Jul 7 03:39:49.283: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0" *Jul 7 03:39:49.283: RADIUS: Service-Type [6] 6 Framed [2] *Jul 7 03:39:49.283: RADIUS: NAS-IP-Address [4] 6 10.0.1.123 *Jul 7 03:39:49.283: RADIUS: Acct-Delay-Time [41] 6 0 *Jul 7 03:39:49.335: RADIUS: Received from id 1646/32 172.19.192.238:2196, Accounting-response, len 20 *Jul 7 03:39:49.335: RADIUS: authenticator C8 C4 61 AF 4D 9F 78 07 - 94 2B 44 44 17 56 EC 03
AAA Accounting Stop Record and Successful Call Example
The following example shows “start” and “stop” records being sent for a successful call when the aaa accounting send stop-record authentication command is issued with the failure keyword.
Router# show running-config | include aaa . . . aaa new-model aaa authentication ppp default group radius aaa authorization network default local aaa accounting send stop-record authentication failure aaa accounting network default start-stop group radius . . . *Jul 7 03:28:31.543: AAA/BIND(00000018): Bind i/f Virtual-Template2 *Jul 7 03:28:31.547: ppp14 AAA/AUTHOR/LCP: Authorization succeeds trivially *Jul 7 03:28:33.555: AAA/AUTHOR (0x18): Pick method list 'default' *Jul 7 03:28:33.555: AAA/BIND(00000019): Bind i/f *Jul 7 03:28:33.555: Tnl 5192 L2TP: O SCCRQ *Jul 7 03:28:33.555: Tnl 5192 L2TP: O SCCRQ, flg TLS, ver 2, len 141, tnl 0, ns 0, nr 0 C8 02 00 8D 00 00 00 00 00 00 00 00 80 08 00 00 00 00 00 01 80 08 00 00 00 02 01 00 00 08 00 00 00 06 11 30 80 10 00 00 00 07 4C 41 43 2D 74 75 6E 6E 65 6C 00 19 00 00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6D 73 ... *Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 0, len 8, flag 0x8000 (M) *Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse SCCRP *Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 2, len 8, flag 0x8000 (M) *Jul 7 03:28:33.563: Tnl 5192 L2TP: Protocol Ver 256 *Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 3, len 10, flag 0x8000 (M) *Jul 7 03:28:33.563: Tnl 5192 L2TP: Framing Cap 0x0 *Jul 7 03:28:33.563: Tnl 5192 L2TP: Parse AVP 4, len 10, flag 0x8000 (M) *Jul 7 03:28:33.567: Tnl 5192 L2TP: Bearer Cap 0x0 *Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 6, len 8, flag 0x0 *Jul 7 03:28:33.567: Tnl 5192 L2TP: Firmware Ver 0x1120 *Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 7, len 16, flag 0x8000 (M) *Jul 7 03:28:33.567: Tnl 5192 L2TP: Hostname LNS-tunnel *Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 8, len 25, flag 0x0 *Jul 7 03:28:33.567: Tnl 5192 L2TP: Vendor Name Cisco Systems, Inc. *Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 9, len 8, flag 0x8000 (M) *Jul 7 03:28:33.567: Tnl 5192 L2TP: Assigned Tunnel ID 6897 *Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 10, len 8, flag 0x8000 (M) *Jul 7 03:28:33.567: Tnl 5192 L2TP: Rx Window Size 20050 *Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 11, len 22, flag 0x8000 (M) *Jul 7 03:28:33.567: Tnl 5192 L2TP: Chlng 81 13 03 F6 A8 E4 1D DD 25 18 25 6E 67 8C 7C 39 *Jul 7 03:28:33.567: Tnl 5192 L2TP: Parse AVP 13, len 22, flag 0x8000 (M) *Jul 7 03:28:33.567: Tnl 5192 L2TP: Chlng Resp 4D 52 91 DC 1A 43 B3 31 B4 F5 B8 E1 88 22 4F 41 *Jul 7 03:28:33.571: Tnl 5192 L2TP: No missing AVPs in SCCRP *Jul 7 03:28:33.571: Tnl 5192 L2TP: I SCCRP, flg TLS, ver 2, len 157, tnl 5192, ns 0, nr 1 contiguous pak, size 157 C8 02 00 9D 14 48 00 00 00 00 00 01 80 08 00 00 00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00 00 03 00 00 00 00 80 0A 00 00 00 04 00 00 00 00 00 08 00 00 00 06 11 20 80 10 00 00 00 07 4C 4E 53 2D 74 75 6E 6E 65 6C ... *Jul 7 03:28:33.571: Tnl 5192 L2TP: I SCCRP from LNS-tunnel *Jul 7 03:28:33.571: Tnl 5192 L2TP: O SCCCN to LNS-tunnel tnlid 6897 *Jul 7 03:28:33.571: Tnl 5192 L2TP: O SCCCN, flg TLS, ver 2, len 42, tnl 6897, ns 1, nr 1 C8 02 00 2A 1A F1 00 00 00 01 00 01 80 08 00 00 00 00 00 03 80 16 00 00 00 0D 32 24 17 BC 6A 19 B1 79 F3 F9 A9 D4 67 7D 9A DB *Jul 7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ to LNS-tunnel 6897/0 *Jul 7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ, flg TLS, ver 2, len 63, tnl 6897, lsid 11, rsid 0, ns 2, nr 1 C8 02 00 3F 1A F1 00 00 00 02 00 01 80 08 00 00 00 00 00 0A 80 0A 00 00 00 0F C8 14 B4 03 80 08 00 00 00 0E 00 0B 80 0A 00 00 00 12 00 00 00 00 00 0F 00 09 00 64 0F 10 09 02 02 00 1B 00 00 *Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse AVP 0, len 8, flag 0x8000 (M) *Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse ICRP *Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse AVP 14, len 8, flag 0x8000 (M) *Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Assigned Call ID 5 *Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: No missing AVPs in ICRP *Jul 7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: I ICRP, flg TLS, ver 2, len 28, tnl 5192, lsid 11, rsid 0, ns 1, nr 3 contiguous pak, size 28 C8 02 00 1C 14 48 00 0B 00 01 00 03 80 08 00 00 00 00 00 0B 80 08 00 00 00 0E 00 05 *Jul 7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN to LNS-tunnel 6897/5 *Jul 7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN, flg TLS, ver 2, len 167, tnl 6897, lsid 11, rsid 5, ns 3, nr 2 C8 02 00 A7 1A F1 00 05 00 03 00 02 80 08 00 00 00 00 00 0C 80 0A 00 00 00 18 06 1A 80 00 00 0A 00 00 00 26 06 1A 80 00 80 0A 00 00 00 13 00 00 00 01 00 15 00 00 00 1B 01 04 05 D4 03 05 C2 23 05 05 06 0A 0B E2 7A ... *Jul 7 03:28:33.579: RADIUS/ENCODE(00000018):Orig. component type = PPoE *Jul 7 03:28:33.579: RADIUS(00000018): Config NAS IP: 10.0.0.0 *Jul 7 03:28:33.579: RADIUS(00000018): sending *Jul 7 03:28:33.579: RADIUS/ENCODE: Best Local IP-Address 10.0.1.123 for Radius-Server 172.19.192.238 *Jul 7 03:28:33.579: RADIUS(00000018): Send Accounting-Request to 172.19.192.238:2196 id 1646/23, len 176 *Jul 7 03:28:33.579: RADIUS: authenticator 3C 81 D6 C5 2B 6D 21 8E - 19 FF 43 B5 41 86 A8 A5 *Jul 7 03:28:33.579: RADIUS: Acct-Session-Id [44] 10 "00000023" *Jul 7 03:28:33.579: RADIUS: Framed-Protocol [7] 6 PPP [1] *Jul 7 03:28:33.579: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1] *Jul 7 03:28:33.583: RADIUS: Tunnel-Client-Endpoi[66] 10 "10.0.0.1" *Jul 7 03:28:33.583: RADIUS: Tunnel-Server-Endpoi[67] 10 "10.0.0.2" *Jul 7 03:28:33.583: RADIUS: Tunnel-Assignment-Id[82] 5 "lac" *Jul 7 03:28:33.583: RADIUS: Tunnel-Type [64] 6 00:L2TP [3] *Jul 7 03:28:33.583: RADIUS: Acct-Tunnel-Connecti[68] 12 "3356800003" *Jul 7 03:28:33.583: RADIUS: Tunnel-Client-Auth-I[90] 12 "LAC-tunnel" *Jul 7 03:28:33.583: RADIUS: Tunnel-Server-Auth-I[91] 12 "LNS-tunnel" *Jul 7 03:28:33.583: RADIUS: User-Name [1] 16 "user@example.com" *Jul 7 03:28:33.583: RADIUS: Acct-Authentic [45] 6 Local [2] *Jul 7 03:28:33.583: RADIUS: Acct-Status-Type [40] 6 Start [1] *Jul 7 03:28:33.583: RADIUS: NAS-Port-Type [61] 6 Virtual [5] *Jul 7 03:28:33.583: RADIUS: NAS-Port [5] 6 0 *Jul 7 03:28:33.583: RADIUS: NAS-Port-Id [87] 9 "0/0/0/0" *Jul 7 03:28:33.583: RADIUS: Service-Type [6] 6 Framed [2] *Jul 7 03:28:33.583: RADIUS: NAS-IP-Address [4] 6 10.0.1.123 *Jul 7 03:28:33.583: RADIUS: Acct-Delay-Time [41] 6 0 *Jul 7 03:28:33.683: RADIUS: Received from id 1646/23 172.19.192.238:2196, Accounting-response, len 20 *Jul 7 03:28:33.683: RADIUS: authenticator 1C E9 53 42 A2 8A 58 9A - C3 CC 1D 79 9F A4 6F 3A
Additional References
The following sections provide references related to Per VRF AAA.
Related Documents
Related Topic |
Document Title |
---|---|
Configuring server groups |
Configuring RADIUS chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2. |
RADIUS attribute screening |
RADIUS Attribute Value Screening chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2. |
Configuring broadcast accounting |
Configuring Accounting chapter in the Cisco IOS XE Security Configuration Guide: Securing User Services, Release 2. |
Cisco IOS Security Commands |
Cisco IOS Security Command Reference |
Cisco IOS Switching Services Commands |
Cisco IOS IP Switching Command Reference |
Configuring Multiprotocol Label Switching |
Cisco IOS XE Multiprotocol Label Switching Configuration Guide, Release 2 |
Configuring virtual templates |
Virtual Templates and Profiles section of the Cisco IOS XE Dial Technologies Configuration Guide, Release 2 |
Standards
Standards |
Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
-- |
MIBs
MIBs |
MIBs Link |
---|---|
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFCs |
Title |
---|---|
No new or modified RFCs are supported by this feature. |
-- |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Per VRF AAA
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Per VRF AAA |
Cisco IOS XE Release 2.1 |
The Per VRF AAA feature allows authentication, authorization, and accounting (AAA) on the basis of Virtual Private Network (VPN) routing and forwarding (VRF) instances. In Cisco IOS XE Release 2.1, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. The following commands were introduced or modified: aaa accounting, aaa accounting delay-start, ip radius source-interface, server-private (RADIUS), ip vrf forwarding (server-group), radius-server domain-stripping, aaa authorization template. |
RADIUS Per-VRF Server Group |
Cisco IOS XE Release 2.1 |
Using the Radius Per-VRF Server Group feature, Internet Service Providers (ISPs) can partition RADIUS server groups based on Virtual Route Forwarding (VRF). This means that you can define RADIUS server groups that belong to a VRF. This feature is supported by “aaa: rad-serv-vrf” VSA. In Cisco IOS XE Release 2.1, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. The following commands were introduced or modified: ip vrf forwarding. |
Attribute Filtering Per-Domain and VRF Aware Framed-Routes |
Cisco IOS XE Release 2.3 |
The Attribute Filtering Per-Domain and VRF Aware Framed-Routes feature allows for attribute filtering per-domain and VRF aware Framed-Routes. It introduces support for the “aaa:rad-serv-filter” VSA. In Cisco IOS XE Release 2.3, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. |
AAA CLI Stop Record Enhancement |
Cisco IOS XE Release 2.4 |
The AAA CLI Stop Record Enhancement feature enables sending an accounting stop record only when an access accept is received from the AAA server. In Cisco IOS XE Release 2.4, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. The following commands were introduced or modified: aaa accounting send stop-record authentication. |
Dynamic Per VRF AAA |
Cisco IOS XE Release 2.4 |
The Dynamic Per VRF AAA feature allows you to use a customer template, which may be stored either locally or remotely, and AAA services can be performed on the information that is stored in the customer template. In Cisco IOS XE Release 2.4, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. |
Glossary
AAA--authentication, authorization, and accounting. A framework of security services that provide the method for identifying users (authentication), for remote access control (authorization), and for collecting and sending security server information used for billing, auditing, and reporting (accounting).
L2TP--Layer 2 Tunnel Protocol. A Layer 2 tunneling protocol that enables an ISP or other access service to create a virtual tunnel to link customer remote sites or remote users with corporate home networks. In particular, a network access server (NAS) at the ISP point of presence (POP) exchanges PPP messages with the remote users and communicates by L2F or L2TP requests and responses with the customer tunnel server to set up tunnels.
PE--Provider Edge. Networking devices that are located on the edge of a service provider network.
RADIUS --Remote Authentication Dial-In User Service. RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
VPN --Virtual Private Network. A system that permits dial-in networks to exist remotely to home networks, while giving the appearance of being directly connected. VPNs use L2TP and L2F to terminate the Layer 2 and higher parts of the network connection at the LNS instead of the LAC.
VRF --Virtual Route Forwarding. Initially, a router has only one global default routing/forwarding table. VRFs can be viewed as multiple disjoined routing/forwarding tables, where the routes of a user have no correlation with the routes of another user.