Restrictions for Multicast User Authentication and Profile Support
The port, interface, VC, or VLAN ID is the user or subscriber identity. User identity by hostname, user ID, or password is not supported.
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The port, interface, VC, or VLAN ID is the user or subscriber identity. User identity by hostname, user ID, or password is not supported.
IPv6 multicast by design allows any host in the network to become a receiver or a source for a multicast group. Therefore, multicast access control is needed to control multicast traffic in the network. Access control functionality consists mainly of source access control and accounting, receiver access control and accounting, and provisioning of this access control mechanism.
Multicast access control provides an interface between multicast and authentication, authorization, and accounting (AAA) for provisioning, authorizing, and accounting at the last-hop device, receiver access control functions in multicast, and group or channel disabling capability in multicast.
When you deploy a new multicast service environment, it is necessary to add user authentication and provide a user profile download on a per-interface basis. The use of AAA and IPv6 multicast supports user authentication and downloading of the user profile in a multicast environment.
The event that triggers the download of a multicast access-control profile from the RADIUS server to the access device is arrival of an MLD join on the access device. When this event occurs, a user can cause the authorization cache to time out and request download periodically or use an appropriate multicast clear command to trigger a new download in case of profile changes.
Accounting occurs via RADIUS accounting. Start and stop accounting records are sent to the RADIUS server from the access device. In order for you to track resource consumption on a per-stream basis, these accounting records provide information about the multicast source and group. The start record is sent when the last-hop device receives a new MLD report, and the stop record is sent upon MLD leave or if the group or channel is deleted for any reason.
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode.
|
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
aaa new-model Example:
|
Enables the AAA access control system. |
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode.
|
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
aaa authorization multicast default [method3 | method4 Example:
|
Enables AAA authorization and sets parameters that restrict user access to an IPv6 multicast network. |
Step 4 |
aaa accounting multicast default [start-stop | stop-only ] [broadcast ] [method1 ] [method2 ] [method3 ] [method4 Example:
|
Enables AAA accounting of IPv6 multicast services for billing or security purposes when you use RADIUS. |
Step 5 |
interface type number Example:
|
Specifies an interface type and number, and places the device in interface configuration mode. |
Step 6 |
ipv6 multicast aaa account receive access-list-name [throttle throttle-number Example:
|
Enables AAA accounting on specified groups or channels. |
In some situations, access control may be needed to prevent multicast traffic from being received unless the subscriber is authenticated and the channels are authorized as per access control profiles. That is, there should be no traffic at all unless specified otherwise by access control profiles.
Command or Action | Purpose | |
---|---|---|
Step 1 |
enable Example:
|
Enables privileged EXEC mode.
|
Step 2 |
configure terminal Example:
|
Enters global configuration mode. |
Step 3 |
ipv6 multicast group-range [access-list-name ] Example:
|
Disables multicast protocol actions and traffic forwarding for unauthorized groups or channels on all the interfaces in a device. |
Device(config)# aaa new-model
Device(config)# aaa authorization multicast default
Device(config)# aaa accounting multicast default
Device(config)# interface FastEthernet 1/0
Device(config-if)# ipv6 multicast aaa account receive list1
Related Topic |
Document Title |
---|---|
IPv6 addressing and connectivity |
IPv6 Configuration Guide |
IPv4 services configuration |
IP Application Services Configuration Guide |
Cisco IOS commands |
|
IPv6 commands |
Cisco IOS IPv6 Command Reference |
Cisco IOS IPv6 features |
Standard/RFC |
Title |
---|---|
RFCs for IPv6 |
IPv6 RFCs |
MIB |
MIBs Link |
---|---|
None. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to https://cfnng.cisco.com/. An account on Cisco.com is not required.