Step 1
|
enable
|
Enables privileged EXEC mode.
|
Step 2
|
configure terminal
Device# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa intercept
Device(config)# aaa intercept
|
Enables lawful intercept on the router.
|
Step 4
|
aaa authentication ppp default group radius
Device(config)# aaa authentication ppp default group radius
|
Specifies the authentication method to use on the serial interfaces that are running Point-to-Point Protocol (PPP).
Note
|
This command is required because tap information resides only on the RADIUS server. You can authenticate with locally configured information, but you cannot specify a tap with locally configured information.
|
|
Step 5
|
aaa accounting delay-start all
Device(config)# aaa accounting delay-start all
|
Delays the generation of accounting start records until the user IP address is established. Specifying the all keyword ensures that the delay applies to all VRF and non-VRF users.
Note
|
This command is required so that the mediation device can see the IP address assigned to the target.
|
|
Step 6
|
aaa accounting send stop-record authentication failure
Device(config)# aaa accounting send stop-record authentication failure
|
(Optional) Generates accounting stop records for users who fail to authenticate while logging in or during session negotiation.
Note
|
If a lawful intercept action of 1 does not start the tap, the stop record contains Acct-Termination-Cause, attribute 49, set to 15 (Service Unavailable).
|
|
Step 7
|
aaa accounting network default start-stop group radius
Device(config)# aaa accounting network default start-stop group radius
|
(Optional) Enables accounting for all network-related service requests.
Note
|
This command is required only to determine the reason why a tap did not start.
|
|
Step 8
|
radius-server attribute 44 include-in-access-req
Device(config)# radius-server attribute 44 include-in-access-req
|
(Optional) Sends RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication).
Note
|
Enter this command to obtain attribute 44 from the Access-Request packet. Otherwise you will have to wait for the accounting packets to be received before you can determine the value of attribute 44.
|
|
Step 9
|
radius-server host host-name
Device(config)# radius-server host host1
|
(Optional) Specifies the RADIUS server host.
|
Step 10
|
aaa server radius dynamic-author
Device(config)# aaa server radius dynamic-author
|
Configures a device as an Authentication, Authorization, and Accounting (AAA) server to facilitate interaction with an external policy server and enters dynamic authorization local server configuration mode.
Note
|
This is an optional command if taps are always started when a session starts. The command is required if CoA-Requests are used to start and stop taps in existing sessions.
|
|
Step 11
|
client ip-address
Device(config-locsvr-da-radius)# client 10.0.0.2
|
(Optional) Specifies a RADIUS client from which the device will accept CoA-Request packets.
|
Step 12
|
domain {delimiter character | stripping [right-to-left]}
Device(config-locsvr-da-radius)# domain stripping right-to-left
Device(config-locsvr-da-radius)# domain delimiter @
|
(Optional) Configures username domain options for the RADIUS application.
- The delimiter keyword specifies the domain delimiter. One of the following options can be specified for the character argument: @, /, $, %, \, # or -
- The stripping keyword compares the incoming username with the names oriented to the left of the @ domain delimiter.
- The right-to-left keyword terminates the string at the first delimiter going from right to left.
|
Step 13
|
server-key word
Device(config-locsvr-da-radius)# server-key samplekey
|
(Optional) Configures the RADIUS key to be shared between a device and RADIUS clients.
|
Step 14
|
port port-number
Device(config-locsvr-da-radius)# port 1600
|
(Optional) Specifies a RADIUS client from which the device will accept CoA-Request packets.
|
Step 15
|
exit
Device(config-locsvr-da-radius)# exit
|
Exits dynamic authorization local server configuration mode and returns to global configuration mode.
|
Step 16
|
end
|
Exits the current configuration mode and returns to privileged EXEC mode.
|
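An added example (not from the original page or from the vendor): a Python check that reads a saved configuration, reports which of the commands this procedure marks as required are missing, and lists the RADIUS clients allowed to send CoA-Requests. The function names, report keys and sample configuration are constructed for illustration, and the parser assumes sub-mode lines are indented under their parent command.

```python
import re

# Commands the procedure marks as required (Steps 3, 4 and 5).
REQUIRED = ("aaa intercept", "aaa authentication ppp default group radius",
            "aaa accounting delay-start all")
DA_PARENT = "aaa server radius dynamic-author"  # CoA sub-mode (Step 10)

# Constructed sample built from the page's example commands; it omits
# "aaa accounting delay-start all" and "server-key" on purpose.
SAMPLE_CONFIG = """\
aaa intercept
aaa authentication ppp default group radius
aaa accounting network default start-stop group radius
radius-server attribute 44 include-in-access-req
radius-server host host1
aaa server radius dynamic-author
 client 10.0.0.2
 domain stripping right-to-left
 domain delimiter @
 port 1600
"""

def norm(line):
    return re.sub(r"\s+", " ", line.strip())

def audit_li_config(text):
    """Return missing required commands and the dynamic-author (CoA) settings."""
    lines = [l.rstrip() for l in text.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    top = {norm(l) for l in lines if not l[0].isspace()}
    report = {"missing": [c for c in REQUIRED if c not in top],
              "coa_enabled": DA_PARENT in top,
              "coa_clients": [], "coa_port": None, "server_key_set": False}
    in_da = False
    for l in lines:
        if not l[0].isspace():            # top-level line: enter or leave sub-mode
            in_da = norm(l) == DA_PARENT
            continue
        words = l.split()
        if not in_da:
            continue
        if "server-key" in words:
            report["server_key_set"] = True
        if words[0] == "client" and len(words) > 1:
            report["coa_clients"].append(words[1])
        elif words[0] == "port" and len(words) > 1 and words[1].isdigit():
            report["coa_port"] = int(words[1])
    # CoA-Requests can start and stop taps, so flag clients accepted with no key.
    report["unkeyed_coa"] = bool(report["coa_clients"]) and not report["server_key_set"]
    return report
```

Reviewing `coa_clients` against the approved mediation or policy servers shows which hosts are able to start or stop taps in existing sessions.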