RADIUS Attribute 55 Event-Timestamp

The RADIUS Attribute 55 Event-Timestamp feature allows a network access server (NAS) to insert an event time-stamp attribute in accounting and authentication packets that are sent to the RADIUS server with or without Network Time Protocol (NTP) synchronization.

Prerequisites for RADIUS Attribute 55 Event-Timestamp

Before the Event-Timestamp attribute can be sent in accounting and authentication request packets, you must configure the clock on the network device. For information about setting the clock on your network device, see the “Performing Basic System Management” section in the “Basic System Management” chapter of Network Management Configuration Guide.

To avoid configuring the clock on the network device every time the network device is reloaded, you can enable the clock calendar-valid command. For information about this command, see the “Setting Time and Calendar Services” section in the “Basic System Management” chapter of Network Management Configuration Guide.

Information About RADIUS Attribute 55 Event-Timestamp

When a network device dials in to a network access server (NAS) that is configured for RADIUS authentication, the NAS begins the process of contacting the RADIUS server in preparation for user authentication. Typically, the RADIUS attribute 55 (Event-Timestamp) is not communicated to the RADIUS server until after a successful Network Time Protocol (NTP) synchronization. This feature enables a NAS to insert the Event-Timestamp attribute in accounting and authentication request packets even if NTP synchronization does not happen.

The Event-Timestamp attribute records the time at which the event occurred on the NAS. This timestamp is sent in RADIUS attribute 55 as the number of seconds since January 1, 1970 00:00 UTC.

The Event-Timestamp attribute is saved in memory on the NAS for the life of the session. The RADIUS accounting and authentication start packet, all subsequent accounting and authentication packets, updates (if configured), and stop packets also include the same RADIUS attribute 55 Event-Timestamp representing the time at which the original packet was sent.

How to Configure RADIUS Attribute 55 Event-Timestamp

Configuring RADIUS Attribute 55 Event-Timestamp

Perform this task to send RADIUS attribute 55 in accounting and authentication requests.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. aaa new-model
  4. aaa authentication ppp default group radius
  5. aaa accounting network default start-stop group radius
  6. radius-server host ip-address
  7. radius-server attribute 55 include-in-acct-req
  8. radius-server attribute 55 access-req include
  9. exit

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:


Device(config)# aaa new-model

Enables authentication, authorization, and accounting (AAA).

Step 4

aaa authentication ppp default group radius

Example:


Device(config)# aaa authentication ppp default group radius

Specifies one or more AAA methods for use on serial interfaces that run PPP using the list of all RADIUS servers for authentication.

Step 5

aaa accounting network default start-stop group radius

Example:


Device(config)# aaa accounting network default start-stop group radius

Enables network accounting and sends start and stop accounting notices for the RADIUS accounting method list to the RADIUS server.

Step 6

radius-server host ip-address

Example:


Device(config)# radius-server host 192.0.2.3

Specifies the IP address of the RADIUS server host.

Step 7

radius-server attribute 55 include-in-acct-req

Example:


Device(config)# radius-server attribute 55 include-in-acct-req

Sends RADIUS attribute 55 in accounting-request packets.

Step 8

radius-server attribute 55 access-req include

Example:


Device(config)# radius-server attribute 55 access-req include

Sends RADIUS attribute 55 in access-request packets.

Step 9

exit

Example:


Device(config)# exit

Exits global configuration mode.

Verifying RADIUS Attribute 55 Event-Timestamp

Perform this task to verify that RADIUS attribute 55 is sent in accounting and authentication packets.

SUMMARY STEPS

  1. enable
  2. show running-config
  3. debug radius

DETAILED STEPS


Step 1

enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Example:


Device> enable

Step 2

show running-config

Displays the contents of the current running configuration file.

Example:


Device# show running-config

.
.
.
aaa group server radius sample
aaa accounting network default start-stop group radius group sample
aaa server radius dynamic-author
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include
radius-server dead-criteria time 10 tries 3
radius-server host 192.0.2.3
radius-server retry method reorder
radius-server retransmit 2
radius-server deadtime 1
radius-server key rad123
radius server host
.
.
.
radius-server attribute 55 include-in-acct-req
radius-server attribute 55 access-request include

Step 3

debug radius

Displays information associated with RADIUS. The output of this command shows whether attribute 55 is being sent in accounting and authentication requests.

Example:


Device# debug radius

AAA/BIND(0000000D): Bind i/f Virtual-Template1
AAA/AUTHEN/PPP (0000000D): Pick method list 'default'
RADIUS/ENCODE(0000000D):Orig. component type = PPPoE
RADIUS: DSL line rate attributes successfully added
RADIUS(0000000D): Config NAS IP: 0.0.0.0
RADIUS(0000000D): Config NAS IPv6: ::
RADIUS/ENCODE(0000000D): acct_session_id: 2
RADIUS(0000000D): sending
RADIUS/ENCODE: Best Local IP-Address 192.0.2.3 for Radius-Server 192.0.2.1
RADIUS(0000000D): Sending a IPv4 Radius Packet
RADIUS(0000000D): Send Access-Request to 192.0.2.1:1645 id 1645/1,len 130
RADIUS:  authenticator 66 D8 24 42 BC 45 5B 3D - 0E DC 74 D7 E9 3D 81 85
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  User-Name           [1]   6   "test"
RADIUS:  User-Password       [2]   18  *
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-Port            [5]   6   0
RADIUS:  NAS-Port-Id         [87]  9   "0/0/0/0"
RADIUS:  Vendor, Cisco       [26]  41
RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=aabb.cc00.6500"
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   1.1.1.2
RADIUS:  Event-Timestamp     [55]  6   1362041578
RADIUS(0000000D): Started 5 sec timeout
RADIUS: Received from id 1645/192.0.2.1:1645, Access-Accept, len 20
.
.
.
RADIUS:  authenticator 2A 2B 24 47 06 44 23 8A - CB CC 8C 96 8D 21 76 DD
RADIUS(0000000D): Received from id 1645/1
AAA/BIND(0000000D): Bind i/f Virtual-Access2.1
RADIUS/ENCODE(0000000D):Orig. component type = PPPoE
.
.
.
RADIUS(0000000D): Config NAS IP: 0.0.0.0
RADIUS(0000000D): Config NAS IPv6: ::
RADIUS(0000000D): sending
RADIUS/ENCODE: Best Local IP-Address 192.0.2.3 for Radius-Server 192.0.2.1
RADIUS(0000000D): Sending a IPv4 Radius Packet
RADIUS(0000000D): Send Accounting-Request to 192.0.2.1:1646 id 1646/1,len 182
RADIUS:  authenticator C6 81 D0 D7 EA BA 9A A9 - 19 4B 1B 90 B8 D1 66 BF
RADIUS:  Acct-Session-Id     [44]  10  "00000002"
RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
RADIUS:  User-Name           [1]   6   "test"
RADIUS:  Vendor, Cisco       [26]  32
RADIUS:   Cisco AVpair       [1]   26  "connect-progress=Call Up"
RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-Port            [5]   6   0
RADIUS:  NAS-Port-Id         [87]  9   "0/0/0/0"
RADIUS:  Vendor, Cisco       [26]  41
RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=aabb.cc00.6500"
RADIUS:  Service-Type        [6]   6   Framed                    [2]
RADIUS:  NAS-IP-Address      [4]   6   1.1.1.2
RADIUS:  home-hl-prefix      [151] 10  "163BD6D4"
RADIUS:  Event-Timestamp     [55]  6   1362041588
RADIUS:  Acct-Delay-Time     [41]  6   0
RADIUS(0000000D): Started 5 sec timeout
.
.
.
RADIUS: Received from id 1646/1 1.1.1.1:1646, Accounting-response, len 20
RADIUS:  authenticator 79 F1 6A 38 07 C3 C8 F9 - 96 66 BE EF 5C FA 91 E6
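
The check in Step 3 can be automated over captured debug radius output. The following Python sketch is an added example, not Cisco code: it confirms that every sent Access-Request and Accounting-Request carries attribute 55 and that the value lies within a tolerance of a reference time, which matters because this feature sends the timestamp even without NTP synchronization. The function name, the 300-second tolerance, the reference time, and the sample lines (modelled on the output above, with two constructed failing sessions) are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format of the "debug radius" output above.
# Sessions 0000000E and 0000000F are invented failing cases.
SAMPLE = """\
RADIUS(0000000D): Send Access-Request to 192.0.2.1:1645 id 1645/1,len 130
RADIUS:  User-Name           [1]   6   "test"
RADIUS:  Event-Timestamp     [55]  6   1362041578
RADIUS: Received from id 1645/192.0.2.1:1645, Access-Accept, len 20
RADIUS(0000000D): Send Accounting-Request to 192.0.2.1:1646 id 1646/1,len 182
RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
RADIUS:  Event-Timestamp     [55]  6   1362041588
RADIUS(0000000E): Send Access-Request to 192.0.2.1:1645 id 1645/2,len 124
RADIUS:  User-Name           [1]   6   "test2"
RADIUS(0000000F): Send Access-Request to 192.0.2.1:1645 id 1645/3,len 130
RADIUS:  Event-Timestamp     [55]  6   730944000
"""

SEND = re.compile(r"RADIUS\((\w+)\): Send (Access-Request|Accounting-Request) "
                  r"to \S+ id (\S+?),len")
ATTR55 = re.compile(r"RADIUS:\s+Event-Timestamp\s+\[55\]\s+6\s+(\d+)")

def audit(log_text, reference_epoch, max_skew=300):
    """Return one record per sent request: attribute 55 value and a status."""
    packets, current = [], None
    for line in log_text.splitlines():
        sent = SEND.search(line)
        if sent:
            current = {"session": sent[1], "type": sent[2], "id": sent[3], "ts": None}
            packets.append(current)
        elif "Received from" in line:
            current = None          # attributes that follow belong to a reply
        elif current is not None:
            attr = ATTR55.search(line)
            if attr:
                current["ts"] = int(attr[1])
    for p in packets:
        if p["ts"] is None:
            p["status"], p["utc"] = "missing-attr-55", None
        else:
            # Attribute 55 is seconds since 1970-01-01 00:00 UTC.
            p["utc"] = datetime.fromtimestamp(p["ts"], tz=timezone.utc).isoformat()
            skewed = abs(p["ts"] - reference_epoch) > max_skew
            p["status"] = "clock-skew" if skewed else "ok"
    return packets

if __name__ == "__main__":
    # Reference time is an assumption: when the collector saw the packets.
    for rec in audit(SAMPLE, reference_epoch=1362041590):
        print(rec["session"], rec["type"], rec["utc"], rec["status"])
```

A clock-skew result points to a NAS whose clock was never set or has drifted, so its Event-Timestamp values should not be relied on when correlating accounting records with other logs.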

Configuration Example for RADIUS Attribute 55 Event-Timestamp

Example: RADIUS Attribute 55 in Accounting and Authentication Packets

The following example shows a configuration that sends RADIUS attribute 55 in accounting and authentication packets:


Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication ppp default group radius
Device(config)# aaa accounting network default start-stop group radius
Device(config)# radius-server host 192.0.2.3
Device(config)# radius-server attribute 55 include-in-acct-req
Device(config)# radius-server attribute 55 access-req include
Device(config)# exit

Additional References for RADIUS Attribute 55 Event-Timestamp

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Command List, All Releases

Security commands

Configuring Authentication

“Configuring Authentication” chapter in Authentication, Authorization, and Accounting Configuration Guide

Configuring RADIUS

“Configuring RADIUS” chapter in RADIUS Configuration Guide

Standards and RFCs

Standard/RFC

Title

RFC 2138

Remote Authentication Dial In User Service (RADIUS)


Feature Information for RADIUS Attribute 55 Event-Timestamp

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for RADIUS Attribute 55 Event-Timestamp

Feature Name: RADIUS Attribute 55 Event-Timestamp

Releases: Cisco IOS XE Release 3.9S

Feature Information: The RADIUS Attribute 55 Event-Timestamp feature allows a network access server (NAS) to insert an event time-stamp attribute in accounting and authentication packets sent to the RADIUS server with or without Network Time Protocol (NTP) synchronization.

The following commands were introduced or modified: radius-server attribute 55 access-req include and radius-server attribute 55 include-in-acct-req.