Configuring Authentication, Authorization,
and Accounting
SYSTEM ADMINISTRATOR GUIDE
61/1543-CRA 119 1170/1 Uen L
Copyright
© Ericsson AB 2010-2012. All rights reserved. No part of this document may be
reproduced in any form without the written permission of the copyright owner.
Disclaimer
The contents of this document are subject to revision without notice due to
continued progress in methodology, design and manufacturing. Ericsson shall
have no liability for any error or damage of any kind resulting from the use
of this document.
Trademark List
SmartEdge
is a registered trademark of Telefonaktiebolaget LM
Ericsson.
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Contents
Contents
1 Overview 1
1.1 Authentication 1
1.2 Authorization and Reauthorization 5
1.3 Accounting 5
1.4 AAA Route Download Overview 7
2 Configuration and Operations 9
2.1 Configuring Global AAA 9
2.2 Configuring Authentication 11
2.3 Configuring Authorization and Reauthorization 17
2.4 Configuring Accounting 19
2.5 Performing Operation Tasks 24
2.6 Configuring AAA Route Download 25
3 Configuration Examples 27
3.1 Configuring Administrator Authentication 27
3.2 Configuring Administrator Accounting 27
3.3 Defining the Administrator Structured Username 27
3.4 Authenticating Subscribers 27
3.5 Reauthorizing Subscribers 28
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuring Authentication, Authorization, and Accounting
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
1 Overview
This document applies to both the Ericsson SmartEdge®and SM family routers.
However, the software that applies to the SM family of systems is a subset of
the SmartEdge OS; some of the functionality described in this document may
not apply to SM family routers.
For information specific to the SM family chassis, including line cards, refer to
the SM family chassis documentation.
For specific information about the differences between the SmartEdge and SM
family routers, refer to the Technical Product Description SM Family of Systems
(part number 5/221 02-CRA 119 1170/1) in the Product Overview folder of
this Customer Product Information library.
Overview
This document provides an overview of the authentication, authorization, and
accounting (AAA) features of the Ericsson SmartEdge and SM family routers
and describes the tasks used to configure, monitor, and administer AAA. This
document also provides AAA configuration examples.
Note: In the following sections, the term controller card refers to the
Cross-Connect Route Processor (XCRP4) Controller card. The term
controller carrier card refers to the controller functions on the carrier
card in the SmartEdge100 chassis.
1.1 Authentication
The following sections describe the authentication features for administrators
and subscribers.
1.1.1 Administrators
By default, router configuration authenticates the administrators. You can also
authenticate administrators through database records on a RADIUS server, on
a Terminal Access Controller Access Control System Plus (TACACS+) server,
or on both the servers sequentially.
You must configure the IP address of a reachable RADIUS or TACACS+
server (or both) in the context in which the administrator is configured. You
can set a maximum limit on the number of administrator sessions that can be
simultaneously active in each context. For information about RADIUS and
TACACS+, see Configuring RADIUS and Configuring TACACS+ respectively.
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
1
Configuring Authentication, Authorization, and Accounting
1.1.2 Subscribers
Authentication of Point-to-Point Protocol (PPP) subscribers now includes
support for IPv4, IPv6, and dual-stack subscribers. Dual-stack subscribers run
both IPv4 and IPv6. For information on IPv6 subscribers, refer to Configuring
IPv6 Subscriber Services. Authentication requests do not indicate if a session
is single or dual stack, but authentication responses do indicate.
An IPv6 subscriber must be authorized through AAA before PPP negotiates
connectivity and ND processes packets. If a protocol is not authorized, PPP
does not negotiate that protocol with a client, even when the PPP negotiation
process is initiated by a client.
1.1.2.1 Authentication Options
By default, operating system configuration authenticates the subscriber. You
can also authenticate subscribers through database records on a RADIUS
server.
When the IP address or hostname of the RADIUS server is configured in the
operating system local context, global RADIUS authentication is performed.
That is, although the subscribers are configured in a nonlocal context, they are
authenticated through the RADIUS server configured in the local context. With
global RADIUS authentication, the RADIUS server returns the Context-Name
vendor-specific attribute (VSA), indicating the name of the particular context to
which subscribers are bound.
When the IP address or the hostname of the RADIUS server is configured in a
context other than the local context, context-specific RADIUS authentication is
performed. This means that only subscribers bound to the context in which the
RADIUS server’s IP address or hostname is configured are authenticated.
You can also configure the router to authenticate through a RADIUS server
configured in the nonlocal context, and then through a RADIUS server
configured in the local context, if the previous server is unavailable; else,
proceed to router configuration.
AAA includes the following Layer 2 Tunneling Protocol (L2TP) attribute-value
pairs (AVPs), RADIUS standard attributes, and vendor-specific attributes
(VSAs) provided by Ericsson in RADIUS Access-Request messages for L2TP
network server (LNS) subscribers that are authenticated using RADIUS:
• Tunnel-Client-Endpoint (66)
• Tunnel-Server-Endpoint (67)
• Acct-Tunnel-Connection (68)
• Tunnel-Assignment-ID (82)
• Tunnel-Client-Auth-ID (90)
2
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Overview
• Tunnel-Server-Auth-ID (91)
• Tunnel-Function (VSA 18)
• Tx-Connect-Speed (L2TP AVP 24)
• Rx-Connect-Speed (L2TP AVP 38)
If you have IPv6 PPP subscriber sessions, the following standard RADIUS
attributes and Ericsson VSAs are supported:
• NAS-IPv6-Address (95)
• Framed-Interface-Id (96)
• Framed-IPv6-Prefix (97)
• Framed-IPv6-Route (99)
• Framed-IPv6-Pool (100)
• Delegated-IPv6-Prefix (123)
• RB-IPv6-DNS (207)
• RB-IPv6-Option (208)
• Delegated-Max-Prefix (212)
For more information about RADIUS standard attributes and vendor VSAs
provided by Ericsson AB, see RADIUS Attributes. For more information about
L2TP AVPs, see Configuring L2TP.
1.1.2.2 Maximum Subscriber Sessions
You can set a maximum limit on the number of subscriber sessions that can be
simultaneously active in a given context and for all configured contexts.
1.1.2.3 Limited Subscriber Services
You can limit the services provided to subscribers based on volume of traffic.
You can monitor volume-based services in the upstream and downstream
directions independently, separately, or aggregated in both directions.
However, you cannot simultaneously monitor aggregated traffic and either
upstream or downstream traffic.
Volume limits are imposed by the RADIUS VSA 113 in Access-Accept and
Accounting-Request messages.
AAA supports inbound and outbound traffic counters, as well as an aggregated
counter of both incoming and outgoing traffic. If the aggregated counter
exceeds the configured value for aggregated traffic limit, AAA sends a RADIUS
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
3
Configuring Authentication, Authorization, and Accounting
accounting message or tears down the subscriber session, depending on the
configured action to perform.
If the RADIUS attribute does not include the direction to which the limit is
applied, the downstream direction is assumed. If no limit is included, the traffic
volume is unlimited in both the directions and is not monitored. If a limit of 0
is configured for a direction, traffic is treated as unlimited in that direction and
is not monitored.
VSA 113 is also supported in a subscriber reauthorize Access-Accept message.
1.1.2.4 Binding Order
If a subscriber circuit has been configured with a dynamic binding, using the
bind authentication command (in the circuit’s configuration mode),
AAA uses subscriber attributes in messages received during subscriber
authentication to determine which IPv4 address (and the associated interface)
to use when binding the subscriber circuit.
By default, the router considers L2TP attributes before considering RADIUS
attributes. You can reverse this order so that the IPv4 address provided in the
RADIUS record is used before one provided by L2TP.
1.1.2.5 IP Address Assignment
By default, the router uses a round-robin algorithm to allocate subscriber
IPv4 addresses from the IP pool. You can also configure the router to use a
first-available algorithm.
AAA typically assigns an IPv4 address to a PPP subscriber from an IP pool
after receiving an Access-Accept packet from a RADIUS server. However,
you can configure AAA to provide an IPv4 address from an IP pool in the
Framed-IP-Address attribute in the RADIUS Access-Request packet. This IPV4
IP address is provided to the RADIUS server as a preferred address. If there
are no unassigned IPv4 addresses in the pool, the authentication request is
sent without an IPv4 address.
The RADIUS server may or may not accept the address ; Table 1 lists the
RADIUS server responses and the corresponding router actions.
Table 1 RADIUS Server Response and Router Actions
RADIUS Server Response Corresponding Router Action
Framed-IP-Address attribute
The router assigns preferred IPv4 address.
contains 255.255.255.254,
0.0.0.0, or is missing.
Framed-IP-Address attribute
contains a different IPv4
address.
The router assigns the IPv4 address in the
Framed-IP-Address attribute and returns the
preferred IPv4 address to its pool.
4 61/1543-CRA 119 1170/1 Uen L | 2012-12-04
1.2 Authorization and Reauthorization
The following sections describe the authorization and reauthorization features.
1.2.1 CLI Commands Authorization
You can specify that commands with a matching privilege level (or higher)
require authorization through TACACS+.
1.2.2 Dynamic Subscriber Reauthorization
When subscribers request new or modified services during active sessions, the
requests can be translated to changes that are applied during the active session
through dynamic subscriber reauthorization. Reauthentication occurs without
PPP renegotiation and without interrupting or dropping the active session.
Overview
1.3 Accounting
The following sections describe the accounting features.
1.3.1 CLI Commands Accounting
You can configure the router so that accounting messages are sent to a
TACACS+ server whenever an administrator enters commands at the specified
privilege level (or higher).
1.3.2 Administrator Accounting
You can configure administrator accounting, which tracks messages for the
administrator sessions; the messages are sent to a RADIUS or TACACS+
server.
1.3.3 Subscriber Accounting
You can configure subscriber accounting, which tracks messages for subscriber
sessions; the messages are sent to a RADIUS accounting server. Use the
aaa accounting subscriber command with the radius keyword to
configure subscriber accounting. When the IP address or hostname of the
RADIUS accounting server is configured in the router local context, global
authentication is performed. That is, although the subscribers are configured
in a non-local context, accounting messages for subscribers sessions in the
context are sent through the RADIUS accounting server configured in the local
context. When using global RADIUS subscriber accounting, configuring global
RADIUS subscriber authentication is required.
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
5
Configuring Authentication, Authorization, and Accounting
Note: Configuring the global keyword with the aaa accounting
subscriber command allows you to enable global RADIUS
subscriber accounting even without global authentication. For more
information, refer to the Command Description document.
When the IP address or hostname of the RADIUS accounting server is
configured in a context other than the local context, context-specific accounting
is performed; accounting messages are sent only for subscribers bound to
the context in which the RADIUS accounting server IP address or hostname
is configured.
You can configure two-stage accounting where the router sends accounting
messages to a RADIUS accounting server configured in the non-local context
and to a RADIUS accounting server configured in the local context. For
example, a copy of the accounting data can be sent to both a wholesaler's
and an upstream service provider’s RADIUS accounting server, so that the
end-of-period accounting data can be reconciled and validated by both the
parties.
You can also specify the error conditions for which the router suppresses the
sending of accounting messages to a RADIUS accounting server.
1.3.4 L2TP Accounting
You can configure L2TP accounting that tracks messages for L2TP tunnels or
sessions in L2TP tunnels; the messages are sent to a RADIUS accounting
server. When the IP address or hostname of the RADIUS accounting server is
configured in the router local context, global accounting is performed. When
the IP address or hostname of the RADIUS accounting server is configured in a
context other than the local context, context-specific accounting is performed.
You can also configure two-stage accounting.
The router sends just a single accounting on message when more than
one type of RADIUS accounting is enabled. For example, if you enable
both subscriber accounting and L2TP accounting, the router sends only one
accounting on message to each RADIUS accounting server, even if you
enable L2TP accounting at a later time. Similarly, the accounting off
message is not sent until you have disabled all types of RADIUS accounting.
Note: Configuring the global keyword with the aaa accounting l2tp
session command allows you to enable global RADIUS accounting
for sessions in L2TP tunnels even without global authentication. For
more information, see the aaa accounting l2tp command.
If a subscriber session cannot be tunneled to a specific L2TP network server
(LNS) or to an LNS in a group of L2TP peers, or if the router has received a
Link Control Protocol (LCP) termination request from the subscriber before the
session establishment is complete, the Acct-Session-Time attribute is set to 0.
6
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
1.4 AAA Route Download Overview
The router allows you to configure and advertise IPv4 access routes before the
routes have been assigned to subscribers. Pre-provisioning access routes
helps eliminate routing protocol scalability issues or delays when the protocol
is converging or when a large number of subscribers is being simultaneously
activated. More than one RADIUS server can be designated as a route
download server. While defining a route download server, RADIUS server
redundancy operates in the normal way.
When this feature is enabled, the router periodically sends a RADIUS
Access-Request message to the RADIUS server acting as a route download
server, requesting to download routes. To respond, the RADIUS server sends
an Access-Accept message containing a set of routes within the RFC-specified
RADIUS packet length, which the router downloads. The router repeats the
request until all the routes have been downloaded; the RADIUS server signals
completion by rejecting the Access-Request message. Once all the routes
have been downloaded successfully, the router installs the access routes in its
RIB. If the download fails at any point, all the routes are discarded; the router
never installs an incomplete batch of routes into its RIB.
Overview
A set of download requests is sent on a periodic basis, beginning at a
configured time of day and repeating at configured intervals thereafter. Routes
are carried in the Framed-Route attribute (standard attribute 22), which must
be formatted as specified in RFC 2865, RADIUS. The metric field in the
Framed-Route attribute is optional. The router uses the Context-Name attribute
(VSA attribute 4) to identify the context where the route is downloaded.
This feature assumes that the routes downloaded from the RADIUS route
download server have a more specific prefix than the prefix of the subscriber
route. The router does not check for configuration errors in this regard.
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
7
Configuring Authentication, Authorization, and Accounting
8 61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuration and Operations
2 Configuration and Operations
This section provides information on how to configure, administer, and
troubleshoot AAA.
Note: The command syntax in the task table displays only the root command.
For the complete command syntax, see Command List.
2.1 Configuring Global AAA
To configure global attributes for AAA, perform the tasks in the following
sections.
2.1.1 Limiting the Number of Active Administrator Sessions
To limit the number of administrator sessions that can be simultaneously active
in a given context, perform the task described in Table 2.
Table 2 Number of Active Administrator Sessions
Task Root Command Notes
Limit the number of
administrator sessions
that can be simultaneously
active in a given context.
aaa authentication administr
ator
Enter this command in the context
configuration mode.
To set the limit, use the maximum
sessions
num-sess construct.
2.1.2 Limiting the Number of Active Subscriber Sessions
To limit the number of subscriber sessions that can be simultaneously active,
perform the task described in Table 3.
Table 3 Number of Active Subscriber Sessions
Task Root Command Notes
Limit the number of subscriber
sessions that can be simultaneously
active in a given context.
aaa maximum subscriber Enter this command in the
context configuration mode.
961/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuring Authentication, Authorization, and Accounting
2.1.3 Preventing Subscriber Session Authentication When Session Limit
Reached
To prevent a new session from being authenticated when the maximum
configured number of sessions has been reached, perform the task described
in Table 4.
Table 4 Subscriber Session Authentication When Session Limit Reached
Task Root Command Notes
Prevent a new subscriber session
from being authenticated when the
maximum configured number of
sessions is established.
Prevent a new subscriber session
from being authenticated when the
maximum configured number of
sessions (combination of ARI and
ACI) is established.
aaa global suppress-authe
ntication slid-session-limit
aaa global suppress-authe
ntication slid-session-limit
agent-remote-circuit-id
Enter this command in the
global configuration mode.
Enter this command in the
global configuration mode.
2.1.4 Enabling a Direct Connection for Subscriber Circuits
To enable a direct connection for subscriber circuits, configure the router to
install the route specified by the RADIUS Framed-IP-Netmask attribute as
described in Table 5.
Table 5 Direct Connection for Subscriber Circuits
Task Root Command Notes
Enable use of the RADIUS
Framed-IP-Netmask attribute to
install the route to a remote router.
aaa provision route Enter this command in the context
configuration mode.
2.1.5 Defining Structured Username Formats
To define one or more schema for matching the format of structured usernames
(subscriber and administrator names), perform the task described in Table 6.
Table 6 Structured Username Formats
Task Root Command Notes
Define one or more schema
for matching the format of
structured usernames.
10 61/1543-CRA 119 1170/1 Uen L | 2012-12-04
aaa username-for
mat
Enter this command in the global
configuration mode.
If no username formats are explicitly
defined, the router checks the default format,
username@domain-name, for a match.
2.1.6 Authenticating Username
To specify a username for authentication, perform the task described in Table 7.
Table 7 Username for Authentication
Task Root Command Notes
Configuration and Operations
Specify that the Username
attribute is required in
Access-Request messages.
By default, the router sends Access-Request messages to the RADIUS server,
regardless of whether a username is specified.
aaa global reject
empty-username
Enter this command in the global
configuration mode.
If no value is specified for the
User-Name attribute, AAA suppresses the
Access-Request message, and thereby the
subscriber authentication fails.
2.1.7 Acknowledging RSE Service Activation via CoA on Stack Mismatch
To acknowledge an RSE service activation via CoA even if it is applying an
RSE service containing both IPv4 and IPv6 attributes to a single stack IPv4
subscriber, perform the tasks described Table 8.
Table 8 RSE Service Activation
Task Root Command Notes
Specify that RSE service activation
via CoA will be acknowledged even
if it is applying an RSE service
containing both IPv4 and IPv6
attributes to a single stack IPv4
subscriber.
aaa global coa ignore
rse-attr-stack-mismatch
Enter this command in global
configuration mode.
2.2 Configuring Authentication
To configure authentication, perform the tasks described in the following
sections.
2.2.1 Configuring Administrator Authentication
To configure administrator authentication, perform the task described in Table 9.
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
11
Configuring Authentication, Authorization, and Accounting
Table 9 Administrator Authentication
Task Root Command Notes
Configure administrator
authentication.
aaa authentication admin
istrator
Enter this command in the context
configuration mode.
You have the option to configure either
the console port or a vty port for each
specified authentication method. By
default, both ports are enabled for use.
Use either the console or vty keyword
as needed.
2.2.2 Configuring Subscriber Authentication
To configure subscriber authentication, you must perform the following tasks:
• Configure IP Address Assignment
• Enable the Assignment of Preferred IP Addresses
• Change the Default Order for Determining Subscriber IP Addresses
• Configure Global RADIUS Authentication
• Configure Context-Specific RADIUS Authentication
• Authenticate Router (Local)
• Configure DHCPv6 Interface Authentication
• Configure Context-Specific RADIUS and Global RADIUS Authentication
• Authenticate Context-Specific RADIUS and Router (Local)
• Configure a Last-Resort Authentication Context
2.2.2.1 Configure IP Address Assignment
To configure the algorithm the router uses to assign subscriber IPv4 address,
perform the task described in Table 10.
Table 10 Assignment of IPv4 or IPv6 IP Addresses
Task Root Command Notes
Change the logic the router uses to
allocate subscriber IP addresses from
the default algorithm (round-robin) to a
aaa ip-pool
allocation
first-available
Enter this command in the global
configuration mode.
first-available algorithm.
12 61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuration and Operations
2.2.2.2 Enable the Assignment of Preferred IP Addresses
To enable the router to provide a RADIUS server with preferred IP addresses
when performing subscriber authentication, perform the task described in
Table 11.
Table 11 Assignment of Preferred IP Addresses
Task Root Command Notes
Enable the router to provide the
RADIUS server with preferred IP
aaa hint ip-address Enter this command in the context
configuration mode.
addresses from unnamed IP pools.
2.2.2.3 Change the Default Order for Determining Subscriber IP Addresses
To change the default order for determining the IP address (and its interface) to
be used for binding a subscriber circuit, perform the task described in Table 12.
Table 12 Default Order for Determining Subscriber IP Addresses
Task Root Command Notes
Change the default order for
determining the IP address for
aaa provision bindingorder
Enter this command in the context
configuration mode.
binding a subscriber circuit.
2.2.2.4 Configure Global RADIUS Authentication
To configure global RADIUS authentication, perform the tasks described in
Table 13.
Table 13 Global RADIUS Authentication
Task Root Command Notes
Enable global RADIUS
authentication.
aaa global authentication
subscriber
Enter this command in the
global configuration mode.
At least one RADIUS server
IP address or hostname must
be configured in the local
context; for more information,
see Configuring RADIUS.
Authenticate subscribers in the
current context through one or more
aaa authentication subscriber Enter this command in the
context configuration mode.
RADIUS servers with IP addresses
or hostnames configured in the local
context.
Use the global keyword
with this command.
1361/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuring Authentication, Authorization, and Accounting
2.2.2.5 Configure Context-Specific RADIUS Authentication
To authenticate subscribers using one or more RADIUS servers with IP
addresses or hostnames configured in the current context, perform the task
described in Table 14.
Table 14 Context-Specific RADIUS Authentication
Task Root Command Notes
Configure context-specific RADIUS
authentication.
aaa authentication subs
criber
2.2.2.6 Authenticate Router (Local)
To authenticate subscribers through the router configuration, perform the task
described in Table 15.
Table 15 Router Configuration Authentication
Task Root Command Notes
Configure router configuration
authentication.
aaa authentication subs
criber
Enter this command in the context
configuration mode.
Use the local keyword with this
command to configure RADIUS
authentication.
Enter this command in the context
configuration mode.
Use the radius keyword with this
command to configure RADIUS
authentication.
At least one RADIUS server
IP address or hostname must
be configured in the current
context; for more information, see
Configuring RADIUS.
2.2.2.7 Configure DHCPv6 Interface Authentication
Enable AAA to authenticate subscribers through the router local database.
Subscribers are authenticated according to parameters set in the subscriber
profile for the current context. In the subscriber local context, to configure an
interface as a DHCPv6 interface, AAA must be enabled to provide subscriber
authentication. To authenticate subscribers through a DHCPv6 server, perform
the tasks described in Table 16.
14
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Table 16 Router DHCPv6 Interface Authentication
Task Root Command Notes
Configure an interface to be a
DHCPv6 server interface.
dhcpv6 server
interface
The DHCPv6 server uses the primary
IPv6 address of the interface as the
server IP address.
Configuration and Operations
Enable AAA to authenticate
subscribers through the router
local database or RADIUS.
aaa authentication
subscriber local
or
Subscribers are authenticated
according to the parameters set in
the subscriber profile for the current
context.
aaa authentication
subscriber radius
When the router is configured to provide dual-stack and IPv6 subscriber
services, DHCPv6 requests AAA for prefix delegation. In response to the
DHCPv6 request, AAA returns one or more prefixes. For more information
on DHCPv6 configuration, refer to Configuring DHCP. For an example of an
end-to-end IPv6 configuration to check where AAA subscriber authentication is
required, refer to Configuring IPv6 Subscriber Services.
2.2.2.8 Configure Context-Specific RADIUS and Global RADIUS Authentication
To configure context-specific RADIUS authentication, followed by global
RADIUS authentication, perform the tasks described in Table 17.
Table 17 Context-Specific RADIUS and Global RADIUS Authentication
Task Root Command Notes
Enable global RADIUS
authentication.
aaa global authentication
subscriber
Enter this command in the global
configuration mode.
At least one RADIUS server IP
address or hostname must be
configured in the local context;
for more information, see
Configuring RADIUS.
Configure context-specific
RADIUS followed by global
aaa authentication subscriber Enter this command in the
context configuration mode.
RADIUS authentication.
Use the radius global
construct with this command.
2.2.2.9 Authenticate Context-Specific RADIUS and Router (Local)
To authenticate subscribers using one or more RADIUS servers with IPv4
addresses or hostnames configured in the current context, followed by the
router, perform the task described in Table 18.
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
15
Configuring Authentication, Authorization, and Accounting
Table 18 Context-Specific RADIUS and Router Authentication
Task Root Command Notes
Configure context-specific
RADIUS authentication,
aaa authentication subs
criber
Enter this command in the context
configuration mode.
followed by router configuration
authentication.
Use the radius keyword followed by
the local keyword with this command.
At least one RADIUS server IP address
or hostname must be configured in the
current context; for more information,
see Configuring RADIUS.
2.2.2.10 Configure a Last-Resort Authentication Context
To specify a context to attempt authentication of a subscriber when the domain
portion of the subscriber name cannot be matched, perform the task described
in Table 19.
Table 19 Last-Resort Authentication Context
Root Comma
Task
Configure a last-resort
authentication context.
nd Notes
aaa last-resortEnter this command in the global
configuration mode.
2.2.3 Disabling Subscriber Authentication
To disable authentication of subscribers in the current context, perform the
task described in Table 20.
Table 20 Disabling Subscriber Authentication
Task Root Command Notes
Disable subscriber
authentication.
aaa authentication subs
criber
Enter this command in the context
configuration mode. Use the none keyword
with this command if subscriber authentication
is not required, such as when Dynamic Host
Configuration Protocol (DHCP) is used to
obtain IPv4 addresses for subscriber hosts.
16 61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuration and Operations
Caution!
Risk of security breach. If you disable subscriber authentication, individual
subscriber names and passwords will not be authenticated by the router, and
therefore, IP routes and ARP entries within individual subscriber records are
not installed. To reduce the risk, verify your network security setup before
disabling subscriber authentication.
2.3 Configuring Authorization and Reauthorization
To configure authorization and reauthorization, perform the tasks described in
the following sections.
2.3.1 Configuring CLI Commands Authorization
To specify that commands with a matching privilege level (or higher) require
authorization through TACACS+, perform the task described in Table 21.
Table 21 CLI Commands Authorization
Task Root Command Notes
Configure CLI commands
authorization.
aaa authorization comm
ands
Enter this command in the context
configuration mode.
A TACACS+ server must be
configured in the specified context;
for more information, see Configuring
TACACS+.
2.3.2 Configuring L2TP Peer Authorization
To determine whether L2TP peers are authorized by the router (local)
configuration or by a RADIUS server, perform the task described in Table 22.
Table 22 L2TP Peer Authorization
Task Root Command Notes
Configure L2TP peer
authorization.
aaa authorization tunnel Enter this command in the context
configuration mode.
By default, L2TP peers are
authorized through the router
configuration.
1761/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuring Authentication, Authorization, and Accounting
2.3.3 Configuring Dynamic Subscriber Reauthorization
To configure dynamic subscriber reauthorization, perform the task described
in Table 23.
Table 23 Dynamic Subscriber Reauthorization
Task Root Command Notes
Configure dynamic subscriber
reauthorization.
aaa reauthorization
bulk
Enter this command in the context
configuration mode.
For reauthorization to take effect, vendor VSA 94 provided by Ericsson AB,
Reauth-String, must be configured on the RADIUS server. Vendor VSA 95,
Reauth-More, is only needed if multiple reauthorization records are used for one
command. For example, if you have the following records, the
reauthorize
bulk 1 command causes the RADIUS server to process reauthorization for
reauth-1@local followed by reauth-2@local:
reauth-1@local
Password="redback"
Reauth-String="ID-type;subID;attr-num;attr-value;attr-num;attr-value...
Reauth-More=1
reauth-2@local
Password="redback"
Reauth-String="ID-type;subID;attr-num;attr-value;attr-num;attr-value...
Reauth_String
Attribute number: 94
Value: String
Format: "xxx"*
Send in Access-Request packet: No
Send in Accounting-Request packet: No
Receivable in Access-Request packet: Yes
18
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuration and Operations
Description: (SE)
* Format for Reauth String
"type;sub_id;attr#;attr_val;attr#;;attr#;attr_val;..."
(vsa_attr: vid-vsa_attr_#)
Reauth_More
Attribute number: 95
Value: integer
Format: 1
Send in Access-Request packet: No
Send in Accounting-Request packet: No
Receivable in Access-Request packet: Yes
Description: More reauth request is needed (SE)
For a list of the standard RADIUS attributes and vendor-specific attributes
(VSAs) that are supported as part of Reauth-String and their details , see
RADIUS Attributes.
2.4 Configuring Accounting
To configure accounting, perform the tasks described in the following sections.
2.4.1 Configuring CLI Commands Accounting
To specify that accounting messages are sent to a TACACS+ server whenever
an administrator enters commands at the specified privilege level (or higher),
perform the task described in Table 24.
Table 24 CLI Commands Accounting
Task Root Command Notes
Configure CLI commands
accounting.
aaa accounting
commands
Enter this command in the context
configuration mode.
A TACACS+ server must be configured in the
specified context; see Configuring TACACS+.
1961/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuring Authentication, Authorization, and Accounting
2.4.2 Configuring Administrator Accounting
To enable accounting messages for administrator sessions to be sent to the
TACACS+ server, perform the task described in Table 25.
Table 25 Administrator Accounting
Task Root Command Notes
Configure administrator
aaa accounting administrator Enter this command in the context
accounting.
2.4.3 Configuring Subscriber Accounting
To configure subscriber accounting, you must perform the following tasks:
• Configure Global Subscriber Accounting
• Configure Context-Specific Subscriber Accounting
• Configure Two-Stage Subscriber Accounting
2.4.3.1 Configure Global Subscriber Accounting
To configure global subscriber accounting, perform the tasks described in
Table 26.
configuration mode.
A TACACS+ server must be
configured in the specified context;
see Configuring TACACS+.
Note: Before configuring global subscriber accounting, you must configure
local subscriber authentication; for more information, see Configure
Global RADIUS Authentication earlier in this section. You must also
configure at least one RADIUS accounting server in the local context;
for more information, see Configuring RADIUS.
Table 26 Global Subscriber Accounting
Task Root Command Notes
Enable global
subscriber session
aaa global accounting subscriber Enter this command in the global
configuration mode.
accounting
messages.
Accounting messages for
subscriber sessions in all
contexts are sent to one or more
RADIUS accounting servers
with IP addresses or hostnames
configured in the local context.
20 61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuration and Operations
Table 26 Global Subscriber Accounting
Task Root Command Notes
Enable global
subscriber session
accounting update
messages.
Enable global
accounting messages
for the reauthorize
command.
Enable global
accounting messages
for the subscriber
session DHCP lease,
DHCPv6 prefix
delegation (PD),
reauthorization, or
ANCP events.
aaa global update subscriber Enter this command in global
configuration mode.
Updated accounting records for
the subscriber sessions in all
the contexts are sent to one or
more RADIUS accounting servers
with IP addresses or hostnames
configured in the local context.
aaa global accounting reauthorization
subscriber
Enter this command in the global
configuration mode.
Accounting messages for the
reauthorize command issued
in any context are sent to one or
more RADIUS accounting servers
with IP addresses or hostnames
configured in the local context.
aaa global accounting event Enter this command in global
configuration mode.
Accounting updates for the
following are sent to one or more
RADIUS accounting servers
with IP addresses or hostnames
configured in the local context:
• DHCP lease
• DHCPv6 PD
• IPv4 and IPV6 single
• stack to dual-stack transitions
• IPv4 and IPV6dual-stack to
single-stack transitions
• reauthorization
• ANCP events for subscriber
sessions in all contexts
2.4.3.2 Configure Context-Specific Subscriber Accounting
To configure context-specific subscriber accounting, perform the tasks
described in Table 27. Enter all the commands in the context configuration
mode.
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
21
Configuring Authentication, Authorization, and Accounting
Note: At least one RADIUS accounting server must be configured in the
current context before any messages are sent; for more information,
see Configuring RADIUS.
Table 27 Context-Specific Subscriber Accounting
Task Root Command Notes
Enable context-specific
subscriber accounting
messages.
Enable context-specific
subscriber session
accounting update
messages.
Enable context-specific
accounting messages
for the reauthorize
command.
aaa accounting subscriber Accounting messages for
subscriber sessions in the
current context are sent to one
or more RADIUS accounting
servers with IP addresses or
hostnames configured in the
same context.
aaa update subscriber Sends updated accounting
records for subscriber sessions
in the current context to one
or more RADIUS accounting
servers with IP addresses or
hostnames configured in the
same context.
aaa accounting reauthorization
subscriber
Accounting messages for the
reauthorize command used
in the current context are sent to
one or more RADIUS accounting
servers with IP addresses or
hostnames configured in the
same context.
22 61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuration and Operations
Table 27 Context-Specific Subscriber Accounting
Task Root Command Notes
Enable context-specific
accounting messages for
DHCP lease, DHCPv6
prefix delegation (PD),
reauthorization information,
or ANCP events.
Suppress accounting
messages when subscriber
sessions cannot be
established.
aaa accounting event Accounting messages for the
following are sent to one or more
RADIUS accounting servers
with IP addresses or hostnames
configured in the same context:
• DHCP lease
• DHCPv6 PD
• IPv4 and IPV6 single-stack
to dual-stack or dual-stack to
single-stack transition
• Reauthorization information
• ANCP events for subscriber
sessions in the current context
aaa accounting suppress-acct-on
-fail
Accounting messages are not
sent to the RADIUS server
when subscriber sessions
cannot be established due to
an authentication problem, a
changed IP address, and so on.
2.4.3.3 Configure Two-Stage Subscriber Accounting
Two-stage accounting collects RADIUS accounting data on both global
RADIUS servers and context-specific RADIUS servers. To configure
two-stage accounting for subscriber sessions, perform the tasks as shown in
Configure Subscriber Accounting and Configure Context-Specific Subscriber
Accountingsections.
2.4.4 Configuring L2TP Accounting
To configure L2TP accounting, you must perform the following tasks:
• Configure Global L2TP Accounting
• Configure Context-Specific L2TP Accounting
• Configure Two-Stage L2TP Accounting
2.4.4.1 Configure Global L2TP Accounting
To configure global L2TP accounting, perform the task described in Table 28.
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
23
Configuring Authentication, Authorization, and Accounting
Table 28 Global L2TP Accounting
Task Root Command Notes
Configure global L2TP
accounting.
aaa global accounting l2tpsession
Enter this command in global
configuration mode.
For all contexts, accounting messages
for L2TP tunnels, or sessions in L2TP
tunnels, are sent to one or more RADIUS
accounting servers with IP addresses
or hostnames configured in the local
context.
2.4.4.2 Configure Context-Specific L2TP Accounting
To configure context-specific L2TP accounting, perform the task described
in Table 29.
Table 29 Context-Specific L2TP Accounting
Task Root Command Notes
Configure context-specific L2TP
accounting.
aaa accounting
l2tp
Enter this command in context configuration
mode.
For the current context, accounting
messages for L2TP tunnels, or sessions
in L2TP tunnels, are sent to one or more
RADIUS accounting servers with IP
addresses or hostnames configured in the
same context.
2.4.4.3 Configure Two-Stage L2TP Accounting
Two-stage accounting collects RADIUS accounting data on both global
RADIUS accounting servers and context-specific RADIUS accounting servers.
To configure two-stage accounting for subscriber sessions, perform the tasks
in Configure Global L2TP Accounting and Configure Context-Specific L2TP
Accounting sections.
2.5 Performing Operation Tasks
To administer and troubleshoot AAA features, perform the appropriate AAA
operations tasks as shown in Table 30. Enter all the commands in exec mode.
Note: The command syntax in the task table displays only the root command.
For the complete command syntax, see Command List.
24
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuration and Operations
Table 30 AAA Operations Tasks
Task Root Command
Generate AAA debug messages. debug aaa
Modify a subscriber attribute in real time during an active
session, using the CLI.
Modify a subscriber attribute in real time during an active
session, using the RADIUS authentication process.
Test the communications link to a RADIUS server.
policy-refresh
reauthorize
test aaa
2.6 Configuring AAA Route Download
To configure AAA route download, you must configure the AAA route-download
server and route-download capabilities.
2.6.1 Configuring the AAA Route-Download Server
To configure a route-download server:
1. Use the configure command to access global configuration mode.
2. Use the context command to access context configuration mode.
3. Use the radius route-download server command to designate a RADIUS
route-download server, and configure the shared key (encrypted or not) and
optional port. If the port is not specified, 1812 is used as the default value.
2.6.2 Configuring Route-Download Capabilities
Once you have configured a route-download server, you can configure
route-download capability in context configuration mode:
1. Use the radius route-download algorithm command to specify the
load-balancing algorithm to be used when multiple servers are configured.
By default , the request is sent to the first available RADIUS server. You
can also configure round-robin load balancing.
2. Use the radius route-download deadtime command to specify the interval in
minutes for declaring a RADIUS route-download server unavailable before
declaring it as available again. The range is 0 to 65,535. If not specified,
the server is not declared as available again. The default deadtime value
is 5 minutes.
3. Use the radius route-download max-retries command to specify the
maximum number of times a route download request is retried. The range
is 1 to 2,147,483,647. The default value is 3.
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
25
Configuring Authentication, Authorization, and Accounting
4. Use the radius route-download server-timeout command to specify the
interval in seconds while waiting for a response from the RADIUS server
before declaring it unavailable. The range is 1 to 2,147,483,647. If not
specified, the server is never considered unavailable. By default, the
capability remains disabled.
5. Use the radius route-download timeout command to specify the interval in
seconds, for the waiting time before retrying a request. The range is 1 to
2,147,483,647. The default is 10 seconds.
26
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Configuration Examples
3 Configuration Examples
The following sections provide AAA configuration examples.
3.1 Configuring Administrator Authentication
The following example shows how to enable local administrator authentication
using remote console access, and limit the number of concurrent sessions to 10:
[local]Redback(config-ctx)#aaa authentication administrator vty local maximum sessions 10
3.2 Configuring Administrator Accounting
The following example shows how to enable RADIUS accounting messages for
administrator sessions for the local context:
[local]Redback(config-ctx)#aaa accounting administrator radius
3.3 Defining the Administrator Structured Username
The following example shows how to define a username. In this case, the
chassis checks for the far right separator and an @ symbol.
[local]Redback(config-ctx)#aaa username-format domain @ rightmost-separator
3.4 Authenticating Subscribers
You can configure subscriber authentication in several different ways. For
example, different subscribers can be authenticated by different RADIUS
servers in distinct contexts.
In the following example, subscriber janet in the AAA_local context is
authenticated by the configuration in that context; subscriber rene in the
AAA_radius context is authenticated by the RADIUS server in that context;
subscriber kevin in the AAA_global context is authenticated by the RADIUS
server in the local context:
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
27
Configuring Authentication, Authorization, and Accounting
[local]Redback(config)#aaa global authentication subscriber radius context local
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 10.1.1.1 key TopSecret
.
.
.
[local]Redback(config)#context AAA_local
[local]Redback(config-ctx)#aaa authentication subscriber local
[local]Redback(config-ctx)#interface corpA multibind
[local]Redback(config-if)#ip address 10.1.3.30 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name janet
[local]Redback(config-sub)#password dragon
[local]Redback(config-sub)#ip address 10.1.3.30 255.255.255.0
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 1 100 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber janet@AAA_local password dragon
.
.
.
[local]Redback(config)#context AAA_radius
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#radius server 10.2.2.2 key TopSecret
[local]Redback(config-ctx)#interface corpB multibind
[local]Redback(config-if)#ip address 10.2.4.40 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 2 200 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber rene@AAA_radius password tiger
.
.
.
[local]Redback(config)#context AAA_global
[local]Redback(config-ctx)#aaa authentication subscriber global
[local]Redback(config-ctx)#interface corpC multibind
[local]Redback(config-if)#ip address 10.3.5.50 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 3 300 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber kevin@AAA_global password lion
3.5 Reauthorizing Subscribers
The following example enables RADIUS reauthorization for subscriber circuits
and accounting messages:
[local]Redback(config-ctx)#radius server 10.10.11.12 key redback
[local]Redback(config-ctx)#radius attribute nas-ip-address interface loop1
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#aaa accounting subscriber radius
[local]Redback(config-ctx)#aaa accounting reauthorization subscriber radius
[local]Redback(config-ctx)#aaa update subscriber 10
[local]Redback(config-ctx)#aaa accounting event reauthorization
[local]Redback(config-ctx)#aaa reauthorization bulk radius
[local]Redback(config-ctx)#radius accounting server 10.10.11.2. key redback
28 61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Loading...