Radius Accounting Records | Cisco Systems OL-4387-02 specification

Chapter 4 Authentication and Accounting

RADIUS Accounting Records

RADIUS Accounting Records

SSG sends accounting records with the associated attributes to the RADIUS accounting server when the following events occur:

•Account Login and Logout, page 4-2

•Service Connection and Termination, page 4-3

Account Login and Logout

SSG sends a RADIUS accounting-request record to the local RADIUS server when a user logs in to or out of the SSG. The Acct-Status-Type attribute included in the accounting-request record indicates if the accounting-request marks the start of the user service or the end of the service.

When a user logs in, SSG sends an accounting-start record to RADIUS. When a user logs out, SSG sends an accounting-stop record.

Configuration Examples for Account Login and Logout

Example 4-3shows the information contained in a RADIUS accounting-start record.

Example 4-3 RADIUS Accounting-Start Record

Acct-Status-Type = Start

NAS-IP-Address = ip_address

User-Name = "username"

Acct-Session-Id = "session_id"

Framed-IP-Address = user_ip

Proxy-State = "n"

Example 4-4shows the information contained in a RADIUS accounting-stop record.

Example 4-4 RADIUS Accounting-Stop Record

Acct-Status-Type = Stop

NAS-IP-Address = ip_address

User-Name = "username"

Acct-Session-Time = time

Acct-Terminate-Cause = cause

Acct-Session-Id = "session_id"

Framed-IP-Address = user_ip

Proxy-State = "n"

The Acct-Session-Time attribute indicates the length of session, expressed in seconds. The Acct-Terminate-Cause attribute indicates the reason for account termination, which can be due to the following events:

•User-Request

•Session-Timeout

•Idle-Timeout

•Lost-Carrier

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

4-2	OL-4387-02

Image 32

Cisco Systems OL-4387-02 Radius Accounting Records, Account Login and Logout, Example 4-3 Radius Accounting-Start Record

Contents

Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved N T E N T S Iii Configuration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile SSG Unconfig Vii Viii Document Organization About This GuideAudience Document Conventions Cisco.com Related DocumentationObtaining Documentation Documentation Feedback Obtaining Technical AssistanceDocumentation CD-ROM Ordering Documentation Cisco TAC Website Opening a TAC CaseTAC Case Priority Definitions Xiii Obtaining Additional Publications and Information Xiv Service Selection Gateway Overview Service Selection Gateway SSG Topology Example Default Network Access Protocols Supported SSG Features SSG Restrictions Service Selection Gateway Overview SSG Restrictions SSG Prerequisites SSG Architecture Model Service Selection Gateway Overview SSG Architecture Model OL-4387-02 Scalability and Performance Limitations and Restrictions Scalability and Performance Limitations and Restrictions Prerequisites for Single Host Logon SSG Logon and LogoffSingle Host Logon Restrictions for SSG Autologoff Configuration of SSG AutologoffSSG Autologoff SSG Prepaid Idle Timeout Configuration Example for SSG AutologoffExample 3-1 SSG Autologoff Using ARP Ping Example 3-2 SSG Autologoff Using Icmp Ping Service Authorization Service Reauthorization Restrictions for SSG Prepaid Idle Timeout Prerequisites for SSG Prepaid Idle TimeoutConfiguration of SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle Timeout SSG Session and Idle Timeout Example 3-5 SSG Service-Specific TCP RedirectExample 3-7 SSG Threshold Volume Example 3-6 SSG Threshold Time Authentication and Accounting SSG Full Username Radius AttributeRestrictions for SSG Full Username Radius Attribute Example 4-1 Radius Freeware Format Example Account Login and Logout Radius Accounting RecordsExample 4-3 Radius Accounting-Start Record Example 4-4 Radius Accounting-Stop Record Service Connection and Termination Authentication and Accounting Radius Accounting Records PTA-Multidomain Service Selection MethodsPPP Terminated Aggregation Web Service Selection Restrictions for PTA-MD Sesm and SSG Performance OL-4387-02 Service Connection SSG AutoDomain Restrictions for SSG AutoDomain Configuration of SSG AutoDomainConfiguration Example for SSG AutoDomain Example 6-3 AutoDomain Exclude File Format Example 6-1 SSG AutoDomainExample 6-2 AutoDomain Exclude Profile SSG VSA Format Restrictions for SSG Prepaid Configuration of SSG PrepaidSSG Prepaid Configuration Example for SSG Prepaid SSG Open Garden Configuration of SSG Open Garden Configuration Example for SSG Open GardenSSG Port-Bundle Host Key Restrictions for SSG Open Garden Restrictions for SSG Port-Bundle Host Key Mutually Exclusive Service Selection Configuration of SSG Port-Bundle Host KeyExclude Networks Prerequisites for SSG Port-Bundle Host Key Configuration of Mutually Exclusive Service Selection OL-4387-02 Service Profiles Downstream Access Control List Upstream Access Control List Service Authentication TypeDomain Name Full Username Service-Defined Cookie Service DescriptionService Mode Service Next-Hop Gateway Cached Service Profiles Type of ServiceService Profile Example Example 7-1 Service Profile Configuration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing Token Bucket Scheme SSG Hierarchical PolicingSSG Hierarchical Policing Overview SSG Hierarchical Policing Configuration Restrictions for SSG Hierarchical Policing Configuration Examples for SSG Hierarchical Policing Example 8-2 Enabling Per-Session Policing on a Router OL-4387-02 Interface Configuration Transparent Passthrough Access Side Interfaces For example Configuration of Transparent Passthrough Multicast Protocols on SSG InterfacesNetwork Side Interfaces Restrictions of Transparent Passthrough Configuration of Multicast Protocols on SSG Interfaces 10-1 Redirection for Unauthenticated UsersSSG TCP Redirect Redirection for Unauthorized Services 10-2 Initial Captivation 10-3 Configuration of SSG TCP Redirect Restrictions for SSG TCP RedirectPrerequisites for SSG TCP Redirect 10-4 Example 10-2 Limiting Redirected TCP Sessions 10-5Example 10-1 Binding a Server Group to a Port Configuring SSG TCP Redirect 10-6 Configuration Examples for SSG TCP Redirect 10-7Example 10-3 Defining a Captive Portal Server Group Example 10-4 Defining Network Lists 10-8 Example 10-5 Defining Port Lists 11-1 Miscellaneous SSG FeaturesVPI/VCI Static Binding to a Service Profile AAA Server Group Support for Proxy Services Configuration of Radius Virtual Circuit LoggingRadius Virtual Circuit Logging 11-2 Packet Filtering 11-3 Downstream Access Control List-outacl Upstream Access Control List-inaclRestrictions for Packet Filtering 11-4 SSG Unconfig Configuration of Packet FilteringConfiguration Example for Packet Filtering Restrictions for SSG Unconfig Prerequisites for SSG Unconfig Configuration of SSG UnconfigConfiguration Examples for SSG Unconfig 11-6 11-7 SSG Enhancements for Overlapping ServicesService Translation 11-8 Restrictions for Service Translation 11-9 Configuration of Service Translation 11-10 Expansion of Service IDs 11-11 Network Sets 11-12 Monitoring and Maintaining SSG 12-1 Troubleshooting Radius Per-Service StatisticsRestrictions for Per-Service Statistics 12-2 Monitoring the Parallel Express Forwarding Engine 12-3 12-4 SSG Configuration Example Figure A-1 SSG Example Topology Example A-1 Cisco 10000 Router SSG Configuration Username cisco password 0 cisco clock timezone PST Ssg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Feature Implementation Notes SSG Implementation Notes Mpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 O S S a R Y GL-1 GL-2 GL-3 GL-4 GL-5 GL-6 D E IN-1 DSL G-1 IN-2 ISP G-2 L2TP IN-3 Radius IN-4 Reauthorizing prepaid IN-5 TCP IN-6 VRF G-5 VSA IN-7 IN-8