Configuring Authentication, Authorization,

and Accounting

SYSTEM ADMINISTRATOR GUIDE

61/1543-CRA 119 1170/1 Uen L

Copyright

© Ericsson AB 2010-2012. All rights reserved. No part of this document may be

reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to
continued progress in methodology, design and manufacturing. Ericsson shall
have no liability for any error or damage of any kind resulting from the use
of this document.

Trademark List

SmartEdge is a registered trademark of Telefonaktiebolaget LM

Ericsson.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Contents

Contents

1 Overview 1
1.1 Authentication 1
1.2 Authorization and Reauthorization 5
1.3 Accounting 5
1.4 AAA Route Download Overview 7

2 Configuration and Operations 9

2.1 Configuring Global AAA 9
2.2 Configuring Authentication 11
2.3 Configuring Authorization and Reauthorization 17
2.4 Configuring Accounting 19
2.5 Performing Operation Tasks 24
2.6 Configuring AAA Route Download 25

3 Configuration Examples 27
3.1 Configuring Administrator Authentication 27
3.2 Configuring Administrator Accounting 27
3.3 Defining the Administrator Structured Username 27
3.4 Authenticating Subscribers 27
3.5 Reauthorizing Subscribers 28

61/1543-CRA 119 1170/1 Uen L | 2012-12-04

Configuring Authentication, Authorization, and Accounting

61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Overview

1 Overview

This document applies to both the Ericsson SmartEdge® and SM family routers.
However, the software that applies to the SM family of systems is a subset of
the SmartEdge OS; some of the functionality described in this document may
not apply to SM family routers.

For information specific to the SM family chassis, including line cards, refer to
the SM family chassis documentation.

For specific information about the differences between the SmartEdge and SM
family routers, refer to the Technical Product Description SM Family of Systems
(part number 5/221 02-CRA 119 1170/1) in the Product Overview folder of
this Customer Product Information library.

This document provides an overview of the authentication, authorization, and

accounting (AAA) features of the Ericsson SmartEdge and SM family routers
and describes the tasks used to configure, monitor, and administer AAA. This
document also provides AAA configuration examples.

Note: In the following sections, the term controller card refers to the
Cross-Connect Route Processor (XCRP4) Controller card. The term
controller carrier card refers to the controller functions on the carrier
card in the SmartEdge100 chassis.

1.1 Authentication
The following sections describe the authentication features for administrators
and subscribers.

1.1.1 Administrators

By default, router configuration authenticates the administrators. You can also

authenticate administrators through database records on a RADIUS server, on
a Terminal Access Controller Access Control System Plus (TACACS+) server,
or on both the servers sequentially.

You must configure the IP address of a reachable RADIUS or TACACS+

server (or both) in the context in which the administrator is configured. You
can set a maximum limit on the number of administrator sessions that can be
simultaneously active in each context. For information about RADIUS and
TACACS+, see Configuring RADIUS and Configuring TACACS+ respectively.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 1

 Configuring Authentication, Authorization, and Accounting

1.1.2 Subscribers

Authentication of Point-to-Point Protocol (PPP) subscribers now includes

support for IPv4, IPv6, and dual-stack subscribers. Dual-stack subscribers run
both IPv4 and IPv6. For information on IPv6 subscribers, refer to Configuring
IPv6 Subscriber Services. Authentication requests do not indicate if a session
is single or dual stack, but authentication responses do indicate.

An IPv6 subscriber must be authorized through AAA before PPP negotiates

connectivity and ND processes packets. If a protocol is not authorized, PPP
does not negotiate that protocol with a client, even when the PPP negotiation
process is initiated by a client.

1.1.2.1 Authentication Options

By default, operating system configuration authenticates the subscriber. You

can also authenticate subscribers through database records on a RADIUS
server.

When the IP address or hostname of the RADIUS server is configured in the

operating system local context, global RADIUS authentication is performed.
That is, although the subscribers are configured in a nonlocal context, they are
authenticated through the RADIUS server configured in the local context. With
global RADIUS authentication, the RADIUS server returns the Context-Name
vendor-specific attribute (VSA), indicating the name of the particular context to
which subscribers are bound.

When the IP address or the hostname of the RADIUS server is configured in a

context other than the local context, context-specific RADIUS authentication is
performed. This means that only subscribers bound to the context in which the
RADIUS server’s IP address or hostname is configured are authenticated.

You can also configure the router to authenticate through a RADIUS server
configured in the nonlocal context, and then through a RADIUS server
configured in the local context, if the previous server is unavailable; else,
proceed to router configuration.

AAA includes the following Layer 2 Tunneling Protocol (L2TP) attribute-value

pairs (AVPs), RADIUS standard attributes, and vendor-specific attributes
(VSAs) provided by Ericsson in RADIUS Access-Request messages for L2TP
network server (LNS) subscribers that are authenticated using RADIUS:

• Tunnel-Client-Endpoint (66)

• Tunnel-Server-Endpoint (67)

• Acct-Tunnel-Connection (68)

• Tunnel-Assignment-ID (82)

• Tunnel-Client-Auth-ID (90)

2 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Overview

• Tunnel-Server-Auth-ID (91)

• Tunnel-Function (VSA 18)

• Tx-Connect-Speed (L2TP AVP 24)

• Rx-Connect-Speed (L2TP AVP 38)

If you have IPv6 PPP subscriber sessions, the following standard RADIUS
attributes and Ericsson VSAs are supported:

• NAS-IPv6-Address (95)

• Framed-Interface-Id (96)

• Framed-IPv6-Prefix (97)

• Framed-IPv6-Route (99)

• Framed-IPv6-Pool (100)

• Delegated-IPv6-Prefix (123)

• RB-IPv6-DNS (207)

• RB-IPv6-Option (208)

• Delegated-Max-Prefix (212)

For more information about RADIUS standard attributes and vendor VSAs
provided by Ericsson AB, see RADIUS Attributes. For more information about
L2TP AVPs, see Configuring L2TP.

1.1.2.2 Maximum Subscriber Sessions

You can set a maximum limit on the number of subscriber sessions that can be
simultaneously active in a given context and for all configured contexts.

1.1.2.3 Limited Subscriber Services

You can limit the services provided to subscribers based on volume of traffic.
You can monitor volume-based services in the upstream and downstream
directions independently, separately, or aggregated in both directions.
However, you cannot simultaneously monitor aggregated traffic and either
upstream or downstream traffic.

Volume limits are imposed by the RADIUS VSA 113 in Access-Accept and
Accounting-Request messages.

AAA supports inbound and outbound traffic counters, as well as an aggregated

counter of both incoming and outgoing traffic. If the aggregated counter
exceeds the configured value for aggregated traffic limit, AAA sends a RADIUS

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 3

 Configuring Authentication, Authorization, and Accounting

accounting message or tears down the subscriber session, depending on the

configured action to perform.

If the RADIUS attribute does not include the direction to which the limit is
applied, the downstream direction is assumed. If no limit is included, the traffic
volume is unlimited in both the directions and is not monitored. If a limit of 0
is configured for a direction, traffic is treated as unlimited in that direction and
is not monitored.

VSA 113 is also supported in a subscriber reauthorize Access-Accept message.

1.1.2.4 Binding Order

If a subscriber circuit has been configured with a dynamic binding, using the
bind authentication command (in the circuit’s configuration mode),
AAA uses subscriber attributes in messages received during subscriber
authentication to determine which IPv4 address (and the associated interface)
to use when binding the subscriber circuit.

By default, the router considers L2TP attributes before considering RADIUS

attributes. You can reverse this order so that the IPv4 address provided in the
RADIUS record is used before one provided by L2TP.

1.1.2.5 IP Address Assignment

By default, the router uses a round-robin algorithm to allocate subscriber

IPv4 addresses from the IP pool. You can also configure the router to use a
first-available algorithm.

AAA typically assigns an IPv4 address to a PPP subscriber from an IP pool

after receiving an Access-Accept packet from a RADIUS server. However,
you can configure AAA to provide an IPv4 address from an IP pool in the
Framed-IP-Address attribute in the RADIUS Access-Request packet. This IPV4
IP address is provided to the RADIUS server as a preferred address. If there
are no unassigned IPv4 addresses in the pool, the authentication request is
sent without an IPv4 address.

The RADIUS server may or may not accept the address ; Table 1 lists the
RADIUS server responses and the corresponding router actions.

Table 1 RADIUS Server Response and Router Actions

RADIUS Server Response Corresponding Router Action
Framed-IP-Address attribute The router assigns preferred IPv4 address.
contains 255.255.255.254,
0.0.0.0, or is missing.
Framed-IP-Address attribute The router assigns the IPv4 address in the
contains a different IPv4 Framed-IP-Address attribute and returns the
address. preferred IPv4 address to its pool.

4 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Overview

1.2 Authorization and Reauthorization

The following sections describe the authorization and reauthorization features.

1.2.1 CLI Commands Authorization

You can specify that commands with a matching privilege level (or higher)
require authorization through TACACS+.

1.2.2 Dynamic Subscriber Reauthorization

When subscribers request new or modified services during active sessions, the
requests can be translated to changes that are applied during the active session
through dynamic subscriber reauthorization. Reauthentication occurs without
PPP renegotiation and without interrupting or dropping the active session.

1.3 Accounting
The following sections describe the accounting features.

1.3.1 CLI Commands Accounting

You can configure the router so that accounting messages are sent to a
TACACS+ server whenever an administrator enters commands at the specified
privilege level (or higher).

1.3.2 Administrator Accounting

You can configure administrator accounting, which tracks messages for the
administrator sessions; the messages are sent to a RADIUS or TACACS+
server.

1.3.3 Subscriber Accounting

You can configure subscriber accounting, which tracks messages for subscriber
sessions; the messages are sent to a RADIUS accounting server. Use the
aaa accounting subscriber command with the radius keyword to
configure subscriber accounting. When the IP address or hostname of the
RADIUS accounting server is configured in the router local context, global
authentication is performed. That is, although the subscribers are configured
in a non-local context, accounting messages for subscribers sessions in the
context are sent through the RADIUS accounting server configured in the local
context. When using global RADIUS subscriber accounting, configuring global
RADIUS subscriber authentication is required.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 5

 Configuring Authentication, Authorization, and Accounting

Note: Configuring the global keyword with the aaa accounting

subscriber command allows you to enable global RADIUS
subscriber accounting even without global authentication. For more
information, refer to the Command Description document.

When the IP address or hostname of the RADIUS accounting server is

configured in a context other than the local context, context-specific accounting
is performed; accounting messages are sent only for subscribers bound to
the context in which the RADIUS accounting server IP address or hostname
is configured.

You can configure two-stage accounting where the router sends accounting
messages to a RADIUS accounting server configured in the non-local context
and to a RADIUS accounting server configured in the local context. For
example, a copy of the accounting data can be sent to both a wholesaler's
and an upstream service provider’s RADIUS accounting server, so that the
end-of-period accounting data can be reconciled and validated by both the
parties.

You can also specify the error conditions for which the router suppresses the
sending of accounting messages to a RADIUS accounting server.

1.3.4 L2TP Accounting

You can configure L2TP accounting that tracks messages for L2TP tunnels or
sessions in L2TP tunnels; the messages are sent to a RADIUS accounting
server. When the IP address or hostname of the RADIUS accounting server is
configured in the router local context, global accounting is performed. When
the IP address or hostname of the RADIUS accounting server is configured in a
context other than the local context, context-specific accounting is performed.
You can also configure two-stage accounting.

The router sends just a single accounting on message when more than
one type of RADIUS accounting is enabled. For example, if you enable
both subscriber accounting and L2TP accounting, the router sends only one
accounting on message to each RADIUS accounting server, even if you
enable L2TP accounting at a later time. Similarly, the accounting off
message is not sent until you have disabled all types of RADIUS accounting.

Note: Configuring the global keyword with the aaa accounting l2tp
session command allows you to enable global RADIUS accounting
for sessions in L2TP tunnels even without global authentication. For
more information, see the aaa accounting l2tp command.

If a subscriber session cannot be tunneled to a specific L2TP network server

(LNS) or to an LNS in a group of L2TP peers, or if the router has received a
Link Control Protocol (LCP) termination request from the subscriber before the
session establishment is complete, the Acct-Session-Time attribute is set to 0.

6 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Overview

1.4 AAA Route Download Overview

The router allows you to configure and advertise IPv4 access routes before the
routes have been assigned to subscribers. Pre-provisioning access routes
helps eliminate routing protocol scalability issues or delays when the protocol
is converging or when a large number of subscribers is being simultaneously
activated. More than one RADIUS server can be designated as a route
download server. While defining a route download server, RADIUS server
redundancy operates in the normal way.

When this feature is enabled, the router periodically sends a RADIUS

Access-Request message to the RADIUS server acting as a route download
server, requesting to download routes. To respond, the RADIUS server sends
an Access-Accept message containing a set of routes within the RFC-specified
RADIUS packet length, which the router downloads. The router repeats the
request until all the routes have been downloaded; the RADIUS server signals
completion by rejecting the Access-Request message. Once all the routes
have been downloaded successfully, the router installs the access routes in its
RIB. If the download fails at any point, all the routes are discarded; the router
never installs an incomplete batch of routes into its RIB.

A set of download requests is sent on a periodic basis, beginning at a

configured time of day and repeating at configured intervals thereafter. Routes
are carried in the Framed-Route attribute (standard attribute 22), which must
be formatted as specified in RFC 2865, RADIUS. The metric field in the
Framed-Route attribute is optional. The router uses the Context-Name attribute
(VSA attribute 4) to identify the context where the route is downloaded.

This feature assumes that the routes downloaded from the RADIUS route
download server have a more specific prefix than the prefix of the subscriber
route. The router does not check for configuration errors in this regard.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 7

 Configuring Authentication, Authorization, and Accounting

8 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Configuration and Operations

2 Configuration and Operations

This section provides information on how to configure, administer, and

troubleshoot AAA.

Note: The command syntax in the task table displays only the root command.
For the complete command syntax, see Command List.

2.1 Configuring Global AAA

To configure global attributes for AAA, perform the tasks in the following
sections.

2.1.1 Limiting the Number of Active Administrator Sessions

To limit the number of administrator sessions that can be simultaneously active

in a given context, perform the task described in Table 2.

Table 2 Number of Active Administrator Sessions

Task Root Command Notes
Limit the number of aaa authentication administr Enter this command in the context
administrator sessions ator configuration mode.
that can be simultaneously
active in a given context. To set the limit, use the maximum
sessions num-sess construct.

2.1.2 Limiting the Number of Active Subscriber Sessions

To limit the number of subscriber sessions that can be simultaneously active,
perform the task described in Table 3.

Table 3 Number of Active Subscriber Sessions

Task Root Command Notes
Limit the number of subscriber aaa maximum subscriber Enter this command in the
sessions that can be simultaneously context configuration mode.
active in a given context.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 9

 Configuring Authentication, Authorization, and Accounting

2.1.3 Preventing Subscriber Session Authentication When Session Limit

Reached
To prevent a new session from being authenticated when the maximum
configured number of sessions has been reached, perform the task described
in Table 4.

Table 4 Subscriber Session Authentication When Session Limit Reached

Task Root Command Notes
Prevent a new subscriber session aaa global suppress-authe Enter this command in the
from being authenticated when the ntication slid-session-limit global configuration mode.
maximum configured number of
sessions is established.
Prevent a new subscriber session aaa global suppress-authe Enter this command in the
from being authenticated when the ntication slid-session-limit global configuration mode.
maximum configured number of agent-remote-circuit-id
sessions (combination of ARI and
ACI) is established.

2.1.4 Enabling a Direct Connection for Subscriber Circuits

To enable a direct connection for subscriber circuits, configure the router to
install the route specified by the RADIUS Framed-IP-Netmask attribute as
described in Table 5.

Table 5 Direct Connection for Subscriber Circuits

Task Root Command Notes
Enable use of the RADIUS aaa provision route Enter this command in the context
Framed-IP-Netmask attribute to configuration mode.
install the route to a remote router.

2.1.5 Defining Structured Username Formats

To define one or more schema for matching the format of structured usernames
(subscriber and administrator names), perform the task described in Table 6.

Table 6 Structured Username Formats

Task Root Command Notes
Define one or more schema aaa username-for Enter this command in the global
for matching the format of mat configuration mode.
structured usernames.
If no username formats are explicitly
defined, the router checks the default format,
username@domain-name, for a match.

10 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Configuration and Operations

2.1.6 Authenticating Username

To specify a username for authentication, perform the task described in Table 7.

Table 7 Username for Authentication

Task Root Command Notes
Specify that the Username aaa global reject Enter this command in the global
attribute is required in empty-username configuration mode.
Access-Request messages.
If no value is specified for the
User-Name attribute, AAA suppresses the
Access-Request message, and thereby the
subscriber authentication fails.

By default, the router sends Access-Request messages to the RADIUS server,

regardless of whether a username is specified.

2.1.7 Acknowledging RSE Service Activation via CoA on Stack Mismatch

To acknowledge an RSE service activation via CoA even if it is applying an
RSE service containing both IPv4 and IPv6 attributes to a single stack IPv4
subscriber, perform the tasks described Table 8.

Table 8 RSE Service Activation

Task Root Command Notes
Specify that RSE service activation aaa global coa ignore Enter this command in global
via CoA will be acknowledged even rse-attr-stack-mismatch configuration mode.
if it is applying an RSE service
containing both IPv4 and IPv6
attributes to a single stack IPv4
subscriber.

2.2 Configuring Authentication

To configure authentication, perform the tasks described in the following
sections.

2.2.1 Configuring Administrator Authentication

To configure administrator authentication, perform the task described in Table 9.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 11

 Configuring Authentication, Authorization, and Accounting

Table 9 Administrator Authentication

Task Root Command Notes
Configure administrator aaa authentication admin Enter this command in the context
authentication. istrator configuration mode.
You have the option to configure either
the console port or a vty port for each
specified authentication method. By
default, both ports are enabled for use.
Use either the console or vty keyword
as needed.

2.2.2 Configuring Subscriber Authentication

To configure subscriber authentication, you must perform the following tasks:

• Configure IP Address Assignment

• Enable the Assignment of Preferred IP Addresses

• Change the Default Order for Determining Subscriber IP Addresses

• Configure Global RADIUS Authentication

• Configure Context-Specific RADIUS Authentication

• Authenticate Router (Local)

• Configure DHCPv6 Interface Authentication

• Configure Context-Specific RADIUS and Global RADIUS Authentication

• Authenticate Context-Specific RADIUS and Router (Local)

• Configure a Last-Resort Authentication Context

2.2.2.1 Configure IP Address Assignment

To configure the algorithm the router uses to assign subscriber IPv4 address,
perform the task described in Table 10.

Table 10 Assignment of IPv4 or IPv6 IP Addresses

Task Root Command Notes
Change the logic the router uses to aaa ip-pool Enter this command in the global
allocate subscriber IP addresses from allocation configuration mode.
the default algorithm (round-robin) to a first-available
first-available algorithm.

12 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Configuration and Operations

2.2.2.2 Enable the Assignment of Preferred IP Addresses

To enable the router to provide a RADIUS server with preferred IP addresses

when performing subscriber authentication, perform the task described in
Table 11.

Table 11 Assignment of Preferred IP Addresses

Task Root Command Notes
Enable the router to provide the aaa hint ip-address Enter this command in the context
RADIUS server with preferred IP configuration mode.
addresses from unnamed IP pools.

2.2.2.3 Change the Default Order for Determining Subscriber IP Addresses

To change the default order for determining the IP address (and its interface) to
be used for binding a subscriber circuit, perform the task described in Table 12.

Table 12 Default Order for Determining Subscriber IP Addresses

Task Root Command Notes
Change the default order for aaa provision binding- Enter this command in the context
determining the IP address for order configuration mode.
binding a subscriber circuit.

2.2.2.4 Configure Global RADIUS Authentication

To configure global RADIUS authentication, perform the tasks described in

Table 13.

Table 13 Global RADIUS Authentication

Task Root Command Notes
Enable global RADIUS aaa global authentication Enter this command in the
authentication. subscriber global configuration mode.
At least one RADIUS server
IP address or hostname must
be configured in the local
context; for more information,
see Configuring RADIUS.
Authenticate subscribers in the aaa authentication subscriber Enter this command in the
current context through one or more context configuration mode.
RADIUS servers with IP addresses
or hostnames configured in the local Use the global keyword
context. with this command.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 13

 Configuring Authentication, Authorization, and Accounting

2.2.2.5 Configure Context-Specific RADIUS Authentication

To authenticate subscribers using one or more RADIUS servers with IP

addresses or hostnames configured in the current context, perform the task
described in Table 14.

Table 14 Context-Specific RADIUS Authentication

Task Root Command Notes
Configure context-specific RADIUS aaa authentication subs Enter this command in the context
authentication. criber configuration mode.
Use the radius keyword with this
command to configure RADIUS
authentication.
At least one RADIUS server
IP address or hostname must
be configured in the current
context; for more information, see
Configuring RADIUS.

2.2.2.6 Authenticate Router (Local)

To authenticate subscribers through the router configuration, perform the task

described in Table 15.

Table 15 Router Configuration Authentication

Task Root Command Notes
Configure router configuration aaa authentication subs Enter this command in the context
authentication. criber configuration mode.
Use the local keyword with this
command to configure RADIUS
authentication.

2.2.2.7 Configure DHCPv6 Interface Authentication

Enable AAA to authenticate subscribers through the router local database.

Subscribers are authenticated according to parameters set in the subscriber
profile for the current context. In the subscriber local context, to configure an
interface as a DHCPv6 interface, AAA must be enabled to provide subscriber
authentication. To authenticate subscribers through a DHCPv6 server, perform
the tasks described in Table 16.

14 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Configuration and Operations

Table 16 Router DHCPv6 Interface Authentication

Task Root Command Notes
Configure an interface to be a dhcpv6 server The DHCPv6 server uses the primary
DHCPv6 server interface. interface IPv6 address of the interface as the
server IP address.
Enable AAA to authenticate aaa authentication Subscribers are authenticated
subscribers through the router subscriber local according to the parameters set in
local database or RADIUS. the subscriber profile for the current
or context.
aaa authentication
subscriber radius

When the router is configured to provide dual-stack and IPv6 subscriber

services, DHCPv6 requests AAA for prefix delegation. In response to the
DHCPv6 request, AAA returns one or more prefixes. For more information
on DHCPv6 configuration, refer to Configuring DHCP. For an example of an
end-to-end IPv6 configuration to check where AAA subscriber authentication is
required, refer to Configuring IPv6 Subscriber Services.

2.2.2.8 Configure Context-Specific RADIUS and Global RADIUS Authentication

To configure context-specific RADIUS authentication, followed by global

RADIUS authentication, perform the tasks described in Table 17.

Table 17 Context-Specific RADIUS and Global RADIUS Authentication

Task Root Command Notes
Enable global RADIUS aaa global authentication Enter this command in the global
authentication. subscriber configuration mode.
At least one RADIUS server IP
address or hostname must be
configured in the local context;
for more information, see
Configuring RADIUS.
Configure context-specific aaa authentication subscriber Enter this command in the
RADIUS followed by global context configuration mode.
RADIUS authentication.
Use the radius global
construct with this command.

2.2.2.9 Authenticate Context-Specific RADIUS and Router (Local)

To authenticate subscribers using one or more RADIUS servers with IPv4

addresses or hostnames configured in the current context, followed by the
router, perform the task described in Table 18.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 15

 Configuring Authentication, Authorization, and Accounting

Table 18 Context-Specific RADIUS and Router Authentication

Task Root Command Notes
Configure context-specific aaa authentication subs Enter this command in the context
RADIUS authentication, criber configuration mode.
followed by router configuration
authentication. Use the radius keyword followed by
the local keyword with this command.
At least one RADIUS server IP address
or hostname must be configured in the
current context; for more information,
see Configuring RADIUS.

2.2.2.10 Configure a Last-Resort Authentication Context

To specify a context to attempt authentication of a subscriber when the domain

portion of the subscriber name cannot be matched, perform the task described
in Table 19.

Table 19 Last-Resort Authentication Context

Root Comma
Task nd Notes
Configure a last-resort aaa last-reso Enter this command in the global
authentication context. rt configuration mode.

2.2.3 Disabling Subscriber Authentication

To disable authentication of subscribers in the current context, perform the
task described in Table 20.

Table 20 Disabling Subscriber Authentication

Task Root Command Notes
Disable subscriber aaa authentication subs Enter this command in the context
authentication. criber configuration mode. Use the none keyword
with this command if subscriber authentication
is not required, such as when Dynamic Host
Configuration Protocol (DHCP) is used to
obtain IPv4 addresses for subscriber hosts.

16 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Configuration and Operations

Caution!
Risk of security breach. If you disable subscriber authentication, individual
subscriber names and passwords will not be authenticated by the router, and
therefore, IP routes and ARP entries within individual subscriber records are
not installed. To reduce the risk, verify your network security setup before
disabling subscriber authentication.

2.3 Configuring Authorization and Reauthorization

To configure authorization and reauthorization, perform the tasks described in
the following sections.

2.3.1 Configuring CLI Commands Authorization

To specify that commands with a matching privilege level (or higher) require
authorization through TACACS+, perform the task described in Table 21.

Table 21 CLI Commands Authorization

Task Root Command Notes
Configure CLI commands aaa authorization comm Enter this command in the context
authorization. ands configuration mode.
A TACACS+ server must be
configured in the specified context;
for more information, see Configuring
TACACS+.

2.3.2 Configuring L2TP Peer Authorization

To determine whether L2TP peers are authorized by the router (local)
configuration or by a RADIUS server, perform the task described in Table 22.

Table 22 L2TP Peer Authorization

Task Root Command Notes
Configure L2TP peer aaa authorization tunnel Enter this command in the context
authorization. configuration mode.
By default, L2TP peers are
authorized through the router
configuration.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 17

 Configuring Authentication, Authorization, and Accounting

2.3.3 Configuring Dynamic Subscriber Reauthorization

To configure dynamic subscriber reauthorization, perform the task described

in Table 23.

Table 23 Dynamic Subscriber Reauthorization

Task Root Command Notes
Configure dynamic subscriber aaa reauthorization Enter this command in the context
reauthorization. bulk configuration mode.

For reauthorization to take effect, vendor VSA 94 provided by Ericsson AB,

Reauth-String, must be configured on the RADIUS server. Vendor VSA 95,
Reauth-More, is only needed if multiple reauthorization records are used for one
command. For example, if you have the following records, the reauthorize
bulk 1 command causes the RADIUS server to process reauthorization for
reauth-1@local followed by reauth-2@local:

reauth-1@local

Password="redback"

Reauth-String="ID-type;subID;attr-num;attr-value;attr-num;attr-value...

Reauth-More=1

reauth-2@local

Password="redback"

Reauth-String="ID-type;subID;attr-num;attr-value;attr-num;attr-value...

Reauth_String

Attribute number: 94

Value: String

Format: "xxx"*

Send in Access-Request packet: No

Send in Accounting-Request packet: No

Receivable in Access-Request packet: Yes

18 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Configuration and Operations

Description: (SE)

* Format for Reauth String

"type;sub_id;attr#;attr_val;attr#;;attr#;attr_val;..."

(vsa_attr: vid-vsa_attr_#)

Reauth_More

Attribute number: 95

Value: integer

Format: 1

Send in Access-Request packet: No

Send in Accounting-Request packet: No

Receivable in Access-Request packet: Yes

Description: More reauth request is needed (SE)

For a list of the standard RADIUS attributes and vendor-specific attributes

(VSAs) that are supported as part of Reauth-String and their details , see
RADIUS Attributes.

2.4 Configuring Accounting

To configure accounting, perform the tasks described in the following sections.

2.4.1 Configuring CLI Commands Accounting

To specify that accounting messages are sent to a TACACS+ server whenever
an administrator enters commands at the specified privilege level (or higher),
perform the task described in Table 24.

Table 24 CLI Commands Accounting

Task Root Command Notes
Configure CLI commands aaa accounting Enter this command in the context
accounting. commands configuration mode.
A TACACS+ server must be configured in the
specified context; see Configuring TACACS+.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 19

 Configuring Authentication, Authorization, and Accounting

2.4.2 Configuring Administrator Accounting

To enable accounting messages for administrator sessions to be sent to the

TACACS+ server, perform the task described in Table 25.

Table 25 Administrator Accounting

Task Root Command Notes
Configure administrator aaa accounting administrator Enter this command in the context
accounting. configuration mode.
A TACACS+ server must be
configured in the specified context;
see Configuring TACACS+.

2.4.3 Configuring Subscriber Accounting

To configure subscriber accounting, you must perform the following tasks:

• Configure Global Subscriber Accounting

• Configure Context-Specific Subscriber Accounting

• Configure Two-Stage Subscriber Accounting

2.4.3.1 Configure Global Subscriber Accounting

To configure global subscriber accounting, perform the tasks described in

Table 26.

Note: Before configuring global subscriber accounting, you must configure

local subscriber authentication; for more information, see Configure
Global RADIUS Authentication earlier in this section. You must also
configure at least one RADIUS accounting server in the local context;
for more information, see Configuring RADIUS.

Table 26 Global Subscriber Accounting

Task Root Command Notes
Enable global aaa global accounting subscriber Enter this command in the global
subscriber session configuration mode.
accounting
messages. Accounting messages for
subscriber sessions in all
contexts are sent to one or more
RADIUS accounting servers
with IP addresses or hostnames
configured in the local context.

20 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Configuration and Operations

Table 26 Global Subscriber Accounting

Task Root Command Notes
Enable global aaa global update subscriber Enter this command in global
subscriber session configuration mode.
accounting update
messages. Updated accounting records for
the subscriber sessions in all
the contexts are sent to one or
more RADIUS accounting servers
with IP addresses or hostnames
configured in the local context.
Enable global aaa global accounting reauthorization Enter this command in the global
accounting messages subscriber configuration mode.
for the reauthorize
command. Accounting messages for the
reauthorize command issued
in any context are sent to one or
more RADIUS accounting servers
with IP addresses or hostnames
configured in the local context.
Enable global aaa global accounting event Enter this command in global
accounting messages configuration mode.
for the subscriber
session DHCP lease, Accounting updates for the
DHCPv6 prefix following are sent to one or more
delegation (PD), RADIUS accounting servers
reauthorization, or with IP addresses or hostnames
ANCP events. configured in the local context:
• DHCP lease
• DHCPv6 PD
• IPv4 and IPV6 single
• stack to dual-stack transitions
• IPv4 and IPV6dual-stack to
single-stack transitions
• reauthorization
• ANCP events for subscriber
sessions in all contexts

2.4.3.2 Configure Context-Specific Subscriber Accounting

To configure context-specific subscriber accounting, perform the tasks

described in Table 27. Enter all the commands in the context configuration
mode.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 21

 Configuring Authentication, Authorization, and Accounting

Note: At least one RADIUS accounting server must be configured in the

current context before any messages are sent; for more information,
see Configuring RADIUS.

Table 27 Context-Specific Subscriber Accounting

Task Root Command Notes
Enable context-specific aaa accounting subscriber Accounting messages for
subscriber accounting subscriber sessions in the
messages. current context are sent to one
or more RADIUS accounting
servers with IP addresses or
hostnames configured in the
same context.
Enable context-specific aaa update subscriber Sends updated accounting
subscriber session records for subscriber sessions
accounting update in the current context to one
messages. or more RADIUS accounting
servers with IP addresses or
hostnames configured in the
same context.
Enable context-specific aaa accounting reauthorization Accounting messages for the
accounting messages subscriber reauthorize command used
for the reauthorize in the current context are sent to
command. one or more RADIUS accounting
servers with IP addresses or
hostnames configured in the
same context.

22 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Configuration and Operations

Table 27 Context-Specific Subscriber Accounting

Task Root Command Notes
Enable context-specific aaa accounting event Accounting messages for the
accounting messages for following are sent to one or more
DHCP lease, DHCPv6 RADIUS accounting servers
prefix delegation (PD), with IP addresses or hostnames
reauthorization information, configured in the same context:
or ANCP events.
• DHCP lease
• DHCPv6 PD
• IPv4 and IPV6 single-stack
to dual-stack or dual-stack to
single-stack transition
• Reauthorization information
• ANCP events for subscriber
sessions in the current context
Suppress accounting aaa accounting suppress-acct-on Accounting messages are not
messages when subscriber -fail sent to the RADIUS server
sessions cannot be when subscriber sessions
established. cannot be established due to
an authentication problem, a
changed IP address, and so on.

2.4.3.3 Configure Two-Stage Subscriber Accounting

Two-stage accounting collects RADIUS accounting data on both global

RADIUS servers and context-specific RADIUS servers. To configure
two-stage accounting for subscriber sessions, perform the tasks as shown in
Configure Subscriber Accounting and Configure Context-Specific Subscriber
Accountingsections.

2.4.4 Configuring L2TP Accounting

To configure L2TP accounting, you must perform the following tasks:

• Configure Global L2TP Accounting

• Configure Context-Specific L2TP Accounting

• Configure Two-Stage L2TP Accounting

2.4.4.1 Configure Global L2TP Accounting

To configure global L2TP accounting, perform the task described in Table 28.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 23

 Configuring Authentication, Authorization, and Accounting

Table 28 Global L2TP Accounting

Task Root Command Notes
Configure global L2TP aaa global accounting l2tp- Enter this command in global
accounting. session configuration mode.
For all contexts, accounting messages
for L2TP tunnels, or sessions in L2TP
tunnels, are sent to one or more RADIUS
accounting servers with IP addresses
or hostnames configured in the local
context.

2.4.4.2 Configure Context-Specific L2TP Accounting

To configure context-specific L2TP accounting, perform the task described

in Table 29.

Table 29 Context-Specific L2TP Accounting

Task Root Command Notes
Configure context-specific L2TP aaa accounting Enter this command in context configuration
accounting. l2tp mode.
For the current context, accounting
messages for L2TP tunnels, or sessions
in L2TP tunnels, are sent to one or more
RADIUS accounting servers with IP
addresses or hostnames configured in the
same context.

2.4.4.3 Configure Two-Stage L2TP Accounting

Two-stage accounting collects RADIUS accounting data on both global

RADIUS accounting servers and context-specific RADIUS accounting servers.

To configure two-stage accounting for subscriber sessions, perform the tasks

in Configure Global L2TP Accounting and Configure Context-Specific L2TP
Accounting sections.

2.5 Performing Operation Tasks

To administer and troubleshoot AAA features, perform the appropriate AAA
operations tasks as shown in Table 30. Enter all the commands in exec mode.

Note: The command syntax in the task table displays only the root command.
For the complete command syntax, see Command List.

24 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Configuration and Operations

Table 30 AAA Operations Tasks

Task Root Command
Generate AAA debug messages. debug aaa
Modify a subscriber attribute in real time during an active policy-refresh
session, using the CLI.
Modify a subscriber attribute in real time during an active reauthorize
session, using the RADIUS authentication process.
Test the communications link to a RADIUS server. test aaa

2.6 Configuring AAA Route Download

To configure AAA route download, you must configure the AAA route-download
server and route-download capabilities.

2.6.1 Configuring the AAA Route-Download Server

To configure a route-download server:

1. Use the configure command to access global configuration mode.

2. Use the context command to access context configuration mode.

3. Use the radius route-download server command to designate a RADIUS

route-download server, and configure the shared key (encrypted or not) and
optional port. If the port is not specified, 1812 is used as the default value.

2.6.2 Configuring Route-Download Capabilities

Once you have configured a route-download server, you can configure

route-download capability in context configuration mode:

1. Use the radius route-download algorithm command to specify the

load-balancing algorithm to be used when multiple servers are configured.
By default , the request is sent to the first available RADIUS server. You
can also configure round-robin load balancing.

2. Use the radius route-download deadtime command to specify the interval in

minutes for declaring a RADIUS route-download server unavailable before
declaring it as available again. The range is 0 to 65,535. If not specified,
the server is not declared as available again. The default deadtime value
is 5 minutes.

3. Use the radius route-download max-retries command to specify the

maximum number of times a route download request is retried. The range
is 1 to 2,147,483,647. The default value is 3.

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 25

 Configuring Authentication, Authorization, and Accounting

4. Use the radius route-download server-timeout command to specify the

interval in seconds while waiting for a response from the RADIUS server
before declaring it unavailable. The range is 1 to 2,147,483,647. If not
specified, the server is never considered unavailable. By default, the
capability remains disabled.

5. Use the radius route-download timeout command to specify the interval in

seconds, for the waiting time before retrying a request. The range is 1 to
2,147,483,647. The default is 10 seconds.

26 61/1543-CRA 119 1170/1 Uen L | 2012-12-04

 Configuration Examples

3 Configuration Examples

The following sections provide AAA configuration examples.

3.1 Configuring Administrator Authentication

The following example shows how to enable local administrator authentication
using remote console access, and limit the number of concurrent sessions to 10:
[local]Redback(config-ctx)#aaa authentication administrator vty local maximum sessions 10

3.2 Configuring Administrator Accounting

The following example shows how to enable RADIUS accounting messages for
administrator sessions for the local context:
[local]Redback(config-ctx)#aaa accounting administrator radius

3.3 Defining the Administrator Structured Username

The following example shows how to define a username. In this case, the
chassis checks for the far right separator and an @ symbol.
[local]Redback(config-ctx)#aaa username-format domain @ rightmost-separator

3.4 Authenticating Subscribers

You can configure subscriber authentication in several different ways. For
example, different subscribers can be authenticated by different RADIUS
servers in distinct contexts.

In the following example, subscriber janet in the AAA_local context is

authenticated by the configuration in that context; subscriber rene in the
AAA_radius context is authenticated by the RADIUS server in that context;
subscriber kevin in the AAA_global context is authenticated by the RADIUS
server in the local context:

61/1543-CRA 119 1170/1 Uen L | 2012-12-04 27

 Configuring Authentication, Authorization, and Accounting

[local]Redback(config)#aaa global authentication subscriber radius context local

[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 10.1.1.1 key TopSecret
.
.
.
[local]Redback(config)#context AAA_local
[local]Redback(config-ctx)#aaa authentication subscriber local
[local]Redback(config-ctx)#interface corpA multibind
[local]Redback(config-if)#ip address 10.1.3.30 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name janet
[local]Redback(config-sub)#password dragon
[local]Redback(config-sub)#ip address 10.1.3.30 255.255.255.0
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 1 100 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber janet@AAA_local password dragon
.
.
.
[local]Redback(config)#context AAA_radius
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#radius server 10.2.2.2 key TopSecret
[local]Redback(config-ctx)#interface corpB multibind
[local]Redback(config-if)#ip address 10.2.4.40 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 2 200 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber rene@AAA_radius password tiger
.
.
.
[local]Redback(config)#context AAA_global
[local]Redback(config-ctx)#aaa authentication subscriber global
[local]Redback(config-ctx)#interface corpC multibind
[local]Redback(config-if)#ip address 10.3.5.50 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 3 300 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber kevin@AAA_global password lion

3.5 Reauthorizing Subscribers

The following example enables RADIUS reauthorization for subscriber circuits
and accounting messages:
[local]Redback(config-ctx)#radius server 10.10.11.12 key redback
[local]Redback(config-ctx)#radius attribute nas-ip-address interface loop1
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#aaa accounting subscriber radius
[local]Redback(config-ctx)#aaa accounting reauthorization subscriber radius
[local]Redback(config-ctx)#aaa update subscriber 10
[local]Redback(config-ctx)#aaa accounting event reauthorization
[local]Redback(config-ctx)#aaa reauthorization bulk radius
[local]Redback(config-ctx)#radius accounting server 10.10.11.2. key redback

28 61/1543-CRA 119 1170/1 Uen L | 2012-12-04