Mailing List Archive

RADIUS IP Question
We use Funk's Steel Belted RADIUS v04.00.248 to terminate PPP traffic on our NAS's. We have AS5400s, AS5800, and 6400s. I recently moved the handing out of dynamic IP addresses off of RADIUS and locally onto the NAS's using the "IP local pool" command.

Ever since the change, I've noticed that I no longer get the dynamic IP address noted in the RADIUS accounting records. Other non-Cisco NAS's are configured in a similar manner where they hand out the IPs themselves and I do get the IP address in the RADIUS accounting logs.

I'm sure I must be missing some AAA or RADIUS command to correct this. Any advice?

6400 config portions:

aaa new-model
aaa authentication ppp default local group radius
aaa authorization network default local group radius
aaa accounting network default start-stop group radius
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no logging event link-status
 load-interval 30
 no snmp trap link-status
 peer default ip address pool dyn-pool
 ppp authentication pap
!
ip local pool dyn-pool xxx.xxx.xxx.1 xxx.xxx.xxx.254 (actual IP replaced with "x")
!
ip radius source-interface Loopback0
!
radius-server host xxx.xxx.xxx.10 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxx
radius-server retransmit 3


Thanks,

Dave



**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.

RE: RADIUS IP Question
Dave,

Can you try with "aaa accounting update newinfo"?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfacct.htm#1001449 indicates:

"When the aaa accounting update command is activated, the Cisco IOS
software issues interim accounting records for all users on the system.
If the keyword newinfo is used, interim accounting records will be sent
to the accounting server every time there is new accounting information
to report. An example of this would be when IPCP completes IP address
negotiation with the remote peer. The interim accounting record will
include the negotiated IP address used by the remote peer."

It sounds like it will do what you want, but maybe it does "too much"...

Cheers

Vincent

------------------------------------------------------------------------
Vincent Fayet
Systems Engineer
Cisco Systems
------------------------------------------------------------------------


> -----Original Message-----
> From: Dave Lechlitner [mailto:dlechlitner@decommunications.com]
> Sent: Friday, October 3, 2003 16:40
> To: cisco-nas@puck.nether.net
> Subject: [cisco-nas] RADIUS IP Question

RE: RADIUS IP Question
I believe that "aaa accounting delay-start" should fit the bill
here. http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7af.html#1033002

(This command was hidden for a long time, as I recall it.)

Aaron

RE: RADIUS IP Question
Thanks Aaron. That did the trick :-)

Dave Lechlitner

>>> Aaron Leonard <Aaron@cisco.com> 10/3/2003 12:35:13 PM >>>
I believe that "aaa accounting delay-start" should fit the bill
here. http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7af.html#1033002

(This command was hidden for a long time, as I recall it.)

Aaron

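
Added example (not part of the thread, and not code from any poster or vendor): a small audit over RADIUS accounting records that shows the three cases discussed above, a Start record without Framed-IP-Address, an address that first arrives in an interim update, and an address already present in the Start record. The one-record-per-line layout, the session IDs, user names and addresses are constructed for illustration, and sessions are keyed on Acct-Session-Id alone on the assumption of a single NAS.

```python
# Constructed sample records (one per line); not output from a real NAS or RADIUS server.
SAMPLE = """\
Acct-Status-Type=Start, Acct-Session-Id=0000A001, User-Name=alice
Acct-Status-Type=Interim-Update, Acct-Session-Id=0000A001, User-Name=alice, Framed-IP-Address=198.51.100.17
Acct-Status-Type=Start, Acct-Session-Id=0000A002, User-Name=bob, Framed-IP-Address=198.51.100.18
Acct-Status-Type=Start, Acct-Session-Id=0000A003, User-Name=carol
Acct-Status-Type=Stop, Acct-Session-Id=0000A001, User-Name=alice, Framed-IP-Address=198.51.100.17
"""


def parse_records(text):
    """Turn each 'Attr=value, Attr=value' line into a dict of RADIUS attributes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pairs = (item.split("=", 1) for item in line.split(",") if "=" in item)
        records.append({k.strip(): v.strip() for k, v in pairs})
    return records


def audit_sessions(records):
    """Map Acct-Session-Id -> user, address, and the record type that first carried it."""
    sessions = {}
    for rec in records:
        sess = sessions.setdefault(
            rec["Acct-Session-Id"],
            {"user": rec.get("User-Name"), "ip": None, "first_seen_in": None},
        )
        ip = rec.get("Framed-IP-Address")
        if ip and sess["ip"] is None:
            sess["ip"], sess["first_seen_in"] = ip, rec["Acct-Status-Type"]
    return sessions


def users_without_address(sessions):
    """Sessions where no record carried Framed-IP-Address: user cannot be tied to an IP."""
    return sorted(s["user"] for s in sessions.values() if s["ip"] is None)


def user_for_ip(sessions, ip):
    """Reverse lookup used in an investigation: which user(s) held this address?"""
    return sorted(s["user"] for s in sessions.values() if s["ip"] == ip)


if __name__ == "__main__":
    table = audit_sessions(parse_records(SAMPLE))
    for sid, s in table.items():
        print(sid, s["user"], s["ip"], s["first_seen_in"])
    print("no address on record:", users_without_address(table))
```

Running the same audit on real accounting data before and after a AAA change shows whether every session ends up with an address on record, which is what later lets an IP address seen in other logs be tied back to a user.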