Radius Accounting Inspection - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 25
Configuring Application Layer Protocol Inspection
However, when used for VPN by Windows, the interaction is inverted. The PNS is a remote single-user
PC that initiates connection to the head-end PAC to gain access to a central network.

RADIUS Accounting Inspection

One of the well-known problems in GPRS networks is the over-billing attack. An over-billing attack causes consumer anger and frustration because subscribers are billed for services they have not used. In this case, a malicious attacker sets up a connection to a server and obtains an IP address from the SGSN. When the attacker ends the call, the malicious server still sends packets to that address; the GGSN drops them, but the connection from the server remains active. The IP address assigned to the malicious attacker is released and reassigned to a legitimate user, who is then billed for services that the attacker uses.
RADIUS accounting inspection prevents this type of attack by ensuring that the traffic seen by the GGSN is legitimate. With the RADIUS accounting feature properly configured, the security appliance tears down a connection by matching the Framed IP attribute in the RADIUS Accounting Request Start message with the RADIUS Accounting Request Stop message. When a Stop message is seen with a Framed IP attribute that matches an earlier Start message, the security appliance looks for all connections whose source matches that IP address and tears them down.
You have the option to configure a secret pre-shared key with the RADIUS server so that the security appliance can validate the message. If the shared secret is not configured, the security appliance does not validate the source of the message and only checks that the source IP address is one of the configured addresses allowed to send RADIUS messages.
Configuring a RADIUS Inspection Policy Map for Additional Inspection Control

To use this feature, specify the radius-accounting map in a policy map of type management, then apply that policy map with the service-policy command using the new control-plane keyword, which marks the traffic as to-the-box traffic for inspection.
The following example shows the complete set of commands in context to properly configure this feature:

Step 1    Configure the class map and the port:

    class-map type management c1
     match port udp eq 1888

Step 2    Create the policy map, and configure the parameters for RADIUS accounting inspection using the parameters command to access the proper mode to configure the attributes, host, and key.

    policy-map type inspect radius-accounting radius_accounting_map
     parameters
      host 10.1.1.1 inside key 123456789
      send response
      enable gprs
      validate-attribute 22

Step 3    Configure the service policy and control-plane keywords.

    policy-map type management global_policy
     class c1
      inspect radius-accounting radius_accounting_map
    service-policy global_policy control-plane abc global

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 25-59
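As an added illustration, not code from the Cisco guide, the following Python models the inspection logic described above: only accounting messages from a configured host are accepted, the Request Authenticator is checked against the shared key when one is configured, the Framed-IP-Address from a Start message is remembered, and a matching Stop message yields the connections to tear down. It assumes the key is validated with the RFC 2866 Accounting-Request authenticator construction; the host 10.1.1.1 and key 123456789 come from the example above, while the packets, the Framed-IP 192.0.2.10 and the connection table are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4       # RADIUS code: Accounting-Request (RFC 2866)
ATTR_FRAMED_IP = 8     # Framed-IP-Address attribute
ATTR_ACCT_STATUS = 40  # Acct-Status-Type attribute: 1 = Start, 2 = Stop
def build_acct_request(ident, attrs, secret):  # constructed sample packet, RFC 2866 s.3
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def parse_attrs(packet):  # TLV list after the 20-byte header; reject bad lengths
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        t, l = packet[i], packet[i + 1]
        if l < 2 or i + l > len(packet):
            raise ValueError("malformed attribute")
        attrs[t] = packet[i + 2:i + l]
        i += l
    return attrs

class RadiusAccountingInspector:
    def __init__(self, allowed_hosts, secret=None):
        self.allowed_hosts = set(allowed_hosts)  # hosts configured to send accounting
        self.secret = secret                     # shared key; None = source-IP check only
        self.started = set()                     # Framed-IPs seen in a Start message

    def inspect(self, src_host, packet, active_conns):
        # Returns the (src, dst, port) connections to tear down; raises on a rejected message.
        if src_host not in self.allowed_hosts:
            raise ValueError("accounting message from a host not configured to send it")
        if packet[0] != ACCT_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
            raise ValueError("not a well-formed Accounting-Request")
        if self.secret is not None:  # key configured: verify the Request Authenticator
            expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + self.secret).digest()
            if not hmac.compare_digest(expected, packet[4:20]):
                raise ValueError("Request Authenticator does not match the shared key")
        attrs = parse_attrs(packet)
        if len(attrs.get(ATTR_FRAMED_IP, b"")) != 4 or len(attrs.get(ATTR_ACCT_STATUS, b"")) != 4:
            return []  # nothing to correlate without both attributes
        framed_ip = ".".join(str(b) for b in attrs[ATTR_FRAMED_IP])
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS])[0]
        if status == 1:    # Start: remember the address assigned to the subscriber
            self.started.add(framed_ip)
        elif status == 2 and framed_ip in self.started:   # Stop with a matching Start
            self.started.discard(framed_ip)
            return [c for c in active_conns if c[0] == framed_ip]
        return []
```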
