Configure A Radius Accounting Inspection Policy Map - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

RADIUS Accounting Inspection

Configure a RADIUS Accounting Inspection Policy Map

You must create a RADIUS accounting inspection policy map to configure the attributes needed for the
inspection.
Procedure

Step 1
Create a RADIUS accounting inspection policy map:
hostname(config)# policy-map type inspect radius-accounting policy_map_name
hostname(config-pmap)#
Where policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.

Step 2
(Optional) Add a description to the policy map.
hostname(config-pmap)# description string

Step 3
Enter parameters configuration mode.
hostname(config-pmap)# parameters
hostname(config-pmap-p)#

Step 4
Set one or more parameters. You can set the following options; use the no form of the command to
disable the option.

- send response—Instructs the ASA to send Accounting-Request Start and Stop messages to the
  sender of those messages (which are identified in the host command).

- enable gprs—Implement GPRS over-billing protection. The ASA checks for the 3GPP VSA
  26-10415 attribute in the Accounting-Request Stop and Disconnect messages in order to properly
  handle secondary PDP contexts. If this attribute is present, then the ASA tears down all connections
  that have a source IP matching the User IP address on the configured interface.

- validate-attribute number—Additional criteria to use when building a table of user accounts when
  receiving Accounting-Request Start messages. These attributes help when the ASA decides whether
  to tear down connections.
  If you do not specify additional attributes to validate, the decision is based solely on the IP address
  in the Framed IP Address attribute. If you configure additional attributes, and the ASA receives a
  start accounting message that includes an address that is currently being tracked, but the other
  attributes to validate are different, then all connections started using the old attributes are torn down,
  on the assumption that the IP address has been reassigned to a new user.
  Values range from 1-191, and you can enter the command multiple times. For a list of attribute
  numbers and their descriptions, see http://www.iana.org/assignments/radius-types.

- host ip_address [key secret]—The IP address of the RADIUS server or GGSN. You can optionally
  include a secret key so that the ASA can validate the message. Without the key, only the IP address
  is checked. You can repeat this command to identify multiple RADIUS and GGSN hosts. The ASA
  receives a copy of the RADIUS accounting messages from these hosts.

- timeout users time—Sets the idle timeout for users (in hh:mm:ss format). To have no timeout,
  specify 00:00:00. The default is one hour.

Example
policy-map type inspect radius-accounting radius-acct-pmap

Cisco ASA Series Firewall CLI Configuration Guide, page 15-14
Chapter 15
Inspection of Database, Directory, and Management Protocols
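The following Python model is an added illustration, not Cisco code and not part of the configuration guide. It shows the two checks that the host key and validate-attribute options describe: validating an Accounting-Request against the shared secret with the Request Authenticator defined in RFC 2866, then comparing the validated attributes when a Start message arrives for a Framed IP Address that is already tracked. The secret, the function names, and the "reject" and "ignore" results are assumptions made for the example.

```python
import hashlib
import hmac
import struct

ACCT_STATUS_TYPE, FRAMED_IP, USER_NAME = 40, 8, 1   # IANA RADIUS attribute types
START = struct.pack("!I", 1)                        # Acct-Status-Type value: Start
SECRET = b"example-secret"                          # constructed sample shared secret

def build_request(ident, attrs, secret):
    """Build an Accounting-Request (code 4) with its RFC 2866 authenticator."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", 4, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body

def authentic(packet, secret):
    """Recompute MD5(code + id + length + 16 zero octets + attributes + secret)."""
    if len(packet) < 20 or packet[0] != 4:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(packet):
    """Return {type: value} for the TLV attributes after the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs

def handle_start(packet, secret, validate, users):
    """Model of the Start handling described above; returns the action taken."""
    if not authentic(packet, secret):
        return "reject"     # assumption: a copy that fails validation is not used
    attrs = parse_attrs(packet)
    ip = attrs.get(FRAMED_IP)
    if attrs.get(ACCT_STATUS_TYPE) != START or ip is None:
        return "ignore"     # only Start messages with a Framed IP Address are modelled
    tracked = tuple(attrs.get(n) for n in validate)   # the validate-attribute numbers
    old = users.get(ip)
    users[ip] = tracked
    return "teardown-old" if old is not None and old != tracked else "track"
```

With an empty validate tuple the model tracks by Framed IP Address alone, so a Start for the same address with a different User-Name returns "track"; with validate set to (USER_NAME,) the same message returns "teardown-old".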
