Radius Accounting - Cisco IE-4000 Software Configuration Manual

Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication

RADIUS Accounting

The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they
are consuming. When AAA accounting is enabled, the switch reports user activity to the RADIUS security server in the
form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the
security server. This data can then be analyzed for network management, client billing, or auditing.
Establishing a Session with a Router if the AAA Server is Unreachable
The aaa accounting system guarantee-first command guarantees system accounting as the first record, which is the
default condition. In some situations, users might be prevented from starting a session on the console or terminal
connection until after the system reloads, which can take more than 3 minutes.
To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads, use
the no aaa accounting system guarantee-first command.
Vendor-Specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific
information between the switch and the RADIUS server by using the vendor-specific attribute (attribute 26).
Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use.
The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the
specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The
value is a string with this format:
protocol : attribute sep value *
protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an
appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes
and is * for optional attributes. The full set of features available for TACACS+ authorization can then be used for RADIUS.
For example, this AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP
IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information
between the switch and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way.
Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the
host running the RADIUS server daemon and the secret text string it shares with the switch. You specify the RADIUS host
and secret text string by using the radius-server global configuration commands.
Switch Access with Kerberos
This section describes how to enable and configure the Kerberos security system, which authenticates requests for
network resources by using a trusted third party. To use this feature, the cryptographic (that is, supports encryption)
versions of the switch software must be installed on your switch.
You must obtain authorization to use this feature and to download the cryptographic software files from Cisco.com. For
more information, see the release notes for this release.
157