Cisco ASA 5506-X Configuration Manual, page 249
Chapter 10
Inspection for Management Application Protocols
Procedure
Step 1
Create a RADIUS accounting inspection policy map:
hostname(config)# policy-map type inspect radius-accounting policy_map_name
hostname(config-pmap)#
Where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2
(Optional) Add a description to the policy map:
hostname(config-pmap)# description string
Step 3
Enter parameters configuration mode:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
Step 4
Set one or more parameters. You can set the following options; use the no form of a command to disable that option.

send response—Instructs the ASA to send Accounting-Request Start and Stop messages to the sender of those messages (the senders are identified in the host command).

enable gprs—Implements GPRS over-billing protection. The ASA checks for the 3GPP VSA 26-10415 attribute in Accounting-Request Stop and Disconnect messages in order to properly handle secondary PDP contexts. If this attribute is present, the ASA tears down all connections that have a source IP address matching the User IP address on the configured interface.

validate-attribute number—Additional criteria to use when building the table of user accounts from received Accounting-Request Start messages. These attributes help the ASA decide whether to tear down connections.
If you do not specify additional attributes to validate, the decision is based solely on the IP address in the Framed IP Address attribute. If you configure additional attributes, and the ASA receives a Start accounting message for an address that is already being tracked but whose validated attributes differ, then all connections started under the old attributes are torn down, on the assumption that the IP address has been reassigned to a new user.
Values range from 1-191, and you can enter the command multiple times. For a list of attribute numbers and their descriptions, see http://www.iana.org/assignments/radius-types.

host ip_address [key secret]—The IP address of the RADIUS server or GGSN. You can optionally include a secret key so that the ASA can validate the message. Without the key, only the IP address is checked. You can repeat this command to identify multiple RADIUS and GGSN hosts. The ASA receives a copy of the RADIUS accounting messages from these hosts.

timeout users time—Sets the idle timeout for users (in hh:mm:ss format). To have no timeout, specify 00:00:00. The default is one hour.
Example
policy-map type inspect radius-accounting radius-acct-pmap
parameters
send response
enable gprs
validate-attribute 31
host 10.2.2.2 key 123456789
host 10.1.1.1 key 12345
class-map type management radius-class
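As an added illustration (not Cisco's code and not a description of the ASA's internals), the following Python model replays the validate-attribute and host logic from Step 4 against the example's settings: hosts 10.2.2.2 and 10.1.1.1, and validate-attribute 31, which the IANA registry linked above lists as Calling-Station-Id. It assumes that an Accounting-Request Stop for a tracked address tears down that user's connections, that messages arrive as attribute-number/value dictionaries, and it leaves shared-key validation out.

```python
# Added illustration (not Cisco code): a model of the user table the ASA
# builds from Accounting-Request messages under this policy map.
ACCT_START, ACCT_STOP = 1, 2                  # Acct-Status-Type values (RFC 2866)
FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE = 8, 40   # RADIUS attribute numbers
CALLING_STATION_ID = 31                       # attribute validated in the example

class RadiusAcctInspector:
    def __init__(self, hosts, validate_attributes=()):
        self.hosts = set(hosts)                     # 'host ip_address' entries
        self.validate = tuple(validate_attributes)  # 'validate-attribute N' entries
        self.users = {}       # Framed-IP-Address -> values of the validated attributes
        self.teardowns = []   # (ip, reason) for every connection teardown performed

    def _teardown(self, ip, reason):
        self.teardowns.append((ip, reason))
        self.users.pop(ip, None)

    def handle(self, src_ip, attrs):
        """Process one Accounting-Request; attrs maps attribute number -> value."""
        if src_ip not in self.hosts:          # copies from unconfigured senders are ignored
            return "ignored: unknown host"
        ip = attrs.get(FRAMED_IP_ADDRESS)
        if ip is None:
            return "ignored: no Framed-IP-Address"
        status = attrs.get(ACCT_STATUS_TYPE)
        if status == ACCT_START:
            key = tuple(attrs.get(n) for n in self.validate)
            old = self.users.get(ip)
            if old is not None and old != key:  # same IP, different user: old flows die
                self._teardown(ip, "attributes changed")
            self.users[ip] = key
            return "tracking"
        if status == ACCT_STOP and ip in self.users:
            self._teardown(ip, "stop")
            return "torn down"
        return "ignored"

def demo():
    """Replays a short constructed message sequence against the page's example settings."""
    insp = RadiusAcctInspector(["10.2.2.2", "10.1.1.1"], [CALLING_STATION_ID])
    start = {ACCT_STATUS_TYPE: ACCT_START, FRAMED_IP_ADDRESS: "192.0.2.10"}
    results = [
        insp.handle("10.1.1.1", {**start, CALLING_STATION_ID: "15550001"}),
        insp.handle("10.1.1.1", {**start, CALLING_STATION_ID: "15550002"}),  # IP reassigned
        insp.handle("10.9.9.9", {ACCT_STATUS_TYPE: ACCT_STOP, FRAMED_IP_ADDRESS: "192.0.2.10"}),
        insp.handle("10.2.2.2", {ACCT_STATUS_TYPE: ACCT_STOP, FRAMED_IP_ADDRESS: "192.0.2.10"}),
    ]
    return results, insp.teardowns
```

Without any validate-attribute entry the second Start above would simply refresh the entry, since the decision then rests on the Framed IP Address alone.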
RADIUS Accounting Inspection
Cisco ASA Series Firewall CLI Configuration Guide
10-13