Contents
- IPsec VPN Accounting
- Finding Feature Information
- Prerequisites for IPsec VPN Accounting
- Information About IPsec VPN Accounting
- RADIUS Accounting
- RADIUS Start Accounting
- RADIUS Stop Accounting
- RADIUS Update Accounting
- IKE and IPsec Subsystem Interaction
- Accounting Start
- Accounting Stop
- Accounting Updates
- How to Configure IPsec VPN Accounting
- Configuring IPsec VPN Accounting
- Configuring Accounting Updates
- Troubleshooting for IPsec VPN Accounting
- Configuration Examples for IPsec VPN Accounting
- Accounting and ISAKMP-Profile Example
- Accounting Without ISAKMP Profiles Example
- Additional References
- Related Documents
- Standards
- MIBs
- RFCs
- Technical Assistance
- Feature Information for IPsec VPN Accounting
- Glossary
IPsec VPN Accounting
The IPsec VPN Accounting feature allows for a session to be accounted for by indicating when the session starts and when it stops.
A VPN session is defined as an Internet Key Exchange (IKE) security association (SA) and the one or more SA pairs that are created by the IKE SA. The session starts when the first IP Security (IPsec) pair is created and stops when all IPsec SAs are deleted.
Session identifying information and session usage information is passed to the Remote Authentication Dial-In User Service (RADIUS) server through standard RADIUS attributes and vendor-specific attributes (VSAs).
- Finding Feature Information
- Prerequisites for IPsec VPN Accounting
- Information About IPsec VPN Accounting
- How to Configure IPsec VPN Accounting
- Configuration Examples for IPsec VPN Accounting
- Additional References
- Related Documents
- Feature Information for IPsec VPN Accounting
- Glossary
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for IPsec VPN Accounting
Understand how to configure RADIUS and authentication, authorization, and accounting (AAA) accounting.
Understand how to configure IPsec accounting.
Information About IPsec VPN Accounting
RADIUS Accounting
For many large networks, it is required that user activity be recorded for auditing purposes. The method that is used most is RADIUS accounting.
RADIUS accounting allows for a session to be accounted for by indicating when the session starts and when it stops. Additionally, session identifying information and session usage information is passed to the RADIUS server through RADIUS attributes and VSAs.
RADIUS Start Accounting
The RADIUS Start packet contains many attributes that generally identify who is requesting the service and of what the property of that service consists. The table below represents the attributes required for the start.
RADIUS Attributes Value |
Attribute |
Description |
---|---|---|
1 |
user-name |
Username used in extended authentication (XAUTH).The username may be NULL when XAUTH is not used. |
4 |
nas-ip-address |
Identifying IP address of the network access server (NAS) that serves the user. It should be unique to the NAS within the scope of the RADIUS server. |
5 |
nas-port |
Physical port number of the NAS that serves the user. |
8 |
framed-ip-address |
Private address allocated for the IP Security (IPsec) session. |
40 |
acct-status-type |
Status type. This attribute indicates whether this accounting request marks the beginning (start), the end (stop), or an update of the session. |
41 |
acct-delay-time |
Number of seconds the client has been trying to send a particular record. |
44 |
acct-session-id |
Unique accounting identifier that makes it easy to match start and stop records in a log file. |
26 |
vrf-id |
String that represents the name of the Virtual Route Forwarder (VRF). |
26 |
isakmp-initiator-ip |
Endpoint IP address of the remote Internet Key Exchange (IKE) initiator (V4). |
26 |
isakmp-group-id |
Name of the VPN group profile used for accounting. |
26 |
isakmp-phase1-id |
Phase 1 identification (ID) used by IKE (for example, domain name [DN], fully qualified domain name [FQDN], IP address) to help identify the session initiator. |
RADIUS Stop Accounting
The RADIUS Stop packet contains many attributes that identify the usage of the session. Table 2 represents the additional attributes required for the RADIUS stop packet. It is possible that only the stop packet is sent without the start if configured to do so. If only the stop packet is sent, this allows an easy way to reduce the number of records going to the AAA server.
RADIUS Attributes Value |
Attribute |
Description |
---|---|---|
42 |
acct-input-octets |
Number of octets that have been received from the Unity client over the course of the service that is being provided. |
43 |
acct-output-octets |
Number of octets that have been sent to the Unity client in the course of delivering this service. |
46 |
acct-session-time |
Length of time (in seconds) that the Unity client has received service. |
47 |
acct-input-packets |
Quantity of packets that have been received from the Unity client in the course of delivering this service. |
48 |
acct-output-packets |
Quantity of packets that have been sent to the Unity client in the course of delivering this service. |
49 |
acct-terminate-cause |
For future use. |
52 |
acct-input-gigawords |
How many times the Acct-Input-Octets counter has wrapped around the 232 (2 to the 32nd power) over the course of this service. |
52 |
acct-output-gigawords |
How many times the Acct-Input-Octets counter has wrapped around the 232 (2 to the 32nd power) over the course of this service. |
RADIUS Update Accounting
RADIUS accounting updates are supported. Packet and octet counts are shown in the updates.
IKE and IPsec Subsystem Interaction
Accounting Start
If IPsec accounting is configured, after IKE phases are complete, an accounting start record is generated for the session. New accounting records are not generated during a rekeying.
The following is an account start record that was generated on a router and that is to be sent to the AAA server that is defined:
*Aug 23 04:06:20.131: RADIUS(00000002): sending *Aug 23 04:06:20.131: RADIUS(00000002): Send Accounting-Request to 10.1.1.4:1646 id 4, len 220 *Aug 23 04:06:20.131: RADIUS: authenticator 38 F5 EB 46 4D BE 4A 6F - 45 EB EF 7D B7 19 FB 3F *Aug 23 04:06:20.135: RADIUS: Acct-Session-Id [44] 10 "00000001" *Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 31 *Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 25 "isakmp-group-id=cclient" *Aug 23 04:06:20.135: RADIUS: Framed-IP-Address [8] 6 10.13.13.1 *Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 20 *Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco" *Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 35 *Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=10.1.2.2" *Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 36 *Aug 23 04:06:20.135: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress" *Aug 23 04:06:20.135: RADIUS: User-Name [1] 13 "username1" *Aug 23 04:06:20.135: RADIUS: Acct-Status-Type [40] 6 Start [1] *Aug 23 04:06:20.135: RADIUS: Vendor, Cisco [26] 25 *Aug 23 04:06:20.135: RADIUS: cisco-nas-port [2] 19 "FastEthernet0/0.1" *Aug 23 04:06:20.135: RADIUS: NAS-Port [5] 6 0 *Aug 23 04:06:20.135: RADIUS: NAS-IP-Address [4] 6 10.1.1.147 *Aug 23 04:06:20.135: RADIUS: Acct-Delay-Time [41] 6 0 *Aug 23 04:06:20.139: RADIUS: Received from id 21645/4 10.1.1.4:1646, Accounting-response, len 20 *Aug 23 04:06:20.139: RADIUS: authenticator B7 E3 D0 F5 61 9A 89 D8 - 99 A6 8A 8A 98 79 9D 5D
Accounting Stop
An accounting stop packet is generated when there are no more flows (IPsec SA pairs) with the remote peer.
The accounting stop records contain the following information:
Packets out
Packets in
Octets out
Gigawords in
Gigawords out
Below is an account start record that was generated on a router. The account start record is to be sent to the AAA server that is defined.
*Aug 23 04:20:16.519: RADIUS(00000003): Using existing nas_port 0 *Aug 23 04:20:16.519: RADIUS(00000003): Config NAS IP: 100.1.1.147 *Aug 23 04:20:16.519: RADIUS(00000003): sending *Aug 23 04:20:16.519: RADIUS(00000003): Send Accounting-Request to 100.1.1.4:1646 id 19, len 238 *Aug 23 04:20:16.519: RADIUS: authenticator 82 65 5B 42 F0 3F 17 C3 - 23 F3 4C 35 A2 8A 3E E6 *Aug 23 04:20:16.519: RADIUS: Acct-Session-Id [44] 10 "00000002" *Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 20 *Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco" *Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 35 *Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=10.1.1.2" *Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 36 *Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress" *Aug 23 04:20:16.519: RADIUS: Acct-Session-Time [46] 6 709 *Aug 23 04:20:16.519: RADIUS: Acct-Input-Octets [42] 6 152608 *Aug 23 04:20:16.519: RADIUS: Acct-Output-Octets [43] 6 152608 *Aug 23 04:20:16.519: RADIUS: Acct-Input-Packets [47] 6 1004 *Aug 23 04:20:16.519: RADIUS: Acct-Output-Packets [48] 6 1004 *Apr 23 04:20:16.519: RADIUS: Acct-Input-Giga-Word[52] 6 0 *Apr 23 04:20:16.519: RADIUS: Acct-Output-Giga-Wor[53] 6 0 *Aug 23 04:20:16.519: RADIUS: Acct-Terminate-Cause[49] 6 none [0] *Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 32 *Aug 23 04:20:16.519: RADIUS: Cisco AVpair [1] 26 "disc-cause-ext=No Reason" *Aug 23 04:20:16.519: RADIUS: Acct-Status-Type [40] 6 Stop [2] *Aug 23 04:20:16.519: RADIUS: Vendor, Cisco [26] 25 *Aug 23 04:20:16.519: RADIUS: cisco-nas-port [2] 19 "FastEthernet0/0.1" *Aug 23 04:20:16.519: RADIUS: NAS-Port [5] 6 0 *Aug 23 04:20:16.519: RADIUS: NAS-IP-Address [4] 6 100.1.1.147 *Aug 23 04:20:16.519: RADIUS: Acct-Delay-Time [41] 6 0 *Aug 23 04:20:16.523: RADIUS: Received from id 21645/19 100.1.1.4:1646, Accounting-response, len 20 *Aug 23 04:20:16.523: RADIUS: authenticator F1 CA C1 28 CE A0 26 C9 - 3E 22 C9 DA EA B8 22 A0
Accounting Updates
If accounting updates are enabled, accounting updates are sent while a session is “up.” The update interval is configurable. To enable the accounting updates, use the aaa accounting update command.
The following is an accounting update record that is being sent from the router:
Router# *Aug 23 21:46:05.263: RADIUS(00000004): Using existing nas_port 0 *Aug 23 21:46:05.263: RADIUS(00000004): Config NAS IP: 100.1.1.147 *Aug 23 21:46:05.263: RADIUS(00000004): sending *Aug 23 21:46:05.263: RADIUS(00000004): Send Accounting-Request to 100.1.1.4:1646 id 22, len 200 *Aug 23 21:46:05.263: RADIUS: authenticator 30 FA 48 86 8E 43 8E 4B - F9 09 71 04 4A F1 52 25 *Aug 23 21:46:05.263: RADIUS: Acct-Session-Id [44] 10 "00000003" *Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 20 *Aug 23 21:46:05.263: RADIUS: Cisco AVpair [1] 14 "vrf-id=cisco" *Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 35 *Aug 23 21:46:05.263: RADIUS: Cisco AVpair [1] 29 "isakmp-initator-ip=10.1.1.2" *Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 36 *Aug 23 21:46:05.263: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress" *Aug 23 21:46:05.263: RADIUS: Acct-Session-Time [46] 6 109 *Aug 23 21:46:05.263: RADIUS: Acct-Input-Octets [42] 6 608 *Aug 23 21:46:05.263: RADIUS: Acct-Output-Octets [43] 6 608 *Aug 23 21:46:05.263: RADIUS: Acct-Input-Packets [47] 6 4 *Aug 23 21:46:05.263: RADIUS: Acct-Output-Packets [48] 6 4 *Aug 23 21:46:05.263: RADIUS: Acct-Status-Type [40] 6 Watchdog [3] *Aug 23 21:46:05.263: RADIUS: Vendor, Cisco [26] 25 *Aug 23 21:46:05.263: RADIUS: cisco-nas-port [2] 19 "FastEthernet0/0.1" *Aug 23 21:46:05.263: RADIUS: NAS-Port [5] 6 0 *Aug 23 21:46:05.263: RADIUS: NAS-IP-Address [4] 6 100.1.1.147 *Aug 23 21:46:05.263: RADIUS: Acct-Delay-Time [41] 6 0 *Aug 23 21:46:05.267: RADIUS: Received from id 21645/22 100.1.1.4:1646, Accounting-response, len 20 *Aug 23 21:46:05.267: RADIUS: authenticator 51 6B BB 27 A4 F5 D7 61 - A7 03 73 D3 0A AC 1C
How to Configure IPsec VPN Accounting
- Configuring IPsec VPN Accounting
- Configuring Accounting Updates
- Troubleshooting for IPsec VPN Accounting
Configuring IPsec VPN Accounting
IPsec must be configured first before configuring IPsec VPN accounting.
1.
enable
2.
configure
terminal
3.
aaa
new-model
4.
aaa
authentication
login
list-name
method
5.
aaa
authorization
network
list-name
method
6.
aaa
accounting
network
list-name
start-stop
[broadcast] group group-name
7.
aaa
session-id
common
8.
crypto
isakmp
profile
profile-name
9.
vrf
ivrf
10.
match
identity
group
group-name
11.
client
authentication
list
list-name
12.
isakmp
authorization
list
list-name
13.
client
configuration
address
[initiate | respond]
14.
accounting
list-name
15.
exit
16.
crypto
dynamic-map
dynamic-map-name
dynamic-seq-num
17.
set
transform-set
transform-set-name
18.
set
isakmp-profile
profile-name
19.
reverse-route
[remote-peer]
20.
exit
21.
crypto
map
map-name
ipsec-isakmp
dynamic
dynamic-template-name
22.
radius-server
host
ip-address
[auth-port port-number]
[acct-port port-number]
23.
radius-server
key
string
24.
radius-server
vsa
send
accounting
25.
interface
type
slot
/
port
26.
crypto
map
map-name
DETAILED STEPS
Configuring Accounting Updates
To send accounting updates while a session is “up,” perform the following optional task:
IPsec VPN accounting must be configured before accounting updates are configured. See Configuring IPsec VPN Accounting for more information.
1.
enable
2.
configure
terminal
3.
aaa
accounting
update
periodic
number
DETAILED STEPS
Troubleshooting for IPsec VPN Accounting
To display messages about IPsec accounting events, perform the following optional task:
1.
enable
2.
debug
crypto
isakmp
aaa
DETAILED STEPS
Command or Action | Purpose |
---|
Configuration Examples for IPsec VPN Accounting
Accounting and ISAKMP-Profile Example
The following example shows a configuration for supporting remote access clients with accounting and ISAKMP profiles:
version 2.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname sheep ! aaa new-model ! ! aaa accounting network ipsecaaa start-stop group radius aaa accounting update periodic 1 aaa session-id common ip subnet-zero ip cef ! ! no ip domain lookup ip domain name cisco.com ip name-server 172.29.2.133 ip name-server 172.29.11.48 ! ! crypto isakmp policy 1 authentication pre-share group 2 ! crypto isakmp policy 10 hash md5 authentication pre-share lifetime 200 crypto isakmp key cisco address 172.31.100.2 crypto iakmp client configuration group cclient key jegjegjhrg pool addressA crypto-isakmp profile groupA vrf cisco match identity group cclient client authentication list cisco-client isakmp authorization list cisco-client client configuration address respond accounting acc ! ! crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac ! crypto dynamic-map remotes 1 set peer 172.31.100.2 set security-association lifetime seconds 120 set transform-set esp-des-md5 reverse-route ! crypto map test 10 ipsec-isakmp dynamic remotes ! voice call carrier capacity active ! interface Loopback0 ip address 10.20.20.20 255.255.255.0 no ip route-cache no ip mroute-cache ! interface FastEthernet0/0 ip address 10.2.80.203 255.255.255.0 no ip mroute-cache load-interval 30 duplex full ! interface FastEthernet1/0 ip address 192.168.219.2 255.255.255.0 no ip mroute-cache duplex auto speed auto ! interface FastEthernet1/1 ip address 172.28.100.1 255.255.255.0 no ip mroute-cache duplex auto speed auto crypto map test ! no fair-queue ip default-gateway 10.2.80.1 ip classless ip route 10.0.0.0 0.0.0.0 10.2.80.1 ip route 10.20.0.0 255.0.0.0 10.2.80.56 ip route 10.10.10.0 255.255.255.0 172.31.100.2 ip route 10.0.0.2 255.255.255.255 10.2.80.73 ip local pool addressA 192.168.1.1 192.168.1.253 no ip http server ip pim bidir-enable ! ! ip access-list extended encrypt permit ip host 10.0.0.1 host 10.5.0.1 ! access-list 101 permit ip host 10.20.20.20 host 10.10.10.10 ! ! radius-server host 172.27.162.206 auth-port 1645 acct-port 1646 key cisco123 radius-server retransmit 3 radius-server authorization permit missing Service-Type radius-server vsa send accounting call rsvp-sync ! ! mgcp profile default ! dial-peer cor custom ! ! gatekeeper shutdown ! ! line con 0 exec-timeout 0 0 exec prompt timestamp line aux 0 line vty 5 15 ntp server 172.31.150.52 end
Accounting Without ISAKMP Profiles Example
The following example shows a full Cisco IOS XE configuration that supports accounting remote access peers when ISAKMP profiles are not used:
version 2.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname sheep ! aaa new-model ! ! aaa accounting network ipsecaaa start-stop group radius aaa accounting update periodic 1 aaa session-id common ip subnet-zero ip cef ! ! no ip domain lookup ip domain name cisco.com ip name-server 172.29.2.133 ip name-server 172.29.11.48 ! ! crypto isakmp policy 1 authentication pre-share group 2 ! crypto isakmp policy 10 hash md5 authentication pre-share lifetime 200 crypto isakmp key cisco address 172.31.100.2 ! ! crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac ! crypto map test client accounting list ipsecaaa crypto map test 10 ipsec-isakmp set peer 172.31.100.2 set security-association lifetime seconds 120 set transform-set esp-des-md5 match address 101 ! voice call carrier capacity active ! interface Loopback0 ip address 10.20.20.20 255.255.255.0 no ip route-cache no ip mroute-cache ! interface FastEthernet0/0 ip address 10.2.80.203 255.255.255.0 no ip mroute-cache load-interval 30 duplex full ! interface FastEthernet1/0 ip address 192.168.219.2 255.255.255.0 no ip mroute-cache duplex auto speed auto ! interface FastEthernet1/1 ip address 172.28.100.1 255.255.255.0 no ip mroute-cache duplex auto speed auto crypto map test ! no fair-queue ip default-gateway 10.2.80.1 ip classless ip route 10.0.0.0 0.0.0.0 10.2.80.1 ip route 10.30.0.0 255.0.0.0 10.2.80.56 ip route 10.10.10.0 255.255.255.0 172.31.100.2 ip route 10.0.0.2 255.255.255.255 10.2.80.73 no ip http server ip pim bidir-enable ! ! ip access-list extended encrypt permit ip host 10.0.0.1 host 10.5.0.1 ! access-list 101 permit ip host 10.20.20.20 host 10.10.10.10 ! ! radius-server host 172.27.162.206 auth-port 1645 acct-port 1646 key cisco123 radius-server retransmit 3 radius-server authorization permit missing Service-Type radius-server vsa send accounting call rsvp-sync ! ! mgcp profile default ! dial-peer cor custom ! ! gatekeeper shutdown ! ! line con 0 exec-timeout 0 0 exec prompt timestamp line aux 0 line vty 5 15 ! exception core-file ioscrypto/core/sheep-core exception dump 172.25.1.129 ntp clock-period 17208229 ntp server 172.71.150.52 ! end
Additional References
Related Documents
Standards
Standard |
Title |
---|---|
None. |
-- |
MIBs
MIB |
MIBs Link |
---|---|
None. |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFC |
Title |
---|---|
None. |
|
Technical Assistance
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for IPsec VPN Accounting
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
IPsec VPN Accounting |
Cisco IOS XE Release 2.1 |
The IPsec VPN Accounting feature allows for a session to be accounted for by indicating when the session starts and when it stops. A VPN session is defined as an IKE SA and the one or more SA pairs that are created by the IKE SA. The session starts when the first IPsec pair is created and stops when all IPsec SAs are deleted. Session identifying information and session usage information is passed to the RADIUS server through standard RADIUS attributes and VSAs. The following commands were introduced or modified: client authentication list, client configuration address, crypto isakmp profile, crypto map (global IPsec), debug crypto isakmp, isakmp authorization list, match identity, set isakmp-profile, vrf. |
Glossary
IKE --Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IP security [IPsec]) that require keys. Before any IPsec traffic can be passed, each router, firewall, and host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a certification authority (CA) service.
IPsec --IP security. IPsec is A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec. IPsec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
ISAKMP --Internet Security Association and Key Management Protocol. ISAKMP is an Internet IPsec protocol (RFC 2408) that negotiates, establishes, modifies, and deletes security associations. It also exchanges key generation and authentication data (independent of the details of any specific key generation technique), key establishment protocol, encryption algorithm, or authentication mechanism.
L2TP session --Layer 2 Transport Protocol. L2TP are communications transactions between the L2TP access concentrator (LAC) and the L2TP network server (LNS) that support tunneling of a single PPP connection. There is a one-to-one relationship among the PPP connection, L2TP session, and L2TP call.
NAS --network access server. A NAS is a Cisco platform (or collection of platforms, such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the public switched telephone network [PSTN]).
PFS --perfect forward secrecy. PFS is a cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys.
QM --Queue Manager. The Cisco IP Queue Manager (IP QM) is an intelligent, IP-based, call-treatment and routing solution that provides powerful call-treatment options as part of the Cisco IP Contact Center (IPCC) solution.
RADIUS --Remote Authentication Dial-In User Service. RADIUS is a database for authenticating modem and ISDN connections and for tracking connection time.
RSA --Rivest, Shamir, and Adelman. Rivest, Shamir, and Adelman are the inventors of the Public-key cryptographic system that can be used for encryption and authentication.
SA --security association. A SA is an instance of security policy and keying material that is applied to a data flow.
TACACS+ --Terminal Access Controller Access Control System Plus. TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server.
VPN --Virtual Private Network. A VPN enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.
VRF --A VPN routing/forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router.
VSA --vendor-specific attribute. A VSA is an attribute that has been implemented by a particular vendor. It uses the attribute Vendor-Specific to encapsulate the resulting AV pair: essentially, Vendor-Specific = protocol:attribute = value.
XAUTH --Extended authentication. XAUTH is an optional exchange between IKE Phase 1 and IKE Phase 2, in which the router demands additional authentication information in an attempt to authenticate the actual user (as opposed to authenticating the peer).