AAA Broadcast Accounting-Mandatory Response Support
The AAA Broadcast Accounting--Mandatory Response Support feature provides a mechanism to support broadcast accounting under each server group through a Gateway GPRS Support Node (GGSN), which acts as a gateway between a General Packet Radio Service (GPRS) wireless data network and other networks such as the Internet or private networks.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for AAA Broadcast Accounting-Mandatory Response Support
See the Cisco GGSN Release 8.0 Configuration Guide for more information on preparing for the GGSN configuration.
Restrictions for AAA Broadcast Accounting-Mandatory Response Support
Accounting information can be sent simultaneously to a maximum of ten AAA servers.
Information About AAA Broadcast Accounting-Mandatory Response Support
The AAA Broadcast Accounting--Mandatory Response Support feature allows up to 10 server groups (methods) to be configured in a method list. The following sections describe the types of AAA accounting used to support GGSN:
AAA Broadcast Accounting
AAA broadcast accounting allows accounting information to be sent to multiple authentication, authorization, and accounting (AAA) servers at the same time; that is, accounting information can be broadcast to one or more AAA servers simultaneously. This functionality allows service providers to send accounting information to their own private AAA servers and to the AAA servers of their end customers. It also provides redundant billing information for voice applications.
Broadcasting is allowed among groups of servers, which can be either RADIUS or TACACS+, and each server group can define its backup servers for failover independently of other groups. Failover is a process that may occur when more than one server has been defined within a server group. Failover refers to the process by which information is sent to the first server in a server group; if the first server is unavailable, the information is sent to the next server in the server group. This process continues until the information is successfully sent to one of the servers within the server group or until the list of available servers within the server group is exhausted.
Simultaneous Broadcast and Wait Accounting
With Cisco GGSN Release 8.0 and later releases, broadcast and wait accounting can be configured to work together. The wait accounting feature is configured at the Access Point Name (APN) level, while broadcast accounting is specified at the AAA method level.
Broadcast accounting sends start, stop, and interim accounting records to all the server groups that are configured in a method list. Within a server group, the accounting records are sent to the first active server. If the active server cannot be reached, the accounting records are sent to the next server within a group.
Additionally, one or more server groups within a method list can be configured as “mandatory,” meaning that a server from that server group has to respond to the Accounting Start message. The APN-level wait accounting ensures that an accounting response has been received from all mandatory server groups before the packet data protocol (PDP) context is established.
The advantages of broadcast and wait accounting together include:
- Accounting records are sent to multiple servers, and once the entry is made, the user can start using different services.
- Records are sent to multiple AAA servers for redundancy purposes.
- A PDP context is established only when a valid Accounting Start record has been received by all essential servers, avoiding information loss.
- Broadcast records can be sent to as many as ten server groups within a method list.
When configuring broadcast and wait accounting together, note the following:
- Under the method list configuration, the mandatory keyword is available only if broadcast accounting is configured.
- If wait accounting is not required, broadcast accounting to all server groups is available without any mandatory groups defined.
- If you do not specify any mandatory server groups when configuring broadcast accounting, wait accounting will function as it does in Cisco GGSN Release 7.0 and earlier releases.
- Wait accounting does not apply to PPP PDP contexts.
- A PDP is successfully created only when an Accounting response is received from all the mandatory servers.
- The periodic timer starts when an Accounting Response (PDP creation) is received.
Note: More than one server group can be defined as a mandatory server group in a method list.
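The broadcast, failover and mandatory-response rules described above can be modelled in a few lines. This is an added example, not Cisco code: the `ServerGroup` class, the function names and the sample addresses are assumptions made for illustration, and it covers only the case where mandatory groups are defined.

```python
from dataclasses import dataclass

MAX_GROUPS = 10  # the page's limit on server groups per method list


@dataclass
class ServerGroup:
    name: str
    servers: list            # addresses in configured order = failover order
    mandatory: bool = False  # "group <name> mandatory" in the method list


def first_responder(group, reachable):
    """Failover inside one group: walk the servers in order and stop at the
    first one that answers; None means the group's list was exhausted."""
    for server in group.servers:
        if server in reachable:
            return server
    return None


def broadcast_start(method_list, reachable):
    """Send an Accounting Start to every group in the method list.

    Returns (ok, responders, missing): ok is True when every mandatory group
    produced a response, which is the condition APN-level wait accounting
    checks before the PDP context is created.
    """
    if len(method_list) > MAX_GROUPS:
        raise ValueError("method list exceeds ten server groups")
    responders = {g.name: first_responder(g, reachable) for g in method_list}
    missing = [g.name for g in method_list
               if g.mandatory and responders[g.name] is None]
    return not missing, responders, missing


# Constructed sample: three groups, two of them mandatory (addresses are made up).
METHOD_LIST = [
    ServerGroup("SG1", ["192.0.2.10", "192.0.2.11"], mandatory=True),
    ServerGroup("SG2", ["198.51.100.20"]),
    ServerGroup("SG3", ["203.0.113.30", "203.0.113.31"], mandatory=True),
]

if __name__ == "__main__":
    # SG1's primary is down (failover to .11); SG2 is unreachable but optional.
    print(broadcast_start(METHOD_LIST, {"192.0.2.11", "203.0.113.30"}))
    # Both SG3 servers are down: a mandatory group is silent, so no PDP context.
    print(broadcast_start(METHOD_LIST, {"192.0.2.10"}))
```

The second call shows the availability cost of marking a group mandatory: when every server in that group is unreachable, session setup is refused rather than left unaccounted.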
How AAA Broadcast Accounting is Supported for GGSN
Configuring Broadcast and Wait Accounting on the GGSN
The tasks in this section describe how to configure broadcast and wait accounting on the GGSN.
1. enable
2. configure terminal
3. aaa new-model
4. aaa accounting network {method-list-name | default}
5. action-type {start-stop | stop-only | none}
6. broadcast
7. group server-group [mandatory]
8. exit
9. gprs access-point-list list-name
10. access-point access-point-index
11. aaa-group accounting method-list name
12. gtp-response-message wait-accounting
DETAILED STEPS
Configuration Examples for AAA Broadcast Accounting-Mandatory Response Support
AAA Broadcast Accounting-Mandatory Response Support Example
The following example globally configures the GGSN to wait for an accounting response from the RADIUS server before sending a Create PDP Context response to the SGSN. The GGSN waits for a response for PDP context requests received across all access points, except access-point 1. RADIUS response message waiting has been overridden at access-point 1 by using the no gtp response-message wait-accounting command.
```
! Enables AAA globally
!
aaa new-model
!
! Defines AAA server group
!
aaa group server radius abc
 server 10.2.3.4 auth-port 1645 acct-port 1646
 server 10.6.7.8 auth-port 1645 acct-port 1646
!
! Configures AAA authentication and authorization
!
aaa authentication ppp abc group abc
aaa authorization network abc group abc
aaa accounting network abc
 action-type start-stop
 broadcast
 group SG1 mandatory
 group SG2
 group SG3 mandatory
!
gprs access-point-list gprs
 access-point 1
  access-mode non-transparent
  access-point-name www.pdn1.com
  aaa-group authentication abc
!
! Disables waiting for RADIUS response
! message at APN 1
!
  no gtp response-message wait-accounting
  exit
 access-point 2
  access-mode non-transparent
  access-point-name www.pdn2.com
  aaa-group authentication abc
!
! Enables waiting for RADIUS response
! messages across all APNs (except APN 1)
!
gprs gtp response-message wait-accounting
!
! Configures global RADIUS server hosts
! and specifies destination ports for
! authentication and accounting requests
!
radius-server host 10.2.3.4 auth-port 1645 acct-port 1646 non-standard
radius-server host 10.6.7.8 auth-port 1645 acct-port 1646 non-standard
radius-server key ggsntel
```
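Before a configuration like this is deployed, the accounting method lists can be checked offline against the rules this page states (at most ten server groups, `mandatory` only together with `broadcast`, every referenced group defined). The following is an added example, not a Cisco tool: the function name, the finding texts and the sample configuration are assumptions, and the parser expects sub-commands indented under `aaa accounting network`.

```python
import re
MAX_GROUPS = 10  # server-group limit stated on this page

def audit_accounting(config_text):
    """Map each 'aaa accounting network' method list to a list of findings."""
    defined = set(re.findall(r"^aaa group server \S+ (\S+)", config_text, re.M))
    blocks, current = {}, None
    for line in config_text.splitlines():
        head = re.match(r"aaa accounting network (\S+)", line)
        if head:
            current = blocks.setdefault(head.group(1), [])
        elif current is not None and line.startswith(" ") and line.strip():
            current.append(line.split())   # indented sub-command of the block
        else:
            current = None                 # any other line closes the block
    report = {}
    for name, cmds in blocks.items():
        groups = [c for c in cmds if c[0] == "group" and len(c) > 1]
        mandatory = [c[1] for c in groups if "mandatory" in c[2:]]
        broadcast = ["broadcast"] in cmds
        found = []
        if len(groups) > MAX_GROUPS:
            found.append(f"{len(groups)} server groups, limit is {MAX_GROUPS}")
        if mandatory and not broadcast:
            found.append("'mandatory' used without 'broadcast'")
        if broadcast and not mandatory:
            found.append("note: broadcast has no mandatory group")
        found += [f"undefined server group: {c[1]}" for c in groups
                  if c[1] not in defined]
        report[name] = found
    return report

# Constructed sample configuration (names and addresses are made up).
SAMPLE_CONFIG = """
aaa group server radius SG1
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa group server radius SG2
 server 198.51.100.20 auth-port 1645 acct-port 1646
aaa accounting network billing
 broadcast
 group SG1 mandatory
 group SG2
 group SG3 mandatory
aaa accounting network legacy
 group SG1 mandatory
"""

if __name__ == "__main__":
    print(audit_accounting(SAMPLE_CONFIG))
```

An undefined mandatory group is the finding to look at first: no server in it can ever respond, so with wait accounting enabled no PDP context would be created.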
Additional References
The following sections provide references related to the AAA Broadcast Accounting--Mandatory Response Support feature.
Related Documents
| Related Topic | Document Title |
|---|---|
| Preparation for the GGSN configuration | Cisco GGSN Release 8.0 Configuration Guide |
| AAA commands | Cisco IOS Security Command Reference Guide |
| AAA features | Cisco IOS Security Configuration Guide: Securing User Services |
Standards
| Standard | Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | -- |
MIBs
| MIB | MIBs Link |
|---|---|
| No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
| RFC | Title |
|---|---|
| No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | -- |
Technical Assistance
| Description | Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | |
Feature Information for AAA Broadcast Accounting-Mandatory Response Support
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
| Feature Name | Releases | Feature Information |
|---|---|---|
| AAA Broadcast Accounting--Mandatory Response Support | Cisco IOS XE Release 3.9S | The AAA Broadcast Accounting--Mandatory Response Support feature provides a mechanism to support broadcast accounting under each server group through a Gateway GPRS Support Node (GGSN), which acts as a gateway between a General Packet Radio Service (GPRS) wireless data network and other networks such as the Internet or private networks. The following commands were introduced or modified: aaa accounting network, aaa-group accounting, access-point, action-type, broadcast, gprs access-point-list, group, gtp-response-message wait-accounting |