RADIUS Debug Enhancements

This document describes the Remote Authentication Dial-In User Services (RADIUS) Debug Enhancements feature.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for RADIUS Debug Enhancements

  • Establish a working IP network. For more information about configuring IP, refer to the Configuring IPv4 Addresses module.
  • Configure the gateway as a RADIUS client. Refer to the “Configuring the Voice Gateway as a RADIUS Client” section in the CDR Accounting for Cisco IOS Voice Gateways document.
  • Be familiar with IETF RFC 2138.

Restrictions for RADIUS Debug Enhancements

Only Internet Engineering Task Force (IETF) attributes and Cisco vendor-specific attributes (VSAs) used in voice applications are supported. For unsupported attributes, “undebuggable” is displayed.

Information About RADIUS Debug Enhancements

RADIUS Overview

RADIUS is a distributed client/server system that provides the following functionality:

  • Secures networks against unauthorized access.
  • Enables authorization of specific service limits.
  • Provides accounting information so that services can be billed.

In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.

Benefits of RADIUS Debug Enhancements

The debug radius command displays information associated with RADIUS. Prior to the RADIUS Debug Enhancements feature, debug radius output was available only in an expanded, hexadecimal string format, resulting in displays that were difficult to interpret and analyze. Moreover, attribute value displays were truncated, particularly for VSAs.

This feature provides enhanced RADIUS display including the following:

  • Packet dump in a more readable, user-friendly ASCII format than before.
  • Complete display of attribute values without truncation.
  • Ability to select a brief RADIUS debug output display.
  • Compact debugging output option that is useful for high-traffic, operational environments.

How to Enable RADIUS Debug Parameters

Enabling RADIUS Debug Parameters

Perform this task to enable RADIUS debug parameters. By default, event logging is enabled.


Note


Prior to Cisco IOS Release 12.2(11)T, the debug radius command enabled truncated debugging output in hexadecimal notation, rather than ASCII.


SUMMARY STEPS

    1.    enable

    2.    debug radius [accounting | authentication | brief | elog | failover | retransmit | verbose]


DETAILED STEPS

Step 1
    Command or Action: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode.
      • Enter your password if prompted.

Step 2
    Command or Action: debug radius [accounting | authentication | brief | elog | failover | retransmit | verbose]
    Example: Router# debug radius accounting
    Purpose: Enables debugging for the specified parameters associated with RADIUS configuration.

Verifying RADIUS Debug Parameters

Perform this task to verify RADIUS debug parameters.

SUMMARY STEPS

    1.    enable

    2.    show debug


DETAILED STEPS

Step 1
    Command or Action: enable
    Example: Router> enable
    Purpose: Enables privileged EXEC mode.
      • Enter your password if prompted.

Step 2
    Command or Action: show debug
    Example: Router# show debug
    Purpose: Displays debug information.

Configuration Examples for RADIUS Debug Enhancements

Enabling RADIUS Debug Parameters Example

The following example shows how to enable debugging of RADIUS accounting collection.

      Router> enable
      Router# debug radius accounting
      Radius protocol debugging is on
      Radius protocol brief debugging is off
      Radius protocol verbose debugging is off
      Radius packet hex dump debugging is off
      Radius packet protocol (authentication) debugging is off
      Radius packet protocol (accounting) debugging is on
      Radius packet retransmission debugging is off
      Radius server fail-over debugging is off
      Radius elog debugging is off

Note

The sample output above displays information that is found inside a RADIUS protocol message. For more information about RADIUS protocol messages, see IETF RFC 2138.

Verifying RADIUS Debug Parameters Example

The following example shows how to verify RADIUS debug parameters.

      Router> enable
      Router# show debug
      00:02:50: RADIUS: ustruct sharecount=3 
      00:02:50: Radius: radius_port_info() success=0 radius_nas_port=1 
      00:02:50: RADIUS: Initial Transmit ISDN 0:D:23 id 0 10.0.0.0:1824, Accounting-Request, len 358 
      00:02:50: RADIUS: NAS-IP-Address [4] 6 10.0.0.1 
      00:02:50: RADIUS: Vendor, Cisco [26] 19 VT=02 TL=13 ISDN 0:D:23 
      00:02:50: RADIUS: NAS-Port-Type [61] 6 Async 
      00:02:50: RADIUS: User-Name [1] 12 "4085274206" 
      00:02:50: RADIUS: Called-Station-Id [30] 7 "52981" 
      00:02:50: RADIUS: Calling-Station-Id [31] 12 "4085554206" 
      00:02:50: RADIUS: Acct-Status-Type [40] 6 Start 
      00:02:50: RADIUS: Service-Type [6] 6 Login 
      00:02:50: RADIUS: Vendor, Cisco [26] 27 VT=33 TL=21 h323-gw-id=5300_43. 
      00:02:50: RADIUS: Vendor, Cisco [26] 55 VT=01 TL=49 h323-incoming-conf-id=8F3A3163 B4980003 0 29BD0 
      00:02:50: RADIUS: Vendor, Cisco [26] 31 VT=26 TL=25 h323-call-origin=answer 
      00:02:50: RADIUS: Vendor, Cisco [26] 32 VT=27 TL=26 h323-call-type=Telephony 
      00:02:50: RADIUS: Vendor, Cisco [26] 57 VT=25 TL=51 h323-setup-time=*16:02:48.681 PST Fri Dec 31 1999 
      00:02:50: RADIUS: Vendor, Cisco [26] 46 VT=24 TL=40 h323-conf-id=8F3A3163 B4980003 029BD0 
      00:02:50: RADIUS: Acct-Session-Id [44] 10 "00000002" 
      00:02:50: RADIUS: Delay-Time [41] 6 0 
      00:02:51: RADIUS: Received from id 0 10.0.0.0:1824, Accounting-response, len 20 
      00:02:51: %ISDN-6-CONNECT: Interface Serial0:22 is now connected to 4085554206 
      00:03:01: RADIUS: ustruct sharecount=3 
      00:03:01: Radius: radius_port_info() success=0 radius_nas_port=1 
      00:03:01: RADIUS: Initial Transmit ISDN 0:D:23 id 1 1.7.157.1:1823, Access-Request, len 171 
      00:03:01: RADIUS: NAS-IP-Address [4] 6 10.0.0.1 
      00:03:01: RADIUS: Vendor, Cisco [26] 19 VT=02 TL=13 ISDN 0:D:23 
      00:03:01: RADIUS: NAS-Port-Type [61] 6 Async 
      00:03:01: RADIUS: User-Name [1] 8 "123456" 
      00:03:01: RADIUS: Vendor, Cisco [26] 46 VT=24 TL=40 h323-conf-id=8F3A3163 B4980003 0 29BD0 
      00:03:01: RADIUS: Calling-Station-Id [31] 12 "4085274206" 
      00:03:01: RADIUS: User-Password [2] 18 * 
      00:03:01: RADIUS: Vendor, Cisco [26] 36 VT=01 TL=30 h323-ivr-out=transactionID:0 
      00:03:01: RADIUS: Received from id 1 1.7.157.1:1823, Access-Accept, len 115 
      00:03:01: RADIUS: Service-Type [6] 6 Login 
      00:03:01: RADIUS: Vendor, Cisco [26] 29 VT=101 TL=23 h323-credit-amount=45 
      00:03:01: RADIUS: Vendor, Cisco [26] 27 VT=102 TL=21 h323-credit-time=33 
      00:03:01: RADIUS: Vendor, Cisco [26] 26 VT=103 TL=20 h323-return-code=0 
      00:03:01: RADIUS: Class [25] 7 6C6F63616C 
      00:03:01: RADIUS: saved authorization data for user 62321E14 at 6233D258 
      00:03:13: %ISDN-6-DISCONNECT: Interface Serial0:22 disconnected from 4085274206, call lasted 22 seconds 
      00:03:13: RADIUS: ustruct sharecount=2 
      00:03:13: Radius: radius_port_info() success=0 radius_nas_port=1 
      00:03:13: RADIUS: Sent class "local" at 6233D2C4 from user 62321E14 
      00:03:13: RADIUS: Initial Transmit ISDN 0:D:23 id 2 10.0.0.0:1824, Accounting-Request, len 775 
      00:03:13: RADIUS: NAS-IP-Address [4] 6 10.0.0.1 
      00:03:13: RADIUS: Vendor, Cisco [26] 19 VT=02 TL=13 ISDN 0:D:23 
      00:03:13: RADIUS: NAS-Port-Type [61] 6 Async 
      00:03:13: RADIUS: User-Name [1] 8 "123456" 
      00:03:13: RADIUS: Called-Station-Id [30] 7 "52981"
      00:03:13: RADIUS: Calling-Station-Id [31] 12 "4085554206"
      00:03:13: RADIUS: Acct-Status-Type [40] 6 Stop
      00:03:13: RADIUS: Class [25] 7 6C6F63616C
      00:03:13: RADIUS: Undebuggable [45] 6 00000001
      00:03:13: RADIUS: Service-Type [6] 6 Login
      00:03:13: RADIUS: Vendor, Cisco [26] 27 VT=33 TL=21 h323-gw-id=5300_43.
      00:03:13: RADIUS: Vendor, Cisco [26] 55 VT=01 TL=49 h323-incoming-conf-id=8F3A3163 B4980003 0 29BD0
      00:03:13: RADIUS: Vendor, Cisco [26] 31 VT=26 TL=25 h323-call-origin=answer
      00:03:13: RADIUS: Vendor, Cisco [26] 32 VT=27 TL=26 h323-call-type=Telephony
      00:03:13: RADIUS: Vendor, Cisco [26] 57 VT=25 TL=51 h323-setup-time=*16:02:48.681 PST Fri Dec 31 1999
      00:03:13: RADIUS: Vendor, Cisco [26] 59 VT=28 TL=53 h323-connect-time=*16:02:48.946 PST Fri Dec 31 1999
      00:03:13: RADIUS: Vendor, Cisco [26] 62 VT=29 TL=56 h323-disconnect-time=*16:03:11.306 PST Fri Dec 31 1999
      00:03:13: RADIUS: Vendor, Cisco [26] 32 VT=30 TL=26 h323-disconnect-cause=10
      00:03:13: RADIUS: Vendor, Cisco [26] 28 VT=31 TL=22 h323-voice-quality=0
      00:03:13: RADIUS: Vendor, Cisco [26] 46 VT=24 TL=40 h323-conf-id=8F3A3163 B4980003 0 29BD0
      00:03:13: RADIUS: Acct-Session-Id [44] 10 "00000002"
      00:03:13: RADIUS: Acct-Input-Octets [42] 6 0
      00:03:13: RADIUS: Acct-Output-Octets [43] 6 88000
      00:03:13: RADIUS: Acct-Input-Packets [47] 6 0
      00:03:13: RADIUS: Acct-Output-Packets [48] 6 550
      00:03:13: RADIUS: Acct-Session-Time [46] 6 22
      00:03:13: RADIUS: Vendor, Cisco [26] 30 VT=01 TL=24 subscriber=RegularLine
      00:03:13: RADIUS: Vendor, Cisco [26] 35 VT=01 TL=29 h323-ivr-out=Tariff:Unknown
      00:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 pre-bytes-in=0
      00:03:13: RADIUS: Vendor, Cisco [26] 23 VT=01 TL=17 pre-bytes-out=0
      00:03:13: RADIUS: Vendor, Cisco [26] 21 VT=01 TL=15 pre-paks-in=0
      00:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 pre-paks-out=0
      00:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 nas-rx-speed=0
      00:03:13: RADIUS: Vendor, Cisco [26] 22 VT=01 TL=16 nas-tx-speed=0
      00:03:13: RADIUS: Delay-Time [41] 6 0
      00:03:13: RADIUS: Received from id 2 10.0.0.0:1824, Accounting-response, len 20
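
Added example (not part of the Cisco document): a Python parser for the debug output shown above that regroups attribute lines under their packet header and checks that the logged lengths are self-consistent, which exposes dropped or truncated lines before the output is relied on for troubleshooting or forensics. It assumes the line layout seen in this sample; the 20-byte header and 6-byte Vendor-Specific overhead come from the RADIUS packet format in RFC 2138, and the function names are illustrative.

```python
import re

HEADER_LEN = 20    # code, identifier, length, 16-byte authenticator (RFC 2138)
VSA_OVERHEAD = 6   # attribute type, length and 4-byte vendor id before the vendor TLV
PKT = re.compile(r"RADIUS: (?:Initial Transmit|Received from) .*?id (\d+) \S+, ([\w-]+), len (\d+)")
ATTR = re.compile(r"RADIUS: (.+?) \[(\d+)\] (\d+) (.*)")
VSA = re.compile(r"VT=\d+ TL=(\d+)")

def parse(log):
    """Group attribute lines under the packet header line that precedes them."""
    packets = []
    for line in log.splitlines():
        if m := PKT.search(line):
            packets.append({"id": int(m[1]), "code": m[2], "len": int(m[3]), "attrs": []})
        elif packets and (m := ATTR.search(line)):
            packets[-1]["attrs"].append((m[1], int(m[2]), int(m[3]), m[4].strip()))
    return packets

def audit(pkt):
    """Return a list of consistency findings for one parsed packet."""
    findings = []
    total = HEADER_LEN + sum(length for _, _, length, _ in pkt["attrs"])
    if total != pkt["len"]:
        findings.append(f"length: header says {pkt['len']}, attributes add up to {total}")
    for name, atype, length, value in pkt["attrs"]:
        vsa = VSA.match(value)
        if atype == 26 and vsa and int(vsa[1]) != length - VSA_OVERHEAD:
            findings.append(f"vsa: TL={vsa[1]} but attribute length is {length}")
        if name.lower() == "undebuggable":
            findings.append(f"undecoded: attribute type {atype}")
        if name == "User-Password" and value != "*":
            findings.append("secret: User-Password value is not masked")
    return findings

# Access-Request copied from the sample output above.
SAMPLE = """\
00:03:01: RADIUS: Initial Transmit ISDN 0:D:23 id 1 1.7.157.1:1823, Access-Request, len 171
00:03:01: RADIUS: NAS-IP-Address [4] 6 10.0.0.1
00:03:01: RADIUS: Vendor, Cisco [26] 19 VT=02 TL=13 ISDN 0:D:23
00:03:01: RADIUS: NAS-Port-Type [61] 6 Async
00:03:01: RADIUS: User-Name [1] 8 "123456"
00:03:01: RADIUS: Vendor, Cisco [26] 46 VT=24 TL=40 h323-conf-id=8F3A3163 B4980003 0 29BD0
00:03:01: RADIUS: Calling-Station-Id [31] 12 "4085274206"
00:03:01: RADIUS: User-Password [2] 18 *
00:03:01: RADIUS: Vendor, Cisco [26] 36 VT=01 TL=30 h323-ivr-out=transactionID:0
"""

if __name__ == "__main__":
    print([(p["code"], audit(p) or "consistent") for p in parse(SAMPLE)])
```

Run over the full sample output, the same checks report the Undebuggable attribute of type 45 in the Accounting-Request that carries Acct-Status-Type Stop.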

Additional References

The following sections provide references related to the RADIUS Debug Enhancements feature.

Related Documents

Related Topic: Configuring RADIUS
Document Title: “Configuring RADIUS” module

Related Topic: Debug commands: complete command syntax, defaults, command mode, command history, usage guidelines, and examples
Document Title: Cisco IOS Debug Command Reference

Standards

Standard: None
Title: --

MIBs

MIB: None
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC: RFC 2138
Title: Remote Authentication Dial In User Service (RADIUS)

Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/techsupport

Feature Information for RADIUS Debug Enhancements

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for RADIUS Debug Enhancements

Feature Name: RADIUS Debug Enhancements
Releases: 12.2(11)T
Feature Information: This feature provides enhancements to the existing functionality of RADIUS debug parameters. The following commands were introduced or modified: debug radius and show debug.

Glossary

AAA--authentication, authorization, and accounting. Pronounced “triple A.”

ASCII--American Standard Code for Information Interchange. 8-bit code for character representation (7 bits plus parity).

attribute--Form of information items provided by the X.500 Directory Service. The directory information base consists of entries, each containing one or more attributes. Each attribute consists of a type identifier together with one or more values.

IETF--Internet Engineering Task Force. Task force consisting of over 80 working groups responsible for developing Internet standards. The IETF operates under the auspices of ISOC.

RADIUS--Remote Authentication Dial-In User Service. Database for authenticating modem and ISDN connections and for tracking connection time.

VoIP--Voice over IP. The capability to carry normal telephony-style voice over an IP-based internet with POTS-like functionality, reliability, and voice quality. VoIP enables a router to carry voice traffic (for example, telephone calls and faxes) over an IP network. In VoIP, the DSP segments the voice signal into frames, which then are coupled in groups of two and stored in voice packets. These voice packets are transported using IP in compliance with ITU-T specification H.323.

VSA--vendor-specific attribute. An attribute that has been implemented by a particular vendor. It uses the attribute Vendor-Specific to encapsulate the resulting AV pair: essentially, Vendor-Specific = protocol:attribute = value.