Table Of Contents
Prerequisites for RADIUS-Based Lawful Intercept
Restrictions for RADIUS-Based Lawful Intercept
Information About RADIUS-Based Lawful Intercept
RADIUS-Based Lawful Intercept Solutions
RADIUS Attributes Used to Specify an Intercept Request
How Intercept Requests Work Within Access-Accept Packets
How Intercept Requests Work Within CoA-Request Packets
How to Configure RADIUS-Based Lawful Intercept
Configuration Examples for RADIUS-Based Lawful Intercept
Enabling RADIUS-Based Lawful Intercept on a Router: Example
aaa server radius dynamic-author
Feature Information for RADIUS-Based Lawful Intercept
RADIUS-Based Lawful Intercept
First Published: February 21, 2006Last Updated: March 9, 2006
The RADIUS-Based Lawful Intercept feature introduces a new method of conducting lawful interception of traffic data. Intercept requests are sent from the RADIUS server to the network access server (NAS) or to the Layer 2 Tunnel Protocol access concentrator (LAC) by using Access-Accept packets or Change of Authorization (CoA) Request packets. All data traffic going to or from a PPP or L2TP session is passed to a mediation device.
Previously, to intercept traffic data you had to wait for an IP address to be assigned to the session.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for RADIUS-Based Lawful Intercept" section.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•Prerequisites for RADIUS-Based Lawful Intercept
•Restrictions for RADIUS-Based Lawful Intercept
•Information About RADIUS-Based Lawful Intercept
•How to Configure RADIUS-Based Lawful Intercept
•Configuration Examples for RADIUS-Based Lawful Intercept
•Feature Information for RADIUS-Based Lawful Intercept
Prerequisites for RADIUS-Based Lawful Intercept
Before enabling a RADIUS-based lawful intercept solution, ensure that your network supports the following features:
•Intercept requests in Access-Accept packets, which allow data interception to start at the beginning of a session.
•Intercept requests in CoA packets, which allow data interception to start or stop during an existing session.
•PPP packet interception.
Restrictions for RADIUS-Based Lawful Intercept
•The RADIUS-Based Lawful Intercept feature cannot honor both CoA requests and lawful intercept requests simultaneously. When a CoA-Request packet is identified as a lawful intercept request, the packet is consumed by the lawful intercept functionality, and it is not passed to other CoA packets.
•If there are attributes other than the required four LI attributes and the Acct-Session-ID attribute 44, the CoA-Request packet is rejected. However, Access-Accept packets can contain attributes that are not related to lawful intercept.
•When using the IP address, the tap must be set by using the Simple Network Management Protocol (SNMP); the tap cannot be set by using RADIUS.
Information About RADIUS-Based Lawful Intercept
To configure the RADIUS-Based Lawful Intercept feature, you need to understand the following concepts:
•RADIUS-Based Lawful Intercept Solutions
•RADIUS Attributes Used to Specify an Intercept Request
RADIUS-Based Lawful Intercept Solutions
A RADIUS-based lawful intercept solution enables intercept requests to be sent (via Access-Accept packets or CoA-Request packets) to the NAS or to the LAC from the RADIUS server. All traffic data going to or from a PPP or L2TP session is passed to a mediation device. Another advantage of RADIUS-based lawful intercept is the synchronicity of the solution—the tap is set with Access-Accept packets so that all target traffic is intercepted.
Without a RADIUS-based solution, Cisco's lawful intercept implementation must use the CISCO-TAP-MIB. Intercept requests are initiated by the mediation device via SNMPv3 messages, and all traffic data going to or from a given IP address is passed to a mediation device. Interception based on IP addresses prevents a session from being tapped until an IP address has been assigned to the session.
RADIUS Attributes Used to Specify an Intercept Request
Table 1 describes the four attributes that are required to specify an intercept request in Access-Accept packets or in CoA-Request packets. CoA-Request packets must have attribute 44, Acct-Session-ID, to identify the user session to which the Lawful Intercept feature should be applied. If a packet contains more than four attributes, the RADIUS packet is ignored. If an attribute name is misspelled, the security for that RADIUS profile will be affected when the debug radius command is entered.
Note The RADIUS server must support encoding and decoding of salt-encrypted attributes.
Each attribute (except for CoA-Request attribute 44) is salt-encrypted. The salt field ensures that the uniqueness of the encryption key is used to encrypt each instance of the vendor-specific attribute (VSA). The first and most significant bit of the salt field must be set to 1. Cisco VSA type 36 specifies the intercept attributes. See Figure 1.
Figure 1 Encrypted String VSA Format
Intercept Operation
This section describes the following:
•How Intercept Requests Work Within Access-Accept Packets
•How Intercept Requests Work Within CoA-Request Packets
How Intercept Requests Work Within Access-Accept Packets
When an intercept target begins to establish a connection, an Access-Request packet is sent to the RADIUS server. The RADIUS server responds with an Access-Accept packet containing the four RADIUS attributes that are listed in Table 1.
The NAS or the LAC receives the LI-Action attribute with the value 1, allowing the NAS or LAC to duplicate the traffic data at the start of the new session and forward the duplicated data to the mediation device that was specified via the attributes MD-IP-Address and MD-Port-Number.
Note If the NAS or LAC cannot start intercepting traffic data for a new session, the session will not be established.
If accounting is enabled (via the aaa accounting network command and the aaa accounting send stop-record authentication failure command), an Accounting-Stop packet will not be sent with the Acct-Termination-Cause attribute (attribute 49) set to 15 (which means that service is not available).
How Intercept Requests Work Within CoA-Request Packets
After a session has been established for the intercept target, CoA-Request packets can be used for the following tasks:
•Starting the interception of an existing session. The LI-Action attribute is set to 1.
•Stopping the interception of an existing session. The LI-Action attribute is set to 0.
•Issuing a "dummy" intercept request. The LI-Action attribute is set to 2. The NAS or LAC should not perform any session interception; instead, it searches the session on the basis of the Acct-Session-ID attribute value that was specified in the CoA-Request packets. If a session is found, the NAS or LAC sends a CoA acknowledgment (ACK) response to the RADIUS server. If a session is not found, the NAS or LAC issues a "session not found" error message.
Errors are in the CoA-ACK packet attribute 101. Following are possible CoA-ACK settings that the Lawful Intercept feature can set:
•401: Unsupported Attribute (There is a non-LI attribute, except for 44 which is allowed.)
•402: Missing Attribute (One of the four LI attributes is missing.)
•404: Invalid Request (An LI attribute is malformed or duplicated.)
•501: Administratively Prohibited (AAA Intercept is not configured.)
•503: Session Context Not Found (Session does not exist.)
•506: Resources Unavailable (Memory is low.)
•200: Success (There are no errors; the CoA-Request was accepted and acted on.)
In each case, the RADIUS server must send CoA-Request packets (code 43) with the attributes identified in Table 1 plus the Acct-Session-ID attribute (attribute 44). Each of these attributes must be in the packet.
The Acct-Session-ID attribute identifies the session that will be intercepted. The Acct-Session-ID attribute can be obtained from either the Access-Request packet or the Accounting-Stop packet by entering the radius-server attribute 44 include-in-access-req command.
When a session is being tapped and the session terminates, the tap stops. The session does not start when the subscriber logs back in unless the Access-Accept indicates a start tap or a CoA-Request is sent to start the session.
Note The frequency of CoA-Request packets should not exceed a rate of one request every 10 minutes.
How to Configure RADIUS-Based Lawful Intercept
This section contains the following procedure:
•Enabling Lawful Intercept (required)
Enabling Lawful Intercept
To enable a RADIUS-Based Lawful Intercept solution on your router, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa intercept
4. aaa authentication ppp {default | list-name} group radius
5. aaa accounting send stop-record authentication failure
6. aaa accounting network {default | list-name} start-stop group {radius | group-name}
7. radius-server attribute 44 include-in-access-req
8. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
9. aaa server radius dynamic-author
10. client ip-address
11. server-key [0 | 7] word
12. port port-number
13. exit
DETAILED STEPS
Troubleshooting Tips
You can use the following commands to troubleshoot your lawful intercept configuration:
•debug aaa accounting
•debug aaa authentication
•debug aaa coa
•debug ppp authentication
•debug radius
Configuration Examples for RADIUS-Based Lawful Intercept
This section provides the following configuration example:
•Enabling RADIUS-Based Lawful Intercept on a Router: Example
Enabling RADIUS-Based Lawful Intercept on a Router: Example
The following example shows the configuration of a RADIUS-Based Lawful Intercept solution on a router acting as NAS device employing an Ethernet PPP connection over ATM (PPPoEoA) link:
aaa new-model ! aaa intercept ! aaa group server radius SG server 10.0.56.17 auth-port 1645 acct-port 1646 ! aaa authentication login LOGIN group SG aaa authentication ppp default group SG aaa authorization network default group SG aaa accounting send stop-record authentication failure aaa accounting network default start-stop group SG ! aaa server radius dynamic-author client 10.0.56.17 server-key cisco ! vpdn enable ! bba-group pppoe PPPoEoA-TERMINATE virtual-template 1 ! interface Loopback0 ip address 10.1.1.2 255.255.255.0 ! interface FastEthernet4/1/0 description To RADIUS server ip address 10.0.56.20 255.255.255.0 duplex auto ! interface FastEthernet4/1/2 description To network ip address 10.1.1.1 255.255.255.0 duplex auto ! interface ATM5/0/0 description To subscriber no ip address ! interface ATM5/0/0.1 point-to-point pvc 10/808 protocol pppoe group PPPoEoA-TERMINATE ! interface Virtual-Template1 ip unnumbered Loopback0 ppp authentication chap ! radius-server attribute 44 include-in-access-req radius-server attribute nas-port format d radius-server host 10.0.56.17 auth-port 1645 acct-port 1646 radius-server key ciscoAdditional References
The following sections provide references related to the RADIUS-Based Lawful Intercept feature.
Related Documents
Related Topic Document TitleRADIUS attributes and VSA overview information
The section "RADIUS Attributes" in the Cisco IOS Security Configuration Guide, Release 12.4
Lawful Intercept Architecture
Standards
MIBs
RFCs
RFC TitleRFC 2865
RFC 2868
RFC 3576
Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
Technical Assistance
Command Reference
This section documents new and modified commands only.
•aaa server radius dynamic-author
•port
aaa intercept
To enable lawful intercept on a router, use the aaa intercept command in global configuration mode. To disable lawful intercept, use the no form of this command.
aaa intercept
no aaa intercept
Syntax Description
This command has no arguments or keywords.
Command Default
Lawful intercept is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the aaa intercept command to enable a RADIUS-Based Lawful Intercept solution on your router. Intercept requests are sent (via Access-Accept packets or CoA-Request packets) to the network access server (NAS) or the Layer 2 Tunnel Protocol (L2TP) access concentrator (LAC) from the RADIUS server. All data traffic going to or from a PPP or L2TP session is passed to a mediation device.
Configure this command with high administrative security so that unauthoried people cannot remove the command.
Examples
The following example shows the configuration of a RADIUS-Based Lawful Intercept solution on a router acting as NAS device employing an Ethernet PPP connection over ATM (PPPoEoA) link:
aaa new-model ! aaa intercept ! aaa group server radius SG server 10.0.56.17 auth-port 1645 acct-port 1646 ! aaa authentication login LOGIN group SG aaa authentication ppp default group SG aaa authorization network default group SG aaa accounting send stop-record authentication failure aaa accounting network default start-stop group SG ! aaa server radius dynamic-author client 10.0.56.17 server-key cisco ! vpdn enable ! bba-group pppoe PPPoEoA-TERMINATE virtual-template 1 ! interface Loopback0 ip address 10.1.1.2 255.255.255.0 ! interface FastEthernet4/1/0 description To RADIUS server ip address 10.0.56.20 255.255.255.0 duplex auto ! interface FastEthernet4/1/2 description To network ip address 10.1.1.1 255.255.255.0 duplex auto ! interface ATM5/0/0 description To subscriber no ip address ! interface ATM5/0/0.1 point-to-point pvc 10/808 protocol pppoe group PPPoEoA-TERMINATE ! interface Virtual-Template1 ip unnumbered Loopback0 ppp authentication chap ! radius-server attribute 44 include-in-access-req radius-server attribute nas-port format d radius-server host 10.0.56.17 auth-port 1645 acct-port 1646 radius-server key ciscoaaa server radius dynamic-author
To configure a device as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server, use the aaa server radius dynamic-author command in global configuration mode. To remove this configuration, use the no form of this command.
aaa server radius dynamic-author
no aaa server radius dynamic-author
Syntax Description
This command has no arguments or keywords.
Command Default
The device will not function as a server when interacting with external policy servers.
Command Modes
Global configuration
Command History
Usage Guidelines
Dynamic authorization allows an external policy server to dynamically send updates to a device.
Dynamic Authorization for the Intelligent Service Gateway (ISG)
ISG works with external devices, referred to as policy servers, that store per-subscriber and per-service information. ISG supports two models of interaction between the ISG device and external policy servers: initial authorization and dynamic authorization.
The dynamic authorization model allows an external policy server to dynamically send policies to the Intelligent Service Gateway (ISG). These operations can be initiated in-band by subscribers (through service selection) or through the actions of an administrator, or applications can change policies on the basis of an algorithm (for example, change session quality of service (QoS) at a certain time of day). This model is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server.
Examples
The following example configures the ISG to act as a AAA server when interacting with the client at IP address 10.12.12.12:
aaa server radius dynamic-authorclient 10.12.12.12 key ciscomessage-authenticator ignoreRelated Commands
Command Descriptionclient
Specifies a RADIUS client from which a device will accept CoA and disconnect requests.
client
To specify a RADIUS client from which a device will accept Change of Authorization (CoA) and disconnect requests, use the client command in dynamic authorization local server configuration mode. To remove this specification, use the no form of this command.
client {name | ip-address} [key [0 | 7] word] [vrf vrf-id]
no client {name | ip-address} [key [0 | 7 ] word] [vrf vrf-id]
Syntax Description
Command Default
CoA and disconnect requests are dropped.
Command Modes
Dynamic authorization local server configuration
Command History
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the client command to specify the RADIUS clients for which the router will act as server.
Examples
The following example configures the router to accept requests from the RADIUS client at IP address 10.0.0.1:
aaa server radius dynamic-authorclient 10.0.0.1 key ciscoRelated Commands
Command Descriptionaaa server radius dynamic-author
Configures an ISG as a AAA server to facilitate interaction with an external policy server.
debug ssm
To display diagnostic information about the Segment Switching Manager (SSM) for switched Layer 2 segments, use the debug ssm command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug ssm {cm errors | cm events | fhm errors | fhm events | sm errors | sm events | sm counters | xdr}
no debug ssm {cm errors | cm events | fhm errors | fhm events | sm errors | sm events | sm counters | xdr}
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The SSM manages the data-plane component of the L2VPN configuration. The CM tracks the connection-level errors and events that occur on an xconnect. The SM tracks the per-segment events and errors on the xconnect.
Use the debug ssm command to troubleshoot problems in bringing up the data plane.
This command is generally used only by Cisco engineers for internal debugging of SSM processes.
Examples
The following example shows sample output for the debug ssm xdr command.
Router# debug ssm xdrSSM xdr debugging is on2w5d: SSM XDR: [4096] deallocate segment, len 162w5d: SSM XDR: [8193] deallocate segment, len 162w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to down2w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to up2w5d: SSM XDR: [4102] provision segment, switch 4101, len 1062w5d: SSM XDR: [4102] update segment status, len 172w5d: SSM XDR: [8199] provision segment, switch 4101, len 2062w5d: SSM XDR: [4102] update segment status, len 172w5d: %SYS-5-CONFIG_I: Configured from console by console2w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to down2w5d: SSM XDR: [4102] update segment status, len 172w5d: %LINK-3-UPDOWN: Interface FastEthernet2/1, changed state to up2w5d: SSM XDR: [4102] deallocate segment, len 162w5d: SSM XDR: [8199] deallocate segment, len 162w5d: SSM XDR: [4104] provision segment, switch 4102, len 1062w5d: SSM XDR: [4104] update segment status, len 172w5d: SSM XDR: [8201] provision segment, switch 4102, len 2062w5d: SSM XDR: [4104] update segment status, len 172w5d: SSM XDR: [4104] update segment status, len 172w5d: %SYS-5-CONFIG_I: Configured from console by consoleThe following example shows the events that occur on the segment manager when an Any Transport over MPLS (AToM) virtual circuit (VC) configured for Ethernet over MPLS is shut down and then enabled:
Router# debug ssm sm eventsSSM Connection Manager events debugging is onRouter(config)# interface fastethernet 0/1/0.1
Router(config-subif)# shutdown
09:13:38.159: SSM SM: [SSS:AToM:36928] event Unprovison segment09:13:38.159: SSM SM: [SSS:Ethernet Vlan:4146] event Unbind segment09:13:38.159: SSM SM: [SSS:AToM:36928] free segment class09:13:38.159: SSM SM: [SSS:AToM:36928] free segment09:13:38.159: SSM SM: [SSS:AToM:36928] event Free segment09:13:38.159: SSM SM: last segment class freed09:13:38.159: SSM SM: [SSS:Ethernet Vlan:4146] segment ready09:13:38.159: SSM SM: [SSS:Ethernet Vlan:4146] event Found segment dataRouter(config-subif)# no shutdown
09:13:45.815: SSM SM: [SSS:AToM:36929] event Provison segment09:13:45.815: label_oce_get_label_bundle: flags 14 label 1609:13:45.815: SSM SM: [SSS:AToM:36929] segment ready09:13:45.815: SSM SM: [SSS:AToM:36929] event Found segment data09:13:45.815: SSM SM: [SSS:AToM:36929] event Bind segment09:13:45.815: SSM SM: [SSS:Ethernet Vlan:4146] event Bind segmentThe following example shows the events that occur on the connection manager when an AToM VC configured for Ethernet over MPLS is shut down and then enabled:
Router(config)# interface fastethernet 0/1/0.1
Router(config-subif)# shutdown
09:17:20.179: SSM CM: [AToM] unprovision segment, id 3692909:17:20.179: SSM CM: CM FSM: state Open - event Free segment09:17:20.179: SSM CM: [SSS:AToM:36929] unprovision segment 109:17:20.179: SSM CM: [SSS:AToM] shQ request send unprovision complete event09:17:20.179: SSM CM: [SSS:Ethernet Vlan:4146] unbind segment 209:17:20.179: SSM CM: [SSS:Ethernet Vlan] shQ request send ready event09:17:20.179: SSM CM: SM msg event send unprovision complete event09:17:20.179: SSM CM: SM msg event send ready eventRouter(config-subif)# no shutdown
09:17:35.879: SSM CM: Query AToM to Ethernet Vlan switching, enabled09:17:35.879: SSM CM: [AToM] provision second segment, id 3693009:17:35.879: SSM CM: CM FSM: state Down - event Provision segment09:17:35.879: SSM CM: [SSS:AToM:36930] provision segment 209:17:35.879: SSM CM: [AToM] send client event 6, id 3693009:17:35.879: SSM CM: [SSS:AToM] shQ request send ready event09:17:35.883: SSM CM: SM msg event send ready event09:17:35.883: SSM CM: [AToM] send client event 3, id 36930The following example shows the events that occur on the connection manager and segment manager when an AToM VC is provisioned and then unprovisioned:
Router# debug ssm cm-ev
SSM Connection Manager events debugging is onRouter# debug ssm sm-evSSM Segment Manager events debugging is onRouter# configure terminalRouter(config)# interface ethernet1/0
Router(config-if)# xconnect 55.55.55.2 101 pw-class mpls16:57:34: SSM CM: provision switch event, switch id 8604016:57:34: SSM CM: [Ethernet] provision first segment, id 1231316:57:34: SSM CM: CM FSM: state Idle - event Provision segment16:57:34: SSM CM: [SSS:Ethernet:12313] provision segment 116:57:34: SSM SM: [SSS:Ethernet:12313] event Provison segment16:57:34: SSM CM: [SSS:Ethernet] shQ request send ready event16:57:34: SSM CM: SM msg event send ready event16:57:34: SSM SM: [SSS:Ethernet:12313] segment ready16:57:34: SSM SM: [SSS:Ethernet:12313] event Found segment data16:57:34: SSM CM: Query AToM to Ethernet switching, enabled16:57:34: SSM CM: [AToM] provision second segment, id 1641016:57:34: SSM CM: CM FSM: state Down - event Provision segment16:57:34: SSM CM: [SSS:AToM:16410] provision segment 216:57:34: SSM SM: [SSS:AToM:16410] event Provison segment16:57:34: SSM CM: [AToM] send client event 6, id 1641016:57:34: label_oce_get_label_bundle: flags 14 label 1916:57:34: SSM CM: [SSS:AToM] shQ request send ready event16:57:34: SSM CM: SM msg event send ready event16:57:34: SSM SM: [SSS:AToM:16410] segment ready16:57:34: SSM SM: [SSS:AToM:16410] event Found segment data16:57:34: SSM SM: [SSS:AToM:16410] event Bind segment16:57:34: SSM SM: [SSS:Ethernet:12313] event Bind segment16:57:34: SSM CM: [AToM] send client event 3, id 16410Router# configure terminal
Router(config)# interface e1/0Router(config-if)# no xconnect
16:57:26: SSM CM: [Ethernet] unprovision segment, id 1638716:57:26: SSM CM: CM FSM: state Open - event Free segment16:57:26: SSM CM: [SSS:Ethernet:16387] unprovision segment 116:57:26: SSM SM: [SSS:Ethernet:16387] event Unprovison segment16:57:26: SSM CM: [SSS:Ethernet] shQ request send unprovision complete event16:57:26: SSM CM: [SSS:AToM:86036] unbind segment 216:57:26: SSM SM: [SSS:AToM:86036] event Unbind segment16:57:26: SSM CM: SM msg event send unprovision complete event16:57:26: SSM SM: [SSS:Ethernet:16387] free segment class16:57:26: SSM SM: [SSS:Ethernet:16387] free segment16:57:26: SSM SM: [SSS:Ethernet:16387] event Free segment16:57:26: SSM SM: last segment class freed16:57:26: SSM CM: unprovision switch event, switch id 1229016:57:26: SSM CM: [SSS:AToM] shQ request send unready event16:57:26: SSM CM: SM msg event send unready event16:57:26: SSM SM: [SSS:AToM:86036] event Unbind segment16:57:26: SSM CM: [AToM] unprovision segment, id 8603616:57:26: SSM CM: CM FSM: state Down - event Free segment16:57:26: SSM CM: [SSS:AToM:86036] unprovision segment 216:57:26: SSM SM: [SSS:AToM:86036] event Unprovison segment16:57:26: SSM CM: [SSS:AToM] shQ request send unprovision complete event16:57:26: SSM CM: SM msg event send unprovision complete event16:57:26: SSM SM: [SSS:AToM:86036] free segment class16:57:26: SSM SM: [SSS:AToM:86036] free segment16:57:26: SSM SM: [SSS:AToM:86036] event Free segment16:57:26: SSM SM: last segment class freedRelated Commands
port
To specify the port on which a device listens for RADIUS requests from configured RADIUS clients, use the port command in dynamic authorization local server configuration mode. To restore the default, use the no form of this command.
port port-number
no port port-number
Syntax Description
Command Default
The device listens for RADIUS requests on the default port (port 1700).
Command Modes
Dynamic authorization local server configuration
Command History
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the port command to specify the ports on which the router will listen for requests from RADIUS clients.
Examples
The following example specifies port 1650 as the port on which the device listens for RADIUS requests:
aaa server radius dynamic-authorclient 10.0.0.1port 1650Related Commands
Command Descriptionaaa server radius dynamic-author
Configures a device as a AAA server to facilitate interaction with an external policy server.
server-key
To configure the RADIUS key to be shared between a device and RADIUS clients, use the server-key command in dynamic authorization local server configuration mode. To remove this configuration, use the no form of this command.
server-key [0 | 7] word
no server-key [0 | 7] word
Syntax Description
0
(Optional) An unencrypted key will follow.
7
(Optional) A hidden key will follow.
word
Unencrypted server key.
Command Default
A server key is not configured.
Command Modes
Dynamic authorization local server configuration
Command History
Usage Guidelines
A device (such as a router) can be configured to allow an external policy server to dynamically send updates to the router. This functionality is facilitated by the CoA RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling a router and external policy server each to act as a RADIUS client and server. Use the server-key command to configure the key to be shared between the ISG and RADIUS clients.
Examples
The following example configures "cisco" as the shared server key:
aaa server radius dynamic-authorclient 10.0.0.1server-key ciscoRelated Commands
Command Descriptionaaa server radius dynamic-author
Configures a device as a AAA server to facilitate interaction with an external policy server.
show ssm
To display Segment Switching Manager (SSM) information for switched Layer 2 segments, use the show ssm command in privileged EXEC mode.
show ssm {cdb | feature id [feature-id] | id | memory [chunk variable {feature | queue | segment} | detail] | segment id [segment-id] | switch id [switch-id]}
Syntax Description
Command Modes
Privileged EXEC
Command History
Release Modification12.2(22)S
This command was introduced.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
Use the show ssm command to determine the segment ID for an active switched Layer 2 segment. The segment ID can be used with the debug condition xconnect command to filter debug messages by segment.
Examples
The following example shows sample output for the show ssm cdb command. The output for this command varies depending on the type of hardware being used.
Router# show ssm cdbSwitching paths active for class SSS:-------------------------------------|FR |Eth|Vlan|ATM|HDLC|PPP/AC|L2TP|L2TPv3|L2F|PPTP|ATM/AAL5|ATM/VCC|--------+---+---+----+---+----+------+----+------+---+----+--------+-------+FR | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |Eth | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |Vlan | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |ATM |-/E|-/E|-/E |-/-|-/E | -/E |-/E | -/E |-/-|-/- | -/E | -/E |HDLC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |PPP/AC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |L2TP | E | E | E |E/-| E | E | E | -/- | E | E | E | E |L2TPv3 | E | E | E |E/-| E | E |-/- | E |-/-|-/- | E | E |L2F |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |PPTP |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |ATM/AAL5| E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |ATM/VCC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |ATM/VPC | E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |ATM/Cell| E | E | E |E/-| E | E | E | E |-/-|-/- | E | E |AToM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E |PPP |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |PPPoE |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |PPPoA |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |Lterm |-/-|-/-|-/- |-/-|-/- | -/- | E | -/- | E | E | -/- | -/- |TC |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |IP-If |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |IP-SIP |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |VFI |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E ||ATM/Cell|AToM|PPP|PPPoE|PPPoA|Lterm|TC |IP-If|IP-SIP|VFI|--------+--------+----+---+-----+-----+-----+---+-----+------+---+FR | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|Eth | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|Vlan | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|ATM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|HDLC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|PPP/AC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|L2TP | E |-/- | E | E | E | E |-/-| -/- | -/- |-/-|L2TPv3 | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|L2F | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-|PPTP | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-|ATM/AAL5| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|ATM/VCC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|ATM/VPC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|ATM/Cell| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|AToM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|PPP | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-|PPPoE | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-|PPPoA | -/- |-/- | E | E | E | E |-/-| -/- | -/- |-/-|Lterm | -/- |-/- | E | E | E | E | E | E | E |-/-|TC | -/- |-/- |-/-| -/- | -/- | E | E | E | E |-/-|IP-If | -/- |-/- |-/-| -/- | -/- | E | E | E | -/- |-/-|IP-SIP | -/- |-/- |-/-| -/- | -/- | E | E | -/- | E |-/-|VFI | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|Switching paths active for class ADJ:-------------------------------------|FR |Eth|Vlan|ATM|HDLC|PPP/AC|L2TP|L2TPv3|L2F|PPTP|ATM/AAL5|ATM/VCC|--------+---+---+----+---+----+------+----+------+---+----+--------+-------+FR | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |Eth | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |Vlan | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |ATM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E |HDLC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |PPP/AC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |L2TP |-/E|-/E|-/E |-/-|-/E | -/E | E | -/- |E/-|E/- | -/E | -/E |L2TPv3 | E | E | E |E/-| E | E |-/- | E |-/-|-/- | E | E |L2F |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |PPTP |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |ATM/AAL5| E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |ATM/VCC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |ATM/VPC | E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |ATM/Cell| E | E | E |E/-| E | E |E/- | E |-/-|-/- | E | E |AToM |-/E|-/E|-/E |-/-|-/E | -/E |-/- | -/E |-/-|-/- | -/E | -/E |PPP |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |PPPoE |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |PPPoA |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |Lterm |-/-|-/-|-/- |-/-|-/- | -/- |-/E | -/- |-/-|-/- | -/- | -/- |TC |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |IP-If |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |IP-SIP |-/-|-/-|-/- |-/-|-/- | -/- |-/- | -/- |-/-|-/- | -/- | -/- |VFI |E/-| E | E |E/-|E/- | E/- |-/- | -/E |-/-|-/- | E | E ||ATM/Cell|AToM|PPP|PPPoE|PPPoA|Lterm|TC |IP-If|IP-SIP|VFI|--------+--------+----+---+-----+-----+-----+---+-----+------+---+FR | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E|Eth | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |Vlan | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |ATM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E|HDLC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E|PPP/AC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E|L2TP | -/E |-/- |E/-| E/- | E/- | E/- |-/-| -/- | -/- |-/-|L2TPv3 | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |E/-|L2F | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|PPTP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|ATM/AAL5| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |ATM/VCC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |ATM/VPC | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |ATM/Cell| E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- | E |AToM | -/E |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/E|PPP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|PPPoE | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|PPPoA | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|Lterm | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|TC | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|IP-If | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|IP-SIP | -/- |-/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|VFI | E |E/- |-/-| -/- | -/- | -/- |-/-| -/- | -/- |-/-|Key:'-' - switching type is not available'R' - switching type is available but not enabled'E' - switching type is enabled'D' - switching type is disabledThe following example displays SSM output of the show ssm id command on a device with one active Layer 2 Tunnel Protocol Version 3 (L2TPv3) segment and one active Frame Relay segment. The segment ID field is in shown in bold.
Router# show ssm idSSM Status: 1 switchSwitch-ID 4096 State: OpenSegment-ID: 8193 Type: L2TPv3[8]Switch-ID: 4096Physical intf: RemoteAllocated By: This CPUClass: SSSState: ActiveL2X switching context:Session ID Local 16666 Remote 54742TxSeq 0 RxSeq 0Tunnel end-point addr Local 10.1.1.2 Remote 10.1.1.1SSS Info Switch Handle 0x98000000 Ciruit 0x1B19510L2X Encap [24 bytes]45 00 00 00 00 00 00 00 FF 73 B7 86 01 01 01 0201 01 01 01 00 00 D5 D6Class: ADJState: ActiveL2X H/W Switching Context:Session Id Local 16666 Remote 54742Tunnel Endpoint Addr Local 10.1.1.2 Remote 10.1.1.1Adjacency 0x1513348 [complete] PW IP, Virtual3:16666L2X Encap [24 bytes]45 00 00 00 00 00 00 00 FF 73 B7 86 01 01 01 0201 01 01 01 00 00 D5 D6Segment-ID: 4096 Type: FR[1]Switch-ID: 4096Physical intf: LocalAllocated By: This CPUClass: SSSState: ActiveAC Switching Context: Se2/0:200SSS Info - Switch Handle=0x98000000 Ckt=0x1B194B0Interworking 0 Encap Len 0 Boardencap Len 0 MTU 1584Class: ADJState: ActiveAC Adjacency context:adjacency = 0x1513618 [complete] RAW Serial2/0:200Additional output displayed by this command is either self-explanatory or used only by Cisco engineers for internal debugging of SSM processes.
The following example shows sample output for the show ssm memory command:
Router# show ssm memoryAllocator-Name In-use/Allocated Count----------------------------------------------------------------------------SSM CM API large segment : 208/33600 ( 0%) [ 1] ChunkSSM CM API medium segment : 144/20760 ( 0%) [ 1] ChunkSSM CM API segment info c : 104/160 ( 65%) [ 1]SSM CM API small segment : 0/19040 ( 0%) [ 0] ChunkSSM CM inQ interrupt msgs : 0/20760 ( 0%) [ 0] ChunkSSM CM inQ large chunk ms : 0/33792 ( 0%) [ 0] ChunkSSM CM inQ msgs : 104/160 ( 65%) [ 1]SSM CM inQ small chunk ms : 0/20760 ( 0%) [ 0] ChunkSSM DP inQ msg chunks : 0/10448 ( 0%) [ 0] ChunkSSM Generic CM Message : 0/3952 ( 0%) [ 0] ChunkSSM HW Class Context : 64/10832 ( 0%) [ 1] ChunkSSM ID entries : 144/11040 ( 1%) [ 3] ChunkSSM ID tree : 24/80 ( 30%) [ 1]SSM INFOTYPE freelist DB : 1848/2016 ( 91%) [ 3]SSM SEG Base : 240/34064 ( 0%) [ 2] ChunkSSM SEG freelist DB : 5424/5592 ( 96%) [ 3]SSM SH inQ chunk msgs : 0/5472 ( 0%) [ 0] ChunkSSM SH inQ interrupt chun : 0/5472 ( 0%) [ 0] ChunkSSM SW Base : 56/10920 ( 0%) [ 1] ChunkSSM SW freelist DB : 5424/5592 ( 96%) [ 3]SSM connection manager : 816/1320 ( 61%) [ 9]SSM seg upd info : 0/2464 ( 0%) [ 0] ChunkTotal allocated: 0.246 Mb, 252 Kb, 258296 bytesRelated Commands
show subscriber session
To display information about subscriber sessions on an Intelligent Service Gateway (ISG), use the show subscriber session command in privileged EXEC mode.
show subscriber session [identifier {authen-status {authenticated | unauthenticated} | authenticated-domain domain-name | authenticated-username username | dnis dnis | media type | nas-port identifier | protocol type | source-ip-address ip-address subnet-mask | timer timer-name | tunnel-name name | unauthenticated-domain domain-name | unauthenticated-username username} | uid session-identifier | username username] [detailed]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If the show subscriber session command is entered without any keywords or arguments, information is displayed for all sessions on the ISG. When an identifier is specified, information is displayed for only those sessions that match the identifier.
Examples
The following example shows sample output for the show subscriber session command:
Router# show subscriber sessionCurrent Subscriber Information: Total sessions 1Uniq ID Interface State Service Identifier Up-time 6 Traffic-Cl unauthen Ltm Internal rouble-pppoe 00:09:04 5 Vi3 authen Local Term rouble-pppoe 00:09:04The following example shows sample output for the show subscriber session command with an identifier specified. In this case, information is displayed for the session with the session identifier 3.
Router# show subscriber session identifier uid 3Current Subscriber Information: Total sessions 1Uniq ID Interface State Service Identifier Up-time-------------------------------------------------- Unique Session ID: 3 Identifier: 10.0.0.2 SIP subscriber access type(s): IP Current SIP options: Req Fwding/Req Fwded Session Up-time: 00:00:15, Last Changed: 00:00:15Policy information: Authentication status: authen Rules, actions and conditions executed: subscriber rule-map RULEB condition always event session-start 1 authorize identifier source-ip-addressConfiguration sources associated with this session:Interface: Ethernet0/0, Active Time = 00:00:15Table 2 describes the significant fields shown in the displays.
Feature Information for RADIUS-Based Lawful Intercept
Table 3 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For details on when support for a specific command was introduced, see the command reference documentation.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Note Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect , Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video (Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0907R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2006-2009 Cisco Systems, Inc. All rights reserved.