Adds or deletes a reachability-detect server and configures parameters for retrying the failure-detection process. When network reachability is enabled, an ICMP ping request is sent to this device. If there is no response after a specified number of retries, the network is deemed failed. Execute this command multiple times to configure multiple network reachability servers.

no

Delete the reference to the specified network reachability server.

server_name

Specifies the name for the network device that is sent ping packets to test for network reachability.

interval seconds

Specifies the frequency in seconds for sending ping requests as an integer from 1 through 3600. Default: 60

local-addr ip_addr

Specifies the IP address to be used as the source address of the ping packets; If this is unspecified, an arbitrary IP address that is configured in the context is used. ip_addr must be entered using IPv4 dotted-decimal notation.

num-retry num

Specifies the number of retries before deciding that there is a network-failure as an integer from 0 through 100. Default: 5

remote-addr ip_addr

Specifies the IP address of a network element to use as the destination to send the ping packets for detecting network failure or reachability. ip_addr must be entered using IPv4 dotted-decimal notation.

timeout seconds

Specifies how long to wait (in seconds) before retransmitting a ping request to the remote address as an integer from 1 through 1. Default: 3

vrf name

Specifies an existing VRF name as an alphanumeric string of 1 through 63 characters.

Configures the mobile station(s) (MSs) for which network initiated PDP contexts are supported.

no

Disables the system's ability to accept network-requested PDP contexts on the specified interface.

ip_address

Specifies the static IP address of the MS n IPv4 dotted-decimal notation.

dst-context context_name

Specifies the name of the destination context configured on the system containing the static IP address pool in which the MS's IP address is configured. context_name is an alphanumeric string of 1 through 79 characters that is case sensitive.

imsi imsi

Specifies the International Mobile Subscriber Identity (IMSI) of the MS as a string of 1 through 15 numeric characters

apn apn_name

Specifies the Access Point Name (APN) that is passed to the SGSN by the system. apn_name is an alphanumeric string of 1 through 63 characters that is case sensitive.

Configures the IP address of the interworking node that is used by the system to communicate with the Home Location Register (HLR), and optionally sets the GTP version to use.

no

Deletes a previously configured gsn-map node.

ip_address

Specifies the IP address of the gsn-map node in Pv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

gtp-version { 0 | 1 }

Specifies the gtp version used. Default: 1

Configures the time duration to that the system will wait after the SGSN rejects an attempt for a network-requested PDP context creation for the subscriber.

default

Configures the default setting.

Default:60 seconds

time

Specifies the time interval (in seconds) as an integer from 0 through 86400.

Configures the minimum amount of time that must elapse between the deletion of a network initiated PDP context and the creation of a new one for the same MS.

default

Returns the command to its default setting of 60.

time

Specifies the minimum amount of time (in seconds) that must pass before the system allows another network-requested PDP context for a specific MS after the previous context was deleted. time is an integer from 0 through 86400. Default: 60

Configures the time duration that the GGSN keeps the SGSN/subscriber pair cached in its local memory.

default

Configures the default setting.

Default: 300 seconds

time

Specifies the time interval (in seconds) as an integer from 0 through 86400.

Configures a context-level operator account within the current context.

no

Removes a previously configured context-level operator account.

user_name

Specifies a name for the account as an alphanumeric string of 1 through 32 characters.

[ encrypted ] password password

Specifies the password to use for the user which is being given context-level operator privileges within the current context. The encrypted keyword indicates the password specified uses encryption.

password is an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 with encryption.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

[ nopassword ]

This option allows you to create an operator without an associated password. Enable this option when using ssh public keys (authorized key command in SSH Configuration mode) as a sole means of authentication. When enabled this option prevents someone from using an operator password to gain access to the user account.

ecs

Permits the specific user to access ACS-specific configuration commands from Exec Mode only. Default: ACS-specific configuration commands are not allowed.

expiry-date date_time

Specifies the date and time that this account expires. Enter the date and time in the format YYYY:MM:DD:HH:mm or YYYY:MM:DD:HH:mm:ss.

Where YYYY is the year, MM is the month, DD is the day of the month, HH is the hour, mm is minutes, and ss is seconds.

li-administration

Refer to the Lawful Intercept Configuration Guide for a description of this parameter.

noconsole

Disables user access to a Console line.

Note	The Global Configuration mode local-user allow-aaa-authentication noconsole command takes precedence in a normal (non-Trusted) StarOS build. In this case, all AAA-based users cannot access a Console line.

noecs

Prevents the user from accessing ACS-specific configuration commands. Default: Enabled

timeout-absolute abs_seconds

This keyword is obsolete. It has been left in place for backward compatibility. If used a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum amount of time (in seconds) the context-level operator may have a session active before the session is forcibly terminated. abs_seconds must be a value in the range from 0 through 300000000. The value 0 disables the absolute timeout. Default: 0

timeout-min-absolute abs_minutes

Specifies the maximum amount of time (in minutes) the context-level operator may have a session active before the session is forcibly terminated. abs_minutes must be an integer from 0 through 300000000. The value 0 disables the absolute timeout. Default: 0

timeout-idle timeout_duration

This keyword is obsolete. It has been left in place for backward compatibility. If used a warning is issued and the value entered is rounded to the nearest whole minute.

Specifies the maximum amount of idle time (in seconds) the context-level operator may have a session active before the session is terminated. timeout_duration must be an integer from 0 through 300000000. The value 0 disables the idle timeout. Default: 0

timeout-min-idle idle_minutes

Specifies the maximum amount of idle time (in minutes) the context-level operator may have a session active before the session is terminated. idle_minutes must be an integer from 0 through 300000000. The value 0 disables the idle timeout. Default: 0

[ max-age days]

Defines the maximum age of a user password before it has to be changed. max-age is the replacement for expiry-date .

[ no-max-age ]

This parameter ensures that password never expires (these are non expiring passwords).

exp-warn-interval days

Impends password expiry warning interval in days. There is no default value at per user level. If any of the value is specified, Context global values are considered.

operator trexpac111 password pass@1234

In the previous example, there are no values for expiry, grace, and warn are provided. In this case, Global values for both of them will be considered.

[ no-exp-warn-interval ]

Disables impending password expiry warnings .

exp-grace-interval days

Specifies password expiry grace interval in days. Default = 3 days after expiry.

[ no-exp-grace-interval ]

Disables grace period of expired password.

Controls the optimization of the system's handling of inter-PDSN handoffs.

default

Resets the command to its default setting of enabled.

no

Disables the feature.

Configures password rules (exp-grace-interval, exp-warn-interval, max-age, complexity, and minimum length) to be enforced for all users in this context.

[ default ] password {exp-grace-interval | exp-warn-interval | max-age}  

[ default ] no password { exp-grace-interval | exp-warn-interval | max-age} 

default

The default password complexity is ansi-t1.276-2003.

The default minimum length is 8.

The default password expiry warning interval is 30 days before expiry.

The default password expiry grace interval is 3 days after expiry.

The default value of max-age parameter is 90 days.

Note	For non-default commands, the 3 variables needs days as an input

complexity { ansi-t1.276-2003 | none }

Specifies the complexity to be enforced for all context user passwords.

ansi-t1.276-2003 requires that all context user passwords comply with the following rules:

• Passwords may not contain the username or the reverse of the username

  .

• Passwords may contain no more than three of the same characters used consecutively.

• Passwords must contain at least three of the following:

  • uppercase alpha character (A, B,C, D...Z)

  • lowercase alpha character (a, b, c, d ...z)

  • numeric character (0, 1, 2, 3...)

  • special character (see the Alphanumeric Stirngs section of the Command Line Interface Overview chapter)

none results in only the password length being checked.

[ auto-generate [ none | length password-length]

Presents an automatically generated password to the user at login when password is found weak.

The auto-generate option is enabled by default with the password length of 8.

none : Specifies that the user must not be presented with the option to automatically generate a password.

length password-length : Specifies the length of the automatically-generated password for the user. The length of the automatically-generated password is an integer between 6 to 127.

exp-warn-interval days

Impends password expiry warning interval in days. Default = 30 days before expiry.

exp-grace-interval days

Specifies password expiry grace interval in days. Default = 3 days after expiry.

[ lockout-password-aging days ]

Specifies that the user account gets locked after passoword expiration

[ no-lockout-password-aging days ]

Specifies that the user account doest not get locked out after password expiration

max-age days

Defines the max-age of a user password before it has to be changed. Default = 90 days.

Description:

WARNING: Your password has expired.
You must change your password now and login again!
(current)  password:
Enter new  password:
Retype new password:

login: xxx
password: xxx

Case 1: [Normal]
# {you are logged in}

Case 2: [When in warning period]
Warning: Your password is about to expire in 0 days.
We recommend you to change password after login.
Logins are not allowed without acknowleding this.
Do you wish to continue [y/n] (times out in 30 seconds) :

Case 3: [when in grace period]
Your password has expired
Current password:
New password:
Repeat new password:

Case 4: [after the grace period]
Password Expired (even beyond grace period, if configured). Contact Security Administrator
to reset password

Creates or removes an IPCF Policy and Charging Control (PCC) Application Function (AF) service or configures an existing PCC-AF service. It enters the PCC-AF Service Configuration Mode to link, configure, and manage the Application Function endpoints and associated PCC services over the Rx interface for the IPCF services.

no

Removes the specified PCC-AF service from the context.

service_name

Specifies the name of the PCC-AF service. If service_name does not refer to an existing service, the new service is created if resources allow. service_name is an alphanumeric string of 1 through 63 characters.

Important

Service names must be unique across all contexts within a chassis.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Creates or removes an IPCF PCC-Policy service or configures an existing PCC-Policy service. It enters the PCC-Policy Service Configuration Mode to link, configure, and manage the Gx interface endpoints for policy authorization where IPCF acts as a policy server.

no

Removes the specified PCC-Policy service from the context.

service_name

Specifies the name of the PCC-Policy service. If service_name does not refer to an existing service, the new service is created if resources allow. service_name is an alphanumeric string of 1 through 63 characters.

Important

Service names must be unique across all contexts within a chassis.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Creates or removes an IPCF Policy and Charging Control (PCC) service or configures an existing PCC service. It enters the PCC Service Configuration Mode for IPCF related configurations in the current context.

no

Removes the specified PCC service from the context.

service_name

Specifies the name of the PCC service. If service_name does not refer to an existing service, the new service is created if resources allow. service_name is an alphanumeric string of 1 through 63 characters.

Important

Service names must be unique across all contexts within a chassis.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Creates or removes a PCC Sp interface endpoint or configures an existing PCC Sp interface client endpoint. It enters the PCC Sp Endpoint Configuration Mode to link, configure, and manage the operational parameters related to its peer.

no

Removes the specified PCC Sp interface endpoint from the context.

sp_intfc1

Specifies the name of the PCC Sp interface endpoint. If sp_intfc_endpoint does not refer to an existing endpoint, the new endpoint is created if resources allow.

sp_intfc_endpoint is an alphanumeric string of 1 through 63 characters.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

Creates a new PDG service or specifies an existing PDG service and enters the PDG Service Configuration Mode. A maximum of 16 PDG services can be created. This limit applies per ASR 5000 chassis and per context.

no name

Deletes the specified PDG service.

name

Specifies the name of a new or existing PDG service as an alphanumeric string 1 through 63 characters that must be unique across all FNG services within the same context and across all contexts.

Important

Service names must be unique across all contexts within a chassis.

Creates a new, or specifies an existing, Packet Data Interworking Function (PDIF) service and enters the PDIF Service Configuration Mode.

name

Specifies the name of a new or existing PDIF service as an alphanumeric string of 1 through 63 characters.

Important

Service names must be unique across all contexts within a chassis.

Creates or deletes a packet data service or specifies an existing PDSN service for which to enter the Packet Data Service Configuration Mode for the current context.

no

Indicates the packet data service specified is to be removed.

name

Specifies the name of the PDSN service to configure. If name does not refer to an existing service, the new service is created if resources allow. name is an alphanumeric string of 1 through 63 characters.

Important

Service names must be unique across all contexts within a chassis.

Creates or deletes a Closed R-P packet data service or specifies an existing PDSN Closed R-P service for which to enter the Closed R-P Service Configuration Mode for the current context.

no

Removes the specified PDSN Closed R-P service.

name

Specifies the name of the Closed R-P PDSN service to configure. If name does not refer to an existing service, the new service is created if resources allow. name is an alphanumeric string of 1 through 63 characters.

Important

Service names must be unique across all contexts within a chassis.

Creates a PDN-Gateway (P-GW) service or specifies an existing P-GW service and enters the P-GW Service Configuration Mode for the current context.

service_name

Specifies the name of the P-GW service. If service_name does not refer to an existing service, the new service is created if resources allow. service_name is an alphanumeric string of 1 through 63 characters.

Important

Service names must be unique across all contexts within a chassis.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

no pgw-service service_name

Removes the specified P-GW service from the context.

Enters an existing accounting policy or creates a new one where accounting parameters are configured.

no

Removes the specified accounting policy from the context.

name

Specifies the name of the existing or new accounting policy as an alphanumeric string of 1 through 63 characters.

Creates or deletes a policy group. It enters the Policy-Group Configuration Mode within the current destination context for flow-based traffic policing to a subscriber session flow.

no

Deletes configured policy group within the context.

name policy_group

Specifies the name of Policy-Group as an alphanumeric string of 1 through 15 characters that is case sensitive.

Creates or deletes a policy map. It enters the Traffic Policy-Map Configuration Mode within the current destination context to configure the flow-based traffic policing for a subscriber session flow.

no

Deletes configured Policy-Map within the context.

name policy_name

Specifies the name of Policy-Map as an alphanumeric string of 1 through 15 characters that is case sensitive.

Configures point-to-point protocol parameters for the current context.

default

Restores the system defaults for the specific command/keyword.

no

Disables, deletes, or resets the specified option.

For no ppp renegotiation retain-ip-address the initially allocated IP address will be released and a new IP address will be allocated during PPP renegotiation.

acfc { receive { allow | deny } | transmit { apply | ignore | reject} }

Configures PPP Address and Control Field Compression (ACFC) parameters.

receive { allow | deny }

This keyword specifies whether to allow Address and Control Field Compressed PPP packets received from the Peer. During LCP negotiation, the local PPP side indicates whether it can handle ACFC compressed PPP packets. Default: allow

When allow is specified, the local PPP side indicates that it can process ACFC compressed PPP packets and compressed packets are allowed. When deny is specified, the local PPP side indicates that it cannot handle ACFC compressed packets and compressed packets are not allowed.

transmit { apply | ignore | reject }

Specifies how Address and Control Field Compression should be applied for PPP packets transmitted to the Peer. During LCP negotiation, the Peer indicates whether it can handle ACFC compressed PPP packets. Default: ignore

When apply is specified, if the peer requests ACFC, the request is accepted and ACFC is applied for transmitted PPP packets. When ignore is specified, if the peer requests ACFC, the request is accepted, but ACFC is not applied for transmitted PPP packets. When reject is specified, if the peer requests ACFC, the request is rejected and ACFC is not applied to transmitted packets.

auth-retry suppress-aaa-auth

This option does not allow PPP authentication retries to the AAA server after the AAA server has already authenticated a session. PPP locally stores the username and password, or challenge response, after a successful PPP authentication. If the Mobile Node retries the PAP request or CHAP-Response packet to the PDSN, PPP locally compares the incoming username, password or Challenge Response with the information stored from the previous successful authentication. If it matches, PAP ACK or CHAP Success is sent back to the Mobile Node, without performing AAA authentication. If the incoming information does not match with what is stored locally, then AAA authentication is attempted. The locally stored PPP authentication information is cleared once the session reaches a connected state.

Default: no auth-retry suppress-aaa-auth

Important

This option is not supported in conjunction with the GGSN product.

chap fixed-challenge-length length

Normally PPP CHAP use sa random challenge length from 17 to 32 bytes. This command allows you to configure a specific fixed challenge length of from 4 through 32 bytes. length must be an integer from 4 through 32.

Default: Disabled. PAPCHAP uses a random challenge length.

dormant send-lcp-terminate

Indicates a link control protocol (LCP) terminate message is enabled for dormant sessions.

Important

This option is not supported in conjunction with the GGSN product.

echo-max-retransmissions num_retries

Configures the maximum number of retransmissions of LCP ECHO_REQ before a session is terminated in an always-on session. num_retries must be an integer from 1 through 16. Default: 3

echo-retransmit-timeout msec

Configures the timeout (in milliseconds) before trying LCP ECHO_REQ for an always-on session. msec must be an integer from 100 through 5000. Default: 3000

first-lcp-retransmit-timeout milliseconds

Specifies the number of milliseconds to wait before attempting to retransmit control packets. This value configures the first retry. All subsequent retries are controlled by the value configured for the ppp retransmit-timeout keyword.

milliseconds must be an integer from 100 through 5000. Default: 3000

lcp-authentication-discard retry-alternate num_discard

Sets the number of discards up to which authentication option is discarded during LCP negotiation and retries starts to allow alternate authentication option. num_discard must be an integer from 0 through 5. Recommended value is 2. Default: Disabled.

lcp-authentication-reject retry-alternate

Specifies the action to be taken if the authentication option is rejected during LCP negotiation and retries the allowed alternate authentication option.

Default: Disabled. No alternate authentication option will be retried.

lcp-start-delay delay

Specifies the delay (in milliseconds) before link control protocol (LCP) is started. delay must be an integer from 0 through 5000. Default: 0

lcp-terminate connect-state

Enables sending an LCP terminate message to the Mobile Node when a PPP session is disconnected if the PPP session was already in a connected state.

Note that if the no keyword is used with this option, the PDSN must still send LCP Terminate in the event of an LCP/PCP negotiation failure or PPP authentication failure, which happens during connecting state.

Important

This option is not supported in conjunction with the GGSN product.

lcp-terminate mip-lifetime-expiry

Configures the PDSN to send an LCP Terminate Request when a MIP Session is terminated due to MIP Lifetime expiry (default).

Note that if the no keyword is used with this option, the PDSN does not send a LCP Terminate Request when a MIP session is terminated due to MIP Lifetime expiry.

lcp-terminate mip-revocation

Configures the PDSN to send a LCP Terminate Request when a MIP Session is terminated due to a Revocation being received from the HA (default).

Note that if the no keyword is used with this option, the PDSN does not send a LCP Terminate Request when a MIP session is terminated due to a Revocation being received from the HA.

max-authentication-attempts num

Configures the maximum number of time the PPP authentication attempt is allowed. num must be an integer from 1 through 10. Default: 1

max-configuration-nak num

This command configures the maximum number of consecutive configuration REJ/NAKs that can be sent during CP negotiations, before the CP is terminated. num must be an integer from 1 through 20. Default: 10

max-retransmission number

Specifies the maximum number of times control packets will be retransmitted. number must be an integer from 1 through 16. Default: 5

max-terminate number

Sets the maximum number of PPP LCP Terminate Requests transmitted to the Mobile Node. number must be an integer from 0 through 16. Default: 2

Important

This option is not supported in conjunction with the GGSN product.

mru packet_size

Specifies the maximum packet size that can be received in bytes. packet_size must be an integer from 128 through 1500. Default: 1500

negotiate default-value-options

Enables the inclusion of configuration options with default values in PPP configuration requests. Default: Disabled

The PPP standard states that configuration options with default values should not be included in Configuration Request (LCP, IPCP, etc.) packets. If the option is missing in the Configuration Request, the peer PPP assumes the default value for that configuration option.

When negotiate default-value-options is enabled, configuration options with default values are included in the PPP configuration Requests.

peer-authenticate user_name [ [ encrypted ] password password ]

Specifies the username and an optional password required for point-to-point protocol peer connection authentications. user_name is an alphanumeric string of 1 through 63 characters. The keyword password is optional and if specified password is an alphanumeric string of 1 through 63 characters. The password specified must be in an encrypted format if the optional keyword encrypted was specified.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

pfc { receive { allow | deny } | transmit { apply | ignore | reject} }

Configures Protocol Field Compression (PFC) parameters.

receive { allow | deny } Default: allow

This keyword specifies whether to allow Protocol Field Compression (PFC) for PPP packets received from the peer. During LCP negotiation, the local PPP side indicates whether it can handle Protocol Field Compressed PPP packets.

When allow is specified, the peer is allowed to request PFC during LCP negotiation. When deny is specified, the Peer is not allowed to request PFC during LCP negotiation.

transmit { apply | ignore | reject } Default: ignore

This keyword specifies how Protocol field Compression should be applied for PPP packets transmitted to the Peer. During LCP negotiation, the Peer indicates whether it can handle PFC compressed PPP packets.

When apply is specified, if the peer requests PFC, it is accepted and PFC is applied for transmitted PPP packets. When ignore is specified, If the peer requests PFC, it is accepted but PFC is not applied for transmitted packets. When reject is specified, all requests for PCF from the peer are rejected.

reject-peer-authentication

If disabled, re-enables the system to reject peer requests for authentication. Default: Enabled

renegotiation retain-ip-address

If enabled, retain the currently allocated IP address for the session during PPP renegotiation (SimpleIP) between FA and Mobile node. Default: Enabled

If disabled, the initially allocated IP address will be released and a new IP address will be allocated during PPP renegotiation.

retransmit-timeout milliseconds

Specifies the number of milliseconds to wait before attempting to retransmit control packets. milliseconds must be an integer from 100 through 5000. Default: 3000

Manages magic number checking during LCP Echo message handling. The magic number is a random number chosen to distinguish a peer and detect looped back lines.

no

Disables the specified behavior.

default

Restores the system defaults for the specific command/keyword.

receive ignore

Ignores the checking of magic number at the PDSN during LCP Echo message handling. Default: Disabled.

If a valid magic numbers were negotiated for the PPP endpoints during LCP negotiation and LCP Echo Request/Response have invalid magic numbers, enabling this command will cause the system to ignore the checking of magic number during LCP Echo message handling.

Changes the manor in which some PPP statistics are calculated.

no

Disable the specified behavior.

ppp statistics success-sessions lcp-max-retry

Alters statistical calculations so that: ppp successful session = successful sessions + lcp-max-retry.

success-sessions misc-reasons

Alters statistical calculations so that: ppp successful session = successful sessions + misc-reasons.

success-sessions remote-terminated

Alters statistical calculations so that: ppp successful session = successful sessions + remote-terminated.

Enters the HA Proxy DNS Configuration Mode and defines a name of a redirect rules list for the domain name servers associated with a particular FA (Foreign Agent) or group of FAs.

no

Removes the intercept list from the system.

name

Defines the rules list and enters the Proxy DNS Configuration Mode. name must be an alphanumeric string of 1 through 63 characters.

Configures Routing Area Code (RAC) profile for the current context. This command is used to enter the RAC Profile Configuration Mode.

rac-profile profile_name

Specifies the name of RAC profile. profile_name is an alphanumeric string of 1 through 31 characters. If profile_name does not refer to an existing profile, the new profile is created if resources allow.

This command configures RADIUS accounting parameters for the current context.

default

Configures the default settings.

no

Removes earlier configuration for the specified keyword.

archive [ stop-only ]

Enables archiving of RADIUS Accounting messages in the system after the accounting message has exhausted retries to all available RADIUS Accounting servers. All RADIUS Accounting messages generated by a session are delivered to the RADIUS Accounting server in serial. That is, previous RADIUS Accounting messages from the same call must be delivered and acknowledged by the RADIUS Accounting server before the next RADIUS Accounting message is sent to the RADIUS Accounting server.

stop-only specifies archiving of STOP accounting messages only.

Default: Enabled

deadtime dead_minutes

Specifies the number of minutes to wait before attempting to communicate with a server which has been marked as unreachable.

dead_minutes must be an integer from 0 through 65535.

Default: 10

detect-dead-server { consecutive-failures consecutive_failures | keepalive | response-timeout timeout_duration }

Important

If both consecutive-failures and response-timeout are configured, then both parameters have to be met before a server is considered unreachable, or dead.

interim interval seconds

Specifies the time interval (in seconds) for sending accounting INTERIM-UPDATE records. seconds must be an integer from 50 through 40000000.

Important

If RADIUS is used as the accounting protocol for the GGSN product, other commands are used to trigger periodic accounting updates. However, these commands would cause RADIUS STOP/START packets to be sent as opposed to INTERIM-UPDATE packets. Also note that accounting interim interval settings received from a RADIUS server take precedence over those configured on the system.

Default: Disabled

max-outstanding max_messages

Specifies the maximum number of outstanding messages a single AAA manager instance will queue. max_messages must be an integer from 1 through 4000. Default: 256

max-pdu-size octets

Specifies the maximum sized packet data unit which can be accepted/generated in bytes (octets). octets must be an integer from 512 through 4096. Default: 4096

max-retries max_retries

Specifies the maximum number of times communication with a AAA server will be attempted before it is marked as unreachable and the detect dead servers consecutive failures count is incremented. max_retries must be an integer from 0 through 65535. Default: 5

Once the maximum number of retries is reached this is considered a single failure for the consecutive failures count for detecting dead servers.

max-transmissions max_transmissions

Sets the maximum number of transmissions for a RADIUS accounting message before the message is declared as failed. max_transmissions must be an integer from 1 through 65535. Default: Disabled

timeout seconds

Specifies the amount of time to wait for a response from a RADIUS server before retransmitting a request. seconds must be an integer from 1 through 65535. Default: 3

unestablished-sessions

Indicates RADIUS STOP events are to be generated for sessions that were initiated but never fully established.

This command specifies the fail-over/load-balancing algorithm to select the RADIUS accounting server(s) to which accounting data must be sent.

default

Configures the default setting.

Default: first-server

first-n n

Specifies that the AGW must send accounting data to n (more than one) AAA accounting servers based on their priority. The full set of accounting data is sent to each of the n AAA servers. Response from any one of the servers would suffice to proceed with the call. On receiving an ACK from any one of the accounting servers, all retries are stopped.

n is the number of AAA accounting servers to which accounting data will be sent, and must be an integer from 2 through 128. Default: 1 (Disabled)

first-server [ fallback ]

Specifies that the context must send accounting data to the RADIUS accounting server with the highest configured priority. In the event that this server becomes unreachable, accounting data is sent to the accounting server with the next-highest configured priority. This is the default algorithm.

fallback : This algorithm is an extension of the existing "first-server " algorithm. This algorithm specifies that the context must send accounting data to the RADIUS server with the highest configured priority. When the server is unreachable, accounting data is sent to the server with the next highest configured priority. If a higher priority server recovers back, the accounting requests of existing sessions and new sessions are sent to the newly recovered server.

This new algorithm behaves similar to "first-server " algorithm, i.e. the accounting data is sent to the highest priority RADIUS/mediation server at any point of time.

If the highest priority server is not reachable, accounting data is sent to the next highest priority server. The difference between "first-server " and "first-server fallback " is that, with the new algorithm, if a higher priority server recovers, all new RADIUS requests of existing sessions and new accounting sessions are sent to the newly available higher priority server. In the case of "first-server " algorithm, the accounting requests of existing sessions continued to be sent to the same server to which the previous accounting requests of those sessions were sent.

round-robin

Specifies that the context must load balance sending accounting data among all of the defined RADIUS accounting servers. Accounting data is sent in a circular queue fashion on a per Session Manager task basis, where data is sent to the next available accounting server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.

This command configures the Access Point Name (APN) to be included for RADIUS accounting.

default

Configures the default setting.

gi

Specifies the usage of the Gi APN name in the RADIUS accounting request. The Gi APN represents the APN received in the Create PDP context request message from the SGSN.

gn

Specifies the usage of the Gn APN name in the RADIUS accounting request. The Gn APN represents the APN selected by the GGSN.

This command configures the billing-system version of RADIUS accounting servers.

default

Configures the default setting. Default: 0

version

Specifies the billing-system version of RADIUS accounting servers as an integer from 0 through 4294967295. Default: 0

This command configures the RADIUS accounting trigger policy for GTP messages.

default

Resets the RADIUS accounting trigger policy to standard behavior for GTP session.

standard

Sets the RADIUS accounting trigger policy to standard behavior which is configured for GTP session for GGSN service.

ggsn-preservation-mode

Sends RADIUS Accounting Start when the GTP message with private extension of preservation mode is received from SGSN.

Important

This is a customer-specific keyword and needs customer-specific license to use this feature. For more information on GGSN preservation mode, refer to GGSN Service Configuration Mode Commands chapter.

This command configures the RADIUS accounting policy for HA sessions.

session-start-stop

Specifies to send Accounting Start when the session is connected, and send Accounting Stop when the session is disconnected. This is the default behavior.

custom1-aaa-res-mgmt

Accounting Start/Stop messages are generated to assist special resource management done by AAA servers. It is similar to the session-start-stop accounting policy, except for the following differences:

This command configures the volume of uplink and downlink volume octet counts that triggers RADIUS interim accounting.

no

Disables volume based RADIUS accounting.

downlink bytes uplink bytes

Specifies the downlink to uplink volume limit for RADIUS Interim accounting, in bytes. bytes must be an integer to 100000 through 4000000000.

total bytes

Specifies the total volume limit for RADIUS interim accounting in bytes. bytes must be an integer from 100000 through 4000000000.

uplink bytes

Specifies the uplink volume limit for RADIUS interim accounting in bytes. bytes must be an integer from 100000 through 4000000000.

downlink bytes

Specifies the downlink volume limit for RADIUS interim accounting in bytes. bytes must be an integer from 100000 through 4000000000.

This command configures IP remote address-based RADIUS accounting parameters.

no

Removes earlier configuration for the specified keyword.

collection

Enables collecting and reporting Remote-Address-Based accounting in RADIUS Accounting. This should be enabled in the AAA Context. It is disabled by default.

list list_id

Enters the Remote Address List Configuration Mode. This mode configures a list of remote addresses that can be referenced by the subscriber's profile. list_id must be an integer from 1 through 65535.

This command configures the keepalive authentication parameters for the RADIUS accounting server.

no

Removes configuration for the specified keyword.

default

Configures the default settings.

calling-station-id id

Configures the Calling-Station ID to be used for the keepalive authentication as an alphanumeric string of size 1 to 15 characters. Default: 000000000000000

consecutive-response responses_no_of

Configures the number of consecutive authentication response after which the server is marked as reachable. responses_no_of must be an integer from 1 through 5. Default: 1

Important

The keepalive request is tried every 0.5 seconds (non-configurable) to mark the server as up.

Important

In this case (for keepalive approach) "radius accounting deadtime" parameter is not applicable.

framed-ip-address ip_address

Specifies the framed ip-address to be used for the keepalive accounting in IPv4 dotted-decimal notation.

interval interval_duration

Configures the time interval (in seconds) between the two keepalive access requests. Default:30

retries retries_no_of

Configures the number of times the keepalive access request to be sent before marking the server as unreachable. retries_no_of must be an integer from 3 through 10. Default: 3

timeout timeout_duration

Configures the time interval between each keepalive access request retries. timeout_duration must be an integer from 1 through 30. Default: 3

username user_name

Configures the username to be used for the authentication as an alphanumeric string of 1 through 127 characters. Default: Test-Username

This command configures the current context's RADIUS accounting R-P originated call options.

no

Removes earlier configuration for the specified keyword.

default

Configures this command with the default settings.

handoff-stop { immediate | wait-active-stop }

Specifies the behavior of generating accounting STOP when handoff occurs.

Default: wait-active-stop

tod minute hour

Specifies the time of day a RADIUS event is to be generated for accounting. Up to four different times of the day may be specified through separate commands.

minute must be an integer from 0 through 59.

hour must be an integer from 0 through 23.

trigger-event { active-handoff | active-start-param-change | active-stop }

Configures the events for which a RADIUS event is generated for accounting as one of the following:

Important

This keyword has been obsoleted by the trigger-policy keyword. Note that if this command is used, if the context configuration is displayed, RADIUS accounting RP configuration is represented in terms of the trigger-policy.

trigger-policy { airlink-usage [ counter-rollover ] | custom [ active-handoff | active-start-param-change | active-stop ] | standard }

Default:airlink-usage : Disabled

custom :

Configures the overall accounting policy for R-P sessions as one of the following:

If the counter-rollover option is enabled, the system generates a STOP/START pair before input/output data octet counts (or input/output data packet counts) become larger than (2^32 - 1) in value. This setting is used to guarantee that a 32-bit octet count in any STOP message has not wrapped to larger than 2^32 thus ensuring the accuracy of the count. The system, may send the STOP/START pair at any time, so long as it does so before the 32-bit counter has wrapped. Note that a STOP/START pair is never generated unless the subscriber RP session is in the Active state, since octet/packet counts are not accumulated in the Dormant state.

Important

Note that a custom trigger policy with only active-start-param-change enabled is identical to the standard trigger-policy.

Important

If the radius accounting rp trigger-policy custom command is executed without any of the optional keywords, all custom options are disabled.

trigger-stop-start

Specifies that a stop/start RADIUS accounting pair should be sent to the RADIUS server when an applicable R-P event occurs.

This command configures RADIUS accounting server(s) in the current context.

no

Removes the server or server port(s) specified from the list of configured servers.

mediation-device

Enables mediation-device specific AAA transactions used to communicate with this RADIUS server.

Important

If this option is not used, the system by default enables standard AAA transactions.

ip_address

Specifies the IP address of the accounting server.

ip_address must be specified in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.

[ encrypted ] key value

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.

In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.

In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plaint text key. Only the encrypted key is saved as part of the configuration file.

acct-on { enable | disable }

This keyword enables/disables sending of the Accounting-On message when a new RADIUS server is added to the configuration. By default, this keyword will be disabled.

When enabled, the Accounting-On message is sent when a new RADIUS server is added in the configuration. However, if for some reason the Accounting-On message cannot be sent at the time of server configuration (for example, if the interface is down), then the message is sent as soon as possible. Once the Accounting-On message is sent, if it is not responded to after the configured RADIUS accounting timeout, the message is retried the configured number of RADIUS accounting retries. Once all retries have been exhausted, the system no longer attempts to send the Accounting-On message for this server.

In releases prior to 18.0, whenever a chassis boots up or when a new RADIUS accounting server or RADIUS mediation-device accounting server is configured with Acct-On configuration enabled, the state of the RADIUS server in all the AAA manager instances was initialized to "Waiting-for-response-to-Accounting-On". The Acct-On transmission and retries are processed by the Admin-AAAmgr.

When the Acct-On transaction is complete (i.e., when a response for Accounting-On message is received or when Accounting-On message is retried and timed-out), Admin-AAAmgr changes the state of the RADIUS accounting server to Active in all the AAA manager instances. During the period when the state of the server is in "Waiting-for-response-to-Accounting-On", any new RADIUS accounting messages which are generated as part of a new call will not be transmitted towards the RADIUS accounting server but it will be queued. Only when the state changes to Active, these queued up messages will be transmitted to the server.

During ICSR, if the interface of the radius nas-ip address is srp-activated, then in the standby chassis, the sockets for the nas-ip will not be created. The current behavior is that if the interface is srp-activated Accounting-On transaction will not happen at ICSR standby node and the state of the RADIUS server in all the AAAmgr instances will be shown as "Waiting-for-response-to-Accounting-On" till the standby node becomes Active.

In 18.0 and later releases, whenever the chassis boots up or when a new RADIUS accounting server or RADIUS mediation-device accounting server is configured with Acct-On configuration enabled, the state of the RADIUS server will be set to Active for all the non-Admin-AAAmgr instances and will be set to "Waiting-for-response-to-Accounting-On" for only Admin-AAAmgr instance. The Accounting-On transaction logic still holds good from Admin-AAAmgr perspective. However, when any new RADIUS accounting messages are generated even before the state changes to Active in Admin-AAAmgr, these newly generated RADIUS accounting messages will not be queued at the server level and will be transmitted to the RADIUS server immediately.

During ICSR, even if the interface of radius nas-ip address is srp-activated, the state of the RADIUS accounting server will be set to Active in all non-Admin-AAAmgr instances and will be set to "Waiting-for-response-to-Accounting-On" in Admin-AAAmgr instance.

acct-off { enable | disable }

Default: enable

Disables and enables the sending of the Accounting-Off message when a RADIUS server is removed from the configuration.

The Accounting-Off message is sent when a RADIUS server is removed from the configuration, or when there is an orderly shutdown. However, if for some reason the Accounting-On message cannot be sent at this time, it is never sent. The Accounting-Off message is sent only once, regardless of how many accounting retries are enabled.

max max_messages

Specifies the maximum number of outstanding messages that may be allowed to the server. max_messages must be an integer from 0 through 4000. Default: 0

oldports

Sets the UDP communication port to the out of date standardized default for RADIUS communications to 1646.

port port_number

Specifies the port number to use for communications as an integer from 1 through 65535. Default:1813

priority priority

Specifies the relative priority of this accounting server. The priority is used in server selection for determining which server to send accounting data to.

priority must be an integer from 1 through 1000, where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.

Default: 1000

type { mediation-device | standard }

Specifies the type of AAA transactions to use to communicate with this RADIUS server.

Default: standard

type standard

Specifies the use of standard AAA transactions to use to communicate with this RADIUS server. Default: standard

admin-status { enable | disable }

Enables or disables the RADIUS authentication/accounting/ charging server functionality, and saves the status setting in the configuration file to re-establish the set status at reboot.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

This command configures the RADIUS authentication server selection algorithm for the current context.

default

Configures this command with the default setting. Default: first-server

first-server

Sends authentication data to the first available RADIUS authentication server based upon the relative priority of each configured server.

round-robin

Sends authentication data in a circular queue fashion on a per Session Manager task basis where data is sent to the next available RADIUS authentication server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.

This command configures the system behavior to allow subscriber sessions when RADIUS accounting and/or authentication is unavailable.

no

Removes earlier configuration for the specified keyword.

accounting-down

Allows sessions while accounting is unavailable (down). Default: Enabled

authentication-down

Allows sessions while authentication is not available (down). Default: Disabled

This command configures the system's RADIUS identification parameters.

no

Removes earlier configuration for the specified keyword.

default

Configures the default setting.

nas-identifier id

Specifies the attribute name by which the system will be identified in Access-Request messages. id must be a alphanumeric string of 1 through 32 characters that is case sensitive.

nas-ip-address address primary_address

Specifies the AAA interface IP address(es) used to identify the system. Up to two addresses can be configured. primary_address is the IP address of the primary interface to use in the current context in IPV4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

backup secondary_address

Specifies the IP address of the secondary interface to use in the current context in IPV4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]

This command configures the traffic from the specified AAA client NAS IP address to use the specified MPLS labels.

MPLS label values must be an integer from 16 through 1048575.

Important

This option is available only when nexthop-forwarding gateway is also configured with the nexthop-forwarding-address keyword.

nexthop-forwarding-address nexthop_ip_address

Configures the next hop IP address for this NAS IP address in IPV4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

vlan vlan_id

Specifies the VLANID to be associated with the next-hop IP address as an integer from 1 through 4094.

This command enables (allows) or disables (prevents) the authentication of user names that are blank or empty. This is enabled by default.

default

Configures the default setting.

Default: Authenticate, send Access-Request messages to the AAA server, all user names, including NULL user names.

no

Disables sending an Access-Request message to the AAA server for user names (NAI) that are blank.

null-username

Enables sending an Access-Request message to the AAA server for user names (NAI) that are blank.

This command configures the Access Point Name (APN) to be included for RADIUS authentication.

default

Configures the default setting.

gi

Specifies the use of the Gi APN name in the RADIUS authentication request. The Gi APN represents the APN received in the Create PDP Context Request message from the SGSN.

gn

Specifies the use of the Gn APN name in the RADIUS authentication request. The Gn APN represents the APN selected by the GGSN.

This command enables (allows) or disables (prevents) the MD5 authentication of RADIUS users. By default this feature is enabled.

default

Enables MD5 authentication validation for an Access-Request message to the AAA server.

no

Disables MD5 authentication validation for an Access-Request message to the AAA server.

This command configures the NAS IP address and UDP port on which the current context will listen for Change of Authorization (COA) messages and Disconnect Messages (DM). If the NAS IP address is not defined with this command, any COA or DM messages from the RADIUS server are returned with a Destination Unreachable error.

no

Deletes the NAS IP address information which disables the system from receiving and responding to COA and DM messages from the RADIUS server.

ip_address

Specifies the NAS IP address of the current context's AAA interface that was defined with the radius attribute command.

ip_address can be expressed in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

[ encrypted ] key value

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.

The key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.

The key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.

port port

The UDP port on which to listen for CoA and DM messages. Default: 3799

event-timestamp-window window

When a COA or DM request is received with an event-time-stamp, if the current-time is greater than the received-pkt-event-time-stamp plus the event-time-stamp-window, the packet is silently discarded

When a COA or DM request is received without the event-time stamp attribute, the packet is silently discarded.

window must be an integer from 0 through 4294967295. If window is specified as 0 (zero), this feature is disabled; the event-time-stamp attribute in COA or DM messages is ignored and the event-time-stamp attribute is not included in NAK or ACK messages. Default: 300

no-nas-identification-check

Disables the context from checking the NAS Identifier/NAS IP Address while receiving the CoA/DM requests. By default this check is enabled.

no-reverse-path-forward-check

Disables the context from checking whether received CoA or DM packets are from one of the AAA servers configured under the default AAA group in the current context. Only the src-ip address in the received CoA or DM request is validated and the port and key are ignored. The reverse-path-forward-check is enabled by default.

If reverse-path-forward-check is disabled, the CoA and DM messages will be accepted from AAA servers from any groups. If the check is enabled, then the CoA and DM messages will be accepted only from servers under default AAA group.

mpls-label input in_label_value | output out_label_value1 [ out_label_value2 ]

This command configures COA traffic to use the specified MPLS labels.

MPLS label values must be an integer from 16 through 1048575.

This command configures basic RADIUS options for Active Charging Services.

no

Removes configuration for the specified keyword.

default

Configures the default settings.

deadtime dead_minutes

Specifies the number of minutes to wait before attempting to communicate with a server which has been marked as unreachable.

dead_minutes must be an integer from 0 through 65535.

Default: 10

detect-dead-server { consecutive-failures consecutive_failures | response-timeout timeout_duration }

consecutive-failures consecutive_failures : Default: 4. Specifies the number of consecutive failures, for each AAA manager, before a server is marked as unreachable. consecutive_failures must be an integer from 0 through 1000.

response-timeout timeout_duration : Specifies the number of seconds for each AAA manager to wait for a response to any message before a server is detected as failed, or in a down state. timeout_duration must be an integer from 1 through 65535.

max-outstanding max_messages

Specifies the maximum number of outstanding messages a single AAA manager instance will queue. max_messages must be an integer from 1 through 4000. Default: 256

max-retries max_retries

Specifies the maximum number of times communication with a AAA server will be attempted before it is marked as unreachable and the detect dead servers consecutive failures count is incremented. max_retries must be an integer from 0 through 65535. Default: 5

max-transmissions transmissions

Sets the maximum number of re-transmissions for RADIUS authentication requests. This limit is used in conjunction with the max-retries for each server. transmissions must be an integer from 1 through 65535. Default: Disabled

When failing to communicate with a RADIUS sever, the subscriber is failed once all of the configured RADIUS servers have been exhausted or once the configured number of maximum transmissions is reached.

For example, if 3 servers are configured and if the configured max-retries is 3 and max-transmissions is 12, then the primary server is tried 4 times (once plus 3 retries), the secondary server is tried 4 times, and then a third server is tried 4 times. If there is a fourth server, it is not tried because the maximum number of transmissions (12) has been reached.

timeout timeout_duration

Specifies the number of seconds to wait for a response from the RADIUS server before re-sending the messages. timeout_duration must be an integer from 1 through 65535. Default: 3

This command specifies the fail-over/load-balancing algorithm to be used for selecting RADIUS servers for charging services.

first-n n

Specifies that the AGW must send accounting data to n (more than one) AAA servers based on their priority. Response from any one of the n AAA servers would suffice to proceed with the call. The full set of accounting data is sent to each of the n AAA servers.

n is the number of AAA servers to which accounting data will be sent, and must be an integer from 2 through 128. Default: 1 (Disabled)

first-server

Specifies that the context must send accounting data to the RADIUS server with the highest configured priority. In the event that this server becomes unreachable, accounting data is sent to the server with the next-highest configured priority. This is the default algorithm.

round-robin

Specifies that the context must load balance sending accounting data among all of the defined RADIUS servers. Accounting data is sent in a circular queue fashion on a per Session Manager task basis, where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.

This command configures RADIUS charging accounting servers in the current context for Active Charging Services prepaid accounting.

no

Removes the server or server port(s) specified from the list of configured servers.

ip_address

Specifies IP address of the accounting server in IPv4 dotted-decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.

[ encrypted ] key key

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.

In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.

In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plaint text key. Only the encrypted key is saved as part of the configuration file.

max max_messages

Specifies the maximum number of outstanding messages that may be allowed to the server. max_messages must be integer from 0 through 4000. Default: 0

max-rate max_rate

Specifies the rate (number of messages per second) at which the authentication messages should be sent to the RADIUS server. max_rate must be an integer from 0 through 1000. Default: 0 (Disabled)

oldports

Sets the UDP communication port to the out of date standardized default for RADIUS communications to 1646.

port port_number

Specifies the port number to use for communications as an integer from 1 through 65535. Default: 1813

priority priority

Specifies the relative priority of this accounting server. The priority is used in server selection for determining to which server to send accounting data. priority must be an integer 1 through 1000 where 1 is the highest priority. Default:1000

admin-status { enable | disable }

Enables or disables the RADIUS authentication/ accounting/charging server functionality, and saves the status setting in the configuration file to re-establish the set status at reboot.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

This command configures the RADIUS authentication server selection algorithm for Active Charging Services for the current context.

default

Configures the default setting. Default: first-server

first-server

Sends accounting data to the first available server based upon the relative priority of each configured server.

round-robin

Sends accounting data in a circular queue fashion on a per Session Manager task basis where data is sent to the next available server and restarts at the beginning of the list of configured servers. The order of the list is based upon the configured relative priority of the servers.

This command configures the RADIUS charging server(s) in the current context for Active Charging Services prepaid authentication.

no

Removes the server or server port(s) specified from the list of configured servers.

ip_address

Specifies the IP address of the server in IPv4 dotted-decimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.

[ encrypted ] key key

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.

In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.

In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.

max max_messages

Specifies the maximum number of outstanding messages that may be allowed to the server. max_messages must be an integer from 0 through 4000. Default: 256

max-rate max_rate

Specifies the rate (number of messages per second), at which the authentication messages should be sent to the RADIUS server. max_rate must be an integer from 0 through 1000. Default: 0 (Disabled)

oldports

Sets the UDP communication port to the old default for RADIUS communications to 1645.

port port_number

Specifies the port number to use for communications as an integer from 1 through 65535. Default:1812

priority priority

Specifies the relative priority of this accounting server. The priority is used in server selection for determining to which server to send accounting data. priority must be an integer from 1 through 1000 where 1 is the highest priority. Default: 1000

admin-status { enable | disable }

Enables or disables the RADIUS authentication/accounting/charging server functionality and saves the status setting in the configuration file to re-establish the set status at reboot.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

This command configures the maximum period of time (in minutes) that must elapse between when a context marks a RADIUS server as unreachable and when it can re-attempt to communicate with the server.

default

Configures the default setting.

Default: 10 minutes

minutes

Specifies the number of minutes to wait before changing the state of a RADIUS server from "Down" to "Active". minutes must be an integer from 0 through 65535.

Important

Configuring deadtime as 0 disables the feature and the server is never marked as DOWN.

This command configures how the system detects a dead RADIUS server.

no

Removes the configuration.

default

Configures the default setting.

consecutive-failures consecutive_failures_count

Specifies the consecutive number of times that the system must find the AAA server unreachable for the server to be marked unreachable, that is the server's state is changed from "Active" to "Down".

consecutive_failures_count must be an integer from 1 through 1000. Default: Enabled; 4 consecutive failures

keepalive

Enables the AAA server alive-dead detect mechanism based on sending keepalive authentication messages to all authentication servers. Default: Disabled

response-timeout timeout_duration

Specifies the time duration, in seconds, that the system must wait for a response from the AAA server to any message before the server is marked unreachable, that is the server's state is changed from "Active" to "Down".

timeout_duration must be an integer from 1 through 65535. Default: Disabled

Configures the RADIUS dictionary.

default

Configures the default setting.

dictionary

Specifies which dictionary to use.

dictionary must be one of the following values:

This command has been deprecated and is replaced by AAA Server Group configurations. Seethe AAA Server Group Configuration Mode Commands chapter.

This command associates the specific AAA group (NAS-IP) with a Virtual Routing and Forwarding (VRF) Context instance for BGP/MPLS, GRE, and IPSec tunnel functionality which needs VRF support for RADIUS communication. By default the VRF is NULL, which means that AAA group is associated with global routing table.

no

Disables the configured IP Virtual Routing and Forwarding (VRF) context instance and removes the association between the VRF context instance and the AAA group instance (NAS-IP).

By default this command is disabled, which means the NAS-IP being used is assumed a non-VRF IP and specific AAA group does not have any VRF association.

vrf_name

Specifies the name of a pre-configured VRF context instance. vrf_name is the alphanumeric string of a pre-configured VRF context configured in Context Configuration Mode via the ip vrf command.

Caution

Any incorrect configuration, such as associating AAA group with wrong VRF instance or removing a VRF instance, will fail the RADIUS communication.

This command configures the keepalive authentication parameters for the RADIUS server.

default

Configures the default setting for the specified parameter.

calling-station-id id

Configures the Calling-Station ID to be used for the keepalive authentication. id must bean alphanumeric string of size 1 to 15 characters. Default: 000000000000000

consecutive-response responses_no_of

Configures the number of consecutive authentication responses after which the server is marked as reachable. responses_no_of must be an integer from 1 through 10. Default: 1

Important

The keepalive request is tried every 0.5 seconds (non-configurable) to mark the server as up.

Important

In this case (for keepalive approach) "radius deadtime"' parameter is not applicable.

encrypted password

Designates use of encryption for the password.

In 12.1 and earlier releases, password must be an alphanumeric string of 1 through 63 characters.

In 12.2 and later releases, password must be an alphanumeric string of 1 through 132 characters.

Default: Test-Password

interval interval_duration

Configures the time interval (in seconds) between two keepalive access requests. interval_duration must be an integer from 30 through 65535. Default: 30

password

Configures the password to be used for the authentication as an alphanumeric string of 1 through 63 characters. Default: Test-Password

retries retries_no_of

Configures the number of times the keepalive access request are sent before marking the server as unreachable. retries_no_of must be an integer from 3 through 10. Default: 3

timeout timeout_duration

Configures the time interval (in seconds) between keepalive access request retries. timeout_duration must be an integer from 1 through 30. Default: 3

username user_name

Configures the username to be used for authentication as an alphanumeric string of 1 through 127 characters. Default: Test-Username

valid-response access-accept [ access-reject ]

Configures the valid response for the authentication request.

If access-reject is configured, then both access-accept and access-reject are considered as success for the keepalive authentication request.

If access-reject is not configured, then only access-accept is considered as success for the keepalive access request.

Default: keepalive valid-response access-accept

This command configures the maximum number of outstanding messages a single AAA Manager instance will queue.

default

Configures the default setting.

Default: 256

max_messages

Specifies the maximum number of outstanding messages a single AAA Manager instance will queue. max_messages must be an integer from 1 through 4000. Default: 256

This command configures the maximum number of times communication with a AAA server will be attempted before it is marked as "Not Responding".

default

Configures the default setting.

max_retries

Specifies the maximum number of times communication with a AAA server will be attempted before it is marked as "Not Responding", and the detect dead server's consecutive failures count is incremented. max_retries must be an integer from 0 through 65535. Default: 5

This command configures the maximum number of re-transmissions for RADIUS authentication requests.

no

Deletes the RADIUS max-transmissions configuration.

default

Configures the default setting.

Default: Disabled

max_transmissions

Specifies the maximum number of re-transmissions for RADIUS authentication requests. This limit is used in conjunction with radius max-retries configuration for each server. max_transmissions must be an integer from 1 through 65535. Default: Disabled

When failing to communicate with a RADIUS sever, the subscriber is failed once all of the configured RADIUS servers have been exhausted, or once the configured number of maximum transmissions is reached.

For example, if three servers are configured and if the configured max-retries is 3 and max-transmissions is 12, then the primary server is tried four times (once plus three retries), the secondary server is tried four times, and then a third server is tried four times. If there is a fourth server, it is not tried because the maximum number of transmissions (12)has been reached.

See the radius accounting server command.

This command configures the interval between two RADIUS authentication probes.

default

Configures the default setting of 3.

seconds

Specifies the time duration (in seconds) to wait before sending another probe authentication request to a RADIUS server. The value must be an integer from 1 through 65535. Default: 3

This command configures the number of retries for RADIUS authentication probe response.

default

Configures the default setting.

Default: 5

retries

Specifies the number of retries for RADIUS authentication probe response before the authentication is declared as failed. retries must be an integer from 1 through 65535. Default: 5

This command configures the service ip-address to be sent as an AVP in RADIUS authentication probe messages.

no

Disables sending of AVPs configured under probe-message cli in RADIUS authentication probe messages.

radius probe-message local-service-address

radius probe-message

Configures AVPs to be sent in RADIUS authentication probe messages.

local-service-address

Configures the service ip-address to be sent as an AVP in RADIUS authentication probe messages.

ipv4/ipv6_address

Specifies the IPv4/IPv6 address of the server in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.

This command configures the timeout duration to wait for a response for RADIUS authentication probes.

default

Configures the default setting.

Default: 3

timeout_duration

Specifies the time duration (in seconds) to wait for a response from the RADIUS server before resending the authentication probe. timeout_duration must bean integer from 1 through 65535. Default: 3

This command configures RADIUS authentication server(s) in the current context.

no

Removes the server or server port(s) specified from the list of configured servers.

ip_address

Specifies the IP address of the server in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation. A maximum of 128 RADIUS servers can be configured per context. This limit includes accounting and authentication servers.

[ encrypted ] key value

Specifies the shared secret key used to authenticate the client to the servers. The encrypted keyword indicates the key specified is encrypted.

In 12.1 and earlier releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 256 characters with encryption.

In 12.2 and later releases, the key value must be an alphanumeric string of 1 through 127 characters without encryption, and 1 through 236 characters with encryption enabled.

The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the key keyword is the encrypted version of the plain text key. Only the encrypted key is saved as part of the configuration file.

max max_messages

Specifies the maximum number of outstanding messages that may be allowed to the server. max_messages must be an integer from 0 through 4000. Default: 256

max-rate max_rate

Specifies the rate (number of messages per second), at which the authentication messages should be sent to the RADIUS server. max_rate must be an integer from 0 through 1000. Default: 0 (Disabled)

oldports

Sets the UDP communication port to the old default for RADIUS communications to 1645.

port port_number

Specifies the port number to use for communications as an integer from 1 through 65535. Default: 1812

priority priority

Specifies the relative priority of this accounting server. The priority is used in server selection for determining to which server is to send accounting data.

priority must be an integer from 1 through 1000 where 1 is the highest priority. When configuring two or more servers with the same priority you will be asked to confirm that you want to do this. If you use the -noconfirm option, you are not asked for confirmation and multiple servers could be assigned the same priority.

Default: 1000

probe

Enables probe messages to be sent to the specified RADIUS server.

no-probe

Disables probe messages from being sent to the specified RADIUS server. This is the default behavior.

probe-username username

Specifies the username sent to the RADIUS server to authenticate probe messages. username must be an alphanumeric string of 1 through 127 characters.

probe-password [ encrypted ] password password

The password sent to the RADIUS server to authenticate probe messages.

encrypted : This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

password password : Specifies the probe-user password for authentication. password must be an alphanumeric string of 1 through 63 characters.

type { mediation-device | standard }

Specifies the type of transactions the RADIUS server accepts.

mediation-device : Specifies mediation-device specific AAA transactions. This device is available if you purchased a transaction control services license. Contact your local sales representative for licensing information.

standard : Specifies standard AAA transactions. (Default)

admin-status { enable | disable }

Enables or disables the RADIUS authentication/accounting/charging server functionality, and saves the status setting in the configuration file to re-establish the set status at reboot.

-noconfirm

Executes the command without any additional prompt and confirmation from the user.

This command configures the stripping of the domain from the user name prior to authentication or accounting.

no

Removes the RADIUS strip-domain configuration.

authentication-only

Specifies that the domain must be stripped from the user name prior to authentication.

accounting-only

Specifies that the domain must be stripped from the user name prior to accounting.

This command configures the time duration to wait for a response from the RADIUS server before resending the messages.

default

Configures the default setting.

timeout_duration

Specifies the time duration (in seconds) to wait for a response from the RADIUS server before resending the messages. timeout_duration must be an integer from 1 through 65535. Default: 3

This command enables specific RADIUS triggers. The RADIUS Trigger configuration in the Context Configuration Mode is to enable backward compatibility. To configure RADIUS triggers for the default AAA group, you must configure them in the Context Configuration Mode.

no

Disables the specified RADIUS trigger.

default

Configures the default setting.

Default: All RADIUS triggers are enabled.

ms-timezone-change

Specifies to enable RADIUS trigger for MS time zone change.

qos-change

Specifies to enable RADIUS trigger for Quality of Service change.

rai-change

Specifies to enable RADIUS trigger for Routing Area Information change.

rat-change

Specifies to enable RADIUS trigger for Radio Access Technology change.

serving-node-change

Specifies to enable RADIUS trigger for Serving Node change.

uli-change

Specifies to enable RADIUS trigger for User Location Information change.

This command is used to create, configure, or delete the module for Real Time Cell Traffic Tracing in a context.

no

Removes the real time trace module configuration for the current context.

realtime-trace-module

Creates the module for real time cell traffic tracing.

Once the realtime trace module is configured, the real time trace file transfer parameters can be configured.

Creates or specifies the name of an existing remote server list for this context and enters the Remote Access List Configuration Mode.

no

Removes the specified remote server list from the context.

list_name

Specifies the name of the remote server list. If list_name does not refer to an existing list, the new list is created if resources allow. list_name is an alphanumeric string of 1 through 31 characters.

Configures an access list for filtering routes based on a specified range of IP addresses.

no

Deletes the specified route access list.

identifier

Specifies a value to identify the route access list as an integer from 100 through 999.

deny

Deny routes that match the specified criteria.

permit

Permit routes that match the specified criteria.

ip network_parameter ip_address wildcard_mask

mask_parameter

Configures an access list for filtering routes based on a network address and net mask.

no

Deletes the specified route access list.

list_name

Specifies name that identifies the route access list as an alphanumeric string of 1 through 79 characters.

deny

Denies routes that match the specified criteria.

permit

Permits routes that match the specified criteria.

ip_address / mask

Specifies the IP address (in IPv4 dotted-decimal notation) and the number of subnet bits, representing the subnet mask in CIDR notation (for example 209.165.200.225/24).

any

Matches any route.

exact-match

Matches the IP address prefix exactly.

Configures an access-list for filtering routes based on network addresses.

no

Deletes the specified route access list.

identifier

Specifies a value that identifies the route-access-list as an integer from 1 through 99.

deny

Denies routes that match the specified criteria.

permit

Permits routes that match the specified criteria.

ip_address wildcard_mask

Specifies the IP address and subnet mask to match for routes. Both ip_address and wildcard_mask must be entered in IPv4 dotted-decimal notation. (For example, 192.168.100.0 255.255.255.0)

any

Matches any route.

host network_address

Matches only route shaving the specified network address as if it had a 32-bit network mask. network_address must be an IPv4 address specified in dotted-decimal notation.

Creates a route-map that is used by the routing features and enters Route-map Configuration mode. A route-map allows redistribution of routes and includes a list of match and set commands associated with it. The match commands specify the conditions under which redistribution is allowed; the set commands specify the particular redistribution actions to be performed if the criteria specified by match commands are met. Route-maps are used for detailed control over route distribution between routing processes. Up to eight route-maps can be created in each context. Refer to the Route-map Configuration Mode Commands chapter for more information.

no

Deletes the specified route map.

map_name

Specifies the name of the route map to create or edit as an alphanumeric string of 1 through 69 characters.

deny

If the deny parameter is specified and the match command criteria are met, the route is not redistributed and any other route maps with the same map name are not examined. Set commands have no affect on deny route-maps.

permit

If the permit parameter is specified, and the match criteria are met, the route is redistributed as specified by set actions. If the match criteria are not met, the next route map with the same name is tested.

seq_number

Specifies the sequence number that indicates the position a new route map is to have in the list of route maps already configured with the same name. Route maps with the same name are tested in ascending order of their sequence numbers. This must be an integer from 1 through 65535.

Enables BGP, Open Shortest Path First (OSPF) or OSPF version 3 (OSPFv3) routing functionality and enters the corresponding Configuration Mode. Refer to the BGP Configuration Mode Commands, OSPF Configuration Mode Commands or OSPFv3 Configuration Mode Commands chapter for details on associated Configuration mode commands.

no

Disables the specified routing support in the current context.

bgp as_number

Enables a BGP routing service for this context and assigns it the specified Autonomous System (AS) number before entering the BGP Configuration mode. as_number must be an integer from 1 through 4294967295.

Important

BGP routing is supported only for use with the HA.

ospf

Enables OSPF routing in this context and enters OSPF Configuration mode.

ospfv3

Enables OSPFv3 routing in this context and enter OSPFv3 Configuration mode.

rip

Enters RIP (Routing Information Protocol) Configuration mode.