Configures authentication, authorization and accounting (AAA) functionality at the subscriber level.

default

Configures the default setting for the specified parameter.

no

accounting interim { interval-timeout interval_timeout | normal | suppress }

Specifies when system should send an interim accounting record to the server.

group aaa_group_name

Specifies the AAA server group for the subscriber for authentication and/or accounting.

aaa_group_name must be an alphanumeric string of 1 through 63 characters.

secondary-group aaa_secondary_group_name

Specifies the secondary AAA server group for the subscriber.

aaa_secondary_group_name must be an alphanumeric string of 1 through 63 characters.

Configures IP fragmentation processing over the Access-link.

df-ignore

Default: Enabled

Ignores the DF (Don't Fragment) bit setting. Fragments and forwards the packet over the access link.

df-fragment-and-icmp-notify

Default: Disabled

Partially ignores the DF bit. Fragments and forwards the packet, but also returns an ICMP error message to the source of the packet. The number of ICMP errors sent like this is rate-limited to one ICMP error packet per second per session.

normal

Default: Disabled

Normal processing. Drops the packet and sends an ICMP unreachable message to the source of packet. This is the default behavior.

Sets the accounting mode for the current local subscriber configuration.

default

Sets the type of accounting to be performed for the current local subscriber to the default setting.

Default: radius-diameter

flow-based

Diameter flow-based accounting is enabled for the current local subscriber.

gtpp [ radius-diameter ]

GTPP CDR RADIUS accounting is enabled for the current local subscriber. The radius-diameter keyword is available if both GTPP RADIUS and RADIUS-Diameter accounting are to be used.

none

Accounting is disabled for the current local subscriber and no charging records will be generated.

radius-diameter [ gtpp ]

RADIUS-Diameter accounting is enabled for the current local subscriber. The gtpp keyword is available if both GTPP RADIUS and RADIUS-Diameter accounting are to be used.

rf-style

Diameter Rf interface accounting is enabled for the current local subscriber.

Configures the bandwidth policy to be used for the subscriber.

default

Specifies that the default bandwidth policy configured in the rulebase be used for this subscriber.

no

Disables bandwidth control for this subscriber.

active-charging bandwidth-policy bandwidth_policy_name

Specifies name of the bandwidth policy.

bandwidth_policy_name must be an alphanumeric string of 1 through 63 characters.

Enables the TCP link monitoring feature on the Mobile Video Gateway. This command can be configured in either APN Configuration Mode or Subscriber Configuration Mode.

Important

In release 20.0, MVG is not supported. This command must not be used in release 20.0. For more information, contact your Cisco account representative.

default

Sets TCP link monitoring to its default value, which is the same as [ no ] .

no

Deletes the TCP link monitoring settings and disables TCP link monitoring if previously configured.

active-charging link-monitor tcp

Enables the TCP link monitoring feature on the Mobile Video Gateway. Note that TCP link monitoring is not enabled by default. Also note that when this command is configured without the log option, TCP link monitoring is enabled without logging, and the output from TCP link monitoring is only used by the dynamic translating feature.

log [ rtt [ histogram | time-series ] [ bitrate [ histogram | time-series ] ] | bitrate [ histogram | time-series ] [ rtt [ histogram | time-series ] ] ]

This option enables statistical logging for TCP link monitoring.

The rtt option can be used to enable either histogram or time-series logging for round-trip time (RTT).

Similarly, the bitrate option can be used to enable either histogram or time-series logging for bit rate.

When rtt and bitrate options are used without additional options, histogram and time-series logging are enabled for round-trip time (RTT) and/or bit rate respectively.

-noconfirm

Specifies that the command must execute without prompting for confirmation.

Enables the Congestion Management feature on the Mobile Video Gateway. This command can be configured in either APN Configuration Mode or Subscriber Configuration Mode.

Important

In release 20.0, MVG is not supported. This command must not be used in release 20.0. For more information, contact your Cisco account representative.

default

Sets congestion management to its default value, which is the same as [ no ] .

Default: Disabled

no

Deletes the settings and disables congestion management if previously configured.

active-charging radio-congestion policy policy_name

Enables the Congestion Management feature on the Mobile Video Gateway.

policy_name must be an alphanumeric string of 1 through 63 characters.

Specifies the rulebase to be used for this subscriber.

no

Removes the previously configured rulebase for the subscriber.

active-charging rulebase rulebase_name

Specifies name of the ACS rulebase.

rulebase_name must be the name of an ACS rulebase expressed as an alphanumeric string of 1 through 63 characters.

Once the idle timeout limit is reached, keeps the current subscriber session connected as long as the subscriber is reachable.

Caution

When always-on is enabled, the subscriber must have an idle time-out period configured (default is 0, no time-out). Failure to configure an idle time-out results in a subscriber session that is indefinite.

Two timers and a counter are associated with this feature. Refer to the timeout command in this chapter and the ppp echo-retransmit-timeout msec and ppp echo-max-retransmissions num_retries commands.

Default: Disabled.

always-on

Specifies that the user will remain connected after the idle time expires.

no

Disables always-on . The user is disconnected after the idle time expires.

Negotiates Robust Header Compression (ROHC) support for subscriber calls with AAA and WiMAX. This configuration indicates the type of header compression supported and enabled on the ASN.

no

Removes or disables the configured identifiers for ROHC in ASN-GW service.

default

The default is disabled.

Specifies the network service provider (NSP) associated with a WiMAX subscriber in an ASN-GW service. When configured, the NSP ID is sent in the Access-Request and Accounting messages.

no

Removes or disables the configured identifiers for this network service provider in ASN-GW service.

asn nspid nsp_id

Specifies the network service provider for this subscriber. This enables the MS to discover all accessible NSPs, and to indicate the NSP selection during connectivity to the ASN.

Configures the identifiers for packet data flow, service data flow, and service profile in an ASN-GW service.

no

Removes/disables the configured identifiers for this subscriber in ASN-GW service.

asn-pdfid pdf_id

Specifies the an unique ASN Packet Data Flow identifier for this subscriber.

pdf_id must be an integer from 1 through 65535.

asn-service-profile-id svc_profile_id

Specifies a unique ASN Service Profile Identifier for this subscriber.

svc_profile_id is a Service Profile Identifier configured in the Context Configuration Mode.

asn-sdfid sdf_id

Specifies the an unique ASN Service Data Flow identifier for this subscriber.

sdf_id must be an integer from 1 through 65535.

Configures the identifiers for packet data flow, service data flow, and service profile in an ASN-GW service.

no

Removes or disables the configured policy for this subscriber in ASN-GW service.

default

Sets the ASN policy to default for this subscriber.

For downlink traffic classifier default policy is "loos" and for idle mode policy the default action is to allow idle mode operation in an ASN-GW service.

idle-mode

Sets the idle mode policy for this subscriber in an ASN-GW service. If enabled, Interim-Update is sent with the BSID and WiMAX-Idle_Mode Transition as Idle. If disabled, the Interim can be sent when the call is in the idle mode based on the interim timer. At this point, the last known BSID is reported to the RADIUS server.

notification-idle-mode

Default: allow

Use to enable or disable Idle-Mode-Notification capabilities. When you enable this command, when the call moves from active to idle, or idle to active, Accounting Interim is sent.

notification-handoff

Default: allow

If enabled, the Interim-Update is sent with the BSID and SN-Handoff-Indicator as Active Handoff.

allow

Default: enabled

Enables the policy for this subscriber to allow idle mode operation in an ASN-GW service.

disallow

Default: disabled

Enable the policy for this subscriber to disallow idle mode operation in an ASN-GW service.

classifiers downlink

Sets the classifier policy for all service flows coming from HA to FA for this subscriber's matching classifier.

strict

Default: disabled

This option discards all the service flows coming from HA to FA and any other packets not matching to any of the classifiers set for this subscriber.

loose

Default: enabled

This option allows all the service flows coming from HA to FA and any other packet does not matching to any of the classifiers set for this subscriber and sent to the BS/MS over downlink flow

auth-only

Specifies whether the call is Auth only or not.

allow

Enables the policy for this subscriber to allow auth-only in an ASN-GW service.

disallow

Default

Disables the policy for this subscriber to allow auth-only in an ASN-GW service.

ms-requested classifiers

Default: allow

By default ASNGW allows dynamic addition of classifiers by the MS during MS-initiated service flow creation or modification.

Associates the subscriber with specific pre-configured policies configured in the same context.

no

Removes the selected association from this subscriber.

name

Associates the subscriber with an accounting policy configured in the same context.

name must be an existing accounting policy expressed as a string of 1 through 63 characters.

Accounting policies are configured through the policy accounting command in the Context Configuration mode.

When a profile ID is requested by the Mobile Node (MN), this command sets the value that is authorized by the Access Gateway (AGW).

no

Removes the existing profile ID setting specified by profile_id . profile_id must be an integer from 0 through 65535.

authorized-flow-profile-id profile_id

The profile ID number that is authorized for the current subscriber. profile_id must be an integer from 0 through 65535.

direction { bidirectional | forward | reverse }

Enables or disables the specified preconfigured Category Policy Identifier for policy-based Content Filtering support to the subscriber.

no

Disables the configured category policy ID for content filtering support to the subscriber. This is the default setting.

content-filtering category policy-id cf_policy_id

Applies the content filtering category policy ID, configured in ACS Configuration Mode, to this subscriber.

cf_policy_id must be a category policy ID expressed as an integer from 1 through 4294967295.

If the specified category policy ID is not configured in the ACS Configuration Mode, all packets will be passed regardless of the categories determined for such packets.

Important

Category Policy ID configured through this mode overrides the Category Policy ID configured using the content-filtering category policy-id command in the ACS Rulebase Configuration Mode.

Configures the credit-control client parameters for the subscriber.

no

Disables the configured setting.

default

Resets the command to its default setting of disabled.

event-based-charging

Enables event-based charging.

override session-mode { per-sub-session | per-subscriber }

Overrides the session-mode configured through the CLI command "require ecs credit-control session-mode per-subscriber " in Global Configuration mode so that different subscriber groups can operate in different modes. For example, one subscriber group can be configured to work in per-subscriber mode, while another in per-sub-session mode.

This keyword is used to switch between subscriber level Gy and sub-session level Gy.

Important

This CLI can be changed on the fly. The modified values will be reflected only in the new subscriber session.

The no command removes the override CLI and makes the subscriber group fall back to the configuration specified through the CLI command "require ecs credit-control session-mode per-subscriber ".

Configures the credit-control group for this subscriber.

no

Removes the credit-control group from the subscriber configuration, if configured.

credit-control-group cc_group_name

Specifies name of the credit-control group.

cc_group_name must be an alphanumeric string of 1 through 63 characters.

Configures the credit-control service for this subscriber.

no

Disables the credit-control service, if configured.

credit-control-service cc_service_name

Specifies the name of the credit-control service.

cc_service_name must be an alphanumeric string of 1 through 63 characters.

Controls the handling of the DF (Don't Fragment) bit present in the user IPv4/IPv6 packet for GRE, IP-in-IP tunneling used for the MIP data path. If this feature is enabled, and fragmentation is required for the tunneled user IPv4/IPv6 packet, then the DF bit is ignored and the packet is fragmented. Also the DF bit is not copied to the outer header. Default is enabled.

no

Disables this option. The DF bit in the tunneled IP packet header is not ignored during tunneling.

data-tunneling ignore df-bit

Ignores the DF bit in the tunneled IP packet header.

Specifies the Diameter credit control primary and secondary peer for credit control.

no

Removes the previously configured Diameter credit control peer selection.

peer host_name

Specifies a unique name for the peer. peer_name must be an alphanumeric string of 1 through 63 characters that allows punctuation marks.

secondary-peer host_name

Specifies a back-up host that is used for fail-over processing. When the route-table does not find an available route, the secondary host performs a fail-over processing. host_name must be an alphanumeric string of 1 through 63 characters that allows punctuation marks.

realm realm_name

The realm_name must be an alphanumeric string of 1 through 63 characters that allows punctuation marks. The realm may typically be a company or service name.

Restores the default value for the option specified for the current subscriber.

access-link ip-fragmentation

Sets the method for fragmenting packets over the MN access link to its default of normal. Drop the packet and send ICMP unreachable to the source of packet.

accounting-mode

Enables Radius accounting for the current local subscriber configuration.

data-tunneling ignore df-bit

Sets this option to the default behavior, which is to send an ICMP unreachable - need to frag message back to the sender and drop the packet, in the case that fragmentation is required but the DF bit is set.

idle-timeout-activity dormant-downlink-data

Sets this option to the default behavior. When downlink data packets are transmitted to the Mobile node and the session is in dormant mode the session idle timer is reset.

inter-pdsn-handoff

During a handoff from one PDSN to another, if the Mobile requests an IP address of 0.0.0.0 or a mismatched IP address the PDSN will not disconnect the session immediately. The PDSN tries to assign the proposed address of the session in the IPCP configuration NAK.

ip { | allowed-dscp | dhcp-relay | header-compression | hide-service-address | multicast discard | qos-dscp | source-validation | user-datagram-tos copy }

allowed-dscp : resets the allowed DSCP parameters to the system defaults: class none, max-class be.

hide-service-address : specifies the default setting for hide the ip-address of the service from the subscriber. Default is Disabled

dhcp-relay : Configured with the DHCP server address during MS authentication. The AAA server sends the address of the DHCP server in the Access-Accept message. The DHCP relay uses this address to relay the DHCP messages from the MS to the DHCP server.

multicast discard : Configures the default multicast settings which is to discard PDUs

qos-dscp : Sets the quality of service setting to the system default.

source-validation : Specifies the default IP source validation. Default is Enabled.

user-datagram-tos copy : Disables copying of the IP TOS octet value to all tunnel encapsulation IP headers.

loadbalance-tunnel-peers

Sets the tunnel load balancing algorithm to the system default.

long-duration-action

Sets the action that is taken when the long duration timer expires to the default: detection.

mobile-ip { home-agent | mn-aaa-removal-indication | mn-ha-hash-algorithm | reverse-tunnel | security-level | send { dns-address | terminal-verification } }

allow-aaa-address-assignment : Disables the FA from accepting a home address assigned by an AAA server.

home-agent : Sets home agent IP address to its default of 0.0.0.0.

match-aaa-assigned-address : Disables the FA validating the home address in the RRQ against the one assigned by AAA server.

mn-aaa-removal-indication : Sets this parameter to its default of disabled.

mn-ha-hash-algorithm : Sets the encryption algorithm to the default of hmac-md5.

reverse-tunnel : Sets this parameter to its default of enabled.

security-level : Sets this parameter to its default of none.

send dns-address : Disables the HA from sending the DNS address NVSE in the RRP.

send terminal-verification : Disables the FA from sending the terminal verification NVSE in the RRQ.

permission

Restores the subscriber's service usage defaults.

ppp { always-on-vse-packet | data-compression { mode | protocols } | ip-header-compression negotiation | keepalive | min-compression-size | mtu }

Sets the point-to-point protocol option defaults.

always-on-vse-packet : Re-enables the PDSN to send special 3GPP2 VSE PPP packets to the Mobile Node with a max inactivity timer value for always on sessions. This configuration is applicable only for PDSN or PDSNCLOSED-RP sessions.

ip-header-compression negotiation : Sets the IP header compressions negotiation to the system default: force.

keepalive : sets the subscriber's PPP keep alive option to the system default: 30 seconds.

min-compression-size : Restores the PPP minimum packet size for compression: 128 octets.

mtu : Sets the maximum message transfer unit packet size to the system default: 1500 octets.

radius accounting interim interval-timeout

Disables the RADIUS accounting interim interval for the current subscriber.

timeout [ absolute | idle | long-duration ]

When a keyword is entered, this command resets the specified timeout to the system default: 0. When no keyword is specified, all timeouts are reset to the system defaults: 0.

Allows you to enter descriptive text for this configuration.

no

Clears the description for this configuration.

text

Enter descriptive text as an alphanumeric string of 1 to 100 characters.

If you include spaces between words in the description, you must enclose the text within double quotation marks (" "), for example, "AAA BBBB".

Specifies the DHCPv6 service to be used for this subscriber.

no

Removes the DHCPv6 service for the subscriber.

dhcpv6 service-name service_name

Specifies the name of an existing DHCPv6 service to be used for this subscriber.

service_name must be the name of a DHCPv6 service expressed as an alphanumeric string of 1 through 63 characters.

Specifies the DHCP options which can be sent from the DHCP server for this subscriber.

no

Removes the DHCP options for the subscriber.

options code 43 hex-values hex_values

Specifies hex values for DHCP option 43.

hex_values must be a dash-delimited list of hex data of size smaller than 506 datum.

Enables the sending of DHCP parameter request list option(s) in all outgoing messages for this subscriber.

no

Disables the sending of DHCP parameter request list option(s) in all outgoing messages.

options

Specifies the value of particular DHCP parameter request list option(s).

options must be an integer from 1 through 254.

Important

Multiple options may be selected in the same command.

Important

In Release 20 and later, HNBGW is not supported. This command must not be used for HNBGW in Release 20 and later. For more information, contact your Cisco account representative.

Enables DHCP service configuration accessible to the Se-GW context for subscriber. The specified DHCP service will be used for performing DHCP procedures between HNB-GW and HMS.

no

Removes the specified DHCP service from the subscriber template configuration.

dhcp_svc_name

Specifies name of the DHCP service configured in Context configuration mode for DHCP proxy support on HNB-GW.

dhcp_svc_name must be an alphanumeric string of 1 through 63 characters preconfigured within the same context of this subscriber.

context ctxt_name

Specifies the name of the context where DHCP service is configured for HNB-GW subscribers. ctxt_name must be an alphanumeric string of 1 trough 79 characters.

Configures the domain name servers for the current subscriber.

no

Indicates the IP address is to be removed as either a primary or secondary domain name server.

dns primary | secondary

dns primary : Updates the primary domain name server for the subscriber.

dns secondary : Updates the secondary domain name server for the subscriber.

ip_address

Specifies the IP address of the domain name server using IPv4 dotted-decimal notation.

Executes all show commands while in Configuration mode.

Specifies the lifetime for a primary session key (PSK) for extensible authentication protocol (EAP) authentication.

psk-lifetime dur

Specifies the lifetime duration (in seconds) on Primary Session Key (PSK) in seconds for a WiMAX subscriber EAP authentication.

dur is an integer from 60 through 65535.

psk-lifetime dur

Specifies the lifetime duration (in seconds) on Primary Session Key (PSK) in seconds for a WiMAX subscriber EAP authentication.

dur is an integer from 60 through 65535.

Designates use of password encryption.

encrypted password password

password is the encrypted password and must be an alphanumeric string of 1 through 132 characters.

Exits the current configuration mode and returns to the Exec mode.

Exits the current mode and returns to the parent configuration mode.

This is a restricted command.

Important

This command is only available in StarOS 8.0. In StarOS 8.1 and later releases, this configuration is available in the ACS Rulebase Configuration Mode.

Enables or disables Stateful Firewall support for the subscriber.

no

Disables Stateful Firewall support for this subscriber.

default

Configures the default setting for Stateful Firewall support.

Default: Disabled

firewall-required

Enables Stateful Firewall support for this subscriber.

Configures GTP-P related parameters for a subscriber.

default

Resets the GTTP group name to the default group.

no

Deletes the specified group name.

group

Specifies primary group parameters.

secondary-group

Specifies secondary group parameters.

group_name

Specifies the name of the GTP-P group as an alphanumeric string of 1 through 63 characters.

accounting-context context_name

Specifies the GTPP accounting context as an alphanumeric string of 1 through 79 characters. Default is the GGSN service context.

Defines whether downlink (towards Mobile Node) data packets transmitted when the session is dormant are treated as activity for the idle-timer (inactivity timer).

By default, downlink data transmitted over a dormant session restarts the idle-timer for that session; it is treated as activity for the session.

no

Dormant mode downlink data is not treated as activity for the session idle-timer. The session idle timer is not reset.

idle-timeout-activity dormant-downlink-data

Treats dormant mode downlink data as activity for the session idle-timer. The session idle timer is reset.

Configures the Traffic Selector responder (TSr) negotiation behavior during IKEv2 Security Association (SA) establishment.

default

Specifies the default behavior, which is wildcard TSr negotiation.

ikev2 tsr

Enables TSr negotiation.

wildcard

Specifies that during TSr negotiation, the PDG/TTG always returns an any-to-any IP address range, an any-to-any port range, and allows any protocol, irrespective of the traffic selector ranges received from the UE. This is the default behavior.

user-specified

Specifies that during TSr negotiation, the PDG/TTG responds to each UE request with the UE-specified IP address ranges. This enables split tunneling on the PDG/TTG, and enables the UE to tunnel only a specified traffic range to the PDG/TTG and send other traffic directly out the WLAN.

Specifies the IP Multimedia Subsystem (IMS) application manager for the subscriber.

no

Disables the IMS application manager for this subscriber.

ims application-manager

Enables the IMS application manager for this subscriber.

domain-name domain-name

Specifies the domain name of the application manager.

domain-name must be an alphanumeric string of 1 through 63 characters.

ipv4-address ipv4_address

Specifies the IP address of the application manager using IPv4 dotted-decimal notation.

Enables IP Multimedia Subsystem (IMS) authorization support for subscriber. The specified IMSA service will be used for performing IMS authorization and flow-based charging procedures.

default

Configures default setting.

Default: Disabled or as specified at the context or network access service level or in subscriber template.

no

Removes the specified IMS authorization service from the subscriber configuration.

ims-auth-service auth_svc_name

Specifies name of the IMS authorization service.

auth_svc_name must be an alphanumeric string of 1 through 63 characters preconfigured within the same context of this subscriber.

Configure the system to force the MN to use its assigned IP address during Internet Protocol Control Protocol (IPCP) negotiations resulting from inter-PDSN handoffs.

no

Disables the rejecting of sessions when the MN uses a non-allocated IP address during IPCP re-negotiations.

inter-pdsn-handoff require ip-address

Rejects sessions when the MN uses a non-allocated IP address during IPCP re-negotiations.

Configures IP access group for the current subscriber.

no

Indicates the access group specified is to be cleared from the subscribers configuration.

ip access-group group_name

Specifies the name of the IPv4/IPv6 access group. acl_group_name is a configured ACL group expressed as an alphanumeric string of 1 through 79 characters.

in | out

Default: both (in and out)

Specifies the access-group as either inbound or outbound by the keywords in and out , respectively. If neither of these key words is specified, the command associates the group_name access group with the current subscriber for both inbound and outbound access.

Configures a static IPv4 address for use by the subscriber.

no

Removes a previously configured IP address assignment.

ip address ip_address

Specifies the IP address assigned to the subscriber using IPv4 dotted-decimal notation.

netmask

The subnet mask that corresponds to the assigned IPv4 address.

Configures IP address pool properties for the subscriber.

no

Removes a previously configured static address.

ip address pool name pool_name

Specifies the IP address pool or IP address pool group from which the subscribers IP address is assigned.

pool_name must be the name of an existing IP pool or IP pool group expressed as an alphanumeric string of 1 through 31 characters.

Configures secondary IP address pool properties for the subscriber to provide multiple IP host configuration behind one WiMAX Customer Premise Equipment (CPE).

no

Removes a previously configured auxiliary pool named aux_pool_name for multiple host support in ASN-GW service.

ip address secondary-pool name aux_pool_name

Specifies the secondary/auxiliary IP address pool or IP address pool group from which the IP address is assigned to host behind a WiMAX CPE having primary IP address.

pool_name must be the name of an existing IP pool or IP pool group expressed as an alphanumeric string of 1 through 31 characters.

Sets the Quality of Service (QoS) Differentiated Services (DiffServ) marking that a subscriber session is allowed. The DSCP is disabled by default.

no

Resets the parameters to the defaults: class none, max-class be . This indicates that all packets are let through without any dscp checking

ip allowed-dscp class class

Specifies the Differentiated Services Codepoint (DSCP) class with which the subscriber session may mark its packets. If the subscriber sessions packets request a code point class higher than the code point class specified, the PDSN service re-marks the packets with the QOS-DSCP value specified by the ip qos-dscp command.

Default: none

class must be one of the following;

a : allow packets with AF DSCPs

e : allow packets with EF DSCP

o : allow packets for experimental or local use

ae : allow packets with AF and EF DSCPs

ao : allow packets with AF DSCPs or packets for experimental or local use

eo : allow packets with EF DSCPs or packets for experimental or local use

aeo : allow packets with AF or EF DSCPs or packets for experimental or local use

none : allow only the be and sc1 through sc7 code points

max-class maxclass

This parameter specifies the maximum code point with which a subscriber session may mark its packets. The subscriber sessions packets must be marked with a code point equal to or less than the code point specified. If the subscriber sessions packets request a code point higher than the code point specified, the PDSN service re-marks the packets with the QOS-DSCP value specified by the lower of the max-class and the ip qos-dscp command.

The list below identifies the code points from lowest to highest precedence. For example, if the maxclass is set to af22, that becomes the maximum code point that the subscriber session may mark it's packets with and only be, af13, af12, af11,af23 , and af22 are allowed. If a subscriber session marks its packets with anything after af22 in this list, the PDSN service re-marks the packets with the QOS-DSCP value specified by the lower of the maxclass and the ip qos-dscp command.

If class is set to none only the be and sc1 through sc7 codepoints are allowed. For example; if class is set to none and you set max-class to sc1 , only the sc1 and be codepoints are allowed.

Default: be

maxclass must be one of the following;

be : best effort forwarding

af13 : assured Forwarding 13

af12 : assured Forwarding 12

af11 : assured Forwarding 11

af23 : assured Forwarding 23

af22 : assured Forwarding 22

af21 : assured Forwarding 21

af31 : assured Forwarding 31

af32 : assured Forwarding 32

af33 : assured Forwarding 33

af41 : assured Forwarding 41

af42 : assured Forwarding 42

af43 : assured Forwarding 43

ef : expedited forwarding

sc1 : selector class 1

sc2 : selector class 2

sc3 : selector class 3

sc4 : selector class 4

sc5 : selector class 5

sc6 : selector class 6

sc7 : selector class 7

rt-marking marking

This parameter is used for Mobile IP (MIP) reverse tunnels. When MIP session packets do not have a DSCP marking, the Foreign Agent (FA) marks the packets with the value specified by rt-marking marking .

If MIP sessions packets have a DSCP marking, the marking is subjected to the conformance rules for the values of class and max-class; the final DSCP marking is then copied from the inner IP header to the outer IP header.

Default: be

marking must be one of the following;

be : best effort forwarding

af11 : assured Forwarding 11

af12 : assured Forwarding 12

af13 : assured Forwarding 13

af21 : assured Forwarding 21

af22 : assured Forwarding 22

af23 : assured Forwarding 23

af31 : assured Forwarding 31

af32 : assured Forwarding 32

af33 : assured Forwarding 33

af41 : assured Forwarding 41

af42 : assured Forwarding 42

af43 : assured Forwarding 43

ef : expedited forwarding

sc1 : selector class 1

sc2 : selector class 2

sc3 : selector class 3

sc4 : selector class 4

sc5 : selector class 5

sc6 : selector class 6

sc7 : selector class 7

Configures the context to which the subscriber is assigned upon authentication. The assigned context is considered the destination context that provides the configuration options for the services the subscriber is allowed to access.

no

Removes the current assigned context from the subscriber's data.

ip context-name name

Specifies the name of the context to assign the subscriber to once authenticated. name must be an alphanumeric string of 1 trough 79 characters.

Configures the IP packet header compression options for the current subscriber. Although this command configures IP header compression algorithms, the Internet Protocol Control Protocol (IPCP) negotiations determine when the header compression algorithm is applied.

default

Restores this command's default setting to the Van Jacobsen (VJ) header compression algorithm.

no

Disables all IP header compression.

ip header-compression { rohc [ any [ mode { optimistic | reliable | unidirectional } ] | cid-mode { { large | small } [ marked-flows-only | max-cid | max-hdr value | mrru value ] } } | marked flows-only | max-hdr value | mrru value | downlink | uplink ] | vj }

Specifies that the Robust Header Compression (ROHC) algorithms is used for data.

Important

ROHC is only supported for use with the PDSN.

any : Apply ROHC header compression in both the uplink and downlink directions.

marked-flows-only : Specifies that ROHC is to be applied only to marked flows.

max-hdr value : Specifies the maximum header size to use. Default: 168. value must be an Integer from 0 through 65535.

mrru value : Specifies the maximum reconstructed reception unit to use. Default: 65535. value must be an Integer from 0 through 65535.

downlink : Apply the ROHC algorithm only in the downlink direction.

uplink : Apply the ROHC algorithm only in the uplink direction.

Important

When ROHC is enabled for downlink or uplink only the operational mode is Unidirectional.

vj

Specifies that the VJ algorithm is used for header compression.

+

Either one or both of the keywords may be entered in a single command.

If both vj and rohc are specified, vj must be specified first.

Important

If both VJ and ROHC header compression are specified, the optimum header compression algorithm for the type of data being transferred is used for data in the downlink direction.

Hides the IP address of the service from the subscriber.

no

Does not hide the IP address of the service from the subscriber. This is the default behavior.

ip hide-service-address

Hides the IP address of the service from the subscriber.

Configures the local-side IP address of the subscriber's point-to-point connection.

no

Removes a previously configured IP local-address.

ip_address ip_address

Specifies an IP address configured in a destination context on the system through which a packet data network can be accessed. ip_address is entered using IPv4 dotted-decimal notation.

Configures the IP multicast discard packet behavior.

no

Does not discard IP multicast packets.

ip multicast discard

Discards IP multicast packets.

Configures quality of service (QoS) options for the current subscriber using the differentiated services code point (DSCP) method. This functionality is disabled by default.

no

Sets the quality of service option to its default value.

ip qos-dscp option

Default: be (Best Effort)

Configures the static route to use to reach the subscriber's network.

no

Removes the configured route information from the subscriber data.

ip route ip_address

Specifies the target IP address for which the route information applies using IPv4 dotted-decimal notation.

ip_mask

Specifies the networking mask for the route.

1 bits in the ip_mask indicate that bit position in the ip_address must also have a value of 1.

0 bits in the ip_mask indicate that bit position in the ip_address does not need to match, such as the bit can be either a 0 or a 1.

For example, if the IP address and mask were specified as 172.168.10.0 and 255.255.255.224, respectively, the network mask will be 172.168.0.0 (obtained by logically ANDing the IP address with the IP mask).

gateway_address

Default: assigned remote IP address will be used as the gateway address.

Specifies the IP address of the next hop gateway for the route using IPv4 dotted-decimal notation.

Enables or disables packet source validation for the current subscriber. Source validation requires that the source address of the received packets match the IP address assigned to the subscriber (either statically or dynamically) during the session.

If an incorrect source address is received from the mobile node, the system attempts to renegotiate the PPP session. The parameters for IP source validation can be set by the ip source-violation command.

no

Disables source validation.

ip source-validation

Enables source validation.

Controls copying of the IP TOS octet value from IPv4/IPv6 datagrams to the IP header in tunnel encapsulation. This is disabled by default.

no

Disable copying of the IP TOS octet value to all tunnel encapsulation IP headers.

ip user-datagram-tos copy

Enables copying of the IP TOS octet value to all tunnel encapsulation IP headers.

access-link-tunnel

Copies the IP TOS octet value to the tunnel encapsulation IP header on the access side (RP) tunnel.

both

Uses both the access-link-tunnel and data-tunnel.

data-tunnel

Copies the IP TOS octet value to the tunnel encapsulation IP header on the MIP data tunnel or L3 tunnel (IP-in-IP, GRE).

Configures subscriber-to-Virtual LAN (VLAN) associations.

default

Resets the VLAN ID to the default setting.

no

Disables the VLAN ID for the subscriber.

ip vlan vlan-id

Specifies the VLAN ID that is associated with the IP address for that session. vlan-id is an integer from 1 through 4094.

Configures the IPv6 access group for a subscriber.

ipv6 access-group name

Defines the access group name. name is an alphanumeric string of 1 through 47 characters.

in

Defines the access group as inbound.

out

Defines the access group as outbound.

Configures a static IP address for use by the subscriber.

no

Deletes a previously configured ipv6 address.

ipv6 address address

Specifies an IPv6 address. address is entered using IPv6 colon-separated-hexadecimal notation.

prefix

Specifies a static IPv6 address.

prefix-pool name

Specifies an IPv6 prefix pool name. name is an alphanumeric string of 1 through 31 characters.

Configures the IPv6 Domain Name Service (DNS) servers.

no

Deletes a previously configured DNS server.

ipv6 dns ipv6_dns_address

Specifies an IP address for the DNS server. ipv6_dns_address is entered using IPv6 colon-separated-hexadecimal notation.

primary

Configures the primary DNS server for the subscriber.

secondary

Configures the secondary DNS server for the subscriber. Only one secondary DNS server can be configured.

ipv6_dns_address

Configures the IP address of the DNS server.

Configures the system to act as a domain name server proxy for the current subscriber.

default

Disables IPv6 DNS proxy functionality for a subscriber.

no

Removes the pre-enabled functionality of IPv6 DNS proxy for a subscriber.

ipv6 dns-proxy

Enables IPv6 DNS proxy functionality for a subscriber. If enabled, the system will act as a proxy DNS server.

Default: disabled.

Configures the system to perform egress address filtering for the subscriber.

no

Disables IPv6 egress address filtering.

ipv6 egress-address-filtering

Enables IPv6 egress address filtering.

Creates an IPv6 initial router advertisement interval for the subscriber.

default

Resets the command to its default settings.

no ipv6 initial-router-advt router-solicit-wait-timeout

Disables running timer to wait for router solicit and sends the initial router advertisement immediately once session is up.

ipv6 initial-router-advt

Enables an initial router advertisement interval in milliseconds.

interval value

Default: 3000

The time interval the initial IPv6 router advertisement is sent to the mobile node in milliseconds.

value is an integer between 100 and 16000 milliseconds.

num-advts value value

Default: 3

The number of initial IPv6 router advertisements sent to the mobile node. value is an integer between 1 to 16.

router-solicit-wait-timeout value

Default: 3000

The time interval to wait for router solicit before sending the initial IPv6 router advertisement.

value is an integer between 1 and 30000 milliseconds.

Provides an IPv6 interface identifier for the subscriber.

default

No interface ID set for IPv6CP negotiation to subscriber.

no

Deletes a previously configured IPv6 interface ID.

interface-id ifid

Specifies the interface ID assigned to the Mobile during IPv6 Control Protocol (IPv6CP) negotiation. ifid is a 64-bit unsigned integer.

Configures the IPv6 minimum link maximum transmission unit (MTU) value.

default

Resets minimum link MTU to its default setting: 1280.

ipv6 minimum-link-mtu value

Specifies the MTU (in bytes) as a minimum link value. value is an integer between 100 and 2000.

Configures additional IPv6 4-bit prefixes to the subscriber session.

no

Deletes a previously configured ipv6 secondary address.

ipv6 secondary-address ipv6_address_pref

Specified the secondary IPv6 address using IPv6 colon-separated-hexadecimal notation.

pool_name

Specifies the name given to the secondary address prefix pool as an alphanumeric string of of 1 through 31 characters.

Enables the sending of accounting correlation information (Correlation-Id, NAS-IP-Address and NAS-ID) by the L 2TP Access Concentrator (LAC) in L2TP control messages (ICRQ) during session setup to an L2TP Network Server (LNS).

no

Disables the sending of accounting correlation information by the LAC.

default

Sets the setting to default mode: disable.

l2tp send accounting-correlation-info

Enables the sending of accounting correlation information by the LAC.

Configures the subscriber address allocation/validation policy, when subscriber Layer 3 (IPv4) sessions are tunneled using Layer 2 tunneling protocol (L2TP).

default

Restores the default value for Layer 3-to-Layer 2 tunnel addressing: no-alloc-validate .

l3-to-l2-tunnel address-policy

Sets the policy for Layer 3-to-Layer 2 sessions to one of the following options.

alloc-only

Only allocates an address in the case of dynamic address assignment. Does not validate static addresses.

alloc-validate

Locally allocates and validates the subscriber addresses.

no-alloc-validate

Does not allocate or validate subscriber addresses locally for current subscribers sessions. Passes the address between the remote tunnel terminator and the Mobile Node. This is the default behavior.

Configures the load balancing of traffic bound for L2TP tunnels configured on the system for the selected subscriber.

loadbalance-tunnel-peers

Enables load balancing of L2TP traffic using one of the methods described below.

balanced

Enables the equal use of all configured tunnel peers (LNSs) for the selected subscriber.

prioritized

Enables the use of all configured tunnel peers (LNSs) for the selected subscriber based on the preference number assigned to the peer address.

random

Default: Enabled

Enables the random use of all configured tunnel peers (LNSs) for the selected subscriber.

Specifies what action is taken when the long duration timer expires.

detection

Default: Enabled

Detects long duration sessions and sends SNMP TRAP and CORBA notification. This is the default behavior.

Use this command to detect a session exceeding the limit set by the long duration timer.

disconnection [ dormant-only ] [ suppress-notification ]

Default: Disabled

Detects a long duration session and disconnects the session after sending SNMP trap and CORBA notification.

suppress-notifiaction : Suppresses the SNMP trap and CORBA notification after detecting and disconnecting a long duration session. Default: Disabled

dormant only : Disconnects the dormant sessions after long duration timer and inactivity time with idle time-out duration expires. If the long duration timeout is fired and the call is not dormant, the call is disconnected when the call later moves to dormancy.

Important

For HA calls, the inactivity-time is considered as gauge for dormancy.

It sends the SNMP trap and CORBA notification after disconnecting a long duration session. Default: Disabled

Specifies the maximum number of connections to packet data networks (PDNs) supported per eHRPD session.

default

Resets the maximum number of PDN connections supported per eHRPD session to 3.

max-pdn-connections eHRPD_PDNs

Specifies the maximum number of PDN conceitedness allowed per eHRPD session. eHRPD_PDNs must be an integer from 1 to 14. Default is 3.

Enables the use of a mediation device for subscribers, and specifies the system context to use for communicating with the device. A mediation device can be the initial point of contact for all IT systems that need to receive Charging Data Records (CDRs). Mediation devices can also be deep-packet inspection servers or transaction control servers.

no

Deletes the mediation-device configuration.

default

Changes the mediation device to no context-name configured and restores the mediation device's default properties.

mediation-device context-name context-name

Default: The subscriber's destination context.

Configures the mediation VPN context for the subscriber.

context-name must be an alphanumeric string of 1 through 79 characters that is case sensitive. If not specified, the mediation context is same as the destination context of the subscriber.

no-interims

Disables sending of Interim messages to the mediation device.

Default: Disabled

Enables or disables access to mobile IP services by the subscriber.

no

Disables the mobile IP option specified.

allow-aaa-address-assignment

Default: Disabled.

Enables the FA to accept a home address assigned by an AAA server. This should only be configured on the FA side.

dns-address source-priority { aaa | home-agent }

Sets the priority behavior on the FA to use either the DNS IP address information from the HA or the AAA server to include in the RRP to the MN.

When the no keyword is used in conjunction with the dns-address keyword, information received from both the home-agent and the AAA server is sent if available.

DNS IP address information from the HA comes from the DNS Normal Vendor/Organization Specific Extension (NVSE) in the Registry Registrar Protocol (RRP).

DNS IP address information from the AAA server is in the access accept message.

home-agent : If the DNS address is received from the home-agent only that information is sent to the MN. Otherwise the DNS address received from the AAA server is sent.

aaa : If the DNS address is received from the AAA server only that information is sent to MN. Otherwise the DNS address received from the home-agent is sent.

gratuitous-arp aggressive

Default: Disabled.

When enabled, this mode will cause the HA to send out gratuitous ARP (Address Resolution Protocol) messages for all Mobile IP (MIP) registration renewals and handoffs.

To disable this mode, use the no form of this command.

Important

This mode will only work for IP addresses that have been assigned from a static IP address pool.

home-agent ip_address [alternate]

Specifies the IP address of the mobile IP user's home agent. ip_address must be entered using IPv4 dotted-decimal or IPv6 colon -separated notation.

alternate - Specifies the secondary, or alternate, Home Agent to use when Proxy Mobile IP HA Failover is enabled.

match-aaa-assigned-address

Default: Disabled.

Enables the FA to validate the home address in the RRQ against the one assigned by AAA server. This should only be configured on the FA side.

min-reg-lifetime-override [ value | infinit ]

Default: 0.

Configures the subscriber for minimum registration lifetime parameter on HA service. By default it uses the value configured on HA service where value must be the minimum registration lifetime that the HA service allows in any Registration Request message from the mobile node. An infinite registration lifetime can be configured by setting the value as "infinite".

value is a minimum registration lifetime value in seconds and must be an integer between 1 through 65534.

mn-aaa-removal-indication

Default: Disabled.

When enabled, the MN-FA challenge and MN-AAA Authentication extensions are removed when relaying a Registration Request (RRQ) to the Home Agent (HA)

mn-ha-hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }

Speechifies the encryption algorithm to use.

Default: hmac-md5

hmac-md5 : Uses HMAC-MD5 hash algorithm, as defined in RFC-2002bis. This is the default algorithm.

md5 : Uses the MD-5 hash algorithm.

rfc2002-md5 : Uses the MD-5 hash algorithm variant as defined in RFC-2002.

mn-ha-shared-key key

Verifies the MN-HA Authentication for a local subscriber in the current context. key is an alphanumeric string or a hexadecimal number beginning with "0x" up to 127 bytes

mn-ha-spi spi_num

Specifies the Security Parameter Index (SPI) number. spi_num must be an integer from 256 through 4294967295.

reverse-tunnel

Default: enabled.

All the mobile IP user to use reverse IP tunnels. The no keyword disables this option.

security-level { ipsec | none }

Default: none

Configures the security level needed for the subscriber's traffic.

ipsec : secures both MIP control and data traffic with IPSec.

none : none of the traffic is secured

Important

This keyword corresponds to the 3GPP2-Security-Level RADIUS attribute. This attribute indicates the type of security that the home network mandates on the visited network.

Important

For this attribute, the integer value "3" enables IPSec for tunnels and registration messages, "4" Disables IPSec

send {access-technology | accounting-correlation-info bsid | dns-address | host-config | imsi | terminal-verification }

access-technology : Configures FA to sends the access-technology type extension in the RRQ, by default it is disabled.

accounting-correlation-info : Configures whether the FA sends the correlation info to the NVSE in the RRQ. Default is disabled.

dns-address : Enables the HA to send the DNS address NVSE in the RRP. Default is disabled. This should only be enabled on the HA side.

host-config : Configures by sending the Host Config NVSE in RRQ. By default it is disabled.

imsi : Configures sending the IMSI NVSE in the RRQ. Default is sending IMSI in custom-1 format.

terminal-verification : Enables the FA to send the terminal verification NVSE in the RRQ. Default is disabled. This should only be enabled on the FA side.

Important

send dns-address is a proprietary feature developed for a specific purpose and requires the MN to be able to renegotiate IPCP for DNS addresses and reregister MIP if necessary. Since this feature needs the MN to support certain PPP/MIP behavior, and not all MNs support that particular behavior, send dns-address should be enabled only after careful consideration.

Accommodates two Mobile IP (MIP) Home Agent (HA) options in subscriber mode.

no

Disables the mobile IP HA option specified.

assignment-table name

Specifies the name of an existing MIP HA Assignment table. name must be an alphanumeric string of 1 through 63 characters.

ignore-unknown-ha-addr-error

Default is disabled.

Enables or disables the HA to accept or reject the RRQ from a particular subscriber.

Overrides the Mobile IP (MIP) registration lifetime from HA with value configured for subscriber.

mobile-ip reg-lifetime-override dur

Default: 100 seconds.

Overrides the MIP registration lifetime from HA for the specified period of time in seconds. dur must be an integer from 1 through 65534.

infinite

Sets the MIP registration lifetime override value to infinite for a particular subscriber.

default

Sets the value of mobile IP registration lifetime override option to 100 seconds.

no

Disables the MIP registration lifetime override option.

Enables the sending of the RAT (Radio Access Technology) of the MS to the HA in a PMIP RRQ (Proxy MIP Register Request) message.

default

Disables the support for sending the RAT to the HA in a PMIP RRQ.

This is the default mode.

no

Removes the configured support for sending the RAT to the HA in a PMIP RRQ.

Enables the sending call correlation information Normal Vendor/Organization Specific Extensions (NVSEs) to the HA in the MIP Registry Registrar Protocol (RRP).

default

Disables the support for sending call correlation information NVSEs to the HA in MIP RRQ.

This is the default mode.

no

Removes the configured support for sending call correlation information.

Enables the sending of the BSID (Base Station Identifier) of the WiFi access point/Radio Access Network (RAN) to the HA in a PMIP RRQ (Register Request) message.

default

Disables the support for sending the BSID to the HA in a PMIP RRQ.

This is the default mode.

no

Removes the configured support for sending the BSID to the HA in a PMIP RRQ.

custom-2

NVSE to send service option attribute in the PMIP RRQ.

Important

This is a customer-specific keyword and needs customer-specific license to use this feature.

Configures whether the FA sends the PCF address NVSE in the RRQ.

default

Disables the support for sending the PCF address to the HA in a PMIP RRQ.

This is the default mode.

no

Removes the configured support for sending the PCF address to the HA in a PMIP RRQ.

custom-2

NVSE to send PCF address attribute in the PMIP RRQ.

Configures whether the FA sends the service option NVSE in the PMIP RRQ.

default

Disables the support for sending the service option to the HA in a PMIP RRQ.

This is the default mode.

no

Removes the configured support for sending the service option to the HA in a PMIP RRQ.

custom-2

NVSE to send service option attribute in the PMIP RRQ.

Configures whether the FA sends the subnet-id NVSE in the PMIP RRQ.

default

Disables the support for sending the subnet-id to the HA in a PMIP RRQ.

This is the default mode.

no

Removes the configured support for sending the subnet-id to the HA in a PMIP RRQ.

custom-2

NVSE to send subnet-id attribute in the PMIP RRQ.

Configures Mobile IPv6 related parameters for a subscriber.

default

Disables the support for sending call correlation information NVSEs to the HA in MIP RRQ.

This is the default mode.

no

Removes the configured support for sending call correlation information.

home-address ipv6_address

Specifies the home address for the subscriber. ipv6_address must be entered using IPv6 colon-separated-hexadecimal notation.

home-agent ipv6_address

Specifies the IPv6 address of the mobile IP user's home agent. ipv6_address must be entered using IPv6 colon-separated-hexadecimal notation.

home-link-prefix ipv6_address

Specifies the IPv6 address of the mobile IP user's home link. ipv6_address must be entered using IPv6 colon-separated-hexadecimal notation.

tunnel mtu value

Configures the tunnel MTU (in bytes) for the IPv6 tunnel between the HA and the mobile node. value must be an integer from 1024 through 2000. The default is 1500.

After authentication, the domain name specified by this command replaces the Network Access Identifier (NAI) constructed for the subscriber.

nai-construction-domain domain_name

Defines the domain name to use to replace the NAI constructed domain name. domain_name must be an alphanumeric string of 1 through 79 characters.

no

Deletes the defined domain name.

Configures and enables use of NetBIOS Name Service (NBNS) for the subscriber.

nbns primary

Designates primary NBNS server. Must be followed with IPv4 address in dotted-decimal notation.

nbns secondary

Designates secondary/failover NBNS server. Must be followed with IPv4 address in dotted-decimal notation.

IPv4-address

Specifies the IP address used for this service using IPv4 dotted-decimal notation.

no

Removes/disables use of a previously configured NetBios Name Service.

Configures the next hop forwarding address for the subscriber.

nexthop-forwarding-address ip_address

Configures the IP address of the nexthop forwarding address. ip_address must be entered using IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

no

Disables this function. This is the default setting.

Configures an Network Processing Unit (NPU) QoS priority queue for packets from the subscriber.

best-effort

Assigns the best-effort queue priority. This is the lowest priority.

bronze

Assigns the bronze queue priority. This is the third-highest priority.

derive-from-packet-dscp

Default: Enabled

Specifies that the priority is to be determined from the DS field in the packet's TOS octet.

gold

Assigns the gold queue priority. This is the highest priority.

silver

Assigns the silver queue priority. This is the second-highest priority.

Binds the name of a configured network reachability server to the current subscriber and enables network reachability detection.

nw-reachability server server_name

Specifies the name of a network reachability server that has been defined in the current context. server_name is an alphanumeric string of 1 through 16 characters.

no nw-reachability server

Deletes the name of the network reachability server from the current subscribers configuration and disable network reachability failure detection for the current subscriber.

Configures the subscriber host password for use when authenticating PPP sessions.

[ outbound encrypted ] password pwd

Specifies the password to use for point-to-point protocol session host authentication. The encrypted keyword indicates the password specified uses encryption.

The password specified as pwd must be an alphanumeric string of 1 through 63 characters without encryption, or 1 through 127 characters with encryption.

The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

no outbound password

Clears the outbound password configuration from the subscriber data.

Sets the threshold parameter for overload disconnect.

threshold inactivity-time inactivity_time_threshold

Sets the inactivity time threshold (in seconds) as an integer from 0 through 4294967295. The default value of zero disables this feature. If inactivity-time for the subscriber's session is greater than inactivity_time_threshold , the session becomes a candidate for disconnection.

threshold connect-time connect_time_threshold

Sets the connection time threshold (in seconds) as an integer from 0 through 4294967295. A value of zero disables this feature. If connect-time for the subscriber's session is greater than connect_time_threshold , the session becomes a candidate for disconnection.

default

Enables the default condition for this subscriber.

no

Disables the overload disconnect feature for this subscriber. This is the default condition for PDIF.

Configures the subscribers password for the current context.

encrypted

Indicates the password provided is encrypted.

The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the password keyword is the encrypted version of the plain text password. Only the encrypted password is saved as part of the configuration file.

pwd

Specifies the user's password for authentication. pwd must be an alphanumeric string of 1 through 63 characters without encryption, or from 1 through 127 characters with encryption. A "null" password is allowed and is entered as consecutive double quotes (" "). See Example(s) for correct syntax.

Important

Subscribers configured with a null password will be authenticated using PAP and CHAP (MD5) only. Subscribers configured without a password (no password ) will only be able to access services if the service is configured to allow no authentication.

no

Used to clear the subscriber password configuration from the subscriber data.

Important

Subscribers with no password will only be able to access services if the service is configured to grant access with no authentication.

Configures PDIF subscriber call setup parameters.

[ default | no ]

Disables the option specified.

release-tia

Specifies that after subscriber call setup is complete, the tunnel inner address (TIA) is released. If SImple IP is enabled, the TIA becomes the principal communications tunnel and the restriction that it is only to be used to set up a Mobile-IP call is lifted. This parameter is disabled by default.

required

Specifies that Mobile IP is required for this subscriber whenever a call is set up. This parameter is disabled by default.

simple-ip-fallback