Configuring Authentication, Authorization, and Accounting
SYSTEM ADMINISTRATOR GUIDE
61/1543-CRA 119 1170/1 Uen L
Copyright © Ericsson AB 2010-2012. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List
SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
Contents
1 Overview
1.1 Authentication
1.2 Authorization and Reauthorization
1.3 Accounting
1.4 AAA Route Download Overview
2 Configuration and Operations
2.1 Configuring Global AAA
2.2 Configuring Authentication
2.3 Configuring Authorization and Reauthorization
2.4 Configuring Accounting
2.5 Performing Operation Tasks
2.6 Configuring AAA Route Download
3 Configuration Examples
3.
Configuring Authentication, Authorization, and Accounting 61/1543-CRA 119 1170/1 Uen L | 2012-12-04
1 Overview
This document applies to both the Ericsson SmartEdge® and SM family routers. However, the software that applies to the SM family of systems is a subset of the SmartEdge OS; some of the functionality described in this document may not apply to SM family routers. For information specific to the SM family chassis, including line cards, refer to the SM family chassis documentation.
1.1.2 Subscribers
Authentication of Point-to-Point Protocol (PPP) subscribers now includes support for IPv4, IPv6, and dual-stack subscribers. Dual-stack subscribers run both IPv4 and IPv6. For information on IPv6 subscribers, refer to Configuring IPv6 Subscriber Services. Authentication requests do not indicate whether a session is single-stack or dual-stack, but authentication responses do.
• Tunnel-Server-Auth-ID (91)
• Tunnel-Function (VSA 18)
• Tx-Connect-Speed (L2TP AVP 24)
• Rx-Connect-Speed (L2TP AVP 38)
If you have IPv6 PPP subscriber sessions, the following standard RADIUS attributes and Ericsson VSAs are supported:
• NAS-IPv6-Address (95)
• Framed-Interface-Id (96)
• Framed-IPv6-Prefix (97)
• Framed-IPv6-Route (99)
• Framed-IPv6-Pool (100)
• Delegated-IPv6-Prefix (123)
• RB-IPv6-DNS (207)
• RB-IPv6-Option (208)
• Delegated-Max-Prefix (212)
For more
accounting message or tears down the subscriber session, depending on the configured action to perform. If the RADIUS attribute does not include the direction to which the limit is applied, the downstream direction is assumed. If no limit is included, the traffic volume is unlimited in both directions and is not monitored. If a limit of 0 is configured for a direction, traffic is treated as unlimited in that direction and is not monitored.
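The limit semantics above are easy to get wrong in a monitoring or audit script, in particular that an explicit 0 disables monitoring rather than blocking traffic. The following added example (not from the Ericsson guide) models those rules for one subscriber session; the attribute layout, the byte units and the action names are constructed stand-ins, since the page does not give the RADIUS attribute's name or encoding.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DOWNSTREAM = "downstream"
UPSTREAM = "upstream"


@dataclass
class VolumeLimit:
    """Constructed stand-in for one received volume-limit attribute."""
    limit_bytes: Optional[int]        # None: the attribute carried no limit value
    direction: Optional[str] = None   # None: direction omitted in the attribute


def monitored_limits(attrs: List[VolumeLimit]) -> Dict[str, int]:
    """Map direction -> byte limit for the directions that are monitored.

    Rules from the guide: a missing direction means downstream; no limit
    means unlimited (unmonitored) in both directions; a limit of 0 means
    unlimited (unmonitored) in that direction.
    """
    limits: Dict[str, int] = {}
    for attr in attrs:
        if attr.limit_bytes is None:
            continue
        direction = attr.direction or DOWNSTREAM
        if attr.limit_bytes == 0:
            limits.pop(direction, None)   # 0 switches monitoring off; it is not a quota
        else:
            limits[direction] = attr.limit_bytes
    return limits


def evaluate_session(attrs: List[VolumeLimit], usage: Dict[str, int],
                     action: str = "accounting") -> Tuple[str, List[str]]:
    """Return (action_to_perform, directions_over_limit).

    'usage' holds bytes forwarded so far per direction. 'action' is the
    configured response ("accounting" message or "teardown") and applies
    only when a monitored direction has exceeded its limit.
    """
    if action not in ("accounting", "teardown"):
        raise ValueError(f"unknown action {action!r}")
    limits = monitored_limits(attrs)
    exceeded = sorted(d for d, lim in limits.items() if usage.get(d, 0) > lim)
    return (action if exceeded else "none", exceeded)
```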
1.2 Authorization and Reauthorization
The following sections describe the authorization and reauthorization features.
1.2.1 CLI Commands Authorization
You can specify that commands with a matching privilege level (or higher) require authorization through TACACS+.
1.2.
Note: Configuring the global keyword with the aaa accounting subscriber command allows you to enable global RADIUS subscriber accounting even without global authentication. For more information, refer to the Command Description document.
1.4 AAA Route Download Overview
The router allows you to configure and advertise IPv4 access routes before the routes have been assigned to subscribers. Pre-provisioning access routes helps eliminate routing protocol scalability issues or delays while the protocol is converging or when a large number of subscribers is being activated simultaneously. More than one RADIUS server can be designated as a route download server.
2 Configuration and Operations
This section provides information on how to configure, administer, and troubleshoot AAA.
Note: The command syntax in the task table displays only the root command. For the complete command syntax, see Command List.
2.1 Configuring Global AAA
To configure global attributes for AAA, perform the tasks in the following sections.
2.1.
2.1.3 Preventing Subscriber Session Authentication When Session Limit Reached
To prevent a new session from being authenticated when the maximum configured number of sessions has been reached, perform the task described in Table 4.
Table 4 Subscriber Session Authentication When Session Limit Reached
Task: Prevent a new subscriber session from being authenticated when the maximum configured number of sessions is established.
2.1.6 Authenticating Username
To specify a username for authentication, perform the task described in Table 7.
Table 7 Username for Authentication
Task: Specify that the Username attribute is required in Access-Request messages.
Root Command: aaa global reject empty-username
Notes: Enter this command in the global configuration mode.
Table 9 Administrator Authentication
Task: Configure administrator authentication.
Root Command: aaa authentication administrator
Notes: Enter this command in the context configuration mode. You have the option to configure either the console port or a vty port for each specified authentication method. By default, both ports are enabled for use. Use either the console or vty keyword as needed.
2.2.
2.2.2.2 Enable the Assignment of Preferred IP Addresses
To enable the router to provide a RADIUS server with preferred IP addresses when performing subscriber authentication, perform the task described in Table 11.
Table 11 Assignment of Preferred IP Addresses
Task: Enable the router to provide the RADIUS server with preferred IP addresses from unnamed IP pools.
Root Command: aaa hint ip-address
Notes: Enter this command in the context configuration mode.
2.2.2.
2.2.2.5 Configure Context-Specific RADIUS Authentication
To authenticate subscribers using one or more RADIUS servers with IP addresses or hostnames configured in the current context, perform the task described in Table 14.
Table 14 Context-Specific RADIUS Authentication
Task: Configure context-specific RADIUS authentication.
Root Command: aaa authentication subscriber
Notes: Enter this command in the context configuration mode.
Table 16 Router DHCPv6 Interface Authentication
Task: Configure an interface to be a DHCPv6 server interface.
Root Command: dhcpv6 server interface
Notes: The DHCPv6 server uses the primary IPv6 address of the interface as the server IP address.
Task: Enable AAA to authenticate subscribers through the router local database or RADIUS.
Table 18 Context-Specific RADIUS and Router Authentication
Task: Configure context-specific RADIUS authentication, followed by router configuration authentication.
Root Command: aaa authentication subscriber
Notes: Enter this command in the context configuration mode. Use the radius keyword followed by the local keyword with this command.
2.2.2.10
Caution! Risk of security breach. If you disable subscriber authentication, individual subscriber names and passwords are not authenticated by the router, and therefore the IP routes and ARP entries within individual subscriber records are not installed. To reduce the risk, verify your network security setup before disabling subscriber authentication.
2.
2.3.3 Configuring Dynamic Subscriber Reauthorization
To configure dynamic subscriber reauthorization, perform the task described in Table 23.
Table 23 Dynamic Subscriber Reauthorization
Task: Configure dynamic subscriber reauthorization.
Root Command: aaa reauthorization bulk
Notes: Enter this command in the context configuration mode.
Description: (SE) * Format for Reauth String "type;sub_id;attr#;attr_val;attr#;;attr#;attr_val;...
2.4.2 Configuring Administrator Accounting
To enable accounting messages for administrator sessions to be sent to the TACACS+ server, perform the task described in Table 25.
Table 25 Administrator Accounting
Task: Configure administrator accounting.
Root Command: aaa accounting administrator
Notes: Enter this command in the context configuration mode. A TACACS+ server must be configured in the specified context; see Configuring TACACS+.
2.4.
Table 26 Global Subscriber Accounting
Task: Enable global subscriber session accounting update messages.
Root Command: aaa global update subscriber
Notes: Enter this command in global configuration mode. Updated accounting records for the subscriber sessions in all contexts are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
Note: At least one RADIUS accounting server must be configured in the current context before any messages are sent; for more information, see Configuring RADIUS.
Table 27 Context-Specific Subscriber Accounting
Task: Enable context-specific subscriber accounting messages.
Table 27 Context-Specific Subscriber Accounting (continued)
Task: Enable context-specific accounting messages for DHCP lease, DHCPv6 prefix delegation (PD), reauthorization information, or ANCP events.
Table 28 Global L2TP Accounting
Task: Configure global L2TP accounting.
Root Command: aaa global accounting l2tpsession
Notes: Enter this command in global configuration mode. For all contexts, accounting messages for L2TP tunnels, or for sessions in L2TP tunnels, are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context.
2.4.4.
Table 30 AAA Operations Tasks
Task: Generate AAA debug messages.
Root Command: debug aaa
Task: Modify a subscriber attribute in real time during an active session, using the CLI.
Root Command: policy-refresh
Task: Modify a subscriber attribute in real time during an active session, using the RADIUS authentication process.
Root Command: reauthorize
Task: Test the communications link to a RADIUS server.
Root Command: test aaa
2.
4. Use the radius route-download server-timeout command to specify the interval, in seconds, to wait for a response from the RADIUS server before declaring it unavailable. The range is 1 to 2,147,483,647. If not specified, the server is never considered unavailable. By default, the capability remains disabled.
5. Use the radius route-download timeout command to specify the interval, in seconds, to wait before retrying a request.
3 Configuration Examples
The following sections provide AAA configuration examples.
3.1 Configuring Administrator Authentication
The following example shows how to enable local administrator authentication using remote console access, and limit the number of concurrent sessions to 10:
[local]Redback(config-ctx)#aaa authentication administrator vty local maximum sessions 10
3.
[local]Redback(config)#aaa global authentication subscriber radius context local
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 10.1.1.1 key TopSecret
. . .
[local]Redback(config)#context AAA_local
[local]Redback(config-ctx)#aaa authentication subscriber local
[local]Redback(config-ctx)#interface corpA multibind
[local]Redback(config-if)#ip address 10.1.3.30 255.255.255.