SYSTEM ADMINISTRATOR GUIDE 61/1543-CRA 119 1170/1-V1 Uen B
Copyright
© Ericsson AB 2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.
Trademark List
SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
NetOp is a trademark of Telefonaktiebolaget LM Ericsson.
This document provides an overview of the authentication, authorization, and accounting (AAA) features of the SmartEdge® router and describes the tasks used to configure, monitor, and administer AAA. This document also provides AAA configuration examples.
The following sections describe authentication features for administrators and subscribers.
By default, the SmartEdge router configuration performs administrator authentication. You can also authenticate administrators through database records on a Remote Authentication Dial-In User Service (RADIUS) server, through a Terminal Access Controller Access Control System Plus (TACACS+) server, or through one method, followed by another.
You must configure the IP address of a reachable RADIUS or TACACS+ server (or both) in the context in which the administrator is configured. For information about RADIUS and TACACS+, see Configuring RADIUS and Configuring TACACS+ respectively.
You can set a maximum limit on the number of administrator sessions that can be simultaneously active in each context.
Authentication of Point-to-Point Protocol (PPP) subscribers now includes support for IPv4, IPv6, and dual-stack subscribers. Dual-stack subscribers run both IPv4 and IPv6. For information on IPv6 subscribers, refer to Configuring IPv6 Subscriber Services. Authentication requests do not indicate if a session is single or dual stack, but authentication responses do.
An IPv6 subscriber must be authorized through AAA before PPP negotiates connectivity and ND processes packets. If a protocol is not authorized, PPP does not negotiate that protocol with a client, even when the PPP negotiation process is initiated by a client.
By default, the operating system configuration performs subscriber authentication. You can also authenticate subscribers through database records on a RADIUS server, or through multiple methods.
When the IP address or hostname of the RADIUS server is configured in the operating system “local” context, “global RADIUS” authentication is performed. That is, although subscribers may be configured in a non-local context, subscribers in non-local contexts are authenticated through the RADIUS server configured in the local context. With global RADIUS authentication, the RADIUS server returns the Context-Name vendor-specific attribute (VSA) indicating the name of the particular context to which subscribers are bound.
When the IP address or hostname of the RADIUS server is configured in a context other than the local context, context-specific RADIUS authentication is performed; that is, only subscribers bound to the context in which the RADIUS server’s IP address or hostname is configured are authenticated.
You can also configure the SmartEdge router to attempt authentication through a RADIUS server configured in the non-local context first, with a fallback to a RADIUS server configured in the local context if the first server is unavailable. Or, you can configure the SmartEdge router to attempt authentication through a RADIUS server configured in a non-local context, with a fallback to the SmartEdge router configuration.
AAA includes the following Layer 2 Tunneling Protocol (L2TP) attribute-value pairs (AVPs), RADIUS standard attributes, and vendor-specific attributes (VSAs) provided by Ericsson AB in RADIUS Access-Request messages for L2TP network server (LNS) subscribers that are authenticated using RADIUS:
If you have IPv6 PPP subscriber sessions, the following standard RADIUS attributes and Ericsson VSAs are supported:
For more information about RADIUS standard attributes and vendor VSAs provided by Ericsson AB, see RADIUS Attributes. For more information about L2TP AVPs, see Configuring L2TP.
You can set a maximum limit on the number of subscriber sessions that can be simultaneously active in a given context and for all configured contexts.
You can limit the services provided to subscribers based on volume of traffic. You can monitor volume-based services in the upstream and downstream directions independently, separately or aggregated in both directions. However, you cannot simultaneously monitor aggregated traffic and either upstream or downstream traffic.
Volume limits are imposed by the RADIUS VSA 113 in Access-Accept and Accounting-Request messages.
AAA supports inbound and outbound traffic counters, as well as an aggregated counter of both incoming and outgoing traffic. If the aggregated counter exceeds the configured value for aggregated traffic limit, AAA sends a RADIUS accounting message or tears down the subscriber session, depending on the configured action to perform.
If the RADIUS attribute does not include the direction to which the limit is applied, the downstream direction is assumed. If no limit is included, the traffic volume is unlimited in both directions and is not monitored. If a limit of “0” is configured for a direction, traffic is treated as unlimited in that direction and is not monitored.
VSA 113 is also supported in a subscriber reauthorize Access-Accept message.
If a subscriber circuit has been configured with a dynamic binding, using the bind authentication command (in the circuit’s configuration mode), AAA uses subscriber attributes in messages received during subscriber authentication to determine which IPv4 address (and the associated interface) to use when binding the subscriber circuit.
By default, the SmartEdge router considers L2TP attributes before considering RADIUS attributes. You can reverse this order so that the IPv4 address provided in the RADIUS record is used before one provided by L2TP.
By default, the SmartEdge router uses a round-robin algorithm to allocate subscriber IPv4 addresses from the IP pool. You can also configure the router to use a first-available algorithm.
AAA typically assigns an IPv4 address to a Point-to-Point Protocol (PPP) subscriber from an IP pool after receiving an Access-Accept packet from a RADIUS server. However, you can configure AAA to provide an IPv4 address from an IP pool in the Framed-IP-Address attribute in the RADIUS Access-Request packet. This IPv4 address is provided to the RADIUS server as a “hint” that it is a preferred address. If there are no unassigned IPv4 addresses in the pool, the authentication request is sent without an IPv4 address.
The RADIUS server can accept the address or not; Table 1 lists the RADIUS server responses and the corresponding router actions.
RADIUS Server Response | SmartEdge Router Corresponding Action |
---|---|
Framed-IP-Address attribute contains 255.255.255.254, 0.0.0.0, or is missing. | SmartEdge router assigns preferred IPv4 address. |
Framed-IP-Address attribute contains a different IPv4 address. | SmartEdge router assigns the IPv4 address in the Framed-IP-Address attribute and returns the preferred IPv4 address to its pool. |
The following sections describe authorization and reauthorization features.
You can specify that commands with a matching privilege level (or higher) require authorization through TACACS+.
When subscribers request new or modified services during active sessions, the requests can be translated to changes that are applied during the active session through dynamic subscriber reauthorization. Reauthentication occurs without PPP renegotiation and without interrupting or dropping the active session.
The following sections describe accounting features.
You can configure the SmartEdge router so that accounting messages are sent to a TACACS+ server whenever an administrator enters commands at the specified privilege level (or higher).
You can configure administrator accounting, which tracks messages for administrator sessions; the messages are sent to a TACACS+ server.
You can configure subscriber accounting, which tracks messages for subscriber sessions; the messages are sent to a RADIUS accounting server. Use the aaa accounting subscriber command with the radius keyword to configure subscriber accounting. When the IP address or hostname of the RADIUS accounting server is configured in the SmartEdge router local context, global authentication is performed. That is, although subscribers are configured in a non-local context, accounting messages for subscriber sessions in the context are sent through the RADIUS accounting server configured in the local context. When using global RADIUS subscriber accounting, configuring global RADIUS subscriber authentication is required.
When the IP address or hostname of the RADIUS accounting server is configured in a context other than the local context, context-specific accounting is performed; that is, accounting messages are sent only for subscribers bound to the context in which the RADIUS accounting server IP address or hostname is configured.
You can configure two-stage accounting: the SmartEdge router sends accounting messages to a RADIUS accounting server configured in the non-local context and to a RADIUS accounting server configured in the local context. For example, a copy of the accounting data can be sent to both a wholesaler's and an upstream service provider’s RADIUS accounting server, so that end-of-period accounting data can be reconciled and validated by both parties.
You can also specify the error conditions for which the SmartEdge router suppresses the sending of accounting messages to a RADIUS accounting server.
You can configure L2TP accounting, which tracks messages for L2TP tunnels, or sessions in L2TP tunnels; the messages are sent to a RADIUS accounting server. When the IP address or hostname of the RADIUS accounting server is configured in the SmartEdge router local context, global accounting is performed. When the IP address or hostname of the RADIUS accounting server is configured in a context other than the local context, context-specific accounting is performed. You can also configure two-stage accounting.
The SmartEdge router sends just a single “accounting on” message when more than one type of RADIUS accounting is enabled. For example, if you enable both subscriber accounting and L2TP accounting, the router sends only one “accounting on” message to each RADIUS accounting server, even if you enable L2TP accounting at a later time. Similarly, the “accounting off” message is not sent until you have disabled all types of RADIUS accounting.
If a subscriber session cannot be tunneled to a specific L2TP network server (LNS) or to an LNS in a group of L2TP peers, or if the SmartEdge router has received a Link Control Protocol (LCP) termination request from the subscriber before session establishment is complete, the Acct-Session-Time attribute is set to 0.
To configure, administer, and troubleshoot AAA, perform the tasks described in the following sections.
To configure global attributes for AAA, perform the tasks in the following sections.
To limit the number of administrator sessions that can be simultaneously active in a given context, perform the task described in Table 2.
Task | Root Command | Notes |
---|---|---|
Limit the number of administrator sessions that can be simultaneously active in a given context. |  | Enter this command in context configuration mode. To set the limit, use the maximum sessions num-sess construct. |
To limit the number of subscriber sessions that can be simultaneously active, perform the task described in Table 3.
Task | Root Command | Notes |
---|---|---|
Limit the number of subscriber sessions that can be simultaneously active in a given context. |  | Enter this command in context configuration mode. |
To enable a direct connection for subscriber circuits, configure the SmartEdge router to install the route specified by the RADIUS Framed-IP-Netmask attribute. This configuration is described in Table 4.
Task | Root Command | Notes |
---|---|---|
Enable use of the RADIUS Framed-IP-Netmask attribute to install the route to a remote router. |  | Enter this command in context configuration mode. |
To define one or more schema for matching the format of structured usernames (subscriber and administrator names), perform the task described in Table 5.
Task | Root Command | Notes |
---|---|---|
Define one or more schema for matching the format of structured usernames. |  | Enter this command in global configuration mode. If no username formats are explicitly defined, the SmartEdge router checks the default format, username@domain-name, for a match. |
To require a username for authentication, perform the task described in Table 6.
Task | Root Command | Notes |
---|---|---|
Specify that the User-Name attribute is required in Access-Request messages. |  | Enter this command in global configuration mode. If no value is specified for the User-Name attribute, AAA suppresses the Access-Request message, and subscriber authentication fails. |
By default, the SmartEdge router sends Access-Request messages to the RADIUS server, regardless of whether a username is specified.
To configure authentication, perform the tasks described in the following sections.
To configure administrator authentication, perform the task described in Table 7.
Task | Root Command | Notes |
---|---|---|
Configure administrator authentication. |  | Enter this command in context configuration mode. You have the option to configure either the console port or a vty port for each specified authentication method. By default, both ports are enabled for use. Use either the console or vty keyword as needed. |
To configure subscriber authentication, perform the tasks described in the following sections.
To configure the algorithm the SmartEdge router uses to assign subscriber IPv4 addresses, perform the task described in Table 8.
Task | Root Command | Notes |
---|---|---|
Change the logic the SmartEdge router uses to allocate subscriber IP addresses from the default algorithm (round-robin) to a first-available algorithm. |  | Enter this command in global configuration mode. |
To enable the SmartEdge router to provide a RADIUS server with preferred IP addresses when performing subscriber authentication, perform the task described in Table 9.
Task | Root Command | Notes |
---|---|---|
Enable the SmartEdge router to provide the RADIUS server with preferred IP addresses from unnamed IP pools. |  | Enter this command in context configuration mode. |
To change the default order for determining the IP address (and its interface) to be used for binding a subscriber circuit, perform the task in Table 10.
Task | Root Command | Notes |
---|---|---|
Change the default order for determining the IP address for binding a subscriber circuit. |  | Enter this command in context configuration mode. |
To configure global RADIUS authentication, perform the tasks described in Table 11.
Task | Root Command | Notes |
---|---|---|
Enable global RADIUS authentication. |  | Enter this command in global configuration mode. At least one RADIUS server IP address or hostname must be configured in the local context; for more information, see Configuring RADIUS. |
Authenticate subscribers in the current context through one or more RADIUS servers with IP addresses or hostnames configured in the local context. |  | Enter this command in context configuration mode. Use the global keyword with this command. |
To authenticate subscribers using one or more RADIUS servers with IP addresses or hostnames configured in the current context, perform the task described in Table 12.
Task | Root Command | Notes |
---|---|---|
Configure context-specific RADIUS authentication. |  | Enter this command in context configuration mode. Use the radius keyword with this command to configure RADIUS authentication. At least one RADIUS server IP address or hostname must be configured in the current context; for more information, see Configuring RADIUS. |
To authenticate subscribers through the SmartEdge router configuration, perform the task described in Table 13.
Task | Root Command | Notes |
---|---|---|
Configure SmartEdge router configuration authentication. |  | Enter this command in context configuration mode. Use the local keyword with this command to configure RADIUS authentication. |
Enable AAA to authenticate subscribers through the SmartEdge router local database. Subscribers are authenticated according to parameters set in the subscriber profile for the current context. In the subscriber local context, to configure an interface as a DHCPv6 interface, AAA must be enabled to provide subscriber authentication. To authenticate subscribers through a DHCPv6 server, perform the tasks described in Table 14.
Task | Root Command | Notes |
---|---|---|
Configure an interface to be a DHCPv6 server interface. | dhcpv6 server interface | The DHCPv6 server uses the primary IPv6 address of the interface as the server IP address. |
Enable AAA to authenticate subscribers through the SmartEdge router local database or RADIUS. | aaa authentication subscriber local or aaa authentication subscriber radius | Subscribers are authenticated according to parameters set in the subscriber profile for the current context. |
When the SmartEdge router is configured to provide dual-stack and IPv6 subscriber services, DHCPv6 requests AAA for prefix delegation. In response to the DHCPv6 request, AAA returns one or more prefixes. For more information on DHCPv6 configuration, refer to Configuring DHCP. For an example of an end-to-end IPv6 configuration to see where AAA subscriber authentication is required, refer to Configuring IPv6 Subscriber Services.
To configure context-specific RADIUS authentication, followed by global RADIUS authentication, perform the tasks described in Table 15.
Task | Root Command | Notes |
---|---|---|
Enable global RADIUS authentication. |  | Enter this command in global configuration mode. At least one RADIUS server IP address or hostname must be configured in the local context; for more information, see Configuring RADIUS. |
Configure context-specific RADIUS followed by global RADIUS authentication. |  | Enter this command in context configuration mode. Use the radius global construct with this command. |
To authenticate subscribers using one or more RADIUS servers with IPv4 addresses or hostnames configured in the current context, followed by the SmartEdge router, perform the task described in Table 16.
Task | Root Command | Notes |
---|---|---|
Configure context-specific RADIUS authentication, followed by SmartEdge router configuration authentication. |  | Enter this command in context configuration mode. Use the radius keyword followed by the local keyword with this command. At least one RADIUS server IP address or hostname must be configured in the current context; for more information, see Configuring RADIUS. |
To specify a context to attempt authentication of a subscriber when the domain portion of the subscriber name cannot be matched, perform the task described in Table 17.
Task | Root Command | Notes |
---|---|---|
Configure a last-resort authentication context. |  | Enter this command in global configuration mode. |
To disable authentication of subscribers in the current context, perform the task described in Table 18.
Task | Root Command | Notes |
---|---|---|
Disable subscriber authentication. |  | Enter this command in context configuration mode. Use the none keyword with this command if subscriber authentication is not required, such as when Dynamic Host Configuration Protocol (DHCP) is used to obtain IPv4 addresses for subscriber hosts. |

Caution!
Risk of security breach. If you disable subscriber authentication, individual subscriber names and passwords are not authenticated by the SmartEdge router, so IP routes and ARP entries within individual subscriber records are not installed. To reduce the risk, verify your network security setup before disabling subscriber authentication.
To configure authorization and reauthorization, perform the tasks described in the following sections.
To specify that commands with a matching privilege level (or higher) require authorization through TACACS+, perform the task described in Table 19.
Task | Root Command | Notes |
---|---|---|
Configure CLI commands authorization. |  | Enter this command in context configuration mode. A TACACS+ server must be configured in the specified context; for more information, see Configuring TACACS+. |
To determine whether L2TP peers are authorized by the SmartEdge router (local) configuration or by a RADIUS server, perform the task described in Table 20.
Task | Root Command | Notes |
---|---|---|
Configure L2TP peer authorization. |  | Enter this command in context configuration mode. By default, L2TP peers are authorized through the SmartEdge router configuration. |
To configure dynamic subscriber reauthorization, perform the task described in Table 21.
Task | Root Command | Notes |
---|---|---|
Configure dynamic subscriber reauthorization. |  | Enter this command in context configuration mode. |
For reauthorization to take effect, vendor VSA 94 provided by Ericsson AB, Reauth-String, must be configured on the RADIUS server. Vendor VSA 95, Reauth-More, is only needed if multiple reauthorization records are used for one command; for example, if you have the following records, the reauthorize bulk 1 command causes the RADIUS server to process reauthorization for reauth-1@local followed by reauth-2@local:
```
reauth-1@local Password="redback"
    Reauth-String="ID-type;subID;attr-num;attr-value;attr-num;attr-value...
    Reauth-More=1
reauth-2@local Password="redback"
    Reauth-String="ID-type;subID;attr-num;attr-value;attr-num;attr-value...
```

```
Reauth_String
    Attribute number: 94
    Value: String
    Format: "xxx"*
    Send in Access-Request packet: No
    Send in Accounting-Request packet: No
    Receivable in Access-Request packet: Yes
    Description: (SE)
    * Format for Reauth String
      "type;sub_id;attr#;attr_val;attr#;;attr#;attr_val;..."
      (vsa_attr: vid-vsa_attr_#)

Reauth_More
    Attribute number: 95
    Value: integer
    Format: 1
    Send in Access-Request packet: No
    Send in Accounting-Request packet: No
    Receivable in Access-Request packet: Yes
    Description: More reauth request is needed (SE)
```
For a list of the standard RADIUS attributes and vendor-specific attributes (VSAs) that are supported as part of the Reauth-String and details about them, see RADIUS Attributes.
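A validator for the Reauth-String layout and the Reauth-More chaining described above, added here as an example (it is not Ericsson code), useful for checking reauthorization records before they are loaded on the RADIUS server. It assumes values contain no ";" and that chained records are named reauth-N@context with N increasing by one, as in the two-record example; the records, ID-type, subscriber IDs and vendor ID 9999 are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


class ReauthFormatError(ValueError):
    """Raised when a record does not match the documented Reauth-String layout."""


@dataclass(frozen=True)
class Attr:
    vendor_id: Optional[int]   # None for a standard RADIUS attribute
    number: int
    value: str                 # may be empty: the format line shows "attr#;;"


@dataclass(frozen=True)
class Reauth:
    id_type: str
    sub_id: str
    attrs: Tuple[Attr, ...]


def _attr_number(token: str) -> Tuple[Optional[int], int]:
    """Split 'N' (standard attribute) or 'vid-N' (VSA) into (vendor_id, number)."""
    vendor, dash, number = token.partition("-")
    try:
        vid, num = (int(vendor), int(number)) if dash else (None, int(token))
    except ValueError:
        raise ReauthFormatError(f"bad attribute number {token!r}") from None
    # RADIUS attribute and VSA sub-attribute types are one octet; 0 is not usable.
    if not 1 <= num <= 255 or (vid is not None and vid <= 0):
        raise ReauthFormatError(f"attribute number out of range {token!r}")
    return vid, num


def parse_reauth_string(text: str) -> Reauth:
    """Parse 'type;sub_id;attr#;attr_val;attr#;attr_val;...'."""
    fields = text.split(";")
    if len(fields) < 4:
        raise ReauthFormatError("need type;sub_id and at least one attr#;attr_val pair")
    id_type, sub_id, rest = fields[0], fields[1], fields[2:]
    if not id_type or not sub_id:
        raise ReauthFormatError("empty type or sub_id")
    if len(rest) % 2:
        raise ReauthFormatError("attribute number without a value field")
    attrs = tuple(Attr(*_attr_number(n), v) for n, v in zip(rest[::2], rest[1::2]))
    return Reauth(id_type, sub_id, attrs)


def bulk_chain(records: dict, index: int, context: str = "local"):
    """Follow Reauth-More=1 from reauth-<index>@<context>.

    Returns [(record_name, Reauth), ...] in processing order and raises if a
    record sets Reauth-More=1 but the next numbered record does not exist.
    """
    out = []
    while True:
        name = f"reauth-{index}@{context}"
        if name not in records:
            raise ReauthFormatError(f"{name} is missing (dangling Reauth-More or bad start)")
        record = records[name]
        out.append((name, parse_reauth_string(record["Reauth-String"])))
        if record.get("Reauth-More") != 1:
            return out
        index += 1


# Constructed sample records (all values made up for this example).
RECORDS = {
    "reauth-1@local": {
        "Reauth-String": "username;janet@AAA_local;11;example-filter;9999-1;",
        "Reauth-More": 1,
    },
    "reauth-2@local": {
        "Reauth-String": "username;rene@AAA_radius;11;example-filter",
    },
}

if __name__ == "__main__":
    for name, parsed in bulk_chain(RECORDS, 1):
        print(name, parsed.sub_id, parsed.attrs)
```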
To configure accounting, perform the tasks described in the following sections.
To specify that accounting messages are sent to a TACACS+ server whenever an administrator enters commands at the specified privilege level (or higher), perform the task described in Table 22.
Task | Root Command | Notes |
---|---|---|
Configure CLI commands accounting. |  | Enter this command in context configuration mode. A TACACS+ server must be configured in the specified context; see Configuring TACACS+. |
To enable accounting messages for administrator sessions to be sent to the TACACS+ server, perform the task described in Table 23.
Task | Root Command | Notes |
---|---|---|
Configure administrator accounting. |  | Enter this command in context configuration mode. A TACACS+ server must be configured in the specified context; see Configuring TACACS+. |
To configure subscriber accounting, perform the tasks described in the following sections.
To configure global subscriber accounting, perform the tasks described in Table 24.
Task | Root Command | Notes |
---|---|---|
Enable global subscriber session accounting messages. |  | Enter this command in global configuration mode. Accounting messages for subscriber sessions in all contexts are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context. |
Enable global subscriber session accounting update messages. |  | Enter this command in global configuration mode. Updated accounting records for subscriber sessions in all contexts are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context. |
Enable global accounting messages for the reauthorize command. |  | Enter this command in global configuration mode. Accounting messages for the reauthorize command issued in any context are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context. |
Enable global accounting messages for subscriber session DHCP lease, reauthorization events, or ANCP events. |  | Enter this command in global configuration mode. Accounting updates for DHCP lease, reauthorization events, or ANCP events for subscriber sessions in all contexts are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context. |
To configure context-specific subscriber accounting, perform the tasks described in Table 25. Enter all commands in context configuration mode.
Task | Root Command | Notes |
---|---|---|
Enable context-specific subscriber accounting messages. |  | Accounting messages for subscriber sessions in the current context are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. |
Enable context-specific subscriber session accounting update messages. |  | Sends updated accounting records for subscriber sessions in the current context to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. |
Enable context-specific accounting messages for the reauthorize command. |  | Accounting messages for the reauthorize command used in the current context are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. |
Enable context-specific accounting messages for DHCP lease, reauthorization information, or ANCP events. |  | Accounting messages for DHCP lease, reauthorization information, or ANCP events for subscriber sessions in the current context are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. |
Suppress accounting messages when subscriber sessions cannot be established. |  | Accounting messages are not sent to the RADIUS server when subscriber sessions cannot be established due to an authentication problem, a changed IP address, and so on. |
Two-stage accounting collects RADIUS accounting data on both global RADIUS servers and context-specific RADIUS servers.
To configure two-stage accounting for subscriber sessions, perform the tasks in Configure Subscriber Accounting and Configure Context-Specific Subscriber Accounting.
To configure L2TP accounting, perform the tasks described in the following sections.
To configure global L2TP accounting, perform the task described in Table 26.
Task | Root Command | Notes |
---|---|---|
Configure global L2TP accounting. |  | Enter this command in global configuration mode. For all contexts, accounting messages for L2TP tunnels, or sessions in L2TP tunnels, are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the local context. |
To configure context-specific L2TP accounting, perform the task described in Table 27.
Task | Root Command | Notes |
---|---|---|
Configure context-specific L2TP accounting. |  | Enter this command in context configuration mode. For the current context, accounting messages for L2TP tunnels, or sessions in L2TP tunnels, are sent to one or more RADIUS accounting servers with IP addresses or hostnames configured in the same context. |
Two-stage accounting collects RADIUS accounting data on both global RADIUS accounting servers and context-specific RADIUS accounting servers.
To configure two-stage accounting for subscriber sessions, perform the tasks in Configure Global L2TP Accounting and Configure Context-Specific L2TP Accounting.
To administer and troubleshoot AAA features, perform the appropriate AAA operations task in Table 28. Enter all commands in exec mode.
Task | Root Command |
---|---|
Enable the generation of AAA debug messages. |  |
Modify a subscriber attribute in real time during an active session, using the CLI. |  |
Modify a subscriber attribute in real time during an active session, using the RADIUS authentication process. |  |
Test the communications link to a RADIUS server. |  |
The following sections provide AAA configuration examples.
You can configure subscriber authentication in several different ways. For example, different subscribers can be authenticated by different RADIUS servers in distinct contexts.
In the following example, subscriber janet in the AAA_local context is authenticated by the configuration in that context; subscriber rene in the AAA_radius context is authenticated by the RADIUS server in that context; and subscriber kevin in the AAA_global context is authenticated by the RADIUS server in the local context:
```
[local]Redback(config)#aaa global authentication subscriber radius context local
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 10.1.1.1 key TopSecret
.
.
.
[local]Redback(config)#context AAA_local
[local]Redback(config-ctx)#aaa authentication subscriber local
[local]Redback(config-ctx)#interface corpA multibind
[local]Redback(config-if)#ip address 10.1.3.30 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#subscriber name janet
[local]Redback(config-sub)#password dragon
[local]Redback(config-sub)#ip address 10.1.3.30 255.255.255.0
[local]Redback(config-sub)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 1 100 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber janet@AAA_local password dragon
.
.
.
[local]Redback(config)#context AAA_radius
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#radius server 10.2.2.2 key TopSecret
[local]Redback(config-ctx)#interface corpB multibind
[local]Redback(config-if)#ip address 10.2.4.40 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 2 200 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber rene@AAA_radius password tiger
.
.
.
[local]Redback(config)#context AAA_global
[local]Redback(config-ctx)#aaa authentication subscriber global
[local]Redback(config-ctx)#interface corpC multibind
[local]Redback(config-if)#ip address 10.3.5.50 255.255.255.0
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#exit
[local]Redback(config)#port atm 6/1
[local]Redback(config-atm-oc)#atm pvc 3 300 profile ubr encapsulation bridge1483
[local]Redback(config-atm-pvc)#bind subscriber kevin@AAA_global password lion
```
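An audit of a configuration transcript for the subscriber-authentication conditions this guide states: authentication disabled with the none keyword, the radius method with no RADIUS server in the same context, and the global method without global RADIUS authentication enabled or without a RADIUS server in the local context. This is an added example, not Ericsson code; it assumes the transcript uses the prompt form shown in the example above, the `aaa authentication subscriber none` line is assembled from the guide's description of the none keyword, and the sample transcript (contexts AAA_open and AAA_fallback, the key value) is constructed.

```python
import re

# Prompt form used in the guide's examples: [local]Redback(config-ctx)#command
PROMPT = re.compile(r"^\[[^\]]*\]\S*?\((?P<mode>[\w-]+)\)#\s*(?P<cmd>.*)$")
AUTH_CMD = "aaa authentication subscriber "
GLOBAL_CMD = "aaa global authentication subscriber radius"

# Constructed sample transcript; AAA_open, AAA_fallback and the key are made up.
SAMPLE = """\
[local]Redback(config)#aaa global authentication subscriber radius context local
[local]Redback(config)#context local
[local]Redback(config-ctx)#radius server 10.1.1.1 key EXAMPLE-KEY
. . .
[local]Redback(config)#context AAA_radius
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config)#context AAA_global
[local]Redback(config-ctx)#aaa authentication subscriber global
[local]Redback(config)#context AAA_open
[local]Redback(config-ctx)#aaa authentication subscriber none
[local]Redback(config)#context AAA_fallback
[local]Redback(config-ctx)#aaa authentication subscriber radius local
[local]Redback(config-ctx)#radius server 10.2.2.2 key EXAMPLE-KEY
"""


def parse(transcript):
    """Return (contexts, global_enabled) from a prompt-style CLI transcript."""
    contexts = {}          # name -> {"methods": [...], "radius_servers": [...]}
    current = None
    global_enabled = False
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue       # separators such as ". . ." and blank lines
        mode, cmd = m["mode"], m["cmd"].strip()
        if mode == "config":
            if cmd.startswith("context "):
                current = cmd.split()[1]
                contexts.setdefault(current, {"methods": [], "radius_servers": []})
            elif cmd.startswith(GLOBAL_CMD):
                global_enabled = True
        elif mode == "config-ctx" and current is not None:
            if cmd.startswith(AUTH_CMD):
                # Methods are tried in the order given, e.g. "radius local".
                contexts[current]["methods"] = cmd[len(AUTH_CMD):].split()
            elif cmd.startswith("radius server "):
                contexts[current]["radius_servers"].append(cmd.split()[2])
    return contexts, global_enabled


def audit(transcript):
    """Return [(context, finding), ...] in the order contexts appear."""
    contexts, global_enabled = parse(transcript)
    local_servers = contexts.get("local", {}).get("radius_servers", [])
    findings = []
    for name, ctx in contexts.items():
        methods = ctx["methods"]
        if "none" in methods:
            findings.append((name, "subscriber authentication disabled (none)"))
        if "radius" in methods and not ctx["radius_servers"]:
            findings.append((name, "radius method but no RADIUS server in this context"))
        if "global" in methods and not global_enabled:
            findings.append((name, "global method but global RADIUS authentication not enabled"))
        if "global" in methods and not local_servers:
            findings.append((name, "global method but no RADIUS server in local context"))
    return findings


if __name__ == "__main__":
    for context, finding in audit(SAMPLE):
        print(f"{context}: {finding}")
```

A context with no `aaa authentication subscriber` line produces no finding, because the guide states that the router configuration performs subscriber authentication by default.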
The following example enables RADIUS reauthorization for subscriber circuits and accounting messages:
```
[local]Redback(config-ctx)#radius server 10.10.11.12 key redback
[local]Redback(config-ctx)#radius attribute nas-ip-address interface loop1
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#aaa accounting subscriber radius
[local]Redback(config-ctx)#aaa accounting reauthorization subscriber radius
[local]Redback(config-ctx)#aaa update subscriber 10
[local]Redback(config-ctx)#aaa accounting event reauthorization
[local]Redback(config-ctx)#aaa reauthorization bulk radius
[local]Redback(config-ctx)#radius accounting server 10.10.11.2 key redback
```