Cisco ASA Series Firewall CLI Configuration Guide
Chapter 10 Inspection for Management Application Protocols
RADIUS Accounting Inspection
Procedure

Step 1  Create a RADIUS accounting inspection policy map:

    hostname(config)# policy-map type inspect radius-accounting policy_map_name
    hostname(config-pmap)#

Where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.

Step 2  (Optional) Add a description to the policy map.

    hostname(config-pmap)# description string

Step 3  Enter parameters configuration mode.

    hostname(config-pmap)# parameters
    hostname(config-pmap-p)#
Step 4  Set one or more parameters. You can set the following options; use the no form of the command to disable the option.

• send response—Instructs the ASA to send Accounting-Request Start and Stop messages to the sender of those messages (which are identified in the host command).

• enable gprs—Implement GPRS over-billing protection. The ASA checks for the 3GPP VSA 26-10415 attribute in the Accounting-Request Stop and Disconnect messages in order to properly handle secondary PDP contexts. If this attribute is present, then the ASA tears down all connections that have a source IP matching the User IP address on the configured interface.

• validate-attribute number—Additional criteria to use when building a table of user accounts when receiving Accounting-Request Start messages. These attributes help when the ASA decides whether to tear down connections.

If you do not specify additional attributes to validate, the decision is based solely on the IP address in the Framed IP Address attribute. If you configure additional attributes, and the ASA receives a start accounting message that includes an address that is currently being tracked, but the other attributes to validate are different, then all connections started using the old attributes are torn down, on the assumption that the IP address has been reassigned to a new user.

Values range from 1-191, and you can enter the command multiple times. For a list of attribute numbers and their descriptions, see http://www.iana.org/assignments/radius-types.

• host ip_address [key secret]—The IP address of the RADIUS server or GGSN. You can optionally include a secret key so that the ASA can validate the message. Without the key, only the IP address is checked. You can repeat this command to identify multiple RADIUS servers and GGSNs. The ASA receives a copy of the RADIUS accounting messages from these hosts.

• timeout users time—Sets the idle timeout for users (in hh:mm:ss format). To have no timeout, specify 00:00:00. The default is one hour.
Example

    policy-map type inspect radius-accounting radius-acct-pmap
     parameters
      send response
      enable gprs
      validate-attribute 31
      host 10.2.2.2 key 123456789
      host 10.1.1.1 key 12345
    class-map type management radius-class
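The two checks the Step 4 parameters describe, validating an accounting message against a shared secret (host ... key) and deciding on teardown from a user table keyed by Framed-IP-Address plus any validate-attribute values, can be modelled outside the firewall. The following Python script is an added example, not Cisco's code or the ASA's implementation. It builds and verifies RFC 2866 Accounting-Request packets, where the Request Authenticator is the MD5 of the packet header, sixteen zero bytes, the attributes and the shared secret, and keeps a table in the same spirit as the text: Framed-IP-Address (attribute 8) as the key, Calling-Station-Id (attribute 31, as in the example) as the extra validated attribute. The AccountingInspector class, its process method, the teardown-on-Stop behaviour and all packet contents are constructed assumptions for illustration.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# RFC 2866 code and attribute numbers from the IANA radius-types registry
ACCOUNTING_REQUEST = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def decode_attributes(payload):
    """Decode RADIUS TLVs into (type, value) pairs, rejecting truncated or malformed entries."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def build_accounting_request(identifier, attrs, secret):
    """Accounting-Request whose authenticator is MD5(code|id|length|16 zero bytes|attrs|secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Return the decoded attributes if the authenticator checks out under `secret`, else None."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return decode_attributes(packet[20:])


class AccountingInspector:
    """Hypothetical model of the user table: Framed-IP-Address -> validated attribute values."""

    def __init__(self, validate_attributes=()):
        self.validate_attributes = tuple(validate_attributes)
        self.users = {}

    def process(self, attrs):
        """Apply one verified Accounting-Request; return the user IPs whose connections are torn down."""
        by_type = {}
        for attr_type, value in attrs:
            by_type.setdefault(attr_type, value)
        status, ip_raw = by_type.get(ATTR_ACCT_STATUS_TYPE), by_type.get(ATTR_FRAMED_IP_ADDRESS)
        if status is None or len(status) != 4 or ip_raw is None or len(ip_raw) != 4:
            return []  # nothing to key the table on
        ip = str(IPv4Address(ip_raw))
        extra = tuple(by_type.get(t) for t in self.validate_attributes)
        status_type = struct.unpack("!I", status)[0]
        if status_type == ACCT_START:
            # Same address, different validated attributes: assume it was reassigned to a new user
            torn_down = [ip] if ip in self.users and self.users[ip] != extra else []
            self.users[ip] = extra
            return torn_down
        if status_type == ACCT_STOP:
            # Session ended: forget the user (assumed here to also drop its remaining connections)
            return [ip] if self.users.pop(ip, None) is not None else []
        return []


def demo():
    """Constructed traffic: two Starts for one address from different stations, then a wrong secret."""
    secret = b"12345"  # constructed, echoing the 'host 10.1.1.1 key 12345' line of the example
    ip = IPv4Address("192.0.2.10").packed
    starts = [
        build_accounting_request(n, [
            (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
            (ATTR_FRAMED_IP_ADDRESS, ip),
            (ATTR_CALLING_STATION_ID, station),
        ], secret)
        for n, station in ((1, b"00-11-22-33-44-55"), (2, b"66-77-88-99-AA-BB"))
    ]
    with_validate = AccountingInspector(validate_attributes=[ATTR_CALLING_STATION_ID])
    ip_only = AccountingInspector()
    return {
        "validate-attribute 31": [with_validate.process(verify_accounting_request(p, secret)) for p in starts],
        "ip only": [ip_only.process(verify_accounting_request(p, secret)) for p in starts],
        "wrong secret": verify_accounting_request(starts[0], b"not-the-key"),
    }


if __name__ == "__main__":
    print(demo())
```

With validate-attribute 31 configured, the second Start for 192.0.2.10 from a different calling station tears down the first user's connections; with only the IP address checked, the same packet changes nothing. The packet signed with the wrong secret never reaches the table, which is the point of giving the host command a key.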