10-12
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 10 Inspection for Management Application Protocols
RADIUS Accounting Inspection
RADIUS Accounting Inspection Overview
The purpose of RADIUS accounting inspection is to prevent over-billing attacks on GPRS networks that
use RADIUS servers. Although you do not need the GTP/GPRS license to implement RADIUS
accounting inspection, it has no purpose unless you are implementing GTP inspection and you have a
GPRS setup.
The over-billing attack in GPRS networks results in consumers being billed for services that they have
not used. In this case, a malicious attacker sets up a connection to a server and obtains an IP address from
the SGSN. When the attacker ends the call, the malicious server will still send packets to it, which gets
dropped by the GGSN, but the connection from the server remains active. The IP address assigned to the
malicious attacker gets released and reassigned to a legitimate user who will then get billed for services
that the attacker will use.
RADIUS accounting inspection prevents this type of attack by ensuring the traffic seen by the GGSN is
legitimate. With the RADIUS accounting feature properly configured, the ASA tears down a connection
based on matching the Framed IP attribute in the Radius Accounting Request Start message with the
Radius Accounting Request Stop message. When the Stop message is seen with the matching IP address
in the Framed IP attribute, the ASA looks for all connections with the source matching the IP address.
You have the option to configure a secret pre-shared key with the RADIUS server so the ASA can
validate the message. If the shared secret is not configured, the ASA will only check that the source IP
address is one of the configured addresses allowed to send the RADIUS messages.
Note
When using RADIUS accounting inspection with GPRS enabled, the ASA checks for the
3GPP-Session-Stop-Indicator in the Accounting Request STOP messages to properly handle secondary
PDP contexts. Specifically, the ASA requires that the Accounting Request STOP messages include the
3GPP-SGSN-Address attribute before it will terminate the user sessions and all associated connections.
Some third-party GGSNs might not send this attribute by default.
Configure RADIUS Accounting Inspection
RADIUS accounting inspection is not enabled by default. You must configure it if you want RADIUS
accounting inspection.
Procedure
Step 1
Configure a RADIUS Accounting Inspection Policy Map, page 10-12
.
Step 2
Configure the RADIUS Accounting Inspection Service Policy, page 10-14
.
Configure a RADIUS Accounting Inspection Policy Map
You must create a RADIUS accounting inspection policy map to configure the attributes needed for the
inspection.
Содержание ASA 5512-X
Страница 5: ...P A R T 1 Service Policies and Access Control ...
Страница 6: ......
Страница 50: ...3 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Access Rules History for Access Rules ...
Страница 51: ...P A R T 2 Network Address Translation ...
Страница 52: ......
Страница 126: ...5 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 NAT Examples and Reference DNS and NAT ...
Страница 127: ...P A R T 3 Application Inspection ...
Страница 128: ......
Страница 255: ...P A R T 4 Connection Settings and Quality of Service ...
Страница 256: ......
Страница 288: ...12 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Quality of Service History for QoS ...
Страница 303: ...P A R T 5 Advanced Network Protection ...
Страница 304: ......
Страница 339: ...P A R T 6 ASA Modules ...
Страница 340: ......
Страница 398: ...17 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 ASA CX Module History for the ASA CX Module ...