Ошибка max failed skip attempts

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes
when you use RADIUS or TACACS+, use the
aaa
accounting command in global configuration mode or template configuration mode. To disable AAA accounting, use the
no form of this command.

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

no aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

Syntax Description

Command Default

AAA accounting is disabled.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

General Information

Use the
aaa
accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface
basis.

The table below contains descriptions of keywords for AAA accounting methods.

Table 1. aaa accounting Methods

In the table above, the
group
radius and
group
tacacs
+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the
radius-server
host and
tacacs-server
host commands to configure the host servers. Use the
aaa
group
server
radius and
aaa
group
server
tacacs+ commands to create a named group of servers.

Cisco IOS software supports the following two methods of accounting:

• RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records.
  Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

• TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records.
  Each accounting record contains accounting AV pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate
a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create
a list by entering values for the
list-name argument where
list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method list
keywords to identify the methods to be tried in sequence as given.

If the
aaa
accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically
applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly
defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting
takes place.

Note	System accounting does not use named accounting lists; you can define the default list only for system accounting.

For minimal accounting, include the
stop-only keyword to send a “stop” accounting record for all cases including authentication failures. For more accounting, you can
include the
start-stop keyword, so that RADIUS or TACACS+ sends a “start” accounting notice at the beginning of the requested process and a “stop”
accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The
none keyword disables accounting services for the specified line or interface.

To specify an accounting configuration for a particular VRF, specify a default system accounting method list, and use the
vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless VRF is specified.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs
pertinent to the connection, depending on the security method you have implemented. The network access server reports these
attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported
RADIUS accounting attributes, see the appendix “RADIUS Attributes” in the
Cisco IOS Security Configuration Guide . For a list of supported TACACS+ accounting AV pairs, see the appendix “TACACS+ Attribute-Value Pairs” in the
Cisco IOS Security Configuration Guide .

Note	This command cannot be used with TACACS or extended TACACS.

Cisco Service Selection Gateway Broadcast Accounting

To configure Cisco Service Selection Gateway (SSG) broadcast accounting, use ssg_broadcast_accounting for the
list-name argument. For more information about configuring SSG, see the chapter “Configuring Accounting for SSG” in the
Cisco IOS Service Selection Gateway Configuration Guide , Release 12.4.

Layer
2
LAN
Switch
Port

You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages
and time stamps. To turn on these functions, enable logging of “Update/Watchdog packets from this AAA client” in your RADIUS
server Network Configuration tab. Next, enable “CVS RADIUS Accounting” in your RADIUS server System Configuration tab.

You must enable AAA before you can enter the
aaa
accounting command. To enable AAA and 802.1X (port-based authentication), use the following global configuration mode commands:

• 
  aaa
  new-model
  

• 
  aaa
  authentication
  dot1x
  default
  group
  radius
  

• 
  dot1x
  system-auth-control
  

Use the
show
radius
statistics command to display the number of RADIUS messages that do not receive the accounting response message.

Use the
aaa
accounting
system
default
start-stop
group
radius command to send “start” and “stop” accounting records after the router reboots. The “start” record is generated while the
router is booted and the stop record is generated while the router is reloaded.

The router generates a “start” record to reach the AAA server. If the AAA server is not reachable, the router retries sending
the packet four times. The retry mechanism is based on the exponential backoff algorithm. If there is no response from the
AAA server, the request will be dropped.

Establishing a Session with a Router if the AAA Server Is Unreachable

The
aaa
accounting
system
guarantee-first command guarantees system accounting as the first record, which is the default condition. In some situations, users may be
prevented from starting a session on the console or terminal connection until after the system reloads, which can take more
than three minutes.

To establish a console or telnet session with the router if the AAA server is unreachable when the router reloads, use the

no
aaa
accounting
system
guarantee-first
start-stop
radius
command.

Note	Entering the no aaa accounting system guarantee-first command is not the only condition by which the console or telnet session can be started. For example, if the privileged EXEC session is being authenticated by TACACS and the TACACS server is not reachable, then the session cannot start.

Examples

The following example shows how to define a default command accounting method list, where accounting services are provided
by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction:

aaa accounting commands 15 default stop-only group tacacs+

The following example shows how to defines a default auth-proxy accounting method list, where accounting services are provided
by a TACACS+ security server with a start-stop restriction. The aaa
accounting command activates authentication proxy accounting.

aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+

The following example shows how to define a default system accounting method list, where accounting services are provided
by RADIUS security server “server1” with a start-stop restriction. The
aaa
accounting command specifies accounting for vrf “vrf1.”

aaa accounting system default vrf vrf1 start-stop group server1

The following example shows how to define a default IEEE 802.1x accounting method list, where accounting services are provided
by a RADIUS server. The
aaa
accounting command activates IEEE 802.1x accounting.

aaa new model
aaa authentication dot1x default group radius
aaa authorization dot1x default group radius
aaa accounting dot1x default start-stop group radius

The following example shows how to enable network accounting and send tunnel and tunnel-link accounting records to the RADIUS
server. (Tunnel-Reject and Tunnel-Link-Reject accounting records are automatically sent if either start or stop records are
configured.)

aaa accounting network tunnel start-stop group radius
aaa accounting network session start-stop group radius

The following example shows how to enable IEEE 802.1x accounting:

aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius

Related Commands

To enable authentication, authorization, and accounting (AAA) accounting when you are using RADIUS for Secure Socket Layer
Virtual Private Network (SSL VPN) sessions, use the aaa accounting-list command in global configuration mode. To disable the AAA accounting, use the no form of this command.

aaa accounting-list aaa-list

no aaa accounting-list aaa-list

Syntax Description

Command Default

AAA accounting is not enabled.

Command Modes

Global configuration

Command History

Usage Guidelines

Before configuring this command, ensure that the AAA accounting list has already been configured under global configuration.

Examples

The following example shows that AAA accounting has been configured for an SSL VPN session:

Router (config)# aaa accounting-list aaalist1

Related Commands

To enable AAA accounting for IPsec sessions, use the
aaa accounting command in IKEv2 profile configuration mode. To disable AAA accounting, use the
no form of this command.

aaa accounting {psk | cert | eap} list-name

no aaa accounting {psk | cert | eap} list-name

Syntax Description

Command Default

AAA accounting is disabled.

Command Modes

IKEv2 profile configuration (config-ikev2-profile)

Command History

Usage Guidelines

Use the
aaa
accounting command to enable and specify the method list for AAA accounting for IPsec sessions. The
aaa
accounting command can be specific to an authentication method or common to all authentication methods, but not both at the same time.
If no method list is specified, the list is common across authentication methods.

Examples

The following example defines an AAA accounting configuration common to all authentication methods:

Router(config-ikev2-profile)# aaa accounting common-list1

The following example configures an AAA accounting for each authentication method:

Router(config-ikev2-profile)# aaa accounting psk psk-list1
Router(config-ikev2-profile)# aaa accounting cert cert-list1
Router(config-ikev2-profile)# aaa accounting eap eap-list1

Related Commands

To define the accounting method list H.323 using RADIUS as a method with either stop-only or start-stop accounting options, use the aaa accounting connection h323 command in global configuration mode. To disable the use of this accounting method list, use the no form of this command.

aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

no aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

Syntax Description

Command Default

No accounting method list is defined.

Command Modes

Global configuration

Command History

Usage Guidelines

This command creates a method list called h323 and is applied by default to all voice interfaces if the gw-accounting h323 command is also activated.

Examples

The following example enables authentication, authorization, and accounting (AAA) services, gateway accounting services, and
defines a connection accounting method list (h323). The h323 accounting method lists specifies that RADIUS is the security
protocol that will provide the accounting services, and that the RADIUS service will track start-stop records.

aaa new model
gw-accounting h323
aaa accounting connection h323 start-stop group radius

Related Commands

To delay the
generation of accounting start records until the user IP address is
established, use the
aaa
accounting
delay-start command in global configuration mode.
To disable this functionality, use the
no form of this
command.

aaa accounting delay-start [all] [vrf vrf-name] [extended-delay delay-value]

no aaa accounting delay-start [all] [vrf vrf-name] [extended-delay delay-value]

Syntax Description

Command Default

Accounting records
are not delayed.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

Use the
aaa
accounting
delay-start command to delay the generation of
accounting start records until the IP address of the user has been established.
Use the
vrf
vrf-name keyword and argument to delay accounting
start records for individual VPN routing and forwarding (VRF) users or use the
all keyword
for all VRF and non-VRF users.

Note

The aaa accounting delay-start command applies only to non-VRF users. If you have a mix of VRF and non-VRF users, configure the aaa accounting delay-start (for non-VRF users), aaa accounting delay-start vrf vrf-name (for VRF users), or aaa accounting delay-start all (for all VRF and non-VRF users) command.

Use the
aaa
accounting
delay-start
extended-delay
delay-value command in the following two
scenarios:

• The user is a
  dual-stack (IPv4 or IPv6) subscriber.

• The IP address
  is from a local pool and not from the RADIUS server.

Note	It is mandatory that you configure the aaa accounting delay-start command before you configure the aaa accounting delay-start extended-delay command.

In both scenarios,
the IPCPv6 address is initialized first and the IPCPv4 address is initialized
after a few milliseconds. Use the
aaa
accounting
delay-start
extended-delay
delay-value command to delay the accounting start
records for the configured time (in seconds) after the IPCPv6 address is sent
to the RADIUS server. During this configured delay time, the IPCPv4 address is
sent and the Framed-IP-Address attribute is added to the accounting start
record. If the IPCPv4 address is not sent in the configured delay time, the
accounting start record is sent without the Framed-IP-Address attribute.

Examples

The following
example shows how to delay accounting start records until the IP address of the
user is established:

aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start
radius-server host 192.0.2.1 non-standard
radius-server key rad123

The following
example shows that accounting start records are to be delayed to all VRF and
non-VRF users:

aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start all
radius-server host 192.0.2.1 non-standard
radius-server key rad123

The following
example shows how to delay accounting start records for 2 seconds when the user
is a dual-stack subscriber:

aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start
aaa accounting delay-start extended-delay 2
radius-server host 192.0.2.1 non-standard
radius-server key rad123

Related Commands

To enable authentication, authorization, and accounting (AAA) 64-bit, high-capacity counters, use the aaa accounting gigawords command in global configuration mode. To disable the counters, use the no form of this command. (Note that gigaword support is automatically configured unless you unconfigure it using the no form of the command.)

aaa accounting gigawords

no aaa accounting gigawords

Syntax Description

This command has no arguments or keywords.

Command Default

If this command is not configured, the 64-bit, high-capacity counters that support RADIUS attributes 52 and 53 are automatically
enabled.

Command Modes

Global configuration

Command History

Usage Guidelines

The AAA high-capacity counter process takes approximately 8 percent CPU memory for 24,000 (24 K) sessions running under steady
state.

If you have entered the no form of this command to turn off the 64-bit counters and you want to reenable them, you will need to enter the aaa accounting gigawords command. Also, once you have entered the no form of the command , it takes a reload of the router to actually disable the use of the 64-bit counters.

Note	The aaa accounting gigawords command does not show up in the running configuration unless the no form of the command is used in the configuration.

Examples

The following example shows that the AAA 64-bit counters have been disabled:

no aaa accounting gigawords

To include authorization profile attributes for the AAA accounting records, use the aaa accounting include auth-profile command in global configuration mode. To disable the authorization profile, use the no form of this command.

aaa accounting include auth-profile {delegated-ipv6-prefix | framed-ip-address | framed-ipv6-prefix}

no aaa accounting include auth-profile {delegated-ipv6-prefix | framed-ip-address | framed-ipv6-prefix}

Syntax Description

Command Default

authorization profile is included in the aaa accounting records.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

The aaa accounting include auth-profile command can also be used for a dual-stack session if the negotiation between IPv4 and IPv6 is successful.

Examples

The following example shows how to include the delegated-IPv6-Prefix profile in the AAA accounting records:

Router(config)# aaa accounting include auth-profile delegated-ipv6-prefix

Related Commands

To enable authentication, authorization, and accounting (AAA) accounting when you are using RADIUS for Secure Socket Layer
Virtual Private Network (SSL VPN) sessions, use the aaa accounting-list command in global configuration mode. To disable the AAA accounting, use the no form of this command.

aaa accounting-list aaa-list

no aaa accounting-list aaa-list

Syntax Description

Command Default

AAA accounting is not enabled.

Command Modes

Global configuration

Command History

Usage Guidelines

Before configuring this command, ensure that the AAA accounting list has already been configured under global configuration.

Examples

The following example shows that AAA accounting has been configured for an SSL VPN session:

Router (config)# aaa accounting-list aaalist1

Related Commands

To provide an interval of time between records so that the AAA server does not get overwhelmed by a constant stream of records,
use the aaa accounting jitter maximum command in global configuration mode. To return to the default interval, use the no form of this command.

aaa accounting jitter maximum max-value

no aaa accounting jitter

Syntax Description

Command Default

Jitter is set to 300 seconds (5 minutes) by default.

Command Modes

Global configuration

Command History

Usage Guidelines

If certain applications require that periodic records be sent at exact intervals, disable jitter by setting it to 0.

Examples

The following example sets the maximum jitter value to 20 seconds:

aaa accounting jitter maximum 20

Related Commands

To specify that NETWORK records be generated, or nested, within EXEC “start” and “stop” records for PPP users who start EXEC
terminal sessions, use the aaa accounting nested command in global configuration mode. To allow the sending of records for users with a NULL username, use the no form of this command.

aaa accounting nested [suppress stop]

no aaa accounting nested [suppress stop]

Syntax Description

Command Default

Disabled

Command Modes

Global configuration (config)

Command History

Usage Guidelines

Use the aaa accounting nested command when you want to specify that NETWORK records be nested within EXEC “start” and “stop” records, such as for PPP users
who start EXEC terminal sessions. In some cases, such as billing customers for specific services, it can be desirable to keep
NETWORK “start” and “stop” records together, essentially nesting them within the framework of the EXEC “start” and “stop”
messages. For example, if you dial in using PPP, you can create the following records: EXEC-start, NETWORK-start, EXEC-stop,
and NETWORK-stop. By using the aaa accounting nested command to generate accounting records, NETWORK-stop records follow NETWORK-start messages: EXEC-start, NETWORK-start, NETWORK-stop,
EXEC-stop.

Use the aaa accounting nested suppress stop command to suppress the sending of EXEC-stop accounting records and to send only PPP accounting records.

Examples

The following example enables nesting of NETWORK accounting records for user sessions:

Router(config)# aaa accounting nested

The following example disables nesting of EXEC accounting records for user sessions:

Router(config)# aaa accounting nested suppress stop

To set the Accounting, Authorization, and Authentication (AAA) platform redundancy accounting behavior, use the
aaa accounting redundancy command in global configuration mode. To disable the accounting behavior, use the
no form of this command.

aaa accounting redundancy {best-effort-reuse [send-interim] | new-session | suppress system-records}

no aaa accounting redundancy {best-effort-reuse [send-interim] | new-session | suppress system-records}

Syntax Description

Command Default

A redundant session is set as a new session upon switchover.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

Use the
aaa accounting redundancy command to specify the AAA platform redundancy accounting behavior. This command also enables you to track the redundant
sessions or existing sessions upon switchover.

Use the
send-interim keyword to send the interim accounting record first after a switchover. The router sends the interim update for all sessions
that survived the switchover as soon as the standby processor becomes active.

Examples

The following example shows how to set the AAA platform redundancy accounting behavior to track redundant sessions as existing
sessions upon switchover:

Router(config)# aaa accounting redundancy best-effort-reuse

The following example shows how to enable the router to send the interim accounting record first after a switchover:

Router(config)# aaa accounting redundancy best-effort-reuse send-interim

Related Commands

To enable full r
esource accounting, which will generate both a “start” record at call setup and a “stop” record at call termination, use the
aaa accounting resource start-stop group command in global configuration mode. To disable full resource accounting, use the
no form of this command.

aaa accounting resource method-list start-stop [broadcast] group groupname

no aaa accounting resource method-list start-stop [broadcast] group groupname

Syntax Description

Command Default

No default behavior or values.

Command Modes

Global configuration

Command History

Usage Guidelines

Use the aaa accounting resource start-stop group command to send a “start” record at each call setup followed with a corresponding
“stop” record at the call disconnect. There is a separate “call setup-call disconnect “start-stop” accounting record tracking
the progress of the resource connection to the device, and a separate “user authentication start-stop accounting” record tracking
the user management progress. These two sets of accounting records are interlinked by using a unique session ID for the call.

You may want to use this command to manage and monitor wholesale customers from one source of data reporting, such as accounting
records.

Note	Sending “start-stop” records for resource allocation along with user “start-stop” records during user authentication can lead to serious performance issues and is discouraged unless absolutely required.

All existing AAA accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure resource accounting for “start-stop” records:

aaa new-model
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authorization exec AOL group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting resource default start-stop group radius

Related Commands

To enable re
source failure stop accounting support, which will generate a “stop” record at any point prior to user authentication only
if a call is terminated, use the aaa accounting resource stop-failure group command in global configuration mode. To disable
resource failure stop accounting, use the no form of this command.

aaa accounting resource method-list stop-failure [broadcast] group groupname

no aaa accounting resource method-list stop-failure [broadcast] group groupname

Syntax Description

Command Default

No default behavior or values.

Command Modes

Global configuration

Command History

Usage Guidelines

Use the aaa accounting resource stop-failure group command to generate a “stop” record for any calls that do not reach user
authentication; this function creates “stop” accounting records for the moment of call setup. All calls that pass user authentication
will behave as before; that is, no additional accounting records will be seen.

All existing authentication, authorization, and accounting (AAA) accounting method list and server group options are made
available to this command.

Examples

The following example shows how to configure “stop” accounting records from the moment of call setup:

aaa new-model
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authorization exec AOL group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting resource default stop-failure group radius

Related Commands

To send IPv6 counters in the stop record to the accounting server, use the aaa accounting send counters ipv6 command in global configuration mode. To stop sending IPv6 counters, use the no form of this command.

aaa accounting send counters ipv6

no aaa accounting send counters ipv6

Syntax Description

This command has no arguments or keywords.

Command Default

IPv6 counters in the stop records are not sent to the accounting server.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

The aaa accounting send counters ipv6 command sends IPv6 counters in the stop record to the accounting server.

Examples

The following example shows how enable the router to send IPv6 counters in the stop record to the accounting server:

Router(config)# aaa accounting send counters ipv6

To send a stop record whether or not a start record was sent, use the aaa accounting send stop-record always command in global configuration mode. To disable sending a stop record, use the no form of this command.

aaa accounting send stop-record always

no aaa accounting send stop-record always

Syntax Description

This command has no arguments or keywords.

Command Default

A stop record is not sent.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

When the aaa accounting send stop-record always command is enabled, accounting stop records are sent, even if their corresponding accounting starts were not sent out previously.
This command enables stop records to be sent whether local authentication, or other authentication, is configured.

When a session is terminated on a Network Control Protocol (NCP) timeout, a stop record needs to be sent, even if a start
record was not sent.

Examples

The following example shows how to enable stop records to be sent always when an NCP timeout occurs, whether or not a start
record was sent:

Router(config)# aaa accounting send stop-record always

To refine generation of authentication, authorization, and accounting (AAA) accounting “stop” records, use the aaa accounting send stop-record authentication command in global configuration mode. To end generation of accounting stop records, use the no form of this command that is appropriate.

aaa accounting send stop-record authentication {failure | success remote-server} [vrf vrf-name]

Failed Calls: End Accounting Stop Record Generation

no aaa accounting send stop-record authentication failure [vrf vrf-name]

Successful Calls: End Accounting Stop Record Generation

no aaa accounting send stop-record authentication success remote-server [vrf vrf-name]

Syntax Description

Command Default

Accounting “stop” records are sent only if one of the following is true:

• A start record has been sent.

• The call is successfully established with the “stop-only” configuration and is terminated.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

When the aaa accounting command is activated, by default the Cisco IOS software does not generate accounting records for system users who fail login
authentication or who succeed in login authentication but fail PPP negotiation for some reason. The aaa accounting command can be configured to sent a “stop” record using either the start-stop keyword or the stop-only keyword.

When the aaa accounting command is issued with either the start-stop keyword or the stop-only keyword, the “stop” records can be further configured with the aaa accounting send stop-record authentication command. The failure and success keywords are mutually exclusive. If you have the aaa accounting send stop-record authentication command enabled with the failure keyword and then enable the same command with the success keyword, accounting stop records will no longer be generated for failed calls. Accounting stop records are sent for successful
calls only until you issue either of the following commands:

• 
  no
  
  
  aaa
  accounting
  send
  stop-record
  authentication
  
  
  success
  remote-server
  

• 
  aaa
  accounting
  send
  stop-record
  authentication
  
  
  failure
  

When using the failure keyword, a “stop” record will be sent for calls that are rejected during authentication.

When using the success keyword, a “stop” record will be sent for calls that meet one of the following criteria:

• Calls that are authenticated by a remote AAA server when the call is terminated.

• Calls that are not authenticated by a remote AAA server and the start record has been sent.

• Calls that are successfully established and then terminated with the “stop-only” aaa accounting configuration.

Use the vrf vrf-name keyword and argument to generate accounting “stop” records per VPN routing and forwarding configuration.

Note	The success and remote-server keywords are not available in Cisco IOS Release 12.2SX.

Examples

The following example shows how to generate “stop” records for users who fail to authenticate at login or during session negotiation:

        
          aaa accounting send stop-record authentication failure 
      

The following example shows “start” and “stop” records being sent for a successful call when the aaa accounting send stop-record authentication command is issued with the failure keyword:

Router# show running-config | include aaa
 
.
.
.
aaa new-model 
aaa authentication ppp default group radius 
aaa authorization network default local 
aaa accounting send stop-record authentication failure 
aaa accounting network default start-stop group radius 
.
.
.
*Jul  7 03:28:31.543: AAA/BIND(00000018): Bind i/f Virtual-Template2 
*Jul  7 03:28:31.547: ppp14 AAA/AUTHOR/LCP: Authorization succeeds trivially 
*Jul  7 03:28:33.555: AAA/AUTHOR (0x18): Pick method list 'default'
*Jul  7 03:28:33.555: AAA/BIND(00000019): Bind i/f  
*Jul  7 03:28:33.555:  Tnl 5192 L2TP: O SCCRQ 
*Jul  7 03:28:33.555:  Tnl 5192 L2TP: O SCCRQ, flg TLS, ver 2, len 141, tnl 0, 
ns 0, nr 0
         C8 02 00 8D 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 00 08 00 00
         00 06 11 30 80 10 00 00 00 07 4C 41 43 2D 74 75
         6E 6E 65 6C 00 19 00 00 00 08 43 69 73 63 6F 20
         53 79 73 74 65 6D 73 ...
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse SCCRP
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 2, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Protocol Ver 256
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 3, len 10, flag 0x8000 (M)
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Framing Cap 0x0
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 4, len 10, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Bearer Cap 0x0
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 6, len 8, flag 0x0 
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Firmware Ver 0x1120
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 7, len 16, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Hostname LNS-tunnel
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 8, len 25, flag 0x0 
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Vendor Name Cisco Systems, Inc.
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 9, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Assigned Tunnel ID 6897
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 10, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Rx Window Size 20050
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 11, len 22, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Chlng  
         81 13 03 F6 A8 E4 1D DD 25 18 25 6E 67 8C 7C 39
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 13, len 22, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Chlng Resp  
         4D 52 91 DC 1A 43 B3 31 B4 F5 B8 E1 88 22 4F 41
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: No missing AVPs in SCCRP
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: I SCCRP, flg TLS, ver 2, len 157, tnl 
5192, ns 0, nr 1
contiguous pak, size 157
         C8 02 00 9D 14 48 00 00 00 00 00 01 80 08 00 00
         00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00
         00 03 00 00 00 00 80 0A 00 00 00 04 00 00 00 00
         00 08 00 00 00 06 11 20 80 10 00 00 00 07 4C 4E
         53 2D 74 75 6E 6E 65 6C ...
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: I SCCRP from LNS-tunnel
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: O SCCCN  to LNS-tunnel tnlid 6897
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: O SCCCN, flg TLS, ver 2, len 42, tnl 
6897, ns 1, nr 1
         C8 02 00 2A 1A F1 00 00 00 01 00 01 80 08 00 00
         00 00 00 03 80 16 00 00 00 0D 32 24 17 BC 6A 19
         B1 79 F3 F9 A9 D4 67 7D 9A DB
*Jul  7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ to LNS-tunnel 6897/0
*Jul  7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ, flg TLS, ver 2, len 
63, tnl 6897, lsid 11, rsid 0, ns 2, nr 1
         C8 02 00 3F 1A F1 00 00 00 02 00 01 80 08 00 00
         00 00 00 0A 80 0A 00 00 00 0F C8 14 B4 03 80 08
         00 00 00 0E 00 0B 80 0A 00 00 00 12 00 00 00 00
         00 0F 00 09 00 64 0F 10 09 02 02 00 1B 00 00
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse  AVP 0, len 8, flag 
0x8000 (M)
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse ICRP
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse  AVP 14, len 8, flag 
0x8000 (M)
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Assigned Call ID 5
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: No missing AVPs in ICRP
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: I ICRP, flg TLS, ver 2, len 
28, tnl 5192, lsid 11, rsid 0, ns 1, nr 3
contiguous pak, size 28
         C8 02 00 1C 14 48 00 0B 00 01 00 03 80 08 00 00
         00 00 00 0B 80 08 00 00 00 0E 00 05
*Jul  7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN to LNS-tunnel 6897/5
*Jul  7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN, flg TLS, ver 2, len 
167, tnl 6897, lsid 11, rsid 5, ns 3, nr 2
         C8 02 00 A7 1A F1 00 05 00 03 00 02 80 08 00 00
         00 00 00 0C 80 0A 00 00 00 18 06 1A 80 00 00 0A
         00 00 00 26 06 1A 80 00 80 0A 00 00 00 13 00 00
         00 01 00 15 00 00 00 1B 01 04 05 D4 03 05 C2 23
         05 05 06 0A 0B E2 7A ...
*Jul  7 03:28:33.579: RADIUS/ENCODE(00000018):Orig. component type = PPoE
*Jul  7 03:28:33.579: RADIUS(00000018): Config NAS IP: 0.0.0.0
*Jul  7 03:28:33.579: RADIUS(00000018): sending
*Jul  7 03:28:33.579: RADIUS/ENCODE: Best Local IP-Address 192.168.202.169 for 
Radius-Server 192.168.202.169
*Jul  7 03:28:33.579: RADIUS(00000018): Send Accounting-Request to 
172.19.192.238:2196 id 1646/23, len 176
*Jul  7 03:28:33.579: RADIUS:  authenticator 3C 81 D6 C5 2B 6D 21 8E - 19 FF 
43 B5 41 86 A8 A5
*Jul  7 03:28:33.579: RADIUS:  Acct-Session-Id     [44]  10  "00000023"
*Jul  7 03:28:33.579: RADIUS:  Framed-Protocol     [7]   6   
PPP                       [1]
*Jul  7 03:28:33.579: RADIUS:  Tunnel-Medium-Type  [65]  6   
00:IPv4                   [1]
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Client-Endpoi[66]  10  "192.168.202.169"
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Server-Endpoi[67]  10  "192.168.202.169"
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Assignment-Id[82]  5   "lac"
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Type         [64]  6   
00:L2TP                   [3]
*Jul  7 03:28:33.583: RADIUS:  Acct-Tunnel-Connecti[68]  12  "3356800003"
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Client-Auth-I[90]  12  "LAC-tunnel"
*Jul  7 03:28:33.583: RADIUS:  Tunnel-Server-Auth-I[91]  12  "LNS-tunnel"
*Jul  7 03:28:33.583: RADIUS:  User-Name           [1]   16  "user@domain.com"
*Jul  7 03:28:33.583: RADIUS:  Acct-Authentic      [45]  6   
Local                     [2]
*Jul  7 03:28:33.583: RADIUS:  Acct-Status-Type    [40]  6   
Start                     [1]
*Jul  7 03:28:33.583: RADIUS:  NAS-Port-Type       [61]  6   
Virtual                   [5]
*Jul  7 03:28:33.583: RADIUS:  NAS-Port            [5]   6   
0                         
*Jul  7 03:28:33.583: RADIUS:  NAS-Port-Id         [87]  9   "0/0/0/0"
*Jul  7 03:28:33.583: RADIUS:  Service-Type        [6]   6   
Framed                    [2]
*Jul  7 03:28:33.583: RADIUS:  NAS-IP-Address      [4]   6   
192.168.202.169 
*Jul  7 03:28:33.583: RADIUS:  Acct-Delay-Time     [41]  6   
0                         
*Jul  7 03:28:33.683: RADIUS: Received from id 1646/23 192.168.202.169:2196, 
Accounting-response, len 20
*Jul  7 03:28:33.683: RADIUS:  authenticator 1C E9 53 42 A2 8A 58 9A - C3 CC 
1D 79 9F A4 6F 3A

The following example shows the “stop” record being sent when the call is rejected during authentication when the aaa accounting send stop-record authentication command is issued with the success keyword.

Router# show running-config | include aaa
,
,
,
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default local 
aaa accounting send stop-record authentication success remote-server 
aaa accounting network default start-stop group radius
Router#
*Jul  7 03:39:40.199: AAA/BIND(00000026): Bind i/f Virtual-Template2 
*Jul  7 03:39:40.199: ppp21 AAA/AUTHOR/LCP: Authorization succeeds trivially 
*Jul  7 03:39:42.199: RADIUS/ENCODE(00000026):Orig. component type = PPoE
*Jul  7 03:39:42.199: RADIUS:  AAA Unsupported     [156] 7   
*Jul  7 03:39:42.199: RADIUS:   30 2F 30 2F 
30                                   [0/0/0]
*Jul  7 03:39:42.199: RADIUS(00000026): Config NAS IP: 0.0.0.0
*Jul  7 03:39:42.199: RADIUS/ENCODE(00000026): acct_session_id: 55
*Jul  7 03:39:42.199: RADIUS(00000026): sending
*Jul  7 03:39:42.199: RADIUS/ENCODE: Best Local IP-Address 192.168.202.169 for 
Radius-Server 192.168.202.169
*Jul  7 03:39:42.199: RADIUS(00000026): Send Access-Request to 
172.19.192.238:2195 id 1645/14, len 94
*Jul  7 03:39:42.199: RADIUS:  authenticator A6 D1 6B A4 76 9D 52 CF - 33 5D 
16 BE AC 7E 5F A6
*Jul  7 03:39:42.199: RADIUS:  Framed-Protocol     [7]   6   
PPP                       [1]
*Jul  7 03:39:42.199: RADIUS:  User-Name           [1]   16  "user@domain.com"
*Jul  7 03:39:42.199: RADIUS:  CHAP-Password       [3]   19  *
*Jul  7 03:39:42.199: RADIUS:  NAS-Port-Type       [61]  6   
Virtual                   [5]
*Jul  7 03:39:42.199: RADIUS:  NAS-Port            [5]   6   
0                         
*Jul  7 03:39:42.199: RADIUS:  NAS-Port-Id         [87]  9   "0/0/0/0"
*Jul  7 03:39:42.199: RADIUS:  Service-Type        [6]   6   
Framed                    [2]
*Jul  7 03:39:42.199: RADIUS:  NAS-IP-Address      [4]   6   
192.168.202.169 
*Jul  7 03:39:42.271: RADIUS: Received from id 1645/14 192.168.202.169:2195, 
Access-Accept, len 194
*Jul  7 03:39:42.271: RADIUS:  authenticator 30 AD FF 8E 59 0C E4 6C - BA 11 
23 63 81 DE 6F D7
*Jul  7 03:39:42.271: RADIUS:  Framed-Protocol     [7]   6   
PPP                       [1]
*Jul  7 03:39:42.275: RADIUS:  Service-Type        [6]   6   
Framed                    [2]
*Jul  7 03:39:42.275: RADIUS:  Vendor, Cisco       [26]  26  
*Jul  7 03:39:42.275: RADIUS:   Cisco AVpair       [1]   20  "vpdn:tunnel-
id=lac"
*Jul  7 03:39:42.275: RADIUS:  Vendor, Cisco       [26]  29  
*Jul  7 03:39:42.275: RADIUS:   Cisco AVpair       [1]   23  "vpdn:tunnel-
type=l2tp"
*Jul  7 03:39:42.275: RADIUS:  Vendor, Cisco       [26]  30  
*Jul  7 03:39:42.275: RADIUS:   Cisco AVpair       [1]   24  "vpdn:gw-
password=cisco"
*Jul  7 03:39:42.275: RADIUS:  Vendor, Cisco       [26]  31  
*Jul  7 03:39:42.275: RADIUS:   Cisco AVpair       [1]   25  "vpdn:nas-
password=cisco"
*Jul  7 03:39:42.275: RADIUS:  Vendor, Cisco       [26]  34  
*Jul  7 03:39:42.275: RADIUS:   Cisco AVpair       [1]   28  "vpdn:ip-
addresses=192.168.202.169"
*Jul  7 03:39:42.275: RADIUS:  Service-Type        [6]   6   
Framed                    [2]
*Jul  7 03:39:42.275: RADIUS:  Framed-Protocol     [7]   6   
PPP                       [1]
*Jul  7 03:39:42.275: RADIUS(00000026): Received from id 1645/14
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: Framed-Protocol
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: service-type
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: tunnel-id
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: tunnel-type
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: gw-password
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: nas-password
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: ip-addresses
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: service-type
*Jul  7 03:39:42.275: ppp21 PPP/AAA: Check Attr: Framed-Protocol
*Jul  7 03:39:42.279: AAA/BIND(00000027): Bind i/f  
*Jul  7 03:39:42.279:  Tnl 21407 L2TP: O SCCRQ 
*Jul  7 03:39:42.279:  Tnl 21407 L2TP: O SCCRQ, flg TLS, ver 2, len 134, tnl 
0, ns 0, nr 0
         C8 02 00 86 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 00 08 00 00
         00 06 11 30 80 09 00 00 00 07 6C 61 63 00 19 00
         00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6D 73
         2C 20 49 6E 63 2E 80 ...
*Jul  7 03:39:49.279:  Tnl 21407 L2TP: O StopCCN 
*Jul  7 03:39:49.279:  Tnl 21407 L2TP: O StopCCN, flg TLS, ver 2, len 66, tnl 
0, ns 1, nr 0
         C8 02 00 42 00 00 00 00 00 01 00 00 80 08 00 00
         00 00 00 04 80 1E 00 00 00 01 00 02 00 06 54 6F
         6F 20 6D 61 6E 79 20 72 65 74 72 61 6E 73 6D 69
         74 73 00 08 00 09 00 69 00 01 80 08 00 00 00 09
         53 9F
*Jul  7 03:39:49.279: RADIUS/ENCODE(00000026):Orig. component type = PPoE
*Jul  7 03:39:49.279: RADIUS(00000026): Config NAS IP: 0.0.0.0
*Jul  7 03:39:49.279: RADIUS(00000026): sending
*Jul  7 03:39:49.279: RADIUS/ENCODE: Best Local IP-Address 192.168.202.169 for 
Radius-Server 192.168.202.169
*Jul  7 03:39:49.279: RADIUS(00000026): Send Accounting-Request to 
192.168.202.169:2196 id 1646/32, len 179
*Jul  7 03:39:49.279: RADIUS:  authenticator 0A 85 2F F0 65 6F 25 E1 - 97 54 
CC BF EA F7 62 89
*Jul  7 03:39:49.279: RADIUS:  Acct-Session-Id     [44]  10  "00000037"
*Jul  7 03:39:49.279: RADIUS:  Framed-Protocol     [7]   6   
PPP                       [1]
*Jul  7 03:39:49.279: RADIUS:  Tunnel-Medium-Type  [65]  6   
00:IPv4                   [1]
*Jul  7 03:39:49.279: RADIUS:  Tunnel-Client-Endpoi[66]  10  "192.168.202.169"
*Jul  7 03:39:49.279: RADIUS:  Tunnel-Server-Endpoi[67]  10  "192.168.202.169"
*Jul  7 03:39:49.283: RADIUS:  Tunnel-Type         [64]  6   
00:L2TP                   [3]
*Jul  7 03:39:49.283: RADIUS:  Acct-Tunnel-Connecti[68]  3   "0"
*Jul  7 03:39:49.283: RADIUS:  Tunnel-Client-Auth-I[90]  5   "lac"
*Jul  7 03:39:49.283: RADIUS:  User-Name           [1]   16  "user@domain.com"
*Jul  7 03:39:49.283: RADIUS:  Acct-Authentic      [45]  6   
RADIUS                    [1]
*Jul  7 03:39:49.283: RADIUS:  Acct-Session-Time   [46]  6   
0                         
*Jul  7 03:39:49.283: RADIUS:  Acct-Input-Octets   [42]  6   
0                         
*Jul  7 03:39:49.283: RADIUS:  Acct-Output-Octets  [43]  6   
0                         
*Jul  7 03:39:49.283: RADIUS:  Acct-Input-Packets  [47]  6   
0                         
*Jul  7 03:39:49.283: RADIUS:  Acct-Output-Packets [48]  6   
0                         
*Jul  7 03:39:49.283: RADIUS:  Acct-Terminate-Cause[49]  6   nas-
error                 [9]
*Jul  7 03:39:49.283: RADIUS:  Acct-Status-Type    [40]  6   
Stop                      [2]
*Jul  7 03:39:49.283: RADIUS:  NAS-Port-Type       [61]  6   
Virtual                   [5]
*Jul  7 03:39:49.283: RADIUS:  NAS-Port            [5]   6   
0                         
*Jul  7 03:39:49.283: RADIUS:  NAS-Port-Id         [87]  9   "0/0/0/0"
*Jul  7 03:39:49.283: RADIUS:  Service-Type        [6]   6   
Framed                    [2]
*Jul  7 03:39:49.283: RADIUS:  NAS-IP-Address      [4]   6   
192.168.202.169 
*Jul  7 03:39:49.283: RADIUS:  Acct-Delay-Time     [41]  6   
0                         
*Jul  7 03:39:49.335: RADIUS: Received from id 1646/32 192.168.202.169:2196, 
Accounting-response, len 20
*Jul  7 03:39:49.335: RADIUS:  authenticator C8 C4 61 AF 4D 9F 78 07 - 94 2B 
44 44 17 56 EC 03

Related Commands

To calculate RADIUS attribute 46, Acct-Sess-Time, on the basis of the Network Time Protocol (NTP) clock time, use the aaa accounting session-duration ntp-adjusted command in global configuration mode. To disable the calculation that was configured on the basis of the NTP clock time,
use the no form of this command.

aaa accounting session-duration ntp-adjusted

no aaa accounting session-duration ntp-adjusted

Syntax Description

This command has no arguments or keywords.

Command Default

If this command is not configured, RADIUS attribute 46 is calculated on the basis of the 64-bit monotonically increasing counter,
which is not NTP adjusted.

Command Modes

Global configuration

Command History

Usage Guidelines

If this command is not configured, RADIUS attribute 46 can skew the session time by as much as 5 to 7 seconds for calls that
have a duration of more than 24 hours. However, you may not want to configure the command for short-lived calls or if your
device is up for only a short time because of the convergence time required if the session time is configured on the basis
of the NTP clock time.

For RADIUS attribute 46 to reflect the NTP-adjusted time, you must configure the ntp server command as well as the aaa accounting session-duration ntp-adjusted command.

Examples

The following example shows that the attribute 46 session time is to be calculated on the basis of the NTP clock time:

aaa new-model
aaa authentication ppp default group radius
aaa accounting session-time ntp-adjusted
aaa accounting network default start-stop group radius

Related Commands

To prevent the Cisco IOS software from sending accounting records for users whose username string is NULL, use the aaa accounting suppress null-username command in global configuration mode. To allow sending records for users with a NULL username, use the no form of this command.

aaa accounting suppress null-username

no aaa accounting suppress null-username

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Global configuration

Command History

Usage Guidelines

When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username
string, because of protocol translation, is NULL. This command prevents accounting records from being generated for those
users who do not have usernames associated with them.

Examples

The following example suppresses accounting records for users who do not have usernames associated with them:

aaa accounting suppress null-username

Related Commands

To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. To disable interim accounting updates, use the no form of this command.

aaa accounting update [newinfo] [periodic number [jitter maximum max-value]]

no aaa accounting update

Syntax Description

Command Default

Disabled

Command Modes

Global configuration

Command History

Usage Guidelines

• When the aaa accounting update command is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the newinfo keyword is used, interim accounting records will be sent to the accounting server every time there is new accounting information
  to report. An example would be when IP Control Protocol (IPCP) completes IP address negotiation with the remote peer. The
  interim accounting record will include the negotiated IP address used by the remote peer.

• When the gw-accounting aaa command and the aaa accounting update newinfo command and keyword are activated, Cisco IOS software generates and sends an additional updated interim accounting record
  to the accounting server when a call leg is connected. All attributes (for example, h323-connect-time and backward-call-indicators
  (BCI)) available at the time of call connection are sent through this interim updated accounting record.

• When used with the periodic keyword, interim accounting records are sent periodically as defined by the number. The interim accounting record contains
  all of the accounting information recorded for that user up to the time the accounting record is sent.

• When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to
  report, and accounting records are sent to the accounting server periodically as defined by the number. For example, if you
  configure the aaa accounting update newinfo periodic number command, all users currently logged in will continue to generate periodic interim accounting records while new users will
  generate accounting records based on the newinfo algorithm.

• Vendor-specific attributes (VSAs) such as h323-connect-time and backward-call-indicator (BCI) are transmitted in the interim
  update RADIUS message when the aaa accounting update newinfo command and keyword are enabled.

• Jitter is used to provide an interval of time between records so that the AAA server does not get overwhelmed by a constant
  stream of records. If certain applications require that periodic records be sent a exact intervals, you should disable jitter
  by setting it to 0.

Caution

Using the aaa accounting update periodic command and keyword can cause heavy congestion when many users are logged into the network.

Examples

The following example sends PPP accounting records to a remote RADIUS server. When IPCP completes negotiation, this command
sends an interim accounting record to the RADIUS server that includes the negotiated IP address for this user; it also sends
periodic interim accounting records to the RADIUS server at 30-minute intervals.

aaa accounting network default start-stop group radius
aaa accounting update newinfo periodic 30

The following example sends periodic interim accounting records to the RADIUS server at 30-minute intervals and disables jitter:

aaa accounting update newinfo periodic 30 jitter maximum 0

Related Commands

To add calling line identification (CLID) and dialed number identification service (DNIS) attribute values to a user profile,
use the aaa attribute command in AAA-user configuration mode. To remove this command from your configuration, use the no form of this command.

aaa attribute {clid | dnis} attribute-value

no aaa attribute {clid | dnis} attribute-value

Syntax Description

Command Default

If this command is not enabled, you will have an empty user profile.

Command Modes

AAA-user configuration

Command History

Usage Guidelines

Use the aaa attribute command to add CLID or DNIS attribute values to a named user profile, which is created by using the aaa user profile command. The CLID or DNIS attribute values can be associated with the record that is going out with the user profile (via
the test aaa group command), thereby providing the RADIUS server with access to CLID or DNIS information when the server receives a RADIUS record.

Examples

The following example shows how to add CLID and DNIS attribute values to the user profile “cat”:

aaa user profile cat
 aaa attribute clid clidval
 aaa attribute dnis dnisval

Related Commands

To define an authentication, authorization, and accounting (AAA) attribute list locally on a router, use the
aaa
attribute
list command in global configuration mode or IKEv2 authorization policy configuration mode. To remove the AAA attribute list,
use the
no form of this command.

aaa attribute list list-name

no aaa attribute list list-name

Syntax Description

Command Default

A local attribute list is not defined.

Command Modes

Global configuration (config)

IKEv2 authorization policy configuration (config-ikev2-author-policy)

Command History

Usage Guidelines

There is no limit to the number of lists that can be defined (except for NVRAM storage limits).

Use this command to refer to a AAA attribute list. This list must be defined in global configuration mode. Among the AAA attributes,
the list can have ‘interface-config attribute that is used to apply interface configuration mode commands on the virtual access
interface associated with the session.

Examples

The following example shows that the attribute list named “TEST” is to be added to the subscriber profile “cisco.com”:

aaa authentication ppp template1 local
aaa authorization network template1 local
!
aaa attribute list TEST
   attribute type interface-config "ip unnumbered FastEthernet0" service ppp protocol lcp
   attribute type interface-config "ip vrf forwarding blue" service ppp protocol lcp
!
ip vrf blue
 description vrf blue template1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
subscriber authorization enable
!
subscriber profile cisco.com
 service local
 aaa attribute list TEST
!
bba-group pppoe grp1
 virtual-template 1
 service profile cisco.com
!
interface Virtual-Template1
 no ip address
 no snmp trap link-status
 no peer default ip address
 no keepalive
 ppp authentication pap template1
 ppp authorization template1
!

The following examples shows how to configure an AAA attribute list ‘attr-list1’ which is referred from IKEv2 authorization
policy. The AAA attribute list has ‘interface-config’ attributes.

!
aaa attribute list attr-list1
attribute type interface-config "ip mtu 1100"
attribute type interface-config "tunnel key 10"
!
!
crypto ikev2 authorization policy pol1
 aaa attribute list attr-list1
!

Related Commands

To specify the AAA authentication list for Extensible Authentication Protocol (EAP) authentication, use the aaa authentication command in IKEv2 profile configuration mode. To remove the AAA authentication for EAP, use the no form of this command.

aaa authentication eap list-name

no aaa authentication eap

Syntax Description

Command Default

AAA authentication for EAP is not specified.

Command Modes

IKEv2 profile configuration (config-ikev2-profile)

Command History

Usage Guidelines

Use this command to specify the AAA authentication list for EAP authentication. The crypto ikev2 profile command must be enabled before this command is executed.

Examples

The following example shows how to configure the remote access server using the remote EAP authentication method with an external
EAP server:

Router(config)# aaa new-model
Router(config)# aaa authentication login aaa-eap-list default group radius
Router(config)# crypto ikev2 profile profile2
Router(config-ikev2-profile)# authentication remote eap
Router(config-ikev2-profile)# aaa authentication eap aaa-eap-list

The following example shows how to configure the remote access server using the remote EAP authentication method with a local
and external EAP server:

Router(config)# aaa new-model
Router(config)# aaa authentication login aaa-eap-list default group radius
Router(config)# aaa authentication login aaa-eap-local-list default group tacacs
Router(config)# crypto ikev2 profile profile2
Router(config-ikev2-profile)# authentication remote eap
Router(config-ikev2-profile)# authentication remote eap-local
Router(config-ikev2-profile)# aaa authentication eap aaa-eap-list
Router(config-ikev2-profile)# aaa authentication eap-local aaa-eap-local-list

Related Commands

To configure authentication, authorization, and accounting (AAA) authentication for SSL VPN sessions, use the aaa authentication command in webvpn context configuration mode. To remove the AAA configuration from the SSL VPN context configuration, use
the no form of this command.

aaa authentication {domain name | list name}

no aaa authentication {domain | list}

Syntax Description

Command Default

If this command is not configured or if the no form of this command is entered, the SSL VPN gateway will use global AAA parameters (if configured).

Command Modes

Webvpn context configuration

Command History

Usage Guidelines

The aaa authentication command is entered to specify an authentication list or server group under a SSL VPN context configuration. If this command
is not configured and AAA is configured globally on the router, global authentication will be applied to the context configuration.

The database that is configured for remote-user authentication on the SSL VPN gateway can be a local database, or the database
can be accessed through any RADIUS or TACACS+ AAA server.

We recommend that you use a separate AAA server, such as a Cisco Access Control Server (ACS). A separate AAA server provides
a more robust security solution. It allows you to configure unique passwords for each remote user and accounting and logging
for remote-user sessions.

Examples

Examples

The following example configures local AAA for remote-user connections. Notice that the aaa authentication command is not configured in a context configuration.

Router (config)# aaa new-model
Router (config)# username USER1 secret 0 PsW2143
Router (config)# aaa authentication login default local

Examples

The following example configures a RADIUS server group and associates the AAA configuration under the SSL VPN context configuration.

Router (config)# aaa new-model
Router (config)# aaa group server radius myServer
Router (config-sg-radius)# server 10.1.1.20 auth-port 1645 acct-port 1646
Router (config-sg-radius)# exit
Router (config)# aaa authentication login default local group myServer
Router (config)# radius-server host 10.1.1.0 auth-port 1645 acct-port 1646
Router (config)# webvpn context context1
Router (config-webvpn-context)# aaa authentication list myServer
Router (config-webvpn-context)# exit

Related Commands

To enable an authentication, authorization, and accounting (AAA) authentication method for AppleTalk Remote Access (ARA),
use the
aaa
authentication
arap command in global configuration mode. To disable this authentication, use the
no form of this command.

aaa authentication arap {default | list-name} method1 [method2 . . . ]

no aaa authentication arap {default | list-name} method1 [method2 . . . ]

Syntax Description

Command Default

If the
default list is not set, only the local user database is checked. This has the same effect as the following command:

aaa authentication arap default local

Command Modes

Global configuration

Command History

Usage Guidelines

The list names and default that you set with the
aaa
authentication
arap command are used with the
arap
authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either
the
guest or
auth-guest method listed in the table below. You can only use one of these methods; they are mutually exclusive.

Create a list by entering the
aaa
authentication
arap
list-name
method command, where
list-name is any character string used to name this list (such as
MIS-access ). The
method argument identifies the list of methods the authentication algorithm tries in the given sequence. See the table below for
descriptions of method keywords.

To create a default list that is used if no list is specified in the
arap
authentication command, use the
default keyword followed by the methods you want to be used in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Use the
more
system:running-config command to view currently configured lists of authentication methods.

Note

In the table below, the group radius , group tacacs + , and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Table 2. aaa authentication arap Methods

Examples

The following example creates a list called
MIS-access , which first tries TACACS+ authentication and then none:

aaa authentication arap MIS-access group tacacs+ none

The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications
if no other list is specified:

aaa authentication arap default group tacacs+ none

Related Commands

To set the maximum number of login attempts that will be permitted before a session is dropped, use the aaa authentication attempts login command in global configuration mode. To reset the number of attempts to the default, use the no form of this command.

aaa authentication attempts login number-of-attempts

no aaa authentication attempts login

Syntax Description

Command Default

3 attempts

Command Modes

Global configuration

Command History

Usage Guidelines

The aaa authentication attempts login command configures the number of times a router will prompt for username and password before a session is dropped.

The aaa authentication attempts login command can be used only if the aaa new-model command is configured.

Examples

The following example configures a maximum of 5 attempts at authentication for login:

aaa authentication attempts login 5

Related Commands

To allow automatic authentication for Secure Socket Layer virtual private network (SSL VPN) users, use the aaa authentication auto command in webvpn context configuration mode. To disable automatic authentication, use the no form of this command.

aaa authentication auto

no aaa authentication auto

Syntax Description

This command has no arguments or keywords.

Command Default

Automatic authentication is not allowed.

Command Modes

Webvpn context (config-webvpn-context)

Command History

Usage Guidelines

Configuring this command allows users to provide their usernames and passwords via the gateway page URL. They do not have
to enter the usernames and passwords again from the login page.

A user can embed his or her username and password in the URL using the following format:

http://<gateway-address>/<vw_context>/webvpnauth?username:password

Examples

The following example shows that automatic authentication has been configured for users:

Router (config)# webvpn context
Router (config-webvpn-context)# aaa authentication auto

To configure a personalized banner that will be displayed at user login, use the aaa authentication banner command in global configuration mode.

aaa authentication banner dstringd

no aaa authentication banner

Syntax Description

Command Default

Not enabled

Command Modes

Global configuration

Command History

Usage Guidelines

Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace
the default message for user login.

To create a login banner, you need to configure a delimiting character, which notifies the system that the following text
string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end
of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character
set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Note	The AAA authentication banner message is not displayed if TACACS+ is the first method in the method list. With CSCum15057, the AAA authentication banner message is always printed if the user logs into the system using the Secure Shell (SSH) server.

Examples

The following example shows the default login message if aaa authentication banner is not configured. (RADIUS is specified as the default login authentication method.)

aaa new-model
aaa authentication login default group radius

This configuration produces the following standard output:

User Verification Access
Username:
Password:

The following example configures a login banner (in this case, the phrase “Unauthorized use is prohibited.”) that will be
displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified
as the default login authentication method.)

aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication login default group radius

This configuration produces the following login banner:

Unauthorized use is prohibited.
Username:

Related Commands

To specify one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running IEEE 802.1X,
use the
aaa
authentication
dot1x command in global configuration mode. To disable authentication, use the
no form of this command

aaa authentication dot1x {default | listname} method1 [method2 . . . ]

no aaa authentication dot1x {default | listname} method1 [method2 . . . ]

Syntax Description

Command Default

No authentication is performed.

Global configuration

Command History

Usage Guidelines

The
method
argument identifies the list of methods that the authentication algorithm tries in the given sequence to validate the password
provided by the client. The only method that is truly 802.1X-compliant is the
group
radius
method, in which the client data is validated against a RADIUS authentication server. The remaining methods enable AAA to
authenticate the client by using locally configured data. For example, the
local
and
local-case
methods use the username and password that are saved in the Cisco IOS configuration file. The
enable
and
line
methods use the
enable
and
line
passwords for authentication.

If you specify
group
radius , you must configure the RADIUS server by entering the
radius-server
host
global configuration command. If you are not using a RADIUS server, you can use the
local
or
local-case
methods, which access the local username database to perform authentication. By specifying the
enable
or
line
methods, you can supply the clients with a password to provide access to the switch.

Use the
show
running-config
privileged EXEC command to display the configured lists of authentication methods.

Examples

The following example shows how to enable AAA and how to create an authentication list for 802.1X. This authentication first
tries to contact a RADIUS server. If this action returns an error, the user is allowed access with no authentication:

Router(config)# aaa new model
Router(config)# aaa authentication dot1x default group radius none

Related Commands

To enable authentication, authorization, and accounting (AAA) authentication to determine whether a user can access the privileged
command level, use the
aaa
authentication
enable
default command in global configuration mode. To disable this authorization method, use the
no form of this command.

aaa authentication enable default method1 [method2 . . . ]

no aaa authentication enable default method1 [method2 . . . ]

Syntax Description

Command Default

If the
default list is not set, only the enable password is checked. This has the same effect as the following command:

aaa authentication enable default enable

On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

Use the
aaa
authentication
enable
default command to create a series of authentication methods that are used to determine whether a user can access the privileged
command level. Method keywords are described in the table below. The additional methods of authentication are used only if
the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods
return an error, specify
none as the final method in the command line.

All
aaa
authentication
enable
default requests sent by the router to a RADIUS server include the username “$enab15$.”

Note	An enable authentication request for $enab{x }$ is sent only for RADIUS servers.

If a default authentication routine is not set for a function, the default is
none and no authentication is performed. Use the
more
system:running-config command to view currently configured lists of authentication methods.

Note

In the table below, the group radius , group tacacs + , and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Table 3. aaa authentication enable default Methods

Examples

The following example shows how to create an authentication list that first tries to contact a TACACS+ server. If no server
can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured
on the server), the user is allowed access with no authentication.

aaa authentication enable default group tacacs+ enable none

Related Commands

To set authentication lists for Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP), use the aaa authentication eou default enable group radius command in global configuration mode. To remove the authentication lists, use the no form of this command.

aaa authentication eou default enable group radius

no aaa authentication eou default enable group radius

Syntax Description

This command has no arguments or keywords.

Command Default

Authentication lists for EAPoUDP are not set.

Command Modes

Global configuration

Command History

Examples

The following example shows that authentication lists have been set for EAPoUDP:

Router (config)# aaa new-model
Router (config)# aaa authentication eou default enable group radius

Related Commands

To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message command in global configuration mode. To remove the failed login message, use the no form of this command.

aaa authentication fail-message dstringd

no aaa authentication fail-message

Syntax Description

Command Default

Not enabled

Command Modes

Global configuration

Command History

Usage Guidelines

Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message
for failed login.

To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following
text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the
end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII
character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Examples

The following example shows the default login message and failed login message that is displayed if aaa authentication banner and aaa authentication fail-message are not configured. (RADIUS is specified as the default login authentication method.)

aaa new-model
aaa authentication login default group radius

This configuration produces the following standard output:

User Verification Access
Username:
Password:
% Authentication failed.

The following example configures both a login banner (“Unauthorized use is prohibited.”) and a login-fail message (“Failed
login. Try again.”). The login message will be displayed when a user logs in to the system. The failed-login message will
display when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.)
In this example, the asterisk (*) is used as the delimiting character.

aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default group radius

This configuration produces the following login and failed login banner:

Unauthorized use is prohibited.
Username: 
Password: 
Failed login. Try again.

Related Commands

To set
authentication, authorization, and accounting (AAA) authentication at login,
use the
aaa
authentication
login command in global configuration mode. To
disable AAA authentication, use the
no form of this
command.

aaa authentication login {default | list-name} method1 [method2 . . . ]

no aaa authentication login {default | list-name} method1 [method2 . . . ]

Syntax Description

Command Default

AAA authentication
at login is disabled.

Command Modes

Global configuration (config)

Command History

Usage Guidelines

If the
default
keyword is not set, only the local user database is checked. This has the same
effect as the following command:

aaa authentication login default local

Note	On the console, login will succeed without any authentication checks if default keyword is not set.

The default and
optional list names that you create with the
aaa
authentication
login command are used with the
login
authentication command.

Create a list by
entering the
aaa
authentication
login

list-name
method command for a particular protocol. The
list-name
argument is the character string used to name the list of authentication
methods activated when a user logs in. The
method
argument identifies the list of methods that the authentication algorithm
tries, in the given sequence. The “Authentication Methods That Cannot be used
for the list-name Argument” section lists authentication methods that cannot be
used for the
list-name
argument and the table below describes the method keywords.

To create a
default list that is used if no list is assigned to a line, use the
login
authentication command with the default argument
followed by the methods you want to use in default situations.

The password is
prompted only once to authenticate the user credentials and in case of errors
due to connectivity issues, multiple retries are possible through the
additional methods of authentication. However, the switchover to the next
authentication method happens only if the previous method returns an error, not
if it fails. To ensure that the authentication succeeds even if all methods
return an error, specify
none as the
final method in the command line.

If authentication
is not specifically set for a line, the default is to deny access and no
authentication is performed. Use the
more
system:running-config command to display currently
configured lists of authentication methods.

Authentication
Methods That Cannot Be Used for the list-name Argument

The
authentication methods that cannot be used for the
list-name
argument are as follows:

• 
  auth-guest
  

• 
  enable
  

• 
  guest
  

• 
  if-authenticated
  

• 
  if-needed
  

• 
  krb5
  

• 
  krb-instance
  

• 
  krb-telnet
  

• 
  line
  

• 
  local
  

• 
  none
  

• 
  radius
  

• 
  rcmd
  

• 
  tacacs
  

• 
  tacacsplus
  

Note

In the table below, the group radius , group tacacs + , group ldap , and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius , aaa group server ldap , and aaa group server tacacs+ commands to create a named group of servers.

The table below
describes the method keywords.

Table 4. aaa authentication login
Methods Keywords

Examples

The following
example shows how to create an AAA authentication list called
MIS-access .
This authentication first tries to contact a TACACS+ server. If no server is
found, TACACS+ returns an error and AAA tries to use the enable password. If
this attempt also returns an error (because no enable password is configured on
the server), the user is allowed access with no authentication.

aaa authentication login MIS-access group tacacs+ enable none

The following
example shows how to create the same list, but it sets it as the default list
that is used for all login authentications if no other list is specified:

aaa authentication login default group tacacs+ enable none

The following
example shows how to set authentication at login to use the Kerberos 5 Telnet
authentication protocol when using Telnet to connect to the router:

aaa authentication login default krb5

The following
example shows how to configure password aging by using AAA with a crypto
client:

aaa authentication login userauthen passwd-expiry group radius

Related Commands

To specify authentication, authorization, and accounting (AAA) authentication for Netware Asynchronous Services Interface
(NASI) clients connecting through the access server, use the
aaa
authentication
nasi command in global configuration mode. To disable authentication for NASI clients, use the
no form of this command.

aaa authentication nasi {default | list-name} method1 [method2 . . . ]

no aaa authentication nasi {default | list-name} method1 [method2 . . . ]

Syntax Description

Command Default

If the
default list is not set, only the local user database is selected. This has the same effect as the following command:

aaa authentication nasi default local

Command Modes

Global configuration

Command History

Usage Guidelines

The default and optional list names that you create with the
aaa
authentication
nasi command are used with the
nasi
authentication command.

Create a list by entering the
aaa
authentication
nasi command, where
list-name is any character string that names the list (such as
MIS-access ). The
method argument identifies the list of methods the authentication algorithm tries in the given sequence. Method keywords are described
in the table below.

To create a default list that is used if no list is assigned to a line with the
nasi
authentication command, use the default argument followed by the methods that you want to use in default situations.

The remaining methods of authentication are used only if the previous method returns an error, not if it fails. To ensure
that the authentication succeeds even if all methods return an error, specify
none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use
the
more
system:running-config command to display currently configured lists of authentication methods.

Note

In the table below, the group radius , group tacacs + , and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Table 5. aaa authentication nasi Methods

Examples

The following example creates an AAA authentication list called
list1 . This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries
to use the enable password. If this attempt also returns an error (because no enable password is configured on the server),
the user is allowed access with no authentication.

aaa authentication nasi list1 group tacacs+ enable none

The following example creates the same list, but sets it as the default list that is used for all login authentications if
no other list is specified:

aaa authentication nasi default group tacacs+ enable none

Related Commands