Cisco IOS Software Release 12.2(27)SBC
RADIUS-Based Lawful Intercept
How to Configure RADIUS-Based Lawful Intercept
Cisco IOS Security Configuration Guide
Errors are reported in attribute 101 of the CoA-ACK packet. The following are the possible CoA-ACK
settings that the Lawful Intercept feature can set:
• 401: Unsupported Attribute (There is a non-LI attribute, except for 44 which is allowed.)
• 402: Missing Attribute (One of the four LI attributes is missing.)
• 404: Invalid Request (An LI attribute is malformed or duplicated.)
• 501: Administratively Prohibited (AAA Intercept is not configured.)
• 503: Session Context Not Found (Session does not exist.)
• 506: Resources Unavailable (Memory is low.)
• 200: Success (There are no errors; the CoA-Request was accepted and acted on.)
In each case, the RADIUS server must send CoA-Request packets (code 43) with the attributes identified
in plus the Acct-Session-ID attribute (attribute 44). Each of these attributes must be in the
packet.
The Acct-Session-ID attribute identifies the session that will be intercepted. The Acct-Session-ID
attribute can be obtained from either the Access-Request packet or the Accounting-Stop packet by
entering the radius-server attribute 44 include-in-access-req command.
When a session is being tapped and the session terminates, the tap stops. The session does not start when
the subscriber logs back in unless the Access-Accept indicates a start tap or a CoA-Request is sent to
start the session.
Note
The frequency of CoA-Request packets should not exceed a rate of one request every 10 minutes.
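The reply values listed above can be checked mechanically on the RADIUS server side. The following Python code is an added example, not Cisco code: it parses a raw CoA reply and maps attribute 101 to the meanings this page lists. It assumes the standard RADIUS packet layout (RFC 2865), attribute 101 carried as a 4-byte integer and reply codes 44/45 (RFC 5176), none of which are stated on this page; the function names are hypothetical and the Response Authenticator is not verified.

```python
import struct

# Attribute 101 values this page lists for the Lawful Intercept feature.
LI_ERROR_CAUSE = {
    200: "Success", 401: "Unsupported Attribute", 402: "Missing Attribute",
    404: "Invalid Request", 501: "Administratively Prohibited",
    503: "Session Context Not Found", 506: "Resources Unavailable",
}
COA_ACK, COA_NAK = 44, 45   # reply codes per RFC 5176 (assumption, not on the page)
ERROR_CAUSE = 101           # attribute number given on the page


def parse_attributes(packet: bytes):
    """Return (code, identifier, [(type, value), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field disagrees with the datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has a bad length {a_len}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs


def li_result(packet: bytes):
    """Decode a CoA reply into (error_cause, meaning); error_cause is None if absent."""
    code, _, attrs = parse_attributes(packet)
    if code not in (COA_ACK, COA_NAK):
        raise ValueError(f"code {code} is not a CoA reply")
    causes = [v for t, v in attrs if t == ERROR_CAUSE]
    if not causes:
        return None, "no attribute 101 in reply"
    if len(causes) > 1 or len(causes[0]) != 4:
        raise ValueError("attribute 101 must appear once as a 4-byte integer")
    value = struct.unpack("!I", causes[0])[0]
    return value, LI_ERROR_CAUSE.get(value, "value not listed on the page")


def build_reply(code, ident, cause):
    """Construct a sample reply (constructed test data, zeroed authenticator)."""
    attr = struct.pack("!BBI", ERROR_CAUSE, 6, cause)
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + bytes(16) + attr
```

Logging the decoded value for every reply gives an audit trail of which intercept requests the router accepted and why the others were refused.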
How to Configure RADIUS-Based Lawful Intercept
This section contains the following procedure:
• Enabling Lawful Intercept (required)
Enabling Lawful Intercept
To enable a RADIUS-Based Lawful Intercept solution on your router, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa intercept
4. aaa authentication ppp {default | list-name} group radius
5. aaa accounting send stop-record authentication failure
6. aaa accounting network {default | list-name} start-stop group {radius | group-name}
7. radius-server attribute 44 include-in-access-req
8. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]