Cisco IOS Software Release 12.2(27)SBC

RADIUS-Based Lawful Intercept
Cisco IOS Security Configuration Guide
Errors are reported in attribute 101 of the CoA-ACK packet. The Lawful Intercept feature can set the
following values in the CoA-ACK:
401: Unsupported Attribute (There is a non-LI attribute, except for 44 which is allowed.)
402: Missing Attribute (One of the four LI attributes is missing.) 
404: Invalid Request (An LI attribute is malformed or duplicated.) 
501: Administratively Prohibited (AAA Intercept is not configured.) 
503: Session Context Not Found (Session does not exist.)
506: Resources Unavailable (Memory is low.) 
200: Success (There are no errors; the CoA-Request was accepted and acted on.) 
In each case, the RADIUS server must send CoA-Request packets (code 43) with the attributes identified 
in 
 plus the Acct-Session-ID attribute (attribute 44). Each of these attributes must be in the 
packet. 
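As an added example (not from the Cisco guide), this Python code decodes attribute 101 and attribute 44 from a CoA reply and maps the value to the list above, rejecting malformed attribute lengths. It assumes the standard RADIUS layout (20-byte header followed by type-length-value attributes); `build_sample` and the packets it produces are constructed for offline testing.

```python
import struct

# Values the page lists for attribute 101 in the router's CoA reply.
LI_ERROR_CAUSE = {
    200: "Success", 401: "Unsupported Attribute", 402: "Missing Attribute",
    404: "Invalid Request", 501: "Administratively Prohibited",
    503: "Session Context Not Found", 506: "Resources Unavailable",
}
ATTR_ACCT_SESSION_ID = 44   # identifies the intercepted session
ATTR_ERROR_CAUSE = 101      # carries a 4-byte integer

def parse_attributes(packet: bytes) -> list:
    """Walk the RADIUS header and TLV attributes, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("header length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def describe_coa_reply(packet: bytes) -> dict:
    """Return the reply code, session ID (if present) and decoded attribute 101."""
    attrs = parse_attributes(packet)  # raises ValueError on malformed input
    result = {"code": packet[0], "session": None, "cause": None, "meaning": None}
    for a_type, value in attrs:
        if a_type == ATTR_ACCT_SESSION_ID:
            result["session"] = value.decode("ascii", "replace")
        elif a_type == ATTR_ERROR_CAUSE:
            if len(value) != 4:
                raise ValueError("attribute 101 must carry a 4-byte integer")
            result["cause"] = struct.unpack("!I", value)[0]
            result["meaning"] = LI_ERROR_CAUSE.get(result["cause"], "not in the LI list")
    return result

def build_sample(code: int, attrs: list) -> bytes:
    """Constructed sample packet (zeroed authenticator), for offline testing only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```
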
The Acct-Session-ID attribute identifies the session that will be intercepted. The Acct-Session-ID 
attribute can be obtained from either the Access-Request packet or the Accounting-Stop packet by 
entering the radius-server attribute 44 include-in-access-req command. 
When a session is being tapped and the session terminates, the tap stops. The session does not start when 
the subscriber logs back in unless the Access-Accept indicates a start tap or a CoA-Request is sent to 
start the session. 
Note: The frequency of CoA-Request packets should not exceed a rate of one request every 10 minutes.
How to Configure RADIUS-Based Lawful Intercept 
This section contains the following procedure:
Enabling Lawful Intercept (required)
Enabling Lawful Intercept 
To enable a RADIUS-Based Lawful Intercept solution on your router, perform the following steps. 
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa intercept
4. aaa authentication ppp {default | list-name} group radius
5. aaa accounting send stop-record authentication failure
6. aaa accounting network {default | list-name} start-stop group {radius | group-name}
7. radius-server attribute 44 include-in-access-req
8. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]