Cisco IOS Software Release 12.2(27)SBC
RADIUS-Based Lawful Intercept
Cisco IOS Security Configuration Guide
Prerequisites for RADIUS-Based Lawful Intercept
Before enabling a RADIUS-based lawful intercept solution, ensure that your network supports the following features:
• Intercept requests in Access-Accept packets, which allow data interception to start at the beginning of a session.
• Intercept requests in CoA packets, which allow data interception to start or stop during an existing session.
• PPP packet interception.
Restrictions for RADIUS-Based Lawful Intercept
• The RADIUS-Based Lawful Intercept feature cannot honor both CoA requests and lawful intercept requests simultaneously. When a CoA-Request packet is identified as a lawful intercept request, the packet is consumed by the lawful intercept functionality, and it is not passed to other CoA packets.
• If there are attributes other than the required four LI attributes and the Acct-Session-ID attribute 44, the CoA-Request packet is rejected. However, Access-Accept packets can contain attributes that are not related to lawful intercept.
• When using the IP address, the tap must be set by using the Simple Network Management Protocol (SNMP); the tap cannot be set by using RADIUS.
Information About RADIUS-Based Lawful Intercept
To configure the RADIUS-Based Lawful Intercept feature, you need to understand the following
concepts:
RADIUS-Based Lawful Intercept Solutions
A RADIUS-based lawful intercept solution enables intercept requests to be sent (via Access-Accept packets or CoA-Request packets) to the NAS or to the LAC from the RADIUS server. All traffic data going to or from a PPP or L2TP session is passed to a mediation device. Another advantage of RADIUS-based lawful intercept is the synchronicity of the solution—the tap is set with Access-Accept packets so that all target traffic is intercepted.
Without a RADIUS-based solution, Cisco’s lawful intercept implementation must use the CISCO-TAP-MIB. Intercept requests are initiated by the mediation device via SNMPv3 messages, and all traffic data going to or from a given IP address is passed to a mediation device. Interception based on IP addresses prevents a session from being tapped until an IP address has been assigned to the session.