Cisco IOS Software Release 12.2(27)SBC
Cisco IOS Security Configuration Guide
RADIUS-Based Lawful Intercept
Information About RADIUS-Based Lawful Intercept
RADIUS Attributes Used to Specify an Intercept Request

Table 1 describes the four attributes that are required to specify an intercept request in Access-Accept packets or in CoA-Request packets. CoA-Request packets must also carry attribute 44, Acct-Session-ID, to identify the user session to which the Lawful Intercept feature should be applied. If a packet contains more than four attributes, the RADIUS packet is ignored. If an attribute name is misspelled, the security for that RADIUS profile will be affected when the debug radius command is entered.
Note: The RADIUS server must support encoding and decoding of salt-encrypted attributes.

Each attribute (except for CoA-Request attribute 44) is salt-encrypted. The salt field ensures that a unique encryption key is used to encrypt each instance of the vendor-specific attribute (VSA). The first and most significant bit of the salt field must be set to 1. Cisco VSA type 36 specifies the intercept attributes. See Table 1.
Table 1 Intercept Request RADIUS Attribute Field Descriptions

Intercept-Identifier
  Length: 42
  Vendor-Length: 36
  Attribute String: intercept-id=value (value is eight digits)
  Description: Identifies the intercepted target session. Send a unique Intercept-Identifier attribute for all tapped sessions; otherwise, the session is not tapped. (The mediation device is responsible for ensuring that this attribute is unique for all tapped sessions.)

LI-Action
  Length: 26
  Vendor-Length: 20
  Attribute String: li-action=0, 1, or 2
  Description: Specifies one of the following intercept actions:
    • 0—Stop interception of a session.
    • 1—Start interception of a session.
    • 2—No action; a dummy interception is ignored. Check to see if a subscriber is logged on.
  When LI-Action is in Access-Accept packets, only 1 starts the tap. When LI-Action is in CoA-Request packets, you can enter any action.

MD-IP-Address
  Length: 42 or more
  Vendor-Length: 36 or more
  Attribute String: md-ip-addr=address (address is a Version 4 IP address in dotted format)
  Description: Specifies the IP address of the mediation device that receives the duplicated data.
  Note: The IP address cannot be 255.255.255.255 or 0.0.0.0.

MD-Port-Number
  Length: 26
  Vendor-Length: 20
  Attribute String: md-port=port (port is 1 through 5)
  Description: Specifies the User Datagram Protocol (UDP) port number of the mediation device that receives the duplicated data.
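The following Python example is added here to illustrate the salt-encrypted VSA encoding described above and the Length / Vendor-Length values listed in Table 1; it is not code from the Cisco guide or from Cisco IOS. It assumes that "salt-encrypted" means the RFC 2868 Tunnel-Password method (an MD5 keystream seeded from the shared secret, the Request Authenticator and the two-byte salt, chained over 16-byte blocks), uses the Cisco IANA vendor ID 9, takes the vendor type 36 from the page, and uses a constructed shared secret and authenticator. The validation function applies the rules the guide states (exactly four attributes, eight-digit intercept-id, li-action 0/1/2 with only 1 starting a tap in Access-Accept, a dotted IPv4 mediation address that is neither 0.0.0.0 nor 255.255.255.255, and a UDP port), so a reviewer can check a server's profile before it reaches a router.

```python
import hashlib
import ipaddress
import os
import struct

CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco (known fact, not from this page)
VENDOR_TYPE = 36       # the guide states Cisco VSA type 36; confirm against your RADIUS dictionary
VSA_TYPE = 26          # standard RADIUS Vendor-Specific attribute
REQUIRED = ("intercept-id", "li-action", "md-ip-addr", "md-port")
FORBIDDEN_MD_ADDRS = {"255.255.255.255", "0.0.0.0"}

def make_salt() -> bytes:
    """Two random salt bytes with the most significant bit forced to 1, as the guide requires."""
    s = os.urandom(2)
    return bytes([s[0] | 0x80, s[1]])

def salt_encrypt(plaintext: bytes, secret: bytes, authenticator: bytes, salt: bytes) -> bytes:
    """Salt-encrypt one attribute value. ASSUMPTION: the RFC 2868 Tunnel-Password
    method; the guide itself only says 'salt-encrypted'. Returns salt || ciphertext."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the first bit set to 1")
    if len(plaintext) > 255:
        raise ValueError("attribute string too long")
    p = bytes([len(plaintext)]) + plaintext          # length octet, then the string
    p += b"\x00" * (-len(p) % 16)                    # pad to a 16-byte multiple
    prev, out = authenticator + salt, b""
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()      # b(1)=MD5(S+R+A), b(i)=MD5(S+c(i-1))
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return salt + out

def salt_decrypt(field: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of salt_encrypt; rejects a salt whose first bit is 0."""
    salt, ct = field[:2], field[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not ct or len(ct) % 16:
        raise ValueError("malformed salt-encrypted field")
    prev, plain = authenticator + salt, b""
    for i in range(0, len(ct), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(ct[i:i + 16], b))
        prev = ct[i:i + 16]
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("bad length octet after decryption")
    return plain[1:1 + n]

def build_vsa(avpair: str, secret: bytes, authenticator: bytes, salt: bytes) -> bytes:
    """Wire format: Type 26 | Length | Vendor-Id | Vendor-Type | Vendor-Length | salt | ciphertext."""
    payload = salt_encrypt(avpair.encode(), secret, authenticator, salt)
    vendor_len = 2 + len(payload)                     # Vendor-Type + Vendor-Length + data
    body = struct.pack("!IBB", CISCO_VENDOR_ID, VENDOR_TYPE, vendor_len) + payload
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body

def parse_vsa(raw: bytes, secret: bytes, authenticator: bytes) -> str:
    """Check the framing fields and return the decrypted attribute string."""
    if len(raw) < 10 or raw[0] != VSA_TYPE or raw[1] != len(raw):
        raise ValueError("bad attribute header")
    vendor_id, vtype, vlen = struct.unpack("!IBB", raw[2:8])
    if vendor_id != CISCO_VENDOR_ID or vtype != VENDOR_TYPE or vlen != len(raw) - 6:
        raise ValueError("unexpected vendor framing")
    return salt_decrypt(raw[8:], secret, authenticator).decode()

def validate_intercept_request(avpairs, packet="Access-Accept"):
    """Apply the guide's rules to decoded attribute strings; returns a list of findings."""
    findings = []
    if len(avpairs) != 4:
        findings.append(f"expected exactly 4 intercept attributes, got {len(avpairs)}")
    kv = dict(s.partition("=")[::2] for s in avpairs)
    for name in REQUIRED:
        if name not in kv:
            findings.append(f"missing or misspelled attribute: {name}")
    iid = kv.get("intercept-id")
    if iid is not None and not (len(iid) == 8 and iid.isdigit()):
        findings.append("intercept-id value must be eight digits")
    act = kv.get("li-action")
    if act is not None:
        if act not in ("0", "1", "2"):
            findings.append("li-action must be 0, 1, or 2")
        elif packet == "Access-Accept" and act != "1":
            findings.append("in Access-Accept packets only li-action=1 starts the tap")
    addr = kv.get("md-ip-addr")
    if addr is not None:
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            findings.append("md-ip-addr must be a dotted IPv4 address")
        if addr in FORBIDDEN_MD_ADDRS:
            findings.append(f"md-ip-addr cannot be {addr}")
    port = kv.get("md-port")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("md-port must be a UDP port number")
    return findings
```

Encoding "intercept-id=12345678" with this scheme yields a 42-byte attribute with Vendor-Length 36, and "li-action=1" yields 26 and 20, matching the Length and Vendor-Length columns of Table 1 (the one-octet length prefix plus padding to 16 bytes accounts for the fixed sizes). Reject any field whose salt does not have the first bit set, and keep the misspelling check: a profile with "intercept-ld=" instead of "intercept-id=" is exactly the kind of error the guide warns about.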