Cisco 10000 Series Router Software Configuration Guide, OL-2226-23, page 5-25
Chapter 5 Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server
L2TP Network Server

When you activate packet fragmentation, the router clears the DF bit of packets entering all L2TP tunnels
and fragments the packets, but only if the packets exceed the session MTU. Clearing the DF bit allows
packets to be fragmented. If a packet enters an L2TP tunnel, but it does not exceed the MTU, the router
does not clear the DF bit. Instead, the DF bit is left untouched and the router does not fragment the
packet.

Tunnel Accounting

The tunnel accounting feature enhances AAA accounting by adding the ability to include tunnel-related
statistics in the RADIUS information. To collect tunnel usage information, RADIUS accounting
includes tunnel accounting attributes and additional tunnel accounting values for the Acct-Status-Type
RADIUS attribute.

Note: For more information about the RADIUS tunnel accounting attributes or the Acct-Status-Type values that support RADIUS tunnel accounting, see the “Configuring Vendor-Specific Attributes on RADIUS” section on page 5-44, or see RFC 2867.

By using the tunnel accounting feature, you can track the services that users are accessing and the
amount of network resources that they are consuming. In L2TP dial-up networks, tunneling of user
sessions can be done automatically as a service of the Internet service provider (ISP). This service is
used to provide remote intranet access to the employees of a corporation. ISPs collect usage information
about the service, which they then can use for billing purposes and for managing the network. Tunnel
accounting allows dial-up usage information to be collected and stored at a central location.

When you enable tunnel accounting on the Cisco 10000 series router, the router reports user activity to
the RADIUS server in the form of accounting records. Each accounting record contains accounting
attribute-value (AV) pairs. Accounting records are stored on the RADIUS server and can be analyzed for
network management, client billing, and auditing. Corporations contracting with ISPs also receive a
record of a user’s resource consumption, which enables the corporation to audit its ISP billing
statements.

Note: For more information about AAA accounting, see the “Configuring Accounting” chapter in the Cisco IOS Security Configuration Guide, Release 12.2.
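To show what the accounting records described above look like on the wire, and what an auditor should check before trusting one, here is an added Python example (not Cisco code and not from this guide). It builds a constructed RADIUS Accounting-Request carrying the RFC 2867 Tunnel-Start status value and the RFC 2868 tunnel attributes for an L2TP tunnel, then parses it back, verifying the RFC 2866 Request Authenticator against the shared secret first so that a forged or truncated record is rejected rather than billed. The shared secret, addresses and tunnel identifier are constructed values.

```python
import hashlib

ACCT_STATUS_TYPE, TUNNEL_TYPE = 40, 64                        # RFC 2866 / RFC 2868
TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT, ACCT_TUNNEL_CONNECTION = 66, 67, 68
TAGGED = {TUNNEL_TYPE, TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT}
STATUS = {1: "Start", 2: "Stop", 9: "Tunnel-Start", 10: "Tunnel-Stop", 11: "Tunnel-Reject",
          12: "Tunnel-Link-Start", 13: "Tunnel-Link-Stop", 14: "Tunnel-Link-Reject"}
TUNNEL_TYPES = {1: "PPTP", 2: "L2F", 3: "L2TP"}

def attr(t, value):                                           # Type, Length (incl. header), Value
    return bytes([t, 2 + len(value)]) + value

def authenticator(head, body, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(head + bytes(16) + body + secret).digest()
def build_acct_request(ident, secret, attrs):
    body = b"".join(attrs)
    head = bytes([4, ident]) + (20 + len(body)).to_bytes(2, "big")  # code 4 = Accounting-Request
    return head + authenticator(head, body, secret) + body

def parse_tunnel_record(pkt, secret):
    """Verify the authenticator, then decode the tunnel fields; None if forged or malformed."""
    code, length = pkt[0], int.from_bytes(pkt[2:4], "big")
    if code != 4 or length != len(pkt) or authenticator(pkt[:4], pkt[20:], secret) != pkt[4:20]:
        return None
    rec, pos = {}, 20
    while pos + 2 <= len(pkt):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            return None
        val = pkt[pos + 2:pos + l][1 if t in TAGGED else 0:]  # RFC 2868: drop the Tag octet
        if t == ACCT_STATUS_TYPE:
            rec["status"] = STATUS.get(int.from_bytes(val, "big"), "unknown")
        elif t == TUNNEL_TYPE:
            rec["tunnel_type"] = TUNNEL_TYPES.get(int.from_bytes(val, "big"))
        elif t == ACCT_TUNNEL_CONNECTION:                     # untagged string (RFC 2867)
            rec["tunnel_id"] = val.decode()
        elif t in (TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT):
            rec["client" if t == TUNNEL_CLIENT_ENDPOINT else "server"] = val.decode()
        pos += l
    return rec

SECRET = b"example-shared-secret"                             # constructed, not a real secret
SAMPLE = build_acct_request(7, SECRET, [                      # constructed Tunnel-Start record
    attr(ACCT_STATUS_TYPE, (9).to_bytes(4, "big")),           # 9 = Tunnel-Start
    attr(TUNNEL_TYPE, b"\x00" + (3).to_bytes(3, "big")),      # tag 0, value 3 = L2TP
    attr(TUNNEL_CLIENT_ENDPOINT, b"\x00" + b"192.0.2.10"),    # LAC address, documentation range
    attr(TUNNEL_SERVER_ENDPOINT, b"\x00" + b"198.51.100.1"),  # LNS address, documentation range
    attr(ACCT_TUNNEL_CONNECTION, b"12345"),                   # tunnel identifier string
])
```

Because the authenticator covers every attribute, a record whose payload was altered in transit, or sent by a host that does not hold the shared secret, parses as None and should be logged rather than stored as usage data.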

Tunnel Authentication

The tunnel authentication feature verifies users before they are allowed access to the network and the
network services. On the LNS, L2TP tunnel authorization and authentication can occur by using the
vpdn-group commands configured in the local configuration. If a large number of VPDN groups is
configured, maintaining the local configuration across a number of LNS devices can be difficult. To
alleviate this, the Cisco 10000 series router supports the capability to do tunnel authentication using a
RADIUS server.
