Configuring a RADIUS Inspection Policy – Cisco ASA 5505 User Manual




Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 46 Configuring Inspection for Management Application Protocols

RADIUS Accounting Inspection

the GGSN, but the connection from the server remains active. The IP address assigned to the malicious
attacker gets released and reassigned to a legitimate user who will then get billed for services that the
attacker will use.

RADIUS accounting inspection prevents this type of attack by ensuring that the traffic seen by the GGSN is
legitimate. With the RADIUS accounting feature properly configured, the security appliance records the
Framed-IP-Address attribute (RADIUS attribute 8) of each RADIUS Accounting-Request Start message. When
an Accounting-Request Stop message arrives whose Framed-IP-Address matches a recorded Start, the security
appliance finds every connection whose source address matches that IP address and tears it down, so the
released address cannot be used by a stale session after it is reassigned.

You can configure a pre-shared key (shared secret) for each RADIUS server so that the security appliance
can validate the authenticator of every accounting message it receives. If no shared secret is configured,
the security appliance does not validate the message itself and only checks that the source IP address is
one of the configured hosts allowed to send RADIUS accounting messages; configure a key wherever that
source address could be spoofed, because a forged Stop message would otherwise tear down a legitimate
user's connections.

Note

When using RADIUS accounting inspection with GPRS enabled, the ASA checks for the
3GPP-Session-Stop-Indicator in Accounting-Request Stop messages to properly handle secondary
PDP contexts. Specifically, the ASA requires that the Accounting-Request Stop message include the
3GPP-SGSN-Address attribute before it will terminate the user session and all associated connections.
Some third-party GGSNs might not send this attribute by default, in which case the Stop message is
not acted on and the user's connections remain up.
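The inspection logic described in the two paragraphs above and in the note, as an added example in Python (it is not Cisco code and does not claim to be how the ASA is implemented): it builds RFC 2866 Accounting-Request Start and Stop packets with a Request Authenticator, accepts them only from configured hosts, validates the authenticator when a key is configured for the sender, tracks sessions by Framed-IP-Address, and on a matching Stop tears down every recorded connection from that address. The GPRS handling follows my reading of the note: with GPRS enabled a Stop must carry 3GPP-SGSN-Address, and a Stop without 3GPP-Session-Stop-Indicator is treated as closing a secondary PDP context rather than the whole session. The sender addresses 10.1.1.1 and 10.9.9.9, the key 123456789 (taken from the page's `host` line), the subscriber address 192.0.2.10 and the connection list are constructed for the example; the 3GPP vendor id 10415 and the VSA numbers 6 and 11 are from 3GPP TS 29.061.

```python
"""Model of ASA RADIUS accounting inspection (added example, not Cisco code)."""
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4            # RADIUS code: Accounting-Request (RFC 2866)
ATTR_FRAMED_IP = 8          # Framed-IP-Address
ATTR_VENDOR = 26            # Vendor-Specific
ATTR_ACCT_STATUS = 40       # Acct-Status-Type: 1 = Start, 2 = Stop
STATUS_START, STATUS_STOP = 1, 2
VENDOR_3GPP = 10415         # 3GPP vendor id (TS 29.061)
VSA_3GPP_SGSN_ADDRESS = 6   # 3GPP-SGSN-Address
VSA_3GPP_SESSION_STOP = 11  # 3GPP-Session-Stop-Indicator


def build_attrs(status, framed_ip, vsas=()):
    """Encode Acct-Status-Type, Framed-IP-Address and optional 3GPP VSAs."""
    out = struct.pack("!BBI", ATTR_ACCT_STATUS, 6, status)
    out += struct.pack("!BB4s", ATTR_FRAMED_IP, 6, ipaddress.IPv4Address(framed_ip).packed)
    for vtype, value in vsas:
        body = struct.pack("!IBB", VENDOR_3GPP, vtype, 2 + len(value)) + value
        out += struct.pack("!BB", ATTR_VENDOR, 2 + len(body)) + body
    return out


def build_acct_request(identifier, attrs, secret):
    """Accounting-Request whose Request Authenticator is the RFC 2866 MD5."""
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def parse_attrs(data):
    """Return [(type, value)]; Vendor-Specific values become (vendor, vtype, value)."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + alen]
        if atype == ATTR_VENDOR and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            value = (vendor, vtype, value[6:4 + vlen])
        attrs.append((atype, value))
        pos += alen
    return attrs


class RadiusAccountingInspector:
    """hosts: allowed sender -> key bytes, or None when no key is configured.
    connections: source IP -> list of live through-the-box connections."""

    def __init__(self, hosts, connections, gprs=False):
        self.hosts, self.connections, self.gprs = hosts, connections, gprs
        self.sessions = set()   # Framed-IP-Addresses seen in a Start

    def inspect(self, src_ip, packet):
        """Return (verdict, framed_ip, connections torn down)."""
        if src_ip not in self.hosts:
            return ("drop: sender not a configured host", None, [])
        code, _ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCT_REQUEST or length != len(packet):
            return ("drop: not a well-formed Accounting-Request", None, [])
        secret = self.hosts[src_ip]
        if secret is not None:   # a key is configured: validate the message
            expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
            if not hmac.compare_digest(expected, packet[4:20]):
                return ("drop: Request Authenticator mismatch", None, [])
        status = framed_ip = None
        vsas = set()
        for atype, value in parse_attrs(packet[20:]):
            if atype == ATTR_ACCT_STATUS:
                status = struct.unpack("!I", value)[0]
            elif atype == ATTR_FRAMED_IP:
                framed_ip = str(ipaddress.IPv4Address(value))
            elif atype == ATTR_VENDOR and value[0] == VENDOR_3GPP:
                vsas.add(value[1])
        if framed_ip is None:
            return ("ignore: no Framed-IP-Address", None, [])
        if status == STATUS_START:
            self.sessions.add(framed_ip)
            return ("start", framed_ip, [])
        if status != STATUS_STOP:
            return ("ignore: other Acct-Status-Type", framed_ip, [])
        if self.gprs and VSA_3GPP_SGSN_ADDRESS not in vsas:
            return ("ignore: Stop lacks 3GPP-SGSN-Address", framed_ip, [])
        if self.gprs and VSA_3GPP_SESSION_STOP not in vsas:
            return ("ignore: secondary PDP context, session still up", framed_ip, [])
        if framed_ip not in self.sessions:
            return ("ignore: Stop without a matching Start", framed_ip, [])
        self.sessions.discard(framed_ip)
        return ("stop", framed_ip, self.connections.pop(framed_ip, []))


def demo():
    """Constructed scenario: 192.0.2.10 keeps flows open after its accounting Stop."""
    secret = b"123456789"   # the key from the page's 'host' line
    live = {"192.0.2.10": ["udp 192.0.2.10 -> 203.0.113.7/53",
                           "tcp 192.0.2.10 -> 203.0.113.8/80"]}
    asa = RadiusAccountingInspector({"10.1.1.1": secret}, live, gprs=True)
    sgsn = (VSA_3GPP_SGSN_ADDRESS, bytes([10, 2, 2, 2]))
    final = (VSA_3GPP_SESSION_STOP, b"\xff")
    stop = build_attrs(STATUS_STOP, "192.0.2.10", [sgsn, final])
    return [
        asa.inspect("10.1.1.1", build_acct_request(1, build_attrs(STATUS_START, "192.0.2.10"), secret))[0],
        asa.inspect("10.9.9.9", build_acct_request(2, stop, secret))[0],      # unconfigured sender
        asa.inspect("10.1.1.1", build_acct_request(3, stop, b"guess"))[0],    # wrong key
        asa.inspect("10.1.1.1", build_acct_request(4, build_attrs(STATUS_STOP, "192.0.2.10", [final]), secret))[0],
        asa.inspect("10.1.1.1", build_acct_request(5, build_attrs(STATUS_STOP, "192.0.2.10", [sgsn]), secret))[0],
        asa.inspect("10.1.1.1", build_acct_request(6, stop, secret)),         # genuine final Stop
    ], live
```

`demo()` walks through the cases the text describes: a Start is recorded, a Stop from an address that is not a configured host is dropped, a Stop with a bad authenticator is dropped because a key is configured for that host, the two GPRS cases (missing 3GPP-SGSN-Address, missing 3GPP-Session-Stop-Indicator) are ignored, and only the genuine final Stop removes the subscriber's two live connections. With `hosts={"10.1.1.1": None}` the authenticator check is skipped, which is the no-key behaviour the text warns about.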

Configuring a RADIUS Inspection Policy Map for Additional Inspection Control

To use this feature, the RADIUS accounting inspection policy map is referenced from a policy map of type
management, and that policy map is applied with the service-policy command using the control-plane
keyword, which marks the traffic as to-the-box traffic for inspection.

The following example shows the complete set of commands in context to properly configure this
feature:

Step 1

Configure the class map and the port. The port must be the one your accounting server actually sends to; the IANA-assigned RADIUS accounting port is UDP 1813, with UDP 1646 used by older deployments, and the example below uses 1888:

class-map type management c1

match port udp eq 1888

Step 2

Create the inspection policy map, then use the parameters command to enter parameters configuration mode
and configure the accounting host and its key, the response behaviour, GPRS handling, and attribute validation.

policy-map type inspect radius-accounting radius_accounting_map

parameters

host 10.1.1.1 inside key 123456789

send response

enable gprs

validate-attribute 22

Step 3

Apply the inspection in a management policy map, then activate that policy map with the service-policy command and the control-plane keyword.

policy-map type management global_policy

class c1

inspect radius-accounting radius_accounting_map

service-policy global_policy control-plane abc global
