CLI user access accounting

1

User-Name

The name of user requesting user-Authentication, Authorization, Accounting. Usernames longer the allowed maximum Limit are treated as an authentication failure.

4

NAS-IP-Address

The identifying IP Address of the NAS requesting the Authentication or Accounting. Included when the RADIUS server is reachable using IPv4.

The address is determined by the routing instance through which the RADIUS server can be reached:

‟Management” — The active IPv4 address in the Boot Options File (bof address ipv4-address)

‟Base” — The IPv4 address of the system interface (configure router interface system address address). The address can be overwritten with the configured source-address (configure system security source-address application radius ip-int-name | ip-address)

31

Calling-Station-Id

The IP address (coded in hex) from the user that requests Authentication, Authorization, Accounting.

44

Acct-Session-Id

A unique number generated per authenticated user and reported in all accounting messages. Used to correlate CLI commands (accounting data) from the same user.

61

NAS-Port-Type

Mandatory included as type Virtual(5).

95

NAS-IPv6-Address

The identifying IP Address of the NAS requesting the Authentication or Accounting. Included when the RADIUS server is reachable using IPv6.

The address is determined by the routing instance through which the RADIUS server can be reached:

‟Management” — The active IPv6 address in the Boot Options File (bof address ipv6-address)

‟Base” — The IPv6 address of the system interface (configure router interface system ipv6 address ipv6-address). The address can be overwritten with the configured ipv6-source-address (configure system security source-address application6 radius ipv6-address)

26.6527.6

Timetra-Cmd

A command string, subtree command string or a list of command strings as scope for the match condition for user authorization. Multiple command strings in the same attribute are delimited with the; character. Additional command strings are encoded in multiple attributes. If the maximum number of command strings is violated, or if a string is too long, processing the input is stopped but authorization continues, so if the RADIUS server is configured to have five command strings of which the third is too long, only the first two entries are used and the rest are ignored. Each [26.6527.6] Timetra-Cmd attribute is followed in sequence by a [26.6527.7] Timetra-Action. (A missing Timetra-Action results in a deny.)

Note - For each authenticated RADIUS user a temporary profile with name [1]User-Name is always created (show system security profile) and executed as last profile. This temporary profile is built from the mandatory attribute [26.6527.5]Timetra-Default-Action and optional attributes [26.6527.6] Timetra-Cmd, [26.6527.7] Timetra-Action.

1

User-Name

string

16 chars

For example:

User-Name = ‟admin”

4

NAS-IP-Address

ipaddr

4 bytes

For example:

NAS-IP-Address= ‟192.0.2.1”

31

Calling-Station-Id

string

64 bytes

# users ip address

For example:

Calling-Station-Id= ‟192.0.2.2” or

Calling-Station-Id= ‟2001:db8 to 2”

44

Acct-Session-Id

string

22 bytes

For example:

Acct-Session-Id = ‟2128463592102512113409”

61

NAS-Port-Type

integer

4 bytes

value 5 fixed

Fixed set to value virtual (5)

For example:

NAS-Port-Type 00000005

95

NAS-IPv6-Address

ipv6addr

16 bytes

For example:

NAS-IPv6-Address = 2001:db8::1

26.6527.6

Timetra-Cmd

string

25 attributes

247 chars/attribute

For example:

Timetra-Cmd += configure router isis;show subscriber-mgmt sub-profile

Timetra-Cmd += show router

1

User-Name

1

1

4

NAS-IP-Address

0-1

0-1

31

Calling-Station-Id

1

1

44

Acct-Session-Id

1

1

61

NAS-Port-Type

1

1

95

NAS-IPv6-Address

0-1

0-1

26.6527.6

Timetra-Cmd

1

1