Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 15      Inspection of Database, Directory, and Management Protocols
  RADIUS Accounting Inspection
Configure a RADIUS Accounting Inspection Policy Map
You must create a RADIUS accounting inspection policy map to configure the attributes needed for the 
inspection.
Procedure
Step 1 Create a RADIUS accounting inspection policy map:
hostname(config)# policy-map type inspect radius-accounting policy_map_name
hostname(config-pmap)# 
Where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 2 (Optional) Add a description to the policy map.
hostname(config-pmap)# description string
Step 3 Enter parameters configuration mode.
hostname(config-pmap)# parameters
hostname(config-pmap-p)# 
Step 4 Set one or more parameters. You can set the following options; use the no form of the command to 
disable the option.
• send response—Instructs the ASA to send Accounting-Request Start and Stop messages to the 
senders of those messages (which are identified in the host command).
• enable gprs—Implement GPRS over-billing protection. The ASA checks for the 3GPP VSA 
26-10415 attribute in the Accounting-Request Stop and Disconnect messages in order to properly 
handle secondary PDP contexts. If this attribute is present, then the ASA tears down all connections 
that have a source IP matching the User IP address on the configured interface.
• validate-attribute number—Additional criteria to use when building a table of user accounts when 
receiving Accounting-Request Start messages. These attributes help when the ASA decides whether 
to tear down connections.
If you do not specify additional attributes to validate, the decision is based solely on the IP address 
in the Framed IP Address attribute. If you configure additional attributes, and the ASA receives a 
start accounting message that includes an address that is currently being tracked, but the other 
attributes to validate are different, then all connections started using the old attributes are torn down, 
on the assumption that the IP address has been reassigned to a new user.
Values range from 1-191, and you can enter the command multiple times. For a list of attribute 
numbers and their descriptions, see http://www.iana.org/assignments/radius-types. 
• host ip_address [key secret]—The IP address of the RADIUS server or GGSN. You can optionally 
include a secret key so that the ASA can validate the message. Without the key, only the IP address 
is checked. You can repeat this command to identify multiple RADIUS and GGSN hosts. The ASA 
receives a copy of the RADIUS accounting messages from these hosts.
• timeout users time—Sets the idle timeout for users (in hh:mm:ss format). To have no timeout, 
specify 00:00:00. The default is one hour.
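The address-reuse rule described for validate-attribute, as an added Python model (not Cisco code and not part of the original guide). The UserTable class, its method names and the sample messages are hypothetical and constructed; attribute 8 is Framed-IP-Address, 1 is User-Name and 31 is Calling-Station-Id in the IANA registry.

```python
# Simplified model of the validate-attribute decision described above.
# Not ASA code: class, method and connection names are hypothetical.
FRAMED_IP_ADDRESS = 8  # IANA RADIUS attribute type for Framed-IP-Address


class UserTable:
    def __init__(self, validate_attributes=()):
        # Numbers as given with "validate-attribute number" (range 1-191).
        for number in validate_attributes:
            if not 1 <= number <= 191:
                raise ValueError(f"attribute {number} is outside 1-191")
        self.validate = tuple(sorted(set(validate_attributes)))
        self.users = {}        # framed IP -> validated attribute values
        self.connections = {}  # framed IP -> list of connection labels

    def _key(self, attrs):
        return tuple(attrs.get(n) for n in self.validate)

    def accounting_start(self, attrs):
        """Process an Accounting-Request Start; return connections torn down."""
        ip = attrs[FRAMED_IP_ADDRESS]
        new = self._key(attrs)
        torn_down = []
        if ip in self.users and self.users[ip] != new:
            # Tracked address, different validated attributes: assume the
            # address was reassigned and drop the previous user's connections.
            torn_down = self.connections.pop(ip, [])
        self.users[ip] = new
        self.connections.setdefault(ip, [])
        return torn_down

    def add_connection(self, ip, label):
        self.connections.setdefault(ip, []).append(label)


def replay(validate_attributes):
    """Replay two constructed Start messages that reuse one address."""
    table = UserTable(validate_attributes)
    # Constructed sample messages, keyed by RADIUS attribute number.
    first = {8: "10.0.0.5", 1: "alice", 31: "15551230001"}
    second = {8: "10.0.0.5", 1: "bob", 31: "15551230002"}
    table.accounting_start(first)
    table.add_connection("10.0.0.5", "alice-tcp-443")
    return table.accounting_start(second)


if __name__ == "__main__":
    print(replay(()))       # no extra attributes: nothing torn down
    print(replay((1, 31)))  # validated attributes differ: old connection dropped
```

In this model, an empty validate list means the second Start is matched on the address alone, so the existing connection stays associated with that address.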
Example
policy-map type inspect radius-accounting radius-acct-pmap