Cisco Systems ASA 5505 Webcam User Manual


 
14-11
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 14 Configuring Inspection for Management Application Protocols
RADIUS Accounting Inspection
Select RADIUS Accounting Map, page 14-11
Add RADIUS Accounting Policy Map, page 14-11
RADIUS Inspect Map, page 14-12
RADIUS Inspect Map Host, page 14-12
RADIUS Inspect Map Other, page 14-13
RADIUS Accounting Inspection Overview
One of the well known problems is the over-billing attack in GPRS networks. The over-billing attack
can cause consumers anger and frustration by being billed for services that they have not used. In this
case, a malicious attacker sets up a connection to a server and obtains an IP address from the SGSN.
When the attacker ends the call, the malicious server will still send packets to it, which gets dropped by
the GGSN, but the connection from the server remains active. The IP address assigned to the malicious
attacker gets released and reassigned to a legitimate user who will then get billed for services that the
attacker will use.
RADIUS accounting inspection prevents this type of attack by ensuring the traffic seen by the GGSN is
legitimate. With the RADIUS accounting feature properly configured, the security appliance tears down
a connection based on matching the Framed IP attribute in the Radius Accounting Request Start message
with the Radius Accounting Request Stop message. When the Stop message is seen with the matching
IP address in the Framed IP attribute, the security appliance looks for all connections with the source
matching the IP address.
You have the option to configure a secret pre-shared key with the RADIUS server so the security
appliance can validate the message. If the shared secret is not configured, the security appliance does
not need to validate the source of the message and will only check that the source IP address is one of
the configured addresses allowed to send the RADIUS messages.
Note When using RADIUS accounting inspection with GPRS enabled, theASA checks for the
3GPP-Session-Stop-Indicator in the Accounting Request STOP messages to properly handle secondary
PDP contexts. Specifically, the ASA requires that the Accounting Request STOP messages include the
3GPP-SGSN-Address attribute before it will temrinate the user sessions and all associated connections.
Some third-party GGSNs might not send this attribute by default.
Select RADIUS Accounting Map
The Select RADIUS Accounting Map dialog box lets you select a defined RADIUS accounting map or
define a new one.
Fields
Add—Lets you add a new RADIUS accounting map.
Add RADIUS Accounting Policy Map
The Add RADIUS Accounting Policy Map dialog box lets you add the basic settings for the RADIUS
accounting map.