Monitoring Remote Access
Use the commands in this section to monitor remote access. These commands provide information about:
- AAA configuration
- AAA profiles
- AAA statistics
- Address pools
- COPS protocol layer
- Domain name delimiters
- Name servers
- RADIUS servers
- RADIUS SNMP traps
- RADIUS statistics
- SDX client connections
- Subscribers
- User domain mapping
Use the following commands to monitor PPP interfaces:
For details on the show ppp commands, see JUNOSe Link Layer Configuration Guide, Chapter 4, Configuring Point-to-Point Protocol.
You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. For details, see JUNOSe System Basics Configuration Guide, Chapter 2, Command-Line Interface.
NOTE: AAA and RADIUS statistics are not preserved across a warm restart when stateful SRP Switchover is enabled.
show aaa accounting
- Accounting duplication—Name of the virtual router to which duplicate accounting records are sent to the accounting server
- Broadcast accounting—Name of the virtual router groups to which broadcast accounting records are sent to the accounting server
- send acct-stop on AAA access deny—Enabled, disabled
- send acct-stop on authentication server access deny—Enabled, disabled
- acct-interval (for PPP Clients)—Number of minutes between accounting update operations
- send immediate-update—On receipt of response to Acct-Start message; enabled, disabled
host1:vrXyz7#show aaa accounting
Accounting duplication set to router vrXyz25
Broadcast accounting uses group groupXyzCompany20
send acct-stop on AAA access deny is enabled
send acct-stop on authentication server access deny is disabled
acct-interval (for PPP Clients) 0
send immediate-update is enabled
show aaa accounting default
- Use to display the AAA accounting default method for a subscriber type. You can view the method used for ATM 1483, IPSec, PPP, RADIUS relay server, and tunnel subscribers, and IP subscriber management interfaces.
- Example
host1#show aaa accounting tunnel default
radius
show aaa accounting interval
host1#show aaa accounting interval
acct-interval (for PPP Clients) 10
show aaa accounting vr-group
- Use to display the names of a specific virtual router group or of all virtual router groups configured on the router and the virtual routers making up the groups.
- Field descriptions
- vr-group—Name of the virtual router group.
- virtual-router—Index entry and name of virtual routers in the group.
host1#show aaa accounting vr-group
vr-group groupXyzCompany10:
  virtual-router 1 vrXyzA
  virtual-router 2 vrXyzB
  virtual-router 3 vrXyzC
  virtual-router 4 vrXyzD
vr-group groupXyzCompany20:
  virtual-router 1 vrXyzP
  virtual-router 2 vrXyzQ
  virtual-router 3 vrXyzR
  virtual-router 4 vrXyzS
show aaa authentication default
- Use to display the default AAA authentication method list for a subscriber type. You can view the method list used for ATM 1483 subscribers, IPSec subscribers, IP subscriber management interfaces, PPP subscribers, RADIUS relay subscribers, and tunnel subscribers. For example, you can verify that the local authentication method is configured for PPP subscribers.
- Example
host1#show aaa authentication ppp default
local none
show aaa delimiters
- Use to display the domain and realm name delimiters, parse order, and parse direction configured on the router.
- Example
host1#show aaa delimiters
domain delimiters "@!"
realm delimiters "/"
parse order is realm-first
domain parse direction is right-to-left
realm parse direction is left-to-right
show aaa domain-map
- Use to display the mapping between user domains and virtual routers.
- The following keywords have significance when used as user domains:
- none—All client requests with no user domain name are associated with the virtual router mapped to the none entry
- default—All client requests with a domain present that have no map are associated with the virtual router mapped to the default entry
- Domain—Name of the domain
- router-name—Virtual router to which user domain name is mapped
- tunnel-group—Name of the tunnel group assigned to the domain map
- ipv6-router-name—IPv6 virtual router to which user domain name is mapped
- local-interface—Interface information to use on the local (E-series) side of the subscriber's interface
- ipv6-local-interface—IPv6 interface information to use on the local (E-series) side of the subscriber's interface
- poolname—Local address pool from which the router allocates addresses for this domain
- IP hint—IP hint is enabled
- strip-domain—Strip domain is enabled
- override-username—Single username used for all users from a domain in place of the values received from the remote client
- override-password—Single password used for all users from a domain in place of the values received from the remote client
- Tunnel Tag—Tag that identifies the tunnel
- Tunnel Peer—Destination address of the tunnel
- Tunnel Source—Source address of the tunnel
- Tunnel Type—L2TP
- Tunnel Medium—Type of medium for the tunnel; only IPv4 is supported
- Tunnel Password—Password for the tunnel
- Tunnel Id—ID of the tunnel
- Tunnel Client Name—Host name that the LAC sends to the LNS when communicating to the LNS about the tunnel
- Tunnel Server Name—Host name expected from the peer (the LNS) during tunnel startup
- Tunnel Preference—Preference level for the tunnel
- Tunnel Max Sessions—Maximum number of sessions allowed on a tunnel
- Tunnel RWS—L2TP receive window size (RWS) for a tunnel on the LAC; displays either the configured value or the default behavior, which is indicated by system chooses
- Tunnel Virtual Router—Name of the virtual router to map to the user domain name
- Tunnel Failover Resync—L2TP peer resynchronization method
- Tunnel Switch Profile—Name of the L2TP tunnel switch profile
- Tunnel Tx Speed Method—Method that the router uses to calculate the transmit connect speed of the subscriber's access interface: static layer2, dynamic layer2, qos, actual, not set
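The delimiter settings shown by show aaa delimiters and the none and default domain-map keywords together decide which virtual router handles a login. The following Python model is an added example, not JUNOSe code: it assumes that a realm is the text to the left of a realm delimiter, a domain is the text to the right of a domain delimiter, a realm that is found is used as the domain name, and the second parse is tried only when the first finds nothing. The vrNoDomain and vrCatchAll router names and the sample logins are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Delimiters:
    """Settings as reported by `show aaa delimiters` in this page's example."""
    domain: str = "@!"
    realm: str = "/"
    parse_order: str = "realm-first"          # or "domain-first"
    domain_direction: str = "right-to-left"   # or "left-to-right"
    realm_direction: str = "left-to-right"    # or "right-to-left"


def _delimiter_index(name: str, delims: str, direction: str) -> int:
    """Position of the first delimiter met when scanning in `direction`, else -1."""
    hits = [i for i, ch in enumerate(name) if ch in delims]
    if not hits:
        return -1
    return hits[0] if direction == "left-to-right" else hits[-1]


def split_username(name: str, d: Delimiters) -> Tuple[str, Optional[str]]:
    """Return (user, domain); domain is None when no delimiter applies.

    Assumed semantics (not stated on the page): realm = text left of the
    realm delimiter, domain = text right of the domain delimiter.
    """
    def by_realm():
        i = _delimiter_index(name, d.realm, d.realm_direction)
        return (name[i + 1:], name[:i]) if i > 0 else None

    def by_domain():
        i = _delimiter_index(name, d.domain, d.domain_direction)
        return (name[:i], name[i + 1:]) if 0 <= i < len(name) - 1 else None

    if d.parse_order == "realm-first":
        order = (by_realm, by_domain)
    else:
        order = (by_domain, by_realm)
    for attempt in order:
        parsed = attempt()
        if parsed is not None:
            return parsed
    return name, None


def resolve_router(name: str, domain_map: Dict[str, str],
                   d: Delimiters = Delimiters()):
    """Return (user, domain, router) using the none/default keywords."""
    user, domain = split_username(name, d)
    if domain is None:
        key = "none"        # request carries no user domain name
    elif domain in domain_map:
        key = domain
    else:
        key = "default"     # domain present but not mapped
    return user, domain, domain_map.get(key)


def audit(logins: List[str], domain_map: Dict[str, str],
          d: Delimiters = Delimiters()):
    """List logins that reach a router only through the none/default entries."""
    flagged = []
    for login in logins:
        _, domain, router = resolve_router(login, domain_map, d)
        if domain is None or domain not in domain_map:
            flagged.append((login, domain, router))
    return flagged


# Constructed sample data; only lac-tunnel -> lac appears in the page's example.
DOMAIN_MAP = {"lac-tunnel": "lac", "none": "vrNoDomain", "default": "vrCatchAll"}
LOGINS = ["lori@lac-tunnel", "usEast/lori@lac-tunnel", "lori",
          "john@abc.com@lac-tunnel"]

if __name__ == "__main__":
    for login in LOGINS:
        print(login, "->", resolve_router(login, DOMAIN_MAP))
    print("via none/default:", audit(LOGINS, DOMAIN_MAP))
```

With realm-first parsing, a login such as usEast/lori@lac-tunnel resolves through the default entry rather than the lac-tunnel entry, which is the kind of mismatch this check is meant to surface when reviewing a domain map.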
host1#show aaa domain-map
Domain: lac-tunnel; router-name: lac; ipv6-router-name: default
Tunnel               Tunnel  Tunnel  Tunnel  Tunnel
Tag     Tunnel Peer  Source  Type    Medium  Password  Tunnel Id
------  -----------  ------  ------  ------  --------  -----------
5       192.168.1.1  <null>  l2tp    ipv4    welcome   lac-tunnel
                     Tunnel              Tunnel
Tunnel  Tunnel       Server  Tunnel      Max
Tag     Client Name  Name    Preference  Sessions  Tunnel RWS
------  -----------  ------  ----------  --------  --------------
5       lac          boston  5           0         4
                                             Tunnel
        Tunnel   Tunnel           Tunnel     Tx
Tunnel  Virtual  Failover         Switch     Speed
Tag     Router   Resync           Profile    Method
------  -------  --------         ---------  ------
5       <null>   silent failover  denver     qos
show aaa duplicate-address-check
- Use to display whether the routing table address lookup or duplicate address check is enabled or disabled.
- Example
host1#show aaa duplicate-address-check
enabled
show aaa model
host1#show aaa model
aaa model: old model
show aaa name-servers
host1#show aaa name-servers
Name Server Addresses (for PPP Clients):
primary DNS Addr 10.2.3.4
secondary DNS Addr 10.6.7.8
primary NBNS (WINS) Addr 10.22.33.44
secondary NBNS (WINS) Addr 10.66.77.88
show aaa profile
- ATM nas-port-type—Configuration of NAS-Port-Type attribute for ATM interfaces
- Ethernet nas-port-type—Configuration of NAS-Port-Type attribute for Ethernet interfaces
- profile-service-description—Description configured in the Service-Description attribute
- allow—Domain name(s) that are allowed access to AAA authentication
- deny—Domain name(s) that are denied access to AAA authentication
- translate—Original domain name and the name to which it is mapped for domain map lookup
host1#show aaa profile
charlie:
atm nas-port-type: ADLSL-CAP
ethernet nas-port-type: Cable
profile-service-description: xyzService
allow xyz.com
deny default
translate xyz1.com abc.com
show aaa statistics
- Use to display authentication, authorization, and accounting statistics.
- Use the optional delta keyword to specify that baselined statistics are to be shown.
- Field descriptions
- incoming initiate requests—Number of incoming AAA requests (from other E-series applications) for user connect services
- incoming disconnect requests—Number of incoming AAA requests (from other E-series applications) for user disconnect services
- outgoing grant (tunnel) responses—Number of outgoing tunnel grant responses to AAA requests
- outgoing grant responses—Number of outgoing grant responses to AAA requests
- outgoing deny responses—Number of outgoing deny responses to AAA requests
- outgoing error responses—Number of outgoing error responses to AAA requests
- outgoing Authentication requests—Number of authentication requests from AAA to the authentication task
- incoming Authentication responses—Number of authentication responses from the authentication task to AAA
- outgoing Re-Authentication requests—Number of reauthentication requests from AAA to the authentication task
- incoming Re-Authentication responses—Number of reauthentication responses from the authentication task to AAA
- outgoing Accounting requests—Number of accounting requests (starts, updates, stops) from AAA to the accounting task
- incoming Accounting responses—Number of accounting responses (starts, updates, stops) from the accounting task to AAA
- outgoing Duplicate Acct requests—Number of duplicate accounting requests (starts, updates, stops) from AAA to the accounting task
- incoming Duplicate Acct responses—Number of duplicate accounting responses (starts, updates, stops) from the accounting task to AAA
- outgoing Broadcast Acct requests—Number of broadcast accounting requests (starts, updates, stops) from AAA to the accounting task
- incoming Broadcast Acct responses—Number of broadcast accounting responses (starts, updates, stops) from the accounting task to AAA
- outgoing Address requests—Number of address allocation/release requests from AAA to address allocation task
- incoming Address responses—Number of address allocation/release responses from the address allocation task to AAA
host1#show aaa statistics
AAA Statistics
--------------
Statistic                             Count
------------------------------------  -----
incoming initiate requests            109
incoming disconnect requests          7
outgoing grant (tunnel) responses     3
outgoing grant responses              6
outgoing deny responses               0
outgoing error responses              0
outgoing Authentication requests      9
incoming Authentication responses     9
outgoing Re-Authentication requests   0
incoming Re-Authentication responses  0
outgoing Accounting requests          120
incoming Accounting responses         120
outgoing Duplicate Acct requests      18
incoming Duplicate Acct responses     18
outgoing Broadcast Acct requests      32
incoming Broadcast Acct responses     32
outgoing Address requests             0
incoming Address responses            0
show aaa subscriber per-port-limit
host1#show aaa subscriber per-port-limit
Subscriber Port Limits
----------------------
Port             Limit
---------------  ---------------
0/2              5
0/3              2
3/2              2
show aaa subscriber per-vr-limit
host1#show aaa subscriber per-vr-limit
subscriber limit is 0
show aaa timeout
host1#show aaa timeout
idle timeout (for PPP Clients) 0 seconds
session timeout (for PPP Clients) 31622400 seconds
show configuration category aaa global-attributes
- Use to display the virtual router groups that are configured for AAA broadcast accounting.
- For additional information about the show configuration command, see Customizing the Configuration Output in JUNOSe System Basics Configuration Guide, Chapter 5, Managing the System.
- Field descriptions
- aaa accounting vr-group—Name of virtual router groups
- aaa virtual-router—Name and index number of the virtual routers that are members of the virtual router group
host1#show configuration category aaa global-attributes
! Configuration script being generated on MON JAN 10 2005 15:19:19 UTC
! Juniper Edge Routing Switch ERX-1440
! Version: 9.9.9 development-4.0 (January 7, 2005 17:26)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa global-attributes
!
aaa accounting vr-group groupXyzCompany10
aaa virtual-router 1 vrXyzA
aaa virtual-router 2 vrXyzB
aaa virtual-router 3 vrXyzC
aaa virtual-router 4 vrXyzD
aaa accounting vr-group groupXyzCompany20
aaa virtual-router 1 vrXyzP
aaa virtual-router 2 vrXyzQ
aaa virtual-router 3 vrXyzR
aaa virtual-router 4 vrXyzS
!
hostname "host1"
show configuration category aaa local-authentication
- Use to display the configuration information for AAA local authentication. You can display information for the following keywords:
- databases—Local user databases configured on the router
- users—Users configured in the local user databases
- virtual-router—Local user database selected by the specified virtual router for local authentication
- For additional information about the show configuration command, see Customizing the Configuration Output in JUNOSe System Basics Configuration Guide, Chapter 5, Managing the System.
- Field descriptions for all keywords
- aaa local database—Name of the local user database; the name default specifies the default local user database
- aaa local select database—Local user database that the virtual router uses for local authentication
- aaa local username—Unique user entry in the local user database
- database—Name of the local user database for the specified username
- hostname—Name of the host router
- ip-address—IP address parameter for the user entry
- ip-address-pool—IP address pool parameter for the user entry
- operational virtual-router—Virtual router parameter for the user entry
- password—Password used to authenticate the subscriber
- secret—Secret used to authenticate the subscriber
- virtual-router—Name of virtual router
- Example (see Local Authentication Example for additional examples with the users and virtual-router keywords).
host1#show configuration category aaa local-authentication databases
! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication databases
!
hostname host1
aaa new-model
aaa local database default
aaa local database svaleLdb10
show configuration category aaa server-attributes include-defaults
- Use to display status of the attributes on the AAA server, including AAA accounting duplication and broadcast.
- For additional information about the show configuration command, see Customizing the Configuration Output in JUNOSe System Basics Configuration Guide, Chapter 5, Managing the System.
- Field descriptions
- virtual router—Name of the virtual router
- aaa accounting duplication—Virtual router used for duplicate accounting
- aaa accounting broadcast—Virtual router group used for broadcast accounting
- aaa duplicate-address-check—Enabled, disabled
- aaa accounting acct-stop on-aaa-failure—Enabled, disabled
- aaa accounting acct-stop on-access-deny—Enabled, disabled
- aaa subscriber limit per-vr—Enabled, disabled
- aaa intf-desc-format include sub-intf—Enabled, disabled
- aaa intf-desc-format include adapter—Enabled, disabled
- aaa accounting immediate-update—Enabled, disabled
host1#show configuration category aaa server-attributes include-defaults
! Configuration script being generated on MON JAN 10 2005 15:12:02 UTC
! Juniper Edge Routing Switch ERX-1440
! Version: 9.9.9 development-4.0 (January 7, 2005 17:26)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa server-attributes
!
virtual-router default
aaa accounting duplication lac
aaa accounting broadcast group1
aaa duplicate-address-check enable
aaa accounting acct-stop on-aaa-failure enable
aaa accounting acct-stop on-access-deny disable
aaa subscriber limit per-vr 0
aaa intf-desc-format include sub-intf enable
aaa intf-desc-format include adapter enable
aaa accounting immediate-update disable
!
! ==============================================================================
!
virtual-router lac
no aaa accounting duplication
no aaa accounting broadcast
aaa duplicate-address-check enable
aaa accounting acct-stop on-aaa-failure enable
aaa accounting acct-stop on-access-deny disable
aaa subscriber limit per-vr 0
aaa intf-desc-format include sub-intf enable
aaa intf-desc-format include adapter enable
aaa accounting immediate-update disable
!
! ==============================================================================
!
virtual-router isp
no aaa accounting duplication
no aaa accounting broadcast
aaa duplicate-address-check enable
aaa accounting acct-stop on-aaa-failure enable
aaa accounting acct-stop on-access-deny disable
aaa subscriber limit per-vr 0
aaa intf-desc-format include sub-intf enable
aaa intf-desc-format include adapter enable
aaa accounting immediate-update disable
show cops info
- Use to display information about the COPS layer over which the SDX connection is made.
- Field descriptions
- Sessions Created—Number of COPS sessions created
- Sessions Deleted—Number of COPS sessions deleted
- Current Sessions—Number of current COPS sessions
- Bytes Received—Number of bytes received on all COPS sessions
- Packets Received—Number of packets received on all COPS sessions
- Bytes Sent—Number of bytes transmitted on all COPS sessions
- Packets Sent—Number of packets transmitted on all COPS sessions
- Keep Alive Received—Number of COPS keepalive messages received
- Keep Alive Sent—Number of COPS keepalive messages sent
- Remote IP Address—IP address of the remote peer
- Remote TCP Port—TCP port number of the remote peer
- Client Type—Type of client for the session. For this release the client type must be 16640 (SDX client).
- Bytes Received—Number of bytes received for this COPS session
- Packets Received—Number of packets received for this COPS session
- Bytes Sent—Number of bytes sent on this COPS session
- Packets Sent—Number of packets sent on this COPS session
- REQ Sent—Number of Request packets sent on this COPS session
- DEC Rcv—Number of Decision packets received on this COPS session
- RPT Sent—Number of Report packets sent on this COPS session
- DRQ Sent—Number of Delete Requests sent on this COPS session
- SSQ Rcv—Number of Synch Requests received on this COPS session
- OPN Sent—Number of Open messages sent on this COPS session
- CAT Rcv—Number of Client Accepts packets received on this COPS session
- CC Sent—Number of Client Closes packets sent on this COPS session
- CC Rcv—Number of Client Closes packets received on this COPS session
- SSC Sent—Number of Sync Complete packets sent on this COPS session
host1#show cops info
General Cops Information:
Sessions Created: 1
Sessions Deleted: 0
Current Sessions: 1
Bytes Received: 680
Packets Received: 17
Bytes Sent: 692
Packets Sent: 21
Keep Alive Received: 12
Keep Alive Sent: 12
Session Information
Remote Ip Address: 10.10.0.223
Remote TCP Port: 4001
Client Type: 16384
Bytes Received: 2224
Packets Received: 5
Bytes Sent: 596
Packets Sent: 9
REQ Sent: 4
DEC Rcv: 4
RPT Sent: 4
DRQ Sent: 0
SSQ Rcv: 0
OPN Sent: 1
CAT Rcv: 1
CC Sent: 0
CC Rcv: 0
SSC Sent: 0
show cops statistics
- Use to display statistics about the COPS layer over which the SDX connection is made.
- Field descriptions
- Sessions Created—Number of COPS sessions created
- Sessions Deleted—Number of COPS sessions deleted
- Current Sessions—Number of current COPS sessions
- Bytes Received—Number of bytes received on all COPS sessions
- Packets Received—Number of packets received on all COPS sessions
- Bytes Sent—Number of bytes transmitted on all COPS sessions
- Packets Sent—Number of packets transmitted on all COPS sessions
- Keep Alive Received—Number of COPS keepalive messages received
- Keep Alive Sent—Number of COPS keepalive messages sent
- Client Type—Type of client for the session.
- Bytes Received—Number of bytes received for this COPS session
- Packets Received—Number of packets received for this COPS session
- Bytes Sent—Number of bytes sent on this COPS session
- Packets Sent—Number of packets sent on this COPS session
- REQ Sent—Number of Request packets sent on this COPS session
- DEC Rcv—Number of Decision packets received on this COPS session
- RPT Sent—Number of Report packets sent on this COPS session
- DRQ Sent—Number of Delete Requests sent on this COPS session
- SSQ Rcv—Number of Synch Requests received on this COPS session
- OPN Sent—Number of Open messages sent on this COPS session
- CAT Rcv—Number of Client Accepts packets received on this COPS session
- CC Sent—Number of Client Closes packets sent on this COPS session
- CC Rcv—Number of Client Closes packets received on this COPS session
- SSC Sent—Number of Sync Complete packets sent on this COPS session
host1#show cops statistics
General Cops Information:
Sessions Created: 0
Sessions Deleted: 0
Current Sessions: 0
Bytes Received: 1108
Packets Received: 12
Bytes Sent: 1572
Packets Sent: 18
Keep Alive Received: 2
Keep Alive Sent: 2
Session Information:
Client Type: 24754
Bytes Received: 2539032
Packets Received: 20388
Bytes Sent: 4386648
Packets Sent: 51337
REQ Sent: 21203
DEC Rcv: 20388
RPT Sent: 20391
DRQ Sent: 9743
SSQ Rcv: 0
OPN Sent: 0
CAT Rcv: 0
CC Sent: 0
CC Rcv: 0
SSC Sent: 0
show ip local alias
- Use to display information about aliases for the local address pools configured on your router.
- If you do not specify an alias, the router displays all aliases.
- Field descriptions
host1#show ip local alias
Alias   Pool
------  -----
alias1  poolA
alias2  poolB
alias3  poolC
poolA   poolD
poolB   poolD
poolC   poolD
show ip local pool
- Use to display information about the local address pools configured on your router.
- If you do not specify the name of a local address pool, the router displays all local address pools.
- Field descriptions
- Pool—User-specified name of the address pool
- High Thresh—High utilization threshold value
- Abated Thresh—Abated utilization threshold value
- Trap—Enable SNMP pool utilization traps: Y (yes) or N (no)
- Aliases—Aliases for the local address pool
- Begin—Starting IP address
- End—Ending IP address
- Free—Number of addresses available for use
- In Use—Number of addresses currently in use
host1#show ip local pool
       High    Abated
Pool   Thresh  Thresh  Trap  Group
-----  ------  ------  ----  -----
poolA  85      75      N
Aliases
-------
alias1
                           In
Begin     End        Free  Use
--------  ---------  ----  ---
10.1.1.1  10.1.1.10  10    0
10.1.2.1  10.1.2.10  10    0
10.1.3.1  10.1.3.10  10    0
       High    Abated
Pool   Thresh  Thresh  Trap  Group
-----  ------  ------  ----  -----
poolB  85      75      N
Aliases
-------
alias2
                           In
Begin     End        Free  Use
--------  ---------  ----  ---
10.2.1.1  10.2.1.10  10    0
10.2.2.1  10.2.2.10  10    0
       High    Abated
Pool   Thresh  Thresh  Trap  Group
-----  ------  ------  ----  -----
poolC  85      75      N
Aliases
-------
alias3
                           In
Begin     End        Free  Use
--------  ---------  ----  ---
10.3.1.1  10.3.1.10  10    0
       High    Abated
Pool   Thresh  Thresh  Trap  Group
-----  ------  ------  ----  -----
poolD  85      75      N
Aliases
-------
poolA
poolB
poolC
                            In
Begin     End         Free  Use
--------  ----------  ----  ---
10.4.1.1  10.4.1.255  255   0
show ip local pool statistics
- Use to display local address pool statistics.
- Use the optional delta keyword to specify that baselined statistics are to be shown.
- Example
host1#show ip local pool statistics
Local Address Pool Statistics
Statistic                          Values
---------------------------------  ------
Requests denied (pool exhaustion)  0
show ip local shared-pool
- Shared Pool—Name of the shared local address pool
- In Use—Number of addresses allocated
- Dhcp Pool—Name of the DHCP address pool
host1#show ip local shared-pool
Shared Pool   In Use  Dhcp Pool
-----------   ------  ---------
shared_poolA  253     dhcp_pool_25
shared_poolB  83      dhcp_pool_25
shared_poolC  99      dhcp_pool_17
show license b-ras
host1#show license b-ras
K4bZ16Lr
show radius algorithm
host1#show radius algorithm
direct
show radius override
- nas-ip-addr—Either the NAS-IP-Address [4] attribute is used, or it is overridden with the Tunnel-Client-Endpoint [66] attribute.
- nas-info—Either the NAS-IP-Address [4] and NAS-Identifier [32] attributes of the virtual router generating the accounting information are used, or they are overridden with the respective attributes of the authentication virtual router.
host1:vrXyz7#show radius override
nas-ip-addr: nas-ip-addr
nas-info: from authentication virtual router
show radius rollover-on-reject
host1#show radius rollover-on-reject
rollover-on-reject enabled
show radius servers
- Use to display RADIUS authentication and accounting server information.
- Use with the accounting, authentication, or dynamic-request keywords to limit output to the specific type of server.
- Field descriptions
- IP Address—IP address of authentication or accounting server
- UDP Port—Number of the UDP port of the authentication or accounting server
- Retry Count—Maximum number of times that the router retransmits a RADIUS packet to the authentication or accounting server
- Timeout—Interval (in seconds) before the router retransmits a RADIUS packet to the authentication or accounting server
- Maximum Sessions—The number of outstanding requests to the authentication or accounting server
- Dead Time—Amount of time to remove the authentication or accounting server from the available list when a timeout occurs
- Secret—Configured authentication or accounting server secret
host1#show radius servers
RADIUS Authentication Configuration
-----------------------------------
              UDP   Retry           Maximum   Dead
IP Address    Port  Count  Timeout  Sessions  Time  Secret
----------    ----  -----  -------  --------  ----  ------
10.10.0.40    1645  3      3        255       5     radius
192.168.23.4  1812  3      3        255       0     <null>
192.168.6.1   1812  3      3        255       0     <null>
RADIUS Accounting Configuration
-----------------------------------
              UDP   Retry           Maximum   Dead
IP Address    Port  Count  Timeout  Sessions  Time  Secret
----------    ----  -----  -------  --------  ----  ------
10.10.0.40    1646  3      3        255       5     radius
show radius statistics
- Use to display statistics on RADIUS authentication and accounting services.
- Use with the optional accounting, authentication, or dynamic-request keywords to limit output to the specific type of statistics.
- Use the optional delta keyword to specify that baselined statistics are to be shown.
- Field descriptions
NOTE: All descriptions apply to the primary, secondary, and tertiary RADIUS authentication and accounting servers.
- UDP Port—Number of the UDP port of a RADIUS server
- Round Trip Time—Hundreds of seconds from request to response
- Access Requests—Access requests sent to server
- Rollover Requests—Requests coming into server as a result of the previous server timing out
- Retransmissions—Retransmissions
- Access Accepts—Access-Accepts received from the server
- Access Rejects—Access-Rejects received from the server
- Access Challenges—Access challenges received from the server
- Malformed Responses—Responses with attributes having an invalid length or unexpected attributes (such as two attributes when the response is required to have at most one)
- Bad Authenticators—Authenticator in the response is incorrect for the matching request. This can occur if the RADIUS secret for the client and server does not match.
- Requests Pending—Requests waiting for a response
- Request Timeouts—Requests that timed out
- Unknown Responses—Unknown responses. The RADIUS response type in the header is invalid or unsupported.
- Packets Dropped—Packets dropped either because they are too short or the E-series router receives a response for which there is no corresponding request. For example, if the router sends a request and the request times out, the router removes the request from the list and sends a new request. If the server is slow and sends a response to the first request after the router removes the request, the packet is dropped.
- Requests—Total number of accounting requests received from the server
- Start Requests—Accounting start requests sent; includes Acct-On, Acct-Start, Acct-Link-State, and Acct-Tunnel-Start requests
- Interim Requests—Interim accounting requests
- Stop Requests—Accounting stop requests sent; includes Acct-Off, Acct-Stop, Acct-Link-Stop, and Acct-Tunnel-Stop requests
- Reject Requests—Accounting reject requests sent; includes Acct-Link-Reject and Acct-Tunnel-Reject requests
- Responses—Accounting responses received from the server
- Start Responses—Accounting start responses received; includes Acct-On, Acct-Start, Acct-Link-Start, and Acct-Tunnel-Start responses
- Interim Responses—Interim accounting responses
- Stop Responses—Accounting stop responses received; includes Acct-Off, Acct-Stop, Acct-Link-Stop, and Acct-Tunnel-Stop responses
- Reject Responses—Accounting reject responses received; includes Acct-Link-Reject and Acct-Tunnel-Reject responses
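Several of the counters described above point to a specific fault: Bad Authenticators to a shared-secret mismatch, Packets Dropped to short packets or late replies, Request Timeouts to an unresponsive server. The following Python script is an added example, not part of the JUNOSe documentation; it parses captured show radius statistics text laid out as in this section's example and reports every non-zero fault counter per server. The two-server sample capture is constructed, and the one-column-per-server layout is an assumption.

```python
import re

SECTION = re.compile(r"^RADIUS (Authentication|Accounting) Statistics$")

# Fault counters and the cause given in the field descriptions on this page.
WATCH = {
    "Bad Authenticators": "authenticator incorrect for the matching request; "
                          "RADIUS secret may not match on client and server",
    "Malformed Responses": "attribute with invalid length or unexpected attribute",
    "Unknown Responses": "response type in the header invalid or unsupported",
    "Packets Dropped": "packet too short, or response with no matching request",
    "Request Timeouts": "requests that timed out",
}


def parse_radius_statistics(text):
    """Return {section: {server_ip: {statistic: int}}} from captured output."""
    stats, section, servers = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", " "}:
            continue                      # blank line or dashed rule
        match = SECTION.match(line)
        if match:
            section, servers = match.group(1).lower(), []
            stats[section] = {}
            continue
        if section is None:
            continue                      # prompt line before the first table
        tokens = line.split()
        if tokens[0] == "Statistic":      # header row: one column per server
            servers = tokens[1:]
            stats[section] = {ip: {} for ip in servers}
            continue
        n = len(servers)
        if n == 0 or len(tokens) <= n:
            continue
        values = tokens[-n:]
        if not all(v.isdigit() for v in values):
            continue                      # not a counter row
        name = " ".join(tokens[:-n])
        for ip, value in zip(servers, values):
            stats[section][ip][name] = int(value)
    return stats


def findings(stats):
    """Return (section, server, counter, value, cause) for non-zero fault counters."""
    out = []
    for section, per_server in stats.items():
        for ip, counters in per_server.items():
            for name, cause in WATCH.items():
                value = counters.get(name, 0)
                if value > 0:
                    out.append((section, ip, name, value, cause))
    return out


# Constructed capture: second authentication server has a mismatched secret,
# the accounting server has timed out three times.
SAMPLE = """\
host1#show radius statistics
RADIUS Authentication Statistics
--------------------------------
Statistic            10.10.121.128  10.10.121.129
-------------------  -------------  -------------
UDP Port             1812           1812
Access Requests      40             12
Rollover Requests    0              12
Access Accepts       36             0
Access Rejects       4              0
Malformed Responses  0              0
Bad Authenticators   0              12
Request Timeouts     0              0
Unknown Responses    0              0
Packets Dropped      0              0
RADIUS Accounting Statistics
----------------------------
Statistic            10.10.121.128
-------------------  -------------
UDP Port             1646
Requests             1
Retransmissions      3
Responses            1
Bad Authenticators   0
Request Timeouts     3
Packets Dropped      0
"""

if __name__ == "__main__":
    for section, ip, name, value, cause in findings(parse_radius_statistics(SAMPLE)):
        print(f"{section} {ip}: {name}={value} ({cause})")
```

Because these counters are cumulative, run the check against output taken with the delta keyword after baselining so that only new events are reported.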
host1#show radius statistics
RADIUS Authentication Statistics
--------------------------------
Statistic            10.10.121.128
-------------------  -------------
UDP Port             1812
Round Trip Time      0
Access Requests      0
Rollover Requests    0
Retransmissions      0
Access Accepts       0
Access Rejects       0
Access Challenges    0
Malformed Responses  0
Bad Authenticators   0
Requests Pending     0
Request Timeouts     0
Unknown Responses    0
Packets Dropped      0
RADIUS Accounting Statistics
----------------------------
Statistic            10.10.121.128
-------------------  -------------
UDP Port             1646
Round Trip Time      2
Requests             1
Start Requests       1
Interim Requests     0
Stop Requests        0
Reject Requests      0
Rollover Requests    0
Retransmissions      3
Responses            1
Start Responses      1
Interim Responses    0
Stop Responses       0
Reject Responses     0
Malformed Responses  0
Bad Authenticators   0
Requests Pending     0
Request Timeouts     3
Unknown Responses    0
Packets Dropped      0
show radius trap
host1#show radius trap
trap for auth-server-not-responding enabled
trap for no-auth-server-responding disabled
trap for auth-server-responding enabled
trap for acct-server-not-responding enabled
trap for no-acct-server-responding disabled
trap for acct-server-responding disabled
show radius tunnel-accounting
host1#show radius tunnel-accounting
disabled
show radius udp-checksum
host1#show radius udp-checksum
enabled
show radius update-source-addr
host1#show radius update-source-address
192.168.1.228
show sscc info
- Use to display the current status of the SDX client connection to the SDX servers. The command output refers to the SDX client by its former name, SSC client.
- Field descriptions
- The SSC client configured servers—IP addresses of the primary, secondary, and tertiary SDX client servers
- Local Source—Fixed source interface for the TCP/COPS connection
- Local Source Address—Fixed source address for the TCP/COPS connection
- The configured transport router is—Router on which the TCP/COPS connection is established
- The configured retry timer is (seconds)—Delay period the client waits for a response from the SDX server before submitting the request again
- The connection state is—Current state of the TCP/COPS connection
- SSC Client Statistics—Statistics about the connection between the SDX client and SDX server
- Policy Commands received—Number of policy commands received on the SDX client connection
- Policy Commands(List)—Number of Policy Commands with subtype List
- Policy Commands(Acct)—Number of Policy Commands with subtype Accounting
- Bad Policy Cmds received—Number of Policy Commands received with bad policies
- Error Policy Cmds received—Number of Policy Commands received with errors
- Policy Reports sent—Number of Policy Reports sent
- Connection Open requests—Number of connections the SDX client has tried to open with a remote SDX server
- Connection Open completed—Number of connections successfully open to the SDX server
- Connection Closed sent—Number of connections the SDX client has closed
- Connection Closed remotely—Number of connections that were closed by the remote SDX server
- Create Interfaces sent—Number of create interface indications sent to the SDX server
- Delete Interfaces sent—Number of delete interface indications sent to the SDX server
- Active IP Interfaces—Current number of active IP interfaces the SDX client is aware of
- IP Interface Transitions—Number of IP interface transitions logged by the SDX client
- Synchronizes received—Number of synchronization requests the SDX client received from the SDX server
- Synchronize Complete sent—Number of synchronization complete indications sent
- Internal Errors—Number of internal errors
- Communication Errors—Number of errors with lower-layer communications (such as socket errors)
host1#show sscc info
The SSC Client is currently unconnected
The SSC Client configured servers are:
Primary: 10.10.2.2:3
Secondary: 0.0.0.0:0
Tertiary: 0.0.0.0:0
Local Source: FastEthernet 0/0, Local Source Address: 10.13.5.61
The configured transport router is: default
The configured retry timer is (seconds): 90
The connection state is: NoConnection
SSC Client Statistics:
Policy Commands received 0
Policy Commands(List) 0
Policy Commands(Acct) 0
Bad Policy Cmds received 0
Error Policy Cmds received 0
Policy Reports sent 0
Connection Open requests 0
Connection Open completed 0
Connection Closed sent 0
Connection Closed remotely 0
Create Interfaces sent 0
Delete Interfaces sent 0
Active IP Interfaces 2
IP Interface Transitions 0
Synchronizes received 0
Synchronize Complete sent 0
Internal Errors 0
Communication Errors 0
Tokens Seen 0
Active Tokens 0
Token Transitions 0
Token Creates Sent 0
Token Deletes Sent 0
Active Addresses 0
Address Transitions 0
Create Addresses Sent 0
Delete Addresses Sent 0
Authentication Successes 0
Authentication Failures 0
show sscc statistics
- Use to display statistics about the connection between the SDX client and SDX server. The command output refers to the SDX client by its former name, SSC client.
- Field descriptions
- Policy Commands received—Number of policy commands received on the SDX client connection
- Policy Commands(List)—Number of Policy Commands with subtype List
- Policy Commands(Acct)—Number of Policy Commands with subtype Accounting
- Bad Policy Cmds received—Number of Policy Commands received with bad policies
- Error Policy Cmds received—Number of Policy Commands received with errors
- Policy Reports sent—Number of Policy Reports sent
- Connection Open requests—Number of connections the SDX client has tried to open with a remote SDX server
- Connection Open completed—Number of connections successfully open to the SDX server
- Connection Closed sent—Number of connections the SDX client has closed
- Connection Closed remotely—Number of connections that were closed by the remote SDX server
- Create Interfaces sent—Number of create interface indications sent to the SDX server
- Delete Interfaces sent—Number of delete interface indications sent to the SDX server
- Active IP Interfaces—Current number of active IP interfaces the SDX client is aware of
- IP Interface Transitions—Number of IP interface transitions logged by the SDX client
- Synchronizes received—Number of synchronization requests the SDX client received from the SDX server
- Synchronize Complete sent—Number of synchronization complete indications sent
- Internal Errors—Number of internal errors
- Communication Errors—Number of errors with lower-layer communications (such as socket errors)
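The counters described above are easier to act on when two polls are compared instead of reading one snapshot. The following Python sketch is an added example, not part of the Juniper documentation: both snapshots are constructed in the layout of the show sscc statistics output, and the set of watched counters, the treatment of the counters as running totals, and the function names are assumptions.

```python
import re

# Counters whose growth between polls deserves a look (this selection is an assumption).
WATCH = ("Bad Policy Cmds received", "Error Policy Cmds received",
         "Connection Closed remotely", "Internal Errors", "Communication Errors")

# Constructed snapshots in the layout of "show sscc statistics" (values are made up).
EARLIER = """\
SSC Client Statistics:
Policy Commands received 12
Bad Policy Cmds received 0
Connection Open requests 2
Connection Open completed 2
Connection Closed remotely 1
Communication Errors 0
"""
LATER = """\
SSC Client Statistics:
Policy Commands received 12
Bad Policy Cmds received 3
Connection Open requests 7
Connection Open completed 2
Connection Closed remotely 5
Communication Errors 4
"""

def parse_counters(text):
    """Return {label: value} for every line that ends in an integer counter."""
    counters = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\S.*?)\s+(\d+)\s*", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def compare(earlier, later):
    """List findings from two polls of the counters."""
    def grew(name):
        return later.get(name, 0) - earlier.get(name, 0)
    findings = []
    for name in WATCH:
        if grew(name) < 0:
            findings.append(f"{name}: counter went backwards, treat as a reset")
        elif grew(name) > 0:
            findings.append(f"{name}: +{grew(name)}")
    tried, done = grew("Connection Open requests"), grew("Connection Open completed")
    if tried > 0 and done < tried:
        findings.append(f"{tried - done} of {tried} connection open requests did not complete")
    return findings
```

Feed it the text captured from two runs of the command; a poll whose watched counters are lower than the previous one is reported as a reset instead of a negative delta.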
host1#show sscc statistics
SSC Client Statistics:
Policy Commands received 0
Policy Commands(List) 0
Policy Commands(Acct) 0
Bad Policy Cmds received 0
Error Policy Cmds received 0
Policy Reports sent 3
Connection attempts 7
Connection Open requests 7
Connection Open completed 0
Connection Closed sent 0
Connection Closed remotely 5
Create Interfaces sent 0
Delete Interfaces sent 3
Active IP Interfaces 3282
IP Interface Transitions 3281
Synchronizes received 0
Synchronizes rcvd & droped 0
Synchronize Complete sent 2
Internal Errors 0
Communication Errors 0
Discovers Seen 15263
Active Discovers 4911
Discover Transitions 20704
Discover Creates Sent 15263
Discover Deletes Sent 10352
Active Addresses 3274
Address Transitions 3280
Create Addresses Sent 3277
Delete Addresses Sent 3
show sscc version
host1#show sscc version
The SSC Client version is: 4.0
show subscribers
- Use to display the active subscribers on the router.
- If you specify a username, the router displays only the users that match.
- When you issue the command in the default VR, all users are displayed. When you issue the command in a nondefault VR, only those users attached to that VR are displayed.
- You can use the domain, interface, port, slot, username, or virtual-router keywords on all routers to filter the results. If you do not use a keyword, all active users are displayed.
- When you use the interface keyword to display detailed subscriber information by interface, you must also specify either the atm or ethernet keyword, an interface specifier, and optionally a subinterface specifier.
- The output displayed in the interface field depends on the configuration of two commands at the time the subscriber logs in: aaa intf-desc-format include sub-intf and aaa intf-desc-format include adapter (for the E320 router).
When the aaa intf-desc-format include sub-intf disable command has been issued, the subinterface is stripped from the subscriber's interface field at login and is not displayed in the output. In the default state, or when the aaa intf-desc-format include sub-intf enable command has been issued, the subinterface is included in the subscriber's interface field at login, and is displayed in the output.
When the aaa intf-desc-format include adapter disable command has been issued, the adapter is stripped from the subscriber's interface field at login and is not displayed in the output. In the default state, or when the aaa intf-desc-format include adapter enable command has been issued, the adapter is included in the subscriber's interface field at login and is displayed in the output.
Even when the subinterface has been stripped from the subscriber's interface field, you can still include the subinterface specifier in the show subscribers interface command. Even though the subinterface itself is not displayed, only subscribers on the specified subinterface are displayed.
These considerations do not apply when you issue the summary keyword. The output displayed in the Interface field of summary versions is not affected by the state of either the aaa intf-desc-format include sub-intf command or the aaa intf-desc-format include adapter command when the subscriber logs in.
- You can use the ipv6 keyword to display all IPv6 subscribers or include the IPv6 prefix to limit the display to only IPv6 subscribers on a specific network.
- You can use the summary keyword to display only summary information about active subscribers.
- Field descriptions
- User Name—Name of the subscriber
- Type—Type of subscriber: atm, ip, ipsec, ppp, tnl (tunnel), tst (test)
- Addr | Endpt—IP or IPv6 address and source of the address: l2tp, local, dhcp, radius, user. For local, dhcp, radius, and user endpoints, the address is that of the user. When the endpoint is l2tp, the address is that of the LNS.
- Virtual Router—Name of the virtual router context
- Interface—Interface specifier over which the subscriber is connected
- Login Time—Date, in YY/MM/DD format, and time the subscriber logged in
- Circuit Id—User circuit ID value specified by PPPoE
- Remote Id—User remote ID value specified by PPPoE
- Total Subscribers—Number of active subscribers, chassis-wide
- Peak Subscribers—Maximum value of the Total Subscribers field during the time the router has been active, chassis-wide
- Subscribers—Number of subscribers; the sum of the Ppp and Ip fields
- Ppp—Number of PPPoA and PPPoE users, combined
- Ip—Number of DHCP and IP subscriber manager users, combined
- Tnl—Number of users tunneled to an LNS
- Total—Total number of users per virtual router; the sum of the Ppp, Ip, and Tnl fields
- Domain Name—Domain name used by the subscriber
- Count—Number of subscribers
- Slot—Number of slot in the chassis
host1#show subscribers
                        Subscriber List
                        ----------------
                                                   Virtual
       User Name        Type       Addr|Endpt      Router
----------------------- ----- -------------------- ------------
fred                    tst   10.10.65.86/radius   default
bert                    tst   192.168.10.3/user    default
       User Name                    Interface
----------------------- --------------------------------
fred                    atm 2/1.42:100.104
bert                    FastEthernet 5/2.4
       User Name            Login Time         Circuit Id
----------------------- ------------------- ----------------
fred                    06/05/12 10:58:42   atm 5/1.3
bert                    06/05/12 10:59:08
       User Name           Remote Id
----------------------- ----------------
fred
bert                    (800) 555-1212

host1#show subscribers interface ethernet 5/2
                        Subscriber List
                        ---------------
                                                    Virtual
       User Name         Type       Addr|Endpt      Router
------------------------ ----- -------------------- ------------
bert                     tst   192.168.10.3/user    default
       User Name                     Interface
------------------------ --------------------------------
bert                     FastEthernet 5/2.4
       User Name             Login Time         Circuit Id
------------------------ ------------------- ----------------
bert                     06/05/12 10:59:08
       User Name           Remote Id
----------------------- ----------------
bert                    (800) 555-0000

host1#show subscribers slot 5
                        Subscriber List
                        ---------------
                                                    Virtual
       User Name         Type       Addr|Endpt      Router
------------------------ ----- -------------------- ------------
fred                     tst   10.10.65.86/radius   default
       User Name                     Interface
------------------------ --------------------------------
fred                     atm 5/1.42:100.104
       User Name             Login Time         Circuit Id
------------------------ ------------------- ----------------
fred                     06/05/12 10:58:42   atm 5/1.3
       User Name           Remote Id
----------------------- ----------------
fred
- Example 4—Shows the number of subscribers on each virtual router, as well as the total and peak subscribers for the chassis
host1#show subscribers summary
Virtual
Router       Subscribers  Ppp    Ip     Tnl    Total
------------ ------------ ------ ------ ------ ------
default      1            1      0      0      1
Total Subscribers : 10 (chassis-wide total)
Peak Subscribers : 15 (chassis-wide total)
- Example 5—Shows the number of subscribers on each port
host1#show subscribers summary port
Interface    Count
------------ ------
3/1          5
2/1          5
Total Subscribers : 10 (chassis-wide total)
Peak Subscribers : 15 (chassis-wide total)
- Example 6—Shows the number of subscribers by domain name
host1#show subscribers summary domain
Domain Name                      Count
-------------------------------- ------
abc.com                          5
iii.com                          5
Total Subscribers : 10 (chassis-wide total)
Peak Subscribers : 15 (chassis-wide total)
- Example 7—Shows the number of subscribers by interface
host1#show subscribers summary interface
Interface            Count
-------------------- ------
ATM 3/2.1            1
ETHERNET 5/2.1       2
Total Subscribers : 3 (chassis-wide total)
Peak Subscribers : 6 (chassis-wide total)
- Example 8—Shows the number of subscribers by slot
host1#show subscribers summary slot
Slot     Count
-------- -----
3        1
5        4
Total Subscribers : 5 (chassis-wide total)
Peak Subscribers : 8 (chassis-wide total)
show terminate-code
- Apps—The application generating the terminate reason; AAA, L2TP, PPP, or RADIUS client
- Terminate Reason—The application's terminate reason
- Description—The terminate reason
- Radius Code—The RADIUS Acct-Terminate-Cause code to which the application's terminate reason is mapped
- Example 1—Specifies the radius keyword to display all current terminate reasons mapped to RADIUS Acct-Terminate-Cause codes. This command lists all PPP mappings, followed by L2TP mappings, and then AAA mappings.
host1(config)#run show terminate-code radius
                                                                Radius
  Apps         Terminate Reason             Description          Code
--------- -------------------------- -------------------------- ------
ppp       authenticate-authenticator authenticate authenticator 17
          -timeout                   timeout
ppp       authenticate-challenge-tim authenticate challenge tim 10
          eout                       eout
ppp       authenticate-chap-no-resou authenticate chap no resou 10
          rces                       rces
ppp       authenticate-chap-peer-aut authenticate chap peer aut 17
          henticator-timeout         henticator timeout
ppp       authenticate-deny-by-peer  authenticate deny by peer  17
ppp       authenticate-inactivity-ti authenticate inactivity ti 4
          meout                      meout
ppp       authenticate-max-requests  authenticate max requests  10
--More--
- Example 2—Specifies the radius keyword and a RADIUS Acct-Terminate-Cause code to display all terminate reasons mapped to the specified terminate code. The following example uses radius 4 as the terminate code.
host1(config)#run show terminate-code radius 4
                                                                Radius
  Apps         Terminate Reason             Description          Code
--------- -------------------------- -------------------------- ------
ppp       authenticate-inactivity-ti authenticate inactivity ti 4
          meout                      meout
l2tp      session-timeout-inactivity session timeout inactivity 4
- Example 3—Specifies an application to show all current mappings for the particular application's terminate reasons. This example uses aaa as the application.
host1(config)#run show terminate-code aaa
                                                                Radius
  Apps         Terminate Reason             Description          Code
--------- -------------------------- -------------------------- ------
aaa       deny-server-not-available  deny server not available  17
aaa       deny-server-request-timeou deny server request timed  17
          t                          out
aaa       deny-authentication-failur deny authentication failur 17
          e                          e from server
aaa       deny-address-assignment-fa deny address assignment fa 17
          ilure                      ilure
aaa       deny-address-allocation-fa deny address allocation fa 17
          ilure                      ilure
aaa       deny-no-address-allocation deny insufficient resource 17
          -resources                 s for address allocation
aaa       deny-unknown-subscriber    deny no such server entry  17
aaa       deny-no-resources          deny no resources availabl 10
                                     e
--More--
- Example 4—Specifies an application and terminate reason to show the mapping for a specific terminate reason. This example uses l2tp as the application and session-access-interface-down as the terminate reason.
host1(config)#run show terminate-code l2tp session-access-interface-down
                                                             Radius
                Terminate Reason Description                  Code
------------------------------------------------------------ ------
session access interface down                                8
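The terminate-code tables wrap long cells onto a continuation line, so a script that consumes them has to rejoin each entry before it can group reasons by RADIUS code. The following Python sketch is an added example, not part of the Juniper documentation: the sample is constructed after Example 3, and the function names and the rule for joining hard-wrapped cells are assumptions drawn from the layout shown on this page.

```python
import re
from collections import defaultdict

WIDTHS = (9, 26, 26, 6)  # column widths of the page's dashed ruler

def _row(*cells):  # lay cells out in fixed-width columns, as the CLI table does
    return " ".join(c.ljust(w) for c, w in zip(cells, WIDTHS)).rstrip()

# Constructed sample modelled on the page's "show terminate-code aaa" example.
SAMPLE = "\n".join([
    _row("Apps", "Terminate Reason", "Description", "Code"),
    _row(*("-" * w for w in WIDTHS)),
    _row("aaa", "deny-server-not-available", "deny server not available", "17"),
    _row("aaa", "deny-server-request-timeou", "deny server request timed", "17"),
    _row("", "t", "out"),
    _row("aaa", "deny-authentication-failur", "deny authentication failur", "17"),
    _row("", "e", "e from server"),
    _row("aaa", "deny-no-resources", "deny no resources availabl", "10"),
    _row("", "", "e"),
    "--More--",
])

def parse_terminate_codes(text):
    """Parse the table, rejoining cells the CLI wrapped onto a second line."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if re.fullmatch(r"-+( -+)+", l))
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    rows = []
    for line in lines[ruler + 1:]:
        if not line.strip() or line.startswith("--More--"):
            continue  # blank line or pager prompt
        # Pad each slice to full width: a trailing blank is the space before the wrapped word.
        app, reason, desc, code = (line[s:e].ljust(e - s) for s, e in spans)
        if app.strip():  # text in the Apps column starts a new entry
            rows.append({"app": app.strip(), "reason": reason.strip(),
                         "description": desc, "code": int(code)})
        elif rows:  # empty Apps column: continuation of the previous entry
            rows[-1]["reason"] += reason.strip()
            rows[-1]["description"] += desc
    for row in rows:
        row["description"] = row["description"].strip()
    return rows

def reasons_by_code(rows):
    """Group terminate reasons under the Acct-Terminate-Cause code they map to."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["code"]].append(f"{row['app']}:{row['reason']}")
    return dict(groups)
```

Grouping makes one property of the mappings in Example 3 visible: an authentication failure and an unavailable server both map to code 17, so an accounting stop record carrying that code does not by itself tell a rejected login from a server outage.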