Configuring Router to Mirror Users Already Logged In

When a mirroring operation is initiated for a user who is already logged in (RADIUS-initiated mirroring), the RADIUS server uses change-of-authorization messages and passes the required RADIUS attributes and the identifier of the currently running session to the E Series router. The router uses this information to create the secure policy and attaches it to the interface that is created for the user. The E Series router must be configured to accept change-of-authorization messages from the RADIUS server.

  1. Specify the RADIUS dynamic-request server that sends change-of-authorization messages to the router, and enter RADIUS configuration mode.
    host1(config)#radius dynamic-request server
  2. Specify the UDP port used to communicate with the RADIUS server.
    host1(config-radius)#udp-port 3799
  3. Create the key used to communicate with the RADIUS server.
    host1(config-radius)#key mysecret
  4. Configure the router to receive change-of-authorization messages from the RADIUS server.
    host1(config-radius)#authorization changehost1(config-radius)#exit host1(config)#exit
  5. Verify your RADIUS-initiated mirroring configuration.
    host1#show radius dynamic-request servers
                   RADIUS Request Configuration
                    Udp                      Of
     IP Address     Port   Disconnect   Authorization   Secret
    -------------   ----   ----------   -------------   ------      3799   enabled      enabled         mysecret
  6. Configure the analyzer interface to send the mirrored traffic to the analyzer device.
    host1(config)#interface fastEthernet 4/0 host1(config-if)#ip analyzer

    Alternatively, for increased security, create the analyzer interface at one end of an IPSec tunnel to the analyzer device.

    host1(config)# interface tunnel ipsec:mirror3 transport-virtual-router default host1(config-if)#ip analyzer host1(config-if)#exit host1(config)#ip route tunnel ipsec:mirror3

Related Documentation