    Configuring Router to Mirror Users Already Logged In

    When a mirroring operation is initiated for a user who is already logged in (RADIUS-initiated mirroring), the RADIUS server uses change-of-authorization messages and passes the required RADIUS attributes and the identifier of the currently running session to the E Series router. The router uses this information to create the secure policy and attaches it to the interface that is created for the user. The E Series router must be configured to accept change-of-authorization messages from the RADIUS server.

    1. Specify the RADIUS dynamic-request server that sends change-of-authorization messages to the router, and enter RADIUS configuration mode.
      host1(config)#radius dynamic-request server 192.168.11.0
    2. Specify the UDP port used to communicate with the RADIUS server.
      host1(config-radius)#udp-port 3799
    3. Create the key used to communicate with the RADIUS server.
      host1(config-radius)#key mysecret
    4. Configure the router to receive change-of-authorization messages from the RADIUS server.
      host1(config-radius)#authorization change
      host1(config-radius)#exit
      host1(config)#exit
    5. Verify your RADIUS-initiated mirroring configuration.
      host1#show radius dynamic-request servers
      
                     RADIUS Request Configuration
                     ----------------------------
                                             Change
                      Udp                      Of
       IP Address     Port   Disconnect   Authorization   Secret
      -------------   ----   ----------   -------------   ------
       10.10.3.4      3799   enabled      enabled         mysecret
    6. Configure the analyzer interface to send the mirrored traffic to the analyzer device.
      host1(config)#interface fastEthernet 4/0
      host1(config-if)#ip analyzer

      Alternatively, for increased security, create the analyzer interface at one end of an IPSec tunnel to the analyzer device.

      host1(config)#interface tunnel ipsec:mirror3 transport-virtual-router default
      host1(config-if)#ip analyzer
      host1(config-if)#exit
      host1(config)#ip route 192.168.99.2 255.255.255.255 tunnel ipsec:mirror3
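The verification step above only prints the table; an auditor usually wants to check it against an expected list, because every server in it may send change-of-authorization messages that create mirroring policies. The following added example (not Juniper code) parses output shaped like the `show radius dynamic-request servers` table and flags servers that are not on the allow list, have CoA disabled, use an unexpected UDP port, or carry a short shared secret. The sample output, the second server row and the 16-character minimum secret length are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `show radius dynamic-request servers`;
# the second row is an assumed extra server, not from the page.
SAMPLE_OUTPUT = """\
             RADIUS Request Configuration
             ----------------------------
                                     Change
              Udp                      Of
 IP Address     Port   Disconnect   Authorization   Secret
-------------   ----   ----------   -------------   ------
 10.10.3.4      3799   enabled      enabled         mysecret
 10.10.3.9      1700   enabled      disabled        changeme
"""

# One data row: IPv4 address, UDP port, two enabled/disabled flags, secret.
ROW_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"(?P<disconnect>\S+)\s+(?P<coa>\S+)\s+(?P<secret>\S+)\s*$"
)


@dataclass
class DynamicRequestServer:
    ip: str
    udp_port: int
    disconnect: bool
    change_of_authorization: bool
    secret: str


def parse_dynamic_request_servers(text):
    """Return the data rows of the table; header and rule lines never match ROW_RE."""
    servers = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            servers.append(DynamicRequestServer(
                ip=m["ip"], udp_port=int(m["port"]),
                disconnect=m["disconnect"] == "enabled",
                change_of_authorization=m["coa"] == "enabled",
                secret=m["secret"]))
    return servers


def audit_coa_servers(servers, expected_ips, coa_port=3799, min_secret_len=16):
    """Return a list of findings; an empty list means the configuration matches."""
    findings = []
    seen = {s.ip for s in servers}
    findings += [f"{ip}: not configured as a dynamic-request server"
                 for ip in expected_ips if ip not in seen]
    for s in servers:
        if s.ip not in expected_ips:
            findings.append(f"{s.ip}: unexpected server allowed to send CoA messages")
        if not s.change_of_authorization:
            findings.append(f"{s.ip}: authorization change not enabled")
        if s.udp_port != coa_port:
            findings.append(f"{s.ip}: UDP port {s.udp_port}, expected {coa_port}")
        if len(s.secret) < min_secret_len:
            findings.append(f"{s.ip}: shared secret shorter than {min_secret_len} characters")
    return findings
```

Note that the `show` output prints the shared secret in cleartext, so treat captured output with the same care as the configuration itself.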

    Published: 2014-08-14