user-trace enable

By default, the mobile phone user source tracing function is disabled.

When a user accesses the Internet with a mobile phone, the user must be authenticated by the RADIUS server. After that, the access device and RADIUS server start to exchange accounting packets. The FW parses the RADIUS accounting packet through the RADIUS SSO function, obtains the mapping between the IP address and mobile phone number, and records it in the user source tracing table. When the FW sends a session log (in either binary or syslog format) to the log server, the FW queries the user source tracing table to obtain the mobile phone number corresponding to the source IP address and uses it as the value of the user field in the log to trace the source of the user. If the mobile phone number corresponding to the source IP address fails to be obtained, the session log does not contain the mobile phone number.

To enable the mobile phone user source tracing function, in addition to running the user-trace enable command, you must also run the enable command to enable the RADIUS SSO function.

When the FW receives the RADIUS accounting stop packet, the FW deletes the corresponding entry from the user source tracing table.

After you enable this function, the common RADIUS SSO function becomes unavailable. That is, users cannot log on in the online user list, and the FW cannot perform user-specific policy control. In this case, the FW resolves only the mobile phone number, IPv4 address in the RADIUS accounting packet and enables the user to log on in the user source tracing table. The FW resolves various attributes in the RADIUS accounting packet to obtain the preceding information.

The user source tracing table does not support hot standby. Therefore, both the active and standby devices shall obtain the RADIUS accounting packet.

After this function is enabled and the user-trace ipv6prefix command is run, in addition to resolving the mobile phone number, IPv4 address, the FW also resolves the IPv6 address prefix.