RADIUS server (for example, Cisco Access Registrar), at either the customer or service-provider site, can be used to authenticate and authorize remote-access clients. Customer-managed RADIUS servers typically store per-user information (such as user authentication). At the service-provider site, a RADIUS server can store all AAA and configuration information, or the information can be split across two servers.
The RADIUS-based start-stop IPsec accounting feature provides client accounting records that can be used for billing purposes. The accounting records use the VRF ID to provide VPN identification information in the accounting records. Some of the attributes include the client username, IP address, session time, and session byte and packet counts. A session constitutes all IPsec transmissions for a particular user or device.
http://www.cisco.com/en/US/netsol/ns341/ns396/ns172/ns334/networking_solutions_white_paper09186a008017dc5e.shtml