Table Of Contents

Configuring the RADIUS Listener LEG

Information About Configuring the General Settings

[Radius Listener] Section

Example

Configuring RADIUS Attributes Mapping

Mapping of RADIUS Attribute to Subscriber ID

Mapping of RADIUS Attribute to Subscriber Package

Mapping of RADIUS Attribute to Subscriber IP Address

Configuring the NAS Devices

Configuring the NAS Devices: Example


Configuring the RADIUS Listener LEG


This module describes the configuration procedure for the RADIUS Listener LEG.

The RADIUS Listener LEG is configured using the SM configuration file p3sm.cfg, which resides in the sm-inst-dir/sm/server/root/config directory (sm-inst-dir refers to the SM installation directory).

The configuration file consists of sections headed by a bracketed section title; for example, [Radius.Subscriber ID]. Each section consists of several parameters having the format parameter=value. The number sign ("#") at the beginning of a line signifies that it is a remark.

The general RADIUS Listener LEG configuration settings reside in the [Radius Listener] section. All additional RADIUS Listener LEG sections start with the prefix "Radius.", such as [Radius.NAS.nas1], and they are defined initially as remark lines.

Information About Configuring the General Settings

[Radius Listener] Section

The [Radius Listener] section in the SM configuration file contains the following parameters:

start

Defines whether the SM should run the RADIUS Listener at startup.

Possible values for this parameter are yes and no. The default value is no.

accounting_port

Defines the RADIUS Listener accounting port number.

The default value is 1813.

ip

The IP address to which the RADIUS listener should bind. Use this parameter only in cases where the IP address used for RADIUS transactions is not the main IP address of the SM machine (for example, in an SM cluster).

Possible values are any IP address in dotted notation. The default value is not set.

packet_types

Defines the RADIUS protocol packet types to analyze.

Possible values are accounting-start, accounting-interim, and accounting-stop, separated by commas.

The default value is accounting-start,accounting-interim,accounting-stop.

Example

The following example is a portion of a configuration file illustrating the [Radius Listener] section:

    [Radius Listener]
    # The following parameter defines whether the SM should
    # run the RADIUS Listener at startup.
    # Receives the values: yes, no. (default no)
    start=no
    # accounting port number (default 1813)
    accounting_port=1813
    # RADIUS packet types
    packet_types=accounting-start,accounting-interim,accounting-stop

Configuring RADIUS Attributes Mapping

Mapping of RADIUS Attribute to Subscriber ID


Note: The configuration described in this section is optional.


The subscriber ID is usually put in the User-Name RADIUS attribute. However, in certain installations, it is possible to use a different RADIUS attribute. For example, in wireless environments, it is possible to use the 3GPP-IMSI or the 3GPP2-IMSI attributes. The default is to use the User-Name attribute.

To define which attribute to use for the subscriber ID, configure the following parameters in the [Radius.Subscriber ID] section:

radius_attribute

Configure the radius_attribute parameter with the RADIUS attribute number. Enter the value of 26 for Vendor Specific Attributes (VSA).

radius_attribute_type

Configure the radius_attribute_type parameter according to the RADIUS attribute format.

Possible values for this parameter are integer and string. The default value is integer.

The following is an example configuration file illustrating how to configure the subscriber ID assignment option. In this example, the User-Name attribute is assigned to the subscriber ID:

    [Radius.Subscriber ID]
    # RADIUS protocol attribute number
    radius_attribute=1
    # the type of the attribute (type "integer" or "string")
    radius_attribute_type = string

Configuring the Vendor Specific Attribute (VSA)

1. Set the radius_attribute parameter to 26.

2. Set the radius_attribute_vendor_id parameter with the VSA vendor ID.

3. Set the radius_sub_attribute parameter with the specific sub-attribute value.

Configuring a Vendor Specific Attribute: Example

The following is an example configuration file illustrating how to configure the subscriber ID assignment option. In this example, the 3GPP_IMSI vendor-specific attribute is assigned to the subscriber ID:

    [Radius.Subscriber ID]
    # in case of a vendor specific attribute (VSA)
    # when the 'radius_attribute' is set to 26
    # configuration for 3GPP_IMSI
    radius_attribute = 26
    radius_attribute_vendor_id=10415
    radius_sub_attribute=1
    # the type of the attribute (type "integer" or "string")
    radius_attribute_type = string

Configuring Stripping of the Attribute Value

It is possible to configure the RADIUS listener to strip a RADIUS attribute based on a selected character. This provides a convenient method for obtaining the subscriber ID from a prefix or a suffix of an attribute value.

For example, you can obtain the subscriber ID from the User-Name attribute value subscriber@domain-name by stripping the characters from the "at" sign (@) onward, which leaves subscriber.

To configure stripping, set the strip_type parameter to either remove_suffix or remove_prefix, and set the strip_character parameter to the character up to which, or from which, you want to strip characters.

Configuring Stripping of the Attribute Value: Example

The following is an example configuration file illustrating how to configure the stripping of an attribute value:

    [Radius.Subscriber ID]
    # RADIUS protocol attribute number
    radius_attribute=1
    # the type of the attribute (type "integer" or "string")
    radius_attribute_type = string
    strip_character=@
    strip_type=remove_suffix

Mapping of RADIUS Attribute to Subscriber Package


Note: The configuration described in this section is optional.


Subscriber package configuration in the RADIUS Listener can be handled in any of the following ways:

Extract the data from a RADIUS attribute

Set a default value for all subscribers that log on via the RADIUS Listener

Do not set any package to the subscriber

Extracting Data from a RADIUS Attribute

The attribute configuration is performed in the same manner as described in Mapping of RADIUS Attribute to Subscriber ID.

Additionally, configure the following parameters:

use_default

Defines whether to use a default value if the attribute was not found.

Possible values for this parameter are true and false.

The default value is true.

default

Defines the default value to use if the attribute was not found.

There is no default value.


Note: This parameter must be set if the use_default parameter is set to true.


mapping_table

Defines a conversion table between the result of the attribute manipulation (e.g. after stripping), and the property value. The conversion is mandatory if the radius_attribute_type is string. The format of the mapping_table is <attribute-value>=<property-value>.

There is no default value.

Extracting Data from a RADIUS Attribute Example

The following example is a portion of a configuration file illustrating how to configure the subscriber package assignment option. In this example, a VSA is assigned to the subscriber package. Its prefix is stripped and the result is converted to integer type using a mapping table.

    [Radius.Property.Package]
    # the following is the configuration for using Vendor Specific Attributes (VSA)
    radius_attribute = 26
    radius_sub_attribute = 1
    radius_attribute_vendor_id = 5655
    # the type of the attribute (type "integer" or "string")
    radius_attribute_type = integer
    # strip the prefix
    strip_type=remove_prefix
    strip_character=@
    # this flag indicates whether to use default value
    # if the attribute was not found (when not mandatory)
    use_default = true
    # default property value
    default = 0
    # definition of mapping table
    mapping_table.gold=1
    mapping_table.silver=2
    mapping_table.bronze=3
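The stripping, mapping-table and default handling described above, as an added Python sketch (not Cisco's code). It assumes that stripping happens at the first occurrence of the strip character, that the character itself is removed, and that a value missing from the mapping table yields no package; the function and dictionary names are hypothetical.

```python
def strip_value(value, strip_type=None, strip_character=None):
    """Apply strip_type/strip_character to one attribute value."""
    if not strip_type or not strip_character or strip_character not in value:
        return value  # nothing to strip
    head, _, tail = value.partition(strip_character)  # split at first occurrence
    if strip_type == "remove_suffix":
        return head  # subscriber@domain-name -> subscriber
    if strip_type == "remove_prefix":
        return tail
    raise ValueError(f"unknown strip_type: {strip_type!r}")


def resolve_package(raw, cfg):
    """Return the package for one login, or None when no package is set.

    raw is the attribute value from the packet, or None if it was absent.
    """
    if raw is None:
        # Attribute not found: use_default (default true) decides.
        return cfg["default"] if cfg.get("use_default", True) else None
    value = strip_value(str(raw), cfg.get("strip_type"), cfg.get("strip_character"))
    table = cfg.get("mapping_table")
    if table:
        # Assumption: a value that is not in the table gets no package.
        return table.get(value)
    return int(value)


# Constructed configuration modelled on the [Radius.Property.Package] example.
PACKAGE_CFG = {
    "strip_type": "remove_prefix",
    "strip_character": "@",
    "use_default": True,
    "default": 0,
    "mapping_table": {"gold": 1, "silver": 2, "bronze": 3},
}
```

With use_default left at true, a packet that lacks the attribute is indistinguishable from one that was deliberately given the default package, so choose the default value with that in mind.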

Setting a Value for All Subscribers

Do not configure the RADIUS attribute parameters. However, set the use_default parameter to true and set the value of the default parameter as needed.

Not Setting Any Package to the Subscriber

Edit the [Radius.Property.Package] section so that all of its lines are remark lines. The number sign ("#") at the beginning of a line signifies a remark line.

Mapping of RADIUS Attribute to Subscriber IP Address

The subscriber IP address is normally based on the Framed-IP-Address attribute; however, it can also be based on a different RADIUS attribute. The default is to use the Framed-IP-Address attribute.

The following algorithm is applied to handle IP addresses in this LEG:

1. If the user configured an attribute from which to extract the IP, the LEG will look for that attribute in the packet. If the attribute exists, the LEG will use the attribute as the subscriber IP address.

2. If the attribute does not exist or is not configured, the LEG will look for the Framed-Route attributes; several Framed-Route attributes may exist. If any Framed-Route attributes exist, the LEG will use these attributes as the subscriber IP addresses.

3. If there are no Framed-Route attributes, the LEG will look for a Framed-IP-Address attribute and a Framed-IP-Netmask attribute. If a Framed-IP-Address attribute exists, the LEG will use this attribute as the subscriber IP address. If both the Framed-IP-Address and the Framed-IP-Netmask attributes exist, the operation is performed with the IP range represented by the IP address and the IP netmask.

4. Otherwise, the LEG will perform a login without the IP address.


Note: The configured attribute can be a regular RADIUS attribute or a VSA. The attribute can be encoded as an integer, in which case it is a single IP address. It can also be encoded as a string, in which case it is an IP-Address/IP-Range value: the value must be formatted as A.B.C.D/E or A.B.C.D.



Note: The supported format of the Framed-Route attribute is as described in RFC-2865. The attribute value must start with the route itself in the format A.B.C.D/E, followed by a space. Other values follow the space, but the LEG ignores these other values.
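The four-step lookup order above, written out as an added Python example (not the LEG's own code). The packet is modelled as a dictionary of attribute name to string values; the function names, the Custom-IP attribute name used when calling it, and the choice to reject a malformed Framed-Route with an error are assumptions.

```python
import ipaddress


def parse_framed_route(value):
    """Return the A.B.C.D/E route that starts a Framed-Route value."""
    route = value.split(" ", 1)[0]  # everything after the first space is ignored
    if "/" not in route:
        raise ValueError(f"Framed-Route does not start with A.B.C.D/E: {value!r}")
    return str(ipaddress.ip_network(route, strict=False))


def resolve_subscriber_ips(attrs, configured_attr=None):
    """Return the subscriber addresses/ranges for one packet as CIDR strings.

    attrs maps attribute name -> list of string values found in the packet.
    """
    # Step 1: the attribute named in [Radius.Subscriber IP Address], if present.
    if configured_attr and attrs.get(configured_attr):
        value = attrs[configured_attr][0]
        return [str(ipaddress.ip_network(value, strict=False))]
    # Step 2: every Framed-Route attribute in the packet.
    routes = attrs.get("Framed-Route", [])
    if routes:
        return [parse_framed_route(r) for r in routes]
    # Step 3: Framed-IP-Address, widened to a range when a netmask is present.
    addr = attrs.get("Framed-IP-Address", [])
    if addr:
        mask = attrs.get("Framed-IP-Netmask", [])
        target = f"{addr[0]}/{mask[0]}" if mask else addr[0]
        return [str(ipaddress.ip_network(target, strict=False))]
    # Step 4: login without an IP address.
    return []


# Constructed packet for illustration.
PACKET = {
    "Framed-Route": ["192.168.1.0/24 192.168.1.1 1", "10.1.0.0/16 10.1.0.1 1"],
    "Framed-IP-Address": ["172.16.0.9"],
    "Framed-IP-Netmask": ["255.255.255.0"],
}
```

For PACKET the two Framed-Route networks win over Framed-IP-Address, which is the precedence to keep in mind when a NAS sends both.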


To define which attribute to use for the subscriber IP address, configure the [Radius.Subscriber IP Address] section. To define the attribute to use, configure the following parameters:

radius_attribute

Configure the radius_attribute parameter with the RADIUS attribute number. Enter the value 26 for Vendor Specific Attributes (VSA).

radius_attribute_vendor_id

This parameter is only relevant if radius_attribute is configured to 26 (Vendor-Specific attribute).

The parameter defines the vendor ID number for the subscriber ID classification.

This parameter has no default value.

radius_sub_attribute

This parameter is only relevant if radius_attribute is configured to 26 (Vendor-Specific attribute).

The parameter defines the sub attribute within the vendor specific attribute that is used for subscriber ID classification.

This parameter has no default value.

radius_attribute_type

Configure the radius_attribute_type parameter according to the RADIUS attribute format.

Possible values for this parameter are integer and string. If the type is string, you must supply a mapping table.

The default value is integer.

Configuring the NAS Devices

To accept RADIUS messages, the RADIUS Listener LEG must be configured with the RADIUS clients/NAS devices that transmit RADIUS messages to the LEG.

Each [Radius.NAS.XXX] section specifies a single Network Access System (NAS), where XXX represents the NAS name.


Step 1 Copy the example [Radius.NAS.XXX] section that exists in the configuration file.

Remove the remark signs from the parameters and the section header.

Step 2 Configure a section name of the format [Radius.NAS.my_name_for_the_NAS].

Step 3 Configure the domain, IP_address, NAS_identifier, and secret parameters:

domain

Set the domain parameter with a valid subscriber domain name.

IP_address

Set the IP_address parameter with the NAS IP address from which the RADIUS messages arrive. The IP address should be in dotted notation (xxx.xxx.xxx.xxx).

NAS_identifier

Set the NAS_identifier parameter with the NAS-ID attribute with which the RADIUS messages are sent.

secret

Set the secret parameter with the secret key defined in the NAS for this connection.


Configuring the NAS Devices: Example

This example is a portion of a configuration file illustrating how to configure the NAS:

    [Radius.NAS.Access134]
    # Cisco's subscriber domain name
    domain = subscribers
    # IP address in dotted notation
    IP_address = 202.156.24.100
    # name of the NAS that exists in the NAS-ID attribute
    NAS_identifier =ACCESS134
    # secret string
    secret = secret123
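An added example, not part of the SM distribution: a small Python checker that reads p3sm.cfg-style text and reports settings that contradict the rules stated on this page (allowed packet types, the extra VSA parameters, default required with use_default, the four NAS parameters). The function name, message texts and the sample file are constructed for illustration.

```python
import configparser
import ipaddress
PACKET_TYPES = {"accounting-start", "accounting-interim", "accounting-stop"}

def lint_radius_leg(text):
    """Return (section, message) findings for the RADIUS Listener LEG sections."""
    cp = configparser.ConfigParser(comment_prefixes=("#",), interpolation=None)
    cp.read_string(text)  # configparser lower-cases parameter names
    out = []
    for name in cp.sections():
        sec = cp[name]
        if name == "Radius Listener":
            for pt in sec.get("packet_types", "").split(","):
                if pt.strip() and pt.strip() not in PACKET_TYPES:
                    out.append((name, f"unknown packet type {pt.strip()}"))
        elif name.startswith("Radius.NAS."):
            for key in ("domain", "ip_address", "nas_identifier", "secret"):
                if not sec.get(key):
                    out.append((name, f"missing {key}"))
            try:  # a missing IP_address was already reported above
                ipaddress.IPv4Address(sec.get("ip_address") or "0.0.0.0")
            except ValueError:
                out.append((name, "IP_address is not in dotted notation"))
        elif name.startswith("Radius."):
            if sec.get("radius_attribute") == "26":
                for key in ("radius_attribute_vendor_id", "radius_sub_attribute"):
                    if key not in sec:
                        out.append((name, f"VSA needs {key}"))
            if sec.get("radius_attribute_type", "integer") not in ("integer", "string"):
                out.append((name, "radius_attribute_type must be integer or string"))
            needs_default = sec.get("use_default", "true") == "true"
            if name.startswith("Radius.Property.") and needs_default and "default" not in sec:
                out.append((name, "use_default=true requires default"))
    return out

# Constructed sample with one mistake per section.
SAMPLE = """\
[Radius Listener]
packet_types=accounting-start,account-interim,accounting-stop
[Radius.Subscriber ID]
radius_attribute = 26
radius_attribute_vendor_id=10415
[Radius.Property.Package]
use_default = true
[Radius.NAS.Access134]
domain = subscribers
IP_address = 202.156.24
NAS_identifier = ACCESS134
"""
```

Running lint_radius_leg(SAMPLE) returns five findings, including the misspelled packet type and the NAS section that has no secret.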

Posted: Mon Jan 21 23:29:18 PST 2008
All contents are Copyright © 1992--2008 Cisco Systems, Inc. All rights reserved.