Configuring RADIUS

Configuring SSG to Communicate with the RADIUS Server

Configuring NAS Clients

Adding Cisco SSG VSAs to the Attribute Dictionary

Configuring Service Profiles

Example Service Profiles

Configuring User Profiles

Example User Profiles

Configuring Optional Profile Features

Configuring the RADIUS Accounting Feature

Configuring Cisco Access Registrar for SESM Deployments

Configuring the RADIUS Ports

Cisco SSG VSAs in Cisco Access Registrar's Dictionary

Configuring NAS Clients in Cisco Access Registrar

Configuring Attribute Profiles in Cisco Access Registrar

Configuring Cisco Access Registrar Userlists and AA Services

Configuring Accounting on Cisco Access Registrar

Saving the Configuration and Reloading the Server

Configuring RADIUS

This appendix describes the configuration steps required to include a RADIUS server in an CiscoSubscriber Edge Services Manager (SESM) deployment. This appendix includes the following topics:

Configuring SSG to Communicate with the RADIUS Server

You must configure SSG to communicate with the RADIUS server. To do so, use the radius-server host Cisco IOS command on the SSG host. Different ports are used for handling authentication and accounting packets. For example:

radius-server host 10.3.3.2 auth-port 1812 acct-port 1813 key cisco

To use different RADIUS servers for authentication and accounting, use two commands as follows:

radius-server host 10.3.3.2 auth-port 1812 acct-port 0 key cisco
radius-server host 10.3.3.3 auth-port 0 acct-port 1813 key cisco

Configuring NAS Clients

The RADIUS protocol is based on a client server model. The RADIUS server is the server. Multiple dial-in Network Access Server (NAS) devices are the clients. Before communication can occur, every client must be configured on the server.

An SESM deployment requires that you configure the following NAS clients on the RADIUS server:

The SSG host—This is the node route processors (NRP) on the Cisco 6400 UAC. The RADIUS server must recognize each SSG host as a client.
The SESM web application—This is the NWSP application, or your customized SESM web application. SESM web applications query the RADIUS server directly for service information. The RADIUS server must recognize the SESM web application as a client.

Table D-1 summarizes the information that might be required to define a NAS client on the RADIUS server. See your RADIUS server vendor documentation for more specific requirements, syntax, and procedures.

Table D-1: NAS Client Configuration

Property	Description
Name or IP Address	Identifies the client. Use either IP address or hostname.
Shared Secret	Must match a shared secret value configured on the client. If the shared secrets do not match, the RADIUS server issues an access-reject message. A shared secret is a value that is configured on both the client and the server. It is never sent over the network. The shared secret is used for MD5 encryption of the profile password.
Type	For SSG—Cisco:NAS For SESM—RAD_RFC+ACCT_RFC

Property

Description

Name or IP Address

Identifies the client. Use either IP address or hostname.

Shared Secret

Must match a shared secret value configured on the client. If the shared secrets do not match, the RADIUS server issues an access-reject message.

A shared secret is a value that is configured on both the client and the server. It is never sent over the network. The shared secret is used for MD5 encryption of the profile password.

Type

For SSG—Cisco:NAS

For SESM—RAD_RFC+ACCT_RFC

The following sample entries show a Merit RADIUS format defining SESM web applications and an SSG host as RADIUS clients. The examples use the value cisco as the shared secret on all of the clients.

#Entries for SESM-Server clients 
10.3.3.2       cisco     type=RAD_RFC+ACCT_RFC
10.3.3.101     cisco 		    type=RAD_RFC+ACCT_RFC
10.3.3.102     cisco     type=RAD_RFC+ACCT_RFC
 
#Entries for 6400 NRP (SSG host)
192.168.1.6     cisco     type=Cisco:NAS

Adding Cisco SSG VSAs to the Attribute Dictionary

An attribute dictionary defines attributes to the RADIUS server. The attribute dictionary contains:

Standard RADIUS attributes as defined by RFC 2138.

Vendor-specific attributes (VSAs) that extend the standard attributes. VSAs add new capabilities, supported by specific vendors, to the RADIUS server. The value of a VSA can be one or more subattributes whose meanings depend on the vendor's definition.

An SESM deployment requires that you add Cisco VSAs to your RADIUS attribute dictionary. See your RADIUS server vendor's documentation for instructions and syntax. The Cisco Access Registrar ships with all of the Cisco SESM VSAs preconfigured.

Table D-2 shows the Cisco VSAs required in an SESM deployment that uses a RADIUS server, which includes:

SESM running in RADIUS mode. In this deployment, the RADIUS server supports authorization, authentication, and accounting features.
SESM running in DESS mode and using SSG accounting features. In this deployment, the RADIUS server supports accounting features.
SESM running in DESS mode and using the RADIUS DESS Proxy (RDP) in proxy mode. In this deployment, the RADIUS server supports authentication features.

Table D-2: Cisco SSG VSAs

RADIUS Attribute	Vendor ID	Subattribute	Name	Type
26	9	1	Cisco-Avpair	String
26	9	250	Account-Info	String
26	9	251	Service-Info	String
26	9	252	Command-Code	String
26	9	253	Control-Info	String

Configuring Service Profiles

Service profiles define the services that subscribers can access using the SESM web pages.

In an SESM deployment, you must configure a service profile for each service that will be accessible through the SESM web application.

Table D-3 briefly describes the attributes in a RADIUS service profile. Use the following references for more information.

If you are using the Cisco Access Registrar, see the "Configuring Cisco Access Registrar for SESM Deployments" section for service profile examples and syntax. Otherwise, see your RADIUS server vendor documentation for the syntax of a service profile
For sample SESM service profiles, see the demo.txt file located in the NWSP config directory (for example, nwsp/config/demo.txt). This file is installed whether or not you choose the demo option. It shows service and user profiles in Merit RADIUS format.
The Cisco 6400 Feature Guide, Chapter 4, describes service profile attributes and provides examples of their use.

Table D-3: Attributes in Service Profiles

Attribute	Description
Service profile name	An identifying name for a service profile. Each profile name must be unique. Service profile names are used in the user profiles to indicate that a subscriber is subscribed to the service.
Password	Must match the service password that was configured on the SSG host and in SESM. On the SSG host (the Cisco 6400 NRP), configure a service password using the following Cisco IOS command: `ssg service password password` In SESM, configure the service password in the following line from the AAAMBean in the nwsp/config/nwsp.xml file: `<Set name="servicePassword">servicecisco</Set>`
Service-Type	Standard RADIUS attribute number 6. The value must be "outbound."
Session-Timeout	Standard RADIUS attribute number 27. Specifies the maximum length of time, in seconds, that this service (the service object on SSG) can remain active in a session at any one time. When the time expires, SSG deletes the service object, which disconnects the subscriber from the service. If the host key feature is enabled on the SSG, the SSG signals the state change to the SESM web application. Note The NWSP application does not relay this state change to the subscriber. If Session-Timeout is not set, there is no limit on how long the subscriber can use the service. In a dial-up networking or bridged (non-PPP) network environment, a subscriber can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, which can be a problem if the IP address is obtained by another user. You can use the Session-Timeout and the Idle-Timeout attributes to prevent this problem.
Idle-Timeout	Standard RADIUS attribute number 28. Specifies the maximum length of time, in seconds, that a service connection can remain idle before it is disconnected. See the explanation of the Session-Timeout attribute, above, for more information about setting this attribute.
Service-Info	A vendor-specific attribute (attribute number 26), vendor 9, subattribute 251. Valid values for Service-Info attributes are: Idescription—Service description. Optional. Describes the service. Ttype—Type of service. Optional. Valid values for type are: P—Passthrough. This is the default. T—Tunnel X—Proxy. Indicates that the SSG performs proxy service. Mmode—Service mode. Optional. Valid values for mode are: S—Sequential mode. Prevents the subscriber from accessing any other services while connected to this service. C—Concurrent mode. This is the default. Allows the subscriber to simultaneously log onto this service while connected to other services. Rip_address;mask—Service route (destination). Required. Specifies the network or the host where the service resides. Multiple instances of this attribute can exist within a single service profile, to specify multiple service destinations. An Internet service is typically specified as `"R0.0.0.0;0.0.0.0"`. Dip_address_1[;ip_address_2]—DNS Server Address. Optional. Specifies the IP addresses for the primary and secondary DNS servers to use for the domains that are defined using the O option. Oname1[name2]...[;nameX]—D omain names. Optional. SRadiusServerAddress;authPort;acctPort;secret—Remote server information. Required when type of service (T) is Proxy (X); not applicable for other service types. Specifies the remote RADIUS server that will perform authentication, authorization, and accounting for this service.
Service-Info (continued)	Gkey—Service next hop gateway. Specifies the next hop key for this service. Each SSG uses its own next hop gateway table that associates this key with a valid IP address. See the "Configuring Optional Profile Features" section for information about creating a next hop gateway table. Uurl or Hurl—These attributes specify the URL that is displayed in the HTTP address field when the service opens. If the SESM web application is designed to use HTML frames, then these options also specify whether the service is displayed in a new browser window or in a frame in the current (SESM) window, as follows: Uurl—URL for a service displayed in its own browser window. Hurl—URL for a service displayed in a frame in the SESM browser window. Note In a frameless application, both U and H cause a new browser window to open for the service. The NWSP application is a frameless application. X—Indicates that the RADIUS authentication and accounting requests use the full username (for example, user@service). Vstring—Service-defined cookie. Optional. Specifies any information that you wish to include in RADIUS authentication and accounting requests. SSG does not parse or interpret string. You must configure the proxy RADIUS server to interpret this attribute. SSG supports only one service-defined cookie per service profile. Use this attribute to add fields to accounting records.
Cisco-AVpair	A vendor-specific attribute (attribute number 26), vendor 9, subattribute 1. Valid values for the Cisco-AVpair attribute in a service profile are: "ip:inacl[#number]={standardACL \| extendedACL}"—Upstream access control list (ACL). Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming from the subscriber. "ip:outacl[#number]={standardACL \| extendedACL}"—Downstream ACL. Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the subscriber. number—Identifies the access list. If a profile includes multiple inacl or outacl attributes, the attributes are downloaded and executed according to the order implied by number. standardACL—A Cisco IOS standard ACL. extendedACL—A Cisco IOS extended ACL. Note A profile can include multiple instances of inacl attributes and multiple instances of outacl attributes. Use one attribute for each ACL statement. Multiple attributes can be used for the same ACL. "vpdn:ip-addresses=address1[<delimiter>address2][<delimiter>address3]..."—Virtual private dial-up network (VPDN) IP address. Specifies the IP addresses of the home gateways (LNSs) to receive the L2TP connections. address—IP address of the home gateway. <delimiter>—A comma (,) or a space ( ) indicates that the SSG selects load sharing among IP addresses. A slash (/) indicates that the SSG considers IP addresses on the left side of the slash a higher priority than those on the right side of the slash. "vpdn:tunnel-id=name"—VPDN tunnel ID. Specifies the name of the tunnel that must match the tunnel ID specified in the LNS VPDN group. See the Cisco 6400 Feature Guide for information about configuring LNS. "vpdn:tunnel-password=secret"—L2TP tunnel password. Specifies the secret (password) used for L2TP tunnel authentication.

Example Service Profiles

The service configuration examples in this section use a Merit RADIUS format.

Example Service Profile for Passthrough Service

internet Password = "servicecisco", Service-Type = Outbound

Service-Info = "IInternet",
Service-Info = "R153.153.153.0;255.255.255.0",
Service-Info = "MC",
Service-Info = "TP"

Example Service Profile for Proxy Service

corporate Password = "servicecisco", Service-Type = Outbound

Service-Info = "ICorporate Intranet (proxy)",
Service-Info = "R154.154.154.0;255.255.255.0",
Service-Info = "S10.3.3.101;1812;1813;cisco",
Service-Info = "MC",
Service-Info = "TX"

Example Service Profile Using Timeout Values

iptv Password = "servicecisco", Service-Type = Outbound

Service-Info = "IIP/TV",
Service-Info = "R160.160.160.0;255.255.255.0",
Service-Info = "MC",
Service-Info = "TP"
Idle-Timeout = 60,
Session-Timeout = 60

Configuring User Profiles

User profiles define SESM logon names and passwords, access control lists associated with each logon, and subscribed services for each logon.

In an SESM deployment, you must define a user profile for each user ID and password combination that will sign onto the SESM application from a web browser.

Table D-4 briefly describes the attributes in a RADIUS user profile. Use the following references for more information about:

If you are using the Cisco Access Registrar, see the "Configuring Cisco Access Registrar for SESM Deployments" section for user profile examples and syntax. Otherwise, see your RADIUS server vendor documentation for the syntax of a user profile
For sample SESM user profiles, see the demo.txt file located in the NWSP config directory (for example, nwsp/config/demo.txt). This file is installed whether or not you choose the demo option. It shows service and user profiles in Merit RADIUS format.
The Cisco 6400 Feature Guide, Chapter 4, describes user profile attributes and provides examples of their use.

Table D-4: Attributes in User Profiles

Attribute	Description
Profile name	Identifies the profile. Each profile name must be unique.
Password	The user's password.
Session-Timeout	Standard RADIUS attribute number 27. Specifies the maximum length of time, in seconds, that this user session (the host object on SSG) can remain active at any one time. When the time expires, SSG deletes the host object, which ends the session. If the host key feature is enabled on the SSG, the SSG signals the state change to the SESM web application. Note The NWSP application does not relay this state change to the subscriber. If Session-Timeout is not set, there is no limit on how long the session lasts. In a dial-up networking or bridged (non-PPP) network environment, a subscriber can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, which can be a problem if the IP address is obtained by another user. You can use the Session-Timeout and the Idle-Timeout attributes to prevent this problem.
Idle-Timeout	Standard RADIUS attribute number 28. Specifies the maximum length of time, in seconds, that a user session can remain idle before it is disconnected. See the explanation of the Session-Timeout attribute, above, for more information about setting this attribute.
Account-Info	A vendor-specific attribute (attribute number 26), vendor 9, subattribute 250. Valid values for Account-Info attributes are: "NserviceName"—Service name. Subscribes the user to the specified service and includes the service in the service list for that user obtained by the SESM web application. The serviceProfileName must be defined in a service profile. There can be multiple instances of this attribute within a user profile. "GserviceGroupProfileName"—Service group. Creates a folder for the service group on the subscriber's SESM web page. The serviceGroupProfileName must be defined in a service group profile. There can be multiple instances of this attribute within a user profile. "AautoConnectServiceName"—Automatic connection. Subscribes the user to the specified service and indicates that the user should be automatically connected to this service after successful logon. Note The service list displayed by SESM does not include A entries. It only shows N entries. For more information, see the "Example User Profile for Auto Services" section. Uurl or Hurl—These attributes specify the URL for the user's preferred Internet home page. If the SESM web server application is designed to use HTML frames, then these options also specify whether the home page is displayed in a new browser window or in a frame in the current (SESM) window, as follows: Uurl—URL for the home page displayed in its own browser window. Hurl—URL for the home page displayed in a frame in the SESM browser window. Note In a frameless application, both U and H cause a new browser window to open for the home page. The NWSP application is a frameless application.
Cisco-AVpair	A vendor-specific attribute (attribute number 26), vendor 9, subattribute 1. Valid values for the Cisco-AVpair attribute in a user profile are: "ip:inacl[#number]={standardACL \| extendedACL}"—Upstream access control list (ACL). Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to upstream traffic coming from the subscriber. "ip:outacl[#number]={standardACL \| extendedACL}"—Downstream ACL. Specifies either a Cisco IOS standard ACL or an extended ACL to be applied to downstream traffic going to the subscriber. number—Identifies the access list. If a profile includes multiple inacl or outacl attributes, the attributes are downloaded and executed according to the order implied by number. standardACL—A Cisco IOS standard ACL. extendedACL—A Cisco IOS extended ACL. Note A profile can include multiple instances of inacl attributes and multiple instances of outacl attributes. Use one attribute for each ACL statement. Multiple attributes can be used for the same ACL.
Cisco-AVpair

Example User Profiles

The user profile example in this section is in a Merit RADIUS format.

Example User Profile for Auto Services

user1 Password = "cisco"

Service-Type = Framed-User,
Account-Info = "Ainternet",      (hidden on the subscriber's web page)
Account-Info = "Ninternet"       (makes it visible)

Note The first Account-Info line specifies automatic connection to the service. If you do not include the second line, the autoconnection service does not appear on the SESM web page. To display the service on the SESM web page, you must include both entries as shown in the example.

Configuring Optional Profile Features

SSG supports the following additional optional features. See the Cisco 6400 Feature Guide for information about these features.

Service group profiles—Use these profiles to create service groups, which are groups of services that can be subscribed to as a unit.
Pseudo-service profiles—Use these profiles to define variable length tables or lists of information in the form of services.
- Next Hop Gateway—Associates next hop gateway keys with IP addresses. Because multiple SSGs might access services from different networks, service profiles can specify next hop keys. (See the service-info G attribute in Table D-3. ) If this is the case, you must configure a next hop gateway pseudo-service profile to resolve the keys to valid IP addresses.
An example next hop gateway pseudo-service profile follows:

Configuring the RADIUS Accounting Feature

If you configure a RADIUS accounting port, SSG generates accounting records and forwards them to the RADIUS server. To configure a RADIUS server for accounting only, you must perform the following configuration steps.

Configure the NAS clients as described in the "Configuring NAS Clients" section.
Add the Cisco VSAs to the RADIUS server attribute dictionary, as described in the "Adding Cisco SSG VSAs to the Attribute Dictionary" section.
Configure an accounting port, as described in the "Configuring SSG to Communicate with the RADIUS Server" section.

Note You do not need to provide service and user profiles if you are using the RADIUS server solely for accounting purposes.

The subscriber actions that cause SSG to generate a RADIUS accounting record are:

Subscriber logs in
Subscriber logs off
Subscriber accesses a service
Subscriber terminates a service

Use the following references for more information:

Chapter 4 in the Cisco 6400 Feature Guide—Descrubes the attributes contained in the accounting records
RADIUS server vendor documentation—Describes RADIUS accounting capabilities

Configuring Cisco Access Registrar for SESM Deployments

This section describes how to configure the Cisco Access Registrar (Cisco AR) for an SESM deployment. The section includes profile examples in Cisco AR format.

Configuring the RADIUS Ports

By default, Cisco Access Registrar listens on ports 1645 and 1646 for any type of RADIUS request. You can configure Cisco Access Registrar to listen on ports 1812 and 1813 instead by entering the following commands:

add /Radius/Advanced/Ports/1812
add /Radius/Advanced/Ports/1813

These commands cause Cisco Access Registrar to listen on the explicitly defined ports, 1812 and 1813, for all types of RADIUS requests. It no longer listens on the default ports.

Cisco SSG VSAs in Cisco Access Registrar's Dictionary

Cisco Access Registrar is installed with the following Cisco VSAs already defined in its attribute dictionary:

Cisco-AVPair
Cisco-SSG-Account-Info
Cisco-SSG-Service-Info
Cisco-SSG-Command-Code
Cisco-SSG-Control-Info

Configuring NAS Clients in Cisco Access Registrar

Use the following commands to configure the NAS clients required by an SESM deployment:

add /Radius/Clients/SESM1 "" 10.3.3.2 cisco
add /Radius/Clients/SESM2 "" 10.3.3.101 cisco
add /Radius/Clients/SESM1 "" 10.3.3.102 cisco

Configuring Attribute Profiles in Cisco Access Registrar

This section shows commands for creating sample profiles in Cisco Access Registrar format.

Internet Service Profile

add /Radius/Profiles/internet-profile set /Radius/Profiles/internet-profile/Attributes/Cisco-SSG-Service-Info IInternet

R153.153.153.0;255.255.255.0 MC TP

Corporate Service Profile

add /Radius/Profiles/corporate-profile set /Radius/Profiles/corporate-profile/Attributes/Cisco-SSG-Service-Info "ICorporate

Intranet(proxy)" R154.154.154.0;255.255.255.0 S10.3.3.101;1812;1813;cisco MC TX

IPTV Profile

add /Radius/Profiles/iptv-profile set /Radius/Profiles/iptv-profile/Attributes/Cisco-SSG-Service-Info IIP/TV

R160.160.160.0;255.255.255.0 MC TP

set /Radius/Profiles/iptv-profile/Attributes/Idle-Timeout 60
set /Radius/Profiles/iptv-profile/Attributes/Session-Timeout 60

Standard user profile

add /Radius/Profiles/std-user-profile set /Radius/Profiles/std-user-profile/Attributes/Service-Type Framed set /Radius/Profiles/std-user-profile/Attributes/Cisco-SSG-Account-Info Ainternet

Ninternet

Pseudo-service profile:

add /Radius/Profiles/pseudo-service-profile set /Radius/Profiles/pseudo-service-profile/Attributes/Cisco-SSG-Control-Info

Gl2tp-net7;192.168.1.101 Gl2tp-net40;192.168.1.102 Gweb-key;192.168.1.101 
Gproxy-radius-key;192.168.1.101 Gxint-24;192.168.1.101

Configuring Cisco Access Registrar Userlists and AA Services

This section describes how to configure userlists and authentication and authorization services on Cisco Access Registrar.

Configuring Userlist for SESM Services

The following commands configure userlists containing SESM services and corresponding attribute profiles.

add /Radius/Userlists/SESMservices
add /Radius/Userlists/SESMservices/internet "" servicecisco TRUE "" internet-profile
add /Radius/Userlists/SESMservices/corporate "" servicecisco TRUE "" corporate-profile
add /Radius/Userlists/SESMservices/iptv "" servicecisco TRUE "" iptv-profile

Configuring Userlist for SESM Users

The following commands configure userlists containing SESM users and corresponding attribute profiles.

add /Radius/Userlists/SESMusers
add /Radius/Userlists/SESMusers/user1 "" cisco TRUE "" std-user-profile
add /Radius/Userlists/SESMusers/ssg-next-hop "" xssg-key TRUE "" pseudo-service-profile

Configuring AA Services

The following commands configure Cisco Access Register AA services. The first command configures services for the SESM services userlist. The second command configures services for SESM users userlist.

add /Radius/Services/Outbound "" local "" "" RejectAll "" SESMservices
add /Radius/Services/SESMdefault "" local "" "" RejectAll "" SESMusers

Checking the Service-Type Attribute

The following commands configure Cisco Access Registrar to check the Service-Type attribute in the request. If Service-Type is set to Outbound, then the Outbound AA service is used; otherwise, the SESMdefault AA service is used.

set /Radius/DefaultAuthenticationService ${q|Service-Type}{SESMdefault}
set /Radius/DefaultAuthorizationService ${q|Service-Type}{SESMdefault}

Configuring Accounting on Cisco Access Registrar

To configure accounting services, use the following commands:

add /Radius/Services/SESMaccounting "" file
set /Radius/DefaultAccountingService SESMaccounting

Saving the Configuration and Reloading the Server

To save the configuration and reload the Cisco Access Registrar server, use the following commands:

save
reload

Table of Contents