Configuring RADIUS

This appendix describes the configuration steps required to include a RADIUS server in a Cisco Subscriber Edge Services Manager (SESM) deployment. This appendix includes the following topics:

Configuring SSG to Communicate with the RADIUS Server

You must configure SSG to communicate with the RADIUS server. To do so, use the radius-server host Cisco IOS command on the SSG host. Different ports are used for handling authentication and accounting packets. For example:

    radius-server host 10.3.3.2 auth-port 1812 acct-port 1813 key cisco

To use different RADIUS servers for authentication and accounting, use two commands as follows:

    radius-server host 10.3.3.2 auth-port 1812 acct-port 0 key cisco
    radius-server host 10.3.3.3 auth-port 0 acct-port 1813 key cisco

Configuring RADIUS Clients

The RADIUS protocol is based on a client-server model. The RADIUS server is the server. Multiple dial-in Network Access Server (NAS) devices are the clients. Before communication can occur, each client must be configured on the server.

An SESM deployment requires that you configure the following NAS clients on the RADIUS server:

Table D-1 summarizes the information that might be required to define a NAS client on the RADIUS server. See your RADIUS server vendor documentation for more specific requirements, syntax, and procedures.


Table D-1: NAS Client Configuration
Property Description

Name or IP Address

Identifies the client. Use either IP address or host name.

Shared Secret

Must match a shared secret value configured on the client. If the shared secrets do not match, the RADIUS server issues an access-reject message.

A shared secret is a value that is configured on both the client and the server. It is never sent over the network. The shared secret is used for the MD5-based hiding of the profile password in RADIUS packets.

Type

For SSG—Cisco:NAS

For SESM—RAD_RFC+ACCT_RFC

The following sample entries show a Merit RADIUS format defining SESM web portals and an SSG host as RADIUS clients. The examples use the value cisco as the shared secret on all of the clients.

    #Entries for SESM-Server clients
    10.3.3.2       cisco     type=RAD_RFC+ACCT_RFC
    10.3.3.101     cisco     type=RAD_RFC+ACCT_RFC
    10.3.3.102     cisco     type=RAD_RFC+ACCT_RFC
    #Entries for SSG host
    192.168.1.6    cisco     type=Cisco:NAS
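The password hiding that the shared secret protects, as an added example (not from the Cisco documentation): RFC 2865 hides User-Password by XORing it with MD5 over the shared secret and the Request-Authenticator, so a client and a server configured with different secrets cannot recover each other's passwords, which is the access-reject case described in Table D-1. The secrets and the authenticator below are constructed values.

```python
"""RFC 2865 User-Password hiding with the RADIUS shared secret.

Added example, not from the Cisco SESM documentation. The secret never
crosses the wire: the client XORs the password with MD5(secret + Request-
Authenticator) block by block, and the server reverses the operation.
"""
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: return the hidden User-Password value (RFC 2865 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    # Pad with NUL bytes up to a multiple of 16 (one MD5 digest per block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher  # each later block is keyed off the previous ciphertext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # assumes the real password has no trailing NULs


def secrets_match(password: bytes, client_secret: bytes,
                  server_secret: bytes, authenticator: bytes) -> bool:
    """True only when both sides hold the same secret; otherwise the server
    sees garbage and the RADIUS server answers with an access-reject."""
    hidden = hide_password(password, client_secret, authenticator)
    return reveal_password(hidden, server_secret, authenticator) == password
```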

Adding Cisco SSG Vendor-Specific Attributes to the Attribute Dictionary

An attribute dictionary defines attributes to the RADIUS server. The attribute dictionary contains:

An SESM deployment requires that you add Cisco VSAs to your RADIUS attribute dictionary. See your RADIUS server vendor's documentation for instructions and syntax. The Cisco Access Registrar ships with all of the Cisco SESM VSAs preconfigured.

Table D-2 shows the Cisco VSAs required in an SESM deployment that uses a RADIUS server, which includes:


Table D-2: Cisco SSG VSAs

    RADIUS Attribute   Vendor ID   Subattribute   Name           Type
    26                 9           1              Cisco-AVpair   String
    26                 9           250            Account-Info   String
    26                 9           251            Service-Info   String
    26                 9           253            Control-Info   String
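Table D-2 gives the numbers these VSAs carry on the wire. The following added example (not part of the SESM documentation) packs and parses Cisco SSG subattributes in the RFC 2865 Vendor-Specific attribute layout, with the length checks a RADIUS parser needs before trusting a packet.

```python
"""Encode and decode Cisco SSG vendor-specific attributes (VSAs).

Added example, not from the Cisco SESM documentation. Uses the RFC 2865
Vendor-Specific (attribute 26) layout for vendor ID 9 (Cisco) and the
SSG subattribute numbers listed in Table D-2.
"""
import struct

VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9

# Subattribute numbers from Table D-2.
SSG_SUBATTRS = {"Cisco-AVpair": 1, "Account-Info": 250,
                "Service-Info": 251, "Control-Info": 253}
SSG_NAMES = {num: name for name, num in SSG_SUBATTRS.items()}


def encode_vsa(name: str, value: str) -> bytes:
    """Return one attribute-26 TLV carrying a single Cisco SSG subattribute."""
    sub = SSG_SUBATTRS[name]
    data = value.encode("utf-8")
    vendor_len = 2 + len(data)      # vendor-type + vendor-length + string
    total = 6 + vendor_len          # type + length + 4-byte vendor ID + above
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    header = struct.pack("!BBIBB", VENDOR_SPECIFIC, total,
                         CISCO_VENDOR_ID, sub, vendor_len)
    return header + data


def decode_vsa(buf: bytes) -> tuple:
    """Parse exactly one Cisco SSG VSA; raise ValueError on malformed input."""
    if len(buf) < 8:
        raise ValueError("attribute too short for a vendor-specific header")
    atype, alen, vendor, sub, vlen = struct.unpack("!BBIBB", buf[:8])
    if atype != VENDOR_SPECIFIC or vendor != CISCO_VENDOR_ID:
        raise ValueError("not a Cisco vendor-specific attribute")
    if alen != len(buf) or vlen != alen - 6:
        raise ValueError("length fields do not match attribute size")
    if sub not in SSG_NAMES:
        raise ValueError(f"unknown Cisco SSG subattribute {sub}")
    return SSG_NAMES[sub], buf[8:].decode("utf-8")


def decode_attrs(buf: bytes) -> list:
    """Walk consecutive VSAs, e.g. a profile's list of Service-Info values."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        alen = buf[pos + 1]
        if alen < 8 or pos + alen > len(buf):
            raise ValueError("attribute length exceeds buffer")
        out.append(decode_vsa(buf[pos:pos + alen]))
        pos += alen
    return out
```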

Configuring Service Profiles

Service profiles define the services that subscribers can select from an SESM web portal.

In an SESM deployment, you must configure a service profile for each service that will be accessible through the SESM web portal.

Table D-3 briefly describes the attributes in a RADIUS service profile. Use the following references for more information.


Table D-3: Attributes in Service Profiles
Attribute Description

Service profile name

An identifying name for a service profile. Each profile name must be unique.

Service profile names are used in the subscriber profiles to indicate that a subscriber is subscribed to the service.

Password

Must match the service password that was configured on the SSG host and in SESM.

On the SSG host, configure a service password using the following Cisco IOS command:

ssg service password password

In SESM, configure the service password in the following line from the AAA MBean in the nwsp.xml file:

<Set name="servicePassword">servicecisco</Set>

Service-Type

Standard RADIUS attribute number 6. The value must be "outbound."

Session-Timeout

Standard RADIUS attribute number 27. Specifies the maximum length of time, in seconds, that this service (the service object on SSG) can remain active in a session at any one time. When the time expires, SSG deletes the service object, which disconnects the subscriber from the service. If the host key feature is enabled on the SSG, the SSG signals the state change to the SESM web portal.

Note   The NWSP application does not relay this state change to the subscriber.

If Session-Timeout is not set, there is no limit on how long the subscriber can use the service.

In a dial-up networking or bridged (non-PPP) network environment, a subscriber can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, which can be a problem if the IP address is obtained by another user. You can use the Session-Timeout and the Idle-Timeout attributes to prevent this problem.

Idle-Timeout

Standard RADIUS attribute number 28. Specifies the maximum length of time, in seconds, that a service connection can remain idle before it is disconnected. See the explanation of the Session-Timeout attribute, above, for more information about setting this attribute.

Service-Info

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 251. Valid values for Service-Info attributes are:

Note   In a frameless application, both U and H cause a new browser window to open for the service. The NWSP application is a frameless application.

Cisco-AVpair

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 1. Valid values for the Cisco-AVpair attribute in a service profile are:

Note   A profile can include multiple instances of inacl attributes and multiple instances of outacl attributes. Use one attribute for each ACL statement. Multiple attributes can be used for the same ACL.

Example Service Profiles

The service configuration examples in this section use a Merit RADIUS format.

Example Service Profile for Passthrough Service

    internet Password = "servicecisco", Service-Type = Outbound
        Service-Info = "IInternet",
        Service-Info = "R153.153.153.0;255.255.255.0",
        Service-Info = "MC",
        Service-Info = "TP"

Example Service Profile for Proxy Service

    corporate Password = "servicecisco", Service-Type = Outbound
        Service-Info = "ICorporate Intranet (proxy)",
        Service-Info = "R154.154.154.0;255.255.255.0",
        Service-Info = "S10.3.3.101;1812;1813;cisco",
        Service-Info = "MC",
        Service-Info = "TX"

Example Service Profile Using Timeout Values

    iptv Password = "servicecisco", Service-Type = Outbound
        Service-Info = "IIP/TV",
        Service-Info = "R160.160.160.0;255.255.255.0",
        Service-Info = "MC",
        Service-Info = "TP",
        Idle-Timeout = 60,
        Session-Timeout = 60

Configuring Service Group Profiles

Service group profiles contain a list of services. Table D-4 briefly describes the attributes in a RADIUS service group profile.


Table D-4: Attributes in Service Group Profiles
Attribute Description

Password

Service-Type

Standard RADIUS attribute number 6. The level of service. Must be outbound.

Account-Info

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 250. Valid values for Account-Info attributes are:

  • "Idescription"—Describes the service group. If this field is omitted, the service group profile name is used.

  • "GName"—Service group name.

  • "Nname"—Lists the services that belong to the group.

  • "TE"—Indicates that this is a mutually exclusive service group.

Example Service Group Profiles

The service group configuration examples in this section use a Merit RADIUS format.

Example Service Group Profile

    SvcGroup1 Password = "servicecisco", Service-Type = Outbound
        Account-Info = "Nvidconf",
        Account-Info = "Ndistlearn",
        Account-Info = "Ncorporate",
        Account-Info = "Nbanking"

Example Service Group Profile for a Mutex Group

    MutexGrp1 Password = "groupcisco", Service-Type = Outbound
        Account-Info = "IBandwidth-QoS",
        Account-Info = "Nbw-gold",
        Account-Info = "Nbw-silver",
        Account-Info = "Nbw-bronze",
        Account-Info = "TE"

Configuring Subscriber Profiles

Subscriber profiles define SESM logon names and passwords, access control lists associated with each logon, and subscribed services for each logon.

In an SESM RADIUS mode deployment, you must define a subscriber profile for each subscriber that will sign onto an SESM portal from a web browser.

Table D-5 briefly describes the attributes in a RADIUS subscriber profile. Use the following references for more information:


Table D-5: Attributes in Subscriber Profiles
Attribute Description

User-Name

Standard RADIUS attribute number 1. The subscriber name used for authentication.

User-Password

Standard RADIUS attribute number 2. The subscriber password used for authentication.

Called-Station-Id

Standard RADIUS attribute number 30. The access point name (APN), which can optionally be used for authentication.

Calling-Station-Id

Standard RADIUS attribute number 31. The MSISDN, which can optionally be used for authentication.

NAS-Identifier

Standard RADIUS attribute number 32. The NAS identifier, which can optionally be used for authentication.

Session-Timeout

Standard RADIUS attribute number 27. Specifies the maximum length of time, in seconds, that this subscriber session (the host object on SSG) can remain active at any one time. When the time expires, SSG deletes the host object, which ends the session. If the host key feature is enabled on the SSG, the SSG signals the state change to the SESM web portal.

Note   The NWSP application does not relay this state change to the subscriber.

If Session-Timeout is not set, there is no limit on how long the session lasts.

In a dial-up networking or bridged (non-PPP) network environment, a subscriber can disconnect from the NAS and release the IP address without logging out from the SSG. If this happens, the SSG continues to allow traffic to pass from that IP address, which can be a problem if the IP address is obtained by another user. You can use the Session-Timeout and the Idle-Timeout attributes to prevent this problem.

Idle-Timeout

Standard RADIUS attribute number 28. Specifies the maximum length of time, in seconds, that a subscriber session can remain idle before it is disconnected. See the explanation of the Session-Timeout attribute, above, for more information about setting this attribute.

Account-Info

Note   In SSG Release 12.2.4(B) or later, if a point-to-point protocol (PPP) subscriber profile does not include any VSAs, the SSG does not create a host object for the subscriber and therefore, the SSG does not apply any control over the subscriber's access. The fact that the PPP link is established and the SSG is not applying any control means that the subscriber has unrestricted access to any downstream connections defined in the subscriber's profile or by the Cisco IOS configuration on the SSG host device. If it is important to avoid this situation, make sure that all PPP clients are subscribed to at least one service or define any other Cisco SSG VSA in the profile, such as a Uurl or Hurl attribute.

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 250. Valid values for Account-Info attributes are:

Note   The service list displayed by SESM does not include A entries. It only shows N entries. To display an auto connect service on the SESM service list, include both an A and an N entry for the service in the profile. See the "Example Subscriber Profile for Auto Services" section for an example.

Note   In a frameless application, both U and H cause a new browser window to open for the home page. The NWSP application is a frameless application.

Cisco-AVpair

A vendor-specific attribute (attribute number 26), vendor 9, subattribute 1. Valid values for the Cisco-AVpair attribute in a subscriber profile are:

Note   A profile can include multiple instances of inacl attributes and multiple instances of outacl attributes. Use one attribute for each ACL statement. Multiple attributes can be used for the same ACL.

Example Subscriber Profiles

The subscriber profile example in this section is in a Merit RADIUS format.

Example Subscriber Profile for Auto Services

    user1 Password = "cisco"
        Service-Type = Framed-User,
        Account-Info = "Ainternet",    # hidden on the subscriber's web page
        Account-Info = "Ninternet"     # makes it visible

Note   The first Account-Info line specifies automatic connection to the service. If you do not include the second line, the auto connection service does not appear on the SESM web portal. To display the service on the SESM web portal, you must include both entries as shown in the example.
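As an added example, not from the Cisco documentation, the following lint parses Merit-format profiles like the ones in this appendix and checks the rules it states: Service-Type = Outbound and the SSG service password on service profiles, and an N entry for every auto-connect A entry in a subscriber profile. The sample text is constructed from the page's examples with one deliberate omission.

```python
"""Lint Merit-format SESM profiles against rules stated on this page.

Added example, not from the Cisco SESM documentation. Checks that service
profiles carry Service-Type = Outbound and the SSG service password, and that
each auto-connect (A) entry in a subscriber profile has a matching N entry,
without which the SESM portal does not list the service.
"""
import re

# attribute = value, where value is "quoted text" or a bare token
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)')

# Constructed sample: the page's internet service plus a subscriber whose
# auto-connect entry (Ainternet) has no matching Ninternet entry.
SAMPLE = '''
internet Password = "servicecisco", Service-Type = Outbound
    Service-Info = "IInternet", Service-Info = "MC", Service-Info = "TP"
user1 Password = "cisco"
    Service-Type = Framed-User, Account-Info = "Ainternet", Account-Info = "Niptv"
'''


def parse_merit(text: str) -> dict:
    """Return {profile_name: [(attribute, value), ...]} in file order."""
    profiles, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                          # blank line or Merit comment
        if not raw[0].isspace():              # unindented line opens a profile
            current, _, raw = raw.partition(" ")
            profiles[current] = []
        for attr, val in ATTR_RE.findall(raw):
            profiles[current].append((attr, val.strip('"')))
    return profiles


def lint_profiles(profiles: dict, service_password: str = "servicecisco") -> list:
    """Return findings as strings; an empty list means the profiles pass."""
    findings = []
    for name, attrs in profiles.items():
        vals = {}
        for attr, val in attrs:
            vals.setdefault(attr, []).append(val)
        if "Service-Info" in vals:            # service profile (Table D-3)
            if vals.get("Service-Type") != ["Outbound"]:
                findings.append(f"{name}: Service-Type must be Outbound")
            if vals.get("Password") != [service_password]:
                findings.append(f"{name}: Password must match the SSG service password")
        else:                                 # subscriber profile (Table D-5)
            info = vals.get("Account-Info", [])
            listed = {v[1:] for v in info if v.startswith("N")}
            for v in info:
                if v.startswith("A") and v[1:] not in listed:
                    findings.append(f"{name}: auto-connect {v[1:]} has no N entry; not listed on portal")
    return findings
```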

Configuring Next Hop Gateway Profiles

Next Hop Gateway profiles associate next hop gateway keys with IP addresses. Because multiple SSGs might access services from different networks, service profiles can specify next hop keys. (See the service-info G attribute in Table D-3.) If this is the case, you must configure a next hop gateway pseudo-service profile to resolve the keys to valid IP addresses.

An example next hop gateway pseudo-service profile follows:

    ssg-next-hop Password = "xssg-key"
        Control-Info = "Gl2tp-net7;192.168.1.101",
        Control-Info = "Gl2tp-net40;192.168.1.102",
        Control-Info = "Gweb-key;192.168.1.101",
        Control-Info = "Gproxy-radius-key;192.168.1.101",
        Control-Info = "Gxint-24;192.168.1.101"

Configuring the RADIUS Accounting Feature

If you configure a RADIUS accounting port, SSG generates accounting records and forwards them to the RADIUS server. To configure a RADIUS server for accounting only, you must perform the following configuration steps.

The subscriber actions that cause SSG to generate a RADIUS accounting record are:

Use the following references for more information:

Configuring Cisco Access Registrar for SESM Deployments

This section describes how to configure the Cisco Access Registrar (Cisco AR) for an SESM deployment. The section includes profile examples in Cisco AR format.

Configuring the RADIUS Ports

By default, Cisco Access Registrar listens on ports 1645 and 1646 for any type of RADIUS request. You can configure Cisco Access Registrar to listen on ports 1812 and 1813 instead by entering the following commands:

    add /Radius/Advanced/Ports/1812
    add /Radius/Advanced/Ports/1813

These commands cause Cisco Access Registrar to listen on the explicitly defined ports, 1812 and 1813, for all types of RADIUS requests. It no longer listens on the default ports.

Cisco SSG VSAs in Cisco Access Registrar Dictionary

Cisco Access Registrar is installed with the following Cisco VSAs already defined in its attribute dictionary:

Configuring NAS Clients in Cisco Access Registrar

Use the following commands to configure the NAS clients required by an SESM deployment:

    add /Radius/Clients/SESM1 "" 10.3.3.2 cisco
    add /Radius/Clients/SESM2 "" 10.3.3.101 cisco
    add /Radius/Clients/SESM3 "" 10.3.3.102 cisco

Configuring Attribute Profiles in Cisco Access Registrar

This section shows commands for creating sample profiles in Cisco Access Registrar format.

Internet Service Profile

    add /Radius/Profiles/internet-profile
    set /Radius/Profiles/internet-profile/Attributes/Cisco-SSG-Service-Info IInternet R153.153.153.0;255.255.255.0 MC TP

Corporate Service Profile

    add /Radius/Profiles/corporate-profile
    set /Radius/Profiles/corporate-profile/Attributes/Cisco-SSG-Service-Info "ICorporate Intranet(proxy)" R154.154.154.0;255.255.255.0 S10.3.3.101;1812;1813;cisco MC TX

IPTV Profile

    add /Radius/Profiles/iptv-profile
    set /Radius/Profiles/iptv-profile/Attributes/Cisco-SSG-Service-Info IIP/TV R160.160.160.0;255.255.255.0 MC TP
    set /Radius/Profiles/iptv-profile/Attributes/Idle-Timeout 60
    set /Radius/Profiles/iptv-profile/Attributes/Session-Timeout 60

Standard Subscriber Profile

    add /Radius/Profiles/std-user-profile
    set /Radius/Profiles/std-user-profile/Attributes/Service-Type Framed
    set /Radius/Profiles/std-user-profile/Attributes/Cisco-SSG-Account-Info Ainternet Ninternet

Pseudo-service Profile

    add /Radius/Profiles/pseudo-service-profile
    set /Radius/Profiles/pseudo-service-profile/Attributes/Cisco-SSG-Control-Info Gl2tp-net7;192.168.1.101 Gl2tp-net40;192.168.1.102 Gweb-key;192.168.1.101 Gproxy-radius-key;192.168.1.101 Gxint-24;192.168.1.101

Configuring Cisco Access Registrar Userlists and Authentication and Authorization Services

This section describes how to configure userlists and authentication and authorization services on Cisco Access Registrar.

Configuring Userlist for SESM Services

The following commands configure userlists containing SESM services and corresponding attribute profiles.

    add /Radius/Userlists/SESMservices
    add /Radius/Userlists/SESMservices/internet "" servicecisco TRUE "" internet-profile
    add /Radius/Userlists/SESMservices/corporate "" servicecisco TRUE "" corporate-profile
    add /Radius/Userlists/SESMservices/iptv "" servicecisco TRUE "" iptv-profile

Configuring Userlist for SESM Users

The following commands configure userlists containing SESM users and corresponding attribute profiles.

    add /Radius/Userlists/SESMusers
    add /Radius/Userlists/SESMusers/user1 "" cisco TRUE "" std-user-profile
    add /Radius/Userlists/SESMusers/ssg-next-hop "" xssg-key TRUE "" pseudo-service-profile

Configuring AA Services

The following commands configure Cisco Access Registrar AA services. The first command configures services for the SESM services userlist. The second command configures services for the SESM users userlist.

    add /Radius/Services/Outbound "" local "" "" RejectAll "" SESMservices
    add /Radius/Services/SESMdefault "" local "" "" RejectAll "" SESMusers

Checking the Service-Type Attribute

The following commands configure Cisco Access Registrar to check the Service-Type attribute in the request. If Service-Type is set to Outbound, then the Outbound AA service is used; otherwise, the SESM default AA service is used.

    set /Radius/DefaultAuthenticationService ${q|Service-Type}{SESMdefault}
    set /Radius/DefaultAuthorizationService ${q|Service-Type}{SESMdefault}

Configuring Accounting on Cisco Access Registrar

To configure accounting services, use the following commands:

    add /Radius/Services/SESMaccounting "" file
    set /Radius/DefaultAccountingService SESMaccounting

Saving the Configuration and Reloading the Server

To save the configuration and reload the Cisco Access Registrar server, use the following commands:

    save
    reload


Posted: Mon Aug 26 08:51:28 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.