This appendix provides information on the translation that the RADIUS Data Proxy (RDP) server performs for the service-profile attributes that CDAT creates in the LDAP directory.
The content of the service profile that you create with CDAT is derived from a RADIUS service profile. When the SSG gets information about services, the SSG uses the RADIUS protocol and expects RADIUS service-profile attributes.
In an SESM system, the RDP server is a RADIUS proxy server that mediates between the SSG and the LDAP directory: RDP uses the DESS programming interfaces to read service profiles from the LDAP directory and translates the CDAT/DESS service-profile attributes into the RADIUS service-profile attributes that the SSG expects.
The three tables in this appendix list the CDAT-to-RADIUS translations that RDP performs for a service profile.
Note: The information in this appendix may be useful to you if you are reading SSG documentation, which discusses only RADIUS attributes, and you need to know which RADIUS attribute corresponds to each CDAT attribute in a service profile.
Table C-1 shows the CDAT attributes for a service that RDP translates into standard RADIUS attributes.
Table C-1: Standard RADIUS Attributes

CDAT Attribute | Standard RADIUS Attribute Sent to the SSG
Service type | Standard RADIUS attribute number 6, Service type. The value must be outbound.
Session Timeout | Standard RADIUS attribute number 27. Maximum time, in seconds, that a host or service object can remain active in any one session.
Idle Timeout | Standard RADIUS attribute number 28. Maximum time, in seconds, that a service connection can remain idle before it is disconnected.
Table C-2 shows the CDAT attributes for a service that RDP translates into RADIUS Service-Info attributes. Service-Info attributes are vendor-specific attributes (attribute number 26), vendor 9, subattribute 251.
Table C-2: Service-Info Attributes

Each Service-Info value is a single text string: the first character identifies the attribute, and the variable part (shown below in angle brackets) follows it directly, with no brackets or spaces in the string the SSG receives.

CDAT Attribute | Service-Info Attribute Sent to the SSG
Service class | T<type>. Type of service. Valid values for type are P (passthrough service), T (tunneled service), and X (proxy service).
Access mode | M<mode>. Service mode. Valid values for mode are S (sequential mode) and C (concurrent mode).
Description | I<description>. Service description, where description is the text string for the description.
Next hop gateway | G<key>. Next-hop key, where key is the text string for the key.
Domain names | O<name1>[;<name2>]...[;<nameX>]. Domain names, where name1, name2, and so forth are the domain names.
Primary DNS servers; Secondary DNS servers | D<ip_address_1>[;<ip_address_2>]. The primary and secondary DNS servers for this service. ip_address_1 and ip_address_2 are the IP addresses of, respectively, the primary and secondary DNS servers.
Service routes | R<ip_address>;<subnet_mask>. Service routes (destinations) where the service is located. ip_address and subnet_mask are the IP address and subnet mask of a destination. Multiple instances of this attribute in a single service profile specify multiple service destinations.
Service URL | U<url> or H<url>. Service URL, where url is a fully qualified URL.
RADIUS server IP address; RADIUS server authentication port; RADIUS server accounting port; RADIUS shared secret | S<RadiusServerAddress>;<authPort>;<acctPort>;<secret>. Remote RADIUS server information, where RadiusServerAddress is the server IP address, authPort is the server authentication port, acctPort is the server accounting port, and secret is the server shared secret.
Table C-3 shows the CDAT attributes for a service that RDP translates into Cisco AVPair attributes. Cisco AVPair attributes are vendor-specific attributes (attribute number 26), vendor 9, subattribute 1.
Table C-3: Cisco AV-Pair Attributes

CDAT Attribute | Cisco AV Pair Sent to the SSG
Tunnel identifier | vpdn:tunnel-id=<name>. Tunnel identifier, where name is the name of the tunnel.
Tunnel IP address | vpdn:ip-addresses=<ip_address>. Tunnel IP address, where ip_address is the address of the home gateway (LNS) that receives the L2TP connection.
Tunnel password | vpdn:l2tp-tunnel-password=<password>. Tunnel password, where password is the password for L2TP tunnel authentication.
Tunnel type | vpdn:tunnel-type=<type>. Tunnel type, where type is l2tp (the only value allowed with SESM).
Pool name; IP pool name | ip:addr-pool=<pool_name>. Local address pool, where pool_name is the name of the address pool.
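The following is an added example, not RDP's or Cisco's code, showing how the Service-Info strings of Table C-2 and the AV pairs of Table C-3 are carried inside a RADIUS Vendor-Specific attribute (attribute 26, vendor 9, subattribute 251 or 1) and how a receiver should check the nested lengths before trusting the contents. The profile dictionary keys, the describe() helper and the sample values are assumptions made for this example; the byte layout is the Vendor-Specific format of RFC 2865.

```python
# Added example, not RDP's or Cisco's code: build the RADIUS attributes this appendix describes
# from a CDAT profile and parse them back (RFC 2865 attr 26). Dict keys and sample values are assumed.
import struct
from ipaddress import ip_address

CISCO_VENDOR_ID = 9
SERVICE_INFO = 251   # Table C-2: Service-Info subattribute
CISCO_AVPAIR = 1     # Table C-3: Cisco AV-pair subattribute
SERVICE_CLASS = {"P": "Passthrough service", "T": "Tunneled service", "X": "Proxy service"}
ACCESS_MODE = {"S": "Sequential mode", "C": "Concurrent mode"}
PREFIX = {"O": "domains ", "D": "DNS servers ", "R": "route ", "G": "next-hop key ",
          "U": "URL ", "H": "URL ", "I": "description ", "S": "remote RADIUS server "}

def vsa(subattr, text):
    """Attribute 26 wrapping one Cisco subattribute: 26|len|vendor(4)|sub|sublen|text."""
    payload = text.encode("ascii")
    body = struct.pack("!IBB", CISCO_VENDOR_ID, subattr, 2 + len(payload)) + payload
    if 2 + len(body) > 255:   # a RADIUS attribute length is one octet
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BB", 26, 2 + len(body)) + body

def service_info(profile):
    """Translate CDAT fields to the Service-Info strings of Table C-2."""
    if profile["service_class"] not in SERVICE_CLASS or profile["access_mode"] not in ACCESS_MODE:
        raise ValueError("invalid service class or access mode code")
    attrs = ["T" + profile["service_class"], "M" + profile["access_mode"],
             "O" + ";".join(profile["domain_names"])]
    if profile.get("dns_servers"):
        attrs.append("D" + ";".join(str(ip_address(a)) for a in profile["dns_servers"]))
    for dest, mask in profile.get("service_routes", []):   # one R attribute per route
        attrs.append(f"R{ip_address(dest)};{ip_address(mask)}")
    return attrs

def parse_vsa(data):
    """Return (subattribute, text) from one Vendor-Specific attribute, checking every length."""
    if len(data) < 8 or data[0] != 26 or data[1] != len(data):
        raise ValueError("malformed Vendor-Specific attribute")
    vendor, sub, sublen = struct.unpack_from("!IBB", data, 2)
    if vendor != CISCO_VENDOR_ID or sublen != len(data) - 6:
        raise ValueError("unexpected vendor or subattribute length")
    return sub, data[8:].decode("ascii")

def describe(text):
    """Meaning of one Service-Info string, e.g. 'TP' -> 'Passthrough service'."""
    code, value = text[0], text[1:]
    return {"T": SERVICE_CLASS, "M": ACCESS_MODE}[code][value] if code in "TM" else PREFIX[code] + value

# Constructed sample profile, not taken from a real directory
SAMPLE = {"service_class": "P", "access_mode": "S", "domain_names": ["example.com", "example.net"],
          "dns_servers": ["192.0.2.53"], "service_routes": [("192.0.2.0", "255.255.255.0")]}
```

Because the S attribute carries the remote RADIUS shared secret as plain text inside the profile, anything that logs or stores decoded Service-Info strings should treat that attribute as a secret.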
CDAT allows the service provider to explicitly define additional Cisco AV pairs for a service using the Local RADIUS Attributes box in the Services and Service Groups windows. RDP sends these AV pairs to the SSG exactly as they are specified. For information on these AV pairs, see the "RADIUS Profile" section.
For more information on RADIUS profiles and the SSG, see the Service Selection Gateway document and the Cisco Subscriber Edge Services Manager Installation and Configuration Guide.