Configuring the RADIUS Data Proxy

The RADIUS Data Proxy (RDP) translates RADIUS protocol messages into LDAP protocol messages with SPE DESS extensions. RDP is available for installation when you install SESM in LDAP mode. This section describes how to configure the RDP application. Topics are:

Configuring Listeners and Handlers

RDP receives RADIUS protocol messages on one listener. The listener is configured in the RDP MBean.

RDP processes the messages using multiple handlers. Each handler performs some processing and calls the next handler. The chain of handlers that processes a message is configured in the RDP MBean and is determined by:

The RDP application is easily extensible because the chain of handlers is configurable in the MBeans. New handlers can be plugged in to handle new or customized configuration requirements.


Note   To maintain the correct processing sequence for the installed RDP application, do not change the name and nexthandler attributes in the RDP MBeans.

See the "RDP Protocol Handlers" section for a summary of the chain of RDP handlers that processes RADIUS protocol messages in the installed RDP application.

Changing Installed Configuration Options

RDP configuration options are chosen and configured during RDP installation. This section describes how to change those configuration options. The topics are:

Changing the RADIUS Data Proxy Mode

The RDP can run in the following modes:

If you use Proxy mode, see the "RADIUS Data Proxy MBeans" section for important information about configuring subscriber profiles.

To change the RDP mode, we recommend that you reinstall the RDP component.


Note   The alternative is to manually edit the configuration files, commenting out the inappropriate handlers, removing the comments surrounding other handlers, and configuring those handlers.

RDP can also run in LOCAL mode, in which it obtains profiles from a Merit flat file. This mode is useful for test environments. To switch to LOCAL mode, set the LOCAL attribute in the RDP MBean.

Adding Service Information to Replies

To change this option, we recommend that you reinstall the RDP component.


Note   The alternative is to manually edit the configuration files, commenting out the inappropriate handlers, removing the comments surrounding other handlers, and configuring those handlers.

Choose this option if you want the SSG to perform automatic connections to services when a subscriber's profile includes the autoconnect attribute. When you choose this option, RDP includes the subscriber's service list and related information in replies to SSG. The service information consumes memory on the SSG device.

Do not choose this option if memory is a consideration on the SSG device. Instead, you can configure the SESM application to initiate automatic connections with the autoConnect attribute in the SESM MBean. See the "SESM MBean" section for more information.

Using a Restricted Client List

This option is easily changed after installation. For instructions, see the addClientList attribute in the "RDP MBean" section.

RADIUS Data Proxy MBeans

RDP uses the following MBeans:

To change attributes in these MBeans, you can either:

    rdp
      config    rdp.xml
    tools
      config    erp.xml

Default port numbers used by the installation process are:

Logger MBean

The Logger MBean configures both logging and debugging tools. The logging tool logs RDP application activity. The debugging mechanism produces messages useful for debugging. This is the same logging and debugging mechanism used by the SESM portal applications. See the "Logger MBean" section, for more information.

ManagementConsole MBean

The ManagementConsole MBean configures the RDP management console port, including valid user names and passwords for accessing the console. See the "Configuring the ManagementConsole MBean" section for more information.

RADIUSDictionary MBean

All SESM applications, including the RDP, internally predefine the standard RADIUS attributes and the Cisco SSG vendor-specific attributes (VSAs). You can define additional attributes, such as additional Cisco VSAs or third-party VSAs, in the RADIUSDictionary MBean. When you define attributes in this MBean, you can use the defined attribute names in the profiles on the LDAP directory.

For a list of the standard RADIUS attributes that are predefined in SESM, see Table C-2. For a list of the Cisco SSG VSAs that are predefined in SESM, see Table C-3.

Table 7-1 describes the attributes in the RADIUSDictionary MBean.


Table 7-1: RDP—RADIUSDictionary MBean
Attribute Name Explanation

dynamicAttributes

An array of new attribute definitions. To define a new attribute, add a new item to this array. The format for an item is:

name(radiusAttributeId, vendorId, vendorSubattribute, datatype)

Where:

  • name—The new attribute name.

  • radiusAttributeId—Use attribute value 26, the vendor-specific attribute.

  • vendorId—A RADIUS vendor ID.

  • vendorSubattribute— A unique number that distinguishes this attribute from other VSAs for the same vendor.

  • datatype—One of the following values: BINARY, STRING, INTEGER, IPADDRESS. When datatype is BINARY, the value assigned to the attribute must be expressed as a hexadecimal string.

An example follows:

demoVSA(26, 1, 1, BINARY)

The general form, in which each field may carry an explicit keyword label and the type field may be omitted, is:

name([[type=]26],[vendorId=]vendorId,[vendorType=]vendorType,[dataType=]dataType)

For example:

demoVSA(type=26, vendorId=1, vendorType=1,dataType=INTEGER)
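The following is an added example, not part of the SESM documentation or the RDP code. It parses dynamicAttributes items in both forms shown above and turns a parsed entry into the on-the-wire Vendor-Specific attribute (RADIUS type 26, RFC 2865 section 5.26: vendor ID, vendor type, length, value), then decodes it back. The attribute names, vendor ID 1 and the sample values are constructed for illustration; the four datatypes are the ones the table lists, with BINARY values given as hexadecimal strings as the table requires.

```python
import re
import struct
from ipaddress import IPv4Address

VENDOR_SPECIFIC = 26                      # RFC 2865 attribute type for VSAs
_KEYS = ("type", "vendorId", "vendorType", "dataType")
_TYPES = ("BINARY", "STRING", "INTEGER", "IPADDRESS")
_ENTRY_RE = re.compile(r"^\s*(?P<name>[A-Za-z_][\w-]*)\s*\((?P<args>[^)]*)\)\s*$")


def parse_dictionary_entry(entry):
    """Parse one dynamicAttributes item, positional or keyword form, into a dict."""
    m = _ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"malformed dictionary entry: {entry!r}")
    args = [a.strip() for a in m.group("args").split(",")]
    if len(args) not in (3, 4):           # 'type' is the only optional field
        raise ValueError(f"expected 3 or 4 fields in {entry!r}")
    positional = _KEYS[len(_KEYS) - len(args):]
    fields = {}
    for pos, raw in enumerate(args):
        if "=" in raw:
            key, val = (s.strip() for s in raw.split("=", 1))
        else:
            key, val = positional[pos], raw
        if key not in _KEYS or key in fields:
            raise ValueError(f"bad or repeated field {key!r} in {entry!r}")
        fields[key] = val
    missing = {"vendorId", "vendorType", "dataType"} - fields.keys()
    if missing:
        raise ValueError(f"{entry!r} lacks {sorted(missing)}")
    if int(fields.get("type", VENDOR_SPECIFIC)) != VENDOR_SPECIFIC:
        raise ValueError("dynamic attributes must use RADIUS type 26 (Vendor-Specific)")
    data_type = fields["dataType"].upper()
    if data_type not in _TYPES:
        raise ValueError(f"unsupported dataType {data_type!r}")
    return {"name": m.group("name"), "vendorId": int(fields["vendorId"]),
            "vendorType": int(fields["vendorType"]), "dataType": data_type}


def _encode_value(data_type, value):
    if data_type == "INTEGER":
        return struct.pack("!I", int(value))
    if data_type == "IPADDRESS":
        return IPv4Address(value).packed
    if data_type == "STRING":
        return value.encode("utf-8") if isinstance(value, str) else bytes(value)
    return bytes.fromhex(value) if isinstance(value, str) else bytes(value)  # BINARY as hex


def _decode_value(data_type, raw):
    if data_type == "INTEGER":
        return struct.unpack("!I", raw)[0]
    if data_type == "IPADDRESS":
        return str(IPv4Address(raw))
    if data_type == "STRING":
        return raw.decode("utf-8")
    return raw.hex()


def encode_vsa(entry, value):
    """Build the type-26 TLV: Type(26) Length VendorId(4) VendorType VendorLength Value."""
    payload = _encode_value(entry["dataType"], value)
    sub = struct.pack("!BB", entry["vendorType"], 2 + len(payload)) + payload
    body = struct.pack("!I", entry["vendorId"]) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-octet RADIUS limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(dictionary, attr):
    """Decode one type-26 TLV against a list of parsed entries; returns (name, value)."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, sub_len = attr[6], attr[7]
    if sub_len < 2 or sub_len != len(attr) - 6:
        raise ValueError("bad vendor sub-attribute length")
    for entry in dictionary:
        if entry["vendorId"] == vendor_id and entry["vendorType"] == vendor_type:
            return entry["name"], _decode_value(entry["dataType"], attr[8:])
    raise KeyError(f"no dictionary entry for vendor {vendor_id} type {vendor_type}")


# Constructed dictionary: both syntaxes from the table plus an IP-typed entry.
SAMPLE_DICTIONARY = [parse_dictionary_entry(e) for e in (
    "demoVSA(26, 1, 1, BINARY)",
    "demoCounter(type=26, vendorId=1, vendorType=2, dataType=INTEGER)",
    "demoGateway(vendorId=1, vendorType=3, dataType=IPADDRESS)",
)]
```

Length checks are the important part of the decoder: an attribute whose outer length, vendor length and actual byte count disagree must be rejected rather than sliced on trust, since the bytes come straight from the network.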

RDP MBean

The RDP MBean configures the RDP listener, including its thread pool and sockets (ports), and all of the handlers. Table 7-2 describes the configurable attributes in the RDP MBean.


Note   Unless you are customizing the RDP application, the attributes in Table 7-2 are the only ones you should change. All other attributes affect the processing sequence of the RDP protocol handler. See the "Changing Installed Configuration Options" section for more information.


Table 7-2: RDP—RDP MBean
Attribute Name Explanation

handler

Defines the type of listener being configured. The value must be RDP to configure an RDP protocol handler.

dump

Default: true

The following attribute is in the DESSAuthenticationHandler class.

authAttributes

This attribute specifies the RADIUS attributes to use in subscriber authentication, in addition to the USER_NAME attribute. USER_NAME is always required and should not appear in the list. Any other standard RADIUS attribute can be used for authentication. Typical values are:

  • USER_PASSWORD

  • CALLED_STATION_ID (APN)

  • CALLING_STATION_ID (MSISDN)

  • NAS_IDENTIFIER

See the "Multikey Authentication" section for more information.

The following attributes are in the DESSServiceProfileHandler, DESSGroupProfileHandler, and DESSNextHopProfileHandler classes.

servicePassword

groupPassword

nextHopPassword

RDP requires passwords to obtain service, group, and next hop profiles. The SSG sets the password in the request. The values you configure here must match the values configured on the SSG or, in the case of the groupPassword, in SESM configuration. If the password in such a request does not match the configured value, RDP returns an Access-Reject message.

  • servicePassword—Requests containing this password value are requests for a single service profile. RDP uses the SPE API to obtain a list of authorized services for a subscriber. This servicePassword must match the password configured on the SSG with the following command:

    ssg service-password servicePassword

  • groupPassword—Requests containing this password value are requests for a service group profile. RDP forwards requests to a RADIUS server to obtain a list of authorized services for the group of which the subscriber is a member. Group requests are relevant only when RDP is configured in proxy mode. The groupPassword value must match the password configured on the SESM portal in the serviceGroupPassword attribute in the AAA MBean.

  • nextHopPassword—Requests containing this password value are requests for a next hop table profile. RDP passes these requests to the AAA MBean when RDP is configured in proxy mode, or through SPE to the directory when RDP is not in proxy mode. On the SSG side, set this password using the following command:

    ssg next-hop download nextHopTableName password
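The following is an added example, not part of the SESM documentation or the RDP code; it illustrates both the authAttributes multikey lookup described above and the servicePassword, groupPassword and nextHopPassword dispatch. The SSG hides the User-Password with the shared secret and the Request Authenticator (RFC 2865 section 5.2), so RDP can only compare the presented password with the configured ones after recovering it with the same secret; a wrong secret produces garbage rather than an error, which is why a secret mismatch shows up as rejected profile requests. The configuration values, attribute dictionary, function names and the rule that a missing key attribute yields no lookup key (treated here as a reject) are assumptions made for the example.

```python
import hashlib
import hmac


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_user_password(secret, request_authenticator, password):
    """Hide a User-Password the way the SSG (RADIUS client) does, RFC 2865 section 5.2."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    if len(padded) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decrypt_user_password(secret, request_authenticator, hidden):
    """Recover the cleartext; with the wrong secret the result is garbage, not an error."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden User-Password must be 16..128 octets, a multiple of 16")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


# Constructed configuration values; the real ones live in rdp.xml and must match the SSG.
SAMPLE_CONFIG = {
    "servicePassword": b"servicepw",   # ssg service-password servicepw
    "groupPassword": b"grouppw",       # serviceGroupPassword in the portal's AAA MBean
    "nextHopPassword": b"nexthoppw",   # ssg next-hop download <table> nexthoppw
}


def classify_request(password, cfg):
    """Decide what the SSG is asking for from the password it presented."""
    for kind, key in (("service", "servicePassword"), ("group", "groupPassword"),
                      ("nexthop", "nextHopPassword")):
        if hmac.compare_digest(password, cfg[key]):   # constant-time compare
            return kind
    return "subscriber"   # any other password is a subscriber authentication


def build_auth_key(attrs, auth_attributes):
    """Assemble the multikey lookup: USER_NAME plus every name in authAttributes.
    Returns None when a required key attribute is absent (assumed to mean reject)."""
    if "USER_NAME" in auth_attributes:
        raise ValueError("USER_NAME is implicit; do not list it in authAttributes")
    key = {"USER_NAME": attrs.get("USER_NAME")}
    if key["USER_NAME"] is None:
        return None
    for name in auth_attributes:
        if name not in attrs:
            return None
        key[name] = attrs[name]
    return key


def handle_access_request(secret, request_authenticator, hidden_password, attrs, cfg,
                          auth_attributes=("USER_PASSWORD",)):
    """Recover the password, pick the request kind, and for subscriber logins build
    the lookup key. Returns (kind, key_or_None)."""
    password = decrypt_user_password(secret, request_authenticator, hidden_password)
    kind = classify_request(password, cfg)
    if kind != "subscriber":
        return kind, None
    return kind, build_auth_key(dict(attrs, USER_PASSWORD=password), auth_attributes)
```

A practical consequence: if the SSG's service-password and RDP's servicePassword drift apart, the request still decrypts cleanly and is simply treated as a subscriber login for a user named after the service, so the failure surfaces as a puzzling reject rather than a configuration error. Comparing the configured values side by side is the first check to make.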

Note   The following attributes are in RDP MBean, RADIUSListener=RDP,component=Threadpool

minThreads

Sets the minimum number of threads that this listener maintains during periods of low load. This listener always has system resources allocated for this number of threads.

Default: 5

maxThreads

Sets the maximum number of threads that this listener can allocate resources for, even during peak loads. This listener can have up to this number of threads.

Default: 255

Note   The following attributes are in RDP MBean, RADIUSListener=RDP,component=RADIUSServerSocket

secret

The shared secret that clients must use in RADIUS protocol messages sent to this RDP listener. This attribute sets a single global shared secret for all clients. To give each client its own secret, use the allowedClients attribute.

localPort

The port the RADIUS server listens on. It uses the same port for RADIUS Accounting-Requests and Access-Requests.

The installed configuration file defines this attribute as a Java system property, which is assigned a value at run time:

application.portno

allowedClients

Configures the list of clients from which the listener accepts requests, and optionally a shared secret for each client. Turn this feature on and off as follows:

  • Allow any client to reach the RDP—Comment out the allowedClients attribute in the XML file, or remove all clients from the allowedClients list. In this state the only thing between an arbitrary host that can reach the listener and the proxy is knowledge of the global secret, so use it only where the network path to the listener is itself trusted.

  • Restrict client access—Uncomment the allowedClients attribute in the XML file and list each SSG that is allowed to send requests.

Note   If you do not see the allowedClients attribute in the Agent View, check the configuration file (the XML file). The allowedClients attribute might be commented out. If so, remove the comment characters, save the XML file, and then restart the RDP.

RDP clients are SSGs. You can add more clients by adding more elements to the allowedClients attribute. An element in allowedClients attribute has the following format:

{hostName | IPAddress}[:localSecret]

Where:

hostName or IPAddress identifies a client (an SSG, for example) that is allowed to send requests to the RDP.

localSecret is the shared secret that this client uses for RADIUS communication; if it is omitted, the global secret attribute applies. If the client is an SSG, this value must match the shared secret configured on the SSG device:

    radius-server key SharedSecret
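The following is an added example, not part of the SESM documentation or the RDP code. It implements the allowedClients semantics described above (entries of the form host-or-ip[:localSecret], the global secret as fallback, an empty list meaning any client) and shows what the matching secret is actually used for on the listener, which serves Access-Requests and Accounting-Requests on the same port: the Accounting-Request authenticator check (RFC 2866 section 3) and the Response Authenticator on replies such as the Access-Reject that RDP sends on a password mismatch (RFC 2865 section 3). Client names, secrets, packet contents and the literal matching of the source address are constructed assumptions; a deployment would resolve host names to addresses when the list is loaded.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5


def parse_allowed_clients(entries):
    """Turn allowedClients items ('host-or-ip[:localSecret]') into {client: secret or None}.
    The split is on the first colon, which is safe for IPv4 addresses and host names."""
    table = {}
    for item in entries:
        client, sep, secret = item.strip().partition(":")
        if not client:
            raise ValueError(f"allowedClients entry without a client: {item!r}")
        table[client] = secret.encode() if sep else None
    return table


def secret_for_client(src, table, global_secret):
    """Pick the secret for a packet from src, or None to drop the packet.
    An empty table (attribute commented out or no entries) accepts anyone with the global
    secret. Assumption for this example: src is compared literally with the table keys."""
    if not table:
        return global_secret
    if src not in table:
        return None
    return table[src] if table[src] is not None else global_secret


def build_accounting_request(ident, attrs, secret):
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs


def verify_accounting_request(packet, secret):
    """True only if the sender used the same secret; a mismatch must be silently discarded."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(request, code, secret, attrs=b""):
    """RFC 2865: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    Used for Accounting-Response and for the Access-Reject sent on a password mismatch."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(request, response, secret):
    """What the SSG does with RDP's reply: check the Response Authenticator with its own secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def handle_accounting_request(src, packet, table, global_secret):
    """Listener policy for one Accounting-Request: client filter, then secret check.
    Returns the Accounting-Response bytes, or None when the packet is dropped."""
    secret = secret_for_client(src, table, global_secret)
    if secret is None or not verify_accounting_request(packet, secret):
        return None
    return build_response(packet, ACCOUNTING_RESPONSE, secret)


# Constructed sample list: one SSG with its own secret, one relying on the global secret.
SAMPLE_CLIENTS = parse_allowed_clients(["10.0.0.1:ssg1secret", "ssg2.example.net"])
```

Note that an Access-Request carries no authenticator over the shared secret, so for that packet type the allowedClients address check is the only thing done before the User-Password is decrypted; a wrong secret there is noticed only because the recovered password matches nothing, which is why the client list matters even when every SSG uses the global secret.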

Note   The following attributes are in RDP MBean, PROXY=ProxyHandler,component=RADIUSClientSocket. This component is used only when RDP is configured in Proxy mode.

throttle

The maximum number of outstanding requests that RDP sends to a RADIUS server at one time. When this limit is reached, RDP's RADIUS client queues additional requests and issues them as the server returns responses or as earlier requests time out.

Default: 256

timeOut

The number of seconds that RDP waits before timing out RADIUS packets that it sends to the AAA server.

Default: 4000 (a value this large only makes sense in milliseconds; check the unit in the installed rdp.xml before changing it)

maxRetries

The number of times RDP resends packets to the AAA server if no response is received.

Default: 3

primaryIP

The IP address or the host name of the primary AAA server.

primaryPort

The port number that the primary RADIUS server listens on.

Default: 1812

secret

The shared secret used between RDP and the RADIUS server. The same secret is used for the primary and secondary servers. It must match the secret specified when you configured RDP as a NAS client on the RADIUS server.

Default: cisco. Replace this well-known default with a strong, site-specific value before the proxy is deployed.

secondaryIP

The IP address or host name of the secondary AAA server. If you are not using a secondary RADIUS server, enter the primary server's address again.

secondaryPort

The port number that the secondary RADIUS server listens on. If you are not using a secondary server, enter the primary server's port again.

Default: 1812

RDP Protocol Handlers

Figure 7-1 shows the processing sequence that RDP uses for handling packets.


Figure 7-1: RDP Handlers


Each protocol handler has a special purpose:


Posted: Fri Oct 18 09:58:21 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.