Defining RADIUS Packets for Flexible RADIUS Plug-Ins with SDX Configuration Editor
Flexible RADIUS accounting and authentication plug-ins allow you to define the content of RADIUS packets that the SAE sends to RADIUS servers. You can specify which attributes are included in different types of RADIUS packets (for example, session start or stop requests, or accounting on or off requests). You can also specify what information is contained in the attribute fields.
In SDX Configuration Editor, there are two ways to define RADIUS packets for flexible RADIUS accounting and authentication plug-ins:
- Define attributes in a template and then apply the template to flexible RADIUS accounting and authentication plug-in instances. You can apply the same template to multiple plug-in instances, but each plug-in instance can use only one template.
- Define attributes in the packet definition configuration of a flexible plug-in instance. These definitions override definitions in packet templates. You can use these packet definitions to exclude attributes that come from the template. To do so, you define the value of the attribute that you want to exclude as None.
Creating and Using RADIUS Templates
The SDX software comes with two default templates:
- stdAcct—Defines RADIUS accounting packets and is used in the default RADIUS flexible accounting plug-in instance flexRadiusAcct
- stdAuth—Defines RADIUS authentication packets and is used in the default RADIUS flexible authentication plug-in instance flexRadiusAuth
You can use these templates as they are, modify them, or create new templates.
The Create a New Instance dialog box appears.
The instance appears in the Radius Packet Template area.
- Configure RADIUS attributes in the template as described in the next section.
- Configure a plug-in instance to use the template by entering the name of the template in the format RadiusPacket.<template name> in the Template field of the plug-in instance configuration.
You can apply a template to multiple plug-in instances, but each plug-in instance can use only one template.
Configuring RADIUS Attributes
Attribute instances define attributes for a specific type of RADIUS packet. The name that you assign to an attribute instance specifies the type of packet to which the attribute definition is applied. Table 18 lists the available packet types.
You can configure attribute instances in a RADIUS template or within a plug-in instance configuration. To create and configure attribute instances for a:
- Template—Follow these steps in the Attributes configuration section of a template.
- Plug-in instance—Follow these steps in the Radius Packet Definition of a plug-in instance.
- Select Radius Attributes from the drop-down list, and click Create a New Instance of.
The Create a New Instance dialog box appears.
- Assign a name that specifies the RADIUS packet type to which the attribute definition applies (see Table 18), and click OK.
A new attribute table of properties (RADIUS attributes) and values (the value assigned to an attribute) appears.
- To add an attribute, type the attribute definition in the format property=value in the field below the attribute table, and click Add.
- To modify an attribute, select the attribute, make your changes in the field below the attribute table, and click Modify.
- To delete an attribute, select the attribute, and click Delete.
Property
- Standard RADIUS attribute name or number as defined in RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000), RFC 2866—RADIUS Accounting (June 2000), or RFC 2869—RADIUS Extensions (June 2000). For a full list, see www.iana.org/assignments/radius-types
- JUNOSe VSA in one of the following formats:
Vendor-Specific.4874.<vsa#>.<type>
26.4874.<vsa#>.<type>
where <type> is one of the following:
- text—Indicates that the value is 1-253 octets containing UTF-8 encoded characters
- string—Indicates that the value is 1-253 octets containing binary data
- address—Indicates that the value is a 32-bit value
- integer—Indicates that the value is a 32-bit unsigned value
- time—Indicates that the value is a 32-bit unsigned value, seconds since 00:00:00 UTC, January 1, 1970
For example, 26.4874.50.text sets a value for Session-Volume-Quota VSA 26-50.
Value
- Defines the values of RADIUS attributes. Most values can be sent from the SAE to the plug-in. Some of the values can also be returned by the plug-in.
- Value—Standard values (see Table 19) or an expression
- Expressions are evaluated with Python. For example: lowWord(inOctets) extracts the lower 32 bits of the 64-bit inOctets counter.
- You can define multiple values for an expression in a comma-separated list.
Provides access to the DHCP packet. See Table 14 for details.
ID provided by the subscriber; the loginId value is not separated into UID and domain name.
ID of the port on the JUNOSe router; for example, FastEthernet 3/1:2001
For service tracking, this value is taken from the RADIUS Access-Accept response. If the response does not contain a value, the RADIUS class defined in the service definition is used.
Sets an arbitrary attribute (for example, class) to the name of the service.
This attribute can only be set. It is sent for session tracking events and can be returned by service authorization events. It can be set and retrieved through the portal API and can also be defined through an LDAP attribute in the service definition.
If the attribute is defined multiple times, the following precedence is observed:
NOTE: The SAE does not enforce a volume quota directly; it only makes the attribute available to an external application that can control the volume quota.
More About Using Flexible RADIUS Packet Definitions
This section shows some of the ways you can use flexible RADIUS packet definitions. Remember that the name of the attribute instance determines the type of RADIUS packet in which the packet definition is used.
- To use the Challenge Handshake Authentication Protocol (CHAP) to authenticate subscribers, include the Chap-Password and optionally the Chap-Challenge attributes in authentication requests. (We recommend that you use Chap-Password only. Use Chap-Challenge only if required.) To use a CHAP password, include the following in attribute instance auth:
Chap-Password = password
- To cause the Calling-Station-Id attribute to use the subscriber's MAC address:
Calling-Station-Id = userMacAddress
- To set the value to the prefix N followed by the service name and the prefix S followed by the service session name:
'N'+serviceName, 'S'+serviceSessionName
- To construct a value for the Nas-Port-Id attribute by concatenating the value of routerName, a space, and the Nas-Port-ID on the router:
Nas-Port-Id=routerName + " " + portId
For example, the constructed value might be:
default@phoenix FastEthernet 4/2
- Sets the value to accountingId, or
- If accountingId is empty, sets the value to loginName, or
- If loginName is also empty, sets the value to NN
User-Name = accountingId or loginName or "NN"
Acct-Input-Octets = lowWord(inOctets)
To set the counter fields in the RADIUS packet to the appropriate 32-bit values:
RadiusPacket.std.svcstop.Acct-Input-Octets = lowWord(inOctets)
RadiusPacket.std.svcstop.Acct-Output-Octets = lowWord(outOctets)
RadiusPacket.std.svcstop.Acct-Input-Packets = inPackets
RadiusPacket.std.svcstop.Acct-Output-Packets = outPackets
RadiusPacket.std.svcstop.Acct-Input-Gigawords = highWord(inOctets)
RadiusPacket.std.svcstop.Acct-Output-Gigawords = highWord(outOctets)
- The inOctets and outOctets are 64-bit values and must be split into lower 32-bit (Acct-*-Octets) and upper 32-bit (Acct-*-Gigawords) values.
- The inPackets and outPackets counters are 32-bit values and can be assigned directly.
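The template-versus-instance precedence (with None excluding a template attribute) and the counter-splitting and fallback expressions shown above, modelled in Python as an added illustration that is not SDX code. lowWord and highWord follow the page's description; the resolve and build functions, the sample template and the event values are assumptions constructed here.

```python
# Added illustration, not SDX code: resolves a flexible RADIUS packet
# definition (template plus per-instance override; None excludes an attribute)
# and evaluates its Python expressions against the fields of an SAE event.

def lowWord(value):
    """Lower 32 bits of a 64-bit counter (goes into Acct-*-Octets)."""
    return value & 0xFFFFFFFF

def highWord(value):
    """Upper 32 bits of a 64-bit counter (goes into Acct-*-Gigawords)."""
    return (value >> 32) & 0xFFFFFFFF

def resolve_definitions(template, instance):
    """Instance definitions override the template; None drops the attribute."""
    merged = dict(template)
    for attr, expr in instance.items():
        if expr is None:
            merged.pop(attr, None)
        else:
            merged[attr] = expr
    return merged

def build_packet(definitions, event):
    """Evaluate each operator-authored expression in a namespace that holds
    only the event fields and the two helper functions (no builtins)."""
    namespace = {"__builtins__": {}, "lowWord": lowWord, "highWord": highWord}
    namespace.update(event)
    return {attr: eval(expr, namespace) for attr, expr in definitions.items()}

# Constructed sample: a template for the svcstop packet type and an instance
# definition that adds Class and excludes Nas-Port-Id that the template set.
TEMPLATE_SVCSTOP = {
    "User-Name": 'accountingId or loginName or "NN"',
    "Nas-Port-Id": 'routerName + " " + portId',
    "Acct-Input-Octets": "lowWord(inOctets)",
    "Acct-Input-Gigawords": "highWord(inOctets)",
    "Acct-Input-Packets": "inPackets",
}
INSTANCE_SVCSTOP = {"Class": "'N' + serviceName", "Nas-Port-Id": None}

SAMPLE_EVENT = {  # constructed values, not taken from a real SAE
    "accountingId": "", "loginName": "alice@example.net", "serviceName": "video",
    "routerName": "default@phoenix", "portId": "FastEthernet 4/2",
    "inPackets": 4242, "inOctets": 5 * 2**32 + 12345,  # > 4 GiB, needs Gigawords
}

def svcstop_packet():
    return build_packet(resolve_definitions(TEMPLATE_SVCSTOP, INSTANCE_SVCSTOP), SAMPLE_EVENT)
```

Recombining Acct-Input-Gigawords shifted left by 32 with Acct-Input-Octets gives back the original 64-bit inOctets, which is the check an accounting consumer should make.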
Setting Values in Authentication Response Packets
You can use some special attribute values to set values in authentication response packets. For example:
Table 19 lists the type of packets (authresp, userresp, or svcresp) in which you can use these values.
When the RADIUS client finds one of these attribute values in an authentication response, it binds ATTR to the current attribute and executes the defined expression. The expression calls one of the available set methods to set the value in the plug-in event.
Session-Timeout = setSessionTimeout(ATTR)
To set the RADIUS class:
Class = setRadiusClass(ATTR)
To set the service bundle in VSA 31:
26.4874.31.text = setServiceBundle(ATTR)
To set the session volume quota:
26.4874.50.text = setSessionVolumeQuota(ATTR)
Selecting IP Address Pools Using DHCP Response Packets
For DHCP subscribers, you can set up RADIUS authorization plug-ins to return to the router attributes that can be used to select a DHCP address such as framed IP address and pool. You can also set up the name of the virtual router on which the address pool is located and select a fixed address for each subscriber.
- Framed IP address—Selects the pool from which the address is allocated; if the framed IP address is not available, the DHCP server allocates the next available address in the pool; use the setUserIpAddress value.
- Framed IP pool—Name of the address pool on the router from which an IP address is assigned; use the setPoolName value.
- Virtual router name—Name of the virtual router on which the address pool is located; use the setAuthVirtualRouterName value.
You can also select a fixed address for each subscriber. If you identify subscribers by port information (for example, NAS-IP and NAS-Port), the authorization response can select a fixed IP address for each subscriber.
NOTE: Parameters set in the DHCP profile override parameters set by DHCP authorization plug-ins.