Configuring Subscriber Access for a Wireless Location
To use the SAE to manage a wireless access point that participates in a roaming agreement:
- Configure RADIUS authentication for users who connect from a wireless location.
- Create subscriber access to an ISP.
- Create Web access.
- Verify idle timeout properties for the SAE.
The following sections describe how to perform these tasks.
Configuring RADIUS Authentication
To set up RADIUS authentication to support a roaming environment between wireless Internet service providers, you can use the Flexible RADIUS Authentication plug-in that is provided with the SRC software, or you can create a custom RADIUS authentication plug-in.
Configuring a Custom RADIUS Authentication Plug-In
If you create a custom plug-in, be sure that it supports the same RADIUS attributes as those configured for the flexible RADIUS authentication plug-in. See Configuring the Flexible RADIUS Authentication Plug-In.
For information about creating a custom plug-in, see SAE CORBA Plug-In Service Provider Interface (SPI) in the SRC software distribution in the folder SDK/doc/idl or on the Juniper Networks Web site at
http://www.juniper.net/techpubs/software/management/sdx/api-index.html
Configuring the Flexible RADIUS Authentication Plug-In
The default flexible RADIUS authentication plug-in, flexRadiusAuth, provides support for RADIUS vendor-specific attributes for WISPr, which are listed in the following procedure. These attributes use the IANA private enterprise number 14122 assigned to the Wi-Fi Alliance. For more information about these attributes, see
http://www.wi-fialliance.org/opensection/wispr.asp
You should be familiar with the general procedure for configuring the flexible RADIUS authentication plug-in before configuring it to include the WISPr attributes. For information about configuring the flexible RADIUS authentication plug-in, see SRC-PE Subscribers and Subscriptions Guide, Chapter 5, Configuring Authorization and Accounting Plug-Ins for Solaris Platforms.
When you configure the plug-in, you can use the following standard attribute values to set values in authentication response packets:
Examples in the following procedure show how you can use these attribute values.
To configure the plug-in to support a roaming environment:
vendor-specific.WISPr.Location-ID=Identifier
This attribute can be an interface description (ifAlias) or other value that identifies the JUNOSe interface to which the wireless access point connects.

vendor-specific.WISPr.Redirection-URL=Command to make the URL available to the SRC software
vendor-specific.WISPr.Redirection-URL=setProperty("startURL=%s" % ATTR)
The default configuration sets a session property named startURL.

vendor-specific.WISPr.Logoff-URL=URL of a log out page

vendor-specific.WISPr.Bandwidth-Max-Up=Command to make the rate available to the SRC software
vendor-specific.WISPr.Bandwidth-Max-Up=setSubstitution("max_up_rate=%s" % ATTR)

vendor-specific.WISPr.Bandwidth-Max-Down=Command to make the rate available to the SRC software
vendor-specific.WISPr.Bandwidth-Max-Down=setSubstitution("max_down_rate=%s" % ATTR)

vendor-specific.WISPr.Location-Name=Name of the wireless location

The date and time that the subscriber session is to end:
vendor-specific.WISPr.Session-Terminate-Time=Command to set the session terminate time
vendor-specific.WISPr.Session-Terminate-Time=setTerminateTime(ATTR)

vendor-specific.WISPr.Session-Terminate-End-Of-Day=ATTR or setTerminateTime("00:00:00")
If the operator of the wireless location does not support daily billing, do not configure this attribute, and remove it if present.

vendor-specific.WISPr.Billing-Class-Of-Service=Service type
- For each attribute that you configure, configure the packet type to which the attribute applies. Table 7 shows the packet types associated with each attribute.
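To show what these attributes look like on the wire, the following added example (not part of the SRC software or its plug-in) decodes the WISPr vendor-specific attributes, enterprise number 14122, from the attribute section of a RADIUS response and rejects malformed lengths. The sub-attribute numbers are taken from the WISPr RADIUS dictionary rather than from this page, and the sample packet and host name are constructed.

```python
import struct

WISPR_PEN = 14122       # IANA private enterprise number given on this page
VSA = 26                # RADIUS Vendor-Specific attribute type (RFC 2865)
# Sub-attribute numbers per the WISPr RADIUS dictionary; True = 32-bit integer.
WISPR = {1: ("Location-ID", False), 2: ("Location-Name", False),
         3: ("Logoff-URL", False), 4: ("Redirection-URL", False),
         7: ("Bandwidth-Max-Up", True), 8: ("Bandwidth-Max-Down", True),
         9: ("Session-Terminate-Time", False),
         10: ("Session-Terminate-End-Of-Day", False),
         11: ("Billing-Class-Of-Service", False)}

def tlvs(buf):
    """Yield (type, value) pairs from a RADIUS TLV run, rejecting bad lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def parse_wispr(attrs):
    """Return {name: value} for the WISPr VSAs in a RADIUS attribute list."""
    out = {}
    for atype, body in tlvs(attrs):
        if atype != VSA or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != WISPR_PEN:
            continue                      # some other vendor's VSA
        for vtype, val in tlvs(body[4:]):
            if vtype not in WISPR:
                continue
            name, is_int = WISPR[vtype]
            if is_int and len(val) != 4:
                raise ValueError(name + " must be a 4-byte integer")
            out[name] = struct.unpack("!I", val)[0] if is_int else val.decode("utf-8")
    return out

def vsa(vtype, val):
    """Build one WISPr VSA (used only to construct the sample below)."""
    sub = bytes([vtype, len(val) + 2]) + val
    return bytes([VSA, len(sub) + 6]) + struct.pack("!I", WISPR_PEN) + sub

# Constructed sample: attribute section of an Access-Accept from a home ISP.
SAMPLE = (vsa(4, b"https://portal.isp.example/start")
          + vsa(7, struct.pack("!I", 512000))
          + vsa(8, struct.pack("!I", 2048000))
          + bytes([27, 6]) + struct.pack("!I", 3600))   # Session-Timeout, not a VSA

if __name__ == "__main__":
    print(parse_wispr(SAMPLE))
```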
Creating Subscriber Access to an ISP
An access service lets subscribers connect to an ISP. The policies associated with the access service should specify a JUNOS policing or JUNOSe rate-limiting policy to set the maximum bandwidth at which a subscriber can send traffic, and the maximum bandwidth at which a subscriber can receive traffic. When you configure the policies, define the bandwidth values as parameters so that the policies can be applied across a number of subscribers.
To configure an access service to the ISP:
See SRC-PE Services and Policies Guide, Chapter 2, Managing Services on a Solaris Platform.
- In Policy Editor, create a policy group that sets the maximum bandwidth at which a subscriber can send traffic, and the maximum bandwidth at which a subscriber can receive traffic. Use parameters to set these values.
See SRC-PE Services and Policies Guide, Chapter 12, Configuring and Managing Policies with Policy Editor and SRC-PE Services and Policies Guide, Chapter 15, Defining and Acquiring Values for Parameters.
The example in Figure 5 shows a policy configuration that includes:
- A local parameter named max_up_rate that sets the maximum rate at which the subscriber can send data
- A local parameter named max_down_rate that sets the maximum rate at which the subscriber can receive data
- A policy group Receive(Downstream) that references max_down_rate
- A policy group Send(Upstream) that references max_up_rate
Substitutions for these parameters can then be referenced in the RADIUS attributes:
vendor-specific.WISPr.Bandwidth-Max-Up=setSubstitution("max_up_rate=%s" % ATTR)
vendor-specific.WISPr.Bandwidth-Max-Down=setSubstitution("max_down_rate=%s" % ATTR)

Creating Web Access
When subscribers connect to and log in to a wireless access point, they are directed to a single Web page that is referred to as a captive portal page. This page is part of a residential service selection portal. A captive portal page receives and manages redirected Web requests. For information about residential portals and captive portal pages, see SRC-PE Subscribers and Subscriptions Guide, Chapter 15, Overview of the Residential Portal.
When creating a captive portal page for a wireless roaming environment, configure the page to:
- Start an access service that is configured to be authenticated by the RADIUS server of the ISP.
- After the access service starts, redirect the subscriber to the page specified by the Redirect-URL RADIUS attribute. This page is the start page for the subscriber's home ISP.
You can retrieve the URL of the start page from the service session property startURL. Note that startURL is the default name used for the flexible RADIUS authentication plug-in; you can assign a different name to this property.
You can use the Subscriber.readSubscription() method in the Common Object Request Broker Architecture (CORBA) remote application programming interface (API) to retrieve the redirect URL.
Note that when you develop the portal, you can use the following methods in the SAE CORBA remote API to retrieve session data after the access service starts:
For more information about these methods, see the SAE CORBA remote API documentation in the SRC software distribution in the folder SDK/doc/idl or on the Juniper Networks Web site at
http://www.juniper.net/techpubs/software/management/sdx/api-index.html
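Because the start page URL originates in a RADIUS response from another operator, a captive portal should check it before issuing the redirect. The following added example (not part of the SRC software or its sample portal) validates a value that has already been read from the startURL session property. The partner host allowlist, the fallback page and the function name are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumptions for this example: hosts agreed with roaming partners, and a
# local page to fall back to. Neither value comes from the SRC documentation.
PARTNER_HOSTS = frozenset({"portal.isp.example", "start.partner.example"})
FALLBACK_URL = "https://hotspot.example/welcome"

def safe_start_url(start_url, allowed_hosts=PARTNER_HOSTS, fallback=FALLBACK_URL):
    """Return start_url if it is safe to put in a redirect, else fallback."""
    if not isinstance(start_url, str) or not start_url:
        return fallback
    # Control characters or spaces could split the Location header; a backslash
    # is read as "/" by browsers but not by urlsplit, so the host could differ.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F or c == "\\" for c in start_url):
        return fallback
    try:
        parts = urlsplit(start_url)
        parts.port                      # raises ValueError on a malformed port
    except ValueError:
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback                 # blocks javascript:, data:, scheme-relative
    if parts.username is not None or parts.password is not None:
        return fallback                 # user@host forms hide the real host
    if parts.hostname not in allowed_hosts:
        return fallback
    return start_url
```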
Verifying Idle Timeout Properties for the SAE
Review the following configuration properties to ensure that the settings are consistent with the requirements for your environment:
To review idle timeout settings from SDX Configuration Editor:
- In the navigation pane, expand SAE, and click a configuration object.
- In the content pane, click the Miscellaneous tab.
- Verify the setting for Idle Timeout(s).
This value may be set in the service definition for the access service, or by the ISP in a RADIUS authorization response.
An interval up to 5 minutes is typically recommended for the idle timeout. For the SRC software, the recommended minimum is 15 minutes.
- In the Miscellaneous pane, expand Idle Timeout, and review the setting for Adjust Session Time. See the field description below.
Adjust Session Time
- Specifies whether, when an idle timeout terminates a session, the session time reported in the accounting message is reduced by the idle time. Reducing it reports the session time accurately and avoids overcharges for the session.
- Value