[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]


Defining RADIUS Packets for Flexible RADIUS Plug-Ins with SDX Configuration Editor

Flexible RADIUS accounting and authentication plug-ins allow you to define the content of RADIUS packets that the SAE sends to RADIUS servers. You can specify which attributes are included in different types of RADIUS packets (for example, session start or stop requests, or accounting on or off requests). You can also specify what information is contained in the attribute fields.

In SDX Configuration Editor, there are two ways to define RADIUS packets for flexible RADIUS accounting and authentication plug-ins:

Creating and Using RADIUS Templates

The SDX software comes with two default templates:

You can use these templates as they are, modify them, or create new templates.

To create a template:

  1. In the RADIUS tab, select Template from the drop-down list, and click Create a New Instance of.

The Create a New Instance dialog box appears.

  1. Assign a name to the template instance, and click OK.

The instance appears in the Radius Packet Template area.

  1. Configure RADIUS attributes in the template as described in the next section.
  2. Configure a plug-in instance to use the template by entering the name of the template in the format RadiusPacket.<template name> in the Template field of the plug-in instance configuration.

You can apply a template to multiple plug-in instances, but each plug-in instance can use only one template.

Configuring RADIUS Attributes

Attribute instances define attributes for a specific type of RADIUS packet. The name that you assign to an attribute instance specifies the type of packet to which the attribute definition is applied. Table 18 lists the available packet types.




Table 18: RADIUS Attribute Instance Names  
Attribute Instance (Packet-Type)
Type of RADIUS Packet to Which Attribute Definition Is Applied

acct

Any accounting request

auth

Any authentication request

authresp

Any authorization response

off

Accounting-Off requests

on

Accounting-On requests

onoff

Accounting-On or Accounting-Off requests

start

Start requests

startstop

Start, Stop, or Interim Update requests

stop

Stop or Interim Update requests

svcacct

Service Session Start, Stop, or Interim requests

svcresp

Any service authorization response

svcstart

Service Session Start requests

svcstop

Service Session Stop or Interim requests

useracct

User Session Start, Stop, or Interim requests

userresp

Any user authorization response

userstart

User Session Start requests

userstop

User Session Stop, or Interim requests

Use the steps below to configure attribute instances. You can follow them from within a RADIUS template or within a plug-in instance configuration.

You can configure attribute instances in a RADIUS template or within a plug-in instance configuration. To create and configure attribute instances for a:

The Create a New Instance dialog box appears.

  1. Assign a name that specifies the RADIUS packet type to which the attribute definition applies (see Table 18), and click OK.

A new attribute table of properties (RADIUS attributes) and values (the value assigned to an attribute) appears.

  1. Configure the attribute table as follows:

Property

For example, 26.4874.50.text sets a value for Session-Volume-Quota VSA 26-50.

Value

More About Using Flexible RADIUS Packet Definitions

This section shows some of the ways you can use flexible RADIUS packet definitions. Remember that the name of the attribute instance determines the type of RADIUS packet in which the packet definition is used.

For example, the constructed value might be:

default@phoenix FastEthernet 4/2

Setting Values in Authentication Response Packets

You can use some special attribute values to set values in authentication response packets. For example:

Table 19 lists the type of packets (authresp, userresp, or svcresp) in which you can use these values.

When the RADIUS client finds one of these attribute values in an authentication response, it binds ATTR to the current attribute and executes the defined expression. The expression calls one of the available set methods to set the value in the plug-in event.

Below are some examples.

Selecting IP Address Pools Using DHCP Response Packets

For DHCP subscribers, you can set up RADIUS authorization plug-ins to return to the router attributes that can be used to select a DHCP address such as framed IP address and pool. You can also set up the name of the virtual router on which the address pool is located and select a fixed address for each subscriber.

You can also select a fixed address for each subscriber. If you identify subscribers by port information (for example, NAS-IP and NAS-Port), the authorization response can select a fixed IP address for each subscriber.

NOTE: Parameters set in the DHCP profile override parameters set by DHCP authorization plug-ins.



[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]