Defining RADIUS Packets for Flexible RADIUS Plug-Ins with the SRC CLI

Flexible RADIUS accounting and authentication plug-ins allow you to define the content of RADIUS packets that the SAE sends to RADIUS servers. You can specify which attributes are included in different types of RADIUS packets (for example, session start or stop requests, or accounting on or off requests). You can also specify what information is contained in the attribute fields.

A RADIUS attribute configuration consists of RADIUS attribute instances. Each instance defines attributes for a specific type of packet, for example, start requests or accounting off requests.

Within each attribute instance, you define individual RADIUS attributes. The following is a RADIUS attribute instance for authentication requests:

radius-attributes auth {
  attributes {
    User-Name loginId;
    User-Password password;
    NAS-Identifier localNasId;
    NAS-IP-Address localNasIp;
    NAS-Port nasPort;
  }
}

Each RADIUS packet template can consist of multiple RADIUS attribute instances.

Using Default RADIUS Templates

The SRC software comes with two default templates:

Naming RADIUS Attribute Instances

Attribute instances define attributes for a specific type of RADIUS packet. The name that you assign to an attribute instance specifies the type of packet to which the attribute definition is applied. Table 18 lists the available packet types.

Table 18: RADIUS Attribute Instance Names

Attribute Instance    Type of RADIUS Packet to Which Attribute Definition Is Applied
(Packet-Type)
--------------------  ------------------------------------------------------------
acct                  Any accounting request
auth                  Any authentication request
authresp              Any authorization response
dhcpresp              DHCP response
off                   Accounting-Off requests
on                    Accounting-On requests
onoff                 Accounting-On or Accounting-Off requests
start                 Start requests
startstop             Start, Stop, or Interim Update requests
stop                  Stop or Interim Update requests
svcacct               Service Session Start, Stop, or Interim requests
svcresp               Any service authorization response
svcstart              Service Session Start requests
svcstop               Service Session Stop or Interim requests
useracct              Subscriber Session Start, Stop, or Interim requests
userresp              Any subscriber authorization response
userstart             Subscriber Session Start requests
userstop              Subscriber Session Stop or Interim requests

Defining RADIUS Attributes

RADIUS attribute definitions consist of a RADIUS attribute and a value for the RADIUS attribute.

You can define values for standard RADIUS attributes or JUNOSe vendor-specific attributes (VSAs).

Standard RADIUS Attributes

For standard RADIUS attributes, use a name or number as defined in RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000), RFC 2866—RADIUS Accounting (June 2000), or RFC 2869—RADIUS Extensions (June 2000). For a full list, see www.iana.org/assignments/radius-types.

Juniper Networks VSAs

For Juniper Networks VSAs, use one of the following formats:

where <type> is one of the following:

The following is an example of RADIUS attribute instances that define RADIUS VSAs.

radius-attributes svcresp {
  attributes {
    Session-Timeout setSessionTimeout(ATTR);
    Idle-Timeout setIdleTimeout(ATTR);
    vendor-specific.Juniper.Sdx-Session-Volume-Quota setSessionVolumeQuota(ATTR);
    vendor-specific.WISPr.Redirection-URL "setProperty(\"startURL=%s\" % ATTR)";
    vendor-specific.WISPr.Bandwidth-Min-Up "setSubstitution(\"min_up_rate=%s\" % ATTR)";
    vendor-specific.WISPr.Bandwidth-Min-Down "setSubstitution(\"min_down_rate=%s\" % ATTR)";
    vendor-specific.WISPr.Bandwidth-Max-Up "setSubstitution(\"max_up_rate=%s\" % ATTR)";
    vendor-specific.WISPr.Bandwidth-Max-Down "setSubstitution(\"max_down_rate=%s\" % ATTR)";
  }
}

radius-attributes dhcpresp {
  attributes {
    Framed-Pool setPoolName(ATTR);
    Framed-IP-Address setUserIpAddress(ATTR);
    26.4874.1.text setAuthVirtualRouterName(ATTR);
    26.4874.2.text setPoolName(ATTR);
    26.4874.31.text setServiceBundle(ATTR);
  }
}

Defining the Values of RADIUS Attributes

The values of RADIUS attributes can be a standard value (see Table 19) or an expression. Expressions are evaluated with Python; for example, lowWord(inOctets) extracts the lower 32 bits of the 64-bit inOctets counter. You can define multiple values for an expression in a comma-separated list.

Table 19: Standard Values for RADIUS Attributes

Value                        Type of Plug-In
    Comments (indented under the row they describe)
---------------------------  ---------------------------------------------
accountingId                 User and service tracking
authUserId                   Service tracking
dhcp                         User and service tracking
    Provides access to the DHCP packet. See Table 12 for details.
domain                       Authorization
eventTime                    User and service tracking
    Seconds since 1970-01-01T00:00Z
ifRadiusClass                User and service tracking
ifSessionId                  User and service tracking
inOctets                     Service tracking
    64-bit counter
inPackets                    Service tracking
interfaceAlias               User and service tracking
interfaceDescr               User and service tracking
interfaceName                User and service tracking
localNasId                   All
    Configured NAS-ID
localNasIp                   All
    Configured NAS-IP
loginId                      User and service authorization
    ID provided by the subscriber; the loginId value is not separated into UID and domain name.
loginName                    User and service tracking
    Name that the subscriber uses to log in to the portal
nasIp                        User and service tracking
    NAS IP address of the router
nasPort                      User and service tracking
    32-bit integer
outOctets                    Service tracking
    64-bit counter
outPackets                   Service tracking
password                     User and service authorization
portId                       User and service tracking
    ID of the port on the JUNOSe router; for example, FastEthernet 3/1:2001
primaryUserName              User and service tracking
    Name that the subscriber uses for DHCP/PPP authentication
radiusClass                  User tracking, user and service authorization
    For service tracking, this value is taken from the RADIUS Access-Accept
    response. If the response does not contain a value, the RADIUS class
    defined in the service definition is used. This attribute can be set by
    an authorization response.
replyMessage                 User and service authorization
    This attribute can only be set.
routerName                   User and service tracking
serviceBundle                User tracking and authorization
    This attribute can be set by an authorization response.
serviceName                  Service tracking
    Sets an arbitrary attribute (for example, class) to the name of the service.
serviceSessionName           Service tracking
    Named service session; empty for the default session
serviceSessionTag            Service tracking
sessionId                    User and service tracking
sessionTime                  User and service tracking
sessionTimeout               User tracking, user and service authorization
    This attribute can be set by an authorization response.
sessionVolumeQuota           User authorization
    This attribute can only be set. It is sent for session tracking events and
    can be returned by service authorization events. It can be set and
    retrieved through the portal API and can also be defined through an LDAP
    attribute in the service definition.

    If the attribute is defined multiple times, the following precedence is
    observed:
      1. Service definition (lowest)
      2. Authorization
      3. API call (highest)

    NOTE: The SAE does not enforce a volume quota directly; it only makes the
    attribute available to an external application that can control the
    volume quota.
setAcctInterimTime           User authorization
    Integer
setAuthVirtualRouterName     DHCP authorization
    Text
setIdleTimeout(ATTR)         User authorization
setLoadServices(ATTR)        User authorization
    This attribute can only be set.
setPoolName                  DHCP authorization
    Text
setRadiusClass(ATTR)         User and service authorization
setReplyMessage(ATTR)        User and service authorization
setSessionTimeout(ATTR)      User and service authorization
setServiceBundle(ATTR)       User authorization
setSessionVolumeQuota(ATTR)  User authorization
setSubstitution              User authorization
    Text. Substitutions can be set only for service sessions.
setTerminateTime             User authorization
    Text
setUserIpAddress             DHCP authorization
    Integer
sspHost                      User and service tracking
terminateCause               User and service tracking
uid                          User and service authorization
userDn                       User and service tracking
userIpAddress                User and service tracking
userMacAddress               User and service tracking
userRadiusClass              Service tracking
    RADIUS class of the associated subscriber session
userSessionId                Service tracking
    RADIUS session ID of the associated subscriber session
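
As an added illustration (not code from the SRC software or its documentation), the following Python models what the lowWord() and highWord() expressions compute for the 64-bit inOctets and outOctets counters listed in Table 19, and what a collector that receives the resulting Acct-Input-Octets and Acct-Input-Gigawords pair must do to recover the real volume. lowWord and highWord are the expression names used on this page; the template dictionary, the event dictionary and the sample counter values are constructed for this example.

```python
# Added example, not SRC code: what the lowWord() and highWord()
# expressions in a template compute, and how the resulting 32-bit
# RADIUS attribute pair must be recombined by whoever consumes the
# accounting records. lowWord/highWord are the expression names used
# on this page; every other name here is an assumption for this example.

MASK32 = 0xFFFFFFFF


def lowWord(counter):
    """Lower 32 bits of a 64-bit counter: the Acct-*-Octets value."""
    return counter & MASK32


def highWord(counter):
    """Upper 32 bits of a 64-bit counter: the Acct-*-Gigawords value."""
    return (counter >> 32) & MASK32


# An attribute instance in the shape of the svcstop block shown on this
# page: RADIUS attribute name -> the expression evaluated per event.
SVCSTOP_TEMPLATE = {
    "Acct-Input-Octets": lambda ev: lowWord(ev["inOctets"]),
    "Acct-Output-Octets": lambda ev: lowWord(ev["outOctets"]),
    "Acct-Input-Packets": lambda ev: lowWord(ev["inPackets"]),
    "Acct-Output-Packets": lambda ev: lowWord(ev["outPackets"]),
    "Acct-Input-Gigawords": lambda ev: highWord(ev["inOctets"]),
    "Acct-Output-Gigawords": lambda ev: highWord(ev["outOctets"]),
}


def build_svcstop_attributes(event):
    """Evaluate every template value against one service-session event."""
    return {name: expr(event) for name, expr in SVCSTOP_TEMPLATE.items()}


def total_octets(attrs, direction):
    """Collector side: rebuild the 64-bit total from Octets and Gigawords.

    A collector that reads only Acct-*-Octets undercounts every session
    that moved more than 4 GiB in that direction, which silently breaks
    any volume quota or billing check built on these records.
    """
    octets = attrs["Acct-%s-Octets" % direction]
    gigawords = attrs.get("Acct-%s-Gigawords" % direction, 0)
    return (gigawords << 32) | octets


# Constructed sample event: a session that received just over 6 GiB.
SAMPLE_EVENT = {
    "inOctets": 6 * 2**30 + 12345,   # 6442463289, needs Gigawords
    "outOctets": 987654321,          # fits in 32 bits
    "inPackets": 4500000,
    "outPackets": 3000000,
}

if __name__ == "__main__":
    attrs = build_svcstop_attributes(SAMPLE_EVENT)
    for name in SVCSTOP_TEMPLATE:
        print("%-22s %d" % (name, attrs[name]))
    print("input total      :", total_octets(attrs, "Input"))
    print("without Gigawords:", total_octets(
        {"Acct-Input-Octets": attrs["Acct-Input-Octets"]}, "Input"))
```

The sample input shows the failure mode worth checking on the receiving side: the 6 GiB session produces Acct-Input-Octets of 2147495993 and Acct-Input-Gigawords of 1, and only the combination of both attributes yields the true count of 6442463289.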

Configuring a RADIUS Packet Template

There are two ways to define RADIUS packets for flexible RADIUS accounting and authentication plug-ins:

Use the following configuration statements to configure a RADIUS packet template:

shared sae configuration radius-packet-template name ...

shared sae configuration radius-packet-template name radius-attributes name ...

shared sae configuration radius-packet-template name radius-attributes name 
attributes name {
value; 
}

shared sae configuration plug-ins name name flex-radius-accounting 
radius-packet-definition name ...


shared sae configuration plug-ins name name flex-radius-accounting 
radius-packet-definition name attributes name {
value; 
}

shared sae configuration plug-ins name name flex-radius-authentication 
radius-packet-definition name ...

shared sae configuration plug-ins name name flex-radius-authentication 
radius-packet-definition name attributes name {
value; 
}

To configure a template:

  1. From configuration mode, access the RADIUS packet template configuration. In this sample procedure, the stdAcct template is configured in the west-region SAE group.

     user@host# edit shared sae group west-region configuration
     radius-packet-template stdAcct

  2. Create an attribute instance using the names in Table 18, and enter the configuration for the RADIUS attribute instance.

     [edit shared sae group west-region configuration radius-packet-template stdAcct]
     user@host# edit radius-attributes name

  3. Add RADIUS attribute definitions to the attribute instance. Repeat this step for each attribute.

     [edit shared sae group west-region configuration radius-packet-template stdAcct
     radius-attributes svcstop]
     user@host# set attributes name value

     For example:

     [edit shared sae group west-region configuration radius-packet-template stdAcct
     radius-attributes svcstop]
     user@host# set attributes Acct-Session-ID sessionId

  4. (Optional) Verify the configuration of your attribute instance.

     [edit shared sae group west-region configuration radius-packet-template
     stdAcct radius-attributes svcstop]
     user@host# show
     attributes {
       Acct-Input-Octets lowWord(inOctets);
       Acct-Output-Octets lowWord(outOctets);
       Acct-Input-Packets lowWord(inPackets);
       Acct-Output-Packets lowWord(outPackets);
       Acct-Input-Gigawords highWord(inOctets);
       Acct-Output-Gigawords highWord(outOctets);
     }

  5. (Optional) Verify the configuration of the RADIUS packet template.

     [edit shared sae group west-region configuration radius-packet-template
     stdAcct radius-attributes svcstop]
     user@host# up

     [edit shared sae group west-region configuration radius-packet-template
     stdAcct]
     user@host# show
     radius-attributes svcstop {
       attributes {
         Acct-Input-Octets lowWord(inOctets);
         Acct-Output-Octets lowWord(outOctets);
         Acct-Input-Packets lowWord(inPackets);
         Acct-Output-Packets lowWord(outPackets);
         Acct-Input-Gigawords highWord(inOctets);
         Acct-Output-Gigawords highWord(outOctets);
       }
     }
     radius-attributes stop {
       attributes {
         Acct-Session-Time sessionTime;
         Acct-Terminate-Cause terminateCause;
       }
     }
     radius-attributes svcacct {
       attributes {
         Class radiusClass;
       }
     }
     radius-attributes acct {
       attributes {
         Acct-Session-Id sessionId;
         NAS-Identifier localNasId;
         NAS-IP-Address localNasIp;
         Event-Time eventTime;
       }
     }
     radius-attributes startstop {
       attributes {
         Acct-Multi-Session-Id ifSessionId;
         NAS-Port-Id "\"%s %s\" %(routerName, portId or interfaceName)";
         NAS-Port "nasPort or None";
       }
     }

More About Using Flexible RADIUS Packet Definitions

This section shows some of the ways you can use flexible RADIUS packet definitions. Remember that the name of the attribute instance determines the type of RADIUS packet in which the packet definition is used.

For example, the constructed value might be:

default@phoenix FastEthernet 4/2

Setting Values in Authentication Response Packets

You can use some special attribute values to set values in authentication response packets. For example:

Table 19 lists the type of packets (authresp, userresp, or svcresp) in which you can use these values.

When the RADIUS client finds one of these attribute values in an authentication response, it binds ATTR to the current attribute and executes the defined expression. The expression calls one of the available set methods to set the value in the plug-in event.

Below are some examples.

Selecting IP Address Pools Using DHCP Response Packets

For DHCP subscribers, you can set up RADIUS authorization plug-ins to return to the router attributes that can be used to select a DHCP address, such as the framed IP address and the address pool. You can also set the name of the virtual router on which the address pool is located.

You can also select a fixed address for each subscriber: if you identify subscribers by port information (for example, NAS-IP and NAS-Port), the authorization response can select a fixed IP address for each subscriber.

NOTE: Parameters set in the DHCP profile override parameters set by DHCP authorization plug-ins.
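
The ATTR binding described under Setting Values in Authentication Response Packets, together with the dhcpresp handling described in this section, as an added example that is not part of the SRC documentation or software: a Python model of a RADIUS client that walks an Access-Accept, binds ATTR to each attribute named in the svcresp or dhcpresp instance, and evaluates the expression against a plug-in event. The PluginEvent class, the (name, value) attribute representation and the sample replies are assumptions made for this example; the set method names and the expressions are the ones shown on this page.

```python
# Added example, not SRC code: a model of how a RADIUS client applies an
# attribute instance such as svcresp or dhcpresp to an Access-Accept.
# For each response attribute the instance names, ATTR is bound to that
# attribute's value and the expression is evaluated against a plug-in
# event that exposes only its set methods. PluginEvent, the (name, value)
# attribute representation and the sample replies are assumptions made
# here; the set method names and expressions come from this page.


class PluginEvent:
    """Receives the values that the set methods write into the event."""

    def __init__(self):
        self.sessionTimeout = None
        self.idleTimeout = None
        self.sessionVolumeQuota = None
        self.poolName = None
        self.userIpAddress = None
        self.authVirtualRouterName = None
        self.properties = {}
        self.substitutions = {}

    def setSessionTimeout(self, v): self.sessionTimeout = int(v)
    def setIdleTimeout(self, v): self.idleTimeout = int(v)
    def setSessionVolumeQuota(self, v): self.sessionVolumeQuota = int(v)
    def setPoolName(self, v): self.poolName = str(v)
    def setUserIpAddress(self, v): self.userIpAddress = str(v)
    def setAuthVirtualRouterName(self, v): self.authVirtualRouterName = str(v)

    def setProperty(self, kv):          # e.g. "startURL=https://..."
        key, _, value = kv.partition("=")
        self.properties[key] = value

    def setSubstitution(self, kv):      # e.g. "max_down_rate=2048000"
        key, _, value = kv.partition("=")
        self.substitutions[key] = value


# Attribute instances taken from this page, every value written in its
# quoted-expression form.
SVCRESP = {
    "Session-Timeout": "setSessionTimeout(ATTR)",
    "Idle-Timeout": "setIdleTimeout(ATTR)",
    "vendor-specific.Juniper.Sdx-Session-Volume-Quota": "setSessionVolumeQuota(ATTR)",
    "vendor-specific.WISPr.Redirection-URL": 'setProperty("startURL=%s" % ATTR)',
    "vendor-specific.WISPr.Bandwidth-Max-Down": 'setSubstitution("max_down_rate=%s" % ATTR)',
}
DHCPRESP = {
    "Framed-Pool": "setPoolName(ATTR)",
    "Framed-IP-Address": "setUserIpAddress(ATTR)",
    "26.4874.1.text": "setAuthVirtualRouterName(ATTR)",
}


def apply_response(instance, response, event):
    """Bind ATTR to each matching reply attribute and run its expression.

    The expression sees only the event's set methods plus ATTR. The value
    from the RADIUS server is data bound to ATTR and is never spliced into
    the expression text, so an odd string in a reply cannot change the
    code that runs. Attributes the instance does not name are ignored.
    Returns the names of the attributes that were applied, in reply order.
    """
    setters = {n: getattr(event, n) for n in dir(event) if n.startswith("set")}
    applied = []
    for name, value in response:
        expr = instance.get(name)
        if expr is None:
            continue
        eval(expr, {"__builtins__": {}, **setters, "ATTR": value})
        applied.append(name)
    return applied


# Constructed sample replies as (attribute name, decoded value) pairs.
SAMPLE_SVCRESP = [
    ("Session-Timeout", "3600"),
    ("vendor-specific.WISPr.Redirection-URL", "https://portal.example.net/start"),
    ("vendor-specific.WISPr.Bandwidth-Max-Down", "2048000"),
    ("Reply-Message", "welcome"),  # not in the instance, so ignored
]
SAMPLE_DHCPRESP = [
    ("Framed-Pool", "gold-pool"),
    ("Framed-IP-Address", "192.0.2.77"),
    ("26.4874.1.text", "vr-west"),
]


def process_svcresp(response=SAMPLE_SVCRESP):
    event = PluginEvent()
    apply_response(SVCRESP, response, event)
    return event


def process_dhcpresp(response=SAMPLE_DHCPRESP):
    event = PluginEvent()
    apply_response(DHCPRESP, response, event)
    return event


if __name__ == "__main__":
    ev = process_svcresp()
    print(ev.sessionTimeout, ev.properties, ev.substitutions)
    ev = process_dhcpresp()
    print(ev.poolName, ev.userIpAddress, ev.authVirtualRouterName)
```

The evaluation namespace holds only the event's set methods and ATTR, and the server-supplied value is bound as data rather than inserted into the expression string; that is the property to verify if you write or review an evaluator for these templates, because the expression text is configuration while the attribute value arrives from the network.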


