IMS AAA Server Release 1.1 Administration Guide > Administering Remote Network Elements > Administering RADIUS Remote Network Elements

Administering RADIUS Remote Network Elements

This section describes administrative tasks specific to RADIUS Remote Network Elements.

As discussed in RADIUS Configuration Overview, RADIUS Remote Network Elements are split into two parts, an upstream portion and a downstream portion. Configuring the communication to the RADIUS Remote Network Element consists of configuring of clients and targets. Table 19 summarizes the parameters that must be configured for the upstream and downstream configurations.

Table 19: RADIUS Client and Target Configuration Parameters

Upstream or Downstream Configuration	Target or Client	IP Address & format	UDP Port Number	Shared Secret
Upstream	Authentication & Accounting Client		-
	Dynamic Authorization Target
Downstream	Authentication Target
	Dynamic Authorization Client		-

The functions that can be assigned to a RADIUS Remote Network Element depend on whether you are configuring the upstream or downstream portion of the Network Element. The following functions are supported:

• WLAN—this function can be assigned in the upstream configuration of the Remote Network Element. No configuration is required for this function.
• Downstream—this function can be assigned in the downstream configuration of the Remote Network Element, and requires implicit routing to be configured.

For a description of these functions and instructions on how to assign them to the RADIUS Remote Network Element see Assigning Functions and Configuring Implicit Routing Rules.

Figure 47 summarizes the configuration of a RADIUS Remote Network Element.

Figure 47:

Summary of RADIUS Remote Network Element Configuration

To access the RADIUS Remote Network Element panel select Remote Network Elements > RADIUS Elements. Select the network element you want to administer, or see Creating and Naming a Diameter or RADIUS Remote Network Element.

Figure 48 shows the dialog for the upstream configuration of the RADIUS Network Element.

Figure 48: Dialog for Upstream Configuration of the RADIUS Network Element

Notice that the dialog for the upstream configuration is divided into four sections:

• Name and Description
• Upstream configuration tab including:

• Authentication and Accounting Client configuration tab
• Dynamic Authorization Target configuration tab

• Function assignment area

Figure 49 shows the dialog for the downstream configuration of the RADIUS Network Element.

Figure 49: Dialog for Downstream Configuration of the RADIUS Network Element

Notice that the dialog for the downstream configuration is divided into four sections:

• Name and Description
• Downstream configuration tabs including:

• Authentication Target configuration tab
• Dynamic Authorization Client configuration tab

Notice that in Figure 49, the dialog being displayed is for a downstream RADIUS target. As such, the Round Robin and Primary/Back features are present, along with the other parameters used to manage multiple targets to a RADIUS Remote Network Element.

• Function assignment area

The basic steps to configuring a RADIUS Remote Network Element include:

• Creating and naming the RADIUS Network Element. See Creating and Naming a Diameter or RADIUS Remote Network Element.
• Configuring RADIUS Clients.
• Configuring RADIUS Targets.
• Assigning the function to the network element. See Assigning Functions and Configuring Implicit Routing Rules.
  

  NOTE: Notice that in both the RADIUS upstream and downstream configuration dialogs, the Make/Model is Standard Radius. The IMS AAA Server uses only standard RADIUS attributes.

  
  

Configuring RADIUS Clients

For each RADIUS client, you must configure an unordered collection of RADIUS sources, which represent the RADIUS clients, from which to accept packets. All of these RADIUS clients will be considered to be the same network element. For example, a server farm of RADIUS proxies may be considered one network element, if they are all interchangeable. The RADIUS client configuration parameters are shown in Table 20.

Table 20: RADIUS Clients Configuration Parameters

Field	Description
Client Name	The Name by which other devices know this client.
Client (source) IP address	IPv4 address or IPv6 address from which packets will be accepted. NOTE: The IMS AAA Server does not support an embedded IPv4 address as an IPv6 address.
Use IPv6 Networking	Enable this option if you are using IPv6 addressing. Leave it disabled if you are using IPv4 addressing.
Client shared secret	Used to decrypt incoming requests
Unmask	For privacy, asterisks are echoed as you type the shared secret. Enable this option to display the characters in the shared secret field.
Use different shared secret for Accounting	By default, IMS AAA Server uses the same shared secret for authentication and accounting. If you want the client to use different shared secrets for authentication and accounting, enable this option and enter an accounting shared secret for the client.

The following procedure applies to clients for both the upstream and downstream portions of the RADIUS Remote Network Element.

To configure a RADIUS client:

1. From either the upstream or downstream tab, select the client tab and click New.

The New Client dialog opens. As an example, Figure 50 shows the Authentication and Accounting Client dialog for the upstream portion of the RADIUS Remote Network Element.

Figure 50: New RADIUS Authentication and Accounting Client Dialog

2. Enter the name by which other network elements refer to the client in the Name field.

Although you can assign any name to the client, you should use the device's IP address or DNS host name to avoid confusion.

3. Optionally, enter a description for the client in the Description field.

The description you associate with the client is not used during processing.

4. Enter the IPv4 address or IPv6 address of the client in the IP Address field.

• Enable the Use IPv6 Networking checkbox if the IP address is IPv6. Leave this option disabled for IPv4 addressing.
  

  NOTE: The IMS AAA Server does not support an embedded IPv4 address as an IPv6 address.

  
  

5. Enter the client shared secret in the Shared Secret field.

• For privacy, asterisks are echoed as you type. Enable the Unmask option to display the characters in the shared secret field.
  

  NOTE: After you complete configuration of the authentication shared secret on the server side, you must enter the same authentication shared secret on the client device.

  
  

6. By default, IMS AAA Server uses the same shared secret for authentication and accounting. If you want the client to use different shared secrets for authentication and accounting, specify an accounting shared secret for the client by enabling the Use different shared secret for accounting option and clicking Edit..
   

   NOTE: Accounting shared secrets are only supported on upstream Authentication and Accounting Clients, not on downstream Dynamic Authorization Clients.

   
   
7. When the Accounting Shared Secret dialog (Figure 51) opens, enter the accounting shared secret.

Figure 51: Accounting Shared Secret Dialog

For privacy, asterisks are echoed as you type. Enable the Unmask option to display the characters in the shared secret field.

NOTE: You must enter the same accounting shared secret on the client device.

8. Click OK to save the accounting shared secret.
9. Click OK to save the RADIUS client configuration.

Repeat the above steps for each client.

Configuring RADIUS Targets

For each RADIUS target, you must configure an ordered collection of RADIUS targets. The RADIUS target configuration parameters are shown in Table 21.

Table 21: RADIUS Target Configuration Parameters  

Field	Description
Target Name	The Name by which other devices know this target (WLAN)
Target IP address	IPv4 address or IPv6 address to which packets will be sent. NOTE: The IMS AAA Server does not support an embedded IPv4 address as an IPv6 address.
Use IPv6 Networking	Enable this option if you are using IPv6 addressing. Leave it disabled if you are using IPv4 addressing.
Target shared secret	Used to encrypt outgoing requests
Unmask	For privacy, asterisks are echoed as you type the shared secret. Enable this option to display the characters in the shared secret field.
Target port number	UDP port number.

The following procedure applies to targets for both the upstream and downstream portions of the RADIUS Remote Network Element.

To configure a RADIUS target:

1. From either the upstream or downstream tab, select the target tab and click New.

The New Target dialog opens (Figure 52).

Figure 52: New RADIUS Target Dialog

2. Enter the name by which other network elements refer to this target in the Name field.

Although you can assign any name to the target, you should use the target's IP address or DNS host name to avoid confusion.

3. Optionally, enter a description of the target in the Description field.

The description you associate with the target is not used during processing.

4. Enter the IPv4 address or IPv6 address of the target in the IP Address field.

• Enable the Use IPv6 Networking checkbox if the IP address is IPv6. Leave this option disabled for IPv4 addressing.
  

  NOTE: The IMS AAA Server does not support an embedded IPv4 address as an IPv6 address.

  
  

5. Enter the target shared secret in the Shared Secret field.

• For privacy, asterisks are echoed as you type. Enable the Unmask option to display the characters in the shared secret field.

6. Enter the UDP port number.
7. Click OK to save the configuration of the RADIUS target.

Configuring the Round Robin or Primary/Backup Features for RADIUS Targets

As mentioned in Round Robin and Primary/Backup, the Round Robin and Primary/Backup features manage how the server sends messages over multiple targets or paths to the Remote Network Element. When multiple RADIUS targets are defined, you need to configure their order. The order specifies the order in which messages are sent to the Remote Network Element.

To configure Round Robin and Primary/Backup:

1. From either the RADIUS upstream or downstream tab, select the Target tab.
2. Select either the Round Robin or Primary/Backup option.
3. Define the order of the RADIUS targets by selecting each target and using the the Up/Down arrows.
4. Click OK to save the configuration.

Configuring the Retry and Fast Fail Policies for the RADIUS Target

To configure the Retry Policy for the target:

1. From either the RADIUS upstream or downstream tab, select the Target tab.
2. Enter a number in the Maximum Attempts field. This field specifies the maximum number of times a message is retransmitted if an acknowledgment from the target is not received; if the Maximum Attempts is exhausted, then the original request is rejected.
3. Enter a number in the Delay Between Attempts field. This is the number of seconds the server will wait between attempts.

To configure the Fast Fail Policy for the target:

When the server sends a message to a target, it expects to receive a reply. If the server does not receive the reply within the time-frame specified by the fast fail policy, it goes into fast fail mode for that target and rejects the request.

1. Enter a number for the Minimum Attempts field. This is the minimum number of times the IMS AAA Server will retransmit a message if an acknowledgment from the target is not received; if the Minimum Attempts is exhausted, the server places the target in fast fail.
2. Enter a number in the Minimum Period field. This is the timeout (in seconds) before the server goes into fast fail mode for that target.
3. Enter a number for the Reset Delay. This is the timeout (in seconds) after which the server goes out of fast fail mode for that target.
4. Click OK to save the configuration.

Editing RADIUS Clients

To edit a RADIUS client:

1. Select the client tab from either the upstream or downstream tab.
2. Select the client you want to edit from the list of clients and click Edit.

The Edit Client dialog opens. As an example, Figure 53 shows the edit dialog for an upstream Authentication and Accounting client.

Figure 53: Edit RADIUS Client Dialog

From this dialog you can edit the Description, IP Address, Shared Secret, or define a Different Shared Secret for Accounting. You cannot edit the Name field. To edit a field, highlight the entire field and type in the new entry.

For details on editing RADIUS clients, refer to Configuring RADIUS Clients.

Editing RADIUS Targets

To edit a RADIUS target:

1. Select the target tab from either the upstream or downstream tab.
2. Select the target you want to edit from the list of targets and click Edit.

The Edit Target dialog opens. Figure 54 shows an example edit dialog for a RADIUS target.

Figure 54: Edit RADIUS Target Dialog

From this dialog you can edit the Description, IP Address, Shared Secret, or the Port. You cannot edit the Name field. To edit a field, highlight the entire field and type in the new entry.

For details on editing RADIUS targets, refer to Configuring RADIUS Targets.

Editing the Round Robin or Primary/Backup Configuration and Re-ordering the RADIUS Targets

1. From either the RADIUS upstream or downstream tab, select the Target tab.
2. Select either the Round Robin or Primary/Backup option.
3. Re-order the RADIUS targets by selecting each target and using the Up/Down arrows.
4. Click OK to save the configuration.

Editing the Retry Policy and the Fast Fail Policy for the Target

For a description of these parameters see Configuring the Retry and Fast Fail Policies for the RADIUS Target.

These policies are edited from the RADIUS upstream or downstream target tabs.

To edit the Retry Policy for the target:

1. Enter a number in the Maximum Attempts field.
2. Enter a number in the Delay Between Attempts field.

To edit the Fast Fail Policy for the target:

1. Enter a number for the Minimum Attempts field.
2. Enter a number in the Minimum Period field.
3. Enter a number for the Reset Delay.
4. Click OK to save the configuration.

Deleting RADIUS Clients

To delete a RADIUS client:

1. Select the client tab from either the upstream or downstream tab.
2. Select the client you want to delete from the list of clients and click Delete.

The client is deleted.

Deleting RADIUS Targets

To delete a RADIUS target:

1. Select the target tab from either the upstream or downstream tab.
2. Select the target you want to delete from the list of targets and click Delete.

The target is deleted.