

Using RADIUS to Create and Apply Policies

The E-series router enables you to use RADIUS to create and apply policies on IP interfaces. This feature supports the Ascend-Data-Filter attribute [242] through a RADIUS VSA that specifies a hexadecimal field. The hexadecimal field is encoded with policy attachment, classification, and policy action information.

The policy defined in the Ascend-Data-Filter attribute is applied when RADIUS receives a client authorization request and replies with an Access-Accept message.

When you use RADIUS to apply policies, only a subset of the router's classification fields and actions is supported; Table 10 lists the supported actions and classification fields.

To create a policy, you use hexadecimal format to configure the Ascend-Data-Filter attribute on the RADIUS server. For example:

Ascend-Data-Filter="01000100 0A020100 00000000 18000000 00000000 00000000"

Table 10 shows the fields in the order in which they are specified in the hexadecimal Ascend-Data-Filter attribute.

Table 10: Ascend-Data-Filter Policy Format

Action or Classifier        Format       Comments
Type                        1 byte       0 = generic; 1 = IP
Filter or forward           1 byte       0 = filter; 1 = forward
Indirection                 1 byte       0 = egress; 1 = ingress
Spare                       1 byte       -
Source IP address           4 bytes      -
Destination IP address      4 bytes      -
Source IP prefix            1 byte       Count of leading zeros in wildcard mask
Destination IP prefix       1 byte       Count of leading zeros in wildcard mask
Protocol                    1 byte       -
Established                 1 byte       Not implemented
Source port                 2 bytes      -
Destination port            2 bytes      -
Source port qualifier       1 byte       0 = no compare; 1 = less than; 2 = equal to;
                                         3 = greater than; 4 = not equal to
Destination port qualifier  1 byte       0 = no compare; 1 = less than; 2 = equal to;
                                         3 = greater than; 4 = not equal to
Reserved                    2 bytes      -
Marking value               1 byte       -
Marking mask                1 byte       0 = no packet marking
Traffic class               1-41 bytes   0 = no traffic class (required if there is no profile).
                                         First byte specifies the length of the ASCII string,
                                         followed by the ASCII name of the traffic class.
                                         Traffic class must be statically configured.
                                         Name can optionally be null terminated, which
                                         consumes 1 byte.
Rate-limit profile          1-41 bytes   0 = no rate limit (required if there is no profile).
                                         First byte specifies the length of the ASCII string,
                                         followed by the ASCII name of the profile.
                                         Profile must be statically configured.
                                         Name can optionally be null terminated, which
                                         consumes 1 byte.

NOTE: To create a rate-limit profile, traffic class, or marking rule, you must first set the filter-or-forward field to forward (1).

A single RADIUS record can contain two policies—one ingress policy and one egress policy. Each policy can contain a maximum of 512 Ascend-Data-Filter attributes. Each Ascend-Data-Filter attribute creates one classifier group and the action associated with that classifier group.
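The layout in Table 10 can be parsed mechanically, which is useful for checking what a RADIUS profile will actually push to an interface before the profile goes live. The following decoder is an added example, not code from the E-series documentation; its dict keys, helper names and the show-style rendering are my own, and it assumes that whenever anything follows the 24 fixed bytes both marking bytes are present.

```python
# Decoder for the Ascend-Data-Filter (RADIUS attribute 242) layout of Table 10.
# Added example, not code from the E-series documentation; dict keys, helper names
# and the rendering format are my own.
import ipaddress
import struct

FIXED = "!BBBBIIBBBBHHBBH"                  # the 24-byte fixed part of Table 10
QUALIFIERS = {0: None, 1: "lt", 2: "eq", 3: "gt", 4: "ne"}
PROTOCOLS = {0: "ip", 6: "tcp", 17: "udp"}  # protocol numbers used on this page

def wildcard(prefix_len):
    """Prefix byte = count of leading zeros in the wildcard mask, so 24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefix_len))

def decode(hex_value):
    """Parse one Ascend-Data-Filter hex string into a rule dict."""
    raw = bytes.fromhex(hex_value.replace(" ", ""))
    if len(raw) < struct.calcsize(FIXED):
        raise ValueError("Ascend-Data-Filter needs at least the 24 fixed bytes")
    (ftype, fwd, ingress, _spare, src, dst, src_pl, dst_pl, proto, _est,
     sport, dport, squal, dqual, _res) = struct.unpack(FIXED, raw[:24])
    rule = {"type": "ip" if ftype == 1 else "generic",
            "action": "forward" if fwd else "filter",
            "direction": "ingress" if ingress else "egress",
            "src": (str(ipaddress.IPv4Address(src)), wildcard(src_pl)),
            "dst": (str(ipaddress.IPv4Address(dst)), wildcard(dst_pl)),
            "proto": PROTOCOLS.get(proto, str(proto)),
            "sport": (QUALIFIERS[squal], sport), "dport": (QUALIFIERS[dqual], dport)}
    tail = raw[24:]  # optional: mark value, mark mask, traffic class, rate-limit profile
    if len(tail) >= 2:
        # Assumption: whenever anything follows the fixed part, both marking bytes are present.
        rule["mark"] = (tail[0], tail[1]) if tail[1] else None  # mask 0 = no packet marking
        names, pos = [], 2
        while pos < len(tail) and len(names) < 2:
            n = tail[pos]  # length byte; 0 = no traffic class / no profile
            names.append(tail[pos + 1:pos + 1 + n].decode("ascii").rstrip("\0") or None)
            pos += 1 + n
        rule["traffic_class"], rule["rate_limit"] = (names + [None, None])[:2]
    return rule

def describe(rule):
    """Render a rule in the spirit of the show classifier-list output."""
    def side(addr, mask, qual_port):
        text = ("any" if mask == "255.255.255.255"
                else f"host {addr}" if mask == "0.0.0.0" else f"{addr} {mask}")
        qual, port = qual_port
        return text if qual is None else f"{text} {qual} {port}"
    src, dst = side(*rule["src"], rule["sport"]), side(*rule["dst"], rule["dport"])
    return f"{rule['action']} {rule['proto']} {src} {dst}"
```

Running decode over the attribute values from the examples below reproduces the classifier lines the router prints, which is a quick way to audit a RADIUS profile offline.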

Examples—Using the Ascend-Data-Filter Attribute

This section provides examples showing the configuration of policies that use the Ascend-Data-Filter attribute.

Example 1

In this example, the following Ascend-Data-Filter attribute creates a RADIUS record that configures an input policy. The policy filters all packets from network 10.2.1.0 with wildcard mask 0.0.0.255 to any destination. The values specified in the Ascend-Data-Filter attribute are shown in Table 11.

Ascend-Data-Filter="01000100 0A020100 00000000 18000000 00000000 00000000"



Table 11: Ascend-Data-Filter Example 1 Values

Action or Classifier        Hex Value   Actual Value
Type                        01          IP
Filter or forward           00          Filter
Indirection                 01          Ingress
Spare                       00          None
Source IP address           0a020100    10.2.1.0
Destination IP address      00000000    Any
Source IP prefix            18          24 (wildcard mask 0.0.0.255)
Destination IP prefix       00          0 (wildcard mask 255.255.255.255)
Protocol                    00          None
Established                 00          None
Source port                 0000        None
Destination port            0000        None
Source port qualifier       00          None
Destination port qualifier  00          None
Reserved                    0000        None

Use the show classifier-list and show policy-list commands to view information about the policy:

host1#show classifier-list

                         Classifier Control List Table
                         ---------- ------- ---- -----
IP clin_5_00.1 ip 10.2.1.0 0.0.0.255 any

host1#show policy-list
                                  Policy Table
                                  ------ -----
IP Policy plin_5
   Administrative state: enable
   Reference count:      1
   Classifier control list: clin_5_00, precedence 100
      filter

   Referenced by interface(s): 
      ATM4/0.0  input policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references

Example 2

In this example, the Ascend-Data-Filter attribute is used to create RADIUS records that configure two policies. The first policy is an input policy that filters all TCP packets that come from a port greater than 9000 on host 10.2.1.1 and that go to any destination. The second policy is an output policy that filters all UDP packets from network 20.1.0.0 to host 10.2.1.1, port 3090.

Ascend-Data-Filter = "01000100 0A020101 00000000 20000600 23280000 03000000"
Ascend-Data-Filter = "01000000 14010000 0A020101 10201100 00000C12 00020000"

Using the show classifier-list and show policy-list commands produces the following information about the new policies:

host1#show classifier-list

                         Classifier Control List Table
                         ---------- ------- ---- -----
IP clin_6.1 tcp 10.2.1.1 gt 9000 any
IP clout_6.1 udp 20.1.0.0 0.0.255.255 10.2.1.1 eq 3090

host1#show policy-list
                                  Policy Table
                                  ------ -----
IP Policy plin_6
   Administrative state: enable
   Reference count:      1
   Classifier control list: clin_6_00, precedence 100
      filter

   Referenced by interface(s): 
      ATM4/0.0  input policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references

IP Policy plout_6
   Administrative state: enable
   Reference count:      1
   Classifier control list: clout_6_01, precedence 100
      filter

   Referenced by interface(s): 
      ATM4/0.0  output policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references

Example 3

This example creates an input policy and an output policy, each with multiple rules. The rules for the two policies are shown in the following list:

Input policy:
  • Forward TCP packets from host 10.2.1.1 to network 20.0.0.0 (wildcard mask 0.255.255.255)
  • Filter TCP packets from host 10.2.1.1 to any destination
  • Forward IP packets from host 10.2.1.1 to any destination
  • Filter all packets

Output policy:
  • Forward TCP packets from network 20.0.0.0 (wildcard mask 0.255.255.255) to host 10.2.1.1
  • Filter TCP packets from any source to host 10.2.1.1
  • Forward IP packets from any source to host 10.2.1.1
  • Filter all packets

The rules for the input policy translate to the following VSAs. The VSAs must be specified in this order:

Ascend-Data-Filter = "01010100 0A020101 14000000 20080600 00000000 00000000"
Ascend-Data-Filter = "01000100 0A020101 00000000 20000600 00000000 00000000"
Ascend-Data-Filter = "01010100 0A020101 00000000 20000000 00000000 00000000"
Ascend-Data-Filter = "01000100 00000000 00000000 00000000 00000000 00000000"

The rules for the output policy translate to the following VSAs. The VSAs must be specified in this order:

Ascend-Data-Filter = "01010000 14000000 0A020101 08200600 00000000 00000000"
Ascend-Data-Filter = "01000000 00000000 0A020101 00200600 00000000 00000000"
Ascend-Data-Filter = "01010000 00000000 0A020101 00200000 00000000 00000000"
Ascend-Data-Filter = "01000000 00000000 00000000 00000000 00000000 00000000"
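The translation from rules to VSAs can be automated so that the prefix counts, protocol numbers and port qualifiers of Table 10 are computed rather than typed by hand. The following encoder is an added example, not the E-series' or any RADIUS server's own code; the rule() function and its keyword names are my own, and it reproduces the Example 3 VSAs above in the order they must be sent.

```python
# Encoder for the Ascend-Data-Filter layout of Table 10: builds the hex string a RADIUS
# server returns for one rule. Added example, not the E-series' or any RADIUS server's own
# code; rule() and its keyword names are my own.
import ipaddress
import struct

FIXED = "!BBBBIIBBBBHHBBH"          # the 24-byte fixed part of Table 10
PROTO = {"ip": 0, "tcp": 6, "udp": 17}
QUAL = {None: 0, "lt": 1, "eq": 2, "gt": 3, "ne": 4}

def prefix_count(wildcard):
    """Table 10 stores a prefix as the count of leading zeros in the wildcard mask:
    0.255.255.255 -> 8, 0.0.0.0 (a single host) -> 32, 255.255.255.255 (any) -> 0."""
    return 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()

def rule(action, direction, src="0.0.0.0", src_wc="255.255.255.255",
         dst="0.0.0.0", dst_wc="255.255.255.255", proto="ip",
         sport=(None, 0), dport=(None, 0)):
    """Encode one rule (no marking, traffic-class or rate-limit trailer) as the
    space-separated hex the page uses. Ports are (qualifier, number) pairs."""
    raw = struct.pack(FIXED, 1, int(action == "forward"), int(direction == "ingress"), 0,
                      int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                      prefix_count(src_wc), prefix_count(dst_wc), PROTO[proto], 0,
                      sport[1], dport[1], QUAL[sport[0]], QUAL[dport[0]], 0)
    return " ".join(raw[i:i + 4].hex().upper() for i in range(0, len(raw), 4))

def example3_policies():
    """The ingress and egress rules of Example 3, in the order the VSAs must be sent."""
    host = dict(src="10.2.1.1", src_wc="0.0.0.0")     # source side: host 10.2.1.1
    ingress = [rule("forward", "ingress", dst="20.0.0.0", dst_wc="0.255.255.255", proto="tcp", **host),
               rule("filter", "ingress", proto="tcp", **host),
               rule("forward", "ingress", **host),
               rule("filter", "ingress")]
    to_host = dict(dst="10.2.1.1", dst_wc="0.0.0.0")  # destination side: host 10.2.1.1
    egress = [rule("forward", "egress", src="20.0.0.0", src_wc="0.255.255.255", proto="tcp", **to_host),
              rule("filter", "egress", proto="tcp", **to_host),
              rule("forward", "egress", **to_host),
              rule("filter", "egress")]
    return ingress, egress
```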

Using the show classifier-list and show policy-list commands produces the following information about the new policies:

host1:vr0#show classifier-list

                         Classifier Control List Table
                         ---------- ------- ---- -----
IP clin_7_00.1 tcp host 10.2.1.1 20.0.0.0 0.255.255.255
IP clin_7_01.1 tcp host 10.2.1.1 any
IP clin_7_02.1 ip host 10.2.1.1 any
IP clout_7_04.1 tcp 20.0.0.0 0.255.255.255 host 10.2.1.1
IP clout_7_05.1 tcp any host 10.2.1.1
IP clout_7_06.1 ip any host 10.2.1.1

host1:vr0#show policy-list

                                  Policy Table
                                  ------ -----
IP Policy plin_7
   Administrative state: enable
   Reference count:      1
   Classifier control list: clin_7_00, precedence 100
      forward
   Classifier control list: clin_7_01, precedence 100
      filter
   Classifier control list: clin_7_02, precedence 100
      forward
   Classifier control list: *, precedence 100
      filter

   Referenced by interface(s): 
      ATM4/0.0  input policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references

IP Policy plout_7
   Administrative state: enable
   Reference count:      1
   Classifier control list: clout_7_04, precedence 100
      forward
   Classifier control list: clout_7_05, precedence 100
      filter
   Classifier control list: clout_7_06, precedence 100
      forward
   Classifier control list: *, precedence 100
      filter

   Referenced by interface(s): 
      ATM4/0.0  output policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references

Example 4

In this example, the following Ascend-Data-Filter attribute creates a RADIUS record that configures an input policy. The policy classifies TCP packets from host address 10.2.1.2 to any destination. The policy marks the packets with a ToS byte of 5 and a mask of 170. The policy also applies a traffic class named someTcl and a rate-limit profile named someRlp.

The values specified in the Ascend-Data-Filter attribute are shown in Table 12.

Ascend-Data-Filter="01010100 0a020102 00000000 20000600 045708ae 02010000 05aa0773 6f6d6554 636c0773 6f6d6552 6c70"



Table 12: Ascend-Data-Filter Example 4 Values

Action or Classifier        Hex Value           Actual Value
Type                        01                  IP
Filter or forward           01                  Forward
Indirection                 01                  Ingress
Spare                       00                  None
Source IP address           0a020102            10.2.1.2
Destination IP address      00000000            Any
Source IP prefix            20                  32 (wildcard mask 0.0.0.0)
Destination IP prefix       00                  0 (wildcard mask 255.255.255.255)
Protocol                    06                  TCP
Established                 00                  None
Source port                 0000                None
Destination port            0000                None
Source port qualifier       00                  None
Destination port qualifier  00                  None
Reserved                    0000                None
Marking value               05                  5
Marking mask                aa                  170
Traffic class               0773 6f6d6554 636c  someTcl
Rate-limit profile          0773 6f6d6552 6c70  someRlp

Use the show classifier-list and show policy-list commands to view information about the policy:

host1#show classifier-list

                         Classifier Control List Table
                         ---------- ------- ---- -----
IP clin_8_00.1 tcp host 10.2.1.2 

host1#show policy-list 
                               Policy Table
                               ------ -----
IP Policy plin_8
   Administrative state: enable
   Reference count:      1
   Classifier control list: clin_8_00, precedence 100
      mark 5 mask 170
      traffic-class someTcl
      rate-limit-profile someRlp 

   Referenced by interface(s): 
      ATM11/0.0  input policy, statistics enabled, virtual-router default

   Referenced by profile(s): 
      No profile references
