Using RADIUS to Create and Apply Policies Overview

E Series routers enable you to use RADIUS to create and apply policies on IPv4 and IPv6 interfaces. This feature supports the Ascend-Data-Filter attribute [242] through a RADIUS vendor-specific attribute (VSA) that specifies a hexadecimal field. The hexadecimal field is encoded with policy attachment, classification, and policy action information.

The policy defined in the Ascend-Data-Filter attribute is applied when RADIUS receives a client authorization request and replies with an Access-Accept message.

When you use RADIUS to apply policies, a subset of the router’s classification fields and actions is supported. The supported actions and classification fields are:

Note: An E Series router dynamically assigns names to the new classifier list and policy list as described in Ascend-Data-Filter Attribute for IPv4/IPv6 Subscribers in a Dual Stack.

To create a policy, you use hexadecimal format to configure the Ascend-Data-Filter attribute on the RADIUS server. For example:

Ascend-Data-Filter="01000100 0A020100 00000000 18000000 00000000 00000000"

Table 6 lists the fields in the order in which they are specified in the hexadecimal Ascend-Data-Filter attribute.

Table 6: Ascend-Data-Filter Fields

| Action or Classifier | Format | Comments |
| --- | --- | --- |
| Type | 1 byte | 1 = IPv4; 3 = IPv6 |
| Filter or forward | 1 byte | 0 = filter; 1 = forward |
| Indirection | 1 byte | 0 = egress; 1 = ingress |
| Spare | 1 byte | - |
| Source IP address | 4 bytes for IPv4; 16 bytes for IPv6 | - |
| Destination IP address | 4 bytes for IPv4; 16 bytes for IPv6 | - |
| Source IP prefix | 1 byte | Type 1 = number of leading zeros in the wildcard mask; Type 3 = number of higher-order contiguous bits of the address that comprise the network portion of the address |
| Destination IP prefix | 1 byte | Type 1 = number of leading zeros in the wildcard mask; Type 3 = number of higher-order contiguous bits of the address that comprise the network portion of the address |
| Protocol | 1 byte | - |
| Established | 1 byte | Not implemented |
| Source port | 2 bytes | - |
| Destination port | 2 bytes | - |
| Source port qualifier | 1 byte | 0 = no compare; 1 = less than; 2 = equal to; 3 = greater than; 4 = not equal to |
| Destination port qualifier | 1 byte | 0 = no compare; 1 = less than; 2 = equal to; 3 = greater than; 4 = not equal to |
| Reserved | 2 bytes | - |
| Marking value | 1 byte | Type of Service (ToS) for IPv4; Differentiated Services Code Point (DSCP) for IPv6 |
| Marking mask | 1 byte | 0 = no packet marking |
| Traffic class | 1–41 bytes | 0 = no traffic class (required if there is no profile). First byte specifies the length of the ASCII name of the traffic class, followed by the name. Traffic class must be statically configured. Name can optionally be null terminated, which consumes 1 byte. Although the traffic class name field supports up to 41 bytes, you can create an Ascend-Data-Filter attribute with the traffic class name field set to a maximum of 32 bytes only (including null characters), because the traffic class group configuration allows a traffic class name of up to 31 characters only. |
| Rate-limit profile | 1–41 bytes | 0 = no rate limit (required if there is no profile). First byte specifies the length of the ASCII name, followed by the ASCII name of the profile. Profile must be statically configured. Name can optionally be null terminated, which consumes 1 byte. |

Note: To create a rate-limit profile, traffic class, or marking rule, you must first configure the filter/forward field as forward.

A single RADIUS record can contain two policies: one ingress policy and one egress policy. Each policy can have a maximum of 512 Ascend-Data-Filter entries. Each Ascend-Data-Filter entry creates a classifier group and the action associated with that classifier group.

Construction of IPv6 Classifiers from the Hexadecimal Ascend-Data-Filter Attribute

If both the source and destination IP prefixes are 128, the IPv6 classifier is created using the IPv6 host argument as follows:

IPv6 classifier-list testipv6 source-host 2001:db8:85a3::8a2e:370:7334 destination-host 2001:db8::1428:57ab

If either the source or destination IP prefix is non-zero but less than 128 bits (for example, 64 bits), the IPv6 classifier is created using the IPv6 address argument as follows:

IPv6 classifier-list v6cl4 source-address 2001:db8:85a3::8a2e:370:7334/64 destination-address 2001:db8::1428:57ab/64

Note: In JunosE Release 10.1.x and earlier, the maximum width of a CAM hardware classifier entry for IPv4 or IPv6 in a single policy was 128 bits. In JunosE Release 10.2.x and later, based on the size limit for a combined IPv6 classifier entry, a maximum of 336 bits of CAM entry is supported for full IPv6 classification with an additional 16 bits for rule set ID. However, OC48/STM16 line modules on ERX14xx models, ERX7xx models, and the ERX310 router support only 128-bit IPv6 classification. For more information on size limits for IP and IPv6 classifiers, see Size Limit for IP and IPv6 CAM Hardware Classifiers.

Ascend-Data-Filter Attribute for IPv4/IPv6 Subscribers in a Dual Stack

The PPP link between the customer premises equipment (CPE) and the provider edge (PE) device or E Series router equipment might require both IPv4 and IPv6 protocols for transmission of data. Such networks require that PE devices run a dual stack of IPv4 and IPv6 services. Dual-stack routers allow simultaneous support for both IPv4 and IPv6 applications. The following guidelines are used to create a policy defined in the Ascend-Data-Filter attribute when IPv4 and IPv6 subscribers are in a network:

In lower-numbered releases, the formats of the input and output classifier list names and policy list names were as follows:

where:

In this release, the formats of the input and output classifier list names and policy list names are modified to support IPv6 subscribers. The following is the new format of the input and output classifier list and policy list:

where:
