
Using RADIUS to Create and Apply Policies Overview

E-series routers enable you to use RADIUS to create and apply policies on IP interfaces. This feature supports the Ascend-Data-Filter attribute [242] through a RADIUS vendor-specific attribute (VSA) that specifies a hexadecimal field. The hexadecimal field is encoded with policy attachment, classification, and policy action information.

The policy defined in the Ascend-Data-Filter attribute is applied when RADIUS receives a client authorization request and replies with an Access-Accept message.

When you use RADIUS to apply policies, a subset of the router’s classification fields and actions is supported. The supported actions and classification fields are:

Note: An E-series router dynamically assigns names to the new classifier list and policy list based on information such as the interface and direction of the policy.

To create a policy, you use hexadecimal format to configure the Ascend-Data-Filter attribute on the RADIUS server. For example:

Ascend-Data-Filter="01000100 0A020100 00000000 18000000 00000000 00000000"

Table 6 lists the fields in the order in which they are specified in the hexadecimal Ascend-Data-Filter attribute.

Table 6: Ascend-Data-Filter Fields

Action or Classifier        Format       Comments
Type                        1 byte       0=generic; 1=IP
Filter or forward           1 byte       0=filter; 1=forward
Indirection                 1 byte       0=egress; 1=ingress
Spare                       1 byte       -
Source IP address           4 bytes      -
Destination IP address      4 bytes      -
Source IP prefix            1 byte       Count of leading zeros in wildcard mask
Destination IP prefix       1 byte       Count of leading zeros in wildcard mask
Protocol                    1 byte       -
Established                 1 byte       Not implemented
Source port                 2 bytes      -
Destination port            2 bytes      -
Source port qualifier       1 byte       0=no compare; 1=less than; 2=equal to; 3=greater than; 4=not equal to
Destination port qualifier  1 byte       0=no compare; 1=less than; 2=equal to; 3=greater than; 4=not equal to
Reserved                    2 bytes      -
Marking value               1 byte       -
Marking mask                1 byte       0=no packet marking
Traffic class               1–41 bytes   • 0=no traffic class (required if there is no profile)
                                         • First byte specifies the length of the ASCII name of the traffic class
                                         • Traffic class must be statically configured
                                         • Name can optionally be null terminated, which consumes 1 byte
Rate-limit profile          1–41 bytes   • 0=no rate limit (required if there is no profile)
                                         • First byte specifies the length of the ASCII name, followed by the ASCII name of the profile
                                         • Profile must be statically configured
                                         • Name can optionally be null terminated, which consumes 1 byte

Note: To create a rate-limit profile, traffic class, or marking rule, you must first configure the filter/forward field as forward.

A single RADIUS record can contain two policies: one ingress policy and one egress policy. Each policy can have a maximum of 512 Ascend-Data-Filter entries. Each Ascend-Data-Filter entry creates a classifier group and the action associated with that classifier group.
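As an added example (not code from the JunosE documentation), the following Python decoder walks the Table 6 layout byte by byte, parses the attribute string shown above, and rejects an entry that carries a traffic class, rate-limit profile, or marking without the forward action. It assumes the optional null terminator is counted in the name length byte; field labels in the returned dictionary are my own.

```python
# Decoder for the Ascend-Data-Filter hexadecimal layout described in Table 6.
# Added example; not part of the JunosE documentation. Field labels are mine.
import struct
from ipaddress import IPv4Address

PORT_QUALIFIER = {0: "no compare", 1: "less than", 2: "equal to",
                  3: "greater than", 4: "not equal to"}

def _read_name(buf, offset):
    """Read a length-prefixed ASCII name (traffic class or rate-limit profile).
    Returns (name or None, next offset). A leading 0 byte means 'none'.
    Assumption: an optional trailing NUL is included in the length byte."""
    if offset >= len(buf):
        return None, offset                  # field omitted, as in the page's example
    length = buf[offset]
    if length == 0:
        return None, offset + 1
    name = buf[offset + 1:offset + 1 + length].decode("ascii")
    return name.rstrip("\x00"), offset + 1 + length

def decode_ascend_data_filter(hex_text):
    """Parse the hex string configured on the RADIUS server into a dict."""
    buf = bytes.fromhex(hex_text.replace(" ", ""))
    if len(buf) < 24:
        raise ValueError("Ascend-Data-Filter needs at least 24 bytes of fixed fields")
    # Fixed part: type, filter/forward, indirection, spare, src, dst, prefixes,
    # protocol, established (not implemented), ports, qualifiers, reserved.
    (ftype, forward, ingress, _spare, src, dst, src_pfx, dst_pfx, proto,
     _established, sport, dport, sq, dq, _reserved) = struct.unpack("!BBBBIIBBBBHHBBH", buf[:24])
    entry = {
        "type": {0: "generic", 1: "IP"}.get(ftype, ftype),
        "action": "forward" if forward else "filter",
        "direction": "ingress" if ingress else "egress",
        "source": f"{IPv4Address(src)}/{src_pfx}",
        "destination": f"{IPv4Address(dst)}/{dst_pfx}",
        "protocol": proto,
        "source_port": (PORT_QUALIFIER[sq], sport),
        "destination_port": (PORT_QUALIFIER[dq], dport),
    }
    off = 24
    if len(buf) >= off + 2:                  # optional marking value and mask
        entry["marking_value"], entry["marking_mask"] = buf[off], buf[off + 1]
        off += 2
    entry["traffic_class"], off = _read_name(buf, off)
    entry["rate_limit_profile"], off = _read_name(buf, off)
    # Per the note above: marking, traffic class and rate limit require forward.
    if entry["action"] == "filter" and (entry["traffic_class"] or
            entry["rate_limit_profile"] or entry.get("marking_mask")):
        raise ValueError("traffic class, rate-limit profile or marking requires the forward action")
    return entry
```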
