Using RADIUS to Create and Apply Policies Overview
E-series routers enable you to use RADIUS to create and
apply policies on IPv4 and IPv6 interfaces. This feature supports
the Ascend-Data-Filter attribute [242] through a RADIUS vendor-specific
attribute (VSA) that carries a hexadecimal field. The hexadecimal
field encodes the policy attachment, classification, and policy
action information.
The policy defined in the Ascend-Data-Filter attribute is applied
when RADIUS receives a client authorization request and replies with
an Access-Accept message.
When you use RADIUS to apply policies, a subset of the router’s
classification fields and actions is supported. The supported actions
and classification fields are:
- Actions
  - Filter
  - Forward
  - Packet marking
  - Rate limit
  - Traffic class
- Classifiers
  - Destination address
  - Destination port
  - Protocol
  - Source address
  - Source port
To create a policy, you use hexadecimal format to configure
the Ascend-Data-Filter attribute on the RADIUS server. For example:
Ascend-Data-Filter="01000100 0A020100 00000000 18000000 00000000 00000000"
Table 5 lists the fields in the order in which they are specified in the
hexadecimal Ascend-Data-Filter attribute.
Table 5: Ascend-Data-Filter Fields

| Action or Classifier | Format | Comments |
|---|---|---|
| Type | 1 byte | 1 = IPv4; 3 = IPv6 |
| Filter or forward | 1 byte | 0 = filter; 1 = forward |
| Indirection | 1 byte | 0 = egress; 1 = ingress |
| Spare | 1 byte | - |
| Source IP address | 4 bytes for IPv4; 16 bytes for IPv6 | - |
| Destination IP address | 4 bytes for IPv4; 16 bytes for IPv6 | - |
| Source IP prefix | 1 byte | Type 1: number of leading zeros in the wildcard mask. Type 3: number of higher-order contiguous bits of the address that comprise the network portion of the address |
| Destination IP prefix | 1 byte | Type 1: number of leading zeros in the wildcard mask. Type 3: number of higher-order contiguous bits of the address that comprise the network portion of the address |
| Protocol | 1 byte | - |
| Established | 1 byte | Not implemented |
| Source port | 2 bytes | - |
| Destination port | 2 bytes | - |
| Source port qualifier | 1 byte | 0 = no compare; 1 = less than; 2 = equal to; 3 = greater than; 4 = not equal to |
| Destination port qualifier | 1 byte | 0 = no compare; 1 = less than; 2 = equal to; 3 = greater than; 4 = not equal to |
| Reserved | 2 bytes | - |
| Marking value | 1 byte | Type of Service (ToS) for IPv4; Differentiated Services Code Point (DSCP) for IPv6 |
| Marking mask | 1 byte | 0 = no packet marking |
| Traffic class | 1–41 bytes | 0 = no traffic class (required if there is no profile). The first byte specifies the length of the ASCII name of the traffic class, followed by the name. The traffic class must be statically configured. The name can optionally be null terminated, which consumes 1 byte. Although the traffic class name field supports up to 41 bytes, the field can be set to a maximum of 32 bytes only (including null characters), because the traffic class group configuration allows a traffic class name of up to 31 characters only. |
| Rate-limit profile | 1–41 bytes | 0 = no rate limit (required if there is no profile). The first byte specifies the length of the ASCII name, followed by the ASCII name of the profile. The profile must be statically configured. The name can optionally be null terminated, which consumes 1 byte. |

Note: To create a rate-limit profile, traffic class, or marking
rule, you must first configure the filter/forward field as forward.
A single RADIUS record can contain two policies—one ingress
policy and one egress policy. Each policy can have a maximum of 512
Ascend-Data-Filter attributes. Each Ascend-Data-Filter attribute creates one
classifier group and the action associated with that classifier group.
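As an added example (not code from the Juniper documentation), the following Python decoder walks the hexadecimal field in the Table 5 order and flags a record that carries marking, traffic-class or rate-limit data while the filter/forward byte is set to filter, which the note above rules out. It treats the fields after the reserved bytes as optional trailing fields because the sample attribute above omits them; the function, helper and key names are this example's own.

```python
import ipaddress
import struct

# Added example, not Juniper's code: decodes an Ascend-Data-Filter hex field
# in the Table 5 order. Key names and the helper names are this example's own.
QUALIFIERS = {0: "no compare", 1: "less than", 2: "equal to",
              3: "greater than", 4: "not equal to"}


def _read_name(buf, pos):
    """Length-prefixed ASCII name; a 0 length byte means no name."""
    if pos >= len(buf):
        return None, pos
    n = buf[pos]
    raw = buf[pos + 1:pos + 1 + n].split(b"\x00", 1)[0]  # drop optional NUL
    return (raw.decode("ascii") or None), pos + 1 + n


def decode_adf(hex_field):
    buf = bytes.fromhex(hex_field.replace(" ", ""))
    ftype, fwd, indir = buf[0], buf[1], buf[2]  # buf[3] is the spare byte
    if ftype not in (1, 3):
        raise ValueError("Type byte must be 1 (IPv4) or 3 (IPv6)")
    alen = 4 if ftype == 1 else 16
    pos = 4
    src = ipaddress.ip_address(buf[pos:pos + alen]); pos += alen
    dst = ipaddress.ip_address(buf[pos:pos + alen]); pos += alen
    # prefixes, protocol, established (unused), ports, qualifiers, reserved
    (spfx, dpfx, proto, _est, sport, dport,
     squal, dqual, _rsvd) = struct.unpack(">BBBBHHBBH", buf[pos:pos + 12])
    pos += 12
    f = {
        "family": "ipv4" if ftype == 1 else "ipv6",
        "action": "forward" if fwd == 1 else "filter",
        "direction": "ingress" if indir == 1 else "egress",
        "source": f"{src}/{spfx}", "destination": f"{dst}/{dpfx}",
        "protocol": proto,
        "source_port": (QUALIFIERS[squal], sport),
        "destination_port": (QUALIFIERS[dqual], dport),
        "marking": None, "traffic_class": None, "rate_limit_profile": None,
    }
    if pos + 2 <= len(buf):  # optional trailing fields (absent in the page's sample)
        mark, mask = buf[pos], buf[pos + 1]; pos += 2
        f["marking"] = None if mask == 0 else (mark, mask)
        f["traffic_class"], pos = _read_name(buf, pos)
        f["rate_limit_profile"], pos = _read_name(buf, pos)
    # Table 5 note: marking, traffic class and rate limit require "forward"
    if f["action"] == "filter" and (f["marking"] or f["traffic_class"]
                                    or f["rate_limit_profile"]):
        raise ValueError("marking/traffic class/rate limit require filter-or-forward = 1")
    return f
```

Run on the sample attribute above, the decoder reports an ingress IPv4 filter matching source 10.2.1.0/24 with every other classifier left at "no compare".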
Construction of IPv6 Classifiers from the Hexadecimal Ascend-Data-Filter Attribute
If both the source and destination IP prefixes are 128, the
IPv6 classifier is created using the IPv6 host argument, as follows:
- IPv6 classifier-list testipv6 source-host 2001:db8:85a3::8a2e:370:7334 destination-host 2001:db8::1428:57ab
If either the source or destination IP prefix is nonzero but
less than 128 bits (for example, 64 bits), the IPv6 classifier is
created using the IPv6 address argument, as follows:
- IPv6 classifier-list v6cl4 source-address 2001:db8:85a3::8a2e:370:7334/64 destination-address 2001:db8::1428:57ab/64
Note: For GE-2, GE-HDE, and OC48/STM16 line modules on ERX-7xx models,
ERX-14xx models, and the ERX-310 router, and ES2 4G, ES2 10G, and
ES2 10G Uplink LMs on the E120 and E320 routers, an IPv6 classifier
size cannot exceed 128 bits. For more information on size limits for
IP and IPv6 classifiers, see Size Limit for IP and IPv6 CAM Hardware Classifiers.
Ascend-Data-Filter Attribute for IPv4/IPv6 Subscribers in a Dual Stack
The PPP link between the customer premises equipment (CPE) and
the provider edge (PE) device or E-series router equipment might require
both IPv4 and IPv6 protocols for transmission of data. Such networks
require that PE devices run a dual stack of IPv4 and IPv6 services.
Dual-stack routers allow simultaneous support for both IPv4 and IPv6
applications. The following guidelines are used to create a policy
defined in the Ascend-Data-Filter attribute when IPv4 and IPv6 subscribers
are in a network:
- If a subscriber requires only IPv4 services, only the
Type 1 action is used in the Access-Accept message returned from the
RADIUS server in response to the client authentication request.
- If a subscriber requires only IPv6 services, only the
Type 3 action is used in the Access-Accept message returned from the
RADIUS server.
- If both IPv4 and IPv6 addresses are assigned to the subscriber
interface, then either Type 1 or Type 3 or both the actions are used
in the Access-Accept message.
- If the Type 1 action is used and the Indirection action
field is set to 01 in the Ascend-Data-Filter attribute, one primary
input policy is created and applied on the ingress IPv4 interface.
- If the Type 3 action is used and the Indirection action
field is set to 01 in the Ascend-Data-Filter attribute, one primary
input policy is created and applied on the ingress IPv6 interface.
- If the Type 1 action is used and the Indirection action
field is set to 00 in the Ascend-Data-Filter attribute, one primary
output policy is created and applied on the egress IPv4 interface.
- If the Type 3 action is used and the Indirection action
field is set to 00 in the Ascend-Data-Filter attribute, one primary
output policy is created and applied on the egress IPv6 interface.
- Ascend-Data-Filter attributes for both IPv4 and IPv6
interfaces are stored on the RADIUS server and the appropriate policies
are created and applied to the corresponding interfaces when they
come up, depending on the type of subscribers.
In earlier releases, the formats of the input and output
classifier list names and policy list names were as follows:
- clin_<InterfaceId>_<filterNum>
- clout_<InterfaceId>_<filterNum>
- plin_<InterfaceId>
- plout_<InterfaceId>
where:
- clin—Classifier list included in an input policy list
- clout—Classifier list included in an output policy list
- plin—Policy list applied to the ingress interface
- plout—Policy list applied to the egress interface
- InterfaceId—A unique identifier for the interface to which the policy is applied
- filterNum—A value that denotes the position of the Ascend-Data-Filter attribute in the sequence configured on the RADIUS server
In this release, the formats of the input and output classifier
list names and policy list names are modified to support IPv6 subscribers.
The following is the new format of the input and output classifier
list and policy list:
- clin_<AuthId>_<filterNum>
- clout_<AuthId>_<filterNum>
- plin_<ip/ipv6>_<AuthId>
- plout_<ip/ipv6>_<AuthId>
where:
- AuthId—A unique identifier that is used during the authentication of the client with the RADIUS server
- ip/ipv6—Type of protocol used, based on the Type action field