Using RADIUS to Manage Subscriber Service Sessions
Service Manager supports two RADIUS-based methods for dynamically activating subscriber service sessions. Dynamic service sessions that RADIUS activates are not stored in NVS. Both methods can also apply optional statistics and session threshold (volume and time) configurations. The two methods differ in how Service Manager activates a subscriber service session:
- RADIUS login method—The service session is activated when the subscriber logs in. At login, RADIUS verifies that the Activate-Service attribute is configured in the subscriber's RADIUS record. RADIUS then uses vendor-specific attributes (VSAs) in the Access-Accept packet to activate the service session for the subscriber. This method is useful when your subscribers are not currently logged in.
- RADIUS CoA method—Supports dynamic service selection for subscribers. For example, the subscriber might have logged in without a service, or might have used the RADIUS login method to activate a service at login. If no service was activated at login (because of no Activate-Service attribute in the user's RADIUS record), you can later use the CoA method and a separate RADIUS record to create a subscriber session and activate a service session for the subscriber. Or, if the RADIUS login method was used and the subscriber already has an active service session, you can use the CoA method and a new RADIUS record to activate a new service session for the subscriber (and optionally deactivate the existing service session). The RADIUS CoA method is useful when you have a large number of users already logged in through RADIUS and you want to activate new services for them. This method is also used for the guided entrance service described in Guided Entrance Service Definition Example.
The RADIUS CoA method also supports the use of mutex groups to create mutex services. See Using Mutex Groups to Activate and Deactivate Subscriber Services.
Figure 29 compares the two RADIUS-based methods.
Using RADIUS to Activate Subscriber Service Sessions
To use RADIUS to activate subscriber service sessions, you create a RADIUS record that includes the Activate-Service VSA. For the RADIUS login method, this RADIUS record is used by the Access-Accept message to start Service Manager and activate the service when the subscriber logs in.
For the RADIUS CoA method, the service provider uses a CoA-Request message to activate and deactivate the service for the subscriber who is already logged in.
To configure a service session that will be activated by RADIUS:
- For RADIUS login—Create the RADIUS record for the subscriber and include the Activate-Service VSA in the record. Specify values for the parameters defined in the service template name of the definition macro file.
- For RADIUS CoA—Format the CoA message to create the RADIUS record for the subscriber. Include the Activate-Service VSA in the record. Optionally, include the Deactivate-Service VSA if the subscriber has an active service session that you want to deactivate. Specify values for the parameters defined in the service template name of the definition macro file.
 |
NOTE: You specify the parameter values in the order in which the parameters appear in the template name of the service definition file. For example, in the tiered service that is defined in Figure 27, the template name is: <# tiered(inputBW, outputBW) #> For the RADIUS Activate-Service VSA, you specify values for the input and output bandwidth: tiered(1280000, 5120000) |
Service Manager RADIUS Attributes
For the RADIUS login method, the RADIUS VSAs for service activation, threshold configuration, statistics configuration, and interim accounting in Access-Accept messages at subscriber login are used by Service Manager to activate the appropriate service session. For the RADIUS CoA method, Service Manager uses the VSAs for service activation and deactivation, threshold configuration, statistics configuration, and interim accounting in CoA-Request messages to activate the service session. The accounting-related VSAs are included in RADIUS accounting messages.
Table 136 lists the Service Manager-related attributes and indicates which are tagged VSAs. See Using Tags with RADIUS Attributes for a discussion about using tagged VSAs to group attributes for a service.
|
NOTE: Service Manager statistics collection is a two-part procedure. You must configure statistics information in the service definition macro file and also enable statistics collection in the RADIUS record. The Service-Volume and Service-Timeout VSAs rely on the values captured by the Service Manager statistics feature to determine when a threshold is exceeded. Therefore, you must configure and enable statistics collection to use these attributes. Service-Volume For detailed information about Service Manager statistics see Configuring Service Manager Statistics. |
Table 137 describes a partial RADIUS Access-Accept packet that activates a service session for subscriber client1@isp1.com. (Figure 27 shows the service definition macro file that creates the tiered service.) The session enables the subscriber to use the tiered service with an input bandwidth of 1280000 and output bandwidth of 5120000. The subscriber can use the service for 5 hours (18000 seconds), and Service Manager captures both timestamp and volume statistics during the session (service-statistics value of 2). Also, accounting for the service is updated every 600 seconds (10 minutes).
Using Tags with RADIUS Attributes
Service Manager uses tagged RADIUS VSAs to enable a single RADIUS record to activate multiple service sessions for a subscriber, with each session having unique attributes. A particular tag identifies a specific Activate-Service attribute and all other RADIUS attributes that are associated with that Activate-Service attribute.
You can specify a maximum of 8 tags (1–8), which enables you to activate up to eight unique service sessions for a subscriber in a single RADIUS record. The following are tagged VSAs—they must always have a tag in their RADIUS entry:
Table 138 describes an Access-Accept packet that activates the two services, tiered and voice, for subscriber client1@isp1.com. Each service has its own unique tag, enabling you to assign attributes for one service, but not the other. For example, the two services have different timeout settings and different interim accounting intervals, and statistics are enabled only for the tiered service.
Using RADIUS to Deactivate Service Sessions
A service session can be deactivated by a CoA-Request message or when a subscriber logs out of a RADIUS-activated service session. If the subscriber logs off the router, Service Manager deactivates that subscriber session and all associated service sessions.
RADIUS also supports attributes that you can use to manage deactivation of service sessions. You can:
Setting Thresholds
You can set a threshold for the session by including one or both of the following attributes in the RADIUS record:
|
NOTE: The Service-Timeout and Service-Volume attributes use values captured by the Service Manager statistics feature to determine when a threshold is exceeded. Therefore, you must configure and enable statistics collection to use these attributes. See Configuring Service Manager Statistics. |
- Service-Timeout—The number of seconds that the service session is active. You can specify a number in the range 0–16777251. A value of 0 indicates that the session never times out. A particular Service-Timeout VSA can be used by a maximum of 2000 services.
The service-timeout threshold accuracy is within 30 seconds of the specified value.
- Service-Volume—The total number of MB of traffic that can use the service session. You can specify a number in the range 0–16777251 MB. A value of 0 indicates that there is no limit to the amount of traffic for the session. A particular Service-Volume VSA can be used by a maximum of 1000 services.
Service Manager terminates a session when the output byte count exceeds the configured service-volume threshold. The output byte count is captured by the output-stat-clacl string in the classifier list variable that you configure to collect statistics. See Configuring Service Manager Statistics.
The service-volume threshold accuracy is based on a 10-second period. Service Manager does not immediately deactivate a service session when the output byte count reaches the service-volume threshold. Instead, Service Manager checks the volume in 10-second intervals and deactivates a service session at the end of the 10-second period in which the output byte count reaches the volume threshold. For example, if a threshold is reached 4seconds into the 10-second interval, the session continues for the remaining 6 seconds in the measuring period and is then terminated. Therefore, the total volume equals the threshold plus the volume during the additional 6 seconds.
When the output byte count reaches the threshold, RADIUS deactivates the service session. You must use tags to associate threshold attributes with the Activate-Service attribute for the service session.
Using the Deactivate-Service Attribute
You can also include the Deactivate-Service attribute in the subscriber's RADIUS record. The format for this attribute is the same as the format of the Activate-Service attribute—the name of the service, including parameters. The Deactivate-Service attribute is used by RADIUS CoA messages, such as in a guided entrance service. See Guided Entrance Service Example for more information.