Configuring RADIUS-Initiated Subscriber Secure Policy Mirroring Overview

You can configure RADIUS-initiated subscriber secure policy mirroring to mirror the traffic of a particular subscriber.

Note: Subscriber secure policy RADIUS-initiated mirroring runs on the radius-flow-tap service infrastructure. To configure the subscriber secure policy service, you must have the same privileges that are required to configure the radius-flow-tap service.

To configure the subscriber secure policy service:

1. Configure the radius-flow-tap service support for secure subscriber policy. This support includes configuring the tunnels and optional forwarding-class information that the subscriber secure policy service uses to send mirrored traffic to the content destination device.

   See Configuring RADIUS-Flow-Tap Service Support for Subscriber Secure Policy Mirroring.

2. Configure an access profile that specifies the RADIUS-related support for subscriber secure policy on the router, including a list of one or more RADIUS authentication servers. The router uses the list of specified servers for both authentication and dynamic request operations. You must also configure the RADIUS dynamic request feature, which provides the CoA message support used in-session traffic mirroring.

   See Configuring RADIUS Server Support for Subscriber Secure Policy Mirroring.

   See Using RADIUS Dynamic Requests for Subscriber Access Management.

3. Ensure that the following support is also configured:

   • The RADIUS record of the mirrored subscriber must include the RADIUS attributes and VSAs required for subscriber secure policy mirroring. See RADIUS Attributes Used for Subscriber Secure Policy for descriptions of the supported attributes used in RADIUS Accept-Accept and CoA messages.
   • The content destination device must be configured to accept the mirrored data from the mediation device.
   The descriptions of these configurations are beyond the scope of this document.
4. (Optional) Configure SNMPv3 trap support to report mirroring information to an external device.

   See Configuring SNMPv3 Traps for Subscriber Secure Policy Mirroring.

5. You can terminate an active subscriber mirroring session at any time.

   See Terminating Subscriber Secure Policy Mirroring Sessions.

Note: The subscriber secure policy feature requires some system resources while mirroring, encrypting, and sending traffic to the mediation device. We recommend that you consider this requirement when you configure subscriber secure policy. For example, you might elect to use a 10-Gigabit Ethernet interface for the tunnel and mediation device if you expect the amount of traffic you plan to mirror to approach 1 Gbps of actual user data.

Related Topics

• RADIUS Attributes Used for Subscriber Secure Policy
• Subscriber Secure Policy Mirroring and SNMP Traps
• Terminating Subscriber Secure Policy Mirroring Sessions
• Example: Subscriber Secure Policy Mirroring Using RADIUS