Hide Navigation Pane
Show Navigation Pane
Feedback
Download
SHA1
Using RADIUS to Manage Subscriber Service Sessions
Service Manager supports two RADIUS-based methods for dynamically activating subscriber service sessions. Dynamic service sessions that RADIUS activates are not stored in NVS. Both methods can also apply optional statistics and session threshold (volume and time) configurations. The two methods differ in how Service Manager activates a subscriber service session:
- RADIUS login method—The service session is activated when the subscriber logs in. At login, RADIUS verifies that the Activate-Service attribute is configured in the subscriber’s RADIUS record. RADIUS then uses vendor-specific attributes (VSAs) in the Access-Accept packet to activate the service session for the subscriber. This method is useful when your subscribers are not currently logged in.
- RADIUS CoA method—Supports dynamic service selection
for subscribers. For example, the subscriber might have logged in
without a service, or might have used the RADIUS login method to activate
a service at login. If no service was activated at login (because
of no Activate-Service attribute in the user’s RADIUS record),
you can later use the CoA method and a separate RADIUS record to create
a subscriber session and activate a service session for the subscriber.
Or, if the RADIUS login method was used and the subscriber already
has an active service session, you can use the CoA method and a new
RADIUS record to activate a new service session for the subscriber
(and optionally deactivate the existing service session). The RADIUS
CoA method is useful when you have a large number of users already
logged in through RADIUS and you want to activate new services for
them. This method is also used for the guided entrance service described
in Guided Entrance
Service Definition Example.
The RADIUS CoA method also supports the use of mutex groups to create mutex services. See Using Mutex Groups to Activate and Deactivate Subscriber Services.
Figure 31 compares the two RADIUS-based methods.
Figure 31: Comparing RADIUS Login and RADIUS CoA Methods
Using RADIUS to Activate Subscriber Service Sessions
To use RADIUS to activate subscriber service sessions, you create a RADIUS record that includes the Activate-Service VSA. For the RADIUS login method, this RADIUS record is used by the Access-Accept message to start Service Manager and activate the service when the subscriber logs in.
For the RADIUS CoA method, the service provider uses a CoA-Request message to activate and deactivate the service for the subscriber who is already logged in.
To configure a service session that will be activated by RADIUS:
- Create the RADIUS record for the subscriber and service:
- For RADIUS login—Create the RADIUS record for the subscriber and include the Activate-Service VSA in the record. Specify values for the parameters defined in the service template name of the definition macro file.
- For RADIUS CoA—Format the CoA message to create
the RADIUS record for the subscriber. Include the Activate-Service
VSA in the record. Optionally, include the Deactivate-Service VSA
if the subscriber has an active service session that you want to deactivate.
Specify values for the parameters defined in the service template
name of the definition macro file.
Note: You specify the parameter values in the order in which the parameters appear in the template name of the service definition file. For example, in the tiered service that is defined in Figure 29, the template name is:
<# tiered(inputBW, outputBW) #>For the RADIUS Activate-Service VSA, you specify values for the input and output bandwidth:
tiered(1280000, 5120000)
- Specify optional VSAs for the service session as needed:
- Service-Volume
- Service-Timeout
- Service-Statistics
Service Manager RADIUS Attributes
For the RADIUS login method, the RADIUS VSAs for service activation, threshold configuration, statistics configuration, and interim accounting in Access-Accept messages at subscriber login are used by Service Manager to activate the appropriate service session. For the RADIUS CoA method, Service Manager uses the VSAs for service activation and deactivation, threshold configuration, statistics configuration, and interim accounting in CoA-Request messages to activate the service session. The accounting-related VSAs are included in RADIUS accounting messages.
Table 146 lists the Service Manager-related attributes and indicates which are tagged VSAs. See Using Tags with RADIUS Attributes for a discussion about using tagged VSAs to group attributes for a service.
Table 146: Service Manager RADIUS Attributes
Attribute Number | Attribute Name | RADIUS Message Type | VSA Description |
|---|---|---|---|
[1] | User-Name (used with Virtual-Router, Juniper Networks VSA 26-1) | Access-Accept | Uniquely identifies the subscriber session |
[8] | Framed-IP-Address (used with Virtual-Router, Juniper Networks VSA 26-1) | Access-Accept | Uniquely identifies the subscriber session |
[26-65] | Activate-Service | Access-Accept and CoA-Request | Name of the service to be activated; includes parameter values; a tagged VSA |
[26-66] | Deactivate-Service | Access-Accept and CoA-Request | Name of the service to be deactivated Note: This VSA is only used by CoA. |
[26-67] | Service-Volume | Access-Accept and CoA-Request | Number of MB of traffic that the service can consume; the service is terminated when output byte count exceeds this value; a tagged VSA |
[26-68] | Service-Timeout | Access-Accept and CoA-Request | Number of seconds that the service is to remain active; the service is terminated when the time expires; a tagged VSA |
[26-69] | Service-Statistics | Access-Accept and CoA-Request | Statistics configuration; a tagged VSA: |
[26-83] | Service-Session | For service sessions only: | Name of the service (including parameter values) with which the statistics are associated |
[26-140] | Service-Interim-Acct- | Access-Accept and | Number of seconds between accounting updates for a service; a tagged VSA |
[31] | Calling-Station-ID | Access-Accept | Uniquely identifies the subscriber session |
[44] | Acct-Session-ID | Acct-Start | Accounting identifier that makes it easy to match start and stop records in a log file; the format is extended to include a colon-separated value that uniquely identifies the subscriber session |
| Note: Service Manager statistics collection is a three-part procedure. You must configure statistics information in the service definition macro file, enable statistics collection in the RADIUS record, and also enable statistics collection for the policy referenced in the service macro using the statistics enabled keyword in the command used for policy attachment in the profile. The Service-Volume and Service-Timeout VSAs rely on the values captured by the Service Manager statistics feature to determine when a threshold is exceeded. Therefore, you must configure and enable statistics collection to use these attributes. Service-Volume For detailed information about Service Manager statistics see Configuring Service Manager Statistics . |
Table 147 describes a partial RADIUS Access-Accept packet that activates a service session for subscriber client1@isp1.com. (Figure 29 shows the service definition macro file that creates the tiered service.) The session enables the subscriber to use the tiered service with an input bandwidth of 1280000 and output bandwidth of 5120000. The subscriber can use the service for 5 hours (18000 seconds), and Service Manager captures both timestamp and volume statistics during the session (service-statistics value of 2). Also, accounting for the service is updated every 600 seconds (10 minutes).
Table 147: Sample RADIUS Access-Accept Packet
RADIUS Attribute | Tag | Value |
|---|---|---|
username | none | client1@isp1.com |
class | none | (binary data) |
service-activation | 6 | tiered(1280000, 5120000) |
service-timeout | 6 | 18000 |
service-statistics | 6 | 2 |
service-interim-acct-interval | 6 | 600 |
Using Tags with RADIUS Attributes
Service Manager uses tagged RADIUS VSAs to enable a single RADIUS record to activate multiple service sessions for a subscriber, with each session having unique attributes. A particular tag identifies a specific Activate-Service attribute and all other RADIUS attributes that are associated with that Activate-Service attribute.
You can specify a maximum of 8 tags (1–8), which enables you to activate up to eight unique service sessions for a subscriber in a single RADIUS record. The following are tagged VSAs—they must always have a tag in their RADIUS entry:
- Activate-Service
- Service-Statistics
- Service-Timeout
- Service-Volume
- Service-Interim-Acct-Interval
Table 148 describes an Access-Accept packet that activates the two services, tiered and voice, for subscriber client1@isp1.com. Each service has its own unique tag, enabling you to assign attributes for one service, but not the other. For example, the two services have different timeout settings and different interim accounting intervals, and statistics are enabled only for the tiered service.
Table 148: Using Tags
RADIUS Attribute | Tag | Value |
|---|---|---|
username | none | client1@isp1.com |
class | none | (binary data) |
service-activation | 2 | tiered(1280000, 5120000) |
service-timeout | 2 | 18000 |
service-statistics | 2 | 1 |
service-interim-acct-interval | 2 | 600 |
service-activation | 6 | voice(100000) |
service-timeout | 6 | 1440 |
service-interim-acct-interval | 6 | 1200 |
Using RADIUS to Deactivate Service Sessions
A service session can be deactivated by a CoA-Request message or when a subscriber logs out of a RADIUS-activated service session. If the subscriber logs off the router, Service Manager deactivates that subscriber session and all associated service sessions.
RADIUS also supports attributes that you can use to manage deactivation of service sessions. You can:
- Set time or volume thresholds for the service
- Use the Deactivate-Service RADIUS attribute
Setting Thresholds
You can set a threshold for the session by including one or both of the following attributes in the RADIUS record:
| Note: The Service-Timeout and Service-Volume attributes use values captured by the Service Manager statistics feature to determine when a threshold is exceeded. Therefore, you must configure and enable statistics collection to use these attributes. See Configuring Service Manager Statistics . |
- Service-Timeout—The number
of seconds that the service session is active. You can specify a number
in the range 0–16777215. Values greater than 16777215 are recycled,
starting from the initial value of 0. For example, if you specify
the value for Service-Timeout VSA as 16777218, this value is equivalent
to 2 for this VSA. A value of 0 indicates that the session never times
out. A particular Service-Timeout VSA can be used by a maximum of
2000 services.
The service-timeout threshold accuracy is within 30 seconds of the specified value.
- Service-Volume—The total number
of MB of traffic that can use the service session. You can specify
a number in the range 0–16777215 MB. Values greater than 16777215
are recycled, starting from the initial value of 0. A value of 0 indicates
that there is no limit to the amount of traffic for the session. For
example, if you specify the value for Service-Timeout and Service-Volume
VSAs as 16777216 and 16777217, these values are equivalent to 0 and
1 respectively for these VSAs. A particular Service-Volume VSA can
be used by a maximum of 1000 services.
Note: Service Manager terminates a session when the output byte count exceeds the configured service-volume threshold. The output byte count is captured by the output-stat-clacl string in the classifier list variable that you configure to collect statistics. See Configuring Service Manager Statistics .
The service-volume threshold accuracy is based on a 10-second period. Service Manager does not immediately deactivate a service session when the output byte count reaches the service-volume threshold. Instead, Service Manager checks the volume in 10-second intervals and deactivates a service session at the end of the 10-second period in which the output byte count reaches the volume threshold. For example, if a threshold is reached 4seconds into the 10-second interval, the session continues for the remaining 6 seconds in the measuring period and is then terminated. Therefore, the total volume equals the threshold plus the volume during the additional 6 seconds.
When the output byte count reaches the threshold, RADIUS deactivates the service session. You must use tags to associate threshold attributes with the Activate-Service attribute for the service session.
Using the Deactivate-Service Attribute
You can also include the Deactivate-Service attribute in the subscriber’s RADIUS record. The format for this attribute is the same as the format of the Activate-Service attribute—the name of the service, including parameters. The Deactivate-Service attribute is used by RADIUS CoA messages, such as in a guided entrance service. See Guided Entrance Service Example for more information.
