Technical Documentation
New
Using RADIUS to Create and Apply Policies Overview
E Series routers enable you to use RADIUS to create and apply policies on IPv4 and IPv6 interfaces. This feature supports the Ascend-Data-Filter attribute [242] through a RADIUS vendor-specific attribute (VSA) that specifies a hexadecimal field. The hexadecimal field is encoded with policy attachment, classification, and policy action information
The policy defined in the Ascend-Data-Filter attribute is applied when RADIUS receives a client authorization request and replies with an Access-Accept message.
When you use RADIUS to apply policies, a subset of the router’s classification fields and actions is supported. The supported actions and classification fields are:
- Actions
- Filter
- Forward
- Packet marking
- Rate limit
- Traffic class
- Classifiers
- Destination address
- Destination port
- Protocol
- Source address
- Source port
 | Note: An E Series router dynamically assigns names to the new classifier list and policy list as described in Ascend-Data-Filter Attribute for IPv4/IPv6 Subscribers in a Dual Stack. |
To create a policy, you use hexadecimal format to configure the Ascend-Data-Filter attribute on the RADIUS server. For example:
Ascend-Data-Filter="01000100 0A020100 00000000 18000000 00000000 00000000"
Table 1 lists the fields in the order in which they are specified in the hexadecimal Ascend-Data-Filter attribute.
Table 1: Ascend-Data-Filter Fields
Action or Classifier | Format | Comments |
|---|---|---|
Type | 1 byte | 1=IPv4 3=IPv6 |
Filter or forward | 1 byte | 0=filter 1=forward |
Indirection | 1 byte | 0=egress 1=ingress |
Spare | 1 byte | - |
Source IP address | 4 bytes for IPv4 16 bytes for IPv6 | - |
Destination IP address | 4 bytes for IPv4 16 bytes for IPv6 | - |
Source IP prefix | 1 byte | Type 1 = Number of leading zeros in the wildcard mask Type 3 = Higher-order contiguous bits of the address that comprise the network portion of the address |
Destination IP prefix | 1 byte | Type 1 = Number of leading zeros in the wildcard mask Type 3 = Higher-order contiguous bits of the address that comprise the network portion of the address |
Protocol | 1 byte | - |
Established | 1 byte | Non implemented |
Source port | 2 bytes | - |
Destination port | 2 bytes | - |
Source port qualifier | 1 byte | 0= no compare 1= less than 2= equal to 3= greater than 4= not equal to |
Destination port qualifier | 1 byte | 0= no compare 1= less than 2= equal to 3= greater than 4= not equal to |
Reserved | 2 bytes | - |
Marking value | 1 byte | Type of Service (ToS)—for IPv4 Differentiated Services Code Point (DSCP)—for IPv6 |
Marking mask | 1 byte | 0= no packet marking |
Traffic class | 1–41 bytes |
|
Rate-limit profile | 1–41 bytes |
|
| Note: To create a rate-limit profile, traffic class, or marking rule, you must first configure the filter/forward field as forward. |
A single RADIUS record can contain two policies—one ingress policy and one egress policy. Each policy can have a maximum of 512 ascend-data filters. Each ascend data-filter creates a classifier group and the action associated with the classifier group.
Construction of IPv6 Classifiers from the Hexadecimal Ascend-Data-Filter Attribute
If both the source and destination IP prefixes are 128, the IPv6 classifier is created using the IPv6 host argument as follows:
If either the source or destination IP prefix is non-zero, but less than 128 bits, (for example, 64 bits), the IPv6 classifier is created using the IPv6 address argument as follows:
| Note: In JunosE Release 10.1.x and earlier, the maximum width of a CAM hardware classifier entry for IPv4 or IPv6 in a single policy was 128 bits. In JunosE Release 10.2.x and later, based on the size limit for a combined IPv6 classifier entry, a maximum of 336 bits of CAM entry is supported for full IPv6 classification with an additional 16 bits for rule set ID. However, OC48/STM16 line modules on ERX14xx models, ERX7xx models, and the ERX310 router support only 128-bit IPv6 classification. For more information on size limits for IP and IPv6 classifiers, see Size Limit for IP and IPv6 CAM Hardware Classifiers. |
Ascend-Data-Filter Attribute for IPv4/IPv6 Subscribers in a Dual Stack
The PPP link between the customer premises equipment (CPE) and the provider edge (PE) device or E Series router equipment might require both IPv4 and IPv6 protocols for transmission of data. Such networks require that PE devices run a dual stack of IPv4 and IPv6 services. Dual-stack routers allow simultaneous support for both IPv4 and IPv6 applications. The following guidelines are used to create a policy defined in the Ascend-Data-Filter attribute when IPv4 and IPv6 subscribers are in a network:
- If a subscriber requires only IPv4 services, only the Type 1 action is used in the Access-Accept message returned from the RADIUS server in response to the client authentication request.
- If a subscriber requires only IPv6 services, only the Type 3 action is used in the Access-Accept message returned from the RADIUS server.
- If both IPv4 and IPv6 addresses are assigned to the subscriber interface, then either Type 1 or Type 3 or both the actions are used in the Access-Accept message.
- If the Type 1 action is used and the Indirection action field is set to 01 in the Ascend-Data-Filter attribute, one primary input policy is created and applied on the ingress IPv4 interface.
- If the Type 3 action is used and the Indirection action field is set to 01 in the Ascend-Data-Filter attribute, one primary input policy is created and applied on the ingress IPv6 interface.
- If the Type 1 action is used and the Indirection action field is set to 00 in the Ascend-Data-Filter attribute, one primary output policy is created and applied on the egress IPv4 interface.
- If the Type 3 action is used and the Indirection action field is set to 00 in the Ascend-Data-Filter attribute, one primary output policy is created and applied on the egress IPv6 interface.
- Ascend-Data-Filter attributes for both IPv4 and IPv6 interfaces are stored on the RADIUS server and the appropriate policies are created and applied to the corresponding interfaces when they come up, depending on the type of subscribers.
In lower-numbered releases, the formats of the input and output classifier list names and policy list names were as follows:
- clin_<InterfaceId>_<filterNum>
- clout_<InterfaceId>_<filterNum>
- plin_<InterfaceId>
- plout_<InterfaceId>
where:
- clin—Classifier list included in an input policy list
- clout—Classifier list included in an output policy list
- plin—Policy list applied to the ingress interface
- plout—Policy list applied to the egress interface
- InterfaceId—A unique identifier for the interface to which the policy is applied
- filterNum—A value that denotes the sequence of Ascend-Data-Filter attribute configured on the RADIUS server
In this release, the formats of the input and output classifier list names and policy list names are modified to support IPv6 subscribers. The following is the new format of the input and output classifier list and policy list:
- clin_<AuthId>_<filterNum>
- clout_<AuthId>_<filterNum>
- plin_<ip/ipv6>_<AuthId>
- plout_<ip/ipv6>_<AuthId>
where:
- AuthId—A unique identifier that is used during the authentication of the client with the RADIUS server
- ip/ipv6—Type of protocol used based on the Type action field
