Navigation
Back up to About Overview
[+] Expand All
[-] Collapse All
A
- access lines 1
- accesses
- configuring subscriptions
- accounting
- anonymous subscriber
- attributes
- authenticated subscriber
- authentication plug-ins
- authorization plug-ins
B
C
- captive portal
- classification scripts
- conditions 1
- configuring
- descriptions
- DHCP classification, C Series Controller
- interface classification, C Series Controller
- structure
- subscriber classification, C Series Controller
- target, C Series Controller
- component interactions
- conventions
- COPS (Common Open Policy Service)
- custom RADIUS accounting plug-ins 1
- configuring
- custom RADIUS authentication plug-ins 1
- configuring
- customer support 1
D
- default retailer authentication plug-ins
- configuring
- default retailer DHCP authentication plug-ins
- configuring
- denial-of-service attacks
- DHCP (Dynamic Host Configuration Protocol)
- address assignment
- classification scripts. See classification scripts
- options
- profiles
- subscribers
- documentation
E
- enterprise
- enterprise subscribers 1
- adding
- enterprise subscribers, login process
- event publishers
- configuring
- default retailer authentication, configuring
- default retailer DHCP authentication, configuring
- description
- retailer-specific
- service-specific
- virtual router-specific
- external plug-ins
- configuring
F
- file upload settings for log rotation
- configuring
- flat file accounting plug-ins 1
- flexible RADIUS accounting plug-ins 1
- attributes, defining
- configuring
- RADIUS packets, defining
- flexible RADIUS authentication plug-ins 1
- attributes, defining
- configuring
- RADIUS packets, defining
- setting responses
- FTP server for log rotation
G
- general properties
- configuring
H
- HTTP proxy 1, 2
- HTTPS traffic
I
- interface classification scripts. See classification scripts
- interim accounting, configuring on SAE
- internal plug-ins
- configuring
L
- LDAP authentication plug-in 1
- configuring
- limiting subscribers plug-in 1
- configuring
- log rotation
- overview
- logging
- login events, description
- login process
- login registration
- configuring
- logout process, residential
M
- managers
- manuals
N
- NAT (Network Address Translation)
- notice icons
P
- plug-ins
- activating service sessions
- authentication
- authorization
- basic RADIUS accounting 1
- basic RADIUS authentication 1
- creating subscriber sessions
- custom RADIUS accounting 1
- custom RADIUS authentication 1
- defining RADIUS packets
- DHCP address assignment
- event publishers. See event publishers
- external
- flat file accounting 1
- flexible RADIUS accounting 1
- flexible RADIUS authentication 1
- internal 1
- LDAP authentication 1
- limiting subscribers 1
- state synchronization
- tracking
- policy groups
- policy management
- PPP subscribers
- prevention, use of unauthorized resources
- protocols
- proxy HTTP 1, 2
- proxy request management
- public addresses, VPNs
Q
R
- RADIUS accounting
- RADIUS attributes
- defining in RADIUS plug-ins
- examples, defining in RADIUS plug-ins
- RADIUS client library, custom RADIUS plug-ins
- RADIUS packets, customizing in plug-ins
- RADIUS peers
- configuring in plug-ins
- RADIUS plug-ins 1, See also plug-ins
- redirect server
- assessing load
- configuration statements
- configuring
- configuring DNS server for
- configuring HTTP proxy support
- configuring redundant
- directory connection
- failover
- file extensions
- logging
- number of requests
- protection against denial-of-service attacks
- redundancy 1, 2, 3
- static route to router
- traffic definition
- verifying
- redundancy
- residential subscribers 1
- adding
- login process. See login process
- retailers
- subscribers 1
- router subscribers 1
- adding
- routing instances
- routing scheme
S
- SAE (service activation engine)
- classification scripts. See classification scripts
- login events
- login process. See login process
- SAE (service activation engine), configuring
- service activation engine. See SAE
- service sessions
- sites 1, 2, 3
- subscriber 1
- state synchronization plug-in interface
- configuring
- static IP subscribers, login process
- static routing
- subscriber classification scripts. See classification scripts
- subscriber folders 1
- adding
- subscriber sessions
- subscribers
- 3gpp attributes (Gx router driver)
- adding
- enterprise 1
- inheriting properties
- inheriting subscriptions
- residential 1
- retailer 1
- router 1
- sessions
- sites 1
- types
- subscriptions 1
- access, configuring
- an orderly deactivation, activation order, specifying
- configuring
- multiple per subscriber
- support, technical See technical support
T
- targets. See classification scripts
- technical support
- text conventions defined
- tracking plug-ins 1
- configuring
U
- UDP ports
- User Datagram Protocol. See UDP
V
- validating
- virtual private networks. See VPNs
- VPNs (virtual private networks)
- adding
- configuration requirements
- configuration statements
- extranet clients, modifying
- invalid subscriptions
- modifying
- routing schemes
- using NAT
- validating
Download This Guide
Using Flexible RADIUS Packet Definitions
This topic shows some of the ways you can use flexible RADIUS packet definitions. Remember that the name of the attribute instance determines the type of RADIUS packet in which the packet definition is used.
- To use the Challenge Handshake Authentication Protocol
(CHAP) to authenticate subscribers, include the Chap-Password and
optionally the Chap-Challenge attributes in authentication requests.
(We recommend that you use Chap-Password only. Use Chap-Challenge
only if required.) To use a CHAP password, include the following in
attribute instance auth: Chap-Password = password
- To cause the Calling-Station-Id attribute to use the subscriber’s
MAC address: Calling-Station-Id = userMacAddress
- To set the value to prefix N followed by the service name
and the prefix S followed by the service session name:'N'+serviceName, 'S'+serviceSessionName
- To construct a value for the Nas-Port-Id attribute by
concatenating the value of routerName, a space, and the Nas-Port-ID
on the router:Nas-Port-Id=routerName + “ “ + portId
For example, the constructed value might be:
default@phoenix FastEthernet 4/2- The following example sets the User-Name attribute as follows:
- Sets the value to accountingId, or
- If accountingId is empty, sets the value to loginName, or
- If loginName is also empty, sets the value to NNUser-Name = accountingId or loginName or “NN”
- To extract the lower 32 bits of the 64-bit inOctet counter:Acct-Input-Octets = lowWord(inOctets)
- To set the counter fields in the RADIUS packet to the
appropriate 32-bit values:Acct-Input-Octets = lowWord(inOctets)Acct-Output-Octets = lowWord(outOctets)Acct-Input-Packets = inPacketsAcct-Output-Packets = outPacketsAcct-Input-Gigawords = highWord(inOctets)Acct-Output-Gigawords = highWord(outOctets)
- The inOctets and outOctets are 64-bit values and must be split into lower 32-bit (Acct-*-Octets) and upper 32-bit (Acct-*-Gigawords) values.
- The inPacket and outPacket counters are 32-bit values and can be assigned directly.
- You can map the user session property values to SAE radius-packet-template
for service tracking plug-in.
- If the user property attribute contains a hyphen (-),
use the following format:Callback-Number = userProperty['device-type’]
- If the user property attribute does not contain a hyphen
(-), use the following format:Chargeable-User-Identity = userProperty.imsi
- If the user property attribute contains a hyphen (-),
use the following format:
Setting Values in Authentication Response Packets
You can use some special attribute values to set values in authentication response packets. For example:
- setRadiusClass(ATTR)
- setSessionTimeout(ATTR)
- setSessionVolumeQuota(ATTR)
Flexible RADIUS Plug-Ins Overview lists the type of packets (authresp, userresp, or svcresp) in which you can use these values.
When the RADIUS client finds one of these attribute values in an authentication response, it binds ATTR to the current attribute and executes the defined expression. The expression calls one of the available set methods to set the value in the plug-in event.
Below are some examples.
- To set a session timeout:Session-Timeout = setSessionTimeout(ATTR)
- To set the RADIUS class:Class = setRadiusClass(ATTR)
- To set the service bundle in VSA 31:26.4874.31.text = setServiceBundle(ATTR)
- To set the session volume quota:26.4874.50.text = setSessionVolumeQuota(ATTR)
Selecting IP Address Pools Using DHCP Response Packets
For DHCP subscribers, you can set up RADIUS authorization plug-ins to return to the router attributes that can be used to select a DHCP address such as framed IP address and pool. You can also set up the name of the virtual router on which the address pool is located and select a fixed address for each subscriber.
- Framed IP address—Selects the pool from which the address is allocated; if the framed IP address is not available, the DHCP server allocates the next available address in the pool; use the setUserIpAddress value.
- Framed IP pool—Name of the address pool on the router from which an IP address is assigned; use the setPoolName value.
- Virtual router name—Name of the virtual router on which the address pool is located; use the setAuthVirtualRouterName value.
You can also select a fixed address for each subscriber. If you identify subscribers by port information (for example, NAS-IP and NAS-Port), the authorization response can select a fixed IP address for each subscriber.
 | Note: Parameters set in the DHCP profile override parameters set by DHCP authorization plug-ins. |
Related Documentation
- Configuring UDP Ports for RADIUS Plug-Ins (SRC CLI)
- Configuring a RADIUS Packet Template (SRC CLI)
- Defining the Values of RADIUS Attributes
