SIC Dynamic Authorization Support Overview
The SIC can dynamically manage services on RADIUS-enabled devices. The RADIUS capabilities of the SIC make the SRC software aware of subscriber activity and allow it to make dynamic RADIUS requests using the following RADIUS features:
Authentication, authorization, and accounting (AAA)
Change of Authorization (COA) message
Disconnect Message (DM)
The SIC uses RADIUS AAA messages to communicate with the RADIUS server and the network access server (NAS). The SIC converts Diameter messages to RADIUS messages and vice versa. The SIC also performs conversion between Diameter attribute-value pairs (AVPs) and RADIUS attributes.
The SIC can provide:
Device abstraction and shared secrets for the NAS device
Accounting and authentication support for subscriber sessions and service sessions
COA and DM support
Service parameter changes
RADIUS was designed as an AAA protocol in client/server mode. Supporting dynamic authorization requests requires that the SIC communicate Change of Authorization (COA) requests and Disconnect Messages (DM) to the network access server (NAS). However, every NAS vendor implements services by using different sets of vendor-specific attributes (VSAs); there is no universal language for sending requests to a NAS. To translate COA or DM requests into the correct dialect, the SIC uses service templates, which define services that the router activates and deactivates. These service templates translate COA or DM requests into VSAs so that the NAS device can understand and implement them. Service templates are created using the SRC CLI and they specify initial authorization, activation, deactivation, and abort session requests.
We provide device templates for Juniper Networks E Series Broadband Services Routers running JunosE Software release 7.2 or later and for Cisco routers running Cisco IOS Release 12.2SB. These templates include sample global and service templates that you can modify for your specific environment. If you want to add a router from another vendor, you must create a new template so that the SRC can communicate properly with your new router.
The SIC dynamic authorization function includes:
RADIUS listeners for authentication and accounting requests.
RADIUS dynamic authorization interface for sending COA or DM requests to the NAS.
RADIUS proxy function for forwarding RADIUS authentication and accounting requests to a downstream RADIUS server.
SIC Diameter server that interacts with the SRC Diameter server. User access, accounting requests, and service accounting information are sent to the SAE through this Diameter interface.
The SIC generates COA or DM requests on request from the SAE. To do so, data must be translated between the SAE, the SRC Diameter server, the SIC, and your router. This translation process is called rendering. The rendering process is shown in Figure 76.
The rendering process takes three inputs and produces one output. Inputs are:
The data the SAE sends (to and from the SRC Diameter server)
SIC configuration (device and service) templates
Data that returns with the authentication response from the downstream AAA server (available only for initial authorization process)
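The following Python example is an added illustration, not part of the original documentation and not SRC or SIC code. It renders one vendor-neutral activation request into two NAS dialects, builds the COA request with the Request Authenticator that RFC 5176 derives from the shared secret, and shows the check a NAS performs before acting on the request. The template table, vendor IDs, VSA numbers, and function names are hypothetical.

```python
import hashlib
import hmac
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40  # RFC 5176 packet codes
VENDOR_SPECIFIC = 26                       # RADIUS attribute type that carries VSAs

# Hypothetical per-device templates: action -> (vendor id, VSA type).
# These numbers are constructed for the example, not from a real dictionary.
TEMPLATES = {
    "vendor-a": {"activate": (99991, 1), "deactivate": (99991, 2)},
    "vendor-b": {"activate": (99992, 10), "deactivate": (99992, 11)},
}

def vsa(vendor_id, vtype, value):
    """Encode one Vendor-Specific attribute (RFC 2865, section 5.26)."""
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(inner) + 6, vendor_id) + inner

def render(device, action, service, session_id):
    """Turn a vendor-neutral request into attribute bytes for one NAS dialect."""
    vendor_id, vtype = TEMPLATES[device][action]
    acct = session_id.encode()
    attrs = struct.pack("!BB", 44, len(acct) + 2) + acct  # Acct-Session-Id
    return attrs + vsa(vendor_id, vtype, service.encode())

def build_request(code, ident, attrs, secret):
    """Build a COA or DM request; authenticator = MD5(header + 16 zeros + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def verify_request(packet, secret):
    """NAS-side check: recompute the authenticator before acting on the request."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

A request built with a different shared secret, or altered after it was built, fails verify_request, which is why the per-NAS shared secret is part of the device configuration.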