Using Flexible RADIUS Packet Definitions

 

This topic shows some of the ways you can use flexible RADIUS packet definitions. Remember that the name of the attribute instance determines the type of RADIUS packet in which the packet definition is used.

  • To use the Challenge Handshake Authentication Protocol (CHAP) to authenticate subscribers, include the Chap-Password and optionally the Chap-Challenge attributes in authentication requests. (We recommend that you use Chap-Password only. Use Chap-Challenge only if required.) To use a CHAP password, include the following in attribute instance auth:

  • To cause the Calling-Station-Id attribute to use the subscriber’s MAC address:

  • To set the value to prefix N followed by the service name and the prefix S followed by the service session name:

  • To construct a value for the Nas-Port-Id attribute by concatenating the value of routerName, a space, and the Nas-Port-ID on the router:

    For example, the constructed value might be:

  • The following example sets the User-Name attribute as follows:

    • Sets the value to accountingId, or

    • If accountingId is empty, sets the value to loginName, or

    • If loginName is also empty, sets the value to NN

  • To extract the lower 32 bits of the 64-bit inOctet counter:

  • To set the counter fields in the RADIUS packet to the appropriate 32-bit values:

    • The inOctets and outOctets are 64-bit values and must be split into lower 32-bit (Acct-*-Octets) and upper 32-bit (Acct-*-Gigawords) values.

    • The inPacket and outPacket counters are 32-bit values and can be assigned directly.

    • The ipv6InOctets and ipv6OutOctets are 64-bit values and must be split into lower 32-bit (Ipv6-Acct-*-Octets) and upper 32-bit (Ipv6-Acct-*-Gigawords) values.

    • The ipv6InPackets and ipv6OutPackets counters are 32-bit values and can be assigned directly.

  • You can map user session property values to the SAE radius-packet-template for the service tracking plug-in.

    • If the user property attribute contains a hyphen (-), use the following format:

    • If the user property attribute does not contain a hyphen (-), use the following format:
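Returning to the counter fields listed earlier, the following is an added example, not SRC configuration syntax and not taken from the original page. It is Python that splits the 64-bit inOctets and outOctets counters into Acct-*-Octets and Acct-*-Gigawords, encodes them as RADIUS integer attributes, and reassembles them on the accounting collector. The function names are hypothetical, the attribute type codes are the standard ones from RFC 2866 and RFC 2869, and the IPv6 counters, which follow the same split, are omitted.

```python
import struct

# Standard accounting attribute type codes (RFC 2866 / RFC 2869).
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 42, 43
ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS = 47, 48
ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS = 52, 53


def split64(counter):
    """Return (lower 32 bits, upper 32 bits) of a 64-bit counter."""
    if not 0 <= counter < 1 << 64:
        raise ValueError("counter does not fit in 64 bits")
    return counter & 0xFFFFFFFF, counter >> 32


def tlv(attr_type, value):
    """Encode one integer attribute: type, length (always 6), big-endian value."""
    if not 0 <= value < 1 << 32:
        raise ValueError("attribute %d needs a 32-bit value" % attr_type)
    return struct.pack("!BBI", attr_type, 6, value)


def encode_counters(in_octets, out_octets, in_packets, out_packets):
    """Build the counter attributes of an accounting request (hypothetical helper)."""
    in_lo, in_hi = split64(in_octets)
    out_lo, out_hi = split64(out_octets)
    return b"".join([
        tlv(ACCT_INPUT_OCTETS, in_lo), tlv(ACCT_INPUT_GIGAWORDS, in_hi),
        tlv(ACCT_OUTPUT_OCTETS, out_lo), tlv(ACCT_OUTPUT_GIGAWORDS, out_hi),
        tlv(ACCT_INPUT_PACKETS, in_packets), tlv(ACCT_OUTPUT_PACKETS, out_packets),
    ])


def decode_counters(attrs):
    """Collector side: rebuild 64-bit totals; handles 6-byte integer attributes only."""
    vals, pos = {}, 0
    while pos < len(attrs):
        if len(attrs) - pos < 6 or attrs[pos + 1] != 6:
            raise ValueError("malformed integer attribute at offset %d" % pos)
        attr_type, _, value = struct.unpack_from("!BBI", attrs, pos)
        vals[attr_type] = value
        pos += 6
    # A missing Gigawords attribute is treated as zero upper bits.
    return {
        "inOctets": vals.get(ACCT_INPUT_GIGAWORDS, 0) << 32 | vals[ACCT_INPUT_OCTETS],
        "outOctets": vals.get(ACCT_OUTPUT_GIGAWORDS, 0) << 32 | vals[ACCT_OUTPUT_OCTETS],
        "inPackets": vals[ACCT_INPUT_PACKETS],
        "outPackets": vals[ACCT_OUTPUT_PACKETS],
    }
```

If the Gigawords attributes are left out of the packet definition, a collector sees only the lower 32 bits, so a session that moved 6,000,000,000 octets is recorded as 1,705,032,704.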

Setting Values in Authentication Response Packets

You can use some special attribute values to set values in authentication response packets. For example:

  • setRadiusClass(ATTR)

  • setSessionTimeout(ATTR)

  • setSessionVolumeQuota(ATTR)

Flexible RADIUS Plug-Ins Overview lists the type of packets (authresp, userresp, or svcresp) in which you can use these values.

When the RADIUS client finds one of these attribute values in an authentication response, it binds ATTR to the current attribute and executes the defined expression. The expression calls one of the available set methods to set the value in the plug-in event.

Below are some examples.

  • To set a session timeout:

  • To set the RADIUS class:

  • To set the service bundle in VSA 31:

  • To set the session volume quota:

Selecting IP Address Pools Using DHCP Response Packets

For DHCP subscribers, you can set up RADIUS authorization plug-ins to return attributes to the router that can be used to select a DHCP address, such as the framed IP address and pool. You can also set the name of the virtual router on which the address pool is located and select a fixed address for each subscriber.

  • Framed IP address—Selects the pool from which the address is allocated; if the framed IP address is not available, the DHCP server allocates the next available address in the pool; use the setUserIpAddress value.

  • Framed IP pool—Name of the address pool on the router from which an IP address is assigned; use the setPoolName value.

  • Virtual router name—Name of the virtual router on which the address pool is located; use the setAuthVirtualRouterName value.

You can also select a fixed address for each subscriber. If you identify subscribers by port information (for example, NAS-IP and NAS-Port), the authorization response can select a fixed IP address for each subscriber.

Note

Parameters set in the DHCP profile override parameters set by DHCP authorization plug-ins.