
Defining RADIUS Packets for Flexible RADIUS Plug-Ins


Flexible RADIUS Plug-Ins Overview

With flexible RADIUS accounting and authentication plug-ins, you can define the content of RADIUS packets that the service activation engine (SAE) sends to RADIUS servers. You can specify which attributes are included in different types of RADIUS packets (for example, session Start or Stop requests, or Accounting-On or Accounting-Off requests). You can also specify what information is contained in the attribute fields.

A RADIUS attribute configuration consists of RADIUS attribute instances. Each instance defines attributes for a specific type of packet—for example, Start requests or Accounting-Off requests.

Within each attribute instance, you define individual RADIUS attributes. The following is a RADIUS attribute instance for authentication requests:

Each RADIUS packet template can consist of multiple RADIUS attribute instances.

Using Default RADIUS Templates

The SRC module comes with two default templates:

  • stdAcct—Defines RADIUS accounting packets and is used in the default RADIUS flexible accounting plug-in instance flexRadiusAcct

  • stdAuth—Defines RADIUS authentication packets and is used in the default RADIUS flexible authentication plug-in instance flexRadiusAuth

Naming RADIUS Attribute Instances

Attribute instances define attributes for a specific type of RADIUS packet. The name that you assign to an attribute instance specifies the type of packet to which the attribute definition is applied. Table 12 lists the available packet types.

Table 12: RADIUS Attribute Instance Names

Attribute Instance (Packet Type)   Type of RADIUS Packet to Which Attribute Definition Is Applied
--------------------------------   --------------------------------------------------------------
acct                               Any accounting request
auth                               Any authentication request
authresp                           Any authorization response
dhcpresp                           DHCP response
off                                Accounting-Off requests
on                                 Accounting-On requests
onoff                              Accounting-On or Accounting-Off requests
start                              Start requests
startstop                          Start, Stop, or Interim Update requests
stop                               Stop or Interim Update requests
svcacct                            Service Session Start, Stop, or Interim requests
svcresp                            Any service authorization response
svcstart                           Service Session Start requests
svcstop                            Service Session Stop or Interim requests
useracct                           Subscriber Session Start, Stop, or Interim requests
userresp                           Any subscriber authorization response
userstart                          Subscriber Session Start requests
userstop                           Subscriber Session Stop or Interim requests

Defining RADIUS Attributes

RADIUS attribute definitions consist of a RADIUS attribute and a value for the RADIUS attribute.

You can define values for standard RADIUS attributes or JunosE vendor-specific attributes (VSAs).

Standard RADIUS Attributes

For standard RADIUS attributes, use a name or number as defined in RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000), RFC 2866—RADIUS Accounting (June 2000), or RFC 2869—RADIUS Extensions (June 2000). For a full list, see http://www.iana.org/assignments/radius-types.

Juniper Networks VSAs

For Juniper Networks VSAs, use one of the following formats:

  • Vendor-Specific.4874.<vsa#>.<type>

  • 26.4874.<vsa#>.<type>

where <type> is one of the following:

  • text—Indicates that the value is 1–253 octets containing UTF-8 encoded characters

  • string—Indicates that the value is 1–253 octets containing binary data

  • address—Indicates that the value is a 32-bit value

  • integer—Indicates that the value is a 32-bit unsigned value

  • time—Indicates that the value is a 32-bit unsigned value, seconds since 00:00:00 UTC, January 1, 1970
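As an added illustration (not code from the SRC documentation or the SAE), the following Python parses both VSA name formats shown above and encodes a value of each <type> into the on-the-wire Vendor-Specific attribute layout of RFC 2865 (type 26, length, 4-octet Vendor-Id, then vendor type, vendor length and value). VSA number 31 is the service-bundle VSA the page mentions later; the other VSA numbers and all sample values in the test are constructed, and the function names are the example's own.

```python
import ipaddress
import re
import struct
from datetime import datetime, timezone

VENDOR_SPECIFIC = 26        # RADIUS attribute type for Vendor-Specific
JUNIPER_VENDOR_ID = 4874    # vendor ID used in both name formats on the page

# Accepts "Vendor-Specific.<vendor>.<vsa#>.<type>" and "26.<vendor>.<vsa#>.<type>".
_NAME_RE = re.compile(
    r"^(?:Vendor-Specific|26)\.(?P<vendor>\d+)\.(?P<vsa>\d+)"
    r"\.(?P<type>text|string|address|integer|time)$"
)


def parse_vsa_name(name):
    """Return (vendor_id, vsa_number, value_type) for a VSA attribute name.

    Raises ValueError for names that match neither format on the page.
    """
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a VSA attribute name: {name!r}")
    vsa = int(m.group("vsa"))
    if not 1 <= vsa <= 255:          # vendor type is a single octet
        raise ValueError(f"VSA number out of range: {vsa}")
    return int(m.group("vendor")), vsa, m.group("type")


def encode_value(value_type, value):
    """Encode a value according to the <type> suffix of the attribute name."""
    if value_type == "text":                       # 1-253 octets of UTF-8
        data = str(value).encode("utf-8")
    elif value_type == "string":                   # 1-253 octets of binary data (pass bytes)
        data = bytes(value)
    elif value_type == "address":                  # 32-bit IPv4 address
        data = ipaddress.IPv4Address(value).packed
    elif value_type in ("integer", "time"):        # 32-bit unsigned; time = seconds since 1970-01-01T00:00:00Z
        if isinstance(value, datetime):
            if value.tzinfo is None:
                value = value.replace(tzinfo=timezone.utc)
            value = int(value.timestamp())
        if not 0 <= int(value) <= 0xFFFFFFFF:
            raise ValueError(f"{value_type} values must be 32-bit unsigned, got {value}")
        data = struct.pack("!I", int(value))
    else:
        raise ValueError(f"unknown value type {value_type!r}")
    if not 1 <= len(data) <= 253:
        raise ValueError("attribute values must be 1-253 octets")
    return data


def encode_vsa(name, value):
    """Build the wire form of one Vendor-Specific attribute (RFC 2865 section 5.26).

    Layout: Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length Value
    """
    vendor, vsa, value_type = parse_vsa_name(name)
    data = encode_value(value_type, value)
    sub = struct.pack("!BB", vsa, len(data) + 2) + data
    body = struct.pack("!I", vendor) + sub
    if len(body) + 2 > 255:          # the Length octet covers the whole attribute
        raise ValueError("value too long for a single Vendor-Specific attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsa(raw):
    """Inverse of encode_vsa: returns (vendor_id, vsa_number, raw_value_bytes).

    Every length field is checked against the buffer before any slice is trusted.
    """
    if len(raw) < 9:
        raise ValueError("too short for a Vendor-Specific attribute")
    attr_type, length = struct.unpack("!BB", raw[:2])
    if attr_type != VENDOR_SPECIFIC or length != len(raw):
        raise ValueError("malformed Vendor-Specific attribute")
    vendor = struct.unpack("!I", raw[2:6])[0]
    vsa, sub_len = struct.unpack("!BB", raw[6:8])
    if sub_len != len(raw) - 6:
        raise ValueError("vendor sub-attribute length does not match")
    return vendor, vsa, raw[8:]


if __name__ == "__main__":
    # Constructed sample: service bundle (VSA 31, text) for a made-up bundle name.
    print(encode_vsa("Vendor-Specific.4874.31.text", "gold-bundle").hex())
```

Both name spellings produce identical bytes, and `decode_vsa` refuses a truncated or over-long attribute rather than reading past the buffer.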

The following is an example of RADIUS attribute instances that define RADIUS VSAs.

Defining the Values of RADIUS Attributes

The values of RADIUS attributes can be a standard value (see Table 13) or an expression. Expressions are evaluated with Python. For example: lowWord(inOctets) extracts the lower 32 bits of the 64-bit inOctets counter. You can define multiple values for an expression in a comma-separated list.

Table 13: Standard Values for RADIUS Attributes

Value                       Type of Plug-In                                Comments
--------------------------  ---------------------------------------------  --------
accountingId                User and service tracking
authUserId                  Service tracking
Chargeable-User-Identity    User authorization and service accounting      This attribute must be configured in the RADIUS Access-Request packet with an empty value. The RADIUS server sends a unique value with the RADIUS Access-Response packet. This attribute value in the RADIUS Accounting-Request packet is used for service accounting.
dhcp                        User and service tracking                      Provides access to the DHCP packet. See Sending DHCP Options to the JunosE Router for details.
domain                      Authorization
eventTime                   User and service tracking                      Seconds since 1970-01-01T00:00Z
ifRadiusClass               User and service tracking
ifSessionId                 User and service tracking
inOctets                    Service tracking                               64-bit counter
inPackets                   Service tracking
interfaceAlias              User and service tracking
interfaceDescr              User and service tracking
interfaceName               User and service tracking
ipv6InOctets                Service tracking                               64-bit counter
ipv6InPackets               Service tracking
ipv6OutOctets               Service tracking                               64-bit counter
ipv6OutPackets              Service tracking
localNasId                  All                                            Configured NAS-ID
localNasIp                  All                                            Configured NAS-IP
loginId                     User and service authorization                 ID provided by the subscriber; the loginId value is not separated into UID and domain name.
loginName                   User and service tracking                      Name that the subscriber uses to log in to the portal
nasIp                       User and service tracking                      NAS IP address of the router
nasPort                     User and service tracking                      32-bit integer
outOctets                   Service tracking                               64-bit counter
outPackets                  Service tracking
password                    User and service authorization
portId                      User and service tracking                      ID of the port on the JunosE router—for example, FastEthernet 3/1:2001
primaryUserName             User and service tracking                      Name that the subscriber uses for DHCP/PPP authentication
radiusClass                 User tracking, user and service authorization  For service tracking, this value is taken from the RADIUS Access-Accept response. If the response does not contain a value, the RADIUS class defined in the service definition is used.
    This attribute can be set by an authorization response.
replyMessage                User and service authorization                 This attribute can only be set.
routerName                  User and service tracking
serviceBundle               User tracking and authorization                This attribute can be set by an authorization response.
serviceName                 Service tracking                               Sets an arbitrary attribute (for example, class) to the name of the service
serviceSessionName          Service tracking                               Named service session; empty for default session
serviceSessionTag           Service tracking
sessionId                   User and service tracking
sessionTime                 User and service tracking
sessionTimeout              User tracking, user and service authorization  This attribute can be set by an authorization response.
sessionVolumeQuota          User authorization                             This attribute can only be set. It is sent to session tracking events and can be returned by service authorization events. It can be set and retrieved through the portal API and can also be defined through an LDAP attribute in the service definition.
    If the attribute is defined multiple times, the following precedence is observed:
      1. Service definition (lowest)
      2. Authorization
      3. API call (highest)
    NOTE: The SAE does not enforce a volume quota directly; it only makes the attribute available to an external application that can control the volume quota.
setAcctInterimTime          User authorization                             Integer
setAuthVirtualRouterName    DHCP authorization                             Text
setIdleTimeout(ATTR)        User authorization
setLoadServices(ATTR)       User authorization                             This attribute can only be set.
setPoolName                 DHCP authorization                             Text
setRadiusClass(ATTR)        User and service authorization
setReplyMessage(ATTR)       User and service authorization
setSessionTimeout(ATTR)     User and service authorization
setServiceBundle(ATTR)      User authorization
setSessionVolumeQuota(ATTR) User authorization
setSubstitution             User authorization                             Text. Substitutions can be set only for service sessions.
setTerminateTime            User authorization                             Text
setUserIpAddress            DHCP authorization                             Integer
sspHost                     User and service tracking
terminateCause              User and service tracking
uid                         User and service authorization
userDn                      User and service tracking
userIpAddress               User and service tracking
userMacAddress              User and service tracking
userRadiusClass             Service tracking                               RADIUS class of the associated subscriber session
userSessionId               Service tracking                               RADIUS session ID of the associated subscriber session

Configuring a RADIUS Packet Template (SRC CLI)

You can define RADIUS packets for flexible RADIUS accounting and authentication plug-ins in two ways.

  • Define attributes in a template, and then apply the template to flexible RADIUS accounting and authentication plug-ins.

  • Define attributes in the packet definition configuration of a flexible plug-in instance. These definitions override definitions in packet templates.

Use the following configuration statements to configure a RADIUS packet template:

To configure a template:

  1. From configuration mode, access the RADIUS packet template configuration. In this sample procedure, the stdAcct template is configured in the west-region service activation engine (SAE) group.

  2. Create an attribute instance using the names in Flexible RADIUS Plug-Ins Overview, and enter the configuration for the RADIUS attribute instance.

  3. Add RADIUS attribute definitions to the attribute instance. Repeat this step for each attribute.

    For example:

  4. (Optional) Verify the configuration of your attribute instance.

  5. (Optional) Verify the configuration of the RADIUS packet template.

    Note

    You must configure any one of the following values to set the Chargeable-User-Identity attribute value in the accounting-request packet.

    • userSessionProperties.CUI

    • getUserSessionProperties().CUI

    • getUserSessionProperties().get("CUI")

    • getUserSessionProperties()[CUI]

    • userSessionProperties().CUI

Using Flexible RADIUS Packet Definitions

This topic shows some of the ways you can use flexible RADIUS packet definitions. Remember that the name of the attribute instance determines the type of RADIUS packet in which the packet definition is used.

  • To use the Challenge Handshake Authentication Protocol (CHAP) to authenticate subscribers, include the Chap-Password and optionally the Chap-Challenge attributes in authentication requests. (We recommend that you use Chap-Password only. Use Chap-Challenge only if required.) To use a CHAP password, include the following in attribute instance auth:

  • To cause the Calling-Station-Id attribute to use the subscriber’s MAC address:

  • To set the value to prefix N followed by the service name and the prefix S followed by the service session name:

  • To construct a value for the Nas-Port-Id attribute by concatenating the value of routerName, a space, and the Nas-Port-ID on the router:

    For example, the constructed value might be:

  • The following example sets the User-Name attribute as follows:

    • Sets the value to accountingId, or

    • If accountingId is empty, sets the value to loginName, or

    • If loginName is also empty, sets the value to NN

  • To extract the lower 32 bits of the 64-bit inOctets counter:

  • To set the counter fields in the RADIUS packet to the appropriate 32-bit values:

    • The inOctets and outOctets are 64-bit values and must be split into lower 32-bit (Acct-*-Octets) and upper 32-bit (Acct-*-Gigawords) values.

    • The inPackets and outPackets counters are 32-bit values and can be assigned directly.

    • The ipv6InOctets and ipv6OutOctets are 64-bit values and must be split into lower 32-bit (Ipv6-Acct-*-Octets) and upper 32-bit (Ipv6-Acct-*-Gigawords) values.

    • The ipv6InPackets and ipv6OutPackets counters are 32-bit values and can be assigned directly.
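The counter split described in the list above, and the lowWord() expression mentioned under Defining the Values of RADIUS Attributes, as an added Python example that is not the SAE's code: the 64-bit octet counters are divided into a lower 32-bit Octets attribute and an upper 32-bit Gigawords attribute, the 32-bit packet counters are copied directly, and each value is range-checked so a counter that does not fit its field is rejected instead of silently truncated. The RFC 2866/2869 attribute numbers are real; the expanded Ipv6-Acct-Input/Output names stand for the page's Ipv6-Acct-*-Octets and Ipv6-Acct-*-Gigawords wildcards, and their Juniper VSA numbers are not on this page, so only the standard attributes are serialized.

```python
import struct

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF

# Attribute numbers from RFC 2866 (Octets, Packets) and RFC 2869 (Gigawords).
STANDARD_TYPES = {
    "Acct-Input-Octets": 42,
    "Acct-Output-Octets": 43,
    "Acct-Input-Packets": 47,
    "Acct-Output-Packets": 48,
    "Acct-Input-Gigawords": 52,
    "Acct-Output-Gigawords": 53,
}

# 64-bit SAE counters and the pair of 32-bit attributes each one is split into.
SPLIT_64 = [
    ("inOctets", "Acct-Input-Octets", "Acct-Input-Gigawords"),
    ("outOctets", "Acct-Output-Octets", "Acct-Output-Gigawords"),
    ("ipv6InOctets", "Ipv6-Acct-Input-Octets", "Ipv6-Acct-Input-Gigawords"),
    ("ipv6OutOctets", "Ipv6-Acct-Output-Octets", "Ipv6-Acct-Output-Gigawords"),
]

# 32-bit SAE counters that map onto one attribute each.
DIRECT_32 = [
    ("inPackets", "Acct-Input-Packets"),
    ("outPackets", "Acct-Output-Packets"),
    ("ipv6InPackets", "Ipv6-Acct-Input-Packets"),
    ("ipv6OutPackets", "Ipv6-Acct-Output-Packets"),
]


def lowWord(counter):
    """Lower 32 bits of a 64-bit counter (the page's lowWord() expression)."""
    return counter & MASK32


def highWord(counter):
    """Upper 32 bits of a 64-bit counter; this becomes the Gigawords value."""
    return (counter >> 32) & MASK32


def counter_attributes(counters):
    """Map SAE counter values onto {attribute name: 32-bit value}.

    Missing counters count as 0. A value wider than its field raises ValueError
    rather than being truncated on the way to the accounting server.
    """
    out = {}
    for name, low_attr, high_attr in SPLIT_64:
        value = counters.get(name, 0)
        if not 0 <= value <= MASK64:
            raise ValueError(f"{name} is not a 64-bit counter: {value}")
        out[low_attr] = lowWord(value)
        out[high_attr] = highWord(value)
    for name, attr in DIRECT_32:
        value = counters.get(name, 0)
        if not 0 <= value <= MASK32:
            raise ValueError(f"{name} is not a 32-bit counter: {value}")
        out[attr] = value
    return out


def encode_standard_counters(attrs):
    """Serialize the RFC-numbered attributes as RADIUS TLVs: type, length 6, uint32.

    The Ipv6-Acct-* names are Juniper VSAs and are left to a VSA encoder.
    """
    return b"".join(
        struct.pack("!BBI", STANDARD_TYPES[name], 6, attrs[name])
        for name in sorted(STANDARD_TYPES, key=STANDARD_TYPES.get)
        if name in attrs
    )


def reconstruct(attrs, low_attr, high_attr):
    """What the accounting server does with the two halves."""
    return (attrs[high_attr] << 32) | attrs[low_attr]


if __name__ == "__main__":
    # Constructed sample: just over 4 GiB received, so Gigawords must be 1.
    sample = {"inOctets": 5_000_000_000, "outOctets": 123,
              "inPackets": 4_000_000_000, "outPackets": 77}
    attrs = counter_attributes(sample)
    print(attrs)
    print(encode_standard_counters(attrs).hex())
```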

  • You can map user session property values into the SAE radius-packet-template for the service tracking plug-in.

    • If the user property attribute contains a hyphen (-), use the following format:

    • If the user property attribute does not contain a hyphen (-), use the following format:

Setting Values in Authentication Response Packets

You can use some special attribute values to set values in authentication response packets. For example:

  • setRadiusClass(ATTR)

  • setSessionTimeout(ATTR)

  • setSessionVolumeQuota(ATTR)

Flexible RADIUS Plug-Ins Overview lists the packet types (authresp, userresp, or svcresp) in which you can use these values.

When the RADIUS client finds one of these attribute values in an authentication response, it binds ATTR to the current attribute and executes the defined expression. The expression calls one of the available set methods to set the value in the plug-in event.

Below are some examples.

  • To set a session timeout:

  • To set the RADIUS class:

  • To set the service bundle in VSA 31:

  • To set the session volume quota:
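The two evaluation paths this topic and Using Flexible RADIUS Packet Definitions describe, modelled as an added Python example that is not the SAE's implementation: on the request side, each attribute's value expression is evaluated against the session's values (including the User-Name fallback chain accountingId, then loginName, then NN, and a comma-separated expression that yields one attribute per non-empty value); on the response side, ATTR is bound to the received attribute and the expression calls a set method on the plug-in event. The PluginEvent class, the function names, the attribute instances and the session and response data are all constructed for the illustration; the SAE's internal binding API is not on this page.

```python
class PluginEvent:
    """Stand-in for the plug-in event that the response-side set methods modify."""

    def __init__(self):
        self.values = {}

    def setSessionTimeout(self, seconds):
        self.values["sessionTimeout"] = int(seconds)

    def setRadiusClass(self, radius_class):
        self.values["radiusClass"] = radius_class

    def setServiceBundle(self, bundle):
        self.values["serviceBundle"] = bundle

    def setSessionVolumeQuota(self, quota):
        self.values["sessionVolumeQuota"] = quota


def evaluate(expression, bindings):
    """Evaluate one template expression with only the bound names visible.

    Builtins are stripped so a mistyped expression fails with NameError
    instead of reaching unrelated Python functions.
    """
    return eval(expression, {"__builtins__": {}}, dict(bindings))


def build_request_attributes(instance, session):
    """Request side (instances such as auth, start, stop): evaluate every
    attribute's value expression against the session's values.

    A comma-separated expression evaluates to a tuple and produces one RADIUS
    attribute per value; empty values are not sent.
    """
    attributes = []
    for attr, expression in instance.items():
        result = evaluate(expression, session)
        values = result if isinstance(result, tuple) else (result,)
        for value in values:
            if value in (None, ""):
                continue
            attributes.append((attr, value))
    return attributes


def apply_response(instance, response_attributes, event):
    """Response side (authresp, userresp, svcresp): for each received attribute
    that has a definition, bind ATTR to the received value and run the
    expression, which calls a set method on the plug-in event.
    Returns the names of the attributes whose expression ran."""
    set_methods = {name: getattr(event, name)
                   for name in dir(event) if name.startswith("set")}
    applied = []
    for attr, value in response_attributes:
        expression = instance.get(attr)
        if expression is None:
            continue                     # attributes without a definition are ignored
        evaluate(expression, {"ATTR": value, **set_methods})
        applied.append(attr)
    return applied


# Constructed sample definitions and data for the illustration.
AUTH_INSTANCE = {
    "User-Name": 'accountingId or loginName or "NN"',   # the page's fallback chain
    "Calling-Station-Id": "userMacAddress",             # subscriber's MAC address
    "NAS-IP-Address": "nasIp",
    "Class": "radiusClass, serviceBundle",              # one attribute per non-empty value
}
AUTHRESP_INSTANCE = {
    "Session-Timeout": "setSessionTimeout(ATTR)",
    "Class": "setRadiusClass(ATTR)",
    "26.4874.31.text": "setServiceBundle(ATTR)",         # service bundle in VSA 31
}
SESSION = {
    "accountingId": "",
    "loginName": "alice",
    "userMacAddress": "00:11:22:33:44:55",
    "nasIp": "192.0.2.1",
    "radiusClass": "gold",
    "serviceBundle": "",
}
RESPONSE = [
    ("Session-Timeout", 3600),
    ("Class", "gold"),
    ("26.4874.31.text", "premium"),
    ("Reply-Message", "welcome"),   # no definition in the instance, so it is ignored
]

if __name__ == "__main__":
    print(build_request_attributes(AUTH_INSTANCE, SESSION))
    event = PluginEvent()
    print(apply_response(AUTHRESP_INSTANCE, RESPONSE, event), event.values)
```

Packet templates are trusted configuration: removing builtins from the evaluation namespace turns a typo into a NameError rather than a silently empty attribute, but it is not a sandbox against a hostile template author, so template changes deserve the same review as any other SAE configuration.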

Selecting IP Address Pools Using DHCP Response Packets

For DHCP subscribers, you can set up RADIUS authorization plug-ins to return to the router attributes that the router uses to select a DHCP address, such as the framed IP address and the address pool. You can also set the name of the virtual router on which the address pool is located and select a fixed address for each subscriber.

  • Framed IP address—Selects the pool from which the address is allocated; if the framed IP address is not available, the DHCP server allocates the next available address in the pool; use the setUserIpAddress value.

  • Framed IP pool—Name of the address pool on the router from which an IP address is assigned; use the setPoolName value.

  • Virtual router name—Name of the virtual router on which the address pool is located; use the setAuthVirtualRouterName value.

You can also select a fixed address for each subscriber. If you identify subscribers by port information (for example, NAS-IP and NAS-Port), the authorization response can select a fixed IP address for each subscriber.

Note

Parameters set in the DHCP profile override parameters set by DHCP authorization plug-ins.