Defining RADIUS Packets for Flexible RADIUS Plug-Ins
Flexible RADIUS Plug-Ins Overview
With flexible RADIUS accounting and authentication plug-ins, you can define the content of RADIUS packets that the service activation engine (SAE) sends to RADIUS servers. You can specify which attributes are included in different types of RADIUS packets (for example, session Start or Stop requests, or Accounting-On or Accounting-Off requests). You can also specify what information is contained in the attribute fields.
A RADIUS attribute configuration consists of RADIUS attribute instances. Each instance defines attributes for a specific type of packet—for example, Start requests or Accounting-Off requests.
Within each attribute instance, you define individual RADIUS attributes. The following is a RADIUS attribute instance for authentication requests:
    radius-attributes auth {
        attributes {
            Chargeable-User-Identity '''';
            User-Name loginId;
            User-Password password;
            NAS-Identifier localNasId;
            NAS-IP-Address localNasIp;
            NAS-Port nasPort;
        }
    }
Each RADIUS packet template can consist of multiple RADIUS attribute instances.
Using Default RADIUS Templates
The SRC module comes with two default templates:
stdAcct—Defines RADIUS accounting packets and is used in the default RADIUS flexible accounting plug-in instance flexRadiusAcct
stdAuth—Defines RADIUS authentication packets and is used in the default RADIUS flexible authentication plug-in instance flexRadiusAuth
Naming RADIUS Attribute Instances
Attribute instances define attributes for a specific type of RADIUS packet. The name that you assign to an attribute instance specifies the type of packet to which the attribute definition is applied. Table 12 lists the available packet types.
Table 12: RADIUS Attribute Instance Names
Attribute Instance (Packet Type) | Type of RADIUS Packet to Which Attribute Definition Is Applied |
---|---|
acct | Any accounting request |
auth | Any authentication request |
authresp | Any authorization response |
dhcpresp | DHCP response |
off | Accounting-Off requests |
on | Accounting-On requests |
onoff | Accounting-On or Accounting-Off requests |
start | Start requests |
startstop | Start, Stop, or Interim Update requests |
stop | Stop or Interim Update requests |
svcacct | Service Session Start, Stop, or Interim requests |
svcresp | Any service authorization response |
svcstart | Service Session Start requests |
svcstop | Service Session Stop or Interim requests |
useracct | Subscriber Session Start, Stop, or Interim requests |
userresp | Any subscriber authorization response |
userstart | Subscriber Session Start requests |
userstop | Subscriber Session Stop or Interim requests |
Defining RADIUS Attributes
RADIUS attribute definitions consist of a RADIUS attribute and a value for the RADIUS attribute.
You can define values for standard RADIUS attributes or JunosE vendor-specific attributes (VSAs).
Standard RADIUS Attributes
For standard RADIUS attributes, use a name or number as defined in RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000), RFC 2866—RADIUS Accounting (June 2000), or RFC 2869—RADIUS Extensions (June 2000). For a full list, see http://www.iana.org/assignments/radius-types.
Juniper Networks VSAs
For Juniper Networks VSAs, use one of the following formats:
Vendor-Specific.4874.<vsa#>.<type>
26.4874.<vsa#>.<type>
where <type> is one of the following:
text—Indicates that the value is 1–253 octets containing UTF-8 encoded characters
string—Indicates that the value is 1–253 octets containing binary data
address—Indicates that the value is a 32-bit value
integer—Indicates that the value is a 32-bit unsigned value
time—Indicates that the value is a 32-bit unsigned value, seconds since 00:00:00 UTC, January 1, 1970
The following is an example of RADIUS attribute instances that define RADIUS VSAs.
    radius-attributes svcresp {
        attributes {
            Session-Timeout setSessionTimeout(ATTR);
            Idle-Timeout setIdleTimeout(ATTR);
            vendor-specific.Juniper.Sdx-Session-Volume-Quota setSessionVolumeQuota(ATTR);
            vendor-specific.WISPr.Redirection-URL "setProperty(\"startURL=%s\" % ATTR)";
            vendor-specific.WISPr.Bandwidth-Min-Up "setSubstitution(\"min_up_rate=%s\" % ATTR)";
            vendor-specific.WISPr.Bandwidth-Min-Down "setSubstitution(\"min_down_rate=%s\" % ATTR)";
            vendor-specific.WISPr.Bandwidth-Max-Up "setSubstitution(\"max_up_rate=%s\" % ATTR)";
            vendor-specific.WISPr.Bandwidth-Max-Down "setSubstitution(\"max_down_rate=%s\" % ATTR)";
        }
    }
    radius-attributes dhcpresp {
        attributes {
            Framed-Pool setPoolName(ATTR);
            Framed-IP-Address setUserIpAddress(ATTR);
            26.4874.1.text setAuthVirtualRouterName(ATTR);
            26.4874.2.text setPoolName(ATTR);
            26.4874.31.text setServiceBundle(ATTR);
        }
    }
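The two VSA name formats above carry everything needed to put the attribute on the wire: the vendor number (4874), the vendor type (<vsa#>) and how the value is encoded (<type>). The following Python is an added example, not Juniper's code: it parses a name in either format, encodes the value by the <type> rules listed above, wraps it in the RFC 2865 Vendor-Specific attribute (type 26) layout, and decodes it again while checking that the two length fields agree with the octets actually present. VSA numbers 1, 2 and 31 are taken from this page; the values are constructed.

```python
import ipaddress
import re
import struct

# Juniper Networks enterprise number, as used in the VSA name formats above.
JUNIPER_VENDOR_ID = 4874

# Accepts "Vendor-Specific.<vendor>.<vsa#>.<type>" and "26.<vendor>.<vsa#>.<type>".
VSA_NAME_RE = re.compile(
    r"^(?:Vendor-Specific|26)\.(?P<vendor>\d+)\.(?P<vsa>\d+)\."
    r"(?P<type>text|string|address|integer|time)$",
    re.IGNORECASE,
)


def parse_vsa_name(name):
    """Split a VSA attribute name into (vendor_id, vsa_number, vsa_type)."""
    match = VSA_NAME_RE.match(name)
    if not match:
        raise ValueError("not a VSA attribute name: %r" % name)
    vsa_number = int(match.group("vsa"))
    if not 1 <= vsa_number <= 255:
        raise ValueError("vendor type must fit in one octet: %d" % vsa_number)
    return int(match.group("vendor")), vsa_number, match.group("type").lower()


def encode_vsa_value(vsa_type, value):
    """Encode a value by the <type> rules: UTF-8 text, raw octets (bytes),
    a 4-octet IPv4 address, or a 32-bit unsigned integer (time is seconds
    since 00:00:00 UTC, 1 January 1970, also 32-bit unsigned)."""
    if vsa_type == "text":
        data = str(value).encode("utf-8")
    elif vsa_type == "string":
        data = bytes(value)
    elif vsa_type == "address":
        data = ipaddress.IPv4Address(value).packed
    elif vsa_type in ("integer", "time"):
        number = int(value)
        if not 0 <= number <= 0xFFFFFFFF:
            raise ValueError("%s value out of 32-bit unsigned range: %d" % (vsa_type, number))
        data = struct.pack("!I", number)
    else:
        raise ValueError("unknown VSA type %r" % vsa_type)
    if vsa_type in ("text", "string") and not 1 <= len(data) <= 253:
        raise ValueError("%s value must be 1-253 octets, got %d" % (vsa_type, len(data)))
    return data


def encode_vsa(name, value):
    """Build the RFC 2865 Vendor-Specific attribute (type 26) as sent on the wire:
    Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value(...).
    Length covers the whole attribute; Vendor-Length covers the vendor part only."""
    vendor_id, vsa_number, vsa_type = parse_vsa_name(name)
    data = encode_vsa_value(vsa_type, value)
    vendor_part = struct.pack("!BB", vsa_number, 2 + len(data)) + data
    total_length = 6 + len(vendor_part)
    if total_length > 255:
        raise ValueError("attribute exceeds the one-octet RADIUS Length field")
    return struct.pack("!BBI", 26, total_length, vendor_id) + vendor_part


def decode_vsa(raw):
    """Inverse of encode_vsa: returns (vendor_id, vsa_number, value_octets).
    Rejects attributes whose length fields disagree with the data present."""
    if len(raw) < 8:
        raise ValueError("Vendor-Specific attribute too short")
    attr_type, attr_length, vendor_id = struct.unpack("!BBI", raw[:6])
    vsa_number, vsa_length = struct.unpack("!BB", raw[6:8])
    if attr_type != 26 or attr_length != len(raw) or vsa_length != len(raw) - 6:
        raise ValueError("malformed Vendor-Specific attribute")
    return vendor_id, vsa_number, raw[8:]


if __name__ == "__main__":
    # Constructed values; VSA numbers 1, 2 and 31 are the ones used on this page.
    for name, value in [("26.4874.1.text", "vr-east"),
                        ("Vendor-Specific.4874.2.text", "pool-1"),
                        ("26.4874.31.text", "bundle-a")]:
        print(name, encode_vsa(name, value).hex())
```

The decoder checks both length fields against the real data length before trusting any of it, which is the check a RADIUS client or server should apply to every vendor attribute it receives; the 1-253 octet limit on text and string values is the one stated above, and the additional 255-octet cap is the RADIUS attribute Length field itself.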
Defining the Values of RADIUS Attributes
The values of RADIUS attributes can be a standard value (see Table 13) or an expression. Expressions are evaluated with Python; for example, lowWord(inOctets) extracts the lower 32 bits of the 64-bit inOctets counter. You can define multiple values for an expression in a comma-separated list.
Table 13: Standard Values for RADIUS Attributes
Value | Type of Plug-In | Comments |
---|---|---|
accountingId | User and service tracking | |
authUserId | Service tracking | |
Chargeable-User-Identity | User authorization and service accounting | This attribute must be configured in the RADIUS Access-Request packet with an empty value. The RADIUS server sends a unique value with the RADIUS Access-Response packet. This attribute value in the RADIUS Accounting-Request packet is used for service accounting. |
dhcp | User and service tracking | Provides access to the DHCP packet. See Sending DHCP Options to the JunosE Router for details. |
domain | Authorization | |
eventTime | User and service tracking | Seconds since 1970-01-01T00:00Z |
ifRadiusClass | User and service tracking | |
ifSessionId | User and service tracking | |
inOctets | Service tracking | 64-bit counter |
inPackets | Service tracking | |
interfaceAlias | User and service tracking | |
interfaceDescr | User and service tracking | |
interfaceName | User and service tracking | |
ipv6InOctets | Service tracking | 64-bit counter |
ipv6InPackets | Service tracking | |
ipv6OutOctets | Service tracking | 64-bit counter |
ipv6OutPackets | Service tracking | |
localNasId | All | Configured NAS-ID |
localNasIp | All | Configured NAS-IP |
loginId | User and service authorization | ID provided by the subscriber; the loginId value is not separated into UID and domain name. |
loginName | User and service tracking | Name that the subscriber uses to log in to the portal |
nasIp | User and service tracking | NAS IP address of the router |
nasPort | User and service tracking | 32-bit integer |
outOctets | Service tracking | 64-bit counter |
outPackets | Service tracking | |
password | User and service authorization | |
portId | User and service tracking | ID of the port on the JunosE router; for example, FastEthernet 3/1:2001 |
primaryUserName | User and service tracking | Name that the subscriber uses for DHCP/PPP authentication |
radiusClass | User tracking, user and service authorization | For service tracking, this value is taken from the RADIUS Access-Accept response. If the response does not contain a value, the RADIUS class defined in the service definition is used. This attribute can be set by an authorization response. |
replyMessage | User and service authorization | This attribute can only be set. |
routerName | User and service tracking | |
serviceBundle | User tracking and authorization | This attribute can be set by an authorization response. |
serviceName | Service tracking | Sets an arbitrary attribute (for example, Class) to the name of the service |
serviceSessionName | Service tracking | Named service session; empty for the default session |
serviceSessionTag | Service tracking | |
sessionId | User and service tracking | |
sessionTime | User and service tracking | |
sessionTimeout | User tracking, user and service authorization | This attribute can be set by an authorization response. |
sessionVolumeQuota | User authorization | This attribute can only be set. It is sent to session tracking events and can be returned by service authorization events. It can be set and retrieved through the portal API and can also be defined through an LDAP attribute in the service definition. If the attribute is defined multiple times, the following precedence is observed: |
setAcctInterimTime | User authorization | Integer |
setAuthVirtualRouterName | DHCP authorization | Text |
setIdleTimeout(ATTR) | User authorization | |
setLoadServices(ATTR) | User authorization | This attribute can only be set. |
setPoolName | DHCP authorization | Text |
setRadiusClass(ATTR) | User and service authorization | |
setReplyMessage(ATTR) | User and service authorization | |
setSessionTimeout(ATTR) | User and service authorization | |
setServiceBundle(ATTR) | User authorization | |
setSessionVolumeQuota(ATTR) | User authorization | |
setSubstitution | User authorization | Text. Substitutions can be set only for service sessions. |
setTerminateTime | User authorization | Text |
setUserIpAddress | DHCP authorization | Integer |
sspHost | User and service tracking | |
terminateCause | User and service tracking | |
uid | User and service authorization | |
userDn | User and service tracking | |
userIpAddress | User and service tracking | |
userMacAddress | User and service tracking | |
userRadiusClass | Service tracking | RADIUS class of the associated subscriber session |
userSessionId | Service tracking | RADIUS session ID of the associated subscriber session |
Configuring a RADIUS Packet Template (SRC CLI)
You can define RADIUS packets for flexible RADIUS accounting and authentication plug-ins in two ways.
Define attributes in a template, and then apply the template to flexible RADIUS accounting and authentication plug-ins.
Define attributes in the packet definition configuration of a flexible plug-in instance. These definitions override definitions in packet templates.
Use the following configuration statements to configure a RADIUS packet template:
To configure a template:

1. From configuration mode, access the RADIUS packet template configuration. In this sample procedure, the stdAcct template is configured in the west-region service activation engine (SAE) group.

    user@host# edit shared sae group west-region configuration radius-packet-template stdAcct

2. Create an attribute instance using the names in Flexible RADIUS Plug-Ins Overview, and enter the configuration for the RADIUS attribute instance.

    [edit shared sae group west-region configuration radius-packet-template stdAcct]
    user@host# edit radius-attributes name

3. Add RADIUS attribute definitions to the attribute instance. Repeat this step for each attribute.

    [edit shared sae group west-region configuration radius-packet-template stdAcct radius-attributes svcstop]
    user@host# set attributes name value

   For example:

    [edit shared sae group west-region configuration radius-packet-template stdAcct radius-attributes svcstop]
    user@host# set attributes Acct-Session-ID sessionId

4. (Optional) Verify the configuration of your attribute instance.

    [edit shared sae group west-region configuration radius-packet-template stdAcct radius-attributes svcstop]
    user@host# show
    attributes {
        Acct-Input-Octets lowWord(inOctets);
        Acct-Output-Octets lowWord(outOctets);
        Acct-Input-Packets lowWord(inPackets);
        Acct-Output-Packets lowWord(outPackets);
        Acct-Input-Gigawords highWord(inOctets);
        Acct-Output-Gigawords highWord(outOctets);
    }

5. (Optional) Verify the configuration of the RADIUS packet template.

    [edit shared sae group west-region configuration radius-packet-template stdAcct radius-attributes svcstop]
    user@host# up
    [edit shared sae group west-region configuration radius-packet-template stdAcct]
    user@host# show
    radius-attributes svcstop {
        attributes {
            Acct-Input-Octets lowWord(inOctets);
            Acct-Output-Octets lowWord(outOctets);
            Acct-Input-Packets lowWord(inPackets);
            Acct-Output-Packets lowWord(outPackets);
            Acct-Input-Gigawords highWord(inOctets);
            Acct-Output-Gigawords highWord(outOctets);
        }
    }
    radius-attributes stop {
        attributes {
            Acct-Session-Time sessionTime;
            Acct-Terminate-Cause terminateCause;
        }
    }
    radius-attributes svcacct {
        attributes {
            Chargeable-User-Identity userSessionProperties.CUI;
            Class radiusClass;
        }
    }
    radius-attributes acct {
        attributes {
            Acct-Session-Id sessionId;
            NAS-Identifier localNasId;
            NAS-IP-Address localNasIp;
            Event-Time eventTime;
        }
    }
    radius-attributes startstop {
        attributes {
            Acct-Multi-Session-Id ifSessionId;
            NAS-Port-Id "\"%s %s\" %(routerName, portId or interfaceName)";
            NAS-Port "nasPort or None";
        }
    }
Note: You must configure any one of the following values to set the Chargeable-User-Identity attribute value in the accounting-request packet.

    userSessionProperties.CUI
    getUserSessionProperties().CUI
    getUserSessionProperties().get("CUI")
    getUserSessionProperties()[CUI]
    userSessionProperties().CUI
Using Flexible RADIUS Packet Definitions
This topic shows some of the ways you can use flexible RADIUS packet definitions. Remember that the name of the attribute instance determines the type of RADIUS packet in which the packet definition is used.
To use the Challenge Handshake Authentication Protocol (CHAP) to authenticate subscribers, include the Chap-Password and optionally the Chap-Challenge attributes in authentication requests. (We recommend that you use Chap-Password only. Use Chap-Challenge only if required.) To use a CHAP password, include the following in attribute instance auth:

    Chap-Password = password

To cause the Calling-Station-Id attribute to use the subscriber's MAC address:

    Calling-Station-Id = userMacAddress

To set the value to the prefix N followed by the service name and the prefix S followed by the service session name:

    'N'+serviceName, 'S'+serviceSessionName

To construct a value for the Nas-Port-Id attribute by concatenating the value of routerName, a space, and the Nas-Port-ID on the router:

    Nas-Port-Id = routerName + " " + portId

For example, the constructed value might be:

    default@phoenix FastEthernet 4/2

The following example sets the User-Name attribute as follows:
Sets the value to accountingId, or
If accountingId is empty, sets the value to loginName, or
If loginName is also empty, sets the value to NN

    User-Name = accountingId or loginName or "NN"

To extract the lower 32 bits of the 64-bit inOctets counter:

    Acct-Input-Octets = lowWord(inOctets)

To set the counter fields in the RADIUS packet to the appropriate 32-bit values:

    Acct-Input-Octets = lowWord(inOctets)
    Acct-Output-Octets = lowWord(outOctets)
    Acct-Input-Packets = inPackets
    Acct-Output-Packets = outPackets
    Acct-Input-Gigawords = highWord(inOctets)
    Acct-Output-Gigawords = highWord(outOctets)
    Ipv6-Acct-Input-Octets = lowWord(ipv6InOctets)
    Ipv6-Acct-Output-Octets = lowWord(ipv6OutOctets)
    Ipv6-Acct-Input-Packets = ipv6InPackets
    Ipv6-Acct-Output-Packets = ipv6OutPackets
    Ipv6-Acct-Input-Gigawords = highWord(ipv6InOctets)
    Ipv6-Acct-Output-Gigawords = highWord(ipv6OutOctets)

The inOctets and outOctets counters are 64-bit values and must be split into lower 32-bit (Acct-*-Octets) and upper 32-bit (Acct-*-Gigawords) values.
The inPackets and outPackets counters are 32-bit values and can be assigned directly.
The ipv6InOctets and ipv6OutOctets counters are 64-bit values and must be split into lower 32-bit (Ipv6-Acct-*-Octets) and upper 32-bit (Ipv6-Acct-*-Gigawords) values.
The ipv6InPackets and ipv6OutPackets counters are 32-bit values and can be assigned directly.
You can map user session property values to the SAE radius-packet-template for the service tracking plug-in.
If the user property attribute name contains a hyphen (-), use the following format:

    Callback-Number = userProperty['device-type']

If the user property attribute name does not contain a hyphen, use the following format:

    Chargeable-User-Identity = userProperty.imsi
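The request-side definitions in this topic, from the CHAP password through the 64-bit counter split and the two userProperty forms, are all Python expressions evaluated against the values of a plug-in event. The following is an added example, not the SAE's own evaluator: it defines lowWord and highWord, a UserProperty class that allows both userProperty.imsi and userProperty['device-type'], and evaluate_packet, which runs each definition against a constructed service-session event. Treating a comma-separated expression as one attribute instance per element, omitting an attribute whose expression yields None, assigning the 'N'/'S' pair to the Class attribute, and the restricted evaluation namespace are all this example's assumptions.

```python
def lowWord(value):
    """Lower 32 bits of a 64-bit counter, for the Acct-*-Octets attributes."""
    return int(value) & 0xFFFFFFFF


def highWord(value):
    """Upper 32 bits of a 64-bit counter, for the Acct-*-Gigawords attributes."""
    return (int(value) >> 32) & 0xFFFFFFFF


class UserProperty(dict):
    """Lets an expression use userProperty.imsi as well as userProperty['device-type']."""

    def __getattr__(self, name):
        try:
            return self[name]
        except KeyError:
            raise AttributeError(name)


def evaluate_packet(definitions, event):
    """Evaluate each attribute definition's Python expression against the
    plug-in event values and return a list of (attribute, value) pairs.

    Assumptions of this example: a comma-separated expression (a Python tuple)
    yields one attribute instance per element, and a value of None means the
    attribute is omitted. The namespace holds only the event values and the
    two word helpers, with builtins removed; that narrows what an expression
    can reference but is not a sandbox, so template editing stays an
    administrator-only operation.
    """
    namespace = {"__builtins__": {}, "lowWord": lowWord, "highWord": highWord}
    namespace.update(event)
    pairs = []
    for attribute, expression in definitions:
        value = eval(expression, namespace)
        values = value if isinstance(value, tuple) else (value,)
        for single in values:
            if single is not None:
                pairs.append((attribute, single))
    return pairs


# Definitions in the form used on this page (the right-hand side is Python).
# Which attribute carries the 'N'/'S' pair is not stated on the page; Class is assumed.
SVCSTOP_DEFINITIONS = [
    ("User-Name", 'accountingId or loginName or "NN"'),
    ("NAS-Port-Id", 'routerName + " " + portId'),
    ("NAS-Port", "nasPort or None"),
    ("Calling-Station-Id", "userMacAddress"),
    ("Class", "'N'+serviceName, 'S'+serviceSessionName"),
    ("Acct-Input-Octets", "lowWord(inOctets)"),
    ("Acct-Input-Gigawords", "highWord(inOctets)"),
    ("Acct-Output-Octets", "lowWord(outOctets)"),
    ("Acct-Output-Gigawords", "highWord(outOctets)"),
    ("Acct-Input-Packets", "inPackets"),
    ("Acct-Output-Packets", "outPackets"),
    ("Callback-Number", "userProperty['device-type']"),
    ("Chargeable-User-Identity", "userProperty.imsi"),
]

# Constructed service-session stop event; not data from a real SAE.
SAMPLE_EVENT = {
    "accountingId": "",
    "loginName": "alice",
    "routerName": "default@phoenix",
    "portId": "FastEthernet 4/2",
    "nasPort": 0,
    "userMacAddress": "00:11:22:33:44:55",
    "serviceName": "video-gold",
    "serviceSessionName": "",
    "inOctets": (3 << 32) + 1500,  # three full gigawords plus 1500 octets
    "outOctets": 4096,
    "inPackets": 10,
    "outPackets": 7,
    "userProperty": UserProperty({"device-type": "stb", "imsi": "001010123456789"}),
}

if __name__ == "__main__":
    for attribute, value in evaluate_packet(SVCSTOP_DEFINITIONS, SAMPLE_EVENT):
        print("%-26s %r" % (attribute, value))
```

Running it shows the fallback chain picking loginName because accountingId is empty, the NAS-Port attribute dropped because nasPort is 0, and inOctets landing as 1500 in Acct-Input-Octets with 3 in Acct-Input-Gigawords; sending the raw 64-bit counter into a 32-bit attribute would instead truncate silently on the server.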
Setting Values in Authentication Response Packets
You can use some special attribute values to set values in authentication response packets. For example:

    setRadiusClass(ATTR)
    setSessionTimeout(ATTR)
    setSessionVolumeQuota(ATTR)

Flexible RADIUS Plug-Ins Overview lists the type of packets (authresp, userresp, or svcresp) in which you can use these values.
When the RADIUS client finds one of these attribute values in an authentication response, it binds ATTR to the current attribute and executes the defined expression. The expression calls one of the available set methods to set the value in the plug-in event.
Below are some examples.
To set a session timeout:

    Session-Timeout = setSessionTimeout(ATTR)

To set the RADIUS class:

    Class = setRadiusClass(ATTR)

To set the service bundle in VSA 31:

    26.4874.31.text = setServiceBundle(ATTR)

To set the session volume quota:

    26.4874.50.text = setSessionVolumeQuota(ATTR)
Selecting IP Address Pools Using DHCP Response Packets
For DHCP subscribers, you can set up RADIUS authorization plug-ins to return to the router attributes, such as the framed IP address and pool, that can be used to select a DHCP address. You can also set up the name of the virtual router on which the address pool is located and select a fixed address for each subscriber.
Framed IP address—Selects the pool from which the address is allocated; if the framed IP address is not available, the DHCP server allocates the next available address in the pool; use the setUserIpAddress value.
Framed IP pool—Name of the address pool on the router from which an IP address is assigned; use the setPoolName value.
Virtual router name—Name of the virtual router on which the address pool is located; use the setAuthVirtualRouterName value.
You can also select a fixed address for each subscriber. If you identify subscribers by port information (for example, NAS-IP and NAS-Port), the authorization response can select a fixed IP address for each subscriber.
Parameters set in the DHCP profile override parameters set by DHCP authorization plug-ins.
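The response direction described in Setting Values in Authentication Response Packets and Selecting IP Address Pools Using DHCP Response Packets works the other way round from request building: the client takes each attribute present in the response, binds ATTR to its value and executes the expression, which calls a set method on the plug-in event. The following Python is an added example, not the SAE's code: AuthorizationEvent is a constructed stand-in for the plug-in event whose setters validate what they receive, and apply_response runs the svcresp and dhcpresp definitions from this page over constructed response attributes. The setter names are the ones listed on the page; their validation rules, the stored field names and the sample values are this example's assumptions.

```python
import ipaddress


class AuthorizationEvent:
    """Constructed stand-in for the plug-in event the set methods act on (not
    the SAE's own class); each setter validates the RADIUS value it is handed."""

    def __init__(self):
        self.radius_class = self.session_timeout = self.idle_timeout = None
        self.session_volume_quota = self.service_bundle = None
        self.pool_name = self.user_ip_address = self.auth_virtual_router_name = None
        self.substitutions, self.properties = {}, {}

    @staticmethod
    def _seconds(value):
        seconds = int(value)
        if not 0 <= seconds <= 0xFFFFFFFF:
            raise ValueError("timeout must be a 32-bit unsigned number of seconds")
        return seconds

    @staticmethod
    def _pair(text):
        # "name=value", as built by setSubstitution("max_down_rate=%s" % ATTR)
        name, sep, value = str(text).partition("=")
        if not sep or not name:
            raise ValueError("expected name=value, got %r" % text)
        return name, value

    def setRadiusClass(self, attr):
        self.radius_class = str(attr)

    def setSessionTimeout(self, attr):
        self.session_timeout = self._seconds(attr)

    def setIdleTimeout(self, attr):
        self.idle_timeout = self._seconds(attr)

    def setSessionVolumeQuota(self, attr):
        self.session_volume_quota = str(attr)

    def setServiceBundle(self, attr):
        self.service_bundle = str(attr)

    def setPoolName(self, attr):
        self.pool_name = str(attr)

    def setAuthVirtualRouterName(self, attr):
        self.auth_virtual_router_name = str(attr)

    def setUserIpAddress(self, attr):
        # Framed-IP-Address is a 32-bit integer on the wire; dotted text is accepted too
        self.user_ip_address = str(ipaddress.IPv4Address(attr))

    def setSubstitution(self, attr):
        name, value = self._pair(attr)
        self.substitutions[name] = value

    def setProperty(self, attr):
        name, value = self._pair(attr)
        self.properties[name] = value

    def setters(self):
        """The set methods an expression may call, keyed by name."""
        return {n: getattr(self, n) for n in dir(self) if n.startswith("set") and n[3:4].isupper()}


def apply_response(definitions, response_attributes, event):
    """Bind ATTR to each received attribute that has a definition and execute
    the expression; attributes without a definition are ignored. Returns the
    names of the attributes that were applied."""
    namespace = {"__builtins__": {}}
    namespace.update(event.setters())
    applied = []
    for name, value in response_attributes:
        expression = definitions.get(name)
        if expression is None:
            continue
        namespace["ATTR"] = value
        eval(expression, namespace)
        applied.append(name)
    return applied


# Definitions taken from the svcresp and dhcpresp examples on this page
SVCRESP_DEFINITIONS = {
    "Session-Timeout": "setSessionTimeout(ATTR)",
    "Idle-Timeout": "setIdleTimeout(ATTR)",
    "Class": "setRadiusClass(ATTR)",
    "26.4874.31.text": "setServiceBundle(ATTR)",
    "vendor-specific.Juniper.Sdx-Session-Volume-Quota": "setSessionVolumeQuota(ATTR)",
    "vendor-specific.WISPr.Redirection-URL": 'setProperty("startURL=%s" % ATTR)',
    "vendor-specific.WISPr.Bandwidth-Max-Down": 'setSubstitution("max_down_rate=%s" % ATTR)',
}
DHCPRESP_DEFINITIONS = {
    "Framed-Pool": "setPoolName(ATTR)",
    "Framed-IP-Address": "setUserIpAddress(ATTR)",
    "26.4874.1.text": "setAuthVirtualRouterName(ATTR)",
    "26.4874.2.text": "setPoolName(ATTR)",
}

# Constructed responses as (attribute name, decoded value); not real server output
SAMPLE_SVCRESP = [("Session-Timeout", 3600), ("Class", "gold"), ("26.4874.31.text", "bundle-a"),
                  ("vendor-specific.WISPr.Bandwidth-Max-Down", 2048),
                  ("vendor-specific.WISPr.Redirection-URL", "https://portal.example.net/start"),
                  ("Reply-Message", "welcome")]  # no definition, so ignored
SAMPLE_DHCPRESP = [("Framed-IP-Address", 3221225994), ("Framed-Pool", "pool-east"),
                   ("26.4874.1.text", "vr-east")]

if __name__ == "__main__":
    for defs, resp in ((SVCRESP_DEFINITIONS, SAMPLE_SVCRESP), (DHCPRESP_DEFINITIONS, SAMPLE_DHCPRESP)):
        event = AuthorizationEvent()
        print(apply_response(defs, resp, event), vars(event))
```

Only attributes that have a definition in the attribute instance reach a setter, so an unexpected attribute in a response has no effect; a value a setter cannot accept (a negative timeout, an address that is not IPv4) raises before anything is written to the event, which is where such a failure should be logged.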