RADIUS and Diameter Configuration for the SIC Overview (SRC CLI)
The RADIUS and Diameter configuration for the SIC group consists of:
- RADIUS accounting and authentication listeners
- SIC Diameter server
- UDP transports for the group and each SIC server
- At least one RADIUS upstream network element with an accounting client, authentication client, and a dynamic authorization target
- At least one RADIUS downstream network element with an accounting target and an authentication target
- (Optional) A proxy function—Used for defining implicit routing rules
 | Note: Authentication clients and targets and dynamic authorization targets are optional and required only if you are supporting COA and DM requests. |
Figure 1 depicts the SIC RADIUS and Diameter configurations, which are detailed in the following sections.
Figure 1: SIC RADIUS and Diameter Configuration
RADIUS Accounting and Authentication Listeners
The SIC includes accounting and authentication listeners that listen for RADIUS accounting and authentication messages from the NAS and filter undesired events based on attachment session attributes. You must configure at least one accounting listener for the SIC group. If you are supporting COA or DM requests, you must also configure at least one authentication listener. To configure the listeners, you specify the UDP port that the SIC listens on as well as other parameters that control the receipt of UDP packets. The configuration options associated with the listeners control the RADIUS inbound transport for the SIC group, which is used to communicate with upstream network elements that contain one or more accounting and authentication clients.
SIC Diameter Server
The SIC includes a Diameter server. The SIC Diameter server communicates with the SRC Diameter server, which is a peer to the SIC Diameter server. The SIC Diameter server provides the translation between the SAE and SIC by translating COA or DM into VSAs so that they can be understood by the NAS. The SRC Diameter server also passes routing information from the SAE to the SIC Diameter server. This routing information is configured in the SRC CLI under [shared network nas-group name routes].
Typically, the SIC connects to more than one SRC Diameter server. The Diameter servers may belong to a different redundant group. Each redundant group manages one or more NAS groups. Depending on the configuration, the SIC may connect to the SRC Diameter server in the same C Series Controller.
| Note: Because both the SIC Diameter server and the SRC Diameter server need to listen to Diameter traffic, they should use different ports when both are active in the same C Series Controller. |
SIC Diameter Server Configuration Overview
To configure the SIC Diameter server, you need to configure the server identity, port, and protocol. To configure the SRC Diameter server as a peer, configure the Diameter network element, the failover policy information, address, protocol, and active peer information. Figure 2 depicts the Diameter configuration for SIC.
Figure 2: SIC Diameter Configuration
RADIUS Network Elements
A network element is an addressable, logical network entity that contains RADIUS clients and targets.
An upstream RADIUS network element contains:
- Accounting clients, which send accounting messages to the SIC accounting listeners
- Authentication clients, which send authentication requests to the SIC authentication listeners
- Dynamic authorization targets, which receive COA/DM requests from the SIC
A downstream RADIUS network element contains an AAA server (target), which receives accounting and authentication messages from the SIC.
Network elements can contain multiple clients and targets.
Figure 3 depicts network elements and the various clients and targets they contain.
Figure 3: Upstream and Downstream Network Element Clients and Targets
Configuring Upstream RADIUS Network Elements Overview
You need to configure at least one upstream network element containing at least one accounting client and one authentication client. If you are supporting dynamic authorization requests (Change of Authorization [COA] or Disconnect Messages [DMs], you also need to configure a dynamic authorization target in the upstream network element. For dynamic authorization targets, you also need to configure the failover policy and mode. You configure upstream network elements by using the shared sic group group-name radius network-element upstream statement and specifying the shared secret, IP address, and device model of the accounting or authentication client. Figure 4 depicts RADIUS network element upstream and downstream client and target configuration options.
Figure 4: Upstream and Downstream Network Element Client and Target Configuration Options
Configuring Downstream RADIUS Network Elements Overview
You need to configure a downstream network element for the accounting and authentication targets. Figure 4 depicts RADIUS network element upstream and downstream configurations. You configure downstream network elements by using the shared sic group group-name radius network-element downstream statement and specifying the outbound transport, UDP port, shared secret, and IP address of the accounting target. You also need to specify the failover policy, failover mode, and the device model of the accounting target (AAA server).
Using the Proxy Function to Define Implicit Routing Rules
You use the proxy function to define implicit routing rules for accounting and authentication requests by specifying a remote AAA server as a proxy and having the SIC forward accounting and authentication requests to it. When the SIC receives a request, it first evaluates any explicit routing rules. If no match is found, it evaluates implicit routing rules. If a match is found, the SIC routes the request to the proxy AAA server.
You configure the proxy function by configuring a network element and specifying it as a proxy. You can then either define a default route used for all requests from all realms, or you can specify that only requests from certain realms are routed to the proxy AAA server. When you specify realms, you have the option to specify a match condition of either an exact match of the realm string or a match on the prefix of the realm string.
