    Configuring Upstream and Downstream RADIUS Network Elements (SRC CLI)

    Configuration Statements for Downstream Network Elements and Accounting and Authentication Targets (SRC CLI)

    Use the following statements to configure downstream RADIUS network elements and accounting and authentication targets for the SIC group:

    shared sic group identifier radius network-element id
    shared sic group identifier radius network-element id downstream { model model; }
    shared sic group identifier radius network-element id downstream (authentication | accounting) {failover-mode (round-robin | primary-backup);}
    shared sic group identifier radius network-element id downstream (authentication | accounting) failover-policy
    shared sic group identifier radius network-element id downstream (authentication | accounting) failover-policy fast-fail { minimum-number minimum-number; timeout timeout; reset-delay reset-delay; }
    shared sic group identifier radius network-element id downstream (authentication | accounting) failover-policy retry { number number; timeout timeout; }
    shared sic group identifier radius network-element id downstream (authentication | accounting) accounting-target name { address address; priority priority;}
    shared sic group identifier radius network-element id downstream (authentication | accounting) accounting-target name { secret secret; outbound-transport outbound-transport; port port; }
    shared sic group identifier radius network-element id downstream (authentication | accounting) authentication-target name {address address;priority priority;}
    shared sic group identifier radius network-element id downstream (authentication | accounting) authentication-target name {secret secret;outbound-transport outbound-transport;port port;}

    Configuration Statements for Upstream Network Elements, Accounting and Authentication Clients, and Dynamic Authorization Targets (SRC CLI)

    Use the following statements to configure upstream RADIUS network elements, accounting and authentication clients, and dynamic authorization targets for the SIC group:

    shared sic group identifier radius network-element id
    shared sic group identifier radius network-element id upstream { model model; }
    shared sic group identifier radius network-element id upstream radius-client id {address address;accounting-secret accounting-secret;authentication-secret authentication-secret;}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target {failover-mode (round-robin | primary-backup);}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target failover-policy
    shared sic group identifier radius network-element id upstream dynamic-authorization-target failover-policy retry {number number;timeout timeout;}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target failover-policy fast-fail {minimum-number minimum-number;timeout timeout;reset-delay reset-delay;}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target target name {address address;priority priority;}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target target name {secret secret;port port;}

    Creating a Network Element (SRC CLI)

    Network elements are logical entities that are considered either upstream or downstream from the SIC. Upstream network elements contain logical clients and targets for NAS devices. Downstream network elements contain logical targets for the downstream AAA server responsible for accounting and authentication.

    Use the following statement to create a network element:

    shared sic group identifier radius network-element id

    To create a network element:

    • From configuration mode, access the statement that creates a RADIUS network element. For example, to create a network element called ne1 for the SIC group group1:
      [edit]
      user@host# edit shared sic group group1 radius network-element ne1

    Configuring the Device Models Supported in the Network Element (SRC CLI)

    You must configure which device models are supported by the upstream and downstream network elements.

    Note: To assign a device model to a network element, you must first configure the device models and the associated dictionaries supported by the SIC group using the shared sic group identifier model id statement. See Configuring the Device Models Supported by the SIC Group (SRC CLI).

    Use the following statements to configure the device model:

    shared sic group identifier radius network-element id downstream { model model; }
    shared sic group identifier radius network-element id upstream { model model; }

    To configure the device models supported in the network element:

    1. From configuration mode, access the statement that configures the RADIUS network element and specify a name for the network element. This sample procedure uses group1 for the SIC group and ne1 for the downstream network element identifier.
      [edit]
      user@host# edit shared sic group group1 radius network-element ne1 downstream
    2. Specify a device model. The device model must have previously been configured for the SIC group.
      [edit shared sic group group1 radius network-element ne1 downstream]
      user@host# set model model

    Configuring Upstream Network Elements and Accounting and Authentication Clients (SRC CLI)

    Accounting and authentication clients are NAS devices that logically reside in upstream network elements. Accounting clients send RADIUS accounting requests to the SIC accounting listener. Authentication clients send RADIUS authentication requests to the SIC authentication listener. You must configure at least one accounting client and one authentication client. Each client must have a unique name and address.

    Use the following statement to configure accounting and authentication clients:

    shared sic group identifier radius network-element id upstream radius-client id {address address;accounting-secret accounting-secret;authentication-secret authentication-secret;}

    To configure RADIUS accounting and authentication clients:

    1. From configuration mode, access the statement that configures an upstream network element and RADIUS client. For example, to configure an upstream RADIUS network element called ne1 and RADIUS client called rc1 for the SIC group group1:
      [edit]
      user@host# edit shared sic group group1 radius network-element ne1 upstream radius-client rc1
    2. (Optional) Specify the IP address of the RADIUS client.
      [edit shared sic group group1 radius network-element ne1 upstream radius-client rc1]
      user@host# set address address
    3. (Optional) Specify the shared secret used by the accounting client.
      [edit shared sic group group1 radius network-element ne1 upstream radius-client rc1]
      user@host# set accounting-secret accounting-secret
    4. Specify the shared secret used by the authentication client.
      [edit shared sic group group1 radius network-element ne1 upstream radius-client rc1]
      user@host# set authentication-secret authentication-secret
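
How the accounting shared secret configured for a RADIUS client is used on the wire, as an added example that is not part of the original guide and is not SRC code: per RFC 2866, an Accounting-Request carries an MD5 authenticator computed over the packet and the shared secret, so a listener holding a different secret rejects the request. The secrets, attribute values and function names below are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
HEADER_LEN = 20         # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Constructed placeholder secrets, standing in for the values given to
# "set accounting-secret" and "set authentication-secret" on one radius-client.
ACCT_SECRET = b"example-accounting-secret"
AUTH_SECRET = b"example-authentication-secret"


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def acct_authenticator(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """What the NAS (accounting client) sends."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + acct_authenticator(ident, attrs, secret) + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """What an accounting listener checks before trusting the request."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not HEADER_LEN <= length <= len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding
    expected = acct_authenticator(ident, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed sample: User-Name, NAS-IP-Address, Acct-Status-Type=Start, Acct-Session-Id
SAMPLE_ATTRS = (
    attr(1, b"alice")
    + attr(4, bytes([192, 0, 2, 10]))
    + attr(40, struct.pack("!I", 1))
    + attr(44, b"sess-0001")
)


def demo() -> dict:
    packet = build_accounting_request(7, SAMPLE_ATTRS, ACCT_SECRET)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])
    return {
        "matching accounting secret": verify_accounting_request(packet, ACCT_SECRET),
        "authentication secret entered by mistake": verify_accounting_request(packet, AUTH_SECRET),
        "attribute modified in transit": verify_accounting_request(tampered, ACCT_SECRET),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Access-Requests use the shared secret differently (a random Request Authenticator plus password hiding), so this check applies to the accounting path only.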

    Configuring Upstream Network Elements and Dynamic Authorization Targets (SRC CLI)

    Dynamic authorization targets are logical entities that represent the NAS device in upstream network elements. The SIC forwards CoA/DM (Change of Authorization and Disconnect Message) requests to dynamic authorization targets.

    Use the following statements to configure dynamic authorization targets:

    shared sic group identifier radius network-element id upstream dynamic-authorization-target target name {address address;priority priority;}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target target name {secret secret;port port;}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target {failover-mode (round-robin | primary-backup);}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target failover-policy {priority priority;}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target failover-policy retry {number number;timeout timeout;}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target failover-policy fast-fail {minimum-number minimum-number;timeout timeout;reset-delay reset-delay;}

    To configure a dynamic authorization target:

    1. From configuration mode, access the statement that configures an upstream network element and dynamic authorization target. For example, to configure an upstream RADIUS network element called ne1 and dynamic authorization target called dat1 for the SIC group group1:
      [edit]
      user@host# edit shared sic group group1 radius network-element ne1 upstream dynamic-authorization-target target dat1
    2. Specify the IP address of the target.
      [edit shared sic group group1 radius network-element ne1 upstream dynamic-authorization-target target dat1]
      user@host# set address address
    3. Specify the priority of the target. Targets with lower priority values are selected before other targets in a failover policy.
      [edit shared sic group group1 radius network-element ne1 upstream dynamic-authorization-target target dat1]
      user@host# set priority priority
    4. Specify the shared secret used by the target.
      [edit shared sic group group1 radius network-element ne1 upstream dynamic-authorization-target target dat1]
      user@host# set secret secret
    5. (Optional) Specify the port used by the target to receive dynamic authorization messages.
      [edit shared sic group group1 radius network-element ne1 upstream dynamic-authorization-target target dat1]
      user@host# set port port

    Configuring Downstream Network Elements and Accounting and Authentication Targets (SRC CLI)

    Accounting and authentication targets (RADIUS AAA server) receive requests forwarded by the SIC. These targets reside in downstream network elements. You must configure at least one accounting target and one authentication target. Each target must have a unique name and address.

    1. Configuring SIC Accounting Targets (SRC CLI)
    2. Configuring SIC Authentication Targets (SRC CLI)

    Configuring SIC Accounting Targets (SRC CLI)

    Use the following statements to configure accounting targets:

    shared sic group identifier radius network-element id downstream (authentication | accounting) accounting-target name { address address; priority priority;}
    shared sic group identifier radius network-element id downstream (authentication | accounting) accounting-target name { secret secret; outbound-transport outbound-transport; port port; }

    To configure an accounting target:

    1. From configuration mode, access the statement that configures the accounting target. This sample procedure uses group1 for the group identifier, ne1 for the network element identifier, and target1 as the accounting target name.
      [edit]
      user@host# edit shared sic group group1 radius network-element ne1 downstream accounting accounting-target target1
    2. Specify the IP address of the RADIUS accounting target contained in the network element.
      [edit shared sic group group1 radius network-element ne1 downstream accounting accounting-target target1]
      user@host# set address address
    3. Specify the priority of the target. Targets with lower priority values are selected before other targets in a failover policy.
      [edit shared sic group group1 radius network-element ne1 downstream accounting accounting-target target1]
      user@host# set priority priority
    4. Specify the shared secret used by the RADIUS accounting target.
      [edit shared sic group group1 radius network-element ne1 downstream accounting accounting-target target1]
      user@host# set secret secret
    5. (Optional) Specify the name of the local transport used to send requests to the accounting target.
      [edit shared sic group group1 radius network-element ne1 downstream accounting accounting-target target1]
      user@host# set outbound-transport outbound-transport
    6. (Optional) Specify the UDP port number on which the RADIUS accounting target listens for requests.
      [edit shared sic group group1 radius network-element ne1 downstream accounting accounting-target target1]
      user@host# set port port

    Configuring SIC Authentication Targets (SRC CLI)

    Use the following statements to configure authentication targets:

    shared sic group identifier radius network-element id downstream (authentication | accounting) authentication-target name {address address;priority priority;}
    shared sic group identifier radius network-element id downstream (authentication | accounting) authentication-target name {secret secret;outbound-transport outbound-transport;port port;}

    To configure an authentication target:

    1. From configuration mode, access the statement that configures the authentication target. This sample procedure uses group1 for the group identifier, ne1 for the network element identifier, and target1 as the authentication target name.
      [edit]
      user@host# edit shared sic group group1 radius network-element ne1 downstream authentication authentication-target target1
    2. Specify the IP address of the RADIUS authentication target contained in the network element.
      [edit shared sic group group1 radius network-element ne1 downstream authentication authentication-target target1]
      user@host# set address address
    3. Specify the priority of the target. Targets with lower priority values are selected before other targets in a failover policy.
      [edit shared sic group group1 radius network-element ne1 downstream authentication authentication-target target1]
      user@host# set priority priority
    4. Specify the shared secret used by the RADIUS authentication target.
      [edit shared sic group group1 radius network-element ne1 downstream authentication authentication-target target1]
      user@host# set secret secret
    5. (Optional) Specify the name of the local transport used to send outbound requests to the authentication target.
      [edit shared sic group group1 radius network-element ne1 downstream authentication authentication-target target1]
      user@host# set outbound-transport outbound-transport
    6. (Optional) Specify the UDP port number on which the RADIUS authentication target listens for requests.
      [edit shared sic group group1 radius network-element ne1 downstream authentication authentication-target target1]
      user@host# set port port

    Configuration Statements for SIC Group Failover Mode and Policy (SRC CLI)

    Use the following statements to configure failover mode and policy:

    shared sic group identifier radius network-element id downstream (authentication | accounting) {failover-mode (round-robin | primary-backup);}
    shared sic group identifier radius network-element id downstream (authentication | accounting) failover-policy
    shared sic group identifier radius network-element id downstream (authentication | accounting) failover-policy fast-fail { minimum-number minimum-number; timeout timeout; reset-delay reset-delay; }
    shared sic group identifier radius network-element id downstream (authentication | accounting) failover-policy retry { number number; timeout timeout; }
    shared sic group identifier radius network-element id upstream dynamic-authorization-target {failover-mode (round-robin | primary-backup);}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target failover-policy
    shared sic group identifier radius network-element id upstream dynamic-authorization-target failover-policy retry {number number;timeout timeout;}
    shared sic group identifier radius network-element id upstream dynamic-authorization-target failover-policy fast-fail {minimum-number minimum-number;timeout timeout;reset-delay reset-delay;}

    Configuring Failover Mode and Policy (SRC CLI)

    You must configure failover mode and policy for accounting and authentication targets upstream by completing the following tasks:

    1. Configuring Failover Mode (SRC CLI)
    2. Configuring Fast Fail Options for the Failover Policy
    3. Configuring Retry Options for the Failover Policy

    Configuring Failover Mode (SRC CLI)

    You must configure failover mode for both accounting and authentication messages. Use the following statement to configure failover mode:

    shared sic group identifier radius network-element id downstream (authentication | accounting) {failover-mode (round-robin | primary-backup);}

    To configure failover mode:

    1. From configuration mode, access the statement that configures the network element failover mode and specify whether the connection is for authentication or accounting messages.

      For example, this sample procedure uses group1 for the group identifier, ne1 for the network element identifier, and accounting as the connection.

      [edit]
      user@host# edit shared sic group group1 radius network-element ne1 downstream accounting
    2. Specify the failover mode used by the network element.
      [edit shared sic group group1 radius network-element ne1 downstream accounting]
      user@host# set failover-mode (round-robin | primary-backup)

      Where:

      • round-robin—When this failover mode is used, messages are sent to the network element over alternating paths.
      • primary-backup—When this failover mode is used, messages are sent over the primary path unless it is unavailable, in which case messages are sent over the backup path.

    Configuring Fast Fail Options for the Failover Policy

    You must configure fast fail options for the failover policy for both accounting and authentication messages. Use the following statements to configure fast fail options:

    shared sic group identifier radius network-element id downstream (authentication | accounting) failover-policy
    shared sic group identifier radius network-element id downstream (authentication | accounting) failover-policy fast-fail { minimum-number minimum-number; timeout timeout; reset-delay reset-delay; }

    To configure fast fail options for the failover policy:

    1. From configuration mode, access the statement that configures fast fail options for the failover policy. For example, this sample procedure uses group1 for the group identifier, ne1 for the network element identifier, and accounting as the connection type.
      [edit]
      user@host# edit shared sic group group1 radius network-element ne1 downstream accounting failover-policy fast-fail
    2. Specify the minimum number of times the message is retransmitted if an acknowledgment from the target is not received.
      [edit shared sic group group1 radius network-element ne1 downstream accounting failover-policy fast-fail]
      user@host# set minimum-number minimum-number
    3. Specify the time in seconds before the target is placed into fast fail mode.
      [edit shared sic group group1 radius network-element ne1 downstream accounting failover-policy fast-fail]
      user@host# set timeout timeout
    4. Specify the time in seconds after which the target is taken out of fast fail mode.
      [edit shared sic group group1 radius network-element ne1 downstream accounting failover-policy fast-fail]
      user@host# set reset-delay reset-delay

    Configuring Retry Options for the Failover Policy

    You must configure retry options for the failover policy for both accounting and authentication messages. Use the following statement to configure retry options:

    shared sic group identifier radius network-element id downstream (authentication | accounting) failover-policy retry { number number; timeout timeout; }

    To configure retry options for the failover policy:

    1. From configuration mode, access the statement that configures retry options for the failover policy. For example, this sample procedure uses group1 for the group identifier, ne1 for the network element identifier, and accounting as the connection type.
      [edit]
      user@host# edit shared sic group group1 radius network-element ne1 downstream accounting failover-policy retry
    2. Specify the maximum number of times a message is retransmitted if an acknowledgment from the target is not received.
      [edit shared sic group group1 radius network-element ne1 downstream accounting failover-policy retry]
      user@host# set number number
    3. Specify the number of seconds between retry attempts.
      [edit shared sic group group1 radius network-element ne1 downstream accounting failover-policy retry]
      user@host# set timeout timeout

    Modified: 2012-06-06