

RADIUS Configuration Overview

This section describes steps that are specific to configuring RADIUS Remote Network Elements.

The basic steps for configuring a RADIUS Remote Network Element are:

RADIUS Client and Target Communication

Configuring the communication to a RADIUS Remote Network Element consists of configuration of clients and targets. Clients send RADIUS messages towards the server and targets receive RADIUS messages from the server. You may configure multiple clients and targets.

Figure 13 illustrates this concept.


Figure 13: RADIUS Clients and Targets

Due to this uni-directional communication, the RADIUS Remote Network Element configuration is split into two parts: upstream and downstream. Note that this upstream and downstream terminology does not refer to the functions listed in Table 9.

Figure 14 illustrates the configuration concepts for a single RADIUS Remote Network Element.


Figure 14: RADIUS Remote Network Element Configuration

RADIUS Remote Network Element-Upstream Configuration

The left hand side of Figure 14 shows the upstream configuration of the RADIUS Remote Network Element. Notice that the clients for the upstream configuration send authentication and accounting messages towards the server. These clients are called Authentication and Accounting Clients. The targets receive CoA/DM (Change of Authorization/Disconnect Messages) from the server. These targets are called Dynamic Authorization Targets.

RADIUS Remote Network Element-Downstream Configuration

The right hand side of Figure 14 shows the downstream configuration of the RADIUS Remote Network Element. Notice that the clients for the downstream configuration send CoA/DM (Change of Authorization/Disconnect Messages) to the server. These clients are called Dynamic Authorization Clients. The targets receive authentication/authorization messages from the server. These targets are called Authentication Targets.

NOTE: Depending on your network configuration, you may not need to configure both the upstream and downstream part of the Remote Network Element. For example, if the Remote Network Element had only the "Downstream" (server) function assigned to it, you would not need to configure the upstream part of the Remote Network Element.


RADIUS Client and Target Configuration Parameters

Each RADIUS client and target requires certain parameters to be configured. Table 10 summarizes these parameters for each RADIUS client and target.

Table 10: RADIUS Client and Target Configuration Parameters

Upstream or Downstream | Target or Client                   | IP Address & format (1) | UDP Port Number | Shared Secret
Configuration          |                                    |                         |                 |
-----------------------+------------------------------------+-------------------------+-----------------+--------------
Upstream               | Authentication & Accounting Client | ✓                       | -               | ✓
Upstream               | Dynamic Authorization Target       | ✓                       | ✓               | ✓
Downstream             | Authentication Target              | ✓                       | ✓               | ✓
Downstream             | Dynamic Authorization Client       | ✓                       | -               | ✓

(1) The IP address can be either IPv4 or IPv6 for RADIUS.

Some of the parameters in Table 10 are straightforward, such as the IP address/format and the UDP port number. Shared Secrets and Dynamic Authorization are unique to the RADIUS protocol and require further explanation.

Shared Secrets

A RADIUS shared secret is a case-sensitive password (text string) used to validate communications between two RADIUS devices, such as a RADIUS-based server and a RADIUS client or target. The shared secret must be configured to match on both devices. Configure shared secrets that are long enough and random enough to resist attack, and avoid using the same shared secret throughout your network.

The IMS AAA Server supports shared secrets of up to 127 alphanumeric characters, including spaces and the following special characters:

~!@#$%^&*()_+|\=-`{}[]:"';<>?/.,

You need to configure the shared secret on each RADIUS client and target in the RADIUS Remote Network Element.

RADIUS Change of Authorization/Disconnect Messages

The RADIUS protocol, defined in RFC 2865, does not support unsolicited messages from the RADIUS server to access devices such as a WLAN AN device. Under some circumstances, it may be desirable for a network administrator to make changes in session characteristics without requiring the access device to initiate an exchange. For example, a network administrator may need to terminate a session or change the authorization attributes associated with a session.

RFC 3576, "Dynamic Authorization Extensions to RADIUS," describes a mechanism that extends the RADIUS protocol to support unsolicited messages sent from the RADIUS server to the access device. These messages allow network administrators to issue change of authorization (CoA) messages, which affect session authorization, or disconnect messages, which cause a session to be terminated immediately.

How Disconnect Messages Work

When a network administrator wants to terminate a session, the administrator causes the RADIUS server to send a Disconnect-Request message to the access device. The Disconnect-Request message identifies the access device and the session to be terminated. If the Disconnect-Request message correctly identifies a session being maintained by the access device, the access device disconnects the session and sends a confirmation message (Disconnect-ACK) back to the RADIUS server.

How Change of Authorization Messages Work

When a network administrator wants to change session authorizations, they cause the RADIUS server to send a CoA-Request to the access device. If the access device is able to change the authorizations for the session, it returns a confirmation message (CoA-ACK) to the RADIUS server. If the request is unsuccessful, the access device returns a failure message (CoA-NAK).
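The Disconnect/CoA exchange described above, and the way the shared secret from the "Shared Secrets" section validates each leg of it, as an added example that is not part of this documentation or of the IMS AAA Server software: the packets follow RFC 2865 and RFC 3576, and the secret, user name and session id are constructed placeholders.

```python
import hashlib
import hmac
import struct
# Packet codes from RFC 3576 (Dynamic Authorization Extensions to RADIUS)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
HDR = "!BBH"  # Code, Identifier, Length in network byte order

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("BB", attr_type, len(value) + 2) + value

def authenticator(code, ident, auth_field, attrs, secret):
    """MD5(Code + Identifier + Length + <16-octet field> + Attributes + Secret)."""
    header = struct.pack(HDR, code, ident, 20 + len(attrs))
    return hashlib.md5(header + auth_field + attrs + secret).digest()

def build_request(code, ident, attrs, secret):
    """Server side: CoA/Disconnect-Request; RFC 3576 zeroes the authenticator field when computing it."""
    auth = authenticator(code, ident, bytes(16), attrs, secret)
    return struct.pack(HDR, code, ident, 20 + len(attrs)) + auth + attrs

def verify_request(packet, secret):
    """Access-device side: accept only if the request validates under the shared secret."""
    if len(packet) < 20 or struct.unpack(HDR, packet[:4])[2] != len(packet):
        return False
    expected = authenticator(packet[0], packet[1], bytes(16), packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def build_response(code, request, secret, attrs=b""):
    """Access-device ACK/NAK; its Response Authenticator covers the Request Authenticator (RFC 2865)."""
    auth = authenticator(code, request[1], request[4:20], attrs, secret)
    return struct.pack(HDR, code, request[1], 20 + len(attrs)) + auth + attrs

def verify_response(response, request, secret):
    """Server side: Identifier must match the request and the authenticator must verify."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack(HDR, response[:4])[2] != len(response):
        return False
    expected = authenticator(response[0], response[1], request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])

def demo():
    secret = b"constructed-secret"  # placeholder, not a deployment value
    attrs = attr(1, b"user@example.net") + attr(44, b"sess-0001")  # User-Name, Acct-Session-Id
    req = build_request(DISCONNECT_REQUEST, 7, attrs, secret)
    ack = build_response(DISCONNECT_ACK, req, secret)
    forged = build_response(DISCONNECT_ACK, req, b"wrong-secret")
    return verify_request(req, secret), verify_response(ack, req, secret), verify_response(forged, req, secret)
```

demo() returns (True, True, False): the access device accepts the request, the server accepts the genuine Disconnect-ACK, and a reply built with a mismatched secret is rejected, which is why Table 10 requires the secret on every client and target.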

RADIUS Dynamic Authorization Support in the IMS AAA Server

The IMS AAA Server supports Dynamic Authorization by sending CoA/DM to the RADIUS WLAN. It also routes CoA/DM received from a downstream RADIUS AAA server. Figure 15 illustrates the Dynamic Authorization support in the IMS AAA Server.


Figure 15: RADIUS Dynamic Authorization in the IMS AAA Server

Notice in Figure 15 that the CoA/DM in the upstream configuration (on the left) are sent from the server to the Dynamic Authorization Target, and in the downstream configuration (on the right) the CoA/DM are received from the Dynamic Authorization Client.

NOTE: To support Dynamic Authorization in the IMS AAA Server, you must configure the Dynamic Authorization Target in the upstream configuration and/or the Dynamic Authorization Client in the downstream configuration.


Assigning Functions to a RADIUS Remote Network Element

To assign the functions to a RADIUS Remote Network Element, you select the function from a predefined list in the IMS AAA Server Administrator. The IMS AAA Server internally configures the associated 3GPP reference point parameters. The following functions are supported for RADIUS:

WLAN—this function can be assigned in the upstream configuration of the Remote Network Element. No configuration is required for this function.

Downstream—this function can be assigned in the downstream configuration of the Remote Network Element, and requires implicit routing to be configured. Implicit routing rules for the downstream function include routing by IMSI prefix or realm. See Request Routing for more information.

See Table 9 for a description of these functions.

RADIUS Accounting

A RADIUS-based WLAN device can issue an Accounting-Request whenever it chooses, for example upon successful authentication.

Each time RADIUS accounting data arrives at the IMS AAA Server, it is translated to Diameter and forwarded to the Charging Data Function.

Example RADIUS Configuration

Figure 16 illustrates an example configuration for a RADIUS Remote Network Element. This illustration shows example configuration parameters for the upstream and downstream configuration of the Remote Network Element, as well as for the IMS AAA Server.


Figure 16: Example RADIUS Configuration
