RADIUS Configuration Overview
This section describes steps that are specific to configuring RADIUS Remote Network Elements.
The basic steps for configuring a RADIUS Remote Network Element are:
- Creating and naming the RADIUS Remote Network Element. See Creating and Naming the Remote Network Element.
- Configuring the client and target communication.
- Assigning the function(s) and configuring the Implicit routing rules (if applicable to the function).
RADIUS Client and Target Communication
Configuring the communication to a RADIUS Remote Network Element consists of configuration of clients and targets. Clients send RADIUS messages towards the server and targets receive RADIUS messages from the server. You may configure multiple clients and targets.
Figure 13 illustrates this concept.
Due to this uni-directional communication, the RADIUS Remote Network Element configuration is split into two parts: upstream and downstream. Note that this upstream and downstream terminology does not refer to the functions listed in Table 9.
Figure 14 illustrates the configuration concepts for a single RADIUS Remote Network Element.
RADIUS Remote Network Element-Upstream Configuration
The left hand side of Figure 14 shows the upstream configuration of the RADIUS Remote Network Element. Notice that the clients for the upstream configuration send authentication and accounting messages towards the server. These clients are called Authentication and Accounting Clients. The targets receive CoA/DM (Change of Authorization/Disconnect Messages) from the server. These targets are called Dynamic Authorization Targets.
RADIUS Remote Network Element-Downstream Configuration
The right hand side of Figure 14 shows the downstream configuration of the RADIUS Remote Network Element. Notice that the clients for the downstream configuration send CoA/DM (Change of Authorization/Disconnect Messages) to the server. These clients are called Dynamic Authorization Clients. The targets receive authentication/authorization messages from the server. These targets are called Authentication Targets.
RADIUS Client and Target Configuration Parameters
Each RADIUS client and target requires certain parameters to be configured. Table 10 summarizes these parameters for each RADIUS client and target.
Table 10 (partially recovered): IP Address & format (1)
(1) The IP address can be either IPv4 or IPv6 for RADIUS.
Some of the parameters in Table 10 are straightforward, such as the IP address/format and the UDP port number. Shared Secrets and Dynamic Authorization are unique to the RADIUS protocol and require further explanation.
Shared Secrets
A RADIUS shared secret is a case-sensitive password (text string) used to validate communications between two RADIUS devices, such as a RADIUS-based server and a RADIUS client or target. The shared secret must be configured to match on both devices. Configure shared secrets that are long enough and random enough to resist attack, and avoid reusing the same shared secret throughout your network.
The IMS AAA Server supports shared secrets of up to 127 alphanumeric characters, including spaces and the following special characters:
~!@#$%^&*()_+|\=-`{}[]:"';<>?/.,
You need to configure the shared secret on each RADIUS client and target in the RADIUS Remote Network Element.
RADIUS Change of Authorization/Disconnect Messages
The RADIUS protocol, defined in RFC 2865, does not support unsolicited messages from the RADIUS server to access devices such as a WLAN AN device. Under some circumstances, it may be desirable for a network administrator to make changes in session characteristics without requiring the access device to initiate an exchange. For example, a network administrator may need to terminate a session or change the authorization attributes associated with a session.
RFC 3576, "Dynamic Authorization Extensions to RADIUS," describes a mechanism that extends the RADIUS protocol to support unsolicited messages sent from the RADIUS server to the access device. These messages allow network administrators to issue change of authorization (CoA) messages, which affect session authorization, or disconnect messages, which cause a session to be terminated immediately.
How Disconnect Messages Work
When a network administrator wants to terminate a session, the administrator causes the RADIUS server to send a Disconnect-Request message to the access device. The Disconnect-Request message identifies the access device and the session to be terminated. If the Disconnect-Request message correctly identifies a session being maintained by the access device, the access device disconnects the session and sends a confirmation message (Disconnect-ACK) back to the RADIUS server.
How Change of Authorization Messages Work
When a network administrator wants to change session authorizations, they cause the RADIUS server to send a CoA-Request to the access device. If the access device is able to change the authorizations for the session, it returns a confirmation message (CoA-ACK) to the RADIUS server. If the request is unsuccessful, the access device returns a failure message (CoA-NAK).
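The following example, added here and not part of the IMS AAA Server product or its documentation, shows how the shared secret described under Shared Secrets actually validates the Disconnect-Request/CoA-Request exchange described above: the RFC 3576 request uses an MD5 authenticator computed with 16 zero octets and the secret, and the ACK/NAK is checked with the RFC 2865 Response Authenticator. The attribute values and the secret are constructed sample data; the secret_allowed check applies the 127-character limit and character set stated for the IMS AAA Server.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 2865 / RFC 3576 (Dynamic Authorization Extensions)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Special characters the page lists as permitted in an IMS AAA Server shared secret
SECRET_SPECIALS = "~!@#$%^&*()_+|\\=-`{}[]:\"';<>?/.,"

def secret_allowed(secret: str) -> bool:
    """True if non-empty, at most 127 chars, and only ASCII alphanumerics,
    spaces and the listed special characters (the documented constraints)."""
    return 0 < len(secret) <= 127 and all(
        (c.isascii() and c.isalnum()) or c == " " or c in SECRET_SPECIALS for c in secret)

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_dynauth_request(code, ident, attrs, secret: bytes) -> bytes:
    """CoA-Request / Disconnect-Request. RFC 3576: Request Authenticator is
    MD5 over Code+ID+Length, 16 zero octets, attributes, then the shared secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def build_response(code, request: bytes, attrs, secret: bytes) -> bytes:
    """ACK/NAK for `request`. RFC 2865: Response Authenticator is MD5 over
    Code+ID+Length, the Request Authenticator, attributes, then the secret."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_request(packet: bytes, secret: bytes) -> bool:
    """Validate a received CoA/Disconnect-Request against the configured secret."""
    if len(packet) < 20: return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Validate an ACK/NAK: identifier must match the request, and the Response
    Authenticator must be computed with our Request Authenticator and secret."""
    if len(response) < 20 or response[1] != request[1]: return False
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(auth, expected)
```

A request or reply built with a mismatched secret fails verification, which is why the secret must match on both the server and the Dynamic Authorization client or target.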
RADIUS Dynamic Authorization Support in the IMS AAA Server
The IMS AAA Server supports Dynamic Authorization by sending CoA/DM to the RADIUS WLAN. It also routes CoA/DM received from a downstream RADIUS AAA server. Figure 15 illustrates the Dynamic Authorization support in the IMS AAA Server.
Notice in Figure 15 that the CoA/DM in the upstream configuration (on the left) are sent from the server to the Dynamic Authorization Target, and in the downstream configuration (on the right) the CoA/DM are received from the Dynamic Authorization Client.
Assigning Functions to a RADIUS Remote Network Element
To assign the functions to a RADIUS Remote Network Element, you select the function from a predefined list in the IMS AAA Server Administrator. The IMS AAA Server internally configures the associated 3GPP reference point parameters. The following functions are supported for RADIUS:
- WLAN—this function can be assigned in the upstream configuration of the Remote Network Element. No configuration is required for this function.
- Downstream—this function can be assigned in the downstream configuration of the Remote Network Element, and requires implicit routing to be configured. Implicit routing rules for the downstream function include routing by IMSI prefix or realm. See Request Routing for more information.
See Table 9 for a description of these functions.
RADIUS Accounting
A RADIUS-based WLAN device can issue an Accounting-Request whenever it chooses, for example upon successful authentication.
Each time RADIUS accounting data arrives at the IMS AAA Server, it is translated to Diameter and forwarded to the Charging Data Function.
Example RADIUS Configuration
Figure 16 illustrates an example configuration for a RADIUS Remote Network Element. This illustration shows example configuration parameters for the upstream and downstream configuration of the Remote Network Element, as well as for the IMS AAA Server.