SYSTEM ADMINISTRATOR GUIDE     65/1543-CRA 119 1170/1-V1 Uen A    

Configuring RADIUS

© Copyright Ericsson AB 2009. All rights reserved.

Disclaimer

No part of this document may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List

SmartEdge is a registered trademark of Telefonaktiebolaget L M Ericsson.

Contents

1 Overview
1.1 RADIUS Servers
1.2 RADIUS Services Engine
1.3 Accounting and Service Accounting Messages

2 Configuration and Operations Tasks
2.1 Configure the Server IP Address or Hostname
2.2 Configure an IP Source Address (Optional)
2.3 Configure Load Balancing Between RADIUS Servers (Optional)
2.4 Modify RADIUS Connection Parameters (Optional)
2.5 Strip the Domain Portion of Structured Usernames (Optional)
2.6 Change or Ignore the Server Source Port Value (Optional)
2.7 Configure and Assign a RADIUS Policy to a Context (Optional)
2.8 Configure and Send Attributes in RADIUS Packets (Optional)
2.9 Configure RADIUS-Guided Services (Optional)
2.10 RADIUS-Guided Services
2.11 Configuring Service Absolute Timeout Values
2.12 Verifying your Service Absolute Timeout Values
2.13 Configuring Your Service Traffic Limit
2.14 Verifying your Configured Service Traffic Limit
2.15 RADIUS-Guided Service Audit for Volume Counters
2.16 Configuring and Overwriting the NAS-Port-Id RADIUS Attribute
2.17 Verifying your Slot or Port Configuration
2.18 Remap Account Termination Codes (Optional)
2.19 Operations Tasks

3 Configuring Examples
3.1 RADIUS Secret Key, Retry, and Timeout
3.2 RADIUS Loopback Interface
3.3 Custom RADIUS Policy
3.4 Dynamic RADIUS Profile and Forward Policy


1   Overview

This document provides an overview of Remote Authentication Dial-In User Service (RADIUS) support on the SmartEdge® router and describes the tasks used to configure, monitor, and administer RADIUS features. This document also provides examples of configurations for RADIUS features.

The RADIUS protocol, which is based on a client/server architecture, enables remote access to networks and network services. When configured with the IP address or hostname of a RADIUS server, the SmartEdge router can act as a RADIUS client.

To enable authentication through RADIUS, you must also configure authentication, authorization, and accounting (AAA) features; for more information, see Configuring Authentication, Authorization, and Accounting.

1.1   RADIUS Servers

RADIUS servers can perform the following functions:

The SmartEdge router can perform the functions of any of these servers.

In addition to providing authentication, a RADIUS server can collect and store accounting data for subscriber sessions. You can configure a single server that provides both authentication and accounting functions, or you can configure separate authentication and accounting servers.

Accounting is the process of tracking activity and network resources used in a subscriber session, including the number of packets and bytes transmitted during the session. It occurs after the authentication phase in AAA is complete. Accounting can occur for specific contexts, enabling customers to manage activity in their individual accounts.

In addition, the AAA accounting feature enables you to track the services used by an Internet site owner, for example, a wholesaler. When you enable AAA accounting, the router reports user activity to the RADIUS server in the form of accounting records. Common services tracked through service accounting are voice and video.

A RADIUS server can also act as a Change of Authorization (CoA) server, allowing dynamic RADIUS-guided services for subscriber sessions. The SmartEdge router supports both RADIUS CoA messages and disconnect messages. CoA messages can modify the characteristics of existing subscriber sessions, without loss of service; disconnect messages can terminate subscriber sessions.

Note:  
Throughout this document, the term RADIUS server refers to any of the server types. The terms RADIUS accounting server, RADIUS authentication server, and RADIUS CoA server refer to servers that support those specific features.

For more information about RADIUS messages, see RADIUS Attributes.

Load balancing between multiple servers is valuable if a large number of sessions are established and terminated every second, and a single RADIUS server is unable to handle the load.

Two load-balancing algorithms are supported:

1.2   RADIUS Services Engine

The RADIUS Services Engine (RSE) is the set of RADIUS-guided features and functions that support dynamic changes to subscriber services.

RADIUS-guided services include the following capabilities:

To support RADIUS-guided services, the SmartEdge router uses a service profile that specifies the service conditions, activates the services, and establishes those conditions for the subscriber session. The service data in a CoA Request or Access Response message is matched against these service conditions.

A service condition in a RADIUS-guided service profile can be mandatory or optional. For a mandatory condition, the RADIUS server must include a value for that condition in the CoA Request or Access Response message. An optional condition includes a default value in the service profile; the SmartEdge router uses the default value if the RADIUS server does not supply one.

1.3   Accounting and Service Accounting Messages

In addition to providing authentication, a RADIUS server collects and stores accounting data for subscriber sessions. Accounting is the process of tracking activity and network resources used in a subscriber session. The process tracks the number of packets and bytes transmitted during the session. It occurs after the authentication phase. Accounting can occur for specific contexts, enabling customers to manage activity in their individual accounts.

The AAA accounting feature also enables you to track the services used by an Internet site, for example, a wholesaler. The SmartEdge router reports service activity to the RADIUS server in the form of accounting records. Common services tracked through service accounting are voice and video.

As part of both general accounting and service accounting, the router generates messages indicating the states of the accounting process. Common service messages indicate when the router starts and stops sending service accounting packets to the RADIUS server. For example, when the router initiates accounting, the router generates a message (with an acct-start message) indicating the accounting process has begun.

While accounting messages can be helpful to identify accounting states, they create overhead, using system memory and CPU resources. To manage overhead associated with this activity, the operating system enables you to configure the SmartEdge router to drop RADIUS accounting messages in a specific context. To drop a message, you specify the message using the attribute command.

Common service messages indicate when the router begins and stops sending service accounting packets to the RADIUS server. The router sends these packets to the server when the RADIUS Change of Authorization (CoA) server initiates these actions.

For general accounting, the router generates the following messages:

For service accounting, the router generates the following messages:

Figure 1 shows the flow of service accounting messages.

Figure 1   Flow of Service Accounting Messages

2   Configuration and Operations Tasks

To configure RADIUS, perform the tasks described in the following sections.

Note:  
In this section, the command syntax in the task tables displays only the root command; for the complete command syntax, see Command List.

2.1   Configure the Server IP Address or Hostname

To configure the IP address or hostname of a RADIUS accounting server or RADIUS server, perform the appropriate task described in Table 1. Enter all commands in context configuration mode.

Table 1    Configure the Server IP Address or Hostname

Task: Configure the RADIUS accounting server IP address or hostname.
Root Command: radius accounting server
Notes: To enable accounting through RADIUS, you must also enter the aaa accounting subscriber radius command (in context configuration mode).

Task: Configure the RADIUS server IP address or hostname.
Root Command: radius server
Notes: To enable authentication through RADIUS, you must also enter the aaa authentication subscriber radius command (in context configuration mode). To use the RADIUS server as a CoA server, use the CoA-server keyword for this command. To configure an independent CoA server, use the radius coa server command.

Task: Configure the RADIUS CoA server IP address or hostname.
Root Command: radius coa server
Notes: To configure an independent CoA server, use this command. To use the RADIUS authentication server as a CoA server, use the CoA-server keyword for the radius server command.

2.2   Configure an IP Source Address (Optional)

By default, the local IP address of the interface on which RADIUS is transmitted is included in the IP header of RADIUS packets sent by the SmartEdge router. If you do not want to publish the IP address of the RADIUS server, configure a loopback interface whose address is used as the source address for RADIUS packets, as described in Table 2.

Table 2    Configure an IP Source Address

Task: Configure an IP source address.
Root Command: ip source-address radius
Notes: Enter this command in interface configuration mode. The interface must be reachable by the RADIUS server; for command details, see Configuring Contexts and Interfaces.

2.3   Configure Load Balancing Between RADIUS Servers (Optional)

To load balance between multiple RADIUS accounting or RADIUS servers, perform the appropriate task described in Table 3. Enter all commands in context configuration mode.

Table 3    Configure Load Balancing Between RADIUS Servers

Task: Specify a load-balancing algorithm to use among multiple RADIUS accounting servers.
Root Command: radius accounting algorithm

Task: Specify a load-balancing algorithm to use among multiple RADIUS servers.
Root Command: radius algorithm

2.4   Modify RADIUS Connection Parameters (Optional)

To configure how the SmartEdge router responds to connections with RADIUS servers, perform the tasks described in the following sections.

2.4.1   Send Accounting On and Off Messages

To send “accounting on” or “accounting off” messages to any other RADIUS servers that are configured in the current context when a RADIUS server is added or removed, perform the task described in Table 4.

Table 4    Send Accounting On and Off Messages

Task: When an accounting server is added to or removed from the configuration, send an accounting on or accounting off message, respectively, to any other RADIUS servers that are configured in the current context.
Root Command: radius accounting send-acct-on-off
Notes: Enter this command in context configuration mode. By default, the SmartEdge router sends these messages.

2.4.2   Modify RADIUS Timeout Parameters

RADIUS timeout parameters allow you to configure three different intervals that are used by the system to manage responses when a RADIUS server is not responding. Table 5 presents a timeline that describes the intervals and how you can configure them.

Table 5    RADIUS Timeout Intervals

Time: T0
RADIUS Action: Sends a request to a RADIUS server and sets a timer for interval T1.
Interval Set By: radius timeout, radius accounting timeout

Time: T0+T1
RADIUS Action: T1 expires. Assumes the packet is lost or the server is unreachable; sets a timer for interval T2.
Interval Set By: radius server-timeout, radius accounting server-timeout

Time: T0+T1+T2
RADIUS Action: T2 expires. Marks the server as “dead” and tries another server; sets a timer for interval T3.
Interval Set By: radius deadtime, radius accounting deadtime

Time: T0+T1+T2+T3
RADIUS Action: T3 expires. Sends another request to the first server.

To modify the RADIUS timeout parameters that the SmartEdge router uses for managing the connections to and from RADIUS servers and RADIUS accounting servers, perform the appropriate tasks described in Table 6. Enter all commands in context configuration mode.

Table 6    Modify RADIUS Timeout Parameters

1. Optional. Modify the interval that the SmartEdge router waits for a response from a RADIUS server after sending a packet:
   For a RADIUS accounting server: radius accounting timeout
   For a RADIUS server: radius timeout

2. Optional. Modify the maximum number of retransmission attempts during the timeout interval:
   For a RADIUS accounting server: radius accounting max-retries
   For a RADIUS server: radius max-retries

3. Optional. Modify the interval that the SmartEdge router waits for a response before marking a nonresponsive server “dead” (setting the value to 0 disables the feature):
   For a RADIUS accounting server: radius accounting server-timeout
   For a RADIUS server: radius server-timeout

4. Optional. Modify the interval that the SmartEdge router treats a nonresponsive server as “dead” before trying to reach it again (setting this value to 0 disables the feature):
   For a RADIUS accounting server: radius accounting deadtime
   For a RADIUS server: radius deadtime

5. Optional. Modify the number of outstanding requests that can be sent:
   For a RADIUS accounting server: radius accounting max-outstanding
   For a RADIUS server: radius max-outstanding
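As an added illustration of the T0 to T3 timeline in Table 5 (a constructed model, not SmartEdge OS code), the following Python walks an ordered server list with the timeout, max-retries, server-timeout and deadtime values and records when a server is skipped, marked dead, and retried. The timer values, the second server address, and the treatment of deadtime 0 as "never mark dead" are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Timers:
    timeout: float         # T1: radius timeout, seconds to wait for a reply
    max_retries: int       # radius max-retries, retransmissions within T1
    server_timeout: float  # T2: radius server-timeout, wait before marking dead
    deadtime: float        # T3: radius deadtime; 0 is modelled as "never mark dead"


@dataclass
class Server:
    address: str
    reachable: bool          # constructed: whether this server answers at all
    dead_until: float = 0.0  # absolute time until which the server is skipped


@dataclass
class Outcome:
    answered_by: Optional[str] = None
    answered_at: Optional[float] = None
    events: List[str] = field(default_factory=list)


class RadiusClientModel:
    """Walks the configured server list in order, honouring T1, T2 and T3."""

    def __init__(self, servers: List[Server], timers: Timers) -> None:
        self.servers = servers
        self.t = timers

    def send(self, now: float) -> Outcome:
        """Send one request at time `now`; returns who answered and the event trace."""
        out = Outcome()
        clock = now
        for srv in self.servers:
            if srv.dead_until > clock:
                out.events.append(f"{clock:g}s: skip {srv.address}, dead until {srv.dead_until:g}s")
                continue
            if srv.reachable:
                out.events.append(f"{clock:g}s: {srv.address} answered")
                out.answered_by, out.answered_at = srv.address, clock
                return out
            # T1 expires: no reply despite up to max_retries retransmissions.
            clock += self.t.timeout
            out.events.append(f"{clock:g}s: T1 expired on {srv.address} "
                              f"({self.t.max_retries} retries), packet assumed lost")
            # T2 expires: give up on this server; mark it dead unless deadtime is 0.
            clock += self.t.server_timeout
            if self.t.deadtime > 0:
                srv.dead_until = clock + self.t.deadtime
                out.events.append(f"{clock:g}s: T2 expired, {srv.address} dead until {srv.dead_until:g}s")
            else:
                out.events.append(f"{clock:g}s: T2 expired, deadtime 0 so {srv.address} stays in rotation")
        out.events.append(f"{clock:g}s: no server answered")
        return out


def demo() -> RadiusClientModel:
    """Two constructed servers: the first never answers, the second does."""
    return RadiusClientModel(
        [Server("10.43.32.56", reachable=False), Server("10.43.32.57", reachable=True)],
        Timers(timeout=30, max_retries=5, server_timeout=60, deadtime=120))


if __name__ == "__main__":
    client = demo()
    for t in (0, 100, 250):
        print("\n".join(client.send(t).events))
```

With the values above, the first request falls over to the second server 90 s after T0 and the first server is skipped until T0+210 s; a request at 250 s tries the first server again.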

 

2.5   Strip the Domain Portion of Structured Usernames (Optional)

To specify that the domain portion of structured usernames is to be removed before sending the usernames to a RADIUS server for authentication, perform the task described in Table 7.

Table 7    Strip the Domain Portion of Structured Usernames

Task: Strip the domain portion of structured usernames.
Root Command: radius strip-domain
Notes: Enter this command in context configuration mode.

2.6   Change or Ignore the Server Source Port Value (Optional)

To increase the number of outstanding authentication requests per RADIUS server by sending the requests with a different source port value, perform the task described in Table 8.

Table 8    Change the Server Source Port Value

Task: Change the server source port value.
Root Command: radius source-port
Notes: Enter this command in global configuration mode.

To enable the SmartEdge router to ignore the source port sent by a RADIUS server in an Access-Response message, perform the task described in Table 9.

Table 9    Ignore the Server Source Port Value

Task: Ignore the server source port value in RADIUS Access-Response messages.
Root Command: radius source-port
Notes: Enter this command in context configuration mode.

2.7   Configure and Assign a RADIUS Policy to a Context (Optional)

To configure and assign a RADIUS policy to a context, perform the tasks described in Table 10.

Table 10    Configure and Assign a RADIUS Policy to a Context

1. Create or modify a RADIUS policy and access RADIUS policy configuration mode.
   Root Command: radius policy
   Notes: Enter this command in global configuration mode.

2. Specify the RADIUS attribute or VSA, and optionally the RADIUS messages, from which it is to be dropped.
   Root Command: attribute
   Notes: Enter this command in RADIUS policy configuration mode.

3. Assign the policy to a context.
   Root Command: radius policy
   Notes: Enter this command in context configuration mode.

2.8   Configure and Send Attributes in RADIUS Packets (Optional)

To configure and send attributes in RADIUS request packets, perform one or more of the tasks described in Table 11. Enter all commands in context configuration mode, unless otherwise noted.

Table 11    Configure and Send Attributes in RADIUS Request Packets

Task: Send the Acct-Delay-Time attribute in RADIUS Access-Request and Accounting-Request packets.
Root Command: radius attribute acct-delay-time
Notes: By default, this attribute is not sent.

Task: Send the Acct-Session-Id attribute in RADIUS Access-Request packets.
Root Command: radius attribute acct-session-id
Notes: By default, this attribute is sent only in Accounting-Request packets.

Task: Send a Layer 2 Tunneling Protocol (L2TP) call serial number type value in the Acct-Tunnel-Connection attribute in RADIUS packets.
Root Command: radius attribute acct-tunnel-connection l2tp-call-serial-num
Notes: By default, this attribute is not sent.

Task: Specify the behavior of the SmartEdge router when it receives a RADIUS Filter-Id attribute that does not specify a direction and there is an access control list (ACL) applied to the circuit.
Root Command: radius attribute filter-id
Notes: By default, this attribute is not sent.

Task: Send the NAS-Identifier attribute in RADIUS Access-Request and Accounting-Request packets.
Root Command: radius attribute nas-identifier
Notes: By default, this attribute is not sent.

Task: Send the NAS-IP-Address attribute in RADIUS Access-Request and Accounting-Request packets.
Root Command: radius attribute nas-ip-address
Notes: By default, this attribute is not sent.

Task: Modify the format in which the NAS-Port attribute is sent in RADIUS Access-Request and Accounting-Request packets.
Root Command: radius attribute nas-port
Notes: By default, this attribute is sent using the slot-port format.

Task: Modify the format in which the NAS-Port-Id attribute is sent in RADIUS Access-Request and Accounting-Request packets.
Root Command: radius attribute nas-port-id
Notes: By default, this attribute is sent using the all format.

Task: Modify the value of the NAS-Port-Type attribute sent in RADIUS Access-Request and Accounting-Request packets.
Root Command: radius attribute nas-port-type
Notes: Enter this command in ATM profile, dot1q profile, or port configuration mode. By default, this attribute is sent using a value of either 0 or 5, indicating an asynchronous connection through a console port or a virtual connection through a transport protocol, respectively.

Task: Specify the character the SmartEdge router uses to separate the fields of the medium access control (MAC) address in the Ericsson AB vendor VSA 145, Mac-Addr.
Root Command: radius attribute vendor-specific

2.9   Configure RADIUS-Guided Services (Optional)

To enable RADIUS-guided services for subscriber sessions using a service profile, perform the following tasks.

2.9.1   Configure the RADIUS-Guided Policies for the Service Profile

Configure one or more RADIUS-guided policies, such as a forward policy, NAT policy, or QoS metering or policing policy, to be applied to the subscriber record or profile. For more information, see Configuring Forward Policies, Configuring NAT Policies, and Configuring Rate-Limiting and Class-Limiting.

2.9.2   Configure a RADIUS-Guided Service Profile

Configure the service profile that references the RADIUS-guided policies that you have configured. To configure a RADIUS-guided service profile, perform the tasks in Table 12; enter all commands in service profile configuration mode, unless otherwise noted.

Table 12    Configure a RADIUS-Guided Service Profile

1. Create or select a context in which to configure the policies and service profile and access context configuration mode.
   Root Command: context
   Notes: Enter this command in global configuration mode.

2. Create or select the service profile and access service profile configuration mode.
   Root Command: radius service profile
   Notes: Enter this command in context configuration mode.

3. Specify a service condition for the service profile and its default condition, if necessary.
   Root Command: parameter
   Notes: Enter this command to specify a mandatory or optional condition for the profile.

4. Optional. Specify counters for service accounting.
   Root Command: accounting

5. Specify a service policy attribute with its options.
   Root Command: attribute
   Notes: Enter this command to specify an attribute for each service condition in this profile.

6. Specify a parameter that can have multiple values.
   Root Command: foreach
   Notes: Enter this command preceding an attribute command when a field has multiple values.

2.9.3   Configure the Subscriber Profile or Record

Configure the subscriber profile or record. You do not apply the policies to the subscriber profile or record; they are specified by the RADIUS server and applied by the RADIUS-guided service profile.

2.10   RADIUS-Guided Services

The RADIUS Service Engine (RSE) provides a framework to activate and deactivate subscriber services dynamically. You can use the RSE framework for various applications or subscriber services. The service volume limits per direction and the service absolute timer limits can be reauthorized. RSE supports dynamic reauthorization of service parameters or attributes while the service is active. However, not all service parameters can be reauthorized.

The following example outlines the steps in a typical service reauthorization scenario—in this case, for VoIP:

2.11   Configuring Service Absolute Timeout Values

To configure the service absolute timeout value, enter commands in the RADIUS service profile mode.

The following example shows how to configure the timeout value. The context name is RSE, and the router is called router:

[RSE]router#config
Enter configuration commands, one per line, 'end' to exit
[RSE]router(config)#context RSE
[RSE]router(config-ctx)#radius service profile HTTP-REDIR
[RSE]router(config-service-profile)#service-action absolute-timeout acct-alive
<cr>

The service timeout value is an absolute time measured from when the service started. If the elapsed service time is greater than or equal to the new timeout, the service is deactivated immediately. However, the service is not deactivated if the service action command is configured. The current timer is restarted at AAA with the new value, and the change takes effect immediately.

When the absolute-timeout service action command is configured and the service absolute timer has been reached, the RADIUS server receives a Service-Alive accounting message; however, the service is not deactivated.

The valid range for the timeout value is from 1 to 2147483647 seconds. If the absolute timeout service action is set, a Service-Alive accounting packet is sent to the RADIUS server.

If the service action is not set, the service remains deactivated.

2.12   Verifying your Service Absolute Timeout Values

Use the show configuration command to verify that you have configured the absolute timeout values:

[RSE]router#show configuration 
Building configuration...

Current Configuration:

!
 radius service profile HTTP-REDIR
  service-action absolute-timeout acct-alive
  parameter value prof
  parameter value url
  parameter value svc-timeout
  parameter value in-limit
  accounting in fwd PASSTHRU
  seq 10 attribute HTTP-Redirect-Profile $prof
  seq 20 attribute Forward-Policy in http_redir_policy
  seq 30 attribute Service-Interim-Accounting 900
  seq 40 attribute Service-Timeout $svc-timeout
  seq 50 attribute HTTP-Redirect-url $url
  seq 60 attribute Service-Volume-Limit in $in-limit

2.13   Configuring Your Service Traffic Limit

In the RADIUS service profile, you can configure the service action traffic limit by using the service-action traffic-limit acct-alive command:

[RSE]router(config-ctx)#radius service profile HTTP-REDIR
[RSE]router(config-service-profile)#service-action traffic-limit acct-alive

When the service-action traffic-limit acct-alive command is configured and the service traffic limit has been reached, the RADIUS server receives a Service-Alive accounting message; however, the service is not deactivated.

If the service-action traffic-limit command is not set, the service is deactivated when the limit is reached.

2.14   Verifying your Configured Service Traffic Limit

Use the show configuration command to verify that you have configured the service traffic limit:

[RSE]router#show configuration 
Building configuration...

Current configuration:
!
 radius service profile HTTP-REDIR
  service-action traffic-limit acct-alive
  parameter value prof
  parameter value url
  parameter value svc-timeout
  parameter value in-limit
  accounting in fwd PASSTHRU
  seq 10 attribute HTTP-Redirect-Profile $prof
  seq 20 attribute Forward-Policy in http_redir_policy
  seq 30 attribute Service-Interim-Accounting 900
  seq 40 attribute Service-Timeout $svc-timeout
  seq 50 attribute HTTP-Redirect-url $url
  seq 60 attribute Service-Volume-Limit in $in-limit

2.15   RADIUS-Guided Service Audit for Volume Counters

You can send SNMP queries using the RBN-SUBSCRIBER-ACTIVE-MIB to retrieve a snapshot of each subscriber’s RADIUS-guided service volume counters while a volume-limit-enabled subscriber session is active.

2.16   Configuring and Overwriting the NAS-Port-Id RADIUS Attribute

On Ethernet and ATM cards, you can configure and overwrite the NAS-Port-Id RADIUS attribute. NAS-Port-Id indicates the physical slot/port number of the NAS that is authenticating the user. Configure the NAS-Port-Id by using the radius attribute nas-port-id slot/port command in port configuration mode. You can configure this command on multiple ports.

Configuring or unconfiguring the slot/port values through the CLI after a session has been successfully created has no effect on the NAS-Port-Id of the existing session. However, the NAS-Port-Id attribute of all subsequently created sessions is affected as follows:

The NAS-Port-Id overwrite function is restricted to PPPoE/PPPoEoA-based subscribers. Configuring the radius attribute nas-port-id x/y command has no effect on non-PPPoE subscribers. When configured at the port level, slot/port substitution is performed for all circuits configured under that port, and has no impact on link-group subscribers.

2.16.1   Enable Overwriting the NAS-Port-Id RADIUS Attribute

To enable overwriting of the NAS-Port-ID, use the following command syntax:

[local]Redback(config-port)# radius attribute nas-port-id slot/port

If you configure a slot value outside the valid range, the following error message is displayed to prevent slot misconfiguration:

[local]Redback(config-port)#radius attribute nas-port-id 99/1
                                                               ^ 
% Invalid input at '^' marker 

To correct this error, specify a slot value between 1 and 14.

Similarly, if you configure a port value outside the valid range, the following error message is displayed to prevent port misconfiguration:

[local]Redback(config-port)#radius attribute nas-port-id 14/65
                                                                  ^ 
% Invalid input at '^' marker

Again, to correct this error, specify a port value between 1 and 64.

2.16.2   Disable Overwriting the RADIUS Attribute

To disable overwriting the RADIUS attribute, enter the following commands at the port configuration level:

[local]Redback(config)#port ethernet slotX/portY
[local]Redback(config-port)#no radius attribute nas-port-id

2.17   Verifying your Slot or Port Configuration

When NAS-Port-Id is not configured or has been unconfigured, the show configuration command displays the following information:

Current configuration:
port ethernet <slotA/slotB>
 no radius attribute nas-port-id
!

After you have configured your slot/port values, use the show port slot/port detail command to confirm that the NAS-Port-Id has been overwritten and to view the NAS Port Type configured under the port. When these attributes are not configured, no values are displayed.

Following is an example of the information displayed by the show port slot/port detail command:

[local]Redback#show port 5/1 detail

ethernet 5/1 state is No card
Description                :
Line state                 : No card
Admin state                : Down
Link Dampening             : disabled
Undampened line state      : No card
Dampening Count            : 0
Encapsulation              : ethernet
MTU size                   : 1500 Bytes
NAS Port Type              : 4
NAS-Port-ID                : 3/4
Media type                 : Unknown

Auto-negotiation           : on                 state: unknown
   Flc negotiated set      : tx&rx-or-rx-only   state: unknown
   force                   : disabled           state: inactive
Flow control               : rx                 state: n/a
Link Distance              : N/A
Loopback                   : off
Active Alarms              : N/A

2.18   Remap Account Termination Codes (Optional)

When a subscriber session is terminated, the system reports the reason for the termination to RADIUS, using one of several terminate cause codes that are defined in RFC 2866, RADIUS Accounting, in attribute 49 (Acct-Terminate-Cause). Because the set of codes defined for RADIUS attribute 49 is very limited, the SmartEdge router defines a more extensive set of terminate cause codes to more precisely indicate the reason for the termination. The system transmits these codes in vendor VSA 142 (Session-Error-Code) and 143 (Session-Error-message).

Terminate error codes and their RADIUS attribute 49 error codes are listed in the “RADIUS Attribute 49 Error Codes” section in RADIUS Attributes. You can change the RADIUS attribute 49 error code for a Redback terminate cause code to a different attribute 49 error code.

To remap a Redback terminate error code to a different RADIUS attribute 49 error code, perform the tasks described in Table 13.

Table 13    Remap Redback Terminate Error Codes

Task: Enable the remapping of account termination error codes and access terminate error cause configuration mode.
Root Command: radius attribute acct-terminate-cause remap
Notes: Enter this command in global configuration mode.

Task: Remap a Redback terminate error code to a different RADIUS attribute 49 error code.
Root Command: rbak-term-ec
Notes: Enter this command in terminate error cause configuration mode for each Redback terminate error code that you want to remap.

2.19   Operations Tasks

To monitor, troubleshoot, and administer RADIUS features, perform the RADIUS operations tasks described in Table 14. Enter the clear and debug commands in exec mode; enter the show commands in any mode.

Table 14    RADIUS Operations Tasks

Task: Clear RADIUS counters for access and accounting messages.
Root Command: clear radius counters

Task: Enable the generation of RADIUS debug messages.
Root Command: debug radius

Task: Display RADIUS server control information.
Root Command: show radius control

Task: Display RADIUS access, accounting, and CoA message counters.
Root Command: show radius counters

Task: Display RADIUS server configuration and status information.
Root Command: show radius server

Task: Display RADIUS server statistics.
Root Command: show radius statistics

3   Configuring Examples

This section provides examples of configuring RADIUS secret key, retry, and timeout settings, a RADIUS loopback interface, a custom RADIUS policy, and a dynamic RADIUS profile and forward policy.

3.1   RADIUS Secret Key, Retry, and Timeout

The following example configures the IP address of the RADIUS server, 10.43.32.56, using the key, Secret, and configures related behaviors of the SmartEdge router:

[local]Redback(config-ctx)#radius server 10.43.32.56 key Secret
[local]Redback(config-ctx)#radius max-retries 5
[local]Redback(config-ctx)#radius timeout 30

3.2   RADIUS Loopback Interface

The following example configures the interface with IP address 108.1.1.1 to connect to the RADIUS server; a loopback interface is also configured with IP address 11.200.1.1, which is sent to the RADIUS server as the source IP address for RADIUS packets.

[local]Redback(config)#context local
[local]Redback(config-ctx)#interface to-radius-server
[local]Redback(config-if)#ip address 108.1.1.1/24
[local]Redback(config-if)#exit
[local]Redback(config-ctx)#interface loop1 loopback
[local]Redback(config-if)#ip address 11.200.1.1/32
[local]Redback(config-if)#ip source-address radius

3.3   Custom RADIUS Policy

The following example creates a custom RADIUS policy named custom that drops RADIUS attribute 123 in all RADIUS messages, Redback vendor-specific attribute (VSA) 10 in Access-Request messages, and Redback VSAs 11 and 12 in the listed Accounting messages, and then assigns the policy to the gold-isp context:

[local]Redback(config)#radius policy name custom

[local]Redback(config-rad-policy)#attribute 123 drop

[local]Redback(config-rad-policy)#attribute rbak 10 drop access-request

[local]Redback(config-rad-policy)#attribute rbak 11 drop acct-start acct-update

[local]Redback(config-rad-policy)#attribute rbak 12 drop acct-start acct-stop

[local]Redback(config-rad-policy)#exit

[local]Redback(config)#context gold-isp

[local]Redback(config-ctx)#radius policy custom
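To make concrete what the policy above strips before a packet reaches the server, the following added Python example (not SmartEdge code) applies the same four rules to raw RADIUS packets: it parses the attribute TLVs, classifies the message the way the policy keywords do, and removes standard attributes or Redback vendor-specific sub-attributes. It goes a little beyond the page by classifying Accounting-Request packets from Acct-Status-Type; Redback's IANA enterprise number 2352 is assumed here, and the packets built with make_packet are constructed test data.

```python
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST, ACCT_STATUS_TYPE, VENDOR_SPECIFIC = 1, 4, 40, 26  # RFC 2865/2866
REDBACK_VENDOR_ID = 2352  # Redback Networks IANA enterprise number (assumed here)
ACCT_KIND = {1: "acct-start", 2: "acct-stop", 3: "acct-update"}  # Acct-Status-Type values
# The section 3.3 policy as rules: (vendor or None, attribute number, message kinds; None = all)
POLICY_CUSTOM = [(None, 123, None), ("rbak", 10, {"access-request"}),
                 ("rbak", 11, {"acct-start", "acct-update"}),
                 ("rbak", 12, {"acct-start", "acct-stop"})]

def parse_tlvs(buf):
    # 1-byte type / 1-byte length TLVs; used for attributes and for Redback VSA sub-attributes
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out

def build_tlvs(tlvs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in tlvs)

def make_packet(code, attrs, ident=0):
    # Constructed packet with a zeroed authenticator, for trying the policy offline
    body = build_tlvs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def apply_policy(packet, policy=POLICY_CUSTOM):
    # Drop the attributes the policy names for this message kind and fix up the length field;
    # the authenticator (bytes 4..19) is copied as-is since the NAS computes it over the final packet
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, kept = parse_tlvs(packet[20:]), []
    kind = "access-request" if code == ACCESS_REQUEST else None
    status = dict(attrs).get(ACCT_STATUS_TYPE) if code == ACCOUNTING_REQUEST else None
    if status and len(status) == 4:  # Acct-Status-Type picks acct-start / acct-stop / acct-update
        kind = ACCT_KIND.get(struct.unpack("!I", status)[0])
    def drop(vendor, number):
        return any(vn == vendor and n == number and (k is None or kind in k) for vn, n, k in policy)
    for t, v in attrs:
        if t == VENDOR_SPECIFIC and len(v) >= 4 and struct.unpack("!I", v[:4])[0] == REDBACK_VENDOR_ID:
            subs = [s for s in parse_tlvs(v[4:]) if not drop("rbak", s[0])]
            if subs:  # attribute 26 itself goes only when no sub-attribute survives
                kept.append((t, v[:4] + build_tlvs(subs)))
        elif not drop(None, t):
            kept.append((t, v))
    body = build_tlvs(kept)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + packet[4:20] + body
```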

3.4   Dynamic RADIUS Profile and Forward Policy

The following examples create a RADIUS-guided forward policy and a RADIUS-guided service profile that specifies the dynamic service conditions for the forward policy. All configurations are created in the local context. The subscriber configuration on a RADIUS server is listed after the service profile.

First, you create a RADIUS-guided forward policy with three classes. The forward policy redirects one class with an ACL policy and takes no action on the other two classes. In the service profile that follows, the field for the destination port number of the portal class is given the default value 80, and the service timeout field is given the default value 900.

[local]Redback(config-ctx)#forward policy captive-portal radius-guided

[local]Redback(config-frwd)#access-group

[local]Redback(config-policy-group)#class redirect

[local]Redback(config-policy-group-class)#redirect destination local

[local]Redback(config-policy-group-class)#exit

[local]Redback(config-policy-group)#class portal

[local]Redback(config-policy-group-class)#exit

[local]Redback(config-policy-group)#class bypass

[local]Redback(config-policy-group-class)#exit

[local]Redback(config-policy-group)#exit

[local]Redback(config-frwd)#exit

! Create a service profile for the redirect and portal classes of traffic

[local]Redback(config-ctx)#radius service profile redirect

! Specify the URL field name for the redirect class

[local]Redback(config-svc-profile)#parameter value redirect-url

! Specify the field names for the destination IP address and port number for the portal class

[local]Redback(config-svc-profile)#parameter value portal-ip

[local]Redback(config-svc-profile)#parameter value portal-port 80

! Specify the field name for an array of TCP port numbers for the redirect class

[local]Redback(config-svc-profile)#parameter list tcp-port

[local]Redback(config-svc-profile)#parameter value service-timeout 900

! Enable accounting for incoming traffic for the redirect class

[local]Redback(config-svc-profile)#accounting in fwd redirect

! Specify the fields in the attributes for dynamic service conditions

! Names beginning with $ are replaced when the value of the field is specified by a RADIUS server

! Names are those previously defined by the parameter statements

! Specify the name of the forward policy;

!   in this example, all subscriber sessions use the same policy

[local]Redback(config-svc-profile)#attribute Forward-Policy "in:$captive-portal"

! Specify the field name for the dynamic URL for the redirect class

[local]Redback(config-svc-profile)#attribute HTTP-Redirect "$redirect-url"

! Specify the field name for the service timeout

[local]Redback(config-svc-profile)#attribute Service-Timeout "$service-timeout"

! Specify the field names for the IP address and port number for the portal class

[local]Redback(config-svc-profile)#attribute Dynamic-Policy-Filter "ip in forward dstip $portal-ip tcp dstport = $portal-port class portal fwd"

! Specify the TCP port array for the destination port numbers for the redirect class

[local]Redback(config-svc-profile)#foreach tcp-port

[local]Redback(config-svc-profile)#attribute Dynamic-Policy-Filter "ip in forward tcp dstport = $tcp-port class redirect fwd"

! RADIUS server subscriber configuration with values for the dynamic service conditions

! In this example, the dynamic conditions are tagged with the value 1

! Specify the name of the service profile

Redback-Service-Name:1 = "redirect"

! Enable service accounting

Redback-Service-Options:1 = 0x01

! Specify the service condition field names

! Specify the redirect URL

Redback-Service-Parameters:1 = "redirect-url=http://172.16.1.1/portal.php"

! Specify the destination IP address for the portal class

! Use the default value in the profile for the port number

Redback-Service-Parameters:1 = "portal-ip=172.16.1.1/32"

! Specify the TCP port numbers for the redirect class

Redback-Service-Parameters:1 = "tcp-port=www,443,8080"

! Specify the timeout interval; this value overrides the default value (900)

Redback-Service-Parameters:1 = "Service-Timeout=1800"
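As an added illustration that is not part of the original guide, the following Python models how the service profile above and the RADIUS server values combine into the conditions a session receives: the profile's parameter statements, defaults and attribute templates are written out as data, the Redback-Service-Parameters strings are parsed, each $field is substituted, and the template after foreach is repeated once per list element. Assumptions made here: parameter names match case-insensitively (the page sends Service-Timeout for the field service-timeout), a value field with no default must be supplied by the server, and a $name that no parameter statement declares is left as-is.

```python
import re

TOKEN = re.compile(r"\$([A-Za-z0-9_-]+)")

# The section 3.4 profile as data: value fields with their defaults (None = must come from the
# server, an assumption), list fields, and the attribute templates in order; a non-None first
# element names the list that a foreach applies to the template
PROFILE_REDIRECT = {
    "values": {"redirect-url": None, "portal-ip": None, "portal-port": "80", "service-timeout": "900"},
    "lists": {"tcp-port"},
    "attributes": [
        (None, "Forward-Policy", "in:$captive-portal"),
        (None, "HTTP-Redirect", "$redirect-url"),
        (None, "Service-Timeout", "$service-timeout"),
        (None, "Dynamic-Policy-Filter",
         "ip in forward dstip $portal-ip tcp dstport = $portal-port class portal fwd"),
        ("tcp-port", "Dynamic-Policy-Filter", "ip in forward tcp dstport = $tcp-port class redirect fwd"),
    ],
}

def parse_parameters(param_strings):
    # One Redback-Service-Parameters value is one "name=value"; names are matched
    # case-insensitively (assumption: the page sends Service-Timeout for the field service-timeout)
    out = {}
    for s in param_strings:
        name, sep, value = s.partition("=")
        if not sep or not name.strip():
            raise ValueError("bad parameter: %r" % s)
        out[name.strip().lower()] = value.strip()
    return out

def expand_profile(profile, params):
    # Return the (attribute, value) pairs a session gets once the server values fill the fields
    fields = {}
    for name, default in profile["values"].items():
        if name not in params and default is None:
            raise ValueError("no value for required field %s" % name)
        fields[name] = params.get(name, default)
    lists = {name: params[name].split(",") if name in params else [] for name in profile["lists"]}
    unknown = set(params) - set(fields) - set(lists)
    if unknown:  # reject names the profile never declared instead of silently ignoring them
        raise ValueError("parameters not defined in profile: %s" % sorted(unknown))
    result = []
    for each, attr, template in profile["attributes"]:
        for item in (lists[each] if each else [None]):  # foreach: one copy per list element
            scope = {**fields, each: item} if each else fields
            # $names not defined by a parameter statement are left untouched (assumption)
            result.append((attr, TOKEN.sub(lambda m: scope.get(m.group(1), m.group(0)), template)))
    return result
```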