Authentication, Authorization, Accounting
An IPoE subscriber is considered locally authenticated if the subscriber's IP address matches a static or dynamic rule in a subscriber-map sequence that lacks the set aaa command with the name of the group of remote AAA RADIUS servers.
For PPPoE subscribers, local authentication is not possible, but you can completely disable subscriber authentication in the PPPoE profile using the no authentication command. In this case, any attempt at a PPP subscriber connection will be considered successful.
Local Authorization
Authorization here means the configuration applied to a subscriber for certain services (at what speed data is transmitted for the subscriber in each direction). A locally configured service can be used, as well as one received from a remote RADIUS server. The following information applies to both IPoE and PPPoE subscribers.
To configure the access speed for a profile (IPoE/PPPoE), you need to create a subscriber-service. The created subscriber-service can be linked to a PPPoE profile or to an IPoE subscriber map manually, or obtained from a RADIUS server:
ecorouter(config)#subscriber-service ?
SUBSCRIBER_SERVICE Subscriber service name
A subscriber-policy must be assigned to the subscriber-service.
ecorouter(config-sub-service)#set ?
policy Set policy
ecorouter(config-sub-service)#set policy ?
SUBSCRIBER_POLICY_NAME Subscriber policy name
<cr>
The subscriber-policy specifies the subscriber speed for upstream and downstream packets in kbps and applies the filter-map policy (also for upstream and downstream):
ecorouter(config)#subscriber-policy <NAME>
ecorouter(config-sub-policy)#bandwidth ?
in Upstream packets
out Downstream packets
ecorouter(config-sub-policy)#bandwidth in ?
kbps Bandwidth value in kbps
ecorouter(config-sub-policy)#bandwidth in kbps ?
<64-10000000> Kbits per second
ecorouter(config-sub-policy)#set filter-map ?
in Upstream packets
out Downstream packets
ecorouter(config-sub-policy)#set filter-map in ?
FILTER_MAP_POLICY_IPV4 Filter map name
ecorouter(config-sub-policy)#set filter-map in
The filter-map policy specifies the match criteria by which the settings are applied to subscriber traffic.
ecorouter(config)#filter-map policy ipv4 ?
FILTER_MAP_POLICY_IPV4 Filter map name
ecorouter(config)#filter-map policy ipv4 <NAME> ?
<0-65535> Sequence number
<cr>
ecorouter(config)#filter-map policy ipv4 <NAME> 10
Example:
filter-map policy ipv4 <NAME> 10
match any any any
set accept
After the subscriber-service has been set up, it can be applied manually in the PPPoE profile and in the IPoE subscriber map:
ecorouter(config-pppoe)#set subscriber-service ?
SUBSCRIBER_SERVICE Specify subscriber service name
Below is an example of a complete configuration for PPPoE.
1. Configure filter-map policy.
ecorouter(config)#filter-map policy ipv4 50kk 10
ecorouter(config-filter-map-policy-ipv4)#match any any any
ecorouter(config-filter-map-policy-ipv4)#set accept
2. Configure subscriber-policy.
ecorouter(config)#subscriber-policy 50kk
ecorouter(config-sub-policy)#bandwidth in kbps 500032
ecorouter(config-sub-policy)#bandwidth out kbps 500032
ecorouter(config-sub-policy)#set filter-map in 50kk
ecorouter(config-sub-policy)#set filter-map out 50kk
3. Configure subscriber-service.
ecorouter(config)#subscriber-service 50kk
ecorouter(config-sub-service)#set policy 50kk
4.1 Set the subscriber-service.
Manually applying the subscriber-service in the pppoe-profile:
ecorouter(config)#pppoe-profile 0
ecorouter(config-pppoe)#set subscriber-service 50kk
4.2 When using a service from a RADIUS server, the corresponding attribute must be set on the RADIUS server.
5. After the connection is established, the status of the service can be viewed with the show subscribers <interface bmi> <ip addr> command.
5.1 When the subscriber-service is set manually, "(L)" is appended to the service name, meaning "local".
ecorouter#show subscribers bmi.0 192.168.10.2
...
service: 50kk(L)
...
5.2 When the subscriber-service is received from a RADIUS server, "(R)" is appended to the service name, meaning "remote aaa".
ecorouter#show subscribers bmi.0 192.168.10.2
...
service: 50kk(R)
...
Local authorization for IPoE subscribers is configured in the same way, by setting the required subscriber-service in the subscriber-map sequence. By default, authorization via RADIUS has the highest priority; the strict keyword in the set subscriber-service <NAME> command makes local authorization take priority.
No service in the subscriber card
If a subscriber card sequence has no set rule, all subscribers that fall under its match rule (the absence of a match rule matches all IP addresses) fall under the implicit DROP rule. All traffic from these subscribers is blocked, and the service is considered invalid. The lifetime of such sessions is set to 5 minutes, that is, the session is deleted automatically from the global subscriber table after 5 minutes.
RADIUS Server Groups
The EcoRouter supports the use of RADIUS server groups for authorization. This functionality is used when configuring RADIUS for BRAS, where authentication and authorization must be performed on separate RADIUS servers.
In the current implementation up to 16 groups, each containing up to 16 RADIUS servers, are allowed. One RADIUS server can be included in several groups at the same time.
Use the radius-group <RADIUS_GROUP> command in configuration mode to create a RADIUS server group, where <RADIUS_GROUP> is the group name. Whether the group with the specified name already exists or has just been created, the command enters the group's context configuration mode automatically, and the prompt changes to (config-radius-group).
Use the no radius-group <RADIUS_GROUP> command in configuration mode to delete a RADIUS server group, where <RADIUS_GROUP> is the name of the group to be deleted.
In the context configuration mode of a RADIUS server group, the operator can edit or delete the group description, change the group mode, edit the parameters of a specific RADIUS server, or delete it from the group.
Use the commands and parameters specified in the table below in the context configuration mode (config-radius-group) to configure RADIUS server group.
Command/parameter | Description |
---|---|
description <TEXT> | Set the RADIUS server group description, where <TEXT> is the description string |
no description | Delete the RADIUS server group description |
mode <MODE> | Set the RADIUS server group operating mode, where <MODE> is the mode. The default value is active-standby |
transmission-rate threads <NUMBER> packets <NUMBER> | Sets the maximum allowed number of simultaneous requests to the RADIUS server. It is defined by two parameters, threads and packets; the total number of simultaneous requests is calculated as threads x packets |
Timer Configuration | |
request-max-tries <NUMBER> | Number of unanswered requests after which the server is marked as unavailable (DEAD). Default value is 3 |
request-timeout <INTERVAL> | Time interval between request retransmissions, in seconds. Default value is 3 |
dead-time-interval <MIN> <MAX> | Time interval in seconds during which the server is considered unavailable (DEAD). The minimum <MIN> and maximum <MAX> values can be specified. The default <MIN> value is 15 seconds, <MAX> is 300 seconds. The valid values of <MIN> and <MAX> are from 0 to 65535. Principle of the dead-time-interval timer: after a RADIUS server previously marked as ACTIVE has not responded to <NUMBER> requests (the request-max-tries parameter), it is marked as DEAD for the <MIN> period, and the router redirects requests to the backup RADIUS server inside the same group. At the end of this interval, requests are sent again to the inactive RADIUS server. If it responds successfully, it becomes ACTIVE again. If it does not respond, it remains marked as DEAD, and the interval of that state is increased by <MIN> (after the first unsuccessful attempt the interval is <MIN>, after the second 2*<MIN>, after the third 3*<MIN>, etc.). This continues until the DEAD interval reaches <MAX>. After that, the RADIUS server is probed once per <MAX> interval until it first returns to the ACTIVE state. If <MAX> is not a multiple of <MIN>, the interval becomes equal to <MAX> the first time it would exceed <MAX> as a result of the next <MIN> increase |
Setting the Calling-Station-Id Attribute Format | |
attribute mac default | Use the default format. It looks like XXXX.XXXX.XXXX |
attribute mac ietf | Use the IETF format. It looks like XXXX.XXXX.XXXX |
attribute mac unformatted | Use a format without separators. It looks like XXXXXXXXXXXX |
Setting the Nas-Port Attribute Format | |
attribute nas-port default | Use a combination of service and client VLAN |
attribute nas-port session-id | Use a session identifier |
Setting the username Attribute Format | |
attribute username format <> | Set the username attribute format. Fields are delimited by a hyphen '-'. Modifying the attribute is possible only for IPoE subscribers |
Setting the traffic counter by session | |
attribute accounting direction port | Traffic direction is counted relative to the router port |
attribute accounting direction subscriber | Traffic direction is counted relative to the subscriber |
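To make the failover and backoff behaviour from the table concrete, here is an added Python model (not EcoRouter code; the RadiusServer and RadiusGroup names are hypothetical) of active-standby selection by priority (smaller value wins, as in the server command below), marking a server DEAD after request-max-tries unanswered requests, and the dead-time-interval <MIN> <MAX> growth. It assumes each report() call is one request, paced by request-timeout outside the model.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    addr: str
    priority: int          # smaller value = higher priority (active-standby mode)
    failures: int = 0      # consecutive unanswered requests while ACTIVE
    dead_rounds: int = 0   # consecutive DEAD periods served so far (0 = ACTIVE)
    dead_until: float = 0  # simulation time (s) at which the DEAD mark expires


class RadiusGroup:
    """Hypothetical model of one radius-group: active-standby server selection plus
    the request-max-tries / dead-time-interval <MIN> <MAX> backoff from the table."""

    def __init__(self, servers, request_max_tries=3, dead_min=15, dead_max=300):
        self.servers = sorted(servers, key=lambda s: s.priority)
        self.max_tries, self.dead_min, self.dead_max = request_max_tries, dead_min, dead_max

    def dead_interval(self, rounds):
        # The n-th consecutive DEAD period lasts n*MIN, capped at MAX; when MAX is not
        # a multiple of MIN the cap applies the first time n*MIN would exceed MAX.
        return min(rounds * self.dead_min, self.dead_max)

    def pick(self, now):
        # First server by priority whose DEAD mark has expired (or never existed);
        # None when every server in the group is currently DEAD.
        for s in self.servers:
            if now >= s.dead_until:
                return s
        return None

    def report(self, s, answered, now):
        # Record the outcome of one request to server s sent at time `now`;
        # returns the server's resulting state.
        if answered:
            s.failures, s.dead_rounds, s.dead_until = 0, 0, 0  # back to ACTIVE
            return "ACTIVE"
        if s.dead_rounds == 0:            # still ACTIVE: count the miss
            s.failures += 1
            if s.failures < self.max_tries:
                return "ACTIVE"
            s.dead_rounds = 1             # request-max-tries reached: first DEAD period
        else:                             # probe after a DEAD period went unanswered
            s.dead_rounds += 1
        s.dead_until = now + self.dead_interval(s.dead_rounds)
        return "DEAD"
```

With the defaults (3 tries, 15/300) and the two servers from the example below, three misses 3 seconds apart mark 3.3.3.2 DEAD until t=21, requests go to 3.3.3.4 meanwhile, and an unanswered probe at t=21 extends the mark by 30 seconds.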
Single RADIUS Server Configuration in a Group
Use the following command in the context configuration mode (config-radius-group) to configure the single RADIUS server parameters in the group:
server A.B.C.D secret <WORD> [priority <0-65535> | vrf <VRF> | source A.B.C.D | auth-port <1-65535> | acct-port <1-65535> | coa-listen-port <1-65535>]
All parameters except the IP address and the secret key are optional and can be specified in any order. If the IP address of an existing RADIUS server is specified in the command call, its parameters are changed. Otherwise, a RADIUS server with the specified IP address is created.
The command parameters are described in the table below.
Parameter | Description |
---|---|
server A.B.C.D | RADIUS server IP address |
secret <WORD> | The secret attribute value (the default value is undefined) |
priority <0-65535> | RADIUS server priority (for active/standby mode). The smaller the value, the higher the priority |
vrf <VRF> | The VRF name where RADIUS server IP address is created (the default value is the current virtual router VRF) |
source A.B.C.D | IP address to be specified as a source in a request packet (the default value is the interface address from which the request is sent) |
auth-port <1-65535> | Port for authentication requests (the default value is 1812) |
acct-port <1-65535> | Port for accounting requests (the default value is 1813) |
coa-listen-port <1-65535> | Port on which a socket is opened to receive CoA and Disconnect requests |
Use the no server A.B.C.D [vrf <VRF>] command in the context configuration mode (config-radius-group) to delete the RADIUS server from the group.
Example:
ecorouter(config)#radius-group test
ecorouter(config-radius-group)#server 3.3.3.2 secret 12121212
ecorouter(config-radius-group)#server 3.3.3.4 secret dsfsfsf
ecorouter(config-radius-group)#mode active-standby
ecorouter(config-radius-group)#description ABRACADABRA
ecorouter(config-radius-group)#?
RADIUS group commands:
dead-time-interval Specify a RADIUS servers dead time interval
description Redirect URL description
exit Exit from the current mode to the previous mode
help Description of the interactive help system
mode Specify a RADIUS group mode
no Negate a command or set its defaults
request-max-tries Specify a RADIUS servers max number of tries to
retransmit a request
request-timeout Specify a RADIUS servers response waiting time
server Specify a RADIUS server
show Show running system information
ecorouter(config-radius-group)#server 3.3.3.3 vrf test source 12121212
The corresponding fragment of the configuration will look as follows:
!
radius-group test
description ABRACADABRA
mode active-standby
dead-time-interval 15 300
request-max-tries 3
request-timeout 3
server 3.3.3.2 secret 12121212 priority 10
server 3.3.3.4 secret dsfsfsf priority 20
server 3.3.3.3 secret fsfd priority 30 vrf test source 12121212
!