RADIUS server settings
- General settings for connecting to a RADIUS server
- Configuring Dynamic Policies
- RADIUS Server Groups
- Client authorization on the RADIUS server
- Counters
RADIUS settings are located in the system.bras.radius branch. The branch contains the following sections and parameters:
- request_burst_interval – the time interval in milliseconds between sending bursts of Access-Request and Accounting-Request packets. The range is 1 to 1000. The default is 10;
- request_burst_size – the maximum number of Access-Request and Accounting-Request packets in a burst. The range is 1 to 1000. The default is 64.
- coa – the section of RADIUS Change of Authorization parameters;
- radius_groups – the section of RADIUS server groups parameters;
- radius_servers – the section of RADIUS server connection parameters.
The structure and configuration commands of the above listed sections are described below.
General settings for connecting to a RADIUS server
To create a new connection to the RADIUS server, you must run the create radius <connection name> command. When creating a connection, its name is formed in the same way as described in the section "Creating a new pool".
After creating a new connection, you need to go to the appropriate branch of the configuration tree and use the context commands to set the values of its parameters.
The connection parameters for the RADIUS server are described in the table below.
Parameter | Description |
---|---|
enable / disable | Enables or disables use of this RADIUS server |
server | IP address of the RADIUS server. Default: 0.0.0.0 |
acct_port | UDP port of the RADIUS server for accounting (conventionally 1813) |
auth_port | UDP port of the RADIUS server for authentication and authorization (conventionally 1812) |
secret | Shared secret used to authenticate the exchange with the RADIUS server (set with the secret command, as in the example below) |
An example of setting up a connection to a RADIUS server:

```
MyEcoNAT:1:system.bras.radius# create radius 1
MyEcoNAT:2:system.bras.radius# radius1
MyEcoNAT:3:system.bras.radius.radius_servers.radius1# enable
MyEcoNAT:4:system.bras.radius.radius_servers.radius1# server 192.168.5.1
MyEcoNAT:5:system.bras.radius.radius_servers.radius1# secret "econat"
MyEcoNAT:6:system.bras.radius.radius_servers.radius1# acct_port 1813
MyEcoNAT:7:system.bras.radius.radius_servers.radius1# auth_port 1812
MyEcoNAT:8:system.bras.radius.radius_servers.radius1# show
enable
server 192.168.5.1
acct_port 1813
auth_port 1812
secret ""
```

In the listing above, show prints the secret as an empty string even though it was set in step 5, so the show output cannot be used to confirm the shared secret; a secret that does not match the one configured on the RADIUS server shows up at runtime as growth of the radius_authorization_bad_response counter (see Counters).
To enable or disable use of a RADIUS server, run the context commands enable and disable in the branch of that server:

```
MyEcoNAT:5:system.bras.radius.radius_servers.radius1# enable
MyEcoNAT:6:system.bras.radius.radius_servers.radius1# disable
```
Configuring Dynamic Policies
When connecting to a RADIUS server, you must use dynamic policies. Such a policy is created and configured similarly to the static policy described in the section "Policies and Services". Only a few parameters differ. Dynamic policy settings are listed in the table below.
Parameter | Description |
---|---|
enable / disable | Policy enabled or disabled |
priority | Priority of applying policies. The lower the value, the higher the priority. By default, the first created policy has priority 100, the second 200, the third 300, and so on |
local_ip | Addresses or subnets of the clients to which this policy applies |
type dynamic | Enables subscriber authorization on a RADIUS server |
auth | Authorization target: the name of a RADIUS server group, or the keyword none |
acct | Accounting target: the name of a RADIUS server group, or the keyword none |
reauthorization_timeout | Time (in seconds) after which the client's authorization is retried when the RADIUS server did not respond (the BRAS client session is in the Error state). Default: 180 |
session_timeout | Lifetime of a session (in seconds); when the timer expires, the session is deleted. Default: 86400. After the interval elapses a new Access-Request is sent (the RADIUS server may override the interval with the Session-Timeout attribute). The same applies to subscribers whose authorization attempt received an Access-Reject |
idle_timeout | Period of inactivity (in seconds) after which the session is interrupted. Default: 28800 |
interim_interval | Interval (in seconds) between accounting interim updates. Applies with the RADIUS functionality enabled. Default: 60 |
Binding services to the policy | |
default | Service (or services) applied to a subscriber who matched the policy but has not yet been authorized |
if_auth_accept | Service (or services) applied to a subscriber for whom the RADIUS server returned Access-Accept |
if_auth_reject | Service (or services) applied to a subscriber for whom the RADIUS server returned Access-Reject |
if_auth_fail | Service (or services) applied to a subscriber when the RADIUS server did not respond to the Access-Request within the timeout |
ATTENTION! Before applying the changes, the value of the auth parameter should not be none, otherwise the apply command will end with an error.
Example of creating and configuring a dynamic policy:
```
MyEcoNAT:1:system.bras.policies# create policy 2
MyEcoNAT:2:system.bras.policies# policy2
MyEcoNAT:3:system.bras.policies.policy2# enable
MyEcoNAT:4:system.bras.policies.policy2# local_ip (0.0.0.0/0)
MyEcoNAT:5:system.bras.policies.policy2# type dynamic
MyEcoNAT:6:system.bras.policies.policy2# auth radius1
MyEcoNAT:7:system.bras.policies.policy2# default (service5M)
MyEcoNAT:8:system.bras.policies.policy2# if_auth_accept (service1 service5M)
MyEcoNAT:9:system.bras.policies.policy2# if_auth_reject (service2)
MyEcoNAT:10:system.bras.policies.policy2# if_auth_fail (service2)
MyEcoNAT:11:system.bras.policies.policy2# show
priority 200
enable
local_ip ( 0.0.0.0/0 )
type dynamic
auth radius1
reauthorization_timeout 180
session_timeout 86400
idle_timeout 28800
interim_interval 15
default ( service5M )
if_auth_accept ( service1 service5M )
if_auth_reject ( service2 )
if_auth_fail ( service2 )
MyEcoNAT:12:system.bras.policies.policy2#
```
RADIUS Server Groups
To increase reliability, RADIUS servers are combined into groups, which distribute load between the servers and provide redundancy. BRAS dynamic policies reference groups rather than individual servers.
The current implementation supports up to 16 RADIUS server groups. One RADIUS server can be a member of several groups at the same time.
Use the create radiusgroup <RADIUS_GROUP> command to create RADIUS server group where <RADIUS_GROUP> is the group name.
By default, the configuration of the newly created group is as follows.
```
EcoNAT:8:system.bras.radius.radius_groups.radiusgroupb# ls
type active_standby
description ""
request_max 3
request_timeout 3
dead_time_min 15
dead_time_max 300
servers ( )
```
Use the no radiusgroup <RADIUS_GROUP> command in configuration mode to delete the RADIUS server group named <RADIUS_GROUP>. The dropradius command can also be used; it deletes all RADIUS server groups and all RADIUS servers.
In the configuration mode of a RADIUS server group the operator can set or delete the group description, change the group mode, and add a RADIUS server to the group or remove it from the group.
Use the commands and parameters specified in the table below to configure RADIUS server group.
Command/parameter | Description |
---|---|
description <TEXT> | Set RADIUS server group description where <TEXT> is the description string. Descriptions of radius groups containing spaces must be quoted |
no description | Delete RADIUS server group description |
type <MODE> | Set the RADIUS server group operating mode, where <MODE> is the mode name. The default value is active_standby |
Timer Configuration | |
request_max <NUMBER> | Number of consecutive requests left unanswered after which the server is marked unavailable (DEAD). Default: 3 |
request_timeout <INTERVAL> | Interval (in seconds) between request retransmissions. Default: 3 |
dead_time_min <MIN> | Initial time (in seconds) for which a server is kept in the DEAD state. Valid values: 0 to 65535. Default: 15 |
dead_time_max <MAX> | Upper bound (in seconds) of the DEAD interval. Valid values: 0 to 65535. Default: 300 |

The dead_time timer works as follows. After a server marked ACTIVE fails to respond to <NUMBER> consecutive requests (request_max), it is marked DEAD for <MIN> seconds, and requests are redirected to the backup RADIUS server in the same group. When the interval ends, requests are sent to the inactive server again. If it responds, it becomes ACTIVE again. If it still does not respond, it stays DEAD and the interval grows by <MIN> at each failed attempt (after the first failed attempt the interval is <MIN>, after the second 2*<MIN>, after the third 3*<MIN>, and so on) until the DEAD interval reaches <MAX>. From then on the server is probed once every <MAX> seconds until it first returns to the ACTIVE state. If <MAX> is not a multiple of <MIN>, the interval is set to <MAX> the first time that adding another <MIN> would exceed it.
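The following Python simulation is an added example, not EcoNAT code. It models the request_max and dead_time behaviour described above together with active_standby selection inside a group (the first server in configured order that is not DEAD receives the request). Two details the page leaves open are assumed here and marked in the code: a single unanswered probe is enough to keep a server DEAD, and the standby order is the configured server order. Server names and timings are constructed.

```python
"""Dead-time backoff and active_standby selection for a RADIUS server group.

Added example, not EcoNAT code. Simulates request_max / dead_time_min /
dead_time_max so a probe schedule can be checked for a given configuration.
"""
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str
    failures: int = 0        # consecutive unanswered requests while ACTIVE
    dead_interval: int = 0   # current DEAD interval in seconds (0 while ACTIVE)
    dead_until: float = 0.0  # absolute time at which the next probe is due


@dataclass
class RadiusGroup:
    servers: list            # configured order = standby order (assumption)
    request_max: int = 3
    request_timeout: int = 3
    dead_time_min: int = 15
    dead_time_max: int = 300

    def is_dead(self, s: RadiusServer, now: float) -> bool:
        return s.dead_interval > 0 and now < s.dead_until

    def select(self, now: float):
        """active_standby: first server that is ACTIVE, or DEAD but due for a
        probe. None means every server is DEAD and nothing can be sent."""
        for s in self.servers:
            if not self.is_dead(s, now):
                return s
        return None

    def report_timeout(self, s: RadiusServer, now: float) -> None:
        """A request to s got no answer within request_timeout at time `now`."""
        if s.dead_interval == 0:
            s.failures += 1
            if s.failures < self.request_max:
                return                      # still ACTIVE, keep retrying
            s.dead_interval = self.dead_time_min
        else:
            # Assumption: one failed probe keeps the server DEAD; the interval
            # grows by <MIN> per failed probe and is capped at <MAX>.
            s.dead_interval = min(s.dead_interval + self.dead_time_min,
                                  self.dead_time_max)
        s.failures = 0
        s.dead_until = now + s.dead_interval

    def report_success(self, s: RadiusServer) -> None:
        """Any answered request (or probe) returns the server to ACTIVE."""
        s.failures, s.dead_interval, s.dead_until = 0, 0, 0.0


def dead_schedule(dead_time_min: int, dead_time_max: int, probes: int) -> list:
    """DEAD intervals after `probes` consecutive failed probes, e.g.
    (15, 300) -> 15, 30, 45, ...; (40, 100) -> 40, 80, 100, 100 (non-multiple)."""
    out, cur = [], dead_time_min
    for _ in range(probes):
        out.append(cur)
        cur = min(cur + dead_time_min, dead_time_max)
    return out


if __name__ == "__main__":
    group = RadiusGroup([RadiusServer("radius1"), RadiusServer("radius2")])
    primary, backup = group.servers
    for t in (0, 3, 6):                     # three unanswered requests
        group.report_timeout(primary, t)
    print("t=10 ->", group.select(10).name)  # radius2 while radius1 is DEAD
    print("t=21 ->", group.select(21).name)  # radius1 is probed again
    print("schedule 15/300:", dead_schedule(15, 300, 5))
    print("schedule 40/100:", dead_schedule(40, 100, 4))
```

When select returns None the group has no usable server, which is the situation the dynamic policy's if_auth_fail service covers.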
RADIUS Servers Configuration in a Group (the servers parameter)
Servers are included in the group using the add <server name> command, symbolic '+=' command, or by space-separated listing of server names in brackets of the servers () parameter.
Settings example:
```
2:2:# create radiusgroup 1
2:3:# create radius 1
2:4:# create radius 2
2:5:# create radius 3
2:6:# create radius 4
2:7:# go radiusgroup1
2:8:system.bras.radius.radius_groups.radiusgroup1# servers (radius1 radius2)
2:9:system.bras.radius.radius_groups.radiusgroup1# servers add radius3
2:10:system.bras.radius.radius_groups.radiusgroup1# servers += radius4
2:11:system.bras.radius.radius_groups.radiusgroup1# show servers
servers ( radius1 radius2 radius3 radius4 )
```
To remove a RADIUS server from a group, use the symbolic '-=' command.
Client authorization on the RADIUS server
When authorizing a client on a RADIUS server, BRAS sends an Access-Request carrying the following attributes:
- User-Name = <user IP address>
- Calling-Station-Id = <user MAC address>
- User-Password = <EcoBRAS hostname>
The User-Password attribute is present only for compatibility with some billing systems: such systems merely require the attribute to be present in Access-Request messages, so its value is the same for every user. The value is taken automatically from the hostname parameter in the system_log branch of the configuration tree (see section "Logging"). The attribute value is not used for authorization. Because it is constant and not secret, the RADIUS server must not treat User-Password as a credential: the integrity of the exchange rests on the shared secret configured for the server, and the subscriber is identified by User-Name and Calling-Station-Id.
When Access-Accept is received from the RADIUS server, the user is assigned the service specified in if_auth_accept together with its speed limits. The user session is governed by the timeouts session_timeout, idle_timeout and interim_interval. If the Access-Accept carries additional attributes with services, those are applied to the subscriber automatically and take precedence over the BRAS policy and service settings.
BRAS processes the following attributes in the Access-Accept:
- Cisco-Account-Info – upload and download speed limits in bps;
- Cisco-Service-Info – forced assignment of a service configured on BRAS; the service name is given in the form A <service name>;
- Callback-Id – a unique identifier of the user, substituted into redirect_url in place of the %c qualifier;
- Idle-Timeout;
- Session-Timeout;
- Acct-Interim-Interval;
- Framed-IP-Address.
Example:
- Cisco-Account-Info := "Pqq0",
- Cisco-Account-Info := "VU;20000000;D;20000000",
- Delegated-IPv6-Prefix := "::1:1900:0:0/125"
- Callback-Id := "c6958059a295af355e5b8dfbbfcf4fd4",
- Idle-Timeout := 500,
- Session-Timeout := 500,
- Acct-Interim-Interval := 500.
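The exchange described in this section, as an added Python example that is not part of EcoNAT: it encodes the Access-Request with the three attributes listed above (hiding User-Password with the shared secret as RFC 2865 section 5.2 requires), answers it from a toy server with Session-Timeout, Acct-Interim-Interval and a Cisco-Account-Info vendor-specific attribute (Cisco enterprise ID 9, VSA type 250, the values from the FreeRADIUS Cisco dictionary), and shows the Response Authenticator check that fails on a mismatched secret, which is the case the radius_authorization_bad_response counter reports. The secret, RADIUS identifier, addresses and hostname are constructed values.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865).

Added example, not EcoNAT code: builds the BRAS-style request (User-Name =
subscriber IP, Calling-Station-Id = MAC, User-Password = BRAS hostname),
answers it with a toy server and verifies the Response Authenticator.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, CALLING_STATION_ID = 1, 2, 26, 31
SESSION_TIMEOUT, ACCT_INTERIM_INTERVAL = 27, 85
CISCO_VENDOR_ID, CISCO_ACCOUNT_INFO = 9, 250   # enterprise 9, VSA type 250


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password (what the RADIUS server does)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor, vtype, len(value) + 2) + value)


def parse_attrs(data: bytes) -> list:
    """Return [(type, value), ...]; reject lengths that would loop or overrun."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_access_request(secret, ident, user_ip, user_mac, hostname) -> bytes:
    req_auth = os.urandom(16)   # fresh random Request Authenticator per request
    attrs = (attr(USER_NAME, user_ip.encode())
             + attr(CALLING_STATION_ID, user_mac.encode())
             + attr(USER_PASSWORD, hide_password(hostname.encode(), secret, req_auth)))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def toy_server(request: bytes, secret: bytes):
    """Accept every subscriber; return (Access-Accept, hostname seen in User-Password)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    hostname = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    reply = (attr(SESSION_TIMEOUT, struct.pack("!I", 500))
             + attr(ACCT_INTERIM_INTERVAL, struct.pack("!I", 500))
             + vsa(CISCO_VENDOR_ID, CISCO_ACCOUNT_INFO, b"VU;20000000;D;20000000"))
    auth = response_authenticator(ACCESS_ACCEPT, ident, req_auth, reply, secret)
    return packet(ACCESS_ACCEPT, ident, auth, reply), hostname


def client_verify(request: bytes, response: bytes, secret: bytes):
    """Parsed reply attributes if ID and Response Authenticator check out, else
    None (a mismatched secret lands here: the bad_response case)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return parse_attrs(response[20:length])


def cisco_account_info(attrs: list):
    """Extract the Cisco-Account-Info string from parsed reply attributes."""
    for atype, value in attrs:
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_ACCOUNT_INFO:
                return value[6:4 + vlen].decode()
    return None


if __name__ == "__main__":
    secret = b"econat"   # constructed; must match on both sides
    req = build_access_request(secret, 7, "192.168.100.10", "00:11:22:33:44:55", "MyEcoNAT")
    resp, seen = toy_server(req, secret)
    print("server recovered User-Password:", seen)
    print("accept attrs:", client_verify(req, resp, secret))
    print("wrong secret:", client_verify(req, resp, b"wrong"))
```

The same Response Authenticator rule applies to Accounting-Response and to CoA/Disconnect replies, so a shared-secret mismatch shows up as bad_response in every counter family below, not only in authorization.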
Counters
To view counters by RADIUS, use the show counters all | include radius command.
```
MyEcoNAT:7:# show counters all | include radius
Printing counters...
```
The table below describes the existing counters in this section.
Counter | Description |
---|---|
radius_authorization_success | Number of Access-Accept packets received |
radius_authorization_reject | Number of Access-Reject packets received |
radius_authorization_bad_response | Number of responses discarded because of a mismatch between the EcoNAT and RADIUS server settings (for example, a mismatched shared secret, which makes the Response Authenticator check fail) |
radius_authorization_error | Number of Access-Request packets that failed for reasons other than those above |
radius_accounting_send_try | Number of attempts to send RADIUS accounting for a user |
radius_accounting_success | Number of Accounting-Response packets received |
radius_accounting_reject | Number of reject results when sending/receiving accounting packets |
radius_accounting_error | Number of error results when sending/receiving accounting packets |
radius_accounting_bad_response | Number of accounting responses that failed validation (bad_response) |
radius_accounting_default_handler | Number of accounting requests with problems other than those above |
radius_accounting_session_timeout | Number of session_timeout events |
radius_accounting_idle_timeout | Number of idle_timeout events |
radius_coa_get_packet | Number of packets received on the EcoNAT CoA port |
radius_coa_bad_packet | Number of packets received on the CoA port that could not be processed |
radius_coa_no_entry | Number of packets received on the CoA port for which no subscriber was found |
radius_coa_request | Number of CoA-Request packets received on the CoA port |
radius_coa_ack | Number of CoA-Request packets answered with CoA-ACK |
radius_coa_nak | Number of CoA-Request packets answered with CoA-NAK |
radius_coa_disconnect_request | Number of Disconnect-Request packets received on the CoA port |
radius_coa_disconnect_ack | Number of Disconnect-Request packets answered with Disconnect-ACK |
radius_coa_disconnect_nak | Number of Disconnect-Request packets answered with Disconnect-NAK |