AAA Profile Configuration
Table: global.access.aaa.profile.config
Subscriber management requires an Authentication, Authorization, and Accounting (AAA) profile; this part of the configuration is mandatory.
The picture below shows how the AAA profile configuration relates to the other subscriber management configuration tasks.
Configuring the AAA Profile
```
supervisor@switch: cfg> set access aaa-profile <profile-name>
  <profile-name>        Name of the AAA profile
supervisor@switch: cfg> set access aaa-profile aaa-example
  <cr>
  aaa-radius-profile    AAA RADIUS profile name
  accounting            Accounting options
  authentication        Authentication options
  idle-timeout          Idle timeout in seconds (0 == infinity)
  session-timeout       Session timeout in seconds (0 == infinity)
```
The following example shows a typical AAA profile for RADIUS authentication and accounting.
```
supervisor@switch: cfg> show config access aaa-profile aaa-radius
{
  "rtbrick-config:aaa-profile": {
    "profile-name": "aaa-radius",
    "session-timeout": 0,
    "idle-timeout": 0,
    "aaa-radius-profile": "radius-default",
    "authentication": {
      "order": "RADIUS"
    },
    "accounting": {
      "order": "RADIUS",
      "session-id-format": "DEFAULT",
      "ingress": {
        "accounting-source": "POLICER"
      },
      "egress": {
        "accounting-source": "LIF",
        "class-byte-adjustment-value": 16
      }
    }
  }
}
```
| Attribute | Description |
|---|---|
| session-timeout | The session timeout specifies the maximum uptime in seconds until a subscriber is terminated. The value 0 means infinity. Default: 0. Range: 0 - 4294967295 |
| idle-timeout | The idle timeout specifies the time in seconds until a subscriber is terminated if no traffic is forwarded, based on the outgoing logical interface statistics of the subscriber IFL. Those statistics do not include control traffic. The subscriber is not considered idle as long as egress traffic is detected. The idle timeout is not limited, but it should be set to at least double the update interval of the logical interface statistics counters (between 5 and 30 seconds), otherwise a subscriber can be terminated before the counters have had a chance to reflect its traffic. The value 0 means infinity. Default: 0. Range: 0 - 4294967295 |
| aaa-radius-profile | The RADIUS profile ([RADIUS Profile Configuration]) which is used if RADIUS authentication or accounting is enabled. |
Configuring Authentication
RBFS supports the authentication methods NONE, LOCAL, DOMAIN and RADIUS. The method NONE disables authentication by accepting all credentials. The method LOCAL authenticates the subscriber against locally defined user profiles ([User Profile Configuration]). The method DOMAIN works like LOCAL, except that only the domain part of the username, separated by a configurable delimiter (default @), is used for the lookup, e.g. rtbrick.com for the user user@rtbrick.com. The method RADIUS authenticates the subscriber remotely by sending an authentication request (RADIUS Access-Request) to the configured RADIUS servers.

NOTE: The authentication method DOMAIN is currently not supported.

Some methods can also be combined. With LOCAL_RADIUS the subscriber is first authenticated locally and only queried via RADIUS if no matching local user is found. If a local user is found but the password does not match, the subscriber is rejected immediately without any request to the RADIUS servers. RADIUS_LOCAL behaves similarly in reverse: the subscriber is disconnected immediately if the authentication request is rejected by RADIUS, and local authentication is used only as a fallback when no response (timeout) is received from any configured RADIUS server. This fallback requires that matching local user profiles exist, and it means that whenever all RADIUS servers are unreachable, subscribers are authenticated against those local profiles.
```
supervisor@switch: cfg> show config access aaa-profile aaa-default authentication
  <cr>
  delimiter    Delimiter string
  order        Authentication order
```
| Attribute | Description |
|---|---|
| order | This option defines the order of authentication methods. Default: NONE. Values: NONE, LOCAL, LOCAL_RADIUS, RADIUS, RADIUS_LOCAL. Because NONE accepts all credentials, a profile that does not set the order explicitly admits every subscriber; set it explicitly in production. |
| delimiter | This option defines the delimiter for domain authentication. Default: @ |
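The decision rules for the authentication orders above, as an added illustration that is not RBFS code. It models the accept/reject/fallback behaviour described for NONE, LOCAL, RADIUS, LOCAL_RADIUS and RADIUS_LOCAL against a constructed local user table and a stub RADIUS server (both example assumptions), so that the difference between "no local user" (ask RADIUS) and "local user, wrong password" (reject at once, no RADIUS request) and between a RADIUS reject and a RADIUS timeout can be checked.

```python
"""Decision logic of the RBFS authentication orders, as an added illustration.

This is not RBFS code. It models the accept/reject/fallback rules the text
gives for NONE, LOCAL, RADIUS, LOCAL_RADIUS and RADIUS_LOCAL against a
constructed local user table and a stub RADIUS server.
"""

# Constructed local user profiles (username -> password); example data only.
LOCAL_USERS = {
    "alice@rtbrick.com": "alice-secret",
    "bob@rtbrick.com": "bob-secret",
}


class RadiusStub:
    """Constructed stand-in for the configured RADIUS servers.

    Returns "accept", "reject", or "timeout" (no reply from any server) and
    counts requests so a caller can verify whether RADIUS was queried at all.
    """

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable
        self.requests = 0

    def __call__(self, user, password):
        self.requests += 1
        if not self.reachable:
            return "timeout"
        return "accept" if self.users.get(user) == password else "reject"


def local_auth(user, password):
    """LOCAL lookup: 'unknown' if no profile, 'reject' on mismatch, else 'accept'."""
    stored = LOCAL_USERS.get(user)
    if stored is None:
        return "unknown"
    return "accept" if stored == password else "reject"


def authenticate(order, user, password, radius):
    """Return 'accept' or 'reject' for a subscriber under the given order."""
    if order == "NONE":
        # Authentication disabled: every credential is accepted.
        return "accept"
    if order == "LOCAL":
        return "accept" if local_auth(user, password) == "accept" else "reject"
    if order == "RADIUS":
        return "accept" if radius(user, password) == "accept" else "reject"
    if order == "LOCAL_RADIUS":
        local = local_auth(user, password)
        if local != "unknown":
            # A local profile exists: its verdict is final, RADIUS is not asked.
            return local
        # No local profile: fall through to RADIUS.
        return "accept" if radius(user, password) == "accept" else "reject"
    if order == "RADIUS_LOCAL":
        remote = radius(user, password)
        if remote != "timeout":
            # An explicit RADIUS Accept/Reject is final; no local fallback on reject.
            return remote
        # No response from any RADIUS server: fall back to local profiles.
        return "accept" if local_auth(user, password) == "accept" else "reject"
    raise ValueError(f"unknown authentication order {order!r}")


if __name__ == "__main__":
    radius = RadiusStub({"carol@rtbrick.com": "carol-secret"})
    print(authenticate("LOCAL_RADIUS", "alice@rtbrick.com", "wrong", radius), radius.requests)
    print(authenticate("LOCAL_RADIUS", "carol@rtbrick.com", "carol-secret", radius), radius.requests)
    down = RadiusStub({}, reachable=False)
    print(authenticate("RADIUS_LOCAL", "bob@rtbrick.com", "bob-secret", down), down.requests)
```

The request counter on the stub is the point of the model: under LOCAL_RADIUS a wrong password for a locally known user never reaches RADIUS, and under RADIUS_LOCAL the local profiles only come into play after a timeout, never after a reject.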
Configuring Accounting
Accounting is the process of tracking subscriber activity and network resource usage in a subscriber session. This includes the session time called time accounting and the number of packets and bytes transmitted during the session called volume accounting.
RBFS supports the accounting method RADIUS only.
```
supervisor@switch: cfg> show config access aaa-profile aaa-default accounting
  <cr>
  egress               Egress volume accounting options
  ingress              Ingress volume accounting options
  interim-interval     Accounting interim interval in seconds (0 == disabled)
  order                Accounting order
  session-id-format    Accounting-Session-Id format
```
| Attribute | Description |
|---|---|
| order | This option defines the order of accounting methods. Default: NONE, which disables accounting. RADIUS is the only supported accounting method. |
| interim-interval | The interim interval specifies the time between interim accounting requests in seconds, where 0 means disabled. Default: 0. Range: 0 - 4294967295 |
| session-id-format | The format of the Accounting-Session-Id (RADIUS attribute 44). Default: DEFAULT. Values: DEFAULT, BRIEF, EXTENSIVE |
Configuring Accounting Adjustments
The accounting adjustment applies a basic correction to the counters reported in RADIUS interim and accounting stop request messages, using the parameters below.
This makes it possible to normalize counters taken with different encapsulations (double tagged, untagged, ...) to L3 byte counts, for example.
The byte adjustment value supports positive and negative values such as -20.0 or 20.0; decimal digits in the adjustment value are ignored. The byte adjustment factors support positive values only, and only the first two decimal digits are used, e.g. 0.98 (-2%) or 1.02 (+2%). The factor is applied after the per-packet value.
Ingress Accounting
```
supervisor@switch: cfg> show config access aaa-profile aaa-default accounting ingress
  <cr>
  accounting-source               Source of session ingress counter
  byte-adjustment-factor          Adjust ingress LIF counters by factor
  byte-adjustment-value           Adjust ingress LIF counters by N bytes per packet
  policer-byte-adjustment-factor  Adjust ingress policer counters by factor
  policer-byte-adjustment-value   Adjust ingress policer counters by N bytes per packet
```
| Attribute | Description |
|---|---|
| accounting-source | This option selects which counters are used for ingress session accounting, i.e. the values reported in the RADIUS attributes Acct-Input-Packets (47), Acct-Input-Octets (42) and Acct-Input-Gigawords (52) if RADIUS accounting is enabled. By default the logical interface (LIF) statistics are used, which count all traffic received, including control traffic and traffic dropped by the ingress policer. Alternatively the policer statistics (POLICER) can be used, which are the sum of all traffic accepted over all policer levels (1-4). Ingress control traffic is handled by a separate control-plane policer and is therefore not counted in the session policer statistics. Select POLICER if only transit traffic actually forwarded by the device should be counted; with LIF, traffic the policer drops is still accounted to the subscriber. Default: LIF. Values: LIF, POLICER |
| byte-adjustment-value | Adjust ingress LIF counters by +/- N bytes per packet. Default: 0.00. Range: -32 - 32 |
| byte-adjustment-factor | Adjust ingress LIF counters by factor (applied after the adjustment value). Default: 1.00. Range: 0.00 - 2.00 |
| policer-byte-adjustment-value | Adjust ingress POLICER counters by +/- N bytes per packet. Default: 0.00. Range: -32 - 32 |
| policer-byte-adjustment-factor | Adjust ingress POLICER counters by factor (applied after the adjustment value). Default: 1.00. Range: 0.00 - 2.00 |
Egress Accounting
```
supervisor@switch: cfg> show config access aaa-profile aaa-default accounting egress
  <cr>
  accounting-source             Source of session egress counter
  byte-adjustment-factor        Adjust egress LIF counters by factor
  byte-adjustment-value         Adjust egress LIF counters by N bytes per packet
  class-byte-adjustment-factor  Adjust egress class counters by factor
  class-byte-adjustment-value   Adjust egress class counters by N bytes per packet
```
| Attribute | Description |
|---|---|
| accounting-source | This option selects which counters are used for egress session accounting, i.e. the values reported in the RADIUS attributes Acct-Output-Packets (48), Acct-Output-Octets (43) and Acct-Output-Gigawords (53) if RADIUS accounting is enabled. By default the logical interface (LIF) statistics are used, which count all traffic sent on the logical interface except control traffic, which is sent directly to the IFP. CLASS uses the egress class (queue) counters instead. Default: LIF. Values: LIF, CLASS |
| byte-adjustment-value | Adjust egress LIF counters by +/- N bytes per packet. Default: 0.00. Range: -32 - 32 |
| byte-adjustment-factor | Adjust egress LIF counters by factor (applied after the adjustment value). Default: 1.00. Range: 0.00 - 2.00 |
| class-byte-adjustment-value | Adjust egress CLASS (queue) counters by +/- N bytes per packet. Default: 0.00. Range: -32 - 32 |
| class-byte-adjustment-factor | Adjust egress CLASS (queue) counters by factor (applied after the adjustment value). Default: 1.00. Range: 0.00 - 2.00 |
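A worked model of the accounting adjustment described above (the value-then-factor rule in "Configuring Accounting Adjustments" and the ranges in the ingress and egress tables), as an added example that is not RBFS code. It applies the per-packet value and then the factor to raw session counters, enforces the documented ranges, and splits the result into the 32-bit Acct-*-Octets / Acct-*-Gigawords pair (RFC 2869: the Gigawords attribute counts how many times the Octets attribute has wrapped around 2^32), so a CDR can be checked against what the session should have reported. Two details are assumptions of this example, not statements from the page: ignored decimal digits are modelled as truncation toward zero rather than rounding, and a result below zero is reported as 0. The sample counters and the QinQ framing overhead (14-byte Ethernet header plus two 4-byte 802.1Q tags) are constructed for illustration.

```python
"""Model of the per-session byte adjustment for RADIUS accounting (added example).

Not RBFS code. It applies the documented rule, per-packet value first and
then the factor, to raw session counters, enforces the documented ranges,
and splits the result into the 32-bit Acct-*-Octets / Acct-*-Gigawords pair.
Assumptions made here: ignored decimal digits mean truncation toward zero
(not rounding), and a result below zero is reported as 0.
"""
from decimal import Decimal, ROUND_DOWN

GIGAWORD = 2 ** 32  # Gigawords counts wraps of the 32-bit Octets attribute (RFC 2869)


def normalize_value(value):
    """Per-packet byte adjustment: whole bytes only (decimals dropped), range -32..32."""
    v = int(Decimal(str(value)).to_integral_value(rounding=ROUND_DOWN))
    if not -32 <= v <= 32:
        raise ValueError(f"byte-adjustment-value {value} outside -32..32")
    return v


def normalize_factor(factor):
    """Adjustment factor: first two decimal digits only, range 0.00..2.00."""
    f = Decimal(str(factor)).quantize(Decimal("0.01"), rounding=ROUND_DOWN)
    if not Decimal("0") <= f <= Decimal("2"):
        raise ValueError(f"byte-adjustment-factor {factor} outside 0.00..2.00")
    return f


def adjusted_octets(packets, octets, value="0", factor="1.00"):
    """Octets to report after adjustment: (octets + value * packets) * factor."""
    total = (Decimal(octets) + normalize_value(value) * packets) * normalize_factor(factor)
    # Assumption: the reported counter is truncated to whole bytes and never negative.
    return max(int(total.to_integral_value(rounding=ROUND_DOWN)), 0)


def to_radius_pair(total_octets):
    """Split a 64-bit total into (Acct-*-Octets, Acct-*-Gigawords)."""
    return total_octets % GIGAWORD, total_octets // GIGAWORD


def from_radius_pair(octets, gigawords):
    """Rebuild the total from the two attributes, e.g. when checking a CDR against the session."""
    return gigawords * GIGAWORD + octets


if __name__ == "__main__":
    # Constructed session: 1000 frames, 1.5 MB on the LIF counter. The frames were
    # counted with a 14-byte Ethernet header and two 4-byte 802.1Q tags (QinQ),
    # so -22 bytes per packet normalizes them to L3 length; a factor of 0.98
    # then applies a -2% correction on top.
    total = adjusted_octets(1000, 1_500_000, value="-22", factor="0.98")
    print(total, to_radius_pair(total))
    big = 5_000_000_000
    print(to_radius_pair(big), from_radius_pair(*to_radius_pair(big)) == big)
```

The order matters: because the factor is applied after the per-packet value, a -2% factor on 1000 frames of 1.5 MB yields 1,448,440 octets with the -22 byte normalization, not 1,470,000 minus 22,000. The pair functions are what a billing reconciliation needs once a session crosses 4 GiB, where a CDR that reads only Acct-Output-Octets under-reports by whole gigawords.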