AAA Profile Configuration

Table: global.access.aaa.profile.config

Subscriber management requires the mandatory configuration of an Authentication, Authorization, and Accounting (AAA) profile.

The picture below shows how the AAA profile configuration relates to all subscriber management configuration tasks.

Figure 1. AAA Profile Configuration

Configuring the AAA Profile

supervisor@switch: cfg> set access aaa-profile
  <profile-name>        Name of the AAA profile

supervisor@switch: cfg> set access aaa-profile aaa-example
  <cr>
  aaa-radius-profile    AAA RADIUS profile name
  accounting            Accounting options
  authentication        Authentication options
  idle-timeout          Idle timeout in seconds (0 == infinity)
  session-timeout       Session timeout in seconds (0 == infinity)

The following example shows a typical AAA profile for RADIUS authentication and accounting.

supervisor@switch: cfg> show config access aaa-profile aaa-radius
{
  "rtbrick-config:aaa-profile": {
    "profile-name": "aaa-radius",
    "session-timeout": 0,
    "idle-timeout": 0,
    "aaa-radius-profile": "radius-default",
    "authentication": {
      "order": "RADIUS"
    },
    "accounting": {
      "order": "RADIUS",
      "session-id-format": "DEFAULT",
      "ingress": {
        "accounting-source": "POLICER"
      },
      "egress": {
        "accounting-source": "CLASS",
        "class-byte-adjustment-value": 16
      }
    }
  }
}
Attribute Description

session-timeout

The session timeout specifies the maximum uptime in seconds until a subscriber is terminated. The value 0 means infinity.

Default: 0 Range: 0 - 4294967295

idle-timeout

The idle timeout specifies the time in seconds until a subscriber is terminated if no traffic is forwarded, based on the outgoing logical interface statistics of the subscriber IFL. Those statistics do not include control traffic. The subscriber is not considered idle as long as egress traffic is detected. The idle timeout is not limited but should be set to at least double the logical interface statistics counter update interval (between 5 and 30 seconds). The value 0 means infinity.

Default: 0 Range: 0 - 4294967295

aaa-radius-profile

The RADIUS profile ([RADIUS Profile Configuration]) that is used if RADIUS authentication or accounting is enabled.

Configuring Authentication

RBFS supports the authentication methods NONE, LOCAL, DOMAIN, and RADIUS. The option NONE disables authentication by accepting all credentials. The authentication method LOCAL authenticates the subscriber based on locally defined user profiles ([User Profile Configuration]). The method DOMAIN works similarly to LOCAL, but instead of the whole username only the domain part, separated by a configurable domain delimiter (default @), is used, for example rtbrick.com for the user user@rtbrick.com. The authentication method RADIUS authenticates the subscriber remotely by sending an authentication request to the defined RADIUS servers.

The authentication method DOMAIN is currently not supported!

Some methods can also be combined together. With LOCAL_RADIUS the subscriber is first authenticated locally and secondly via RADIUS if no matching local user is found. The subscriber is immediately rejected without requesting RADIUS servers if a local user is found, but the password does not match. The behavior is similar for RADIUS_LOCAL where the subscriber is immediately disconnected if the authentication request is rejected by RADIUS. In this case, local authentication is used as the fallback if no response is received (timeout) from any RADIUS server configured.
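The decision logic of the combined orders described above, as an added example that is not RBFS code: LOCAL_RADIUS consults RADIUS only when no local user exists, and RADIUS_LOCAL falls back to LOCAL only on a RADIUS timeout. The user store and RADIUS verdicts are constructed stand-ins.

```python
# Added example (not RBFS code): models the authentication-order semantics.
# LOCAL_USERS and RADIUS_RESULTS are constructed stand-ins for the real backends.
LOCAL_USERS = {
    "alice@rtbrick.com": "alice-pw",
    "carol@rtbrick.com": "carol-pw",
}
# Simulated RADIUS verdicts: "accept", "reject", or None when no server answers.
RADIUS_RESULTS = {
    "alice@rtbrick.com": "accept",
    "bob@rtbrick.com": "reject",
    "carol@rtbrick.com": None,
}

def local_auth(user, password):
    """LOCAL: 'accept', 'reject' (user exists, wrong password) or 'unknown'."""
    if user not in LOCAL_USERS:
        return "unknown"
    return "accept" if LOCAL_USERS[user] == password else "reject"

def radius_auth(user, password):
    """RADIUS stand-in: 'accept', 'reject', or None on timeout of all servers."""
    return RADIUS_RESULTS.get(user)

def authenticate(order, user, password):
    """Return (decision, method that decided) for the configured order."""
    if order == "NONE":
        return ("accept", "NONE")          # all credentials are accepted
    if order == "LOCAL":
        return ("accept" if local_auth(user, password) == "accept" else "reject", "LOCAL")
    if order == "RADIUS":
        return ("accept" if radius_auth(user, password) == "accept" else "reject", "RADIUS")
    if order == "LOCAL_RADIUS":
        verdict = local_auth(user, password)
        if verdict != "unknown":
            return (verdict, "LOCAL")      # local user found: no RADIUS request is sent
        return authenticate("RADIUS", user, password)
    if order == "RADIUS_LOCAL":
        verdict = radius_auth(user, password)
        if verdict is not None:
            return (verdict, "RADIUS")     # RADIUS answered: a reject is final
        return authenticate("LOCAL", user, password)  # timeout: local fallback
    raise ValueError(f"unknown authentication order: {order}")
```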

supervisor@switch: cfg> set config access aaa-profile aaa-default authentication
  <cr>
  delimiter             Delimiter string
  order                 Authentication order
Attribute Description

order

This option defines the order of authentication methods.

Default: NONE Values: LOCAL, LOCAL_RADIUS, RADIUS, RADIUS_LOCAL

delimiter

This option defines the delimiter for domain authentication. Default: @

Currently not supported!

Configuring Accounting

Subscriber accounting refers to the process of measuring and recording the time and data usage of a subscriber. This includes the session time, called time accounting, and the number of packets and bytes transmitted or received, called volume accounting.

Subscriber volume accounting works in both directions, but ingress and egress direction can be configured independently.

Today RBFS supports the accounting method RADIUS only!

supervisor@switch: cfg> set config access aaa-profile aaa-default accounting
  <cr>
  egress                Egress volume accounting options
  ingress               Ingress volume accounting options
  interim-interval      Accounting interim interval in seconds (0 == disabled)
  order                 Accounting order
  session-id-format     Accounting-Session-Id format
Attribute Description

order

This option defines the order of accounting methods.

Default: NONE

interim-interval

The interim interval specifies the time between interim accounting requests in seconds where 0 means disabled.

Default: 0 Range: 0 - 4294967295

session-id-format

The format of the Accounting-Session-Id (RADIUS attribute 44).

Name Format Example

DEFAULT
  Format:  <subscriber-id>.<timestamp>
  Example: 72339069014639577.1551943760

BRIEF
  Format:  <subscriber-id>
  Example: 72339069014639577

EXTENSIVE
  Format:  <subscriber-id>.<ifp>.<outer-vlan>.<inner-vlan>.<client-mac>.<session-id>.<timestamp>
  Example: 72339069014639577.ifp-0/0/0.128.7.01:02:03:04:05:05.1.1551943760

Default: DEFAULT Values: BRIEF, EXTENSIVE

Currently, only DEFAULT is supported!
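Building and parsing Accounting-Session-Id values in the three formats above, as an added example that is not RBFS code (useful when correlating accounting records from RADIUS logs). The sample field values are the ones from the format table.

```python
# Added example (not RBFS code): render and parse Accounting-Session-Id values.
SESSION_ID_FORMATS = {
    "BRIEF": ("subscriber-id",),
    "DEFAULT": ("subscriber-id", "timestamp"),
    "EXTENSIVE": ("subscriber-id", "ifp", "outer-vlan", "inner-vlan",
                  "client-mac", "session-id", "timestamp"),
}

SAMPLE_SESSION = {                      # values taken from the format table
    "subscriber-id": 72339069014639577,
    "ifp": "ifp-0/0/0",
    "outer-vlan": 128,
    "inner-vlan": 7,
    "client-mac": "01:02:03:04:05:05",
    "session-id": 1,
    "timestamp": 1551943760,
}

def build_session_id(fmt, session):
    """Render the Accounting-Session-Id (RADIUS attribute 44) for a format."""
    return ".".join(str(session[field]) for field in SESSION_ID_FORMATS[fmt])

def detect_format(value):
    """Infer the format from the field count; no field value contains '.'."""
    count = value.count(".") + 1
    for fmt, fields in SESSION_ID_FORMATS.items():
        if len(fields) == count:
            return fmt
    raise ValueError(f"unrecognised Accounting-Session-Id: {value!r}")

def parse_session_id(value):
    """Split a received Accounting-Session-Id back into its named fields."""
    fmt = detect_format(value)
    fields = dict(zip(SESSION_ID_FORMATS[fmt], value.split(".")))
    for numeric in ("subscriber-id", "outer-vlan", "inner-vlan", "session-id", "timestamp"):
        if numeric in fields:
            fields[numeric] = int(fields[numeric])   # raises on malformed input
    return fmt, fields
```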

Configuring Accounting Adjustments

The accounting adjustment feature enables basic counter modifications for the configured accounting method, such as RADIUS accounting. This configuration is necessary to normalize counters across different platforms in each direction. On Broadcom Q2C and Q2A based platforms, packets are counted in the size they enter the switch. Without adjustment, egress accounting would count downstream traffic as received from the core, complete with MPLS labels, while ingress accounting typically includes VLAN headers and/or PPPoE headers.

This counter adjustment aims to normalize counters with diverse encapsulations (double-tagged, untagged, etc.), for example aligning them to L3 counters (IP header and payload), or exclusively adapting egress traffic to match the outgoing packet encapsulation. The possibility of separate adjustment configurations per direction allows parity in the counters for both ingress and egress.

Within RBFS, there are two configurations available for this purpose: the byte adjustment value and the factor, with the latter rarely needed. The byte adjustment value accommodates both positive and negative values, like -20.0 or 20.0. Any provided decimal digits in the adjustment values are ignored (e.g. 20.2 becomes 20.0). The byte adjustment factors accept positive values and utilize only the first two decimal places, such as 0.98 (-2%) or 1.02 (+2%).

Ingress Accounting

Subscriber ingress accounting refers to the process of measuring and recording the data usage or traffic that enters a subscriber interface (upstream).

supervisor@switch: cfg> set config access aaa-profile aaa-default accounting ingress
  <cr>
  accounting-source               Source of session ingress counter
  byte-adjustment-factor          Adjust ingress LIF counters by factor
  byte-adjustment-value           Adjust ingress LIF counters by N bytes per packet
  policer-byte-adjustment-factor  Adjust ingress policer counters by factor
  policer-byte-adjustment-value   Adjust ingress policer counters by N bytes per packet
Attribute Description

accounting-source

This option provides control over the counters used for subscriber ingress accounting when RADIUS accounting is enabled. The counters in question are the RADIUS attributes Acct-Input-Packets (47), Acct-Input-Octets (42), and Acct-Input-Gigawords (52).

By default, the policer statistics (POLICER) are utilized, which represent the total traffic accepted across all policer levels (1-4). However, ingress control traffic is subject to a separate control plane policer and is therefore not included in the session policer statistics. Consequently, policers are necessary if session accounting is required.

Alternatively, the logical interface (LIF) statistics can be employed, encompassing all received traffic, including control traffic and traffic dropped by the ingress policer. It is important to note that this option may not be available on all platforms.

Default: POLICER Values: POLICER, LIF

byte-adjustment-value

Adjust ingress LIF counters by +/- N bytes per packet.

Default: 0.00 Range: -32 - 32

byte-adjustment-factor

Adjust ingress LIF counters by a factor (executed after adjustment value).

Default: 1.00 Range: 0.00 - 2.00

policer-byte-adjustment-value

Adjust ingress POLICER counters by +/- N bytes per packet.

Default: 0.00 Range: -32 - 32

policer-byte-adjustment-factor

Adjust ingress POLICER counters by factor (executed after adjustment value).

Default: 1.00 Range: 0.00 - 2.00

Egress Accounting

Subscriber egress accounting refers to the process of measuring and recording the data usage or traffic that is sent from a subscriber interface (downstream).

supervisor@switch: cfg> set config access aaa-profile aaa-default accounting egress
  <cr>
  accounting-source             Source of session egress counter
  byte-adjustment-factor        Adjust egress LIF counters by a factor
  byte-adjustment-value         Adjust egress LIF counters by N bytes per packet
  class-byte-adjustment-factor  Adjust egress class counters by a factor
  class-byte-adjustment-value   Adjust egress class counters by N bytes per packet
Attribute Description

accounting-source

This option provides control over the counters used for egress session accounting when RADIUS accounting is enabled. The counters in question are the RADIUS attributes Acct-Output-Packets (48), Acct-Output-Octets (43), and Acct-Output-Gigawords (53).

By default, the class statistics (CLASS) are utilized, which represent the total traffic accepted across all queues. However, the egress control traffic is sent directly to the IFP and is therefore not included in the session class statistics. Consequently, QoS is necessary if session accounting is required.

As an alternative, the logical interface (LIF) statistics can be utilized, which cover all sent traffic, excluding control traffic. However, it is important to be aware that this option might not be accessible on all platforms.

Default: CLASS Values: CLASS, LIF

byte-adjustment-value

Adjust egress LIF counters by +/- N bytes per packet.

Default: 0.00 Range: -32 - 32

byte-adjustment-factor

Adjust egress LIF counters by a factor (executed after adjustment value).

Default: 1.00 Range: 0.00 - 2.00

class-byte-adjustment-value

Adjust egress CLASS (queue) counters by +/- N bytes per packet.

Default: 0.00 Range: -32 - 32

class-byte-adjustment-factor

Adjust egress CLASS (queue) counters by factor (executed after adjustment value).

Default: 1.00 Range: 0.00 - 2.00
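The adjustment rules from "Configuring Accounting Adjustments" and the value/factor attributes above, carried through as an added example that is not RBFS code: the per-packet value is applied before the factor, decimal digits of the value are dropped, only two decimal places of the factor are used, and the result is split into the 32-bit RADIUS Octets attribute plus Gigawords (wrap count per RFC 2869). The sample traffic and the 30-byte overhead of a double-tagged PPPoE frame (Ethernet header, two VLAN tags, PPPoE and PPP headers) are constructed for the illustration.

```python
# Added example (not RBFS code): byte adjustment value/factor normalization.
from decimal import Decimal, ROUND_DOWN

def normalize_value(value):
    """Decimal digits of the adjustment value are ignored (20.2 -> 20)."""
    v = int(Decimal(str(value)).to_integral_value(rounding=ROUND_DOWN))
    if not -32 <= v <= 32:
        raise ValueError(f"adjustment value {value} outside -32..32")
    return v

def normalize_factor(factor):
    """Only the first two decimal places of the factor are used (1.029 -> 1.02)."""
    f = Decimal(str(factor)).quantize(Decimal("0.01"), rounding=ROUND_DOWN)
    if not Decimal("0.00") <= f <= Decimal("2.00"):
        raise ValueError(f"adjustment factor {factor} outside 0.00..2.00")
    return f

def adjust_octets(packets, octets, value=0, factor=1.0):
    """Per-packet byte adjustment first, then the factor (as the attributes state)."""
    adjusted = (Decimal(octets) + packets * normalize_value(value)) * normalize_factor(factor)
    return max(0, int(adjusted.to_integral_value(rounding=ROUND_DOWN)))

def radius_octet_attributes(octets):
    """Acct-*-Octets is a 32-bit counter; Acct-*-Gigawords counts its 2^32 wraps."""
    return {"octets": octets & 0xFFFFFFFF, "gigawords": octets >> 32}

# Constructed upstream sample: 1000 double-tagged PPPoE packets counted as
# 100000 bytes by the ingress policer. Ethernet (14) + two VLAN tags (2 x 4)
# + PPPoE (6) + PPP (2) headers are 30 bytes per packet; removing them
# yields L3 octets (IP header and payload).
PPPOE_DOUBLE_TAGGED_OVERHEAD = -30
SAMPLE_PACKETS, SAMPLE_OCTETS = 1000, 100000

def sample_l3_octets():
    return adjust_octets(SAMPLE_PACKETS, SAMPLE_OCTETS, PPPOE_DOUBLE_TAGGED_OVERHEAD)
```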