AAA Profile Configuration
Table: global.access.aaa.profile.config
Subscriber management requires the mandatory configuration of an Authentication, Authorization, and Accounting (AAA) profile.
The way the AAA profile configuration relates to the other subscriber management configuration tasks is shown in the figure below.
Configuring the AAA Profile
```
supervisor@switch: cfg> set access aaa-profile
  <profile-name>        Name of the AAA profile
supervisor@switch: cfg> set access aaa-profile aaa-example
  <cr>
  aaa-radius-profile    AAA RADIUS profile name
  accounting            Accounting options
  authentication        Authentication options
  idle-timeout          Idle timeout in seconds (0 == infinity)
  session-timeout       Session timeout in seconds (0 == infinity)
```
The following example shows a typical AAA profile for RADIUS authentication and accounting.
```
supervisor@switch: cfg> show config access aaa-profile aaa-radius
{
  "rtbrick-config:aaa-profile": {
    "profile-name": "aaa-radius",
    "session-timeout": 0,
    "idle-timeout": 0,
    "aaa-radius-profile": "radius-default",
    "authentication": {
      "order": "RADIUS"
    },
    "accounting": {
      "order": "RADIUS",
      "session-id-format": "DEFAULT",
      "ingress": {
        "accounting-source": "POLICER"
      },
      "egress": {
        "accounting-source": "CLASS",
        "class-byte-adjustment-value": 16
      }
    }
  }
}
```
Attribute | Description |
---|---|
session-timeout | The session timeout specifies the maximum uptime in seconds until a subscriber is terminated. The value 0 means infinity. Default: 0. Range: 0 - 4294967295 |
idle-timeout | The idle timeout specifies the time in seconds until a subscriber is terminated if no traffic is forwarded, based on the outgoing logical interface statistics of the subscriber IFL. Those statistics do not include control traffic. The subscriber is not considered idle as long as egress traffic is detected. The idle timeout is not limited, but it should be set to at least double the update interval of the logical interface statistics counter (between 5 and 30 seconds). The value 0 means infinity. Default: 0. Range: 0 - 4294967295 |
aaa-radius-profile | The RADIUS profile (see RADIUS Profile Configuration) that is used if RADIUS authentication or accounting is enabled. |
Configuring Authentication
RBFS supports the authentication methods NONE, LOCAL, DOMAIN, and RADIUS. The option NONE disables authentication by accepting all credentials. The authentication method LOCAL authenticates the subscriber based on locally defined user profiles (see User Profile Configuration). The method DOMAIN works similarly to LOCAL, except that instead of the whole username only the domain part, separated by a configurable domain delimiter (default @), is used: for the user user@rtbrick.com this is rtbrick.com. The authentication method RADIUS authenticates the subscriber remotely by sending an authentication request to the defined RADIUS servers.
The authentication method DOMAIN is currently not supported!
Some methods can also be combined. With LOCAL_RADIUS the subscriber is first authenticated locally and then via RADIUS if no matching local user is found. If a local user is found but the password does not match, the subscriber is immediately rejected without contacting the RADIUS servers. The behavior is similar for RADIUS_LOCAL, where the subscriber is immediately disconnected if the authentication request is rejected by RADIUS. In this case, local authentication is used as the fallback only if no response is received (timeout) from any of the configured RADIUS servers.
```
supervisor@switch: cfg> set config access aaa-profile aaa-default authentication
  <cr>
  delimiter             Delimiter string
  order                 Authentication order
```
Attribute | Description |
---|---|
order | This option defines the order of authentication methods. Default: NONE. Values: LOCAL, LOCAL_RADIUS, RADIUS, RADIUS_LOCAL |
delimiter | This option defines the delimiter for domain authentication. Default: @ |
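The following model of the combined authentication orders is an added example, not RBFS code. It assumes a constructed local user store and a constructed RADIUS outcome, and returns both the decision and whether a RADIUS request was sent at all, which matters when correlating subscriber rejects against RADIUS server logs.

```python
from enum import Enum


class RadiusResult(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"   # no response from any configured RADIUS server


# Constructed local user store standing in for the User Profile Configuration.
LOCAL_USERS = {"user@rtbrick.com": "s3cret"}


def local_auth(username, password):
    """Return True/False if a local user exists, None if there is no such user."""
    stored = LOCAL_USERS.get(username)
    if stored is None:
        return None
    return stored == password


def authenticate(order, username, password, radius_result):
    """Return (decision, radius_queried) for one authentication order.

    radius_result is the constructed outcome the RADIUS request would produce;
    for plain RADIUS anything other than Access-Accept is treated as a reject here.
    """
    radius_decision = "accept" if radius_result is RadiusResult.ACCEPT else "reject"
    if order == "NONE":                       # all credentials are accepted
        return "accept", False
    if order == "LOCAL":
        return ("accept" if local_auth(username, password) else "reject"), False
    if order == "RADIUS":
        return radius_decision, True
    if order == "LOCAL_RADIUS":
        local = local_auth(username, password)
        if local is None:                     # no matching local user: ask RADIUS
            return radius_decision, True
        return ("accept" if local else "reject"), False   # wrong password: no RADIUS request
    if order == "RADIUS_LOCAL":
        if radius_result is not RadiusResult.TIMEOUT:     # explicit accept/reject is final
            return radius_decision, True
        # Timeout from every server: local authentication is the fallback.
        return ("accept" if local_auth(username, password) else "reject"), True
    raise ValueError(f"unknown authentication order: {order}")
```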
Configuring Accounting
Subscriber accounting refers to the process of measuring and recording the time and data usage of a subscriber. This includes the session time, called time accounting, and the number of packets and bytes transmitted or received, called volume accounting.
Subscriber volume accounting works in both directions, but ingress and egress direction can be configured independently.
Today RBFS supports the accounting method RADIUS only!
```
supervisor@switch: cfg> set config access aaa-profile aaa-default accounting
  <cr>
  egress                Egress volume accounting options
  ingress               Ingress volume accounting options
  interim-interval      Accounting interim interval in seconds (0 == disabled)
  order                 Accounting order
  session-id-format     Accounting-Session-Id format
```
Attribute | Description |
---|---|
order | This option defines the order of accounting methods. Default: NONE |
interim-interval | The interim interval specifies the time in seconds between interim accounting requests, where 0 means disabled. Default: 0. Range: 0 - 4294967295 |
session-id-format | The format of the Accounting-Session-Id (RADIUS attribute 44). Default: DEFAULT. Values: BRIEF, EXTENSIVE |
Configuring Accounting Adjustments
The accounting adjustment feature enables basic counter modifications for the configured accounting method, such as RADIUS accounting. This configuration is necessary to normalize counters across different platforms in each direction. On Broadcom Q2C and Q2A based platforms, packets are counted in the size they enter the switch. Without adjustment, egress accounting would count downstream traffic as received from the core, complete with MPLS labels, while ingress accounting typically includes VLAN headers and/or PPPoE headers.
This counter adjustment aims to normalize counters across diverse encapsulations (double-tagged, untagged, etc.), for example by aligning them to L3 counters (IP header and payload), or by adapting only egress traffic to match the outgoing packet encapsulation. The possibility of separate adjustment configurations per direction allows parity between the ingress and egress counters.
Within RBFS, there are two configurations available for this purpose: the byte adjustment value and the factor, with the latter rarely needed. The byte adjustment value accommodates both positive and negative values, like -20.0 or 20.0. Any decimal digits in an adjustment value are ignored (e.g. 20.2 becomes 20.0). The byte adjustment factor accepts positive values and uses only the first two decimal places, such as 0.98 (-2%) or 1.02 (+2%).
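The adjustment arithmetic described above, as an added example that is not RBFS code: the per-packet byte value is applied first and the factor afterwards, decimal digits of the value and all but two decimal places of the factor are dropped, and the ranges (-32 .. 32 and 0.00 .. 2.00) are taken from the ingress and egress attribute tables. The adjusted count is then split into the 32-bit Octets and Gigawords RADIUS attributes; the sample counters are constructed.

```python
from decimal import Decimal, ROUND_DOWN


def normalize_value(value):
    """Byte adjustment value: decimal digits are ignored (20.2 -> 20, -20.7 -> -20)."""
    whole = int(Decimal(str(value)).quantize(Decimal("1"), rounding=ROUND_DOWN))
    if not -32 <= whole <= 32:
        raise ValueError("byte adjustment value must be within -32 .. 32")
    return whole


def normalize_factor(factor):
    """Byte adjustment factor: only the first two decimal places are used (0.987 -> 0.98)."""
    two_places = Decimal(str(factor)).quantize(Decimal("0.01"), rounding=ROUND_DOWN)
    if not Decimal("0.00") <= two_places <= Decimal("2.00"):
        raise ValueError("byte adjustment factor must be within 0.00 .. 2.00")
    return two_places


def adjust_octets(packets, octets, adjustment_value=0, adjustment_factor=1.0):
    """Apply the per-packet byte adjustment first, then the factor, to a raw octet counter."""
    value = normalize_value(adjustment_value)
    factor = normalize_factor(adjustment_factor)
    adjusted = (Decimal(octets) + Decimal(packets) * value) * factor
    return max(0, int(adjusted))  # counters never go negative; fractions are dropped


def split_gigawords(octets):
    """Split a 64-bit byte count into the RADIUS Octets (low 32 bits) and
    Gigawords (high 32 bits) attributes: 42/52 for ingress, 43/53 for egress."""
    return octets & 0xFFFFFFFF, octets >> 32


def combine_gigawords(low_octets, gigawords):
    """Inverse of split_gigawords, e.g. when reading back an accounting record."""
    return (gigawords << 32) | low_octets


if __name__ == "__main__":
    # Constructed sample: 1000 downstream packets and a 1.5 MB raw class counter,
    # adjusted with the class-byte-adjustment-value of 16 from the profile example above.
    raw_packets, raw_octets = 1000, 1_500_000
    adjusted = adjust_octets(raw_packets, raw_octets, adjustment_value=16)
    low, giga = split_gigawords(adjusted)
    print(f"adjusted={adjusted} Acct-Output-Octets={low} Acct-Output-Gigawords={giga}")
```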
Ingress Accounting
Subscriber ingress accounting refers to the process of measuring and recording the data usage or traffic that enters a subscriber interface (upstream).
```
supervisor@switch: cfg> set config access aaa-profile aaa-default accounting ingress
  <cr>
  accounting-source               Source of session ingress counter
  byte-adjustment-factor          Adjust ingress LIF counters by factor
  byte-adjustment-value           Adjust ingress LIF counters by N bytes per packet
  policer-byte-adjustment-factor  Adjust ingress policer counters by factor
  policer-byte-adjustment-value   Adjust ingress policer counters by N bytes per packet
```
Attribute | Description |
---|---|
accounting-source | This option controls which counters are used for subscriber ingress accounting when RADIUS accounting is enabled. The counters in question are the RADIUS attributes Acct-Input-Packets (47), Acct-Input-Octets (42), and Acct-Input-Gigawords (52). By default, the policer statistics (POLICER) are used, which represent the total traffic accepted across all policer levels (1-4). Ingress control traffic is subject to a separate control plane policer and is therefore not included in the session policer statistics. Consequently, policers are necessary if session accounting is required. Alternatively, the logical interface (LIF) statistics can be used, which encompass all received traffic, including control traffic and traffic dropped by the ingress policer. Note that this option may not be available on all platforms. Default: POLICER. Values: POLICER, LIF |
byte-adjustment-value | Adjust ingress LIF counters by +/- N bytes per packet. Default: 0.00. Range: -32 - 32 |
byte-adjustment-factor | Adjust ingress LIF counters by a factor (applied after the adjustment value). Default: 1.00. Range: 0.00 - 2.00 |
policer-byte-adjustment-value | Adjust ingress POLICER counters by +/- N bytes per packet. Default: 0.00. Range: -32 - 32 |
policer-byte-adjustment-factor | Adjust ingress POLICER counters by a factor (applied after the adjustment value). Default: 1.00. Range: 0.00 - 2.00 |
Egress Accounting
Subscriber egress accounting refers to the process of measuring and recording the data usage or traffic that is sent from a subscriber interface (downstream).
```
supervisor@switch: cfg> set config access aaa-profile aaa-default accounting egress
  <cr>
  accounting-source               Source of session egress counter
  byte-adjustment-factor          Adjust egress LIF counters by a factor
  byte-adjustment-value           Adjust egress LIF counters by N bytes per packet
  class-byte-adjustment-factor    Adjust egress class counters by a factor
  class-byte-adjustment-value     Adjust egress class counters by N bytes per packet
```
Attribute | Description |
---|---|
accounting-source | This option controls which counters are used for egress session accounting when RADIUS accounting is enabled. The counters in question are the RADIUS attributes Acct-Output-Packets (48), Acct-Output-Octets (43), and Acct-Output-Gigawords (53). By default, the class statistics (CLASS) are used, which represent the total traffic accepted across all queues. Egress control traffic is sent directly to the IFP and is therefore not included in the session class statistics. Consequently, QoS is necessary if session accounting is required. Alternatively, the logical interface (LIF) statistics can be used, which cover all sent traffic, excluding control traffic. Note that this option may not be available on all platforms. Default: CLASS. Values: CLASS, LIF |
byte-adjustment-value | Adjust egress LIF counters by +/- N bytes per packet. Default: 0.00. Range: -32 - 32 |
byte-adjustment-factor | Adjust egress LIF counters by a factor (applied after the adjustment value). Default: 1.00. Range: 0.00 - 2.00 |
class-byte-adjustment-value | Adjust egress CLASS (queue) counters by +/- N bytes per packet. Default: 0.00. Range: -32 - 32 |
class-byte-adjustment-factor | Adjust egress CLASS (queue) counters by a factor (applied after the adjustment value). Default: 1.00. Range: 0.00 - 2.00 |