RADIUS Profile Configuration

Subscriber management allows the configuration of a RADIUS profile which is mandatory if RADIUS is used for authentication or accounting.

The way that the RADIUS profile configuration relates to all subscriber management configuration tasks is shown in the picture below.

ngaccess cli2 radius profile
Figure 1. RADIUS Profile Configuration

Configuring the RADIUS Profile

supervisor@switch: cfg> set config access radius-profile
  <profile-name>        Name of the RADIUS profile

supervisor@switch: cfg> set config access radius-profile radius-default
  <cr>
  accounting            RADIUS accounting options
  authentication        RADIUS authentication options
  nas-identifier        NAS identifier
  nas-ip-address        NAS IP address (IPv4 Address)
  nas-port-format       NAS-Port format
  nas-port-type         NAS-Port type

The following example shows a typical RADIUS profile for authentication and accounting.

supervisor@switch: cfg> show config access radius-profile radius-default
{
  "rtbrick-config:radius-profile": {
    "profile-name": "radius-default",
    "nas-identifier": "BNG",
    "nas-port-type": "Ethernet",
    "authentication": {
      "radius-server-profile-name": [
        "radius-server-1",
        "radius-server-2"
        ]
    },
    "accounting": {
      "radius-server-profile-name": [
        "radius-server-1",
        "radius-server-2"
        ],
      "stop-on-reject": "true",
      "stop-on-failure": "true",
      "accounting-on-off": "true",
      "accounting-on-wait": "true",
      "accounting-backup": "true",
      "accounting-backup-max": 86400
    }
  }
}
Attribute Description

nas-identifier

Set the value for the RADIUS attribute NAS-Identifier (32).

Default: system hostname

nas-ip-address

Set the value for RADIUS attribute NAS-IP-Address (4).

Default: source IPv4 address

nas-port-type

Set the value for RADIUS attribute NAS-Port-Type (61).

Default: Ethernet

nas-port-format

Set the format of the 32-bit RADIUS attribute NAS-Port (5).

Name Bits Values

DEFAULT

1:1:6:12:12

slot:subslot:port:vlan:vlan

SLOTS

6:2:6:12:6

slot:subslot:port:vlan:vlan

Configuring Authentication

supervisor@switch: cfg> set config access radius-profile radius-default authentication
  <cr>
  algorithm-type              Authentication redundancy algorithm
  radius-server-profile-name  RADIUS server profile name
Attribute Description

radius-server-profile-name

List of RADIUS servers used for authentication.

algorithm-type

Authentication server selection algorithm as described in RADIUS Redundancy.

Default: DIRECT Values: DIRECT, ROUND-ROBIN

Configuring Accounting

supervisor@switch: cfg> set config access radius-profile radius-default accounting
  <cr>
  accounting-backup           Enable backup accounting
  accounting-backup-max       Max backup accounting hold time in seconds
  accounting-on-off           Enable accounting on/off
  accounting-on-wait          Wait for an accounting-on response before sending authentication requests
  algorithm-type              Accounting redundancy algorithm
  radius-server-profile-name  RADIUS server profile name
  stop-on-failure             Send accounting-stop on failure
  stop-on-reject              Send accounting-stop on authentication reject
Attribute Description

radius-server-profile-name

List of RADIUS servers used for accounting.

algorithm-type

Accounting server selection algorithm as described in RADIUS Redundancy.

Default: DIRECT Values: DIRECT, ROUND-ROBIN

stop-on-failure

Sent RADIUS accounting request stop in case of failure after authentication was accepted.

Default: false

stop-on-reject

Sent RADIUS accounting request stop in case of authentication is rejected.

Default: false

accounting-on-off

Enable RADIUS Accounting-On/Off messages as described in RADIUS Accounting.

Default: false

accounting-on-wait

This option prevents any new subscriber until the accounting hast started meaning that the Accounting-On response was received.

Default: false

accounting-backup

RADIUS accounting requests are often used for billing and, therefore should be able to store and retry over a longer period (common up to 24 hours or more) which can be optionally enabled here.

Default: false

accounting-backup-max

This option defines maximum backup accounting hold time in seconds if accounting backup is enabled.

Default: 3600 Range: 1 - 4294967295