RADIUS Profile Configuration

Subscriber management allows the configuration of a RADIUS profile, which is mandatory if RADIUS is used for authentication or accounting.

The diagram below illustrates how the RADIUS profile is associated with the subscriber management tasks at a broader level.

Figure 1. RADIUS Profile Configuration

Configuring the RADIUS Profile

The RADIUS profile configuration involves setting up various parameters that define how the router interacts with the RADIUS server for authentication, accounting, and so on.

supervisor@switch: cfg> set config access radius-profile
  <profile-name>        Name of the RADIUS profile

supervisor@switch: cfg> set config access radius-profile radius-default
  <cr>
  accounting            RADIUS accounting options
  authentication        RADIUS authentication options
  nas-identifier        NAS identifier
  nas-ip-address        NAS IP address (IPv4 Address)
  nas-port-format       NAS-Port format
  nas-port-type         NAS-Port type

The following example shows a typical RADIUS profile for authentication and accounting. The RADIUS profile name is 'radius-default'. The NAS identifier is set to 'BNG' and the NAS port type to 'Ethernet'. The RADIUS servers used for authentication are 'radius-server-1' and 'radius-server-2', and the same two servers are used for accounting.

For information about other options, see the table descriptions below.

supervisor@switch: cfg> show config access radius-profile radius-default
{
  "rtbrick-config:radius-profile": {
    "profile-name": "radius-default",
    "nas-identifier": "BNG",
    "nas-port-type": "Ethernet",
    "authentication": {
      "radius-server-profile-name": [
        "radius-server-1",
        "radius-server-2"
        ]
    },
    "accounting": {
      "radius-server-profile-name": [
        "radius-server-1",
        "radius-server-2"
        ],
      "stop-on-reject": "true",
      "stop-on-failure": "true",
      "accounting-on-off": "true",
      "accounting-on-wait": "true",
      "accounting-backup": "true",
      "accounting-backup-max": 86400
    }
  }
}

Attribute Description

nas-identifier

Set the value for the RADIUS attribute NAS-Identifier (32).

Default: system hostname

nas-ip-address

Set the value for RADIUS attribute NAS-IP-Address (4).

Default: source IPv4 address

nas-port-type

Set the value for RADIUS attribute NAS-Port-Type (61).

Default: Ethernet

nas-port-format

Set the format of the 32-bit RADIUS attribute NAS-Port (5).

  Name     Bits         Values
  DEFAULT  1:1:6:12:12  slot:subslot:port:vlan:vlan
  SLOTS    6:2:6:12:6   slot:subslot:port:vlan:vlan
  PORTS    0:1:7:12:12  slot:subslot:port:vlan:vlan

Configuring Authentication

The following configuration command and options set the 'radius-profile' as the authentication method. They also define the list of RADIUS servers and the algorithm for RADIUS high availability.

supervisor@switch: cfg> set config access radius-profile radius-default authentication
  <cr>
  algorithm-type              Authentication redundancy algorithm
  radius-server-profile-name  RADIUS server profile name

Attribute Description

radius-server-profile-name

List of multiple RADIUS servers used for authentication.

algorithm-type

Specifies the authentication server selection algorithm. For more information, see RADIUS Redundancy.

Default: DIRECT

Values: DIRECT, ROUND-ROBIN

Configuring Accounting

Configuring accounting involves specifying its name and defining various parameters.

The following command and options allow you to configure RADIUS accounting.

supervisor@switch: cfg> set config access radius-profile radius-default accounting
  <cr>
  accounting-backup           Enables backup accounting
  accounting-backup-max       Maximum backup accounting hold time, in seconds
  accounting-on-off           Enables accounting on/off
  accounting-on-wait          Wait for an accounting-on response before sending authentication requests
  algorithm-type              Accounting redundancy algorithm
  radius-server-profile-name  RADIUS server profile name
  stop-on-failure             Send accounting-stop on failure
  stop-on-reject              Send accounting-stop on authentication reject

Attribute Description

radius-server-profile-name

List of RADIUS servers used for accounting.

algorithm-type

Specifies the accounting server selection algorithm. For more information, see RADIUS Redundancy.

Default: DIRECT

Values: DIRECT, ROUND-ROBIN

stop-on-failure

If set to true, accounting stops if a failure occurs in the process after authentication was accepted.

Default: false

stop-on-reject

If set to true, the accounting process stops when authentication is rejected.

Default: false

accounting-on-off

Enables RADIUS Accounting-On/Off messages. For more information, see RADIUS Accounting.

Default: false

accounting-on-wait

Waits for an Accounting-On response, ensuring that no new subscriber is allowed until the accounting process has been initiated.

Default: false

accounting-backup

Enables backup for accounting (optional). RADIUS accounting requests are often used for billing and should therefore be stored and retried over a longer period (commonly, up to 24 hours or more).

Default: false

accounting-backup-max

If accounting-backup is enabled, this option defines the maximum backup accounting hold time, in seconds.

Default: 3600

Range: 1 - 4294967295
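Because the accounting options above all default to false, a profile that only lists servers silently runs without backup or Accounting-On gating. The following is an added example, not RtBrick tooling: it reviews the JSON printed by 'show config access radius-profile' against the options described on this page, with the 24-hour threshold taken as an assumption from the remark under accounting-backup and the sample input constructed for illustration.

```python
import json

DAY = 86400  # assumed review threshold, from the page's "24 hours or more" remark

# Constructed sample: one server per list, accounting options left at defaults.
WEAK_PROFILE = """
{"rtbrick-config:radius-profile": {
  "profile-name": "radius-default",
  "authentication": {"radius-server-profile-name": ["radius-server-1"]},
  "accounting": {"radius-server-profile-name": ["radius-server-1"]}
}}
"""


def _enabled(section, key):
    # The show output on this page renders booleans as the strings "true"/"false".
    return str(section.get(key, "false")).lower() == "true"


def audit_radius_profile(config_text):
    """Return (option, reason) findings for one radius-profile JSON document."""
    profile = json.loads(config_text)["rtbrick-config:radius-profile"]
    findings = []
    for role in ("authentication", "accounting"):
        servers = profile.get(role, {}).get("radius-server-profile-name", [])
        if len(servers) < 2:
            findings.append((f"{role}.radius-server-profile-name",
                             f"{len(servers)} server(s) listed, no second server"))
    acct = profile.get("accounting", {})
    if not _enabled(acct, "accounting-backup"):
        findings.append(("accounting-backup",
                         "accounting requests are not held for retry"))
    elif int(acct.get("accounting-backup-max", 3600)) < DAY:
        # 3600 is the documented default when the option is absent.
        findings.append(("accounting-backup-max",
                         "hold time is shorter than 24 hours"))
    if not _enabled(acct, "accounting-on-wait"):
        findings.append(("accounting-on-wait",
                         "subscribers are admitted before Accounting-On is answered"))
    return findings


if __name__ == "__main__":
    for option, reason in audit_radius_profile(WEAK_PROFILE):
        print(f"{option}: {reason}")
```
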