AAA acts as a framework for effective network management and security. It helps in managing network resources, enforcing policies, auditing network usage, and providing billing information. BNG connects to an external RADIUS server that provides the AAA functions.
The RADIUS server performs the three independent security functions (authentication, authorization, and accounting) to secure networks against unauthorized access. The RADIUS server runs the Remote Authentication Dial-In User Service (RADIUS) protocol (for details about the RADIUS protocol, refer to RFC 2865). The RADIUS server manages the AAA process by interacting with BNG and with the databases and directories that contain user information.
The RADIUS protocol runs on a distributed client-server system. The RADIUS client runs on BNG (Cisco ASR 9000 Series Router) and sends authentication requests to a central RADIUS server. The RADIUS server contains all user authentication and network service access information.
The AAA processes, the
role of RADIUS server during these processes, and some BNG restrictions, are
explained in these sections:
The authentication process identifies a subscriber on the network before granting access to the network and network services. Authentication works on a unique set of criteria that each subscriber must satisfy to gain access to the network. Typically, the RADIUS server performs authentication by matching the credentials (user name and password) the subscriber enters with those present in the database for that subscriber. If the credentials match, the subscriber is granted access to the network. Otherwise, the authentication process fails, and network access is denied.
After the authentication process, the subscriber is authorized to perform certain activities. Authorization is the process that determines what type of activities, resources, or services a subscriber is permitted to use. For example, after logging into the network, the subscriber may try to access a database or a restricted website. The authorization process determines whether the subscriber has the authority to access these network resources.
Authorization works by assembling a set of attributes based on the authentication credentials provided by the subscriber. The RADIUS server compares these attributes, for a given username, with information contained in a database. The result is returned to BNG to determine the actual capabilities and restrictions that are to be applied for that subscriber.
Accounting keeps track of the resources used by the subscriber during network access. Accounting is used for billing, trend analysis, tracking resource utilization, and capacity planning activities. During the accounting process, a log of network usage statistics is maintained. The information monitored includes, but is not limited to, subscriber identities, the configurations applied to the subscriber, the start and stop times of network connections, and the number of packets and bytes transferred to and from the network.
BNG reports subscriber activity to the RADIUS server in the form of accounting records. Each accounting record comprises an accounting attribute value, which the RADIUS server analyzes and uses for network management, client billing, auditing, and so on.
Accounting records of the subscriber sessions may time out if BNG does not receive acknowledgments from the RADIUS server. This timeout can be due to the RADIUS server being unreachable, or due to network connectivity issues that slow the RADIUS server's responses. If sessions on BNG are not acknowledged for their Accounting-Start request, loss of sessions on route processor fail over (RPFO) and other critical failures are reported. It is
therefore recommended that a RADIUS server
configured on the BNG, to avoid loss of sessions. Once this value is
configured, and if a particular session does not receive an accounting response even after retries, that RADIUS server is considered non-working and no further requests are sent to it.
can be used to configure the
RADIUS server. For details, see
Configuring RADIUS Server Settings.
On BNG, local authentication and local authorization are not supported; they must be performed by the RADIUS server.
When a subscriber disconnects, transmission of the Accounting-Stop request to RADIUS may be delayed for a few seconds while the system waits for the final session statistics to be collected from the hardware. The Event-Timestamp attribute in that Accounting-Stop request should, however, reflect the time the client disconnected, not the transmission time.
RADIUS over IPv6 is not supported.
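As an added illustration of the accounting exchange described above (the Accounting-Start/Stop records BNG sends, the acknowledgment it waits for, and the Event-Timestamp carried in the Stop record), the following Python is example code written for this page, not code from the Cisco documentation or the BNG implementation. It builds an Accounting-Request per RFC 2866, simulates the server's Accounting-Response, and performs the client-side check that decides whether a record counts as acknowledged; the shared secret, username and session id are constructed values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5    # packet codes (RFC 2866)
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE = 1, 40     # attribute types (RFC 2865/2866)
ATTR_ACCT_SESSION_ID, ATTR_EVENT_TIMESTAMP = 44, 55
ACCT_START, ACCT_STOP = 1, 2                      # Acct-Status-Type values

def attr(atype, value):
    """Encode one attribute as Type, Length (2-byte header included), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build_accounting_request(ident, secret, username, session_id, status, event_time):
    """Client side (what BNG sends). RFC 2866 Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    event_time is the Event-Timestamp: for a Stop record it is the moment the
    subscriber disconnected, not the moment the packet is finally transmitted."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
             + attr(ATTR_ACCT_SESSION_ID, session_id.encode())
             + attr(ATTR_EVENT_TIMESTAMP, struct.pack("!I", event_time)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_attributes(packet):
    """Return {type: raw value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def build_accounting_response(request, secret):
    """Server side (simulated here): Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret); no attributes."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_accounting_response(response, request, secret):
    """Client-side check: only a reply whose authenticator binds to our outstanding
    request (same ID, same shared secret) counts as an acknowledgment."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A reply that fails verify_accounting_response is treated exactly like no reply at all, which is the condition that drives the retry and server-unreachable handling described above.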