Configuring RADIUS Billing
This chapter describes the BBSM interface with the RADIUS server, including the RADIUS attributes that BBSM supports, user-provisioned bandwidth page sets, and prepaid RADIUS. The procedure to configure the RADIUS server billing options assumes that you have already run the Switch Discovery Wizard to configure the ports to use either the RADIUS page set or a custom page set. (Refer to the "Running the Switch Discovery Wizard" section.)
The chapter provides these sections:
• Overview
• RADIUS Attributes
• Configuring the RADIUS Server Options
• Configuring RADIUS for Multiple Sessions
Refer also to the RADIUS Session History Report section in the Cisco BBSM 5.3 Operations Guide.
Overview
The BBSM server has a built-in RADIUS client that complies with RADIUS standards, IETF RFCs 2865 and 2866, and is compatible with any compliant RADIUS server, although the officially supported servers are Cisco ACS, Microsoft IAS, and Navis.
RADIUS Authentication and Authorization
Each time the end user connects to the BBSM server using a page set configured for RADIUS, BBSM prompts for a username and password. BBSM then sends this information to a configured RADIUS authentication server in an access-request packet.
Note: The RADIUS authentication server does not have to be the same server as the RADIUS accounting server.
To provide redundancy in case the RADIUS server does not respond, you can configure multiple RADIUS servers in WEBconfig. This configuration includes the order in which these servers are contacted: the lowest-ranked server is contacted first, the next-ranked server second, and so on. For example, if two RADIUS servers are configured with ranks 30 and 31, server 30 is contacted first, then server 31. (Refer to the "Configuring the RADIUS Server Options" section.) BBSM attempts to contact the servers until an access-accept packet is received:
• If a server does not respond within the specified time, BBSM attempts to contact that server up to three times before moving to the next server.
• If a server responds with an access-reject packet, BBSM immediately sends the access-request packet to the next server.
RADIUS Accounting
BBSM saves Internet session information and then sends it to a configured RADIUS accounting server in start and stop accounting-request packets and, if configured, in interim-update packets. BBSM sends this data in the same ranked order and manner that it uses for access-request packets. With this session data, administrators can perform independent billing on a flat-rate or per-minute basis.
User-Provisioned Bandwidth
The two user-provisioned bandwidth (UBand) page sets, RADIUSUBand and RADIUSUBandClear, enable administrators to define bandwidth offerings. The end user chooses a bandwidth on the Start page. These are examples:
• 64K for $0.15/minute
• 128K for $0.25/minute
• Unlimited for $0.30/minute
BBSM throttles the session at the chosen bandwidth and sends the bandwidth VSA to the RADIUS accounting server in the start, stop, and interim-update accounting-request packets.
Note: The administrator must ensure that the RADIUS accounting server is configured to accept this bandwidth so the data can be retrieved for billing. The RADIUS provider is responsible for charging the end user.
When the user ends a session, the Disconnect web page appears and displays the session summary information: username, session duration (in minutes), and estimated session charge.
Using Prepaid RADIUS
BBSM provides support for prepaid RADIUS user accounts, which are configured on the RADIUS server. For these accounts, after the end user is authenticated, a web page appears that shows how many minutes are left on the account. The user then clicks continue and is taken to the configured web portal. A disconnect window shows the number of minutes that remain until the session ends. At the end of the session, the window displays that the user is out of time, and the session terminates.
BBSM supports the prepaid functionality by supporting the RADIUS Session-Timeout attribute. This attribute is sent from the RADIUS server in the access-accept packet and indicates the number of seconds allowed for the end user's session. Between sessions, the user account is maintained by the RADIUS server, not BBSM.
To set up BBSM for prepaid RADIUS, you need a RADIUS server that supports the following prepaid functionality:
• It can establish a user account that has a certain amount of time associated with it.
• When the user logs in, it sends the account time remaining in the Session-Timeout attribute in the access-accept packet.
• When the user disconnects, it reads the Acct-Session-Time attribute in the accounting stop packet. The RADIUS server must decrement the user's account by this amount.
Some RADIUS servers, such as the Cisco Access Registrar (CAR), have native support for the prepaid feature. Other servers can be extended to support this functionality. In some cases, a RADIUS server and a billing server combined can support the prepaid feature.
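The three prepaid requirements listed above, sketched as a server-side ledger. This is an added example, not BBSM or Cisco code; the class and method names are hypothetical, password verification is assumed to have already succeeded, and stop packets are deduplicated on Acct-Session-Id so that a retransmitted stop is not charged twice.

```python
# Added example: a minimal server-side prepaid ledger (hypothetical names).
class PrepaidLedger:
    def __init__(self):
        self.balance = {}   # User-Name -> seconds remaining
        self.open = {}      # Acct-Session-Id -> User-Name, recorded at login
        self.settled = {}   # Acct-Session-Id -> User-Name, already charged

    def add_account(self, user, seconds):
        # Requirement 1: an account with a fixed amount of time.
        self.balance[user] = seconds

    def on_access_request(self, user, session_id):
        """Return access-accept attributes, or None for access-reject."""
        remaining = self.balance.get(user, 0)
        if remaining <= 0:
            return None
        self.open[session_id] = user
        # Requirement 2: remaining time goes out as Session-Timeout (seconds).
        return {"Session-Timeout": remaining}

    def on_accounting_stop(self, attrs):
        """Charge one accounting stop packet; return the user's new balance."""
        sid, user = attrs["Acct-Session-Id"], attrs["User-Name"]
        if self.settled.get(sid) == user:
            # Retransmitted stop for a charged session: do not decrement twice.
            return self.balance[user]
        if self.open.get(sid) != user:
            raise ValueError("stop for unknown session or mismatched user")
        del self.open[sid]
        # Requirement 3: decrement by Acct-Session-Time, clamped at zero.
        used = max(0, int(attrs["Acct-Session-Time"]))
        self.balance[user] = max(0, self.balance[user] - used)
        self.settled[sid] = user
        return self.balance[user]


if __name__ == "__main__":
    ledger = PrepaidLedger()
    ledger.add_account("alice", 3600)   # constructed sample account
    print(ledger.on_access_request("alice", "S1"))
    stop = {"User-Name": "alice", "Acct-Session-Id": "S1", "Acct-Session-Time": 600}
    print(ledger.on_accounting_stop(stop))
    print(ledger.on_accounting_stop(stop))   # retransmission, balance unchanged
```

If multiple concurrent sessions are allowed on one account, each login in this sketch is issued the full remaining balance as Session-Timeout, so the clamp at zero protects the ledger but not the total time consumed.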
Although the BBSM prepaid RADIUS feature supports only time-based billing, volume-based billing is possible on a post-paid basis. Users can be charged based on packet volume when they log out of a session because BBSM sends the volume data to the RADIUS server in the accounting stop packet in the Acct-Input-Packets (47) and Acct-Output-Packets (48) attributes.
If you are using RADIUS for billing, you must configure BBSM to operate as a RADIUS client. This section describes how to configure BBSM for RADIUS billing and how to configure multiple concurrent RADIUS sessions. This configuration enables BBSM clients to be authenticated against a RADIUS server.
RADIUS Attributes
This section describes the RADIUS attributes that BBSM sends to and receives from the RADIUS server. Table 14-1 lists the access-request and accounting-request attributes by packet type, and Table 14-2 describes these attributes and several others that could be included in the access-accept packet from the RADIUS server.
Table 14-1 RADIUS Access-Request and Accounting-Request Packets
| Attribute | No. | Access-Request | Accounting-Request: Start | Accounting-Request: Interim-Update | Accounting-Request: Stop |
|---|---|---|---|---|---|
| User-Name | 1 | X | X | X | X |
| User-Password | 2 | X | | | |
| NAS-IP-Address | 4 | X | X | X | X |
| NAS-Port | 5 | X | X | X | X |
| Service-Type | 6 | X | X | X | X |
| Framed-Protocol | 7 | X | X | X | X |
| Framed-IP-Address | 8 | X | X | X | X |
| Reply-Message | 18 | X | | | |
| Class | 25 | | X | X | X |
| Vendor-Specific | 26 | | X | X | X |
| Session-Timeout | 27 | X | | | |
| Called-Station-ID | 30 | X | X | X | X |
| Calling-Station-ID | 31 | X | X | X | X |
| NAS-Identifier (if configured in BBSM) | 32 | X | X | X | X |
| Acct-Status-Type | 40 | | X | X | X |
| Acct-Input-Octets | 42 | | | | X |
| Acct-Output-Octets | 43 | | | | X |
| Acct-Session-ID | 44 | X | X | X | X |
| Acct-Session-Time | 46 | | | | X |
| Acct-Input-Packets | 47 | | | | X |
| Acct-Output-Packets | 48 | | | | X |
| Acct-Terminate-Cause | 49 | | | | X |
| NAS-Port-Type | 61 | X | X | X | X |
Table 14-2 RADIUS Attribute Descriptions
| Attribute | No. | Description |
|---|---|---|
| User-Name | 1 | The end user enters this name to authenticate against the RADIUS server and access the Internet through BBSM. |
| User-Password | 2 | The end user enters this password to authenticate against the RADIUS server and access the Internet through BBSM. The password is encrypted before being sent to the RADIUS server. |
| NAS-IP-Address | 4 | Either the IP address of the BBSM external NIC or the IP address entered as the NAS IP address on the WEBconfig RADIUS Server web page. |
| NAS-Port | 5 | The NAS-Port value is a numeric value (therefore the leading zeros of the site number are dropped). BBSM maps the NAS-Port attribute as the following: aaabbccddd, where aaa = site number, bb = cluster, cc = switch, and ddd = port. For example, if the site number = 1, the cluster number = 2, the switch number = 3, and the port number = 5, the NAS-Port number = 10203005. |
| Service-Type | 6 | The number 2 in this field indicates Framed. |
| Framed-Protocol | 7 | The number 1 in this field indicates PPP (point-to-point protocol). For historical reasons, BBSM sends 1 in this attribute even though clients do not usually use PPP. |
| Framed-IP-Address | 8 | IP address of client connecting to the Internet through BBSM. |
| Reply-Message | 18 | If this attribute is included in the access-accept packet, BBSM forwards this string to the iPass client using the XML tag, <AuthenticationReply>. |
| Class | 25 | Use this attribute to send optional information to the accounting server. If this attribute is included in the access-accept packet, BBSM sends this information unmodified to the accounting server. |
| Vendor-Specific | 26 | The end-user bandwidth (in kbps). You can use the bandwidth vendor-specific attribute (VSA) in two different scenarios: (1) VSA sent from the RADIUS server to BBSM: In this scenario, BBSM is configured to use the RADIUS or RADIUSClear page set and the end user logs on. The RADIUS server sends the bandwidth VSA to BBSM in an access-accept packet. BBSM reads the VSA, and if the Bandwidth Throttle check box in WEBconfig is checked (bandwidth enabled), BBSM throttles the end user to that speed. The VSA is not sent back to the RADIUS server in the accounting packets. For setting the Bandwidth Throttle option, refer to "Changing the Internal Network IP Address Ranges." (2) VSA sent from BBSM to the RADIUS server: In this scenario, BBSM is configured to use the RADIUSUBand or RADIUSUBandClear page set. If the Bandwidth Throttle check box in WEBconfig is checked (bandwidth enabled), the bandwidth choice is displayed on the Start page and the end user selects a bandwidth and logs on. BBSM throttles the user to the chosen speed and sends the bandwidth VSA in all accounting packets. The following is the format for the BBSM bandwidth VSA: Type = 26; Length (bytes) = 12; Vendor-ID = 5263; Vendor-type = 1; Vendor-length (bytes) = 6; Vendor-string (kbps) = Specified bandwidth, such as 256. |
| Session-Timeout | 27 | If this attribute is included in the access-accept packet, BBSM terminates the session after the number of Session-Timeout seconds unless the session has terminated earlier for another reason. |
| Called-Station-Id | 30 | The MAC address of the BBSM internal NIC. The string is a sequence of 12 hexadecimal characters. |
| Calling-Station-Id | 31 | The MAC address of the client (end-user) NIC. |
| NAS-Identifier | 32 | The NAS Identifier value entered on the WEBconfig RADIUS Server web page. If no value is entered in this field, BBSM does not include this attribute in the RADIUS Access-Request packet. |
| Acct-Status-Type | 40 | The number contained in this field indicates one of the following types of Accounting-Request packets: 1 = Start Accounting-Request; 2 = Interim-Update Accounting-Request; 3 = Stop Accounting-Request. |
| Acct-Input-Octets | 42 | The number of octets (bytes) that BBSM received from the end user during the session. |
| Acct-Output-Octets | 43 | The number of octets (bytes) that BBSM transmitted to the end user during the session. |
| Acct-Session-Id | 44 | The unique Session ID assigned to each BBSM end-user session used to identify all authentication and accounting messages generated for one user session. |
| Acct-Session-Time | 46 | The number of seconds for which the end user received service. |
| Acct-Input-Packets | 47 | The number of packets that BBSM received from the end user during the session. |
| Acct-Output-Packets | 48 | The number of packets that BBSM transmitted to the end user during the session. |
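An accounting server or log pipeline that consumes these packets has to decode two BBSM-specific encodings from Table 14-2: the bandwidth VSA and the aaabbccddd NAS-Port value. The following is an added example, not BBSM or Cisco code; the function names are hypothetical, and treating the four value bytes of the VSA as a big-endian unsigned integer is an assumption drawn from the stated lengths (12 and 6).

```python
import struct

BBSM_VENDOR_ID = 5263        # Vendor-ID from Table 14-2
BANDWIDTH_VENDOR_TYPE = 1    # Vendor-type from Table 14-2
# type, length, vendor-id, vendor-type, vendor-length, value = 12 bytes
_VSA = struct.Struct("!BBIBBI")

def encode_bandwidth_vsa(kbps):
    # Assumption: the 4 value bytes are a big-endian unsigned integer.
    return _VSA.pack(26, 12, BBSM_VENDOR_ID, BANDWIDTH_VENDOR_TYPE, 6, kbps)

def parse_bandwidth_vsa(data):
    """Return the bandwidth in kbps, rejecting anything that is not the BBSM VSA."""
    if len(data) != _VSA.size:
        raise ValueError("bandwidth VSA must be exactly 12 bytes")
    attr_type, length, vendor, vtype, vlen, kbps = _VSA.unpack(data)
    if (attr_type, length) != (26, 12):
        raise ValueError("not a 12-byte Vendor-Specific attribute")
    if (vendor, vtype, vlen) != (BBSM_VENDOR_ID, BANDWIDTH_VENDOR_TYPE, 6):
        raise ValueError("not the BBSM bandwidth sub-attribute")
    return kbps

def encode_nas_port(site, cluster, switch, port):
    """Build the aaabbccddd value; leading zeros vanish in the integer."""
    for name, value, limit in (("site", site, 999), ("cluster", cluster, 99),
                               ("switch", switch, 99), ("port", port, 999)):
        if not 0 <= value <= limit:
            raise ValueError(f"{name} out of range for aaabbccddd")
    return int(f"{site:03d}{cluster:02d}{switch:02d}{port:03d}")

def decode_nas_port(value):
    """Split a NAS-Port number back into site, cluster, switch and port."""
    if not 0 <= value <= 9_999_999_999:
        raise ValueError("NAS-Port does not fit aaabbccddd")
    digits = f"{value:010d}"   # restore the leading zeros that were dropped
    return {"site": int(digits[0:3]), "cluster": int(digits[3:5]),
            "switch": int(digits[5:7]), "port": int(digits[7:10])}

if __name__ == "__main__":
    print(encode_bandwidth_vsa(256).hex())   # constructed sample: 256 kbps
    print(decode_nas_port(10203005))         # the page's NAS-Port example
```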
Configuring the RADIUS Server Options
Follow this procedure to configure the RADIUS server billing options.
This procedure assumes that you have already run the Switch Discovery Wizard to configure the ports to use either the RADIUS page set or a custom page set. (Refer to the "Running the Switch Discovery Wizard" section.)
Step 1: From the Dashboard, click WEBconfig. The BBSM Server Settings web page appears.
Step 2: In the NavBar, navigate to the RADIUS Server web page by choosing Billing > RADIUS > Server. The RADIUS Servers web page appears. (See Figure 14-1.)
Figure 14-1 RADIUS Servers Web Page
Step 3: Configure the RADIUS server parameters, as described in Table 14-3 and click Save.
Note: Install a server SSL certificate to enable secure connections between client sessions and the BBSM server. Refer to the "Installing an SSL Certificate" section.
Table 14-3 RADIUS Server Web Page Options
| Field | Description |
|---|---|
| Server Name | Enter the unique DNS name or IP address of the RADIUS server. The DNS name can contain a maximum of 64 characters. |
| Secret | Enter the RADIUS client password used to access the RADIUS server. |
| Timeout (in seconds) | Enter the number of seconds that the BBSM server waits before attempting to access the RADIUS server a second or third time or before going to the next RADIUS server. BBSM attempts to contact each RADIUS server three times before attempting to contact the next RADIUS server. The default for this setting is 5 seconds. Note: The IIS default ASP Script timeout period is 90 seconds. This timeout period is the number of seconds that the browser will attempt to access the Internet before timing out. This time period is important to note because if you increase the RADIUS Servers Timeout period and more than one RADIUS server is unavailable, the total time period during which BBSM attempts to contact the RADIUS servers may be greater than the timeout period for the browser itself. This will cause the end user's browser to time out during authentication. For example, if the timeout period set is 20 seconds and two RADIUS servers are not responding, BBSM attempts to contact the first RADIUS server three times within 60 seconds. If BBSM cannot contact the first RADIUS server, it tries to contact the second server three times, again within 60 seconds. However, because the timeout period for IIS is 90 seconds, the browser will time out before BBSM finishes searching for the second RADIUS server. |
| Rank | Enter the order in which the BBSM server attempts to contact the RADIUS servers. The first server to be contacted is the lowest ranked server, the second server to be contacted is the next ranked server, and so on. For example, if two RADIUS servers are configured with rank 30 and 31, server 30 will be contacted first, then 31 will be contacted. The default is 30. |
| NAS IP Address | If the BBSM server is behind a NAT router, enter the public IP address that the router assigned to the BBSM server. (Changing this IP address for one RADIUS server changes it for all previously configured RADIUS servers. If the field is left blank, the RADIUS access policy uses the IP address of the external NIC.) |
| NAS Identifier | Enter a unique server identifier, such as "BBSMServer1." The RADIUS access policy uses this NAS identifier when sending authentication or accounting packets to the RADIUS server. If the field is left blank, the attribute is not sent. |
| RADIUS Accounting Interim Interval | Enter the number of minutes between sending Interim-Update packets to a RADIUS Accounting server. If the value is 0, Interim-Update packets are not sent. The default is 0. |
| Enable Authentication | Check to enable BBSM to verify the username and password with a RADIUS Authentication server (Authentication Access-Request message). |
| Using Port | Enter the TCP port on the BBSM server that the RADIUS server uses to communicate with the RADIUS authentication server. The default is 1645. |
| Enable Accounting | Check to enable BBSM to contact the RADIUS Accounting server to log the Start, Interim-Update Accounting, and Stop accounting messages. |
| Using Port | Enter the TCP port on the BBSM server that the RADIUS server uses to communicate with the RADIUS accounting server. The default is 1646. |
| Buttons | |
| New | Adds a new RADIUS server. A new RADIUS web page appears, showing the parameters that can be configured. |
| Requery | Refreshes the web page (click before saving changes). |
| Save | Saves the changes made to the web page. |
| Delete | Deletes the RADIUS server. |
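The Rank and Timeout settings interact with the rules in "RADIUS Authentication and Authorization": servers are tried in rank order, a silent server costs three timeouts, and an access-reject moves straight to the next server. The following added example (not BBSM or Cisco code; function names and the server records are constructed for illustration) walks a proposed configuration through those rules and reports whether the 90-second IIS ASP script timeout would expire first.

```python
IIS_ASP_SCRIPT_TIMEOUT = 90   # seconds, IIS default stated in Table 14-3
ATTEMPTS_PER_SERVER = 3       # BBSM tries each silent server three times

def simulate_login(servers):
    """Walk the servers in rank order, lowest rank first.

    servers: list of dicts with "name", "rank", "timeout" (seconds) and
    "behaviour", one of "accept", "reject" or "silent" (constructed
    stand-ins for live servers).
    Returns (accepted_by, elapsed_seconds, browser_timed_out).
    """
    elapsed = 0
    for server in sorted(servers, key=lambda s: s["rank"]):
        if server["behaviour"] == "silent":
            elapsed += ATTEMPTS_PER_SERVER * server["timeout"]
            if elapsed > IIS_ASP_SCRIPT_TIMEOUT:
                # The browser gives up before BBSM finishes with this server.
                return None, elapsed, True
        elif server["behaviour"] == "accept":
            return server["name"], elapsed, False
        # "reject": BBSM sends the access-request to the next server at once,
        # so a later-ranked server can still accept the same credentials.
    return None, elapsed, False

def worst_case_wait(servers):
    """Seconds spent if every configured server is silent."""
    return sum(ATTEMPTS_PER_SERVER * s["timeout"] for s in servers)

if __name__ == "__main__":
    # Constructed configuration matching the page's 20-second example.
    slow = [{"name": "a", "rank": 30, "timeout": 20, "behaviour": "silent"},
            {"name": "b", "rank": 31, "timeout": 20, "behaviour": "silent"}]
    print(simulate_login(slow), worst_case_wait(slow))
```

Because an access-reject does not end the search, every server in the ranked list should hold the same account data; otherwise a user rejected by one server can be accepted by the next.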
Configuring RADIUS for Multiple Sessions
You can enable RADIUS to support multiple sessions on a single RADIUS account at one time. Follow this procedure to configure multiple concurrent RADIUS sessions.
Step 1: From the Dashboard, click WEBconfig. The BBSM Server Settings web page appears.
Step 2: In the NavBar, navigate to the RADIUS Site web page by choosing Billing > RADIUS > Site x. The Site x web page appears. (See Figure 14-2.)
Figure 14-2 RADIUS Site Web Page
Step 3: To enable a RADIUS user to have a BBSM session active on more than one computer at the same time, check the Allow multiple concurrent RADIUS sessions check box. Leave it unchecked to prevent multiple computers from using the same RADIUS account at the same time. Click Save.