This section
provides AAA engineering rules and guidelines that must be considered
prior to configuring the system for AAA functionality.
AAA Interface Rules
The following
engineering rules apply to the AAA interface including RADIUS and
Diameter:
- AAA interfaces are
specified by assigning the IP address of a logical interface within
a specific context as the RADIUS NAS IP Address (RFC-2865 and RFC-2866)
within the same context. This is done using the radius attribute nas-ip-address command
in the context configuration mode.
- AAA interfaces in support
of data services can be configured within any context.Typically it exists
in the:
- Ingress context for
PDSN and ASNGW services
- Egress context for
GGSN services
- A AAA interface is
selected in the following order:
- NAI-based selection
- Default AAA context
- Last-resort AAA context
- If all else fails defaults
to the Ingress Context
- AAA servers can be
configured with “primary” and “backup” servers
for any context.
- Authentication and
Accounting servers can be configured individually per context.
- Multiple AAA contexts
can be configured to support different accounting and authentication
servers based on the domain where that the subscriber belongs.
- AAA server group provides
AAA functionality to the each subscriber separately with in the
same context.
- AAA server group for
AAA functionality can be configured with following limits:
- A total of 800 AAA
server groups (including “default” server group)
are available per context or system.
- A maximum number of
authentication/accounting servers per AAA server group
is 128.
- A maximum of 1600 servers
can be configured in a context or a system, regardless of the number
of server groups, with any combination for authentication and/or accounting.
- A maximum of 800 NAS-IP
addresses/NAS identifier (1 primary and 1 secondary per
server group) can be configured per context.