Cisco Content Services Gateway - 2nd Generation Release 2.0 Installation and Configuration Guide, for Cisco IOS Release 12.4(15)MD
Configuring RADIUS Support

Table Of Contents

Configuring RADIUS Support

Configuring RADIUS Proxy

Configuring RADIUS Endpoint

Configuring RADIUS Handoff

Configuring RADIUS Packet of Disconnect

Configuring RADIUS Monitor

RADIUS Attributes and VSA Subattributes

RADIUS Attributes Required for CSG2 User Table

Deleting Entries from the CSG2 User Table

Reporting RADIUS Attributes and VSA Subattributes

Enabling Roaming Service Control

Retrieving the Billing Plan ID from RADIUS

RADIUS Subscriber Cleanup

RADIUS Error Acknowledgment

RADIUS Correlation Processing


Configuring RADIUS Support


RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all subscriber authentication and network service access information. The RADIUS client and server retrieve subscriber correlation information (the IP address, the MSISDN, the User-Name, and the Billing Plan) for prepaid subscribers. The CSG2 acts as a RADIUS proxy or RADIUS endpoint to retrieve the subscriber correlation information. In addition, the CSG2 can report RADIUS attributes when it communicates with the BMA and quota servers.

Figure 9-1 illustrates the placement of the Content Services Gateway 2 (CSG2) as a RADIUS Accounting proxy or monitor in the RADIUS Accounting and data flows.

Figure 9-1 RADIUS Accounting and Data Flows—RADIUS Accounting Proxy or Monitor

Figure 9-2 illustrates the placement of the CSG2 as a RADIUS Accounting endpoint plus Access Registrar-Identity Cache Engine (AR-ICE) in the RADIUS Accounting and data flows.

Figure 9-2 RADIUS Accounting and Data Flows—RADIUS Accounting Endpoint Plus AR-ICE

The CSG2 provides the following RADIUS features:

Configuring RADIUS Proxy

Configuring RADIUS Endpoint

Configuring RADIUS Handoff

Configuring RADIUS Packet of Disconnect

Configuring RADIUS Monitor

RADIUS Attributes and VSA Subattributes

Enabling Roaming Service Control

Retrieving the Billing Plan ID from RADIUS

RADIUS Subscriber Cleanup

RADIUS Error Acknowledgment

RADIUS Correlation Processing

Configuring RADIUS Proxy

The CSG2 can act as a RADIUS proxy, forwarding all of the RADIUS Accounting messages it receives to a configured RADIUS server. When the RADIUS server acknowledges a message with an ACK, the CSG2 forwards the ACK to the client. RADIUS proxy supports both RADIUS Access and RADIUS Accounting.

The CSG2 RADIUS proxy function allows operation with clients that use many port numbers. The RADIUS client sends messages to the configured CSG2 (virtual) IP address. The CSG2 accepts messages for all ports on the configured IP address.

You must configure a RADIUS proxy IP address for the CSG2 to use when it forwards a RADIUS message to the server.

You can also configure an optional RADIUS key.

If you configure a RADIUS key, the CSG2 parses and acts on a message only if the RADIUS Authenticator is correct.

If you do not configure a RADIUS key, the CSG2 always parses and forwards every message.

If you have enabled interface awareness, you can also associate a VLAN's Virtual Routing and Forwarding (VRF) table name with a particular RADIUS proxy.

To specify that the CSG2 is a proxy for RADIUS messages, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# ip csg radius proxy [vrf csg-vrf-name] csg-address [vrf server-vrf-name] server-address [csg-source-address] [key [encrypt] secret-string] [vrf sub-vrf-name]

Specifies that the CSG2 is a proxy for RADIUS messages.


Note If you specify the ip csg entries user profile radius remove command, you might also need to configure a key.

For Enhanced RADIUS Proxy, in order for the CSG2 to act on the optional Quota Server TLV in a RADIUS Accounting Start message, the referenced quota server must be manually configured prior to receiving the RADIUS Accounting Start message that contains the TLV.


Configuring RADIUS Endpoint

The CSG2 RADIUS features require that you configure the Network Access Server (NAS) to direct RADIUS messages to the CSG2 IP address (or to the alias address if this is a redundant configuration). You must also configure the NAS to use the specific port number on which the CSG2 listens.

You can also configure an optional RADIUS key.

If you configure a RADIUS key, the CSG2 parses and acts on a message only if the RADIUS Authenticator is correct.

If you do not configure a RADIUS key, the CSG2 always parses every message.

If you have enabled interface awareness, you can also associate a VLAN's Virtual Routing and Forwarding (VRF) table name with a particular RADIUS endpoint.

To configure the CSG2 as a RADIUS Accounting endpoint, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# ip csg radius endpoint [vrf csg-vrf-name] csg-address key [encrypt] secret-string [vrf sub-vrf-name]

(Optional) Identifies the CSG2 as an endpoint for RADIUS Accounting messages.

Configuring RADIUS Handoff

In networks that do not use Cisco Home Agents (HAs), the CSG2's RADIUS handoff feature can manage handoffs for roaming subscribers.

When RADIUS handoff is configured, and a RADIUS Accounting Stop is received, the CSG2 starts a handoff timer instead of immediately deleting the CSG2 User Table entry for the roaming subscriber.

When a handoff occurs, the CSG2 detects a RADIUS Accounting Start message for the same subscriber with a different Network Access Server (NAS) IP address. The CSG2 then uses the existing User Table entry for the subscriber, to preserve the subscriber information, and turns off the timer.

If the handoff timer expires before the CSG2 detects a RADIUS Accounting Start message for the subscriber, the CSG2 assumes a handoff did not occur and deletes the User Table entry for the subscriber.

In the event of a failover, all handoff timers are restarted.

To configure RADIUS handoff support, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# ip csg radius handoff duration

(Optional) Configures the CSG2 RADIUS handoff timer.

Configuring RADIUS Packet of Disconnect

The quota server can use the RADIUS Packet of Disconnect (PoD) feature to instruct the CSG2 to disconnect a subscriber. The CSG2 sends a Disconnect-Request to the NAS, identifying the subscriber, and the NAS responds with a Disconnect-ACK (positive acknowledgement) or Disconnect-NAK (negative acknowledgement).

By using one of the following methods, the quota server instructs the CSG2 to disconnect a subscriber:

The quota server can send the UserDisconnectRequest message to the CSG2. This message uses the UserIndex TLV to identify the subscriber to be disconnected.

The quota server can use Action Code 4 in the Action TLV in one of the following requests and responses:

The Service Authorization Response (indicating that the CSG2 will send the PoD message when the quota runs out)

The Service Stop Request (indicating that the CSG2 will send the PoD message immediately)

The User Profile Response (indicating that the CSG2 will send the PoD message immediately)

The CSG2 sends the PoD message to the NAS that is specified by the NAS-IP-Address attribute (4) in the RADIUS Accounting Start.

You can also configure an optional RADIUS key.

To configure support for RADIUS PoD, enter the following commands in global configuration mode:

 
Command
Purpose

Step 1 

csg2(config)# ip csg radius pod attribute 
{radius-attribute-number | vsa {vendor-id | 
3gpp} radius-subattribute-number}

(Optional) Specifies the RADIUS attributes and vendor-specific attribute (VSA) subattributes to be copied from the RADIUS Start message and sent to the Network Access Server (NAS) in the PoD message.

Step 2 

csg2(config)# ip csg radius pod nas [vrf vrf-name] [start-ip end-ip] port key [encrypt] secret-string

(Optional) Specifies the NAS port to which the CSG2 is to send the PoD message, and the key to use in calculating the Authenticator.

Step 3 

csg2(config)# ip csg radius pod timeout 
timeout retransmit retransmit

(Optional) Specifies the number of times to retry the RADIUS PoD message if it is not acknowledged by means of an ACK message, and the interval between retransmissions.

The following sample configuration specifies the following Packet of Disconnect (PoD) characteristics:

The RADIUS attributes to be copied from the RADIUS Start message and sent to the NAS in the PoD message

The NAS port to which the CSG2 is to send the PoD message, and the key to use in calculating the Authenticator

The number of times to retry the RADIUS PoD message if it is not acknowledged, and the interval between retries

Here is a sample configuration for RADIUS PoD:

ip csg radius userid User-Name
ip csg radius pod attribute 44
ip csg radius pod nas 1.1.1.0 1.1.1.255 1700 key secret
ip csg radius pod nas 1701 key password
ip csg radius pod timeout 30 retransmits 5
ip csg radius proxy 1.2.3.4 5.6.7.8 key secret

Configuring RADIUS Monitor

RADIUS monitor provides a way to insert the CSG2 into the RADIUS flow without changing the authentication, authorization, and accounting (AAA) or Network Access Server (NAS) addresses in the network. The CSG2 monitors the traffic between the RADIUS client and the RADIUS server, and watches for RADIUS messages that match the configured rule.

You must configure the IP address of the RADIUS server. You can also configure an optional RADIUS key.

To configure RADIUS monitor support, enter the following command in global configuration mode:

Command
Purpose
Router(config)# ip csg radius monitor [vrf csg-vrf-name] server-address server-port [key [encrypt] secret-string] [vrf sub-vrf-name]

Specifies that the CSG2 is to monitor the RADIUS flows to the specified server.

To specify that the CSG2 is to monitor the RADIUS flows to the specified Network Access Server (NAS), enter the following command in global configuration mode:

Command
Purpose
Router(config)# ip csg radius monitor nas 
nas-ip-address [vrf csg-vrf-name]

Specifies that the CSG2 is to monitor the RADIUS flows to the specified Network Access Server (NAS).

Here is a sample configuration for RADIUS monitor:

ip csg radius monitor 1.2.3.4 1813 key NAS_TABLE

RADIUS Attributes and VSA Subattributes

This section contains the following information:

RADIUS Attributes Required for CSG2 User Table

Deleting Entries from the CSG2 User Table

Reporting RADIUS Attributes and VSA Subattributes

RADIUS Attributes Required for CSG2 User Table

The User Table identifies all subscribers known to the CSG2. The table is populated from the contents of RADIUS Accounting Start messages, or from the user database, if either feature is enabled in your configuration.

The following RADIUS attributes must be in the RADIUS Accounting Start in order for the CSG2 to build an entry for a subscriber in the User Table:

8 (Framed-IP-Address)

Either 4 (NAS-IP-Address) or 32 (NAS-Identifier)

Either 1 (User-Name) or 31 (Calling-Station-Id), as configured

The CSG RADIUS interface recognizes the following Cisco-specific VSAs:

Subattribute value csg:quota_server=<ip>:<port> includes the quota server IP address and port in a RADIUS Start Accounting Message. You must manually configure the quota server referenced by this subattribute in order for the CSG2 to act on this VSA. If the quota server is not configured, the CSG2 creates a null entry in the User Table for the quota server. The user specified by the RADIUS message uses the quota server in the VSA.

Subattribute value csg:downlink_nexthop=<ip> includes the downlink next-hop IP address in a RADIUS Start Accounting Message. The downlink next-hop IP address is the address to which all downlink traffic is sent for a given user IP address, plus table pairing. If this VSA is not present, traffic is routed based on the routing tables of the CSG2.

When the CSG2 receives the RADIUS Access-Accept with Billing Plan ID included, it caches the information. The cached information is identified by user ID (either RADIUS Attribute 1 or RADIUS Attribute 31, as configured). When the CSG2 receives the RADIUS Accounting Start message with the user ID, the CSG2 builds a User Table entry by using the cached information.


Note Cached information is not displayed in the output of the show ip csg users command.
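The Authenticator check described for the RADIUS proxy and endpoint ("parses and acts on a message only if the RADIUS Authenticator is correct") and the User Table rules in this section, as an added Python example that is not part of this guide and not CSG2 code: it parses an Accounting-Request, verifies the RFC 2866 Request Authenticator with the shared key before acting on the message, rejects the length errors this chapter lists as parse errors, builds a User Table entry only when attribute 8, attribute 4 or 32, and the configured user ID attribute (1 or 31) are all present, and extracts the Cisco csg: subattributes (26/9/1). The shared secret, addresses and attribute values are constructed for the example; build_accounting_request exists only to produce test input with a valid Authenticator.

```python
import hashlib
import struct
from dataclasses import dataclass, field

ACCOUNTING_REQUEST = 4            # RADIUS Code for Accounting-Request (RFC 2866)
VENDOR_CISCO = 9                  # Vendor-Id carrying the csg: subattributes
SHARED_SECRET = b"example-secret" # constructed secret for this example only


@dataclass
class ParsedRadius:
    code: int
    identifier: int
    attrs: list = field(default_factory=list)   # [(type, value), ...] in message order
    vsas: list = field(default_factory=list)    # [(vendor_id, vendor_type, value), ...]


def parse_radius(packet: bytes) -> ParsedRadius:
    """Walk the header and attribute TLVs; raise on the length errors treated as parse errors."""
    if len(packet) < 20:
        raise ValueError("invalid RADIUS message length")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("invalid RADIUS message length")
    msg = ParsedRadius(code, ident)
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("incorrect RADIUS attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("incorrect RADIUS attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == 26:
            # Vendor-Specific (26): 4-byte Vendor-Id, then one vendor type/length/value
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("incorrect RADIUS attribute length")
            vendor_id = struct.unpack("!I", value[:4])[0]
            msg.vsas.append((vendor_id, value[4], value[6:4 + value[5]]))
        else:
            msg.attrs.append((atype, value))
        pos += alen
    return msg


def accounting_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """RFC 2866 Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return expected == packet[4:20]


def build_user_entry(msg: ParsedRadius, userid_attr: int = 1):
    """Apply the User Table rules: 8, plus 4 or 32, plus the configured user ID (1 or 31).

    Returns the entry dict, or None when a required attribute is missing."""
    def first(atype):
        return next((v for t, v in msg.attrs if t == atype), None)

    framed_ip, nas_ip, nas_id, uid = first(8), first(4), first(32), first(userid_attr)
    if framed_ip is None or (nas_ip is None and nas_id is None) or uid is None:
        return None
    entry = {
        "ip": ".".join(str(b) for b in framed_ip),
        "nas": ".".join(str(b) for b in nas_ip) if nas_ip else nas_id.decode(),
        "userid": uid.decode(),
        "billing_plan": None, "quota_server": None, "downlink_nexthop": None,
    }
    # Cisco VSA (26/9/1) carrying "csg:<key>=<value>"; an empty billing_plan means postpaid
    for vendor_id, vtype, value in msg.vsas:
        if vendor_id == VENDOR_CISCO and vtype == 1 and value.startswith(b"csg:"):
            key, _, val = value[4:].decode().partition("=")
            if key in entry:
                entry[key] = val
    return entry


def build_accounting_request(secret: bytes, ident: int, attrs, vsas=()) -> bytes:
    """Constructed Accounting-Request with a valid Authenticator (test input only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    for vendor_id, vtype, val in vsas:
        inner = bytes([vtype, len(val) + 2]) + val
        body += bytes([26, len(inner) + 6]) + struct.pack("!I", vendor_id) + inner
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def admit(packet: bytes, secret: bytes, userid_attr: int = 1):
    """Endpoint/proxy path: drop on bad Authenticator or parse error, else build the entry."""
    if not accounting_authenticator_ok(packet, secret):
        return None
    msg = parse_radius(packet)
    return build_user_entry(msg, userid_attr) if msg.code == ACCOUNTING_REQUEST else None


# Constructed sample: Framed-IP 10.1.2.3, NAS-IP 192.0.2.1, User-Name, two Cisco csg: VSAs
SAMPLE = build_accounting_request(
    SHARED_SECRET, 7,
    [(1, b"alice@example"), (4, bytes([192, 0, 2, 1])), (8, bytes([10, 1, 2, 3])),
     (44, b"0000ABCD")],
    [(VENDOR_CISCO, 1, b"csg:billing_plan=GOLD"),
     (VENDOR_CISCO, 1, b"csg:quota_server=198.51.100.5:3386")],
)

if __name__ == "__main__":
    print(admit(SAMPLE, SHARED_SECRET))
```

With no key configured the CSG2 forwards every message; admit() models the keyed case, where a message whose Authenticator does not verify under the shared secret is never parsed at all, so a spoofed Accounting Start cannot populate the User Table.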


Deleting Entries from the CSG2 User Table

For enhanced network connectivity options, such as secondary packet data protocol (PDP) contexts, the NAS sends multiple RADIUS Accounting Stop messages. In the case of secondary PDP contexts, for example, the NAS sends a RADIUS Accounting Stop as each context is terminated.

The CSG2 removes the subscriber from the User Table when it receives the final stop, which contains an attribute indicating it is final. The CSG2 support for this functionality allows the specific attribute to be configured. If this function is configured, the CSG2 processes only the RADIUS Accounting Stop that contains the configured attribute. The contents of the specified attribute are not examined.


Note Retransmitted RADIUS Accounting Stop messages might cause problems when associating traffic with a subscriber. To avoid any problems, do not configure your RADIUS server to reuse an IP address immediately after it is released by a subscriber.


You can specify the attribute that must be included in the RADIUS Accounting Stop request in order for the CSG2 User Table entry to be deleted. To do so, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# ip csg radius stop purge {radius-attribute-number | vsa {vendor-id | 3gpp} radius-subattribute-number}

(Optional) Specifies the attribute that must be included in the RADIUS Accounting Stop request in order for the CSG2 User Table entry to be deleted.

By default, the CSG2 deletes 1000 User Table entries per second in response to a RADIUS Accounting On or RADIUS Accounting Off message, or in response to the clear ip csg user all command. To specify a different deletion rate, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# ip csg radius on-off purge 
deletions-per-second

(Optional) Specifies the rate at which the CSG2 is to delete CSG2 User Table entries in response to a RADIUS Accounting On or RADIUS Accounting Off message, or in response to the clear ip csg user all command.

The actual rate at which the CSG2 deletes User Table entries might be slightly higher or lower than the specified rate.

Reporting RADIUS Attributes and VSA Subattributes

You can specify a set of attributes and VSA subattributes to be extracted from the RADIUS Accounting Start messages for each subscriber. The CSG2 then reports those attributes and subattributes to the Billing Mediation Agent (BMA) and quota server in every call detail record (CDR). The CSG2 can also include the attributes and subattributes in RADIUS PoD messages, if configured to do so.

You can use RADIUS attributes and subattributes to determine where a subscriber is connecting to the network, and for correlation purposes. For example, in a gateway general packet radio service (GPRS) environment you can use attributes and subattributes as follows:

NAS-IP-Address (4) identifies the gateway that provides accounting control for the subscriber. Examples of such devices include the gateway general packet radio service (GPRS) support node (GGSN), the Packet Data Serving Node (PDSN), the Home Agent, and the Cisco AS5300 Universal Access Server.

SGSN IP (26/10415/6) identifies the Serving GPRS Support Node (SGSN) that the subscriber is accessing.

Acct-Session-Id (44) uniquely identifies the session on the NAS and can be used to correlate GGSN accounting records.

The CSG2 reports attributes and subattributes in the order in which they appear in the RADIUS message. If there are multiple instances of an attribute, the CSG2 reports all of them.

The CSG2 saves and reports attribute and subattribute information for each subscriber.

When the CSG2 receives a new RADIUS Accounting Start or RADIUS Interim Accounting Request, it saves the attribute and subattribute information parsed from the new request.

The CSG2 saves only those attributes or subattributes which meet both of the following criteria:

They are present in the new RADIUS Accounting Start or RADIUS Interim Accounting Request.

They are configured for reporting at the time the new request arrives at the CSG2.

All previously stored attribute and subattribute information from previous requests is destroyed, even if the new RADIUS Accounting Start or RADIUS Interim Accounting Request does not contain all of the attributes and subattributes that were present in the previous request. Only the currently stored attributes are reported in CDRs.


Note The impact of RADIUS VSA subattribute parsing on CSG2 performance has not been measured. Storage is consumed based on the attributes selected.


To configure the list of attributes and subattributes to be copied from the RADIUS Start message and sent to the BMA and quota server, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# ip csg report radius attribute {radius-attribute-number | vsa {vendor-id | 3gpp} radius-subattribute-number}

(Optional) Specifies the RADIUS attributes and VSA subattributes to be copied from the RADIUS Start message and sent to the BMA in CSG2 CDRs.

The attributes are configured by their standard number, as shown in the following example:

ip csg report radius attribute 3
ip csg report radius attribute 5
ip csg report radius attribute 7
ip csg report radius attribute 44

You can specify as many attributes as you want. If you specify so many attributes that the total message size is greater than a single UDP packet, the CSG2 supports continuation messages. A continuation message includes a correlator, a continuation number (so that messages that are received out of order can be reordered), and an indication of the final message.

To specify the list of attributes and subattributes to be copied from the RADIUS Start message and sent to the NAS in the PoD message, see the description of the ip csg radius pod attribute command in the "Configuring RADIUS Packet of Disconnect" section.

If both the reporting of RADIUS attributes and Roaming Service Control are enabled, the CSG2 monitors both sets of attributes, but only changes in the Roaming Service Control attributes trigger reauthorization. For more information about Roaming Service Control, see the "Enabling Roaming Service Control" section.

Enabling Roaming Service Control

Roaming Service Control, also known as seamless roaming or RADIUS reauthorization, enables the CSG2 to reauthorize prepaid users when specified RADIUS attributes change, rather than ending the users' sessions.

When a RADIUS Start request is received, the specified attributes are saved. When a subsequent Start or Intermediate Accounting message is received, the specified attributes in the new message are compared with the saved attributes. If any attribute is different, each service is reauthorized, as new traffic for the service arrives.

If service-level CDR summarization is configured, the CSG2 then sends a Service Usage CDR for each service. Otherwise, if intermediate billing is supported, the CSG2 sends an intermediate billing CDR for each service. However, if you have enabled Roaming Service Control, and you have configured fixed-format CDRs using the ip csg records format fixed command in global configuration mode, the CSG2 does not generate intermediate CDRs during roaming events. For more information about service-level CDR summarization, see the "Enabling Service-Level CDR Summarization" section on page 5-9. For more information about intermediate billing, see the "Intermediate Billing Records" section on page 1-39.

To enable Roaming Service Control, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# ip csg radius reauthorization attribute {radius-attribute-number | vsa {vendor-id | 3gpp} radius-subattribute-number}

(Optional) Defines the RADIUS attributes and VSA subattributes to be monitored by the CSG2, and enables Roaming Service Control.

The attributes are configured by their standard number, as shown in the following example:

ip csg radius reauthorization attribute 14
ip csg radius reauthorization attribute vsa 7777 44
ip csg radius reauthorization attribute 26 7778 4

If both Roaming Service Control and the reporting of RADIUS attributes are enabled, the CSG2 monitors both sets of attributes, but only changes in the Roaming Service Control attributes trigger reauthorization. For more information about the reporting of RADIUS attributes, see the "Reporting RADIUS Attributes and VSA Subattributes" section.

Retrieving the Billing Plan ID from RADIUS

The CSG2 can extract the Billing Plan ID from the RADIUS Access-Accept message or RADIUS Accounting-Request message by using the Cisco subattribute 1 VSA. The format of the VSA is:

Attribute number: 26 (=vendor specific)

Vendor ID: 9 (=Cisco)

Subattribute: 1 (=Cisco generic)

Format: csg:billing_plan=billing_plan_name

The billing_plan_name can be null, indicating that the subscriber is a postpaid subscriber. Otherwise, the billing plan name must be sent as an uppercase string to match a configured billing plan on the CSG2.

If the message includes the billing plan, the user ID (RADIUS attribute 1 or 31, as configured) must also be included; otherwise, the CSG2 cannot associate the billing plan with the subscriber.

If the CSG2 is configured to obtain the billing plan from RADIUS, and the billing plan subattribute is not included in the RADIUS messages, the CSG2 queries the quota server to obtain the attribute (that is, the CSG2 sends a User Profile Request).

To configure the CSG2 to obtain the billing plan from RADIUS, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# ip csg entries user profile 
radius {remove | pass | timeout timeout}

(Optional) Specifies that the CSG2 is to obtain the Cisco vendor-specific attribute (VSA) subattribute 1, which contains the billing plan name, from the RADIUS Access-Accept and RADIUS Accounting-Request messages when generating entries for the CSG2 User Table.

To specify the RADIUS attribute that the CSG2 is to use to extract the user identifier from a RADIUS record, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# ip csg radius userid 
{31 | User-Name | Calling-Station-Id}

(Optional) Specifies the RADIUS attribute used to extract the user identifier from a RADIUS record.

RADIUS Subscriber Cleanup

A subscriber's connectivity attributes might change over time without a RADIUS Accounting Stop message arriving to close down the previous accounting. Instead, it is possible that a new RADIUS Accounting Start message or a RADIUS Interim Accounting message might arrive with the updated information. Some customers might choose to close all of a subscriber's services if a significant change has occurred in the subscriber's status.

Subscriber cleanup enables the CSG2 to delete the subscriber entry as if it had received a Stop, to close all of the subscriber's services, and to create a new entry.

To clean up the CSG2 User Table entry for a subscriber, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# ip csg radius start restart session-id {radius-attribute-number | vsa {vendor-id | 3gpp} radius-subattribute-number}

(Optional) Deletes an existing CSG2 User Table entry for a specific subscriber, and creates a new entry for that subscriber.

To avoid deleting the subscriber entry because of a retransmission of the RADIUS message, the ip csg radius start restart session-id command specifies an attribute to detect duplicate messages. If the contents of the attribute in the message match the contents of the previous message, the existing entry is not deleted.

RADIUS Error Acknowledgment

By default, the CSG2 acknowledges the following RADIUS parse errors:

Invalid RADIUS message or attribute length

RADIUS Authenticator does not match what the CSG2 calculates

Incorrect RADIUS attribute length

User profile information such as billing plan or quota server does not match the CSG2 configuration

You can prevent the CSG2 from acknowledging these errors.

To prevent the CSG2 from acknowledging RADIUS parse errors, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# no ip csg radius ack error parse

(Optional) Prevents the CSG2 from generating a RADIUS response to a RADIUS Accounting Start Request or a RADIUS Accounting Interim Request when it encounters a RADIUS parse error condition.


Note You must use the no form of this command, no ip csg radius ack error parse, to prevent the CSG2 from acknowledging these RADIUS parse errors.


By default, the CSG2 acknowledges the following user resource errors:

Maximum number of users reached

Unable to allocate memory for creating a user entry or for storing RADIUS attribute information (such as report attributes or parsed billing plan information)

Unable to communicate user information via inter-processor communication

Load manager prevents allocation of a user

You can prevent the CSG2 from acknowledging these errors.

To prevent the CSG2 from acknowledging user resource errors, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# no ip csg radius ack error user

(Optional) Prevents the CSG2 from generating a RADIUS response to a RADIUS Accounting Start Request or a RADIUS Accounting Interim Request when it encounters a user resource error condition.


Note You must use the no form of this command, no ip csg radius ack error user, to prevent the CSG2 from acknowledging these user resource errors.


RADIUS Correlation Processing

A retransmitted RADIUS Stop might cause the CSG2 to remove a subscriber entry from the CSG2 User Table when the entry should not be removed.

To avoid this problem, the CSG2 must be able to associate a session correlator from the RADIUS Start message with a subscriber entry in the User Table, and compare that correlator with the correlator in the RADIUS Stop message. If the correlators match, the CSG2 deletes the subscriber entry; otherwise, the CSG2 retains the entry in the User Table.

The CSG2 can use the Acct-Session-Id (attribute 44) as the correlator, or it can use the following vendor-specific attribute (VSA) subattribute (attribute 26, Vendor-Id 9, subattribute 1):

csg:user_session_correlator=string

If both attributes are included in the RADIUS Start or RADIUS Stop message, the CSG2 uses the VSA subattribute.

When RADIUS correlation processing is enabled:

If there is no correlator saved in the User Table entry, the CSG2 deletes the entry.

If there is a correlator saved in the User Table entry, the CSG2 compares it to the correlator in the RADIUS Stop. If the correlators match, the CSG2 deletes the entry; if they do not match, or if there is no correlator in the RADIUS Stop, the CSG2 retains the entry in the User Table.

To enable RADIUS correlation processing by the CSG2, enter the following command in global configuration mode:

Command
Purpose
csg2(config)# no ip csg radius correlation

(Optional) Enables RADIUS correlation processing by the CSG2.
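The User Table lifecycle rules spread across this chapter, as one added Python example that is not part of this guide and not CSG2 code: the handoff timer ("Configuring RADIUS Handoff"), the Stop purge attribute ("Deleting Entries from the CSG2 User Table"), the refresh of saved reporting attributes ("Reporting RADIUS Attributes and VSA Subattributes"), the attribute comparison of Roaming Service Control, and the correlator rules of this section, including the preference for the csg:user_session_correlator subattribute over Acct-Session-Id. Messages are modelled as already-parsed dicts rather than packets. Two points are assumptions, not statements of the guide: the order in which a Stop is checked (purge attribute, then correlator, then handoff timer), and that a Start which completes a handoff replaces the saved correlator with the new session's. All keys and values are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Messages are dicts already parsed out of the RADIUS packet: integer keys are standard
# attribute numbers (1, 4, 8, 44, ...), string keys name VSA subattributes
# ("csg:user_session_correlator", "3gpp:3", ...). All keys and values are constructed.


@dataclass
class UserEntry:
    userid: str
    nas: str
    correlator: Optional[str]                      # Acct-Session-Id (44) or csg:user_session_correlator
    reported: dict = field(default_factory=dict)   # attributes currently saved for CDR reporting
    roaming: dict = field(default_factory=dict)    # attributes watched by Roaming Service Control
    handoff_deadline: Optional[float] = None       # set by a Stop while the handoff timer runs


def correlator_of(msg):
    """The VSA subattribute wins when both it and Acct-Session-Id are present."""
    if "csg:user_session_correlator" in msg:
        return msg["csg:user_session_correlator"]
    return msg.get(44)


class UserTable:
    def __init__(self, handoff_duration=0, correlation=True, stop_purge_attr=None,
                 report_attrs=(), reauth_attrs=()):
        self.entries = {}                          # keyed by Framed-IP-Address (8)
        self.handoff_duration = handoff_duration   # 0: ip csg radius handoff not configured
        self.correlation = correlation             # RADIUS correlation processing on/off
        self.stop_purge_attr = stop_purge_attr     # attribute a Stop must carry to be acted on
        self.report_attrs = tuple(report_attrs)    # ip csg report radius attribute ...
        self.reauth_attrs = tuple(reauth_attrs)    # ip csg radius reauthorization attribute ...

    def _refresh(self, msg, attrs):
        # Only attributes present in this request AND configured survive; anything saved
        # from earlier requests is discarded, even if the new request omits it.
        return {a: msg[a] for a in attrs if a in msg}

    def on_start(self, msg, now):
        entry = self.entries.get(msg[8])
        if (entry and entry.handoff_deadline is not None
                and entry.userid == msg[1] and entry.nas != msg[4]):
            # Handoff: same subscriber, different NAS, timer still running -> keep the entry
            entry.nas, entry.handoff_deadline = msg[4], None
            entry.correlator = correlator_of(msg)          # assumption: new session's correlator
            entry.reported = self._refresh(msg, self.report_attrs)
            return "handoff"
        self.entries[msg[8]] = UserEntry(msg[1], msg[4], correlator_of(msg),
                                         self._refresh(msg, self.report_attrs),
                                         self._refresh(msg, self.reauth_attrs))
        return "created"

    def on_interim(self, msg):
        """Interim refreshes the saved attributes; a changed roaming attribute means reauthorize."""
        entry = self.entries.get(msg[8])
        if entry is None:
            return "no-entry"
        new_roaming = self._refresh(msg, self.reauth_attrs)
        changed = new_roaming != entry.roaming
        entry.roaming, entry.reported = new_roaming, self._refresh(msg, self.report_attrs)
        return "reauthorize" if changed else "updated"

    def on_stop(self, msg, now):
        entry = self.entries.get(msg[8])
        if entry is None:
            return "no-entry"
        if self.stop_purge_attr is not None and self.stop_purge_attr not in msg:
            return "ignored"              # not the final Stop of a multi-context session
        if (self.correlation and entry.correlator is not None
                and correlator_of(msg) != entry.correlator):
            return "retained"             # mismatch, or no correlator in the Stop: stale Stop
        if self.handoff_duration:
            entry.handoff_deadline = now + self.handoff_duration
            return "handoff-timer"
        del self.entries[msg[8]]
        return "deleted"

    def expire(self, now):
        """Delete entries whose handoff timer ran out without a matching Start arriving."""
        gone = [ip for ip, e in self.entries.items()
                if e.handoff_deadline is not None and e.handoff_deadline <= now]
        for ip in gone:
            del self.entries[ip]
        return gone


if __name__ == "__main__":
    table = UserTable(handoff_duration=30, report_attrs=(4, 44))
    print(table.on_start({1: "alice", 4: "192.0.2.1", 8: "10.1.2.3", 44: "S1"}, now=0))
    print(table.on_stop({1: "alice", 4: "192.0.2.1", 8: "10.1.2.3", 44: "S1"}, now=10))
    print(table.on_start({1: "alice", 4: "192.0.2.2", 8: "10.1.2.3", 44: "S2"}, now=20))
    print(table.on_stop({1: "alice", 4: "192.0.2.1", 8: "10.1.2.3", 44: "S1"}, now=25))
```

The last call in the usage above is a retransmitted Stop from the old NAS with the old correlator; the correlator check keeps the entry instead of tearing down the session the handoff just preserved, which is the problem this section's correlation processing exists to solve.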