About the RADIUS Listener LEG
This module describes the Subscriber Manager RADIUS Listener LEG software module and the terms and concepts used in this guide.
•About the RADIUS Listener LEG
•Terms and Concepts
About the RADIUS Listener LEG
The RADIUS Listener LEG is a software module that receives RADIUS Accounting messages and, according to their content, invokes logon operations to the Subscriber Manager (SM). It also provides dynamic integration for subscribers over VPN. The RADIUS Listener LEG is an extension to the SM software and runs concurrently with the SM.
When the RADIUS Listener LEG receives an Accounting-Start message, it extracts the subscriber ID, the subscriber IP-address, the VLAN-ID, and optionally, the subscriber package index from the message attributes, and triggers a login operation to the SM. In the same manner, Accounting-Interim-Update triggers a login operation, and the Accounting-Stop message triggers a logout operation.
The RADIUS Listener LEG also contains a regular expression utility. This command line utility (CLU) can be used to test regular expression "spelling" validity, test and show the reduction and pattern-matching of an input list of strings against certain regular-expression patterns, and provide the user with detailed output for each manipulation operation result.
The RADIUS Listener LEG was carefully developed and thoroughly tested with several RADIUS AAA servers and NAS devices.
Terms and Concepts
The following is a list of some terms and concepts that are necessary to understand the RADIUS Listener and SM configuration and operation. Additional information regarding the various issues can be found in the Cisco SCMS Subscriber Manager User Guide.
•NAS (Network Access System)
•RADIUS Accounting Start/Interim/Stop
•Subscriber Mappings over VPN
NAS (Network Access System)
A network device that serves as an access point for a remote user. It initiates RADIUS transactions to the RADIUS server to authenticate a remote user.
The RADIUS Listener LEG refers to all of its RADIUS clients as NAS devices, even though they might be RADIUS servers acting as a proxy or forwarding messages.
RADIUS Accounting Start/Interim/Stop
Every RADIUS Accounting message must carry an attribute called Acct-Status-Type. This attribute can take the value start, interim-update, or stop, or another value defined for RADIUS Accounting messages. An Accounting-Start message carries Acct-Status-Type with the value start.
For additional information, see the relevant RADIUS RFC documentation.
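The following Python example, added here and not taken from the Subscriber Manager software, shows the Accounting-Request handling described above: it validates the Request Authenticator defined in RFC 2866, reads Acct-Status-Type, and maps start and interim-update to a login and stop to a logout. Using User-Name and Framed-IP-Address as the subscriber ID and IP address sources, requiring both attributes for every operation, and all function names are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865/2866 attribute numbers. Using User-Name and Framed-IP-Address as
# the subscriber ID and IP source is an assumption of this example.
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40
ACCOUNTING_REQUEST = 4
# Acct-Status-Type values (RFC 2866): 1=Start, 2=Stop, 3=Interim-Update
OPERATION = {1: "login", 3: "login", 2: "logout"}


def build_request(ident, attrs, secret):
    """Build a constructed Accounting-Request, for sample input only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def handle_accounting(packet, secret):
    """Return (operation, subscriber_id, ip) or None if the packet is dropped."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return None
    packet = packet[:length]  # ignore padding past the declared length
    # Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or modified packet
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            return None
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None  # malformed attribute
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])
        pos += a_len
    status = attrs.get(ACCT_STATUS_TYPE, b"")
    op = OPERATION.get(int.from_bytes(status, "big")) if len(status) == 4 else None
    ip = attrs.get(FRAMED_IP, b"")
    if op is None or USER_NAME not in attrs or len(ip) != 4:
        return None
    return op, attrs[USER_NAME].decode("utf-8", "replace"), str(ipaddress.IPv4Address(ip))
```

A packet that fails the authenticator check, is malformed, or carries any other Acct-Status-Type value returns None and triggers no subscriber operation.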
The SCE platform requires mappings between the network IDs (IP addresses) of the flows it encounters and the subscriber IDs. The SM database contains the network IDs that map to the subscriber IDs. The SCE network-ID-to-subscriber mappings are constantly updated from the SM database.
The main function of the RADIUS Listener LEG is to provide the SM with network-ID-to-subscriber mappings in real time.
For information about the SCE platforms, see the Cisco SCE 1000 2xGBE Installation and Configuration Guide and the Cisco SCE 2000 4xGBE Installation and Configuration Guide.
Subscriber Mappings over VPN
Starting from version 3.1.5, the RADIUS Listener LEG supports dynamic integration for subscriber mappings over VPN. The LEG can be configured to extract a VLAN-ID from a RADIUS attribute and use it along with the extracted IP address.
Note: Currently the LEG supports subscriber mappings over VPN only for VPNs that are defined by a VLAN-ID (also referred to as "VPNs of type VLAN").
Note: The SM is able to learn VLAN VPNs automatically: upon subscriber login with a VLAN-ID that is unknown to the SM, the SM adds the VPN automatically, using the VLAN-ID as the VPN name.
The SM provides the option of partitioning SCE platforms and subscribers into subscriber domains. A subscriber domain is a group of SCE platforms that share a group of subscribers. Subscriber domains can be configured using the SM configuration file and can be viewed using the SM CLU.
For additional information about domains and domain aliases, see the "Configuration File Options" module of the Cisco SCMS Subscriber Manager User Guide.
A subscriber property usually defines the policy enforced by Cisco SCMS solutions on each subscriber. The RADIUS Listener LEG can handle the property ID in any of the following ways:
•Set the property ID according to a value of a RADIUS attribute
•Set the property ID using a constant default value
•Leave the property ID unset
For additional information, see Mapping of RADIUS Attribute to Subscriber Policy, page 3-11, and the Cisco Service Control Application for Broadband (SCA BB) User Guide.
The following diagram illustrates a topology in which a RADIUS server/proxy forwards or proxies the RADIUS Accounting messages to the RADIUS Listener LEG.
Figure 1-1 Example of RADIUS Server Forwarding RADIUS Accounting Messages to RADIUS Listener LEG
The following diagram illustrates a topology in which the NAS performs authentication with the RADIUS server, and sends RADIUS Accounting messages to the RADIUS Listener LEG and, optionally, to the RADIUS server.
Figure 1-2 Example of NAS Sending RADIUS Accounting Messages to both the RADIUS Listener LEG and the RADIUS Server