Cisco Service Control Subscriber Manager LEGs User Guide, Release 4.0.x

Configuring the SCE-Sniffer RADIUS Login Event Generator

Introduction

This chapter describes the configuration instructions to configure the Service Control Engine (SCE)-Sniffer RADIUS Login Event Generator (LEG).

The SCE-Sniffer RADIUS LEG is part of the Subscriber Manager (SM) installation package.

The SCE-Sniffer RADIUS LEG is configured using the configuration file rad_snif.cfg, which resides in the <sm-inst-dir>/sm/server/root/config directory (sm-inst-dir refers to the SM installation directory).

The configuration file consists of sections headed by a bracketed section title; for example, [SCE-Sniffer RADIUS LEG]. Each section consists of several parameters with the format of parameter=value. The number sign ("#") at the beginning of a line denotes that this is a remark line.

Note The Java programming language considers the single backslash (\) an escape sequence character. You should add another backlash to the Positional and One-Character Operators that have a lone backslash. For example, \\<, \\>, or \\x have backslashes added.

The SCE should be configured to send the Raw Data Records (RDRs) to the LEG.

•Configuring the General Settings

•Configuring the IP Address

•Configuring the Policy Settings

•Applying the Configuration on the Subscriber Manager

•Configuring the Cisco SCE to Send RDRs to the LEG

Configuring the General Settings

The general configuration of the LEG appears under the section name [SCE-Sniffer RADIUS LEG]. The following is a list of the general configuration parameters:

•start

Defines whether the SM should run the LEG at startup.

Possible values for this parameter are yes and no. The default value is no.

To start using the LEG, change this setting to yes.

•packet_types

Defines the RADIUS packet types to analyze. You should set this parameter according to the integration mode you have chosen.

Possible values are any combination of: access-request, access-accept, accounting-start, accounting-interim, and accounting-stop separated by commas.

The default value is accounting-start, accounting-interim, accounting-stop.

•log_failures

Defines whether the LEG should add messages about failures to the user log.

Possible values for this parameter are true and false. The default value is true.

•log_all

Defines whether the LEG should add all messages, including successful logins and logouts, to the user log.

Possible values for this parameter are true and false. The default value is false.

•interim_aging_timeout

Updates the lease time for each IP address received from RADIUS packets. After each autologout time interval, the SM checks for subscriber IP addresses with an expired lease time. These subscriber IP addresses are removed from the system and database. The autologout mechanism must be active to enable the interim_aging_timeout feature.

The default value is 0 hours. To activate the interim_aging_timeout feature, set value greater than 0.

Note The log_auto_logouts parameter in the [Auto Logout] section defines whether to issue user log messages for each removed mapping. Possible values are true or false. The default value is false.

Note For this LEG to work correctly, use the configuration file to enable the Raw Data Record (RDR) server in the SM.

[Radius.Subscriber Attributes] Section

The SCE-Sniffer RADIUS LEG can extract more RADIUS attributes from the RDRs. The users define the additional attributes to be extracted and these configurations are sent to the SCE. To define the additional attributes, configure the [Radius.Subscriber Attributes] section with the following parameters:

•attributes_list

This parameter defines the additional RADIUS attribute(s) to extract and process.

Multiple attribute names are separated by commas when listed in this parameter.

•enable_extended_vsa_support

This parameter enables this feature when the value is defined as true.

The default value for this parameter is false.

Note For IPv6, only Framed-IPv6-Prefix attribute is supported as part of Subscriber Attributes.

Note The SCE can only send a RDR with up to 20 attributes. An attribute can be part of a Policy, Subscriber ID, Subscriber IP, and Subscriber Attribute. The total number of these attributes should not exceed 20. If the total number of attributes is greater than 20, the first 20 will be part of the RDR that is sent to the SM by the SCE. The remaining attributes are discarded by the SCE.

Note Regular expressions are not applicable for subscriber attributes.

Example

The following is a configuration example defining a list of additional RADIUS attributes:

[Radius.Subscriber Attributes]

attributes_list=Cell-ID,SGSG-IP,RAI

enable_extended_vsa_support=true

[Radius.Field.Cell-ID]

radius_attribute=26(68;10)

radius_attribute_type=string

[Radius.Field.SGSG-IP]

radius_attribute=26(65;10)

radius_attribute_type=string

[Radius.Field.RAI]

radius_attribute=26(66;10)

radius_attribute_type=string

The command-line utility p3radiussniff -show would result in the following output:

Attributes:

        Cell-ID,attribute:26(10,68),string

        SGSG-IP,attribute:26(10,65),string

        RAI,attribute:26(10,66),string

Configuring the IP Address

Note The Subscriber IP Address configuration is optional.

The Subscriber IP Address is identified by the Framed-Route attributes, or the Framed-IP-Address attribute (Framed-IP-Netmask optional) by default. The LEG can be configured to use any other RADIUS attribute to identify the subscriber IP Address, including using the Vendor-Specific attribute as described in the Subscriber IP Association section.

The following algorithm is applied to handle IP addresses in this LEG:

1. If the user configured an attribute from which to extract the IP, the LEG will look for that attribute in the packet. If the attribute exists, the LEG will use the attribute as the subscriber IP address.

2. If the attribute does not exist or is not configured, the LEG will look for the Framed-Route attributes; several Framed-Route attributes may exist. If any Framed-Route attributes exist, the LEG will use these attributes as the subscriber IP addresses.

3. If there are no Framed-Route attributes, the LEG will look for a Framed-IP-Address attribute and a Framed-IP-Netmask attribute. If a Framed-IP-Address attribute exists, the LEG will use this attribute as the subscriber IP address. If both the Framed-IP-Address and the Framed-IP-Netmask attributes exist, the operation is performed with the IP range represented by the IP address and the IP netmask.

4. Otherwise, the LEG will perform a login without the IP address.

To define which attribute to use for the subscriber IP address, configure the
[Radius.Subscriber IP Address] and [Radius.Field.<field name>] sections. To define the attributes, configure the following parameters:

•fields

Defines the RADIUS protocol field name. Only one field name can be defined.

The default value is not set.

For the field defined by the fields parameter, you must also define a [Radius.Field.<field name>] section with the following parameters:

•radius_attribute

Configure the radius_attribute parameter with the RADIUS attribute number. Use the following format for Vendor-Specific Attributes (VSA): 26(vendor-id;sub-attribute). For example, 26(10415;1).

The default value is -1.

•radius_attribute_type

Configure radius_attribute_type parameter according to the RADIUS attribute format.

Possible values for this parameter are integer and string. The default value is string.

To define which attribute to use for the subscriber IP address, configure the [RADIUS.Subscriber IP Address] section with the following parameters:

•radius_attribute_vendor_id

This parameter is relevant only if radius_attribute is configured to 26 (vendor-specific attribute).

The parameter defines the vendor ID number for the subscriber ID classification.

It has no default value.

•radius_sub_attribute

This parameter is relevant only if radius_attribute is configured to 26 (vendor-specific attribute).

The parameter defines the subattribute within the vendor-specific attribute that is used for subscriber ID classification.

It has no default value.

•radius_attribute_type

Configure the radius_attribute_type parameter according to the RADIUS attribute format.

Possible values for this parameter are integer or string. If the type is string, you must supply a mapping table. The default value is string.

Subscriber IP Address Configuration Example

The following is an example of the configuration section to define which attribute to use for the subscriber IP address:

[Radius.Subscriber IP Address] 

fields=frame-ip-address

[Radius.Field.frame-ip-address] 

radius_attribute=8 

radius_attribute_type=integer

Configuring the Policy Settings

Policy configuration assigns policy information such as package ID, according to the RADIUS packets. Configure the SCE-Sniffer RADIUS LEG using the policy section(s) to assign the policy information.

The policy configuration is optional. If you do not need to set policy information according to RADIUS packets, you can skip this section. The SCE-Sniffer RADIUS LEG will not include any policy information when it logs in subscribers. If the subscriber already has some policies set, the LEG will not affect it.

Specifying the Radius.Property.Package and Radius.Field

For each policy, you need to define which RADIUS attribute to use for the subscriber policy, configure the [Radius.Property.Package] and [Radius.Field.<field name>] sections. To define the attribute to be used, configure the following parameters:

•fields

Defines the RADIUS protocol field name. Only one field name can be defined.

The default value is not set.

For the field defined by the fields parameter, you must also define a [Radius.Field.<field name>] section with the following parameters:

•radius_attribute

Configure the radius_attribute parameter with the RADIUS attribute number that holds the policy information. Use the following format for Vendor-Specific Attributes (VSA): 26(vendor-id;sub-attribute). For example, 26(10415;1).

•radius_attribute_type

Defines the type of the attribute.

Possible values are string or integer.

This parameter has no default value.

•skip_policy_update_on_interim

If the property of a subscriber is not to be updated during the interim packets, then the skip_policy_update_on_interim parameter should be set to true. The default value is false.

•use_default

Defines whether to use a default policy if no match is found in the mapping table.

Possible values for this parameter are true and false.

The default value is false.

•default_policy

Defines the default policy ID to use if no policy information is extracted. This parameter is relevant only if the use_default parameter is set to true.

Possible values for this parameter are any integer number.

This parameter has no default value.

•ignore_policy_list

Defines a list of policy IDs separated by commas. During login, if the policy ID matches one of the values defined in this parameter, a login operation occurs without changing the policy value.

This parameter is valid only if the allow_login_with_no_policy parameter is set as true.

This parameter has no default value.

•allow_login_with_no_policy

Defines whether a login can be performed when no policy is found for assignment.

Possible values for this parameter are true and false.

The default value is false.

•property_name

Defines the name of the subscriber property. For instance, the packageId property defines the policies of the SCA BB solution.

This parameter has no default value.

Note The property_name parameter is case sensitive and must be written exactly as defined by the SCA BB Console, for example, packageId, monitor, upVlinkId, or downVlinkId.

•property_type

The type of the property to be used for package assignment. Supported types are integer or string.

The default type is integer.

•mapping_table.<key>=<value>

A set of values (key, value) used to map the data retrieved from the RADIUS attribute to the policy index configured by the application.

There is no default value for this parameter, but it is possible to set a default value by using the following expression: mapping_table.^$=<value>. It defines the default value to set in case the attribute is not found in the traffic. The default value is set only if this policy has not been already set, for example by other LEG interfaces. This parameter is optional. If it does not exist, a default value is not set for this policy.

Note The mapping table key is case sensitive and must be written exactly as it exists in the RADIUS packets.

Policy Configuration Example

The following configuration section associates the packageId property of the SCA BB solution with a vendor-specific attribute of the RADIUS packet:

[Radius.Property.My-PolicyP-cube-policy]

fields=policy1

property_name=packageId

property_type=integer

mapping_table.^gold$=11

mapping_table.^silver$=12

mapping_table.^bronze$=13

#default value

mapping_table.^$=1

[Radius.Field.policy1]

radius_attribute=26(1000:2)

radius_attribute_type=string

This configuration indicates that if the configured RADIUS attribute of data type string holds the value gold, the package ID that is introduced to the SM has the value 11. If the configured vendor-specific attribute does not appear in the traffic, the package ID that is introduced to the SM has the value 1.

Configuring the Subscriber ID

The subscriber ID is identified by the User-Name attribute by default. You can configure the LEG to use any other RADIUS attribute to identify the subscriber ID, including using the Vendor-Specific attribute.

Note The configuration described in this section is optional.

Note If you want to keep the default identification according to the User-Name attribute, you can skip this section.

•fields

Defines the RADIUS protocol field name. Only one field name can be defined.

The default value is user_name.

For the field defined by the fields parameter, you must also define a [Radius.Field.<field name>] section with the following parameters:

•radius_attribute

Configure the radius_attribute parameter with the RADIUS attribute number. Use the following format for Vendor-Specific Attributes (VSA): 26(vendor-id;sub-attribute), for example, 26(10415;1).

The default value is 1 (User-Name attribute).

•radius_attribute_type

Defines the attribute type. Possible values for this parameter are integer or string.

The default value is string.

Configuring the Subscriber ID Example

[Radius.Subscriber ID] 

# Field name 

fields=id 

Radius.Field.id] 

# RADIUS protocol attribute number 

radius_attribute=4 

# the type of the attribute (type "integer" or "string") 

radius_attribute_type = string 

Configuring the Vendor-Specific Attribute (VSA) as Subscriber ID Example

[Radius.Subscriber ID] 

# Field name 

fields=vid 

[Radius.Field.vid] 

# in case of a vendor specific attribute (VSA) 

# when the 'radius_attribute' is set to 26 

radius_attribute = 26(233;1) 

# the type of the attribute (type "integer" or "string") 

radius_attribute_type = string

Applying the Configuration on the Subscriber Manager

After editing the relevant configuration files, use the following p3sm command-line utility to load the configuration file:

>p3sm --load-config

Configuring the Cisco SCE to Send RDRs to the LEG

Run the RDR-formatter Command-Line Interface (CLI) in the SCE to add the LEG as a category 3 RDR destination. Use the same port number as defined by the RDR server in the SM. The default port number is 33001.

SCE2000>configure

SCE2000(config)>RDR-formatter destination SM-IP port port category number 3 priority 100

SCE2000(config)>exit