This chapter describes how to configure the Service Control Engine (SCE)-Sniffer RADIUS Login Event Generator (LEG).
The SCE-Sniffer RADIUS LEG is part of the Subscriber Manager (SM) installation package.
The SCE-Sniffer RADIUS LEG is configured using the configuration file rad_snif.cfg, which resides in the <sm-inst-dir>/sm/server/root/config directory (sm-inst-dir refers to the SM installation directory).
The configuration file consists of sections headed by a bracketed section title; for example, [SCE-Sniffer RADIUS LEG]. Each section consists of several parameters with the format of parameter=value. The number sign ("#") at the beginning of a line denotes that this is a remark line.
Note The Java programming language treats the single backslash (\) as an escape character. Add another backslash to the Positional and One-Character Operators that have a lone backslash. For example, \\<, \\>, or \\x have backslashes added.
The SCE should be configured to send the Raw Data Records (RDRs) to the LEG.
•Configuring the General Settings
•Configuring the Policy Settings
•Applying the Configuration on the Subscriber Manager
•Configuring the Cisco SCE to Send RDRs to the LEG
The general configuration of the LEG appears under the section name [SCE-Sniffer RADIUS LEG]. The following is a list of the general configuration parameters:
•start
Defines whether the SM should run the LEG at startup.
Possible values for this parameter are yes and no. The default value is no.
To start using the LEG, change this setting to yes.
•packet_types
Defines the RADIUS packet types to analyze. You should set this parameter according to the integration mode you have chosen.
Possible values are any combination of: access-request, access-accept, accounting-start, accounting-interim, and accounting-stop separated by commas.
The default value is accounting-start, accounting-interim, accounting-stop.
•log_failures
Defines whether the LEG should add messages about failures to the user log.
Possible values for this parameter are true and false. The default value is true.
•log_all
Defines whether the LEG should add all messages, including successful logins and logouts, to the user log.
Possible values for this parameter are true and false. The default value is false.
•interim_aging_timeout
Updates the lease time for each IP address received from RADIUS packets. After each autologout time interval, the SM checks for subscriber IP addresses with an expired lease time. These subscriber IP addresses are removed from the system and database. The autologout mechanism must be active to enable the interim_aging_timeout feature.
The default value is 0 hours. To activate the interim_aging_timeout feature, set a value greater than 0.
Note The log_auto_logouts parameter in the [Auto Logout] section defines whether to issue user log messages for each removed mapping. Possible values are true or false. The default value is false.
Note For this LEG to work correctly, use the configuration file to enable the Raw Data Record (RDR) server in the SM.
The SCE-Sniffer RADIUS LEG can extract additional RADIUS attributes from the RDRs. Users define the additional attributes to be extracted, and this configuration is sent to the SCE. To define the additional attributes, configure the [Radius.Subscriber Attributes] section with the following parameters:
•attributes_list
This parameter defines the additional RADIUS attribute(s) to extract and process.
Multiple attribute names are separated by commas when listed in this parameter.
•enable_extended_vsa_support
This parameter enables this feature when the value is defined as true.
The default value for this parameter is false.
Note For IPv6, only the Framed-IPv6-Prefix attribute is supported as part of Subscriber Attributes.
Note The SCE can only send an RDR with up to 20 attributes. An attribute can be part of a Policy, Subscriber ID, Subscriber IP, and Subscriber Attribute. The total number of these attributes should not exceed 20. If the total number of attributes is greater than 20, the first 20 will be part of the RDR that is sent to the SM by the SCE. The remaining attributes are discarded by the SCE.
Note Regular expressions are not applicable for subscriber attributes.
The following is a configuration example defining a list of additional RADIUS attributes:
[Radius.Subscriber Attributes]
attributes_list=Cell-ID,SGSG-IP,RAI
enable_extended_vsa_support=true
[Radius.Field.Cell-ID]
radius_attribute=26(68;10)
radius_attribute_type=string
[Radius.Field.SGSG-IP]
radius_attribute=26(65;10)
radius_attribute_type=string
[Radius.Field.RAI]
radius_attribute=26(66;10)
radius_attribute_type=string
The command-line utility p3radiussniff -show would result in the following output:
Attributes:
Cell-ID,attribute:26(10,68),string
SGSG-IP,attribute:26(10,65),string
RAI,attribute:26(10,66),string
Note The Subscriber IP Address configuration is optional.
The Subscriber IP Address is identified by the Framed-Route attributes, or the Framed-IP-Address attribute (Framed-IP-Netmask optional) by default. The LEG can be configured to use any other RADIUS attribute to identify the subscriber IP Address, including using the Vendor-Specific attribute as described in the Subscriber IP Association section.
The following algorithm is applied to handle IP addresses in this LEG:
1. If the user configured an attribute from which to extract the IP, the LEG will look for that attribute in the packet. If the attribute exists, the LEG will use the attribute as the subscriber IP address.
2. If the attribute does not exist or is not configured, the LEG will look for the Framed-Route attributes; several Framed-Route attributes may exist. If any Framed-Route attributes exist, the LEG will use these attributes as the subscriber IP addresses.
3. If there are no Framed-Route attributes, the LEG will look for a Framed-IP-Address attribute and a Framed-IP-Netmask attribute. If a Framed-IP-Address attribute exists, the LEG will use this attribute as the subscriber IP address. If both the Framed-IP-Address and the Framed-IP-Netmask attributes exist, the operation is performed with the IP range represented by the IP address and the IP netmask.
4. Otherwise, the LEG will perform a login without the IP address.
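The four steps above, written out as an added example (not Cisco's code). The packet is a constructed dictionary of attribute name to list of string values, the function and parameter names are hypothetical, and taking the first token of a Framed-Route string as the prefix follows the RFC 2865 text format and is an assumption about the LEG.

```python
import ipaddress

def select_subscriber_ips(attrs, configured_attr=None):
    """Return the subscriber IP networks chosen by the documented fallback order.

    attrs: dict of attribute name -> list of string values (constructed stand-in
    for a decoded RADIUS packet). configured_attr: the attribute named in
    [Radius.Subscriber IP Address], or None when that section is not configured.
    """
    # Step 1: a configured attribute wins when it is present in the packet.
    if configured_attr and attrs.get(configured_attr):
        return [ipaddress.ip_network(v, strict=False) for v in attrs[configured_attr]]

    # Step 2: Framed-Route may appear several times; every occurrence is used.
    routes = attrs.get("Framed-Route", [])
    if routes:
        # RFC 2865 text form: "prefix[/bits] gateway metric"; keep the prefix.
        return [ipaddress.ip_network(r.split()[0], strict=False) for r in routes]

    # Step 3: Framed-IP-Address, widened to a range when a netmask is present.
    addresses = attrs.get("Framed-IP-Address", [])
    if addresses:
        masks = attrs.get("Framed-IP-Netmask", [])
        if masks:
            return [ipaddress.ip_network(f"{addresses[0]}/{masks[0]}", strict=False)]
        return [ipaddress.ip_network(addresses[0])]

    # Step 4: nothing usable, so the login carries no IP address.
    return []

if __name__ == "__main__":
    # Constructed packet: both Framed-Route and Framed-IP-Address are present.
    packet = {
        "Framed-Route": ["192.168.10.0/24 0.0.0.0 1", "192.168.20.0/24 0.0.0.0 1"],
        "Framed-IP-Address": ["10.1.2.3"],
        "Framed-IP-Netmask": ["255.255.255.0"],
    }
    print(select_subscriber_ips(packet))             # the two Framed-Route prefixes
    print(select_subscriber_ips(packet, "vsa-ip"))   # configured but absent: same result
```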
To define which attribute to use for the subscriber IP address, configure the [Radius.Subscriber IP Address] and [Radius.Field.<field name>] sections. To define the attributes, configure the following parameters:
•fields
Defines the RADIUS protocol field name. Only one field name can be defined.
The default value is not set.
For the field defined by the fields parameter, you must also define a [Radius.Field.<field name>] section with the following parameters:
•radius_attribute
Configure the radius_attribute parameter with the RADIUS attribute number. Use the following format for Vendor-Specific Attributes (VSA): 26(vendor-id;sub-attribute). For example, 26(10415;1).
The default value is -1.
•radius_attribute_type
Configure the radius_attribute_type parameter according to the RADIUS attribute format.
Possible values for this parameter are integer and string. The default value is string.
To define which attribute to use for the subscriber IP address, configure the [RADIUS.Subscriber IP Address] section with the following parameters:
•radius_attribute_vendor_id
This parameter is relevant only if radius_attribute is configured to 26 (vendor-specific attribute).
The parameter defines the vendor ID number for the subscriber ID classification.
It has no default value.
•radius_sub_attribute
This parameter is relevant only if radius_attribute is configured to 26 (vendor-specific attribute).
The parameter defines the subattribute within the vendor-specific attribute that is used for subscriber ID classification.
It has no default value.
•radius_attribute_type
Configure the radius_attribute_type parameter according to the RADIUS attribute format.
Possible values for this parameter are integer or string. If the type is string, you must supply a mapping table. The default value is string.
The following is an example of the configuration section to define which attribute to use for the subscriber IP address:
[Radius.Subscriber IP Address]
fields=frame-ip-address
[Radius.Field.frame-ip-address]
radius_attribute=8
radius_attribute_type=integer
Policy configuration assigns policy information such as package ID, according to the RADIUS packets. Configure the SCE-Sniffer RADIUS LEG using the policy section(s) to assign the policy information.
The policy configuration is optional. If you do not need to set policy information according to RADIUS packets, you can skip this section. The SCE-Sniffer RADIUS LEG will not include any policy information when it logs in subscribers. If the subscriber already has some policies set, the LEG will not affect it.
For each policy, you need to define which RADIUS attribute to use for the subscriber policy. To do so, configure the [Radius.Property.Package] and [Radius.Field.<field name>] sections. To define the attribute to be used, configure the following parameters:
•fields
Defines the RADIUS protocol field name. Only one field name can be defined.
The default value is not set.
For the field defined by the fields parameter, you must also define a [Radius.Field.<field name>] section with the following parameters:
•radius_attribute
Configure the radius_attribute parameter with the RADIUS attribute number that holds the policy information. Use the following format for Vendor-Specific Attributes (VSA): 26(vendor-id;sub-attribute). For example, 26(10415;1).
•radius_attribute_type
Defines the type of the attribute.
Possible values are string or integer.
This parameter has no default value.
•skip_policy_update_on_interim
To prevent the property of a subscriber from being updated by interim packets, set the skip_policy_update_on_interim parameter to true. The default value is false.
•use_default
Defines whether to use a default policy if no match is found in the mapping table.
Possible values for this parameter are true and false.
The default value is false.
•default_policy
Defines the default policy ID to use if no policy information is extracted. This parameter is relevant only if the use_default parameter is set to true.
Possible values for this parameter are any integer number.
This parameter has no default value.
•ignore_policy_list
Defines a list of policy IDs separated by commas. During login, if the policy ID matches one of the values defined in this parameter, a login operation occurs without changing the policy value.
This parameter is valid only if the allow_login_with_no_policy parameter is set as true.
This parameter has no default value.
•allow_login_with_no_policy
Defines whether a login can be performed when no policy is found for assignment.
Possible values for this parameter are true and false.
The default value is false.
•property_name
Defines the name of the subscriber property. For instance, the packageId property defines the policies of the SCA BB solution.
This parameter has no default value.
Note The property_name parameter is case sensitive and must be written exactly as defined by the SCA BB Console, for example, packageId, monitor, upVlinkId, or downVlinkId.
•property_type
The type of the property to be used for package assignment. Supported types are integer or string.
The default type is integer.
•mapping_table.<key>=<value>
A set of values (key, value) used to map the data retrieved from the RADIUS attribute to the policy index configured by the application.
There is no default value for this parameter, but it is possible to set a default value by using the following expression: mapping_table.^$=<value>. It defines the default value to set in case the attribute is not found in the traffic. The default value is set only if this policy has not been already set, for example by other LEG interfaces. This parameter is optional. If it does not exist, a default value is not set for this policy.
Note The mapping table key is case sensitive and must be written exactly as it exists in the RADIUS packets.
The following configuration section associates the packageId property of the SCA BB solution with a vendor-specific attribute of the RADIUS packet:
[Radius.Property.My-PolicyP-cube-policy]
fields=policy1
property_name=packageId
property_type=integer
mapping_table.^gold$=11
mapping_table.^silver$=12
mapping_table.^bronze$=13
#default value
mapping_table.^$=1
[Radius.Field.policy1]
radius_attribute=26(1000;2)
radius_attribute_type=string
This configuration indicates that if the configured RADIUS attribute of data type string holds the value gold, the package ID that is introduced to the SM has the value 11. If the configured vendor-specific attribute does not appear in the traffic, the package ID that is introduced to the SM has the value 1.
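The policy parameters above, modelled together as an added example (not Cisco's code). Python's re module stands in for the LEG's Java regular expressions, the order in which the parameters are evaluated is an assumption, and the subscriber is assumed to have no policy set yet.

```python
import re

# Mapping table from the configuration example above: key pattern -> packageId.
MAPPING = {"^gold$": 11, "^silver$": 12, "^bronze$": 13, "^$": 1}

def decide_login(value, mapping, use_default=False, default_policy=None,
                 allow_login_with_no_policy=False, ignore_policy_list=()):
    """Return (login_allowed, policy_to_set).

    value is the string read from the RADIUS attribute, or None when the
    attribute is absent. policy_to_set is None when the property is left
    unchanged.
    """
    # An absent attribute is matched as the empty string, which is what the
    # mapping_table.^$ default key matches. Keys are case sensitive.
    subject = "" if value is None else value
    policy = next((p for rx, p in mapping.items() if re.search(rx, subject)), None)

    # use_default / default_policy cover a value with no matching key.
    if policy is None and use_default:
        policy = default_policy

    # No policy found: the login proceeds only if explicitly allowed.
    if policy is None:
        return (allow_login_with_no_policy, None)

    # ignore_policy_list is honoured only with allow_login_with_no_policy=true:
    # the login occurs but the policy value is not changed.
    if allow_login_with_no_policy and policy in ignore_policy_list:
        return (True, None)

    return (True, policy)

if __name__ == "__main__":
    print(decide_login("gold", MAPPING))   # matching key
    print(decide_login(None, MAPPING))     # attribute absent: ^$ default
    print(decide_login("Gold", MAPPING))   # case mismatch, no fallback
    print(decide_login("Gold", MAPPING, use_default=True, default_policy=1))
```

The third call shows the practical effect of the case-sensitivity note: with both fallbacks at their default of false, a value that differs only in case finds no policy and the login is not performed.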
The subscriber ID is identified by the User-Name attribute by default. You can configure the LEG to use any other RADIUS attribute to identify the subscriber ID, including using the Vendor-Specific attribute.
Note The configuration described in this section is optional.
Note If you want to keep the default identification according to the User-Name attribute, you can skip this section.
•fields
Defines the RADIUS protocol field name. Only one field name can be defined.
The default value is user_name.
For the field defined by the fields parameter, you must also define a [Radius.Field.<field name>] section with the following parameters:
•radius_attribute
Configure the radius_attribute parameter with the RADIUS attribute number. Use the following format for Vendor-Specific Attributes (VSA): 26(vendor-id;sub-attribute), for example, 26(10415;1).
The default value is 1 (User-Name attribute).
•radius_attribute_type
Defines the attribute type. Possible values for this parameter are integer or string.
The default value is string.
[Radius.Subscriber ID]
# Field name
fields=id
[Radius.Field.id]
# RADIUS protocol attribute number
radius_attribute=4
# the type of the attribute (type "integer" or "string")
radius_attribute_type = string
[Radius.Subscriber ID]
# Field name
fields=vid
[Radius.Field.vid]
# in case of a vendor specific attribute (VSA)
# when the 'radius_attribute' is set to 26
radius_attribute = 26(233;1)
# the type of the attribute (type "integer" or "string")
radius_attribute_type = string
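A pre-load check for rad_snif.cfg, as an added example (not part of the SM tooling). It verifies that every name in fields or attributes_list has a [Radius.Field.<field name>] section, that radius_attribute is a number or 26(vendor-id;sub-attribute), and that no more than 20 attributes are configured; counting only explicitly configured fields toward the limit is an assumption, and the sample file is constructed.

```python
import configparser
import re

# Plain attribute number, or a VSA written as 26(vendor-id;sub-attribute).
ATTR_RE = re.compile(r"^(\d+|26\(\d+;\d+\))$")
MAX_RDR_ATTRS = 20  # RDR limit stated in the note on subscriber attributes

def lint_rad_snif(text):
    """Return a list of problem strings for the given rad_snif.cfg content."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keys (mapping-table keys included) are case sensitive
    cp.read_string(text)
    used, problems = [], []
    for sec in cp.sections():
        if sec.startswith("Radius.Field."):
            continue
        names = cp[sec].get("fields", "") + "," + cp[sec].get("attributes_list", "")
        used += [(sec, n.strip()) for n in names.split(",") if n.strip()]
    for sec, name in used:
        fsec = "Radius.Field." + name
        if not cp.has_section(fsec):
            problems.append(f"[{sec}] uses '{name}' but [{fsec}] is not defined")
            continue
        attr = cp[fsec].get("radius_attribute", "").strip()
        if not ATTR_RE.match(attr):
            problems.append(f"[{fsec}] radius_attribute '{attr}' is malformed")
        kind = cp[fsec].get("radius_attribute_type", "string").strip()
        if kind not in ("integer", "string"):
            problems.append(f"[{fsec}] radius_attribute_type '{kind}' is invalid")
    if len(used) > MAX_RDR_ATTRS:
        problems.append(f"{len(used)} attributes configured; the RDR holds {MAX_RDR_ATTRS}")
    return problems

# Constructed sample with two deliberate mistakes: ':' in a VSA, and RAI undefined.
SAMPLE = """\
[Radius.Subscriber ID]
fields=vid
[Radius.Field.vid]
radius_attribute = 26(233;1)
[Radius.Property.Package]
fields=policy1
[Radius.Field.policy1]
radius_attribute=26(1000:2)
[Radius.Subscriber Attributes]
attributes_list=Cell-ID,RAI
[Radius.Field.Cell-ID]
radius_attribute=26(68;10)
"""
print("\n".join(lint_rad_snif(SAMPLE)))
```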
After editing the relevant configuration files, use the following p3sm command-line utility to load the configuration file:
>p3sm --load-config
Run the RDR-formatter Command-Line Interface (CLI) in the SCE to add the LEG as a category 3 RDR destination. Use the same port number as defined by the RDR server in the SM. The default port number is 33001.
SCE2000>configure
SCE2000(config)>RDR-formatter destination SM-IP port port category number 3 priority 100
SCE2000(config)>exit