Overview of the RADIUS Listener Login Event Generator
Published: July 30, 2014
This chapter describes the Cisco Service Control Subscriber Manager RADIUS listener Login Event Generator (LEG) software module.
About the RADIUS Listener LEG
The RADIUS listener LEG is a software module that receives RADIUS accounting messages and, according to their content, invokes login operations on the Subscriber Manager (SM). It also provides dynamic integration for subscribers over a virtual private network (VPN). The RADIUS listener LEG is an extension to the Subscriber Manager software and runs concurrently with the Subscriber Manager.
When the RADIUS listener LEG receives an Accounting-Start message, it extracts the subscriber ID, the subscriber IP-address, the VLAN-ID, and optionally, the subscriber package index from the message attributes, and triggers a login operation to the Subscriber Manager. In the same manner, Accounting-Interim-Update triggers a login operation, and the Accounting-Stop message triggers a logout operation.
If configured by the user, when no interim update message is received over an aging time, the Subscriber Manager removes the subscriber’s mappings and triggers a logout operation. This feature is disabled by default and configurable on each RADIUS listener or sniffer LEG.
The RADIUS listener LEG also contains a regular expression utility. This command-line utility (CLU) can be used to test regular expression “spelling” validity, test and show the reduction and pattern-matching of an input list of strings against certain regular-expression patterns, and provide the user with detailed output for each manipulation operation result.
The RADIUS listener LEG was carefully developed and thoroughly tested with several RADIUS AAA servers and NAS devices.
From Cisco SCE Release 4.0.0, the Cisco Service Control Subscriber Manager can process more than 2000 RADIUS messages per second. For more details on improving the performance of the RADIUS listener LEG, see the “Improving the Performance of the RADIUS Listener LEG” section.
Figure 17-1 illustrates a topology in which a RADIUS server/proxy forwards or proxies the RADIUS accounting messages to the RADIUS listener LEG.
Figure 17-1 Example of RADIUS Server Forwarding RADIUS Accounting Messages to RADIUS Listener LEG
Figure 17-2 illustrates a topology in which the NAS performs authentication with the RADIUS server, and sends RADIUS accounting messages to the RADIUS listener LEG and, optionally, to the RADIUS server.
Figure 17-2 Example of NAS Sending RADIUS Accounting Messages to both the RADIUS Listener LEG and the RADIUS Server
Fair Usage Policy
When a subscriber logs in through the RADIUS Listener LEG, that subscriber is mapped to an appropriate package ID based on the mapping defined in the RADIUS Listener configuration file. If Quota Manager is used to define a quota for each subscriber, the subscriber may at some point be moved to a penalty package based on usage, as defined in the Quota Manager configuration.
RADIUS LEG does not change the package ID if the subscriber is in a penalty package.
To use this feature, you must add the list of penalty packages to the RADIUS Listener configuration file by using the ignore_policy_list parameter. For details on the ignore_policy_list parameter, see the “Configuring the General Settings” section.
If penalty packages are added to the configuration file, the Subscriber Manager checks whether the corresponding subscriber is in any of the penalty packages defined in the ignore_policy_list parameter. If the subscriber is in any of the penalty packages, the Subscriber Manager does not apply the new package and continues with the existing penalty package until the penalty period is over.
If you have configured default_policy, do not use the same value for the ignore_policy_list parameter.
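The message handling described under "About the RADIUS Listener LEG" and the penalty-package rule above can be modeled as follows. This is an added example, not Cisco's code: it parses an Accounting-Request, checks the Request Authenticator as defined in RFC 2866 (the page does not describe how the LEG itself validates messages), and maps the message to a login or logout. The choice of User-Name and Framed-IP-Address as subscriber ID and IP address, the function names, and the sample values are assumptions; VLAN-ID handling is omitted.

```python
import hashlib, hmac, ipaddress, struct

ACCT_REQUEST = 4  # RFC 2866 packet code
USER_NAME, FRAMED_IP, ACCT_STATUS = 1, 8, 40  # RFC 2865/2866 attribute types
START, STOP, INTERIM = 1, 2, 3  # Acct-Status-Type values

def build_request(ident, attrs, secret):
    """Build a signed Accounting-Request (used here to construct sample input)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def parse_request(pkt, secret):
    """Return {attr_type: value}; raise ValueError if malformed or unauthenticated."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    body = pkt[20:length]
    # Request Authenticator = MD5(code+id+length + 16 zero octets + attrs + secret)
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Request Authenticator")
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("bad attribute length")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def decide(attrs, new_package, current_package, ignore_policy_list):
    """Map one message to (operation, subscriber, ip, package) as the text describes."""
    if ACCT_STATUS not in attrs or USER_NAME not in attrs:
        raise ValueError("missing required attribute")
    status = int.from_bytes(attrs[ACCT_STATUS], "big")
    subscriber = attrs[USER_NAME].decode()
    if status == STOP:
        return ("logout", subscriber, None, None)
    if status not in (START, INTERIM) or len(attrs.get(FRAMED_IP, b"")) != 4:
        return ("ignore", subscriber, None, None)
    ip = str(ipaddress.IPv4Address(attrs[FRAMED_IP]))
    # A subscriber already in a penalty package keeps it; otherwise apply the new one.
    in_penalty = current_package in ignore_policy_list
    return ("login", subscriber, ip, current_package if in_penalty else new_package)

if __name__ == "__main__":  # constructed sample: secret, subscriber and packages
    sample = [(ACCT_STATUS, bytes([0, 0, 0, START])), (USER_NAME, b"alice"),
              (FRAMED_IP, bytes([10, 0, 0, 5]))]
    pkt = build_request(1, sample, b"constructed-secret")
    print(decide(parse_request(pkt, b"constructed-secret"), 3, 9, {9}))
```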