About the SCE-Sniffer RADIUS Login Event Generator
Published: February 25, 2015
The Cisco Service Control Subscriber Manager SCE-Sniffer RADIUS Login Event Generator (LEG) is a software module that receives Raw Data Record (RDR) messages containing RADIUS information from Service Control Engine (SCE) devices configured with a RADIUS sniffer service. The SCE-Sniffer RADIUS LEG is an extension of the Cisco Service Control Subscriber Manager software and runs as part of the Cisco Service Control Subscriber Manager process.
Information About the SCE-Sniffer RADIUS LEG
The Cisco SCE device analyzes RADIUS traffic that traverses it (1) and reports the RADIUS transactions to the LEG using the RDR protocol (2). The LEG associates the RDR data to subscriber properties (name, subscriber IP, domain, and policies) and triggers a login or logout operation to the Cisco Service Control Subscriber Manager (3) as shown in Figure 23-1.
Figure 23-1 Cisco SCE-Sniffer RADIUS LEG Operation
RADIUS Integration Overview
This implementation of the Cisco SCE-Sniffer RADIUS LEG supports RFC 2865 (RADIUS Protocol) and RFC 2866 (RADIUS Accounting).
The LEG uses the following packet types:
- Accounting-Start—Initiates login operations (with subscriber IP, domain, and policies).
- Accounting-Interim-Update—Initiates login operations (with subscriber IP, domain, and policies).
- Accounting-Stop—Initiates logout operations.
- Access-Request—Initiates domain and policies associations.
- Access-Accept—Initiates login operations (with subscriber IP and policies).
The LEG uses the following attributes:
- User Name (Attribute no. 1)—Default attribute for subscriber ID.
- NAS-IP-Address (Attribute no. 4)—Associates the NAS IP address as the subscriber's domain (optional).
- Framed-IP-Address (Attribute no. 8)—Associates an IP address to the subscriber.
- Framed-IP-Netmask (Attribute no. 9)—Associates an IP netmask to the subscriber.
- Framed-Route (Attribute no. 22)—Associates an IP/IP-range to the subscriber.
- NAS-Identifier (Attribute no. 32)—Associates the NAS identifier as the subscriber's domain (optional).
- Acct-Status-Type (Attribute no. 40)—Distinguishes between the different accounting transactions.
- Framed-IPv6-Prefix (Attribute no. 97)—Associates an IPv6 address to a subscriber.
- Framed-IPv6-Route (Attribute no. 99)—Associates an IPv6 route to a subscriber.
To associate policies to the subscribers, configure the LEG with the attribute that contains the policy information. The Vendor-Specific attribute (Attribute no. 26) can be used to associate policies to the subscribers in addition to all other RADIUS attributes of type string or integer.
To determine the subscriber ID, configure the LEG with the attribute that contains the subscriber ID information. The Vendor-Specific attribute (Attribute no. 26) can be used to determine the subscriber ID in addition to all other RADIUS attributes of type string. By default, the User-Name (Attribute no. 1) is configured to hold the Subscriber ID.
Fair Usage Policy
When a subscriber logs in through the SCE-Sniffer RADIUS LEG, that subscriber is mapped to an appropriate package ID based on the mapping defined in the SCE-Sniffer RADIUS LEG configuration file. If the Cisco SCMS Quota Manager is used to define quota for each subscriber, at some point of time, the subscriber may move to a penalty package based on the usage, as defined in the Quota Manager configuration.
RADIUS LEG does not change the package ID if the subscriber is in a penalty package.
To use this feature, you must add the list of penalty packages to the SCE-Sniffer RADIUS LEG configuration file by using the ignore_policy_list parameter. For details on the ignore_policy_list parameter, see the “Configuring the General Settings” section.
If the penalty packages are added to the configuration file, the Subscriber Manager checks whether the subscriber is in any of the penalty package defined in the ignore policy list. If the subscriber is in any of the penalty package, the Subscriber Manager will not update the new package and continue with the existing penalty package until the penalty period is over.
If you have configured the default_policy parameter, do not use the same value in the ignore_policy_list parameter.