The following policy configuration explains how authentication and authorization occur for IPoE subscriber sessions when two RADIUS servers are involved: one located remotely and one located locally. The remote RADIUS server is not under the operator's control; the local RADIUS server holds the subscriber profiles maintained by the service provider. The request is first sent to the remote RADIUS server, and the session is then authorized against the local RADIUS server.
You can configure the process so that the authorization profile is downloaded from the local RADIUS server as a step in the authorization sequence. When both RADIUS servers return overlapping authorization profiles, partially or completely, the overlapping attributes take the values downloaded from the local RADIUS server, and the attributes that only one server returns are merged into the session profile. In the control policy shown below, the local list is authorized after the remote list (steps 11 and 12), so on any conflict the operator-controlled values win. Attributes that only the remote server returns are still applied, however; if an attribute must not be set by the remote server, the local profile has to define it.
Case 1: Subscriber session created by applying the user profile downloaded from the local RADIUS server.
Radius Server1 (located remotely, profile not controlled by the operator)
0000.0000.0001 Cleartext-Password := "shootme"
Fall-Through = no
Radius Server2 (located locally, profile controlled by the operator)
0000.0000.0001 Cleartext-Password := "shootme"
Class = "IPSUB",
Cisco-avpair += "ip:sub-qos-policy-in=12MUp",
Cisco-avpair += "ip:sub-qos-policy-out=12MDown",
Fall-Through = no
Case 2: Subscriber session created by applying the user profile downloaded from the remote RADIUS server; in this case, the policy attribute values are overridden by the local RADIUS server profile.
Radius Server1 (located remotely, profile not controlled by the operator)
0000.0000.0001 Cleartext-Password := "shootme"
Cisco-avpair += "ip:sub-qos-policy-in=6MUp",
Cisco-avpair += "ip:sub-qos-policy-out=6MDown",
Fall-Through = no
Radius Server2 (located locally, profile controlled by the operator)
0000.0000.0001 Cleartext-Password := "shootme"
Class = "IPSUB",
Cisco-avpair += "ip:sub-qos-policy-in=12MUp",
Cisco-avpair += "ip:sub-qos-policy-out=12MDown",
Fall-Through = no
Profile Created by the Attribute Merging of both the Local and Remote Server Profiles
RP/0/RSP0/CPU0:BNG#sh run aaa
radius-server host 10.105.236.46 auth-port 1812 acct-port 1813
key 7 111B1801464058
!
radius-server host 10.105.236.237 auth-port 1812 acct-port 1813
key 7 095E4F0D485744
!
aaa group server radius local_server
server 10.105.236.237 auth-port 1812 acct-port 1813
!
aaa group server radius remote_server
server 10.105.236.46 auth-port 1812 acct-port 1813
!
aaa accounting subscriber acct_meth broadcast group local_server group remote_server
aaa authorization subscriber local_server group local_server
aaa authorization subscriber remote_server group remote_server
RP/0/RSP0/CPU0:BNG#
RP/0/RSP0/CPU0:BNG#sh run policy-map type control subscriber ISN_CNTRL_1
policy-map type control subscriber ISN_CNTRL_1
event session-start match-all
class type control subscriber ISN_CM do-all
10 activate dynamic-template ISN_TEMPLATE_1
11 authorize aaa list remote_server identifier source-address-mac password shootme
12 authorize aaa list local_server identifier source-address-mac password shootme
!
!
end-policy-map
!
RP/0/RSP0/CPU0:BNG#
Remote User Profile
0000.0c00.0001 Cleartext-Password := "shootme"
cisco-avpair += "subscriber:accounting-list=acct_meth", -- [(A) Same attribute in both profiles]
Session-Timeout += 1000, --------------------------------- [(B) Attribute defined in remote profile only]
Acct-Interim-Interval = 3600 ----------------------------- [(C) Same attribute in both profiles with a different value]
Local User profile
0000.0c00.0001 Cleartext-Password := "shootme"
cisco-avpair += "subscriber:accounting-list=acct_meth", -- [(A) Same attribute in both profiles]
cisco-avpair += "sub-qos-policy-in=12MUp",---------------- [(D) Attribute defined in local profile only]
cisco-avpair += "sub-qos-policy-out=12MDown",------------- [(E) Attribute defined in local profile only]
cisco-avpair += "ipv4:inacl=innet", ---------------------- [(F) Attribute defined in local profile only]
cisco-avpair += "ipv4:outacl=outnet", -------------------- [(G) Attribute defined in local profile only]
Acct-Interim-Interval = 3000 ----------------------------- [(H) Same attribute in both profiles with a different value]
RP/0/RSP0/CPU0:BNG#sh subscriber session all detail internal
Interface: Bundle-Ether1.1.ip22
Circuit ID: Unknown
Remote ID: Unknown
Type: IP: DHCP-trigger
IPv4 State: Up, Wed Jun 18 16:56:25 2014
IPv4 Address: 12.16.0.24, VRF: default
IPv4 Up helpers: 0x00000040 {IPSUB}
IPv4 Up requestors: 0x00000040 {IPSUB}
Mac Address: 0000.0c00.0001
Account-Session Id: 000000bb
Nas-Port: Unknown
User name: 0000.0c00.0001
Outer VLAN ID: 10
Subscriber Label: 0x00000075
Created: Wed Jun 18 16:56:15 2014
State: Activated
Authentication: unauthenticated
Authorization: authorized
Ifhandle: 0x000012a0
Session History ID: 11
Access-interface: Bundle-Ether1.1
Policy Executed:
event Session-Start match-all [at Wed Jun 18 16:56:15 2014]
class type control subscriber ISN_CM do-all [Succeeded]
10 activate dynamic-template ISN_TEMPLATE_1 [cerr: No error][aaa: Success]
11 authorize aaa list remote_server [cerr: No error][aaa: Success]
12 authorize aaa list local_server [cerr: No error][aaa: Success]
Session Accounting:
Acct-Session-Id: 000000bb
Method-list: acct_meth
Accounting started: Wed Jun 18 16:56:25 2014
Interim accounting: On, interval 50 mins
Last successful update: Never
Next update in: 00:46:48 (dhms)
Last update sent: Never
Updates sent: 0
Updates accepted: 0
Updates rejected: 0
Update send failures: 0
Last COA request received: unavailable
User Profile received from AAA:
Attribute List: 0x1000e764
1: session-timeout len= 4 value= 1000(3e8) ------- [(B) Attribute value fetched from the remote profile]
2: accounting-list len= 9 value= acct_meth ------- [(A) Attribute common to both the profiles]
3: sub-qos-policy-in len= 5 value= 12MUp ------- [(D) Attribute defined in the local profile]
4: sub-qos-policy-out len= 7 value= 12MDown ------- [(E) Attribute defined in the local profile]
5: inacl len= 5 value= innet ------------ [(F) Attribute defined in the local profile]
6: outacl len= 6 value= outnet ----------- [(G) Attribute defined in the local profile]
7: acct-interval len= 4 value= 3000(bb8) -------- [(I) Attribute value fetched from the local profile]
Services:
Name : ISN_TEMPLATE_1
Service-ID : 0x4000002
Type : Template
Status : Applied
-------------------------
In the above example, attributes are defined in both the local and the remote RADIUS server profiles. Attributes (A), (B), and (C) are defined in the remote profile, and attributes (A), (D), (E), (F), (G), and (H) are defined in the local profile. The subscriber session is created with attributes (B), (A), (D), (E), (F), (G), and (I): attribute (B), Session-Timeout, is fetched from the remote profile because only the remote profile defines it; attribute (A), accounting-list, is common to both profiles with the same value; attributes (D), (E), (F), and (G), the QoS policies and ACLs, are fetched from the local profile; and attribute (I) is Acct-Interim-Interval, which both profiles define with different values, 3600 as (C) in the remote profile and 3000 as (H) in the local profile. Because the local list is authorized last, the local value 3000 is applied, which the session output confirms as "Interim accounting: On, interval 50 mins". Note also that the session shows "Authentication: unauthenticated" together with "Authorization: authorized": the control policy runs only authorize actions, identifying the subscriber by its source MAC address with the static password configured in the policy, so the RADIUS exchange authorizes the session rather than authenticating the subscriber.
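To check that a session received the attribute set this merge rule predicts, the following script models the merge and compares the prediction with the "User Profile received from AAA" lines of the show output. This is an added illustration, not Cisco code: the merge rule (attributes returned by both lists take the value of the list authorized last, attributes returned by one list are kept) is the one described above; the users-file parsing, the mapping of standard attribute names to the names printed by the BNG, the helper names and the embedded excerpts (taken from the profiles and show output on this page, with whitespace normalised) are this example's own assumptions.

```python
"""Model of the attribute merge performed when a control policy authorizes
against a remote RADIUS list and then a local one (added example, not Cisco
code; parsing, name mapping and helper names are assumptions)."""
import re

# Constructed copies of the two users-file entries shown on the page.
REMOTE_PROFILE = """\
0000.0c00.0001 Cleartext-Password := "shootme"
    cisco-avpair += "subscriber:accounting-list=acct_meth",
    Session-Timeout += 1000,
    Acct-Interim-Interval = 3600
"""
LOCAL_PROFILE = """\
0000.0c00.0001 Cleartext-Password := "shootme"
    cisco-avpair += "subscriber:accounting-list=acct_meth",
    cisco-avpair += "sub-qos-policy-in=12MUp",
    cisco-avpair += "sub-qos-policy-out=12MDown",
    cisco-avpair += "ipv4:inacl=innet",
    cisco-avpair += "ipv4:outacl=outnet",
    Acct-Interim-Interval = 3000
"""
# Constructed excerpt of "sh subscriber session all detail internal".
SHOW_EXCERPT = """\
 User Profile received from AAA:
  Attribute List: 0x1000e764
  1: session-timeout     len=  4  value= 1000(3e8)
  2: accounting-list     len=  9  value= acct_meth
  3: sub-qos-policy-in   len=  5  value= 12MUp
  4: sub-qos-policy-out  len=  7  value= 12MDown
  5: inacl               len=  5  value= innet
  6: outacl              len=  6  value= outnet
  7: acct-interval       len=  4  value= 3000(bb8)
"""

# Assumed mapping: standard RADIUS attribute -> name printed by the BNG.
STD_NAMES = {"session-timeout": "session-timeout",
             "acct-interim-interval": "acct-interval"}

_REPLY_RE = re.compile(r'^\s*([\w-]+)\s*(\+=|:=|==|=)\s*"?([^",]*)"?\s*,?\s*$')
_SHOW_RE = re.compile(r'^\s*\d+:\s+(\S+)\s+len=\s*\d+\s+value=\s*(\S+)')


def parse_users_entry(text):
    """Parse one users-file entry into (username, [(key, value), ...]).

    The first line holds the check items (username, password) and is not part
    of the downloaded profile; each following line is one reply item.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    username = lines[0].split()[0]
    attrs = []
    for line in lines[1:]:
        m = _REPLY_RE.match(line)
        if not m:
            raise ValueError("unparsable reply item: %r" % line)
        attr, value = m.group(1).lower(), m.group(3)
        if attr == "fall-through":      # server-side control item, not sent
            continue
        if attr == "cisco-avpair":
            # "[namespace:]name=value": the BNG keys the attribute by 'name'.
            name, _, value = value.partition("=")
            key = name.rsplit(":", 1)[-1]
        else:
            key = STD_NAMES.get(attr, attr)
        attrs.append((key, value))
    return username, attrs


def merge_profiles(ordered_profiles):
    """Merge profiles in the order the control policy authorizes them.

    Returns {key: (value, source)}. A key returned by a later list overrides
    the earlier value (local after remote on this page, so operator values
    win); a key returned by only one list is kept as-is.
    """
    merged = {}
    for source, attrs in ordered_profiles:
        for key, value in attrs:
            merged[key] = (value, source)
    return merged


def remote_only_attributes(merged, remote="remote_server"):
    """Keys whose applied value came from the remote list: these are the
    attributes the local profile did not pin and the remote server controls."""
    return sorted(k for k, (_, src) in merged.items() if src == remote)


def parse_applied_profile(show_text):
    """Extract {key: value} from the 'User Profile received from AAA' lines."""
    applied = {}
    for line in show_text.splitlines():
        m = _SHOW_RE.match(line)
        if m:
            applied[m.group(1)] = m.group(2).split("(")[0]   # drop "(hex)"
    return applied


def audit_session(expected, applied):
    """Return [(key, expected_value, applied_value)] for every discrepancy
    between the modelled merge and what the BNG reports; [] means clean."""
    problems = []
    for key in sorted(set(expected) | set(applied)):
        exp = expected.get(key, (None, None))[0]
        got = applied.get(key)
        if exp != got:
            problems.append((key, exp, got))
    return problems


def expected_profile(remote_text=REMOTE_PROFILE, local_text=LOCAL_PROFILE):
    """Merge the two page profiles in policy order: remote (11), local (12)."""
    remote = parse_users_entry(remote_text)[1]
    local = parse_users_entry(local_text)[1]
    return merge_profiles([("remote_server", remote), ("local_server", local)])


if __name__ == "__main__":
    merged = expected_profile()
    for key, (value, src) in merged.items():
        print("%-20s %-10s from %s" % (key, value, src))
    print("remote-controlled:", remote_only_attributes(merged))
    print("discrepancies:", audit_session(merged, parse_applied_profile(SHOW_EXCERPT)))
```

Running it reproduces the seven attributes of the show output with acct-interval 3000 sourced from local_server, and reports session-timeout as the one attribute the remote server controls; feeding it Case 2's remote profile (with ip:sub-qos-policy-in=6MUp) still yields 12MUp, because the local list is authorized last.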