RADIUS

From TBwiki
(Difference between revisions)
(adjust link simpler for v2.3 to v2.5)
(Authorization/Authentication)
 
(30 intermediate revisions by 7 users not shown)
Line 1: Line 1:
Remote Authentication Dial In User Service, more popularly known as RADIUS, is used by telecom service providers for the purpose of authenticating, authorizing, and accounting for the use of services by subscribers. A RADIUS server is an application server that provides this functionality. It can take as input as well as output [[Call detail record]] (CDR) data.  
+
Remote Authentication Dial In User Service, more popularly known as RADIUS, is used by telecom service providers for the purpose of authenticating, authorizing, and accounting (AAA) for the use of services by subscribers. A RADIUS server is an application server that provides this functionality. It can take as input as well as output [[Call detail record]] (CDR) data.  
  
 
<br>  
 
<br>  
Line 5: Line 5:
 
== TelcoBridges and RADIUS  ==
 
== TelcoBridges and RADIUS  ==
  
Starting with release [[Toolpack_version_2.3|v2.3]] of [[Toolpack]], explicit support for the accounting function of RADIUS is now offered. Previously, Toolpack stored [[Call detail record]] (CDR) data in a local database. Starting with Toolpack v2.3, CDR data is stored on a dedicated, external server running an implementation of the RADIUS standard. Configuration of the location of the RADIUS server is performed through the Toolpack web portal. For this initial release, Toolpack only supports the Accounting functionality of RADIUS; it does not support the Authorization or Authentication options. That type of functionality can be performed outside of RADIUS using Toolpack.
+
Starting with release [[Toolpack_version_2.3|v2.3]] of [[Toolpack]], explicit support for the accounting function of RADIUS is now offered. Previously, Toolpack stored [[Call detail record]] (CDR) data in a local database. Starting with Toolpack v2.3, CDR data is stored on a dedicated, external server running an implementation of the RADIUS standard. Configuration of the location of the RADIUS server is performed through the Toolpack web portal.
  
 
Starting with release [[TMG-CONTROL_Version_2.6|v2.6]] of [[Toolpack]], multiple RADIUS servers can now be configured for backup purposes.
 
Starting with release [[TMG-CONTROL_Version_2.6|v2.6]] of [[Toolpack]], multiple RADIUS servers can now be configured for backup purposes.
 +
 +
Starting with release [[TMG-CONTROL_Version_2.7|v2.7]] of [[Toolpack]], calls can now be validated through a RADIUS server with authentication and authorization. The RADIUS server may also change routing parameters for calls.
  
 
[[File:Radius_High-level_drawing_v2.jpg]]
 
[[File:Radius_High-level_drawing_v2.jpg]]
 +
  
 
=== Prerequisites  ===
 
=== Prerequisites  ===
  
In order to enable RADIUS functionality in Toolpack, you must have a RADIUS server already up and running. It is highly recommended that the RADIUS server software being running on a separate machine from the one running the Toolpack software. Before configuring Toolpack, you will need the IP address of the RADIUS server(s). You will need to specify a ‘secret key’ which will authenticate the Toolpack server so that it can send CDR data to the RADIUS server and the RADIUS server will accept it.  
+
In order to enable RADIUS functionality in Toolpack, you must have a RADIUS server already up and running. It is highly recommended that the RADIUS server software being running on a separate machine from the one running the Toolpack software. Before configuring Toolpack, you will need the IP address of the RADIUS server(s). You will need to specify a ‘secret key’ which will authenticate the Toolpack server so that it can send accounting, authentication and authorization data and to the RADIUS server and the RADIUS server will accept it.  
  
=== Configuration ===
 
  
*[[Web_Portal_Tutorial_Guide_v2.6#CDR|Toolpack v2.6: RADIUS configuration]]
+
== Configuration ==
 +
 
 +
=== Accounting ===
 +
*[[Toolpack:Tsbc_CDR_Settings_3.0|Web Portal v3.0: RADIUS configuration]]
 +
*[[Toolpack:CDR_Settings_C|Web Portal v2.10: RADIUS configuration]]
 +
*[[Toolpack:CDR_Settings_B|Web Portal v2.9: RADIUS configuration]]
 +
*[[Toolpack:CDR_Settings_A|Web Portal v2.8: RADIUS configuration]]
 +
 
 +
<div class="mw-collapsible mw-collapsed" data-collapsetext="other versions" data-expandtext="Click here for other versions" style="width: 400px;">
 +
*[[Web_Portal_Tutorial_Guide_v2.7#CDR|Web Portal v2.7: RADIUS configuration]]
 +
*[[Web_Portal_Tutorial_Guide_v2.6#CDR|Web Portal v2.6: RADIUS configuration]]
 
*[[Toolpack:Configuring_RADIUS_A|Toolpack v2.5: RADIUS configuration]]
 
*[[Toolpack:Configuring_RADIUS_A|Toolpack v2.5: RADIUS configuration]]
 
*[[Toolpack:Configuring_RADIUS_A|Toolpack v2.4: RADIUS configuration]]
 
*[[Toolpack:Configuring_RADIUS_A|Toolpack v2.4: RADIUS configuration]]
 
*[[Toolpack:Configuring_RADIUS_A|Toolpack v2.3: RADIUS configuration]]
 
*[[Toolpack:Configuring_RADIUS_A|Toolpack v2.3: RADIUS configuration]]
 +
</div>
  
=== Toolpack to Radius CDR attributes remapping  ===
+
=== Authorization/Authentication ===
 +
*[[Toolpack:Tsbc_Call_Routes_Settings_3.0#RADIUS_Authorization_and_Authentication|Web Portal v3.0: RADIUS Authorization and Authentication configuration]]
 +
*[[Toolpack:Call_Routes_Settings_C#RADIUS_Authorization_and_Authentication|Web Portal v2.10: RADIUS Authorization and Authentication configuration]]
 +
*[[Toolpack:Call_Routes_Settings_B#RADIUS_Authorization_and_Authentication|Web Portal v2.9: RADIUS Authorization and Authentication configuration]]
 +
*[[Toolpack:Call_Routes_Settings_A#RADIUS_Authorization_and_Authentication|Web Portal v2.8: RADIUS Authorization and Authentication configuration]]
 +
<div class="mw-collapsible mw-collapsed" data-collapsetext="other versions" data-expandtext="Click here for other versions" style="width: 400px;">
 +
*[[Web_Portal_Tutorial_Guide_v2.7#RADIUS_Authorization_and_Authentication|Web Portal v2.7: RADIUS Authorization and Authentication configuration]]
 +
</div>
  
From RFC 2865 and RFC 2866 (Accounting) :
+
== Authorization ==
{| cellpadding="5" border="1" class="wikitable"
+
|-
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | AVP Id
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Radius IETF param name
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Type
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Toolpack param
+
! width="610" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Description
+
|-
+
| align="center" | 1<br>
+
| User-Name
+
| align="center" | string<br>
+
| -
+
| For now this value is hardcoded to "100"
+
|-
+
| align="center" | 4<br>
+
| NAS-IP-Address
+
| align="center" | IP address<br>
+
| -
+
| IP address of the TMedia generating the CDR record
+
|-
+
| align="center" | 30<br>
+
| Called-Sation-Id
+
| align="center" | string<br>
+
| Called Number
+
| Called party number
+
|-
+
| align="center" | 31<br>
+
| Calling-Station-Id
+
| align="center" | string<br>
+
| Calling Number
+
| Calling party number
+
|-
+
| align="center" | 32<br>
+
| NAS-Identifier
+
| align="center" | string<br>
+
| Application Name
+
| Application name of the CDR provider
+
|-
+
| align="center" | 40<br>
+
| Acct-Status-Type
+
| align="center" | integer<br>
+
| -
+
| Start or Stop
+
|-
+
| align="center" | 44<br>
+
| Acct-Session-Id
+
| align="center" | integer<br>
+
| Leg Id
+
| Call Leg Identifier
+
|}
+
  
AVP: 26  VendorID: 9 (Cisco)
+
If a Radius authorization server is configured, the call authorization is done externally (using the Radius protocol).  The acceptance or refusal of the call is then returned into a routing script for further processing.  Refer to [[Routing_script_tutorial:Mini_Development_Guide#Authorization | Radius authorization ]] for more details.
  
{| cellpadding="5" border="1" class="wikitable"
+
== RADIUS Redundancy and Association  ==
|-
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | VSA Id
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Radius IETF param name
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Type
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Toolpack param
+
! width="610" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Description
+
|-
+
| align="center" | 2<br>
+
| Cisco-NAS-Port
+
| align="center" | string<br>
+
| NAP name
+
| Network Access Point name for the call leg
+
|-
+
| align="center" | 24<br>
+
| h323-conf-id
+
| align="center" | string<br>
+
| Unique Id
+
| Unique call identifier for the two initial legs (incoming and outgoing) - 128 bits integer formated as xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
+
|-
+
| align="center" | 25<br>
+
| h323-setup-time
+
| align="center" | string<br>
+
| Start Time
+
| Represent the call leg setup time - Coordinated Universal Time (UTC)
+
|-
+
| align="center" | 26<br>
+
| h323-call-origin
+
| align="center" | string<br>
+
| Originator Name
+
| "answer" for an outgoing leg - "originate" for an incoming leg
+
|-
+
| align="center" | 27<br>
+
| h323-call-type
+
| align="center" | string<br>
+
| Protocol Type
+
| If protocol is SIP the value is "VOIP", otherwise it is "Telephony"
+
|-
+
| align="center" | 28<br>
+
| h323-connect-time
+
| align="center" | string<br>
+
| Connected Time
+
| Represent the call leg answer time (connect time) - Coordinated Universal Time (UTC)
+
|-
+
| align="center" | 29<br>
+
| h323-disconnect-time
+
| align="center" | string<br>
+
| EndTime
+
| Represent the call leg disconnect time - Coordinated Universal Time (UTC)
+
|-
+
| align="center" | 30<br>
+
| h323-disconnect-cause
+
| align="center" | string<br>
+
| Termination Reason
+
| Q.931 disconnect (1 to 160) cause, TB Toolpack system cause (200 to 300) and SIP cause (400 to 600)
+
|-
+
| align="center" | 35<br>
+
| h323-incoming-conf-id
+
| align="center" | string<br>
+
| Unique Id
+
| Contains the original h323-conf-id in case of call transfer for subsequent outgoing legs - 128 bits integer formated as xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
+
|-
+
| align="center" | 115
+
| release-source
+
| align="center" | string<br>
+
| Termination Source
+
| "localLeg" if this leg terminate the call or "connectedLeg" if its the connected leg - We use a Cisco string field with our own value definition
+
|-
+
|}
+
  
AVP: 26  VendorID: 21776 (TelcoBridges)
+
*[[Radius_Acct_Auth_Redundancy|Radius Accounting and Authentication Redundancy]]
 +
*[[Radius_Acct_Auth_Association|Radius Accounting and Authentication Association]]
  
{| cellpadding="5" border="1" class="wikitable"
+
== Toolpack to RADIUS CDR attributes remapping  ==
|-
+
When Toolpack sends ''Access-Request'' messages to a RADIUS server, some specific attributes are included in the message. These attributes have been improved through Toolpack releases to better meet accounting services requirements.
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | VSA Id
+
 
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Radius IETF param name
+
==== RADIUS CDR attributes list ====
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Type
+
*[[Toolpack:RADIUS_CDR_attributes_D|Toolpack v3.0 and higher]]
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Toolpack param
+
*[[Toolpack:RADIUS_CDR_attributes_C|Toolpack v2.7, v2.8, v2.9, v2.10]]
! width="610" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Description
+
<div class="mw-collapsible mw-collapsed" data-collapsetext="other versions" data-expandtext="Click here for other versions" style="width: 400px;">
|-
+
*[[Toolpack:RADIUS_CDR_attributes_B|Toolpack v2.6]]
| align="center" | 9<br>
+
*[[Toolpack:RADIUS_CDR_attributes_A|Toolpack v2.5 and earlier]]
| Telcob-ChargeIndicator
+
</div>
| align="center" | String<br>
+
| ChargeIndicator
+
| Represent the charge indicator value
+
|-
+
| align="center" | 10<br>
+
| Telcob-Protocol
+
| align="center" | String<br>
+
| Protocol
+
| Protocol used for this LegID. Ex. SIP, ISDN, etc.
+
|-
+
| align="center" | 11<br>
+
| Telcob-Codec
+
| align="center" | String<br>
+
| Codec
+
| Codec used for this LegID
+
|-
+
| align="center" | 12<br>
+
| Telcob-RemoteIP
+
| align="center" | IP address<br>
+
| RemoteIP
+
| RemoteIP used for the media. This is only for VOIP.
+
|-
+
| align="center" | 13<br>
+
| Telcob-RemotePort
+
| align="center" | Integer<br>
+
| RemotePort
+
| RTP Port of the remote peer. This is only for VOIP.
+
|-
+
| align="center" | 14<br>
+
| Telcob-TrunkName
+
| align="center" | String<br>
+
| TrunkName
+
| Name of the trunk (ex. "LS004400E1_0_00").<br/>
+
This attribute is only for non-VOIP.
+
|-
+
| align="center" | 15<br>
+
| Telcob-TimeslotNumber
+
| align="center" | Integer<br>
+
| TimeslotNumber
+
| This is the Timeslot Number.<br/>
+
This attribute is only for non-VOIP.
+
|-
+
| align="center" | 16<br>
+
| Telcob-MediaInfo
+
| align="center" | String<br>
+
| MediaInfo
+
| String that represents the MediaInfo (ex. "PCMU@10.3.10.124:20054" for SIP and "LS_T1_BITS_00:1" for ISDN)
+
|-
+
| align="center" | 17<br>
+
| Telcob-StartTime
+
| align="center" | String<br>
+
| StartTime
+
| String that represents the StartTime of the call.
+
|-
+
| align="center" | 18<br>
+
| Telcob-ConnectedTime
+
| align="center" | String<br>
+
| ConnectedTime
+
| String that represents the time when the call was connected
+
|-
+
| align="center" | 19<br>
+
| Telcob-EndTime
+
| align="center" | String<br>
+
| EndTime
+
| String that represents when the call was completed.
+
|-
+
| align="center" | 20<br>
+
| Telcob-TerminationCause
+
| align="center" | Integer<br>
+
| TerminationCause
+
| Integer that represents the Termination Cause
+
|-
+
| align="center" | 21<br>
+
| Telcob-Other-Leg-Id
+
| align="center" | Integer<br>
+
| Other-Leg-Id
+
| Integer that represents the other LegID bridged for this call
+
|-
+
| align="center" | 22<br>
+
| Telcob-TerminationCauseString
+
| align="center" | String<br>  
+
| TerminationCauseString
+
| String that represents the TerminationCause, but in a String format.
+
|-
+
| align="center" | 23<br>
+
| Telcob-TerminationSource
+
| align="center" | String<br>
+
| TerminationSource
+
| String that represents the Termination Source
+
|-
+
| align="center" | 24<br>
+
| Telcob-LocalSipIP*
+
| align="center" | String<br>
+
| LocalSipIP
+
| IP Address that represents the Local IP used for SIP.
+
|-
+
| align="center" | 25<br>
+
| Telcob-LocalSipPort*
+
| align="center" | Integer<br>
+
| LocalSipPort
+
| Integer that represents the Local port used for SIP.
+
|-
+
| align="center" | 26<br>  
+
| Telcob-LocalMediaIP
+
| align="center" | IPAddr<br>
+
| LocalMediaIP
+
| IP Address that represents the Local IP used for the media.
+
|-
+
| align="center" | 27<br>
+
| Telcob-LocalMediaPort
+
| align="center" | String<br>
+
| LocalMediaPort
+
| Integer that represents the Local port used for the media.
+
|-
+
| align="center" | 28<br>
+
| Telcob-LocalMediaInfo
+
| align="center" | String<br>
+
| LocalMediaInfo
+
| String that represents the Local Media Info.(ex. "PCMU@10.3.10.124:20054")
+
Only for VOIP calls.
+
|-
+
| align="center" | 29<br>
+
| Telcob-RemoteMediaInfo
+
| align="center" | String<br>
+
| RemoteMediaInfo
+
| String that represents the Remote Media Info.(ex. "PCMU@10.3.10.124:20054")
+
This is the same as Telcob-MediaInfo. Only for VOIP calls.
+
|}
+
* = Not currently implemented.
+
  
 
== Dealing with incoherent CDR entries ==
 
== Dealing with incoherent CDR entries ==
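Review bot: the new "Toolpack to RADIUS CDR attributes remapping" paragraph says the CDR attributes are sent in ''Access-Request'' messages, but RFC 2866 (cited by the line this revision removes, "From RFC 2865 and RFC 2866 (Accounting) :") carries accounting attributes such as Acct-Status-Type and Acct-Session-Id in Accounting-Request packets (code 4); Access-Request (code 1) is the RFC 2865 authentication/authorization packet that the new "Authorization" section covers, so this should read "Accounting-Request" unless the attribute list is meant to apply to both. Two smaller points in the rewritten Prerequisites paragraph: "being running" should be "be running", and "send accounting, authentication and authorization data and to the RADIUS server" has a stray "and".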
Line 298: Line 72:
  
 
== References  ==
 
== References  ==
 
 
*[[Toolpack:Status_Menus:RADIUS_A|Radius status in TMG web portal]]
 
*[[Toolpack:Status_Menus:RADIUS_A|Radius status in TMG web portal]]
 
*[http://en.wikipedia.org/wiki/RADIUS Radius Wikipedia article]  
 
*[http://en.wikipedia.org/wiki/RADIUS Radius Wikipedia article]  
Line 305: Line 78:
  
 
[[Category:Glossary]]
 
[[Category:Glossary]]
 +
[[Category:Revise on Major]]

Latest revision as of 10:10, 20 February 2018

Remote Authentication Dial In User Service, more popularly known as RADIUS, is used by telecom service providers for the purpose of authenticating, authorizing, and accounting (AAA) for the use of services by subscribers. A RADIUS server is an application server that provides this functionality. It can take as input as well as output Call detail record (CDR) data.



TelcoBridges and RADIUS

Starting with release v2.3 of Toolpack, explicit support for the accounting function of RADIUS is now offered. Previously, Toolpack stored Call detail record (CDR) data in a local database. Starting with Toolpack v2.3, CDR data is stored on a dedicated, external server running an implementation of the RADIUS standard. Configuration of the location of the RADIUS server is performed through the Toolpack web portal.

Starting with release v2.6 of Toolpack, multiple RADIUS servers can now be configured for backup purposes.

Starting with release v2.7 of Toolpack, calls can now be validated through a RADIUS server with authentication and authorization. The RADIUS server may also change routing parameters for calls.

[Figure: Radius High-level drawing v2.jpg]


Prerequisites

In order to enable RADIUS functionality in Toolpack, you must have a RADIUS server already up and running. It is highly recommended that the RADIUS server software be running on a separate machine from the one running the Toolpack software. Before configuring Toolpack, you will need the IP address of the RADIUS server(s). You will also need to specify a ‘secret key’ (the RADIUS shared secret) that authenticates the Toolpack server to the RADIUS server, so that the accounting, authentication and authorization data it sends is accepted.


Configuration

Accounting

Authorization/Authentication

Authorization

If a Radius authorization server is configured, call authorization is performed externally over the Radius protocol. The server's acceptance or refusal of the call is then returned to a routing script for further processing. Refer to Radius authorization for more details.

RADIUS Redundancy and Association

Toolpack to RADIUS CDR attributes remapping

When Toolpack sends Access-Request messages to a RADIUS server, a specific set of attributes is included in the message. This attribute set has been extended across Toolpack releases to better meet accounting service requirements.
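The exchange that the Prerequisites and CDR-attribute paragraphs above describe, as an added example that is not part of the original page or of TelcoBridges' software: a Start record for one call leg is encoded as an RFC 2866 Accounting-Request (code 4, the packet type in which RFC 2866 places accounting attributes), carrying the standard attributes that the page's attribute mapping lists (User-Name, NAS-IP-Address, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Acct-Status-Type, Acct-Session-Id), one Cisco vendor-9 VSA (h323-conf-id, 24) and one TelcoBridges vendor-21776 VSA (Telcob-Protocol, 10). The server recomputes the Request Authenticator with the shared secret (the page's ‘secret key’) and drops the packet when it does not match, then the client verifies the Accounting-Response the same way. The secret, addresses, numbers, NAS-Identifier and all function names are constructed for this example; the attribute numbers and vendor ids come from the page and the RFCs.

```python
"""Constructed RADIUS accounting round trip: Accounting-Request with the page's CDR
attribute mapping, Request/Response Authenticator checks with the shared secret."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

CODE_ACCT_REQUEST, CODE_ACCT_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 4, 26            # RFC 2865
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_STATUS_START = 40, 44, 1  # RFC 2866
VENDOR_CISCO, VENDOR_TELCOBRIDGES = 9, 21776                      # vendor ids from the page
SECRET = b"constructed-shared-secret"                             # constructed for the example


def avp(attr_type, value):
    """Type(1) Length(1) Value; Length counts the 2 header bytes."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, IPv4Address):
        value = value.packed
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4) + one sub-attribute Type(1) Length(1) Value."""
    value = value.encode() if isinstance(value, str) else value
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def build_acct_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code+ID+Length + 16 zero bytes + attrs + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCT_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def verify_acct_request(packet, secret):
    """Server side: a sender that does not hold the secret cannot produce this digest."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)

def build_acct_response(request, secret, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + attrs + secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCT_RESPONSE, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_acct_response(response, request, secret):
    """Client side: the digest binds the reply to our request and to the secret."""
    header, auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(auth, expected)

def parse_attributes(packet):
    """Walk the TLV list -> [(type, vendor_id, vendor_type, value)]; vendor fields None for standard AVPs."""
    out, pos = [], 20
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + l]
        if t == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vt, vl = struct.unpack("!I", value[:4])[0], value[4], value[5]
            out.append((t, vendor, vt, value[6:4 + vl]))
        else:
            out.append((t, None, None, value))
        pos += l
    return out

def sample_start_record():
    """Constructed Start record for one leg, following the page's CDR-to-attribute mapping."""
    return [
        avp(USER_NAME, "100"),                            # page: hardcoded to "100"
        avp(NAS_IP_ADDRESS, IPv4Address("192.0.2.10")),    # TMedia generating the CDR
        avp(CALLED_STATION_ID, "15145550100"),             # Called Number
        avp(CALLING_STATION_ID, "15145550199"),            # Calling Number
        avp(NAS_IDENTIFIER, "tbsbc-example"),              # Application Name
        avp(ACCT_STATUS_TYPE, ACCT_STATUS_START),          # Start
        avp(ACCT_SESSION_ID, "4242"),                      # Leg Id (text per RFC 2866)
        vsa(VENDOR_CISCO, 24, "00000000 00000000 00000000 0000002a"),  # h323-conf-id
        vsa(VENDOR_TELCOBRIDGES, 10, "SIP"),               # Telcob-Protocol
    ]

def run_exchange(client_secret=SECRET, server_secret=SECRET):
    """Round trip; different secrets model a misconfigured peer, whose record the server silently drops."""
    request = build_acct_request(7, sample_start_record(), client_secret)
    if not verify_acct_request(request, server_secret):
        return {"accepted": False}
    response = build_acct_response(request, server_secret)
    return {"accepted": True,
            "response_ok": verify_acct_response(response, request, client_secret),
            "attrs": parse_attributes(request)}
```

Note that the authenticator is a keyed MD5 over the whole packet, not an encryption of it: every attribute value (numbers, addresses, codec) travels in the clear over UDP, which is one reason the page recommends a dedicated RADIUS host, and the Identifier plus the Request Authenticator are what tie an Accounting-Response to the record it acknowledges.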

RADIUS CDR attributes list

Dealing with incoherent CDR entries

In some situations (during HA switchover for example), some CDR entries may be lost.

The following guidelines provide information on how to deal with these corner cases:

Deal with CDR entries loss

References
