RADIUS

From TBwiki
(Difference between revisions)
Jump to: navigation, search
(Known issues)
(Authorization/Authentication)
 
(58 intermediate revisions by 11 users not shown)
Line 1: Line 1:
Remote Authentication Dial In User Service, more popularly known as RADIUS, is used by telecom service providers for the purpose of authenticating, authorizing, and accounting for the use of services by subscribers. A RADIUS server is an application server that provides this functionality. It can take as input as well as output [[Call detail record]] (CDR) data.  
+
Remote Authentication Dial In User Service, more popularly known as RADIUS, is used by telecom service providers for the purpose of authenticating, authorizing, and accounting (AAA) for the use of services by subscribers. A RADIUS server is an application server that provides this functionality. It can take as input as well as output [[Call detail record]] (CDR) data.  
  
 
<br>  
 
<br>  
Line 5: Line 5:
 
== TelcoBridges and RADIUS  ==
 
== TelcoBridges and RADIUS  ==
  
Starting with release [[Version 2.3|v2.3]] of [[Toolpack]], explicit support for the accounting function of RADIUS is now offered. Previously, Toolpack stored [[Call detail record]] (CDR) data in a local database. Starting with Toolpack v2.3, CDR data is stored on a dedicated, external server running an implementation of the RADIUS standard. Configuration of the location of the RADIUS server is performed through the Toolpack web portal. For this initial release, Toolpack only supports the Accounting functionality of RADIUS; it does not support the Administration or Authentication options. That type of functionality can be performed outside of RADIUS using Toolpack.'
+
Starting with release [[Toolpack_version_2.3|v2.3]] of [[Toolpack]], explicit support for the accounting function of RADIUS is now offered. Previously, Toolpack stored [[Call detail record]] (CDR) data in a local database. Starting with Toolpack v2.3, CDR data is stored on a dedicated, external server running an implementation of the RADIUS standard. Configuration of the location of the RADIUS server is performed through the Toolpack web portal.
 +
 
 +
Starting with release [[TMG-CONTROL_Version_2.6|v2.6]] of [[Toolpack]], multiple RADIUS servers can now be configured for backup purposes.
 +
 
 +
Starting with release [[TMG-CONTROL_Version_2.7|v2.7]] of [[Toolpack]], calls can now be validated through a RADIUS server with authentication and authorization. The RADIUS server may also change routing parameters for calls.
 +
 
 +
[[File:Radius_High-level_drawing_v2.jpg]]
 +
 
  
 
=== Prerequisites  ===
 
=== Prerequisites  ===
  
In order to enable this function in Toolpack v2.3, you must have a RADIUS server already up and running. It is highly recommended that the RADIUS server software being running on a separate machine from the one running the Toolpack software. Before configuring Toolpack, you will need the names and IP address of the RADIUS server. You will need to specify a ‘secret key’ which will authenticate the Toolpack server so that it can send CDR data to the RADIUS server and the RADIUS server will accept it.  
+
In order to enable RADIUS functionality in Toolpack, you must have a RADIUS server already up and running. It is highly recommended that the RADIUS server software being running on a separate machine from the one running the Toolpack software. Before configuring Toolpack, you will need the IP address of the RADIUS server(s). You will need to specify a ‘secret key’ which will authenticate the Toolpack server so that it can send accounting, authentication and authorization data and to the RADIUS server and the RADIUS server will accept it.  
  
=== Steps  ===
 
  
Assuming that you have already set up and configured a RADIUS server, you will now need to configure Toolpack.
+
== Configuration ==
  
*To configure RADIUS support in Toolpack, first go to '''Global &gt; Gateway &gt; Configurations'''. In the Configuration List, click on '''Create New Configuration'''. This is where you will create a RADIUS configuration.
+
=== Accounting ===
*In the new configuration, click on '''Use CDR Behaviour'''. Up until now, this is the same approach you would use where CDRs are written to the Toolpack database.  
+
*[[Toolpack:Tsbc_CDR_Settings_3.0|Web Portal v3.0: RADIUS configuration]]
*Now click on the '''CDR options''' section header, then click on '''Use RADIUS''' checkbox.
+
*[[Toolpack:CDR_Settings_C|Web Portal v2.10: RADIUS configuration]]
*Next, fill in the information in the '''RADIUS server parameters''' section. Please note that the '''port''' for the RADIUS Server must be set to 1813 (i.e., hostname:1813);. For the '''Server secret''' field, set it to the same authentication key that is configured on the RADIUS server.
+
*[[Toolpack:CDR_Settings_B|Web Portal v2.9: RADIUS configuration]]
 +
*[[Toolpack:CDR_Settings_A|Web Portal v2.8: RADIUS configuration]]
  
<br>  
+
<div class="mw-collapsible mw-collapsed" data-collapsetext="other versions" data-expandtext="Click here for other versions" style="width: 400px;">
 +
*[[Web_Portal_Tutorial_Guide_v2.7#CDR|Web Portal v2.7: RADIUS configuration]]
 +
*[[Web_Portal_Tutorial_Guide_v2.6#CDR|Web Portal v2.6: RADIUS configuration]]
 +
*[[Toolpack:Configuring_RADIUS_A|Toolpack v2.5: RADIUS configuration]]
 +
*[[Toolpack:Configuring_RADIUS_A|Toolpack v2.4: RADIUS configuration]]
 +
*[[Toolpack:Configuring_RADIUS_A|Toolpack v2.3: RADIUS configuration]]
 +
</div>
  
=== Testing this feature  ===
+
=== Authorization/Authentication ===
 +
*[[Toolpack:Tsbc_Call_Routes_Settings_3.0#RADIUS_Authorization_and_Authentication|Web Portal v3.0: RADIUS Authorization and Authentication configuration]]
 +
*[[Toolpack:Call_Routes_Settings_C#RADIUS_Authorization_and_Authentication|Web Portal v2.10: RADIUS Authorization and Authentication configuration]]
 +
*[[Toolpack:Call_Routes_Settings_B#RADIUS_Authorization_and_Authentication|Web Portal v2.9: RADIUS Authorization and Authentication configuration]]
 +
*[[Toolpack:Call_Routes_Settings_A#RADIUS_Authorization_and_Authentication|Web Portal v2.8: RADIUS Authorization and Authentication configuration]]
 +
<div class="mw-collapsible mw-collapsed" data-collapsetext="other versions" data-expandtext="Click here for other versions" style="width: 400px;">
 +
*[[Web_Portal_Tutorial_Guide_v2.7#RADIUS_Authorization_and_Authentication|Web Portal v2.7: RADIUS Authorization and Authentication configuration]]
 +
</div>
  
Testing this feature is as simple as activating the functionality in Toolpack and validating that CDR data is being properly received by the RADIUS server. If you have the ability to simulate calling data, you might find it worthwhile to gradually increase call volumes over time to identify and understand any limitations experienced with your RADIUS application server (see Known issues below for more on this.)
+
== Authorization ==
  
<br>
+
If a Radius authorization server is configured, the call authorization is done externally (using the Radius protocol).  The acceptance or refusal of the call is then returned into a routing script for further processing.  Refer to [[Routing_script_tutorial:Mini_Development_Guide#Authorization | Radius authorization ]] for more details.
  
=== Toolpack to Radius CDR attributes remapping ===
+
== RADIUS Redundancy and Association ==
  
{| cellpadding="5" border="1" class="wikitable"
+
*[[Radius_Acct_Auth_Redundancy|Radius Accounting and Authentication Redundancy]]
|-
+
*[[Radius_Acct_Auth_Association|Radius Accounting and Authentication Association]]
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | AVP Id
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Radius IETF param name
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Type
+
! width="210" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Toolpack param
+
! width="610" style="background: none repeat scroll 0% 0% rgb(239, 239, 239);" | Description
+
|-
+
| align="center" | 4<br>
+
| NAS-Identifier
+
| align="center" | string<br>
+
| Application Name
+
| Application name of the CDR provider
+
|-
+
| align="center" | 2<br>
+
| Acct-Session-Id
+
| align="center" | integer<br>
+
| Leg Id
+
| Call Leg Identifier
+
|-
+
| align="center" | 21
+
| Telcob-Other-Leg-Id
+
| align="center" | integer<br>
+
| Other Leg Id
+
| Call Leg Identifier of the other call leg joined with current call leg
+
|-
+
| align="center" | 9
+
| Telcob-ChargeIndicator
+
| align="center" | string<br>
+
| Charge indicator
+
| Represent the charge indicator value
+
|-
+
| align="center" | 5<br>
+
| Cisco-NAS-Port
+
| align="center" | string<br>
+
| NAP name
+
| Network Access Point name for the call leg
+
|-
+
| align="center" | 7<br>
+
| Called-Sation-Id
+
| align="center" | string<br>
+
| Called Number
+
| Called party number
+
|-
+
| align="center" | 6<br>
+
| Calling-Station-Id
+
| align="center" | string<br>
+
| Calling Number
+
| Calling party number
+
|-
+
| align="center" | 10<br>
+
| h323-call-type
+
| align="center" | string<br>
+
| Protocol Type
+
| If protocol is SIP the value is "VOIP", otherwise it is "Telephony"
+
|-
+
| align="center" | 17<br>
+
| h323-setup-time
+
| align="center" | string<br>
+
| Start Time
+
| Represent the call leg setup time - Coordinated Universal Time (UTC)
+
|-
+
| align="center" | 8<br>
+
| h323-call-origin
+
| align="center" | string<br>
+
| Originator Name
+
| "answer" for an outgoing leg - "originate" for an incoming leg
+
|-
+
| align="center" | 18<br>
+
| h323-connect-time
+
| align="center" | string<br>
+
| &nbsp; Connected Time
+
| Represent the call leg answer time (connect time) - Coordinated Universal Time (UTC)
+
|-
+
| align="center" | 19<br>
+
| h323-disconnect-time
+
| align="center" | string<br>
+
| &nbsp; EndTime
+
| Represent the call leg disconnect time - Coordinated Universal Time (UTC)
+
|-
+
| align="center" | 3<br>
+
| h323-conf-id
+
| align="center" | integer<br>
+
| &nbsp; Link Id
+
| Unique call Identifier - Link Id formated as xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx (~Linkid ~Linkid&lt;&lt;4 ~Linkid&lt;&lt;12 ~Linkid&lt;&lt;20)
+
|-
+
| align="center" | 1<br>
+
| User-Name
+
| align="center" | string<br>
+
| -
+
| For now this value is hardcoded to "100"
+
|-
+
| align="center" | 30<br>
+
| h323-disconnect-cause
+
| align="center" | string<br>
+
| Termination Reason
+
| Q.931 disconnect (1 to 160) cause, TB Toolpack system cause (200 to 300) and SIP cause (400 to 600)
+
|-
+
| align="center" | 115
+
| release-source
+
| align="center" | string<br>
+
| Termination Source
+
| "localLeg" if this leg terminate the call or "connectedLeg" if its the connected leg - We use a Cisco string field with our own value definition
+
|-
+
| align="center" | 40<br>
+
| Acct-Status-Type
+
| align="center" | integer<br>
+
| -
+
| Start or Stop
+
|}
+
  
=== Known issues with some freeware Radius servers ===
+
== Toolpack to RADIUS CDR attributes remapping ==
 +
When Toolpack sends ''Access-Request'' messages to a RADIUS server, some specific attributes are included in the message. These attributes have been improved through Toolpack releases to better meet accounting services requirements.
  
*There appears to be a limit to the rate and quantity at which RADIUS accepts CDRs. Using a copy of FreeRADIUS on Windows XP Server, we are currently working to determine the maximum rate that RADIUS accepts CDRs for that specific configuration. While it may not be broadly representative—it is an open source solution compared to commercial software solutions—it should provide us with a benchmark or order of magnitude.  
+
==== RADIUS CDR attributes list ====
*Our experience with FreeRADIUS to date has shown that by the time you attain 110 calls/second for a duration of 3 seconds, the buffer in Toolpack is soon overflowed.  
+
*[[Toolpack:RADIUS_CDR_attributes_D|Toolpack v3.0 and higher]]
*Should RADIUS stop accepting CDRs (i.e., after a certain number per second (quantity / frequency)), Toolpack will then begin buffering to a maximum of 250 CDRs; over and above that buffer, Toolpack will drop CDR information
+
*[[Toolpack:RADIUS_CDR_attributes_C|Toolpack v2.7, v2.8, v2.9, v2.10]]
 +
<div class="mw-collapsible mw-collapsed" data-collapsetext="other versions" data-expandtext="Click here for other versions" style="width: 400px;">
 +
*[[Toolpack:RADIUS_CDR_attributes_B|Toolpack v2.6]]
 +
*[[Toolpack:RADIUS_CDR_attributes_A|Toolpack v2.5 and earlier]]
 +
</div>
  
<br>
+
== Dealing with incoherent CDR entries ==
 +
In some situations (during HA switchover for example), some CDR entries may be lost.
  
== References  ==
+
The following guide lines provide information on how to deal with these corner cases:
  
*[http://en.wikipedia.org/wiki/RADIUS Wikipedia article]  
+
[[Call_Detail_Records_Entry_Loss|Deal with CDR entries loss]]
 +
 
 +
== References  ==
 +
*[[Toolpack:Status_Menus:RADIUS_A|Radius status in TMG web portal]]
 +
*[http://en.wikipedia.org/wiki/RADIUS Radius Wikipedia article]
 +
*[http://www.ietf.org/rfc/rfc2866.txt Link to RFC 2866 – Radius Accounting]
 
*[http://www.freeradius.net FreeRADIUS website]
 
*[http://www.freeradius.net FreeRADIUS website]
  
 
[[Category:Glossary]]
 
[[Category:Glossary]]
 +
[[Category:Revise on Major]]

Latest revision as of 10:10, 20 February 2018

Remote Authentication Dial In User Service, more popularly known as RADIUS, is used by telecom service providers for the purpose of authenticating, authorizing, and accounting (AAA) for the use of services by subscribers. A RADIUS server is an application server that provides this functionality. It can take as input as well as output Call detail record (CDR) data.


Contents

TelcoBridges and RADIUS

Starting with release v2.3 of Toolpack, explicit support for the accounting function of RADIUS is now offered. Previously, Toolpack stored Call detail record (CDR) data in a local database. Starting with Toolpack v2.3, CDR data is stored on a dedicated, external server running an implementation of the RADIUS standard. Configuration of the location of the RADIUS server is performed through the Toolpack web portal.

Starting with release v2.6 of Toolpack, multiple RADIUS servers can now be configured for backup purposes.

Starting with release v2.7 of Toolpack, calls can now be validated through a RADIUS server with authentication and authorization. The RADIUS server may also change routing parameters for calls.

Radius High-level drawing v2.jpg


Prerequisites

In order to enable RADIUS functionality in Toolpack, you must have a RADIUS server already up and running. It is highly recommended that the RADIUS server software being running on a separate machine from the one running the Toolpack software. Before configuring Toolpack, you will need the IP address of the RADIUS server(s). You will need to specify a ‘secret key’ which will authenticate the Toolpack server so that it can send accounting, authentication and authorization data and to the RADIUS server and the RADIUS server will accept it.


Configuration

Accounting

Authorization/Authentication

Authorization

If a Radius authorization server is configured, the call authorization is done externally (using the Radius protocol). The acceptance or refusal of the call is then returned into a routing script for further processing. Refer to Radius authorization for more details.

RADIUS Redundancy and Association

Toolpack to RADIUS CDR attributes remapping

When Toolpack sends Access-Request messages to a RADIUS server, some specific attributes are included in the message. These attributes have been improved through Toolpack releases to better meet accounting services requirements.

RADIUS CDR attributes list

Dealing with incoherent CDR entries

In some situations (during HA switchover for example), some CDR entries may be lost.

The following guide lines provide information on how to deal with these corner cases:

Deal with CDR entries loss

References

Personal tools