QTECH SmartEdge 600 User Manual

Configuring Authentication, Authorization, and Accounting
SYSTEM ADMINISTRATOR GUIDE
61/1543-CRA 119 1170/1 Uen L
Copyright
© Ericsson AB 2010-2012. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.
Trademark List
SmartEdge is a registered trademark of Telefonaktiebolaget LM Ericsson.
61/1543-CRA 119 1170/1 Uen L | 2012-12-04
Contents
1 Overview
1.1 Authentication
1.2 Authorization and Reauthorization
1.3 Accounting
1.4 AAA Route Download Overview
2 Configuration and Operations
2.1 Configuring Global AAA
2.2 Configuring Authentication
2.3 Configuring Authorization and Reauthorization
2.4 Configuring Accounting
2.5 Performing Operation Tasks
2.6 Configuring AAA Route Download
3 Configuration Examples
3.1 Configuring Administrator Authentication
3.2 Configuring Administrator Accounting
3.3 Defining the Administrator Structured Username
3.4 Authenticating Subscribers
3.5 Reauthorizing Subscribers
1 Overview
This document applies to both the Ericsson SmartEdge® and SM family routers. However, the software that applies to the SM family of systems is a subset of the SmartEdge OS; some of the functionality described in this document may not apply to SM family routers.
For information specific to the SM family chassis, including line cards, refer to the SM family chassis documentation.
For specific information about the differences between the SmartEdge and SM family routers, refer to the Technical Product Description SM Family of Systems (part number 5/221 02-CRA 119 1170/1) in the Product Overview folder of this Customer Product Information library.
This document provides an overview of the authentication, authorization, and accounting (AAA) features of the Ericsson SmartEdge and SM family routers and describes the tasks used to configure, monitor, and administer AAA. This document also provides AAA configuration examples.
Note: In the following sections, the term controller card refers to the Cross-Connect Route Processor (XCRP4) Controller card. The term controller carrier card refers to the controller functions on the carrier card in the SmartEdge 100 chassis.
1.1 Authentication
The following sections describe the authentication features for administrators and subscribers.
1.1.1 Administrators
By default, administrators are authenticated against the local router configuration. You can also authenticate administrators against database records on a RADIUS server, on a Terminal Access Controller Access Control System Plus (TACACS+) server, or on both, queried sequentially.
You must configure the IP address of a reachable RADIUS or TACACS+ server (or both) in the context in which the administrator is configured. You can also set a maximum number of administrator sessions that can be simultaneously active in each context. For information about RADIUS and TACACS+, see Configuring RADIUS and Configuring TACACS+, respectively.
1.1.2 Subscribers
Authentication of Point-to-Point Protocol (PPP) subscribers supports IPv4, IPv6, and dual-stack subscribers; dual-stack subscribers run both IPv4 and IPv6. For information on IPv6 subscribers, refer to Configuring IPv6 Subscriber Services. An authentication request does not indicate whether a session is single-stack or dual-stack; the authentication response does.
An IPv6 subscriber must be authorized through AAA before PPP negotiates IPv6 connectivity and Neighbor Discovery (ND) processes packets. If a protocol is not authorized, PPP does not negotiate that protocol with the client, even when the client initiates the negotiation.
1.1.2.1 Authentication Options
By default, the subscriber is authenticated against the local operating system configuration. You can also authenticate subscribers against database records on a RADIUS server.
When the IP address or hostname of the RADIUS server is configured in the local context, global RADIUS authentication is performed: subscribers configured in a nonlocal context are still authenticated through the RADIUS server configured in the local context. With global RADIUS authentication, the RADIUS server returns the Context-Name vendor-specific attribute (VSA), which names the context to which the subscriber is bound.
When the IP address or hostname of the RADIUS server is configured in a context other than the local context, context-specific RADIUS authentication is performed: only subscribers bound to the context in which the RADIUS server is configured are authenticated through that server.
You can also configure the router to authenticate first through the RADIUS server configured in the nonlocal context, then through the RADIUS server configured in the local context if the first server is unavailable, and finally to fall back to the router's local configuration if neither server is available.
AAA includes the following Layer 2 Tunneling Protocol (L2TP) attribute-value pairs (AVPs), RADIUS standard attributes, and vendor-specific attributes (VSAs) provided by Ericsson in RADIUS Access-Request messages for L2TP network server (LNS) subscribers that are authenticated using RADIUS:
Tunnel-Client-Endpoint (66)
Tunnel-Server-Endpoint (67)
Acct-Tunnel-Connection (68)
Tunnel-Assignment-ID (82)
Tunnel-Client-Auth-ID (90)
Tunnel-Server-Auth-ID (91)
Tunnel-Function (VSA 18)
Tx-Connect-Speed (L2TP AVP 24)
Rx-Connect-Speed (L2TP AVP 38)
If you have IPv6 PPP subscriber sessions, the following standard RADIUS attributes and Ericsson VSAs are supported:
NAS-IPv6-Address (95)
Framed-Interface-Id (96)
Framed-IPv6-Prefix (97)
Framed-IPv6-Route (99)
Framed-IPv6-Pool (100)
Delegated-IPv6-Prefix (123)
RB-IPv6-DNS (207)
RB-IPv6-Option (208)
Delegated-Max-Prefix (212)
For more information about RADIUS standard attributes and vendor VSAs provided by Ericsson AB, see RADIUS Attributes. For more information about L2TP AVPs, see Configuring L2TP.
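The following Python model illustrates the rule from section 1.1.2 that the authentication request never says whether a session is single-stack or dual-stack, that the Access-Accept does, and that a protocol the server did not authorize is refused even when the client opens it. It is an added example, not SmartEdge OS code. The mapping from returned attributes to protocol authorization is an assumption made for illustration: IPv4 is treated as authorized when Framed-IP-Address or Framed-IP-Pool is returned, and IPv6 when any of the IPv6 attributes listed above is returned. The last function combines Framed-IPv6-Prefix (97) and Framed-Interface-Id (96) into a host address in the usual RFC 3162 way; the attribute values are constructed.

```python
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Set, Tuple

# Assumed mapping (not stated in the manual): presence of these attributes in
# the Access-Accept is taken as authorization of the corresponding protocol.
IPV4_ATTRS = {"Framed-IP-Address", "Framed-IP-Pool"}
IPV6_ATTRS = {"Framed-Interface-Id", "Framed-IPv6-Prefix", "Framed-IPv6-Route",
              "Framed-IPv6-Pool", "Delegated-IPv6-Prefix", "RB-IPv6-DNS",
              "RB-IPv6-Option", "Delegated-Max-Prefix"}


def authorized_ncps(access_accept: Dict[str, str]) -> Set[str]:
    """Network-control protocols the Access-Accept authorizes."""
    ncps = set()
    if IPV4_ATTRS & access_accept.keys():
        ncps.add("IPCP")
    if IPV6_ATTRS & access_accept.keys():
        ncps.add("IPV6CP")
    return ncps


def stack_type(access_accept: Dict[str, str]) -> str:
    """'ipv4', 'ipv6', 'dual-stack' or 'none'. Only the response carries this."""
    ncps = authorized_ncps(access_accept)
    if ncps == {"IPCP", "IPV6CP"}:
        return "dual-stack"
    if ncps == {"IPCP"}:
        return "ipv4"
    if ncps == {"IPV6CP"}:
        return "ipv6"
    return "none"


def negotiate(access_accept: Dict[str, str],
              client_requests: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Split the NCPs a client tries to open into (negotiated, refused).

    An unauthorized protocol is refused even though the client initiated it.
    """
    allowed = authorized_ncps(access_accept)
    return client_requests & allowed, client_requests - allowed


def slaac_address(framed_ipv6_prefix: str, framed_interface_id: str) -> IPv6Address:
    """Combine Framed-IPv6-Prefix (97) with Framed-Interface-Id (96).

    Assumes the RFC 3162 meaning: a /64 prefix and an 8-byte interface
    identifier written like the low half of an IPv6 address.
    """
    net = IPv6Network(framed_ipv6_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("Framed-IPv6-Prefix must be a /64 to combine with an interface id")
    iid = int(IPv6Address("::" + framed_interface_id))
    if iid >= 1 << 64:
        raise ValueError("Framed-Interface-Id must be 64 bits")
    return IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    # Constructed Access-Accept for a dual-stack subscriber.
    accept = {"Framed-IP-Address": "192.0.2.10",
              "Framed-IPv6-Prefix": "2001:db8:1::/64",
              "Framed-Interface-Id": "0200:5eff:fe00:5301"}
    print(stack_type(accept), negotiate(accept, {"IPCP", "IPV6CP"}))
    print(slaac_address(accept["Framed-IPv6-Prefix"], accept["Framed-Interface-Id"]))
```

A client that opens IPV6CP against an Access-Accept carrying only Framed-IP-Pool ends up in the refused set, which is the behaviour the section describes for client-initiated negotiation of an unauthorized protocol.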
1.1.2.2 Maximum Subscriber Sessions
You can set a maximum limit on the number of subscriber sessions that can be simultaneously active in a given context and for all configured contexts.
1.1.2.3 Limited Subscriber Services
You can limit the services provided to subscribers based on traffic volume. Volume can be monitored in the upstream direction, in the downstream direction, in both directions independently, or aggregated across both directions. However, you cannot simultaneously monitor aggregated traffic and either upstream or downstream traffic.
Volume limits are imposed by the RADIUS VSA 113 in Access-Accept and Accounting-Request messages.
AAA supports inbound and outbound traffic counters, as well as an aggregated counter of both incoming and outgoing traffic. If the aggregated counter exceeds the configured aggregated traffic limit, AAA either sends a RADIUS accounting message or tears down the subscriber session, depending on the configured action.
If the RADIUS attribute does not specify the direction to which the limit applies, the downstream direction is assumed. If no limit is included, traffic volume is unlimited in both directions and is not monitored. If a limit of 0 is configured for a direction, traffic is treated as unlimited in that direction and is not monitored.
VSA 113 is also supported in a subscriber reauthorize Access-Accept message.
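The following Python model shows the volume-limit rules of section 1.1.2.3 applied to a subscriber session: a missing direction means downstream, a limit of 0 means unlimited, an aggregated limit cannot be combined with a per-direction limit, and exceeding a limit either sends an accounting message or tears the session down according to the configured action. It is an added example, not SmartEdge OS code. The on-the-wire encoding of VSA 113 is not reproduced; the attribute is assumed to be already decoded into (direction, limit) pairs, and the counter updates are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DIRECTIONS = ("upstream", "downstream", "aggregated")


@dataclass
class VolumeLimits:
    upstream: Optional[int] = None      # bytes; None means unlimited and not monitored
    downstream: Optional[int] = None
    aggregated: Optional[int] = None

    @classmethod
    def from_vsa(cls, decoded: List[Tuple[Optional[str], int]]) -> "VolumeLimits":
        """Build limits from already-decoded VSA 113 (direction, limit) pairs.

        Rules from the manual: a missing direction means downstream, a limit
        of 0 means unlimited in that direction, and an aggregated limit cannot
        be combined with an upstream or downstream limit.
        """
        limits = cls()
        for direction, limit in decoded:
            direction = direction or "downstream"
            if direction not in DIRECTIONS:
                raise ValueError(f"unknown direction {direction!r}")
            setattr(limits, direction, None if limit == 0 else limit)
        per_direction = limits.upstream is not None or limits.downstream is not None
        if limits.aggregated is not None and per_direction:
            raise ValueError("aggregated limit cannot be combined with a per-direction limit")
        return limits


@dataclass
class SubscriberSession:
    name: str
    limits: VolumeLimits
    action: str = "accounting"      # configured action: "accounting" or "teardown"
    upstream_bytes: int = 0         # traffic received from the subscriber
    downstream_bytes: int = 0       # traffic sent to the subscriber
    active: bool = True
    events: List[Tuple[str, str]] = field(default_factory=list)
    _reported: set = field(default_factory=set)   # limits already acted upon

    def account(self, upstream: int = 0, downstream: int = 0) -> List[str]:
        """Add traffic to the counters; return the directions whose limit was just exceeded."""
        if not self.active:
            return []
        self.upstream_bytes += upstream
        self.downstream_bytes += downstream
        counters = {
            "upstream": (self.limits.upstream, self.upstream_bytes),
            "downstream": (self.limits.downstream, self.downstream_bytes),
            "aggregated": (self.limits.aggregated, self.upstream_bytes + self.downstream_bytes),
        }
        exceeded = [d for d, (limit, count) in counters.items()
                    if limit is not None and count > limit and d not in self._reported]
        for direction in exceeded:
            self._reported.add(direction)
            if self.action == "teardown":
                self.active = False
                self.events.append(("Accounting-Request Stop", direction))
            else:
                self.events.append(("Accounting-Request Interim", direction))
        return exceeded


if __name__ == "__main__":
    # Constructed input: VSA 113 decoded as an aggregated limit of 1500 bytes.
    session = SubscriberSession("alice", VolumeLimits.from_vsa([("aggregated", 1500)]),
                                action="teardown")
    print(session.account(upstream=700, downstream=700))   # nothing exceeded yet
    print(session.account(upstream=100, downstream=50), session.active, session.events)
```

Each limit is acted upon once; after a teardown the counters stop changing, and with the accounting action a session keeps running while the interim message is logged.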
1.1.2.4 Binding Order
If a subscriber circuit has been configured with a dynamic binding, using the bind authentication command (in the circuit’s configuration mode), AAA uses subscriber attributes in messages received during subscriber authentication to determine which IPv4 address (and the associated interface) to use when binding the subscriber circuit.
By default, the router considers L2TP attributes before considering RADIUS attributes. You can reverse this order so that the IPv4 address provided in the RADIUS record is used before one provided by L2TP.
1.1.2.5 IP Address Assignment
By default, the router uses a round-robin algorithm to allocate subscriber IPv4 addresses from the IP pool. You can also configure the router to use a first-available algorithm.
AAA typically assigns an IPv4 address to a PPP subscriber from an IP pool after receiving an Access-Accept packet from the RADIUS server. However, you can configure AAA to pre-allocate an IPv4 address from the IP pool and send it in the Framed-IP-Address attribute of the RADIUS Access-Request packet, as a preferred address for the RADIUS server. If there are no unassigned IPv4 addresses in the pool, the authentication request is sent without an IPv4 address.
The RADIUS server may or may not accept the preferred address; Table 1 lists the RADIUS server responses and the corresponding router actions.
Table 1 RADIUS Server Response and Router Actions

RADIUS Server Response: The Framed-IP-Address attribute contains 255.255.255.254 or 0.0.0.0, or is missing.
Corresponding Router Action: The router assigns the preferred IPv4 address.

RADIUS Server Response: The Framed-IP-Address attribute contains a different IPv4 address.
Corresponding Router Action: The router assigns the IPv4 address in the Framed-IP-Address attribute and returns the preferred IPv4 address to its pool.
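The following Python model shows the IP address assignment behaviour of section 1.1.2.5 end to end: a pool with the round-robin and first-available algorithms, pre-allocation of a preferred address into Framed-IP-Address for the Access-Request (omitted when the pool is exhausted), and the Table 1 decision applied to the Access-Accept, including returning the preferred address to the pool when the server chooses a different one. It is an added example, not SmartEdge OS code; the pool contents, the dictionary form of the RADIUS packets and the handling of a server-chosen address that happens to belong to the pool are assumptions made for illustration.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional


class IPPool:
    """Subscriber IPv4 pool with the two allocation algorithms the manual names."""

    def __init__(self, addresses: List[str], algorithm: str = "round-robin"):
        if algorithm not in ("round-robin", "first-available"):
            raise ValueError(f"unknown algorithm {algorithm!r}")
        self.algorithm = algorithm
        self.addresses = [IPv4Address(a) for a in addresses]
        self.in_use: set = set()
        self._cursor = 0    # round-robin: position after the last address handed out

    def allocate(self) -> Optional[IPv4Address]:
        n = len(self.addresses)
        if self.algorithm == "first-available":
            order = range(n)                                   # lowest free address wins
        else:
            order = ((self._cursor + i) % n for i in range(n))  # continue after the last one
        for idx in order:
            addr = self.addresses[idx]
            if addr not in self.in_use:
                self.in_use.add(addr)
                self._cursor = (idx + 1) % n
                return addr
        return None     # pool exhausted

    def release(self, addr: IPv4Address) -> None:
        self.in_use.discard(addr)


# Framed-IP-Address values that Table 1 treats as "no address chosen by the server".
NOT_AN_ADDRESS = {IPv4Address("0.0.0.0"), IPv4Address("255.255.255.254")}


def build_access_request(username: str, pool: IPPool) -> Dict[str, object]:
    """Pre-allocate a preferred address and offer it in Framed-IP-Address.

    If the pool is exhausted, the request goes out without the attribute.
    """
    request: Dict[str, object] = {"User-Name": username}
    preferred = pool.allocate()
    if preferred is not None:
        request["Framed-IP-Address"] = preferred
    return request


def apply_access_accept(request: Dict[str, object], accept: Dict[str, object],
                        pool: IPPool) -> Optional[IPv4Address]:
    """Apply Table 1 and return the address the subscriber is finally given."""
    preferred = request.get("Framed-IP-Address")
    returned = accept.get("Framed-IP-Address")
    if returned is not None:
        returned = IPv4Address(returned)
    if returned is None or returned in NOT_AN_ADDRESS or returned == preferred:
        return preferred            # server accepted (or did not override) the preferred address
    if preferred is not None:
        pool.release(preferred)     # server chose differently: give the preferred address back
    if returned in pool.addresses:
        pool.in_use.add(returned)   # assumption: keep the pool consistent if the server picked a pool address
    return returned


if __name__ == "__main__":
    # Constructed pool and RADIUS exchange.
    pool = IPPool(["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    req = build_access_request("alice", pool)
    print(req, apply_access_accept(req, {"Framed-IP-Address": "255.255.255.254"}, pool))
    req = build_access_request("bob", pool)
    print(req, apply_access_accept(req, {"Framed-IP-Address": "198.51.100.7"}, pool), pool.in_use)
```

Note that the round-robin cursor keeps advancing even when the server overrides the preferred address, so an address returned to the pool is not immediately reoffered to the next subscriber, whereas first-available would hand it out again right away.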
1.2 Authorization and Reauthorization
The following sections describe the authorization and reauthorization features.
1.2.1 CLI Commands Authorization
You can specify that commands with a matching privilege level (or higher) require authorization through TACACS+.
1.2.2 Dynamic Subscriber Reauthorization
When subscribers request new or modified services during active sessions, the requests can be translated into changes that are applied to the active session through dynamic subscriber reauthorization. Reauthorization takes place without PPP renegotiation and without interrupting or dropping the active session.
1.3 Accounting
The following sections describe the accounting features.
1.3.1 CLI Commands Accounting
You can configure the router so that accounting messages are sent to a TACACS+ server whenever an administrator enters commands at the specified privilege level (or higher).
1.3.2 Administrator Accounting
You can configure administrator accounting, which tracks messages for the administrator sessions; the messages are sent to a RADIUS or TACACS+ server.
1.3.3 Subscriber Accounting
You can configure subscriber accounting, which tracks messages for subscriber sessions; the messages are sent to a RADIUS accounting server. Use the aaa accounting subscriber command with the radius keyword to configure subscriber accounting. When the IP address or hostname of the RADIUS accounting server is configured in the router local context, global accounting is performed: although the subscribers are configured in a non-local context, accounting messages for subscriber sessions in that context are sent to the RADIUS accounting server configured in the local context. Global RADIUS subscriber accounting requires global RADIUS subscriber authentication to be configured as well.
Note: Configuring the global keyword with the aaa accounting subscriber command allows you to enable global RADIUS subscriber accounting even without global authentication. For more information, refer to the Command Description document.
When the IP address or hostname of the RADIUS accounting server is configured in a context other than the local context, context-specific accounting is performed; accounting messages are sent only for subscribers bound to the context in which the RADIUS accounting server IP address or hostname is configured.
You can configure two-stage accounting, in which the router sends accounting messages both to a RADIUS accounting server configured in the non-local context and to a RADIUS accounting server configured in the local context. For example, a copy of the accounting data can be sent to both a wholesaler's and an upstream service provider's RADIUS accounting server, so that the end-of-period accounting data can be reconciled and validated by both parties.
You can also specify the error conditions for which the router suppresses the sending of accounting messages to a RADIUS accounting server.
1.3.4 L2TP Accounting
You can configure L2TP accounting that tracks messages for L2TP tunnels or sessions in L2TP tunnels; the messages are sent to a RADIUS accounting server. When the IP address or hostname of the RADIUS accounting server is configured in the router local context, global accounting is performed. When the IP address or hostname of the RADIUS accounting server is configured in a context other than the local context, context-specific accounting is performed. You can also configure two-stage accounting.
The router sends a single Accounting-On message when more than one type of RADIUS accounting is enabled. For example, if you enable both subscriber accounting and L2TP accounting, the router sends only one Accounting-On message to each RADIUS accounting server, even if you enable L2TP accounting later. Similarly, the Accounting-Off message is not sent until you have disabled all types of RADIUS accounting.
Note: Configuring the global keyword with the aaa accounting l2tp session command allows you to enable global RADIUS accounting for sessions in L2TP tunnels even without global authentication. For more information, see the aaa accounting l2tp command.
If a subscriber session cannot be tunneled to a specific L2TP network server (LNS) or to an LNS in a group of L2TP peers, or if the router has received a Link Control Protocol (LCP) termination request from the subscriber before the session establishment is complete, the Acct-Session-Time attribute is set to 0.
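The following Python model ties together three rules from sections 1.3.3 and 1.3.4: two-stage delivery of each accounting message to the RADIUS accounting server in the subscriber's non-local context and then to the one in the local context, a single Accounting-On when the first accounting type is enabled with Accounting-Off only when the last one is disabled, and Acct-Session-Time set to 0 for a session that could not be tunneled to an LNS or was terminated by LCP before establishment completed. It is an added example, not SmartEdge OS code; the server addresses, context names and the dictionary form of the accounting messages are constructed for illustration, and messages are logged rather than transmitted.

```python
from typing import Dict, List, Tuple

Message = Dict[str, object]


class AccountingServers:
    """RADIUS accounting servers: one in the local context and optionally one
    per non-local context. Sent messages are logged instead of transmitted."""

    def __init__(self, local_server: str, context_servers: Dict[str, str],
                 two_stage: bool = True):
        self.local = local_server               # configured in the local context
        self.by_context = context_servers       # context name -> server in that context
        self.two_stage = two_stage
        self.sent: List[Tuple[str, Message]] = []

    def all_servers(self) -> List[str]:
        servers = [self.local]
        for srv in self.by_context.values():
            if srv not in servers:
                servers.append(srv)
        return servers

    def deliver(self, context: str, message: Message) -> List[str]:
        """Return the servers a message for a session bound to `context` goes to."""
        context_srv = self.by_context.get(context)
        if context_srv is None:
            targets = [self.local]                  # global accounting only
        elif self.two_stage:
            targets = [context_srv, self.local]     # non-local context first, then local
        else:
            targets = [context_srv]                 # context-specific accounting only
        for srv in targets:
            self.sent.append((srv, message))
        return targets


class AccountingState:
    TYPES = ("subscriber", "l2tp-session", "l2tp-tunnel")

    def __init__(self, servers: AccountingServers):
        self.servers = servers
        self.enabled: set = set()

    def enable(self, kind: str) -> bool:
        """Enable one accounting type; Accounting-On goes out only for the first."""
        if kind not in self.TYPES:
            raise ValueError(f"unknown accounting type {kind!r}")
        first = not self.enabled
        self.enabled.add(kind)
        if first:
            for srv in self.servers.all_servers():
                self.servers.sent.append((srv, {"Acct-Status-Type": "Accounting-On"}))
        return first

    def disable(self, kind: str) -> bool:
        """Disable one type; Accounting-Off goes out only when none remain enabled."""
        if kind not in self.enabled:
            return False
        self.enabled.discard(kind)
        last = not self.enabled
        if last:
            for srv in self.servers.all_servers():
                self.servers.sent.append((srv, {"Acct-Status-Type": "Accounting-Off"}))
        return last

    def session_stop(self, context: str, session_id: str, seconds: int,
                     tunnel_established: bool = True) -> List[str]:
        """Accounting-Request Stop for a subscriber session.

        A session that was never tunneled to an LNS, or that LCP terminated
        before establishment completed, reports Acct-Session-Time 0.
        """
        stop: Message = {
            "Acct-Status-Type": "Stop",
            "Acct-Session-Id": session_id,
            "Acct-Session-Time": seconds if tunnel_established else 0,
        }
        return self.servers.deliver(context, stop)


if __name__ == "__main__":
    # Constructed topology: wholesaler's server in context "wholesale", upstream provider's in local.
    servers = AccountingServers("10.0.0.1", {"wholesale": "10.0.1.1"})
    state = AccountingState(servers)
    state.enable("subscriber")
    state.enable("l2tp-session")            # no second Accounting-On
    state.session_stop("wholesale", "sess-1", 120)
    state.session_stop("wholesale", "sess-2", 45, tunnel_established=False)
    state.disable("subscriber")             # no Accounting-Off yet
    state.disable("l2tp-session")           # now Accounting-Off
    for server, message in servers.sent:
        print(server, message)
```

Running the block shows two Accounting-On entries at the start, each session Stop delivered to both servers, and a single pair of Accounting-Off entries only after the last accounting type is disabled.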