
List:       freeradius-users
Subject:    [OT] RADIUS network architecture with Cisco SSG prepaid
From:       <mms-fr () gazeta ! pl>
Date:       2004-09-30 12:02:11
Message-ID: 1096545731528.ew12.mms-fr () gazeta ! pl

Hello,

this topic may be somewhat OT, but I assume that some of you are
familiar with Cisco's SSG feature and maybe could help me and answer
some key questions. We are preparing a network configuration whose
core is based on FreeRADIUS (1.0) and a Cisco 2651 router (IOS
12.3(8)). Our main functionality is to serve prepaid services.

I configured the router to send service authorization
requests (quota requests) to a different RADIUS server. Because we
don't want to put too much business logic into FreeRADIUS, we are
preparing to develop our own RADIUS functionality for the billing server
(receiving service authorization requests and sending back answers
with the quota that is allowed for the requested user and requested
service). I think this is a good idea - if not, please correct me.

As I found in the SSG logging information, SSG first sends an
authentication request to authenticate the user with its IP as
username, and the globally configured password, to our RADIUS server
(FreeRADIUS 1.0). FreeRADIUS responds with an Access-Accept and
some VSA attributes that define which services the user should be
subscribed to. At the beginning SSG has no service definition, so it
downloads it from our FreeRADIUS. The service profile contains a "Z" value
in the Service-Info VSA, which means that it should be authorized for
the requesting user.

In the next step, SSG tries to authorize the service for this user. This
request is sent to another host (at the moment it is dumb and no process is
listening on the socket, so I'm prepared that no response will be
sent :-) but I'm only looking at the debug information). One thing is
not clear in the packet that SSG sends to this host. It contains the name of the
service, the accounting session id, and a few other attributes but no
User-Name attribute. It isn't necessary to have this User-Name
because we can compute it from the accounting session id, but this is
strange to me. If it is normal, please correct me.

This is part of my SSG configuration:

! AAA prepaid group definition

aaa group server radius group-prepaid
 server 172.16.0.2 auth-port 1812 acct-port 1813

aaa authorization network ssg_sg_prepaid_author_internal group noc-prepaid

! turning on group-prepaid for SSG prepaid
ssg aaa group prepaid group-prepaid

! RADIUS definition
radius-server attribute 44 include-in-access-req
radius-server attribute 55 include-in-acct-req
radius-server host 172.16.0.2 auth-port 1812 acct-port 1813 key mysecret
radius-server vsa send accounting
radius-server vsa send authentication




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
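As an added illustration (not code from the list, from Cisco or from the FreeRADIUS project), here is a minimal stdlib-only Python sketch of the billing-server side the post describes: decode the service-authorization Access-Request, key the quota lookup on Acct-Session-Id plus service name (no User-Name, as observed in the debug output), and answer with an Access-Accept whose Response Authenticator is computed as RFC 2865 requires, so the SSG will accept the reply. The Cisco SSG VSA sub-types (Service-Info 251, Control-Info 253), the "N<service>" and "QV<bytes>" encodings, and the quota lookup callback are assumptions to verify against the IOS release and the RADIUS dictionary in use.

```python
import hashlib, struct
CISCO_VENDOR_ID = 9                       # IANA enterprise number for Cisco
VENDOR_SPECIFIC, ACCT_SESSION_ID = 26, 44  # standard RADIUS attribute types
# SSG VSA sub-types and the "N<service>" / "QV<bytes>" encodings are assumptions
# here; check them against the IOS release and the RADIUS dictionary in use.
SERVICE_INFO, CONTROL_INFO = 251, 253

def parse_attrs(data):
    """Return [(type, vendor_id, vendor_type, value)] for a RADIUS attribute list."""
    out, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        value = data[i + 2:i + length]
        if t == VENDOR_SPECIFIC:          # RFC 2865 5.26: vendor-id, vtype, vlen, vvalue
            vid = struct.unpack("!I", value[:4])[0]
            out.append((t, vid, value[4], value[6:4 + value[5]]))
        else:
            out.append((t, None, None, value))
        i += length
    return out

def attr(t, value):
    return bytes([t, 2 + len(value)]) + value
def cisco_vsa(vtype, text):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + bytes([vtype, 2 + len(text)]) + text)
def build_request(ident, req_auth, attrs):
    """Access-Request (code 1) with a 16-byte Request Authenticator, as SSG sends it."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + req_auth + body
def respond(request, secret, attrs, code=2):
    """Reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret), RFC 2865."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(request, response, secret):
    """What SSG does on receipt: recompute the Response Authenticator and compare."""
    return response[4:20] == hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()

def handle_service_authorization(request, secret, quota_bytes_for):
    """Key the quota lookup on Acct-Session-Id + service name: no User-Name is present."""
    attrs = parse_attrs(request[20:])
    session = next((v for t, _, _, v in attrs if t == ACCT_SESSION_ID), None)
    service = next((v[1:] for t, vid, vt, v in attrs if t == VENDOR_SPECIFIC
                    and vid == CISCO_VENDOR_ID and vt == SERVICE_INFO and v[:1] == b"N"), None)
    quota = quota_bytes_for(session.decode(), service.decode()) if session and service else 0
    if quota <= 0:                        # unknown session/service or balance exhausted
        return respond(request, secret, [], code=3)   # Access-Reject
    return respond(request, secret, [cisco_vsa(CONTROL_INFO, b"QV%d" % quota)])
```

A constructed request carrying Acct-Session-Id "00000042" and Service-Info "Ninternet" yields an Access-Accept with Control-Info "QV1048576" when the lookup grants 1 MiB; a request missing the service name is rejected.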