Manual Chapter : Performing Radius Authentication and Accounting

Applies To:

Show Versions Show Versions

BIG-IP PEM

  • 15.0.1, 15.0.0, 14.1.0
Manual Chapter

Performing Radius Authentication and Accounting

Overview: Performing RADIUS authentication and accounting

In Policy Enforcement Manager, the RADIUS client has the ability to initiate RADIUS authentication for a subscriber. You can configure the virtual servers that are used to request for authentication of DHCPv4 and DHCPv6 discovered subscribers. The subscriber authentication may be triggered by subscriber discovery based on other means, such as obtaining RADIUS accounting messages. The ability to generate accounting messages helps to track subscriber usage as a RADIUS client.
RADIUS authentication is initiated when PEM receives messages, showing that the subscribers are attempting to connect to the network. The two factors of initiation are:
  • The start of DHCP exchange showing that the subscriber attempts to obtain an IP address (fixed line deployments).
  • When the RADIUS accounting start message indicates that the subscriber has passed through the initial phase of access but still needs authentication.

Task summary

Creating a RADIUS AAA profile for policy enforcement

Create a RADIUS profile, which contains the shared secret of the RADIUS server, the transaction timeout, password, and retransmission timeout details, for configuring the RADIUS authentication profile settings.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Policy Enforcement
    RADIUS AAA
    .
  2. Click
    Create
    .
    The New Radius Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. In the
    Description
    field, type a descriptive text that identifies the profile.
  5. From the
    Parent Profile
    list, select the default
    radiusaaa
    profile.
  6. Select the
    Custom
    check box.
  7. For the
    Secret
    setting, select the
    Custom
    check box to enable this option. Type the shared secret of the RADIUS server used for authentication.
  8. For the
    Password
    setting, select the
    Custom
    check box to enable this option. Type the password of the RADIUS AAA profile for RADIUS server authentication.
  9. For the
    Transaction Timeout
    setting, select the
    Custom
    check box to enable this option. Type the number, in seconds, of the time taken for server to respond.
  10. For the
    Retransmission Timeout
    setting, select the
    Custom
    check box to enable this option. Type the number of seconds to wait before resending authentication or accounting messages to the RADIUS server.
The RADIUS profile that you created can be chosen from the RADIUS profile in
Local Traffic
Virtual Servers
Virtual Server List
New Virtual Server
, depending on the virtual server IP address type.

Creating a listener for RADIUS AAA Virtual

You can create new RADIUS AAA virtuals to authenticate or send accounting information about the subscriber to the RADIUS server.
  1. On the Main tab, click
    Subscriber Management
    Control Plane Listeners
    .
    The Control Plane Listeners screen opens.
  2. From the AAA Virtuals area, click
    Add
    .
    The New RADIUS AAA Virtual screen opens.
  3. In the
    Name
    field, type a unique name for the RADIUS AAA virtual.
  4. In the
    Description
    field, type a description of the listener.
  5. From the
    VLAN and Tunnel Traffic
    list, select
    Enabled on
    . Then, for the
    VLANs and Tunnels
    setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the
    Available
    list to the
    Selected
    list.
  6. From the
    Mode
    list, select the
    Authentication
    or
    Accounting
    to specify the type of RADIUS virtual you are creating.
  7. For the
    Secret
    setting, select the
    Custom
    check box to enable this option. Type the shared secret of the RADIUS server used for authentication or accounting.
  8. For the
    Password
    setting, select the
    Custom
    check box to enable this option. Type the password of the RADIUS AAA profile for RADIUS server authentication.
  9. For the
    Pool Member Configuration
    setting, add the RADIUS AAA virtual servers that are to be members of the pool. Type the
    Member IP Address
    and
    Port
    number, then click
    Add
    .
    You can use port 1812 for RADIUS authentication and port 1813 for RADIUS accounting.
  10. Click
    Finished
    .
    The Policy Enforcement Manager creates a RADIUS AAA virtual server, and displays in the authentication virtuals list.
When you create a RADIUS AAA virtual for a subscriber, the Policy Enforcement Manager initiates RADIUS authentication or sends accounting information, for that subscriber. A RADIUS AAA profile is also created and is assigned to the virtual server automatically.

Creating policy rule for RADIUS accounting reports

Policy Enforcement Manager (PEM) allows you to specify a RADIUS internal virtual server as a reporting destination. The reporting thresholds are optional if RADIUS destination is selected.
Only one reporting destination can be specified in a given rule.
  1. On the Main tab, click
    Policy Enforcement
    Policies
    .
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click
    Add
    .
    The New Rule screen opens.
  4. In the
    Name
    field, type a name for the rule.
  5. In the
    Precedence
    field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and
    Gate Status
    disabled for a search engine, and you have rule 2 with precedence 11 and
    Gate Status
    enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence, applied in parallel.
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
  7. From the
    Usage Reporting
    list, select
    Enabled
    .
  8. From the
    Report Granularity
    list, select from one the the granular reporting options:
    Option
    Description
    Session
    Select
    Session
    to log details about subscribers and application sessions.
    Flow
    Select
    Flow
    , for more granular reporting of every TCP connection.
    Transaction
    select
    Transaction
    , for more granular reporting of every HTTP transaction.
  9. If you select
    Session
    or
    Flow
    , in the
    Volume Threshold
    setting, specify in octets, the threshold to send RADIUS reporting records. You can send reporting data from uplink traffic, to downlink traffic and the total traffic volume before logging the information.
  10. If you select
    Transaction
    , in the
    Additional HTTP Information
    setting, specify in bytes, the HTTP
    Hostname
    , the HTTP
    User Agent
    and the HTTP
    URI
    .
  11. In the
    Destination
    setting, Select the
    RADIUS Accounting
    option from the destination.
  12. From the
    RADIUS AAA Virtual
    list, select the RADIUS AAA virtual that you created earlier.
  13. Click
    Finished
    .
You have created a RADIUS internal virtual server as a reporting destination.