Manual Chapter : Performing Radius Authentication and Accounting

Applies To:


BIG-IP PEM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Overview: Performing RADIUS authentication and accounting

In Policy Enforcement Manager™ (PEM™), the RADIUS client can initiate RADIUS authentication for a subscriber. You configure the virtual servers that request authentication for subscribers discovered through DHCPv4 and DHCPv6. Authentication can also be triggered when a subscriber is discovered by other means, such as receiving RADIUS accounting messages. Acting as a RADIUS client, PEM can also generate accounting messages, which lets you track subscriber usage.

RADIUS authentication is initiated when PEM receives messages showing that a subscriber is attempting to connect to the network. Either of two events can trigger it:

  • The start of a DHCP exchange, showing that the subscriber is attempting to obtain an IP address (fixed-line deployments).
  • A RADIUS Accounting-Start message, indicating that the subscriber has passed the initial access phase but still needs to be authenticated.

Task summary

Creating a RADIUS AAA profile for policy enforcement

Create a RADIUS AAA profile, which holds the shared secret of the RADIUS server, the password, the transaction timeout, and the retransmission timeout that PEM uses when it authenticates against the RADIUS server.

  1. On the Main tab, click Local Traffic > Profiles > Policy Enforcement > RADIUS AAA.
  2. Click Create.
    The New Radius Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the Description field, type a descriptive text that identifies the profile.
  5. From the Parent Profile list, select the default radiusaaa profile.
  6. Select the Custom check box.
  7. For the Secret setting, select the Custom check box to enable this option, then type the shared secret of the RADIUS server used for authentication. Use a long, random secret: in RADIUS the shared secret is all that hides the User-Password attribute and authenticates server replies, and a weak secret can be recovered offline from captured traffic.
  8. For the Password setting, select the Custom check box to enable this option. Type the password of the RADIUS AAA profile for RADIUS server authentication.
  9. For the Transaction Timeout setting, select the Custom check box to enable this option. Type the number of seconds to wait for the RADIUS server to respond before the transaction times out.
  10. For the Retransmission Timeout setting, select the Custom check box to enable this option. Type the number of seconds to wait before resending authentication or accounting messages to the RADIUS server.

You can then select the RADIUS AAA profile that you created when you create a virtual server (Local Traffic > Virtual Servers > Virtual Server List > New Virtual Server), depending on the IP address type of the virtual server.

Creating a listener for RADIUS AAA Virtual

You can create new RADIUS AAA virtuals to authenticate subscribers or to send accounting information about them to the RADIUS server.
  1. On the Main tab, click Policy Enforcement > Listeners.
    The Listeners screen opens.
  2. From the Authentication Virtuals area, click Add.
    The New RADIUS AAA Virtual screen opens.
  3. In the Name field, type a unique name for the RADIUS AAA virtual.
  4. In the Description field, type a description of the listener.
  5. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want the virtual server to accept traffic from the Available list to the Selected list.
  6. From the Mode list, select Authentication or Accounting to specify the type of RADIUS virtual you are creating.
  7. For the Secret setting, select the Custom check box to enable this option. Type the shared secret of the RADIUS server used for authentication or accounting.
  8. For the Password setting, select the Custom check box to enable this option. Type the password of the RADIUS AAA profile for RADIUS server authentication.
  9. For the Pool Member Configuration setting, add the RADIUS servers that are to be members of the pool. Type the Member IP Address and Port number, then click Add.
    The standard RADIUS ports are UDP 1812 for authentication and UDP 1813 for accounting; the port you enter must match the one the RADIUS server listens on for the selected Mode.
  10. Click Finished.
    The Policy Enforcement Manager creates a RADIUS AAA virtual server and displays it in the Authentication Virtuals list.
When you create a RADIUS AAA virtual for a subscriber, the Policy Enforcement Manager™ initiates RADIUS authentication or sends accounting information for that subscriber. A RADIUS AAA profile is also created and assigned to the virtual server automatically.
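The following Python example is added here to make concrete what the shared secret, password and ports configured above are used for on the wire, and what the overview means by PEM acting as a RADIUS client; it is not PEM or F5 code. A client builds an Access-Request whose User-Password attribute is hidden under the shared secret, a server holding the same secret answers Access-Accept, the client verifies the Response Authenticator before trusting the reply, and an Accounting-Request Start is built with the RFC 2866 Request Authenticator. The secret, subscriber credentials, session ID and NAS address are constructed values, and packets are passed as byte strings rather than sent over UDP 1812/1813.

```python
"""Worked RADIUS client/server exchange (RFC 2865 authentication, RFC 2866 accounting).

Constructed example: the shared secret, subscriber credentials and NAS address are
made up, and packets are handed over as byte strings instead of UDP datagrams.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST = 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_START = 40, 44, 1


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length includes the 2-byte header, so values are <= 253 bytes."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block).
    This is the only confidentiality RADIUS offers and it rests entirely on the secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def access_request(ident, secret, username, password, nas_ip):
    """Client side. The Request Authenticator must be unpredictable: it keys the password hiding."""
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, req_auth)),
                         (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def server_handle_access(packet, secret, user_db):
    """Server side: recover the password with its own copy of the secret, then Accept or Reject."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if user_db.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, req_auth, b"", secret)


def client_verify_response(response, req_auth, secret):
    """Client side: a reply whose Response Authenticator does not verify is discarded, so a spoofed
    Access-Accept from someone without the secret is ignored. Returns the packet code or None."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, req_auth, response[20:length], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


def accounting_request(ident, secret, attrs):
    """RFC 2866 3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    """Server-side check of an Accounting-Request; fails whenever the two sides' secrets differ."""
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(hashlib.md5(header + b"\x00" * 16 + body + secret).digest(), req_auth)


def demo(secret=b"example-shared-secret", other_secret=b"guess"):
    """Authenticate one subscriber, show what a secret mismatch does, then build Accounting Start."""
    user_db = {b"subscriber01": b"s3cret!pass"}  # constructed credential store
    request, req_auth = access_request(7, secret, b"subscriber01", b"s3cret!pass", "10.0.0.2")
    accepted = client_verify_response(server_handle_access(request, secret, user_db), req_auth, secret)
    # A server holding a different secret decodes the password to garbage (Reject) and signs the
    # reply with the wrong key, so the client cannot validate that reply either.
    mismatched = client_verify_response(server_handle_access(request, other_secret, user_db), req_auth, secret)
    start = accounting_request(8, secret, [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
                                           (ACCT_SESSION_ID, b"0000a1b2"), (USER_NAME, b"subscriber01")])
    return accepted, mismatched, start


if __name__ == "__main__":
    accepted, mismatched, start = demo()
    print(accepted == ACCESS_ACCEPT, mismatched, verify_accounting_request(start, b"example-shared-secret"))
```

Running demo() shows the symptom of a secret mismatch between the RADIUS AAA profile and the server: the server returns Access-Reject for a correct password, and the client discards the reply because its Response Authenticator does not verify. That is the first thing to check when authentication stops working after a profile or pool member change.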

Creating policy rule for RADIUS accounting reports

Policy Enforcement Manager™ (PEM™) allows you to specify a RADIUS internal virtual server as a reporting destination. When a RADIUS destination is selected, the reporting thresholds are optional.
Note: Only one reporting destination can be specified in a given rule.
  1. On the Main tab, click Policy Enforcement > Policies.
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click Add.
    The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence of the rule relative to the other rules. The lower the number, the higher the precedence; 1 is the highest. Rules with higher precedence are evaluated before rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect only when rules conflict, that is, when traffic matches two rules whose policy actions differ. For example, if rule 1 has precedence 10 and Gate Status disabled for a search engine, and rule 2 has precedence 11 and Gate Status enabled, rule 1 is processed first because it has higher precedence. Rules can conflict only if they have identical or overlapping classification criteria, so that some traffic matches more than one rule. In some cases, different policy actions do not conflict and are applied in parallel.
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
  7. From the Usage Reporting list, select Enabled.
  8. From the Report Granularity list, select one of the reporting granularity options:
     Session: logs details about subscribers and application sessions.
     Flow: more granular reporting of every TCP connection.
     Transaction: more granular reporting of every HTTP transaction.
  9. If you select Session or Flow, in the Volume Threshold setting, specify, in octets, the traffic volume at which a RADIUS reporting record is sent. Separate thresholds can be set for uplink traffic, downlink traffic, and total traffic volume.
  10. If you select Transaction, in the Additional HTTP Information setting, specify the number of bytes of the HTTP Hostname, HTTP User Agent, and HTTP URI to include in each record.
  11. From the Destination list, select RADIUS Accounting.
  12. From the RADIUS AAA Virtual list, select the RADIUS AAA virtual that you created earlier.
  13. Click Finished.
You have created a RADIUS internal virtual server as a reporting destination.
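To show how the Report Granularity and Volume Threshold settings above interact, here is an added Python example (not PEM code) that accumulates uplink and downlink octets either per subscriber session or per flow, emits a record whenever any configured threshold is reached, and reports leftover usage when the session ends. The traffic samples, the 5-tuple flow keys, the record layout, and the assumption that counters restart after each record are all constructed for illustration; the page does not describe PEM's exact record contents or reset behaviour.

```python
"""Volume-threshold usage reporting at Session and Flow granularity.

Constructed example, not product code: samples, flow keys and the counter-reset rule
are assumptions made for illustration.
"""
from collections import defaultdict

# Constructed samples: each entry is one batch of packets observed for a subscriber's flow.
SAMPLES = [
    {"subscriber": "sub-A", "flow": ("10.1.1.5", 50001, "93.184.216.34", 443), "uplink": 600, "downlink": 4000},
    {"subscriber": "sub-A", "flow": ("10.1.1.5", 50002, "93.184.216.34", 80), "uplink": 500, "downlink": 3000},
    {"subscriber": "sub-B", "flow": ("10.1.1.6", 40000, "198.51.100.9", 443), "uplink": 200, "downlink": 1500},
    {"subscriber": "sub-A", "flow": ("10.1.1.5", 50001, "93.184.216.34", 443), "uplink": 100, "downlink": 2500},
]


class VolumeReporter:
    """Accumulates octets per session or per flow and emits a record when a threshold is reached.
    A threshold of 0 means 'not configured', matching the page's note that thresholds are optional."""

    def __init__(self, granularity, uplink=0, downlink=0, total=0):
        if granularity not in ("session", "flow"):
            raise ValueError("granularity must be 'session' or 'flow'")
        self.granularity = granularity
        self.thresholds = {"uplink": uplink, "downlink": downlink, "total": total}
        self.counters = defaultdict(lambda: {"uplink": 0, "downlink": 0})

    def key(self, sample):
        # Session granularity aggregates every flow of a subscriber; Flow keeps each connection apart.
        return sample["subscriber"] if self.granularity == "session" else (sample["subscriber"], sample["flow"])

    def observe(self, sample):
        """Add one sample; return a reporting record if a threshold was crossed, else None."""
        key = self.key(sample)
        counter = self.counters[key]
        counter["uplink"] += sample["uplink"]
        counter["downlink"] += sample["downlink"]
        values = {**counter, "total": counter["uplink"] + counter["downlink"]}
        crossed = [name for name, limit in self.thresholds.items() if limit and values[name] >= limit]
        if not crossed:
            return None
        self.counters[key] = {"uplink": 0, "downlink": 0}  # assumption: usage restarts after a record
        return {"key": key, "trigger": crossed, **values}

    def session_end(self, subscriber):
        """Accounting Stop: report whatever is left for the subscriber, threshold or not."""
        records = []
        owned = [k for k in self.counters if (k if self.granularity == "session" else k[0]) == subscriber]
        for key in owned:
            counter = self.counters.pop(key)
            if counter["uplink"] or counter["downlink"]:
                records.append({"key": key, "trigger": ["stop"], **counter,
                                "total": counter["uplink"] + counter["downlink"]})
        return records


def run(granularity, **thresholds):
    """Feed the constructed samples through one reporter and end sub-A's session; return the records."""
    reporter = VolumeReporter(granularity, **thresholds)
    records = [r for r in (reporter.observe(s) for s in SAMPLES) if r]
    return records + reporter.session_end("sub-A")


if __name__ == "__main__":
    for record in run("session", uplink=1000, total=10000) + run("flow", downlink=5000):
        print(record)
```

With the same samples, Session granularity with an uplink threshold of 1000 produces one record for sub-A as soon as its second flow pushes the aggregate over the limit, whereas Flow granularity only reports a single connection once that connection alone crosses a threshold; the remaining usage surfaces in the stop record either way.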