RADIUS Server Application Blog

This RADIUS server application blog is about RADIUS servers in general and Interlink's RAD-Series RADIUS Server specifically. Our goal here is to discuss how different RADIUS server applications can be extended to build unique, differentiated offerings for Carriers and ISPs.

Thursday, July 12, 2007

Using RADIUS Attributes to Implement Services

Defining RADIUS Attributes using Vendor Specific Attributes (VSAs) for use in policies is a flexible and powerful way for service providers to enhance their services and enterprises to better manage their networks.

Service providers can use their own RADIUS attributes to define multiple levels of service with each at a different price point and each serving a different market segment. Platinum, Gold, and Standard service levels with their associated pricing plans will appeal to different users. By moving past the “one size fits all” approach, new markets can be entered and new profits realized.

Another approach to expand the service provider’s sales reach is to sell services a la carte. RADIUS attributes can be defined for each service component making it possible to enable and sell them independently of each other. RADIUS attributes can be created to access services such as e-mail, priority support areas, special downloads, and to grant toll free access.

In the enterprise, RADIUS attributes can be used to define departments, group memberships, and roles in the organization. For example, only the accounting department should have access to the financial system and only the engineers to the lab environment. Members of the outside sales team are entitled to toll-free remote access while on the road. Only system administrators are permitted access to network administrative consoles.

Our last RADIUS blog entry walked through the steps of defining RADIUS VSAs to define new services. This month we will complete the project by writing the RADIUS policies that give the services their meaning.


What is a Policy?

A policy is a set of business rules concerning access to network resources. This does not have to be a highly technical exercise. It can be as simple as a list of who has access to what resources written in plain English. Because Interlink RADIUS policies are implemented in text-based Decision Files, they are easy to create from a list of business rules, easy to read, and easy to understand at a later time. Much as a computer language is used to implement an algorithm as a computer program, Decision Files are used to implement business rules that are centrally enforced by the Interlink Networks RAD-Series RADIUS Server Advanced Policy Engine.

Implementing Levels of Service for a Service Provider

In our last RADIUS Server blog entry, our fictitious service provider, NewISP, defined a RADIUS Vendor Specific Attribute named Service-Level with three levels of service: Platinum, Gold, and Silver. Having laid that groundwork, NewISP is now ready to establish its service level business rules as a policy managed by the RAD-Series RADIUS Server Advanced Policy Engine.

Step One is to establish the business rules in plain English. NewISP’s product management team has decided upon the following service offerings.

Platinum level gets

  • Internet browsing and email
  • Access to premium services and downloads from the NewISP web site
  • Unlimited length of sessions
  • Access to the NewISP toll free number, 800-555-1000

Gold level gets

  • Internet browsing and email
  • Sessions up to 4 hours

Silver level gets

  • Internet browsing and email
  • Sessions up to 1 hour during business hours (M-F, 8 am – 5 pm)
  • Sessions up to 4 hours during evenings and weekends

The standard Internet and email access is defined with an IP filter named StandardArea. The standard Internet and email access plus the premium service area is defined with an IP filter named PremiumArea.

Step Two is to write the business rules in Decision File format. A Decision File is made up of a series of Groups. Each Group consists of a set of conditions and a set of replies that are returned when all of the conditions are met. Both the conditions and the replies are defined in terms of RADIUS attributes, including Vendor Specific Attributes. The RADIUS Advanced Policy Engine searches the policy until it finds the first Group for which the RADIUS Attribute-Value pairs (AV-pairs) in the request satisfy all of the conditions. The AV-pairs in that Group's Reply section are then added to the RADIUS response for the purpose of configuring the session at the NAS.

NewISP’s business rules now take the following form in a Decision File.

# Platinum accounts are unlimited with access to the
# premium services.
Group Platinum {
    Condition {
        Service-Level = Platinum
    }
    Reply {
        Decision = ACK
        Filter-Id = PremiumArea
    }
}

# Gold accounts get standard services for up to 4 hours.
# Toll free access is restricted.

Group Gold {
    Condition {
        (Service-Level = Gold) &&
        (Called-Station-Id != "800-555-1000")
    }
    Reply {
        Decision = ACK
        Filter-Id = StandardArea
        Session-Timeout = 14400
    }
}

# Silver accounts get standard services for up to 1 hour
# during business hours. Toll free access is restricted.

Group Silver-Primetime {
    Condition {
        (Service-Level = Silver) &&
        (Called-Station-Id != "800-555-1000") &&
        (Day-Of-Week >= Monday) &&
        (Day-Of-Week <= Friday) &&
        (Time-Of-Day >= 8:00) &&
        (Time-Of-Day <= 17:00)
    }
    Reply {
        Decision = ACK
        Filter-Id = StandardArea
        Session-Timeout = 3600
    }
}

# Silver accounts get standard services for up to 4 hours
# during off hours. Toll free access is restricted.

Group Silver-Offtime {
    Condition {
        (Service-Level = Silver) &&
        (Called-Station-Id != "800-555-1000") &&
        ((Day-Of-Week < Monday) || (Day-Of-Week > Friday) ||
         (Time-Of-Day < 8:00) || (Time-Of-Day > 17:00))
    }
    Reply {
        Decision = ACK
        Filter-Id = StandardArea
        Session-Timeout = 14400
    }
}

# Other requests, such as Gold or Silver accounts calling
# the toll-free number, are rejected.

Group Invalid-Use {
    Reply {
        Decision = NAK
        Reply-Message = "Access denied - restricted number"
    }
}
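As an added illustration (not Interlink's engine, its parser, or any code from the original post), the following Python evaluator applies the first-match rule to the NewISP groups above, comparing Day-Of-Week and Time-Of-Day in calendar order. Two details are my assumptions: the week is ordered from Sunday, and an attribute absent from the request never satisfies a condition. It shows why the condition-less Invalid-Use group at the end makes the policy default-deny: a Gold request to the toll-free number fails the Gold condition and falls through to the NAK.

```python
import operator
from datetime import time

# Calendar order for Day-Of-Week comparisons (assumption: week starts on Sunday).
DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
       "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def _key(attr, value):
    """Map an attribute value onto something the comparison operators understand."""
    if attr == "Day-Of-Week":
        return DAYS.index(value)
    if attr == "Time-Of-Day":              # "8:00" -> time(8, 0), so 9:30 <= 17:00 holds
        hour, minute = value.split(":")
        return time(int(hour), int(minute))
    return value                           # everything else compares as a string

def _term(request, attr, op, value):
    # Assumption: an attribute absent from the request never satisfies a condition.
    if attr not in request:
        return False
    return OPS[op](_key(attr, request[attr]), _key(attr, value))

# The Decision File groups, in order. A Condition is an AND of clauses; each clause is an
# OR of (attribute, operator, value) terms, so Silver-Offtime's bracketed OR is one clause.
TOLL_FREE = ("Called-Station-Id", "!=", "800-555-1000")
POLICY = [
    ("Platinum", [[("Service-Level", "=", "Platinum")]],
     {"Decision": "ACK", "Filter-Id": "PremiumArea"}),
    ("Gold", [[("Service-Level", "=", "Gold")], [TOLL_FREE]],
     {"Decision": "ACK", "Filter-Id": "StandardArea", "Session-Timeout": 14400}),
    ("Silver-Primetime", [[("Service-Level", "=", "Silver")], [TOLL_FREE],
                          [("Day-Of-Week", ">=", "Monday")], [("Day-Of-Week", "<=", "Friday")],
                          [("Time-Of-Day", ">=", "8:00")], [("Time-Of-Day", "<=", "17:00")]],
     {"Decision": "ACK", "Filter-Id": "StandardArea", "Session-Timeout": 3600}),
    ("Silver-Offtime", [[("Service-Level", "=", "Silver")], [TOLL_FREE],
                        [("Day-Of-Week", "<", "Monday"), ("Day-Of-Week", ">", "Friday"),
                         ("Time-Of-Day", "<", "8:00"), ("Time-Of-Day", ">", "17:00")]],
     {"Decision": "ACK", "Filter-Id": "StandardArea", "Session-Timeout": 14400}),
    # No Condition block: catches everything that fell through, so the policy is default-deny.
    ("Invalid-Use", [],
     {"Decision": "NAK", "Reply-Message": "Access denied - restricted number"}),
]

def evaluate(request, policy=POLICY):
    """Return (group name, reply AV-pairs) for the first group whose conditions all hold."""
    for name, clauses, reply in policy:
        if all(any(_term(request, *term) for term in clause) for clause in clauses):
            return name, reply
    return None, {}
```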

Step Three is to plug the Decision File into the RADIUS Authentication and Authorization process by creating a pointer to it in the Finite State Machine table, radius.fsm. The pointer is the optional Xstring parameter used in conjunction with the POLICY action. NewISP has saved its policy in a Decision File named service-level. The FSM table would be changed to include:

Chkdny:
*.*.ACK POLICY AUTHwait Xstring=decisionfile:service-level
*.*.NAK REPLY Hold

NewISP now has its levels of service in place. The Decision File format gives the best of all worlds. It is read by the RADIUS Advanced Policy Engine and cached in memory, where it delivers high-speed, scalable performance. The text-based Decision File also documents the policy in a form that is easy to review and understand. Because the policy is managed centrally, it is easy to update as the company's requirements and business rules change. Only the one Decision File needs to be modified and then reloaded by the RADIUS Server in order to change products and policies throughout the entire network.
