RADIUS Server Application Blog

This RADIUS server application blog is about RADIUS servers in general and Interlink's RAD-Series RADIUS Server specifically. Our goal here is to discuss how different RADIUS server applications can be extended to build unique, differentiated offerings for Carriers and ISPs.

Tuesday, January 1, 2008

Using RADIUS Attributes to Implement Services in the RADIUS Server

A policy is a set of business rules concerning access to network resources. It can be as simple as a list of who has access to what resources written in plain English. Because Interlink RADIUS server policies are implemented in text-based Decision Files, they are easy to create from a list of business rules, easy to read, and easy to understand at a later time.


Much like a computer language is used to implement an algorithm as a computer program, RADIUS Server Decision Files are used to implement business rules that are centrally enforced by the RAD-Series RADIUS Server Advanced Policy Engine.


Thursday, July 12, 2007

Using RADIUS Attributes to Implement Services

Defining RADIUS Attributes using Vendor Specific Attributes (VSAs) for use in policies is a flexible and powerful way for service providers to enhance their services and enterprises to better manage their networks.

Service providers can use their own RADIUS attributes to define multiple levels of service with each at a different price point and each serving a different market segment. Platinum, Gold, and Standard service levels with their associated pricing plans will appeal to different users. By moving past the “one size fits all” approach, new markets can be entered and new profits realized.

Another approach to expand the service provider’s sales reach is to sell services a la carte. RADIUS attributes can be defined for each service component making it possible to enable and sell them independently of each other. RADIUS attributes can be created to access services such as e-mail, priority support areas, special downloads, and to grant toll free access.

In the enterprise, RADIUS attributes can be used to define departments, group memberships, and roles in the organization. For example, only the accounting department should have access to the financial system and only the engineers to the lab environment. Members of the outside sales team are entitled to toll-free remote access while on the road. Only system administrators are permitted access to network administrative consoles.

Our last RADIUS blog entry walked through the steps of defining RADIUS VSAs to define new services. This month we will complete the project by writing the RADIUS policies that give the services their meaning.


What is a Policy?

A policy is a set of business rules concerning access to network resources. This does not have to be a highly technical exercise. It can be as simple as a list of who has access to what resources written in plain English. Because Interlink RADIUS policies are implemented in text-based Decision Files, they are easy to create from a list of business rules, easy to read, and easy to understand at a later time. Much like a computer language is used to implement an algorithm as a computer program, Decision Files are used to implement business rules that are centrally enforced by the Interlink Networks RAD-Series RADIUS Server Advanced Policy Engine.

Implementing Levels of Service for a Service Provider

In our last RADIUS Server blog entry, our fictitious service provider, NewISP, defined a RADIUS Vendor Specific Attribute named Service-Level with three levels of service: Platinum, Gold, and Silver. Having laid that groundwork, NewISP is now ready to establish its service level business rules as a policy managed by the RAD-Series RADIUS Server Advanced Policy Engine.

Step One is to establish the business rules in plain English. NewISP’s product management team has decided upon the following service offerings.

Platinum level gets

  • Internet browsing and email
  • Access to premium services and downloads from the NewISP web site
  • Unlimited length of sessions
  • Access to the NewISP toll free number, 800-555-1000

Gold level gets

  • Internet browsing and email
  • Sessions up to 4 hours

Silver level gets

  • Internet browsing and email
  • Sessions up to 1 hour during business hours (M-F, 8 am – 5 pm)
  • Sessions up to 4 hours during evenings and weekends

The standard Internet and email access is defined with an IP filter named StandardArea. The standard Internet and email access plus the premium service area is defined with an IP filter named PremiumArea.

Step Two is to write the business rules in Decision File format. A Decision File is made up of a series of Groups. Each Group consists of a set of conditions and a set of replies if the conditions are fully met. Both the conditions and the replies are defined in terms of RADIUS attributes including Vendor Specific Attributes. The RADIUS Advanced Policy Engine searches the policy until it finds the first Group for which the RADIUS Attribute-Value pairs (AV-pairs) in the request satisfy all of the conditions. Then the AV-pairs in the Reply section are added to the RADIUS response for the purpose of configuring the session at the NAS.

NewISP’s business rules now take the following form in a Decision File.

# Platinum accounts are unlimited with access to the
# premium services.
Group Platinum {
Condition {
Service-Level = Platinum
}
Reply {
Decision = ACK
Filter-Id = PremiumArea
}
}

# Gold accounts get standard services for up to 4 hours.
# Toll free access is restricted.

Group Gold {
Condition {
(Service-Level = Gold) &&
(Called-Station-Id != "800-555-1000")
}
Reply {
Decision = ACK
Filter-Id = StandardArea
Session-Timeout = 14400
}
}

# Silver accounts get standard services for up to 1 hour
# during business hours. Toll free access is restricted.

Group Silver-Primetime {
Condition {
(Service-Level = Silver) &&
(Called-Station-Id != "800-555-1000") &&
(Day-Of-Week >= Monday) &&
(Day-Of-Week <= Friday) &&
(Time-Of-Day >= 8:00) &&
(Time-Of-Day <= 17:00)
}
Reply {
Decision = ACK
Filter-Id = StandardArea
Session-Timeout = 3600
}
}

# Silver accounts get standard services for up to 4 hours
# during off hours. Toll free access is restricted.

Group Silver-Offtime {
Condition {
(Service-Level = Silver) &&
(Called-Station-Id != "800-555-1000") &&
((Day-Of-Week < Monday) || (Day-Of-Week > Friday) ||
(Time-Of-Day < 8:00) || (Time-Of-Day > 17:00))
}
Reply {
Decision = ACK
Filter-Id = StandardArea
Session-Timeout = 14400
}
}

# Other requests such as gold or Silver accounts calling
# the toll-free number are rejected.

Group Invalid-Use {
Reply {
Decision = NAK
Reply-Message = "Access denied - restricted number"
}
}

Step Three is to plug the Decision File into the RADIUS Authentication and Authorization process by creating a pointer to it in the Finite State Machine table, radius.fsm. The pointer is the optional Xstring parameter used in conjunction with the POLICY action. NewISP has saved its policy in a Decision File named service-level. The FSM table would be changed to include:

Chkdny:
*.*.ACK POLICY AUTHwait Xstring=decisionfile:service-level
*.*.NAK REPLY Hold

NewISP now has its levels of service in place. The Decision File format gives the best of all worlds. It is read by the RADIUS Advanced Policy Engine and cached in memory where it delivers high speed, scalable performance. The text-based Decision File also documents the policy in a form that is easy to review and understand. Because the policy is managed centrally, it is easy to update as the company's requirements and business rules change. Only the one Decision File needs to be modified and then reloaded by the RADIUS Server in order to change products and policies throughout the entire network.
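As an added illustration (not Interlink's engine or any of its code), here is a small Python model of the first-match search described in Step Two, run over NewISP's Groups. It assumes the request carries a `time` value and that Service-Level has already been merged from the user's profile into the request AV-pairs; it is handy for checking edge cases such as a Gold subscriber on the toll-free number or a Silver session starting at exactly 17:00.

```python
from datetime import datetime

TOLL_FREE = "800-555-1000"   # NewISP's toll-free number from the business rules

def business_hours(req):
    # Day-Of-Week Monday..Friday and Time-Of-Day 8:00..17:00 inclusive, as in
    # Silver-Primetime; minute granularity is an assumption of this model.
    t = req["time"]
    return t.weekday() <= 4 and 8 * 60 <= t.hour * 60 + t.minute <= 17 * 60

def not_toll_free(req):
    return req.get("Called-Station-Id") != TOLL_FREE

def level(req, name):
    # Assumption: Service-Level was merged from the user's profile into the
    # request AV-pairs before the policy engine runs.
    return req.get("Service-Level") == name

# Groups in Decision File order: (name, Condition, Reply AV-pairs).
POLICY = [
    ("Platinum", lambda r: level(r, "Platinum"),
     {"Decision": "ACK", "Filter-Id": "PremiumArea"}),
    ("Gold", lambda r: level(r, "Gold") and not_toll_free(r),
     {"Decision": "ACK", "Filter-Id": "StandardArea", "Session-Timeout": 14400}),
    ("Silver-Primetime",
     lambda r: level(r, "Silver") and not_toll_free(r) and business_hours(r),
     {"Decision": "ACK", "Filter-Id": "StandardArea", "Session-Timeout": 3600}),
    ("Silver-Offtime",
     lambda r: level(r, "Silver") and not_toll_free(r) and not business_hours(r),
     {"Decision": "ACK", "Filter-Id": "StandardArea", "Session-Timeout": 14400}),
    # Invalid-Use has no Condition, so it matches anything that fell through.
    ("Invalid-Use", lambda r: True,
     {"Decision": "NAK", "Reply-Message": "Access denied - restricted number"}),
]

def evaluate(req):
    """First-match search: return (Group name, Reply) for the first Group whose
    Condition is fully satisfied by the request's AV-pairs."""
    for name, condition, reply in POLICY:
        if condition(req):
            return name, dict(reply)
    raise RuntimeError("no Group matched")  # unreachable while Invalid-Use is last

if __name__ == "__main__":
    # Constructed request: a Gold subscriber dialing the toll-free number on
    # Thursday, 12 July 2007 at 10:00 falls through to Invalid-Use.
    req = {"Service-Level": "Gold", "Called-Station-Id": TOLL_FREE,
           "time": datetime(2007, 7, 12, 10, 0)}
    print(evaluate(req))
```

Because Invalid-Use is the final, unconditional Group, a request with no recognized Service-Level is rejected rather than silently admitted; reordering the Groups changes the outcome, so the order is part of the policy.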


Monday, July 2, 2007

Defining RADIUS Attributes to Create Groups and Services

RADIUS Attribute-Value Pairs are the building blocks of RADIUS. They identify users, specify network components, configure services, and report session details. The RADIUS RFCs define a set of standard attributes such as User-Name, User-Password, NAS-Identifier, Session-Timeout, and Acct-Output-Octets. In addition to the standard RADIUS attributes, RADIUS can be extended with Vendor Specific Attributes (VSAs) to support proprietary features. What service providers and enterprises may not realize is that VSAs are not just for hardware vendors and networking software developers. VSAs can be used by service providers to create new services and by enterprises to gain better control of their networks.


What would I do with a Vendor Specific Attribute if I had one?

Service providers can use their own RADIUS attributes to define multiple levels of service with each at a different price point and each serving a different market segment. Platinum, Gold, and Standard service levels with their associated pricing plans will appeal to different users. By moving past the “one size fits all” approach, new markets can be entered and new profits realized.

Another approach to expand the service provider’s sales reach is to sell services a la carte. RADIUS attributes can be defined for each service component, making it possible to enable and sell them independently of each other. RADIUS attributes can be created to access services such as e-mail, priority support areas, special downloads, and to grant toll free access.

In the enterprise, RADIUS attributes can be used to define departments, group memberships, and roles in the organization. For example, only the accounting department should have access to the financial system and only the engineers to the lab environment. Members of the outside sales team are entitled to toll-free remote access while on the road. Only system administrators are permitted access to network administrative consoles.


Vendor Specific Attributes – where do I get mine?

Step One in defining your own VSAs is to get an enterprise number for your organization. These numbers are managed by the Internet Assigned Numbers Authority (IANA) and serve to uniquely identify your VSAs as belonging to your organization. The current list of assigned numbers can be found at

http://www.iana.org/assignments/enterprise-numbers

If your organization does not already have a number, then you can apply for a free enterprise number at

http://www.iana.org/cgi-bin/enterprise.pl

Step Two is to configure your organization as a definer of VSAs in the RAD-Series RADIUS Server vendors file. An Internet Service Provider, NewISP, has just received an enterprise number of 123456. NewISP will modify its vendors file to add:

#
# New ISP, Inc.
#

NewISP.attr NewISP.value 123456 NewISP

Where:

NewISP.attr will be used to define NewISP’s VSAs in the dictionary

NewISP.value will be used to define values to assign to NewISP’s VSAs

123456 is NewISP’s enterprise number

NewISP is the label specifying support for NewISP VSAs

Step Three is to define in the RADIUS dictionary the VSAs and any special values that they can take. NewISP has decided that it needs a VSA to store the subscribed service plan in each user’s profile. They have defined three levels that are referred to as Platinum, Gold, and Silver. NewISP will modify its RADIUS dictionary to add:

#
# New ISP VSAs
#
NewISP.attr Service-Level 1 Integer (0,0,0)

#
# New ISP Service Levels
#
NewISP.value Service-Level Platinum 1
NewISP.value Service-Level Gold 2
NewISP.value Service-Level Silver 3

Where:

Service-Level is the name of New ISP’s VSA

Integer indicates that the VSA is of type integer

(0,0,0) are the pruning rules indicating that Service-Level is not returned in any RADIUS responses

Platinum, Gold, and Silver are the values defined for Service-Level

Step Four is to apply the new RADIUS attributes to the user profiles. For example in the users file:

jsmith Password = JohnsPASSWORD
       NewISP:Service-Level = Platinum

Tbrown Password = TomsPassworD
       NewISP:Service-Level = Silver
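As an added illustration (it is not part of the original post or of the RAD-Series Server's code), the following Python shows what the dictionary entry above means on the wire: per RFC 2865 section 5.26, a Vendor-Specific attribute (type 26) wraps NewISP's enterprise number, the vendor type 1 from the dictionary, and the 4-octet integer value. The decoder checks both length fields against the actual octets and refuses undefined values, which is the behavior you want from any code that consumes these attributes.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type for Vendor-Specific
NEWISP_VENDOR_ID = 123456   # NewISP's enterprise number from the vendors file
SERVICE_LEVEL_TYPE = 1      # vendor type given to Service-Level in the dictionary
SERVICE_LEVEL_VALUES = {"Platinum": 1, "Gold": 2, "Silver": 3}

def encode_vsa(vendor_id, vendor_type, value):
    """Build a Vendor-Specific attribute whose sub-attribute is a 4-octet integer:
    Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length Value(4)."""
    sub = struct.pack("!BBI", vendor_type, 6, value)   # vendor-length counts itself
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_vsa(data):
    """Parse one integer-valued VSA, checking both length fields against the
    actual octets before trusting them. Returns (vendor_id, vendor_type, value)."""
    if len(data) != 12 or data[0] != VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("attribute length does not describe a 12-octet integer VSA")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    vendor_type, vendor_len = data[6], data[7]
    if vendor_len != 6:
        raise ValueError("vendor-length inconsistent with a 4-octet integer value")
    return vendor_id, vendor_type, struct.unpack("!I", data[8:12])[0]

def service_level_from_attr(data):
    """Map a decoded attribute back to its dictionary name; anything that is not
    a NewISP Service-Level with a defined value is refused rather than guessed."""
    vendor_id, vendor_type, value = decode_vsa(data)
    if vendor_id != NEWISP_VENDOR_ID or vendor_type != SERVICE_LEVEL_TYPE:
        raise ValueError("not a NewISP Service-Level attribute")
    names = {v: k for k, v in SERVICE_LEVEL_VALUES.items()}
    if value not in names:
        raise ValueError(f"undefined Service-Level value {value}")
    return names[value]

if __name__ == "__main__":
    # Constructed sample: the attribute for a Platinum subscriber.
    attr = encode_vsa(NEWISP_VENDOR_ID, SERVICE_LEVEL_TYPE, SERVICE_LEVEL_VALUES["Platinum"])
    print(attr.hex(), service_level_from_attr(attr))   # 1a0c0001e240010600000001 Platinum
```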

Now that I have my VSAs how do I make them go to work for me?

The power behind these organizational VSAs is the business rules associated with them. These rules are commonly called policy and can be implemented using the RAD-Series RADIUS Server Policy Engine. In our next blog entry, we will discuss how to write the RADIUS policies associated with these Vendor Specific Attributes.
