RADIUS Server Application Blog

This RADIUS server application blog is about RADIUS servers in general and Interlink's RAD-Series RADIUS Server specifically. Our goal here is to discuss how different RADIUS server applications can be extended to build unique, differentiated offerings for Carriers and ISPs.

Tuesday, August 28, 2007

A Primer on Using Interlink’s Powerful RADIUS Server Software Developer’s Kit (RADIUS SDK)

Interlink’s RADIUS Server SDK is ideal for customers wishing to customize and enhance the RAD-Series RADIUS Server to meet their specific application requirements. The RADIUS Server SDK provides a set of easy-to-implement, modular tools to develop extensions to the core RADIUS architecture. The toolkit provides APIs (Application Program Interfaces) that make it easy to build custom modules for unique RADIUS authentication, authorization, or accounting methods; modify the internal RADIUS processing engine; set user-based policy; and customize user interfaces.

With the SDK, you can write capabilities to:

  • Authenticate users stored in any data source, including off-the-shelf and proprietary databases
  • Track and control usage based on unique billing systems
  • Implement highly customized authorization schemes
  • Add support for unique network access hardware

RADIUS plug-in modules allow feature enhancements without editing, recompiling, and retesting all of the server code, providing for speedy development of additional functionality. The RADIUS Server SDK functions follow standard ANSI C, so there is no specialized programming or scripting language to learn.

Major system integrators and mobile communications companies throughout the world have used our RADIUS SDK to customize their RADIUS server to meet their specific application needs.

Monday, July 2, 2007

Defining RADIUS Attributes to Create Groups and Services

RADIUS Attribute-Value Pairs are the building blocks of RADIUS. They identify users, specify network components, configure services, and report session details. The RADIUS RFCs define a set of standard attributes such as User-Name, User-Password, NAS-Identifier, Session-Timeout, and Acct-Output-Octets. In addition to the standard RADIUS attributes, RADIUS can be extended with Vendor Specific Attributes (VSAs) to support proprietary features. What service providers and enterprises may not realize is that VSAs are not just for hardware vendors and networking software developers. VSAs can be used by service providers to create new services and by enterprises to gain better control of their networks.


What would I do with a Vendor Specific Attribute if I had one?

Service providers can use their own RADIUS attributes to define multiple levels of service, each at a different price point and each serving a different market segment. Platinum, Gold, and Standard service levels with their associated pricing plans will appeal to different users. By moving past the “one size fits all” approach, new markets can be entered and new profits realized.

Another approach to expand the service provider’s sales reach is to sell services à la carte. RADIUS attributes can be defined for each service component, making it possible to enable and sell them independently of each other. RADIUS attributes can be created to access services such as e-mail, priority support areas, and special downloads, and to grant toll-free access.

In the enterprise, RADIUS attributes can be used to define departments, group memberships, and roles in the organization. For example, only the accounting department should have access to the financial system and only the engineers to the lab environment. Members of the outside sales team are entitled to toll-free remote access while on the road. Only system administrators are permitted access to network administrative consoles.


Vendor Specific Attributes – where do I get mine?

Step One in defining your own VSAs is to get an enterprise number for your organization. These numbers are managed by the Internet Assigned Numbers Authority (IANA) and serve to uniquely identify your VSAs as belonging to your organization. The current list of assigned numbers can be found at

http://www.iana.org/assignments/enterprise-numbers

If your organization does not already have a number, then you can apply for a free enterprise number at

http://www.iana.org/cgi-bin/enterprise.pl

Step Two is to configure your organization as a definer of VSAs in the RAD-Series RADIUS Server vendors file. An Internet Service Provider, NewISP, has just received an enterprise number of 123456. NewISP will modify its vendors file to add:

#
# New ISP, Inc.
#

NewISP.attr NewISP.value 123456 NewISP

Where:

NewISP.attr will be used to define NewISP’s VSAs in the dictionary

NewISP.value will be used to define values to assign to NewISP’s VSAs

123456 is NewISP’s enterprise number

NewISP is the label specifying support for NewISP VSAs

Step Three is to define in the RADIUS dictionary the VSAs and any special values that they can take. NewISP has decided that it needs a VSA to store the subscribed service plan in each user’s profile. They have defined three levels that are referred to as Platinum, Gold, and Silver. NewISP will modify its RADIUS dictionary to add:

#
# New ISP VSAs
#
NewISP.attr Service-Level 1 Integer (0,0,0)

#
# New ISP Service Levels
#
NewISP.value Service-Level Platinum 1
NewISP.value Service-Level Gold 2
NewISP.value Service-Level Silver 3

Where:

Service-Level is the name of New ISP’s VSA

Integer indicates that the VSA is of type integer

(0,0,0) are the pruning rules indicating that Service-Level is not returned in any RADIUS responses

Platinum, Gold, and Silver are the values defined for Service-Level

Step Four is to apply the new RADIUS attributes to the user profiles. For example in the users file:

jsmith Password = JohnsPASSWORD
    NewISP:Service-Level = Platinum

Tbrown Password = TomsPassworD
    NewISP:Service-Level = Silver
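The four steps above define the VSA in configuration only; what actually travels in a RADIUS packet is the Vendor-Specific attribute layout of RFC 2865 (Type 26, Length, a 4-octet Vendor-Id, then Vendor-Type, Vendor-Length and the value). The following worked example is added here and is not Interlink's code or part of the original post: it parses the vendors-file line, the dictionary lines and the users-file entries shown above (embedded as constructed sample input), rejects a user profile that names a Service-Level value the dictionary does not define, and encodes each user's Service-Level as an RFC 2865 VSA. The parsing of the RAD-Series file formats is a simplified reading of the fragments as printed, not the server's own parser, and the function and variable names are this example's own.

```python
import struct

# Configuration fragments from the post, embedded as constructed sample input.
VENDORS_LINE = "NewISP.attr NewISP.value 123456 NewISP"
DICTIONARY = """\
# New ISP VSAs and their values
NewISP.attr Service-Level 1 Integer (0,0,0)
NewISP.value Service-Level Platinum 1
NewISP.value Service-Level Gold 2
NewISP.value Service-Level Silver 3
"""
USERS = """\
jsmith Password = JohnsPASSWORD
    NewISP:Service-Level = Platinum

Tbrown Password = TomsPassworD
    NewISP:Service-Level = Silver
"""
VSA_TYPE = 26  # RFC 2865 Vendor-Specific attribute type

def parse_vendor(line):
    """vendors-file line: <attr keyword> <value keyword> <enterprise number> <label>."""
    attr_kw, value_kw, number, label = line.split()
    return {"attr_kw": attr_kw, "value_kw": value_kw, "id": int(number), "label": label}

def parse_dictionary(text, vendor):
    """Attributes and named values the vendor defines in the dictionary."""
    attrs = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == vendor["attr_kw"]:
            _, name, number, datatype, pruning = parts
            attrs[name] = {"type": int(number), "datatype": datatype,
                           "pruning": pruning, "values": {}}
        elif parts[0] == vendor["value_kw"]:
            _, name, value_name, number = parts
            attrs[name]["values"][value_name] = int(number)
    return attrs

def parse_users(text):
    """users file (simplified): an unindented line opens a profile, indented
    lines add 'Vendor:Attribute = Value' items to it."""
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.split()[0]
            users[current] = {}
        else:
            key, value = (s.strip() for s in raw.split("=", 1))
            users[current][key] = value
    return users

def encode_vsa(vendor_id, vendor_type, value):
    """RFC 2865 s.5.26 integer VSA: Type 26 | Length | Vendor-Id(4) |
    Vendor-Type | Vendor-Length | 4-octet value."""
    if not 0 <= vendor_id < (1 << 24):
        raise ValueError("high-order octet of Vendor-Id must be zero")
    data = struct.pack("!I", value)
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", VSA_TYPE, 6 + len(inner), vendor_id) + inner

def decode_vsa(blob):
    """Inverse of encode_vsa: (vendor_id, vendor_type, value), with length checks."""
    attr_type, length, vendor_id = struct.unpack("!BBI", blob[:6])
    vendor_type, vendor_len = struct.unpack("!BB", blob[6:8])
    if attr_type != VSA_TYPE or length != len(blob) or vendor_len != length - 6:
        raise ValueError("malformed Vendor-Specific attribute")
    return vendor_id, vendor_type, struct.unpack("!I", blob[8:12])[0]

def user_service_level_vsas(users, vendor, attrs):
    """Encode each profile's vendor attributes; reject undefined value names."""
    out = {}
    for user, items in users.items():
        for key, value_name in items.items():
            label, _, attr_name = key.partition(":")
            if label != vendor["label"] or attr_name not in attrs:
                continue
            spec = attrs[attr_name]
            if value_name not in spec["values"]:
                raise ValueError(f"{user}: {attr_name} has no value {value_name!r}")
            out[user] = encode_vsa(vendor["id"], spec["type"], spec["values"][value_name])
    return out

def service_level_vsas():
    """Parse all three fragments and return {user: encoded Service-Level VSA}."""
    vendor = parse_vendor(VENDORS_LINE)
    attrs = parse_dictionary(DICTIONARY, vendor)
    return user_service_level_vsas(parse_users(USERS), vendor, attrs)

if __name__ == "__main__":
    for user, blob in service_level_vsas().items():
        print(user, blob.hex(), decode_vsa(blob))
```

For jsmith this yields the 12 octets 1a 0c 00 01 e2 40 01 06 00 00 00 01: attribute 26, length 12, Vendor-Id 123456 (0x01E240), Vendor-Type 1 (Service-Level), Vendor-Length 6 and the integer 1 (Platinum). The value-name check matters operationally: a typo such as "Bronze" in a profile would otherwise silently fall outside every policy written against the three defined levels.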

Now that I have my VSAs how do I make them go to work for me?

The power behind these organizational VSAs is the business rules associated with them. These rules are commonly called policy and can be implemented using the RAD-Series RADIUS Server Policy Engine. In our next blog entry, we will discuss how to write the RADIUS policies associated with these Vendor Specific Attributes.

Monday, June 11, 2007

Implementing Simultaneous Session Control in a AAA RADIUS Server

One of the most frequently requested features of the RAD-Series RADIUS Server is simultaneous session control. Service Providers selling low cost flat rate Internet access cannot afford the abuse of users sharing accounts. Simultaneous session control addresses this problem by limiting the number of sessions granted to an account at any given time. The RAD-Series RADIUS Server goes beyond a check box implementation by making the number of simultaneous sessions allowed a configurable item on a per user basis.

As an example, let us look at a small ISP that wants to limit its users to two simultaneous sessions, maintains its user list in a Unix password file, and whose users log on as user@isp.com.

There are four configuration steps to restrict simultaneous session use:

1) Simultaneous session control requires the active session management provided by the LAS (Local Authentication Service). Therefore the realm isp.com must be defined in las.conf as follows:

Realm isp.com
End-Realm

2) The realm must also be configured in the authfile. In this example the realm is configured for Unix password file authentication.

isp.com UNIX-PW

3) The RAD-Series RADIUS Server must load a finite state machine (FSM) table that supports the LAS (has las in its name). If the RADIUS server was installed with the default FSM table, check+policy+las.fsm, then the LAS is already supported.

4) By default, simultaneous use is set to one session when the LAS is enabled. To change this default to two sessions for our example, Simultaneous-Use will be added as a Check-Item to the DEFAULT entry in the users file.

DEFAULT Authentication-Type=Realm, Simultaneous-Use = 2
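The following is an added worked example, not Interlink's code or part of the original post, that models the authorization decision these four steps produce: the realm comes from las.conf, the authentication method from the authfile, and the session limit from Simultaneous-Use in the users file, with the server's one-session default applied when no entry sets it. The las.conf, authfile and DEFAULT lines are the fragments shown above, embedded as constructed sample input; the per-user entry for alice@isp.com is an assumption added to illustrate the per-user limit the post mentions (the post does not show the form such an entry takes), the in-memory session table stands in for the LAS, and password checking against the Unix password file is deliberately left out.

```python
# Constructed sample input: the las.conf, authfile and users-file lines from
# the post, plus an assumed per-user entry (alice@isp.com) for illustration.
LAS_CONF = """\
Realm isp.com
End-Realm
"""
AUTHFILE = "isp.com UNIX-PW\n"
USERS = """\
DEFAULT Authentication-Type=Realm, Simultaneous-Use = 2
alice@isp.com Simultaneous-Use = 1
"""

def parse_realms(text):
    """Realm names opened by 'Realm <name>' lines in las.conf."""
    return {line.split()[1] for line in text.splitlines() if line.startswith("Realm ")}

def parse_authfile(text):
    """realm -> authentication method (here UNIX-PW)."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def parse_check_items(text):
    """users file (simplified): '<name> key = value, key = value' per line."""
    profiles = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, rest = line.partition(" ")
        items = {}
        for item in rest.split(","):
            key, _, value = item.partition("=")
            items[key.strip()] = value.strip()
        profiles[name] = items
    return profiles

class SessionController:
    """Tracks active sessions per account and enforces Simultaneous-Use."""

    def __init__(self, las_conf=LAS_CONF, authfile=AUTHFILE, users=USERS):
        self.realms = parse_realms(las_conf)
        self.auth_methods = parse_authfile(authfile)
        self.profiles = parse_check_items(users)
        self.active = {}  # account -> session ids reported by accounting Start

    def limit_for(self, account):
        """Per-user Simultaneous-Use, else the DEFAULT entry, else 1 (the
        server default once the LAS is enabled)."""
        for name in (account, "DEFAULT"):
            value = self.profiles.get(name, {}).get("Simultaneous-Use")
            if value is not None:
                return int(value)
        return 1

    def authorize(self, account):
        """Decision for an Access-Request whose password check (not modelled
        here) already succeeded. Returns (accepted, reason)."""
        _, _, realm = account.partition("@")
        if realm not in self.realms:
            return False, "realm not defined in las.conf"
        if realm not in self.auth_methods:
            return False, "realm not configured in authfile"
        in_use = len(self.active.get(account, ()))
        limit = self.limit_for(account)
        if in_use >= limit:
            return False, f"Simultaneous-Use limit {limit} reached"
        return True, f"{self.auth_methods[realm]}, session {in_use + 1} of {limit}"

    def acct_start(self, account, session_id):
        """Accounting Start: the session now counts against the limit."""
        self.active.setdefault(account, set()).add(session_id)

    def acct_stop(self, account, session_id):
        """Accounting Stop: the slot is released."""
        self.active.get(account, set()).discard(session_id)

def demo(account="joe@isp.com"):
    """Two sessions are admitted, a third is refused, and a slot reopens
    once accounting reports a Stop. Returns the list of decisions."""
    ctl = SessionController()
    decisions = []
    for session in ("s1", "s2", "s3"):
        ok, _ = ctl.authorize(account)
        decisions.append(ok)
        if ok:
            ctl.acct_start(account, session)
    ctl.acct_stop(account, "s1")
    decisions.append(ctl.authorize(account)[0])
    return decisions

if __name__ == "__main__":
    print(demo())  # [True, True, False, True]
```

The model makes the dependency between the steps visible: without step 1 the realm lookup fails before any counting happens, and the count itself is only as good as the accounting Stop records that release slots, which is why a lost Stop (a NAS reboot, a dropped accounting packet) is the usual reason a legitimate user is refused under a session limit.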

Simultaneous session control is an example of Authorization, the second A in AAA. As illustrated by this simple example, authorization adds value beyond simple authentication by further defining the conditions and limits of authorized use.
