Defining RADIUS Attributes to Create Groups and Services
RADIUS Attribute-Value Pairs are the building blocks of RADIUS. They identify users, specify network components, configure services, and report session details. The RADIUS RFCs define a set of standard attributes such as User-Name, User-Password, NAS-Identifier, Session-Timeout, and Acct-Output-Octets. In addition to the standard RADIUS attributes, RADIUS can be extended with Vendor Specific Attributes (VSAs) to support proprietary features. What service providers and enterprises may not realize is that VSAs are not just for hardware vendors and networking software developers. VSAs can be used by service providers to create new services and by enterprises to gain better control of their networks.
What would I do with a Vendor Specific Attribute if I had one?
Service providers can use their own RADIUS attributes to define multiple levels of service, each at a different price point and each serving a different market segment. Platinum, Gold, and Standard service levels with their associated pricing plans will appeal to different users. By moving past the “one size fits all” approach, new markets can be entered and new profits realized.
Another way to expand the service provider’s sales reach is to sell services à la carte. RADIUS attributes can be defined for each service component, making it possible to enable and sell them independently of each other. RADIUS attributes can be created to access services such as e-mail, priority support areas, and special downloads, and to grant toll-free access.
In the enterprise, RADIUS attributes can be used to define departments, group memberships, and roles in the organization. For example, only the accounting department should have access to the financial system and only the engineers to the lab environment. Members of the outside sales team are entitled to toll-free remote access while on the road. Only system administrators are permitted access to network administrative consoles.
Vendor Specific Attributes – where do I get mine?
Step One in defining your own VSAs is to get an enterprise number for your organization. These numbers are managed by the Internet Assigned Numbers Authority (IANA) and serve to uniquely identify your VSAs as belonging to your organization. The current list of assigned numbers can be found at
http://www.iana.org/assignments/enterprise-numbers
If your organization does not already have a number, then you can apply for a free enterprise number at
http://www.iana.org/cgi-bin/enterprise.pl
Step Two is to configure your organization as a definer of VSAs in the RAD-Series RADIUS Server vendors file. An Internet Service Provider, NewISP, has just received an enterprise number of 123456. NewISP will modify its vendors file to add:
#
# New ISP, Inc.
#
NewISP.attr NewISP.value 123456 NewISP
Where:
NewISP.attr will be used to define NewISP’s VSAs in the dictionary
NewISP.value will be used to define values to assign to NewISP’s VSAs
123456 is NewISP’s enterprise number
NewISP is the label specifying support for NewISP VSAs
Step Three is to define in the RADIUS dictionary the VSAs and any special values that they can take. NewISP has decided that it needs a VSA to store the subscribed service plan in each user’s profile. They have defined three levels that are referred to as Platinum, Gold, and Silver. NewISP will modify its RADIUS dictionary to add:
#
# New ISP VSAs
#
NewISP.attr Service-Level 1 Integer (0,0,0)
#
# New ISP Service Levels
#
NewISP.value Service-Level Platinum 1
NewISP.value Service-Level Gold 2
NewISP.value Service-Level Silver 3
Where:
Service-Level is the name of New ISP’s VSA
Integer indicates that the VSA is of type integer
(0,0,0) are the pruning rules indicating that Service-Level is not returned in any RADIUS responses
Platinum, Gold, and Silver are the values defined for Service-Level
Step Four is to apply the new RADIUS attributes to the user profiles. For example, in the users file:
jsmith Password = JohnsPASSWORD
NewISP:Service-Level = Platinum
Tbrown Password = TomsPassworD
NewISP:Service-Level = Silver
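The following is an added example, not part of the original article or of the RAD-Series server. It shows how the enterprise number from Step Two and the VSA number and values from Step Three would be laid out in a Vendor-Specific attribute (type 26) using the sub-attribute format recommended in RFC 2865, together with a strict decoder that rejects other vendors' VSAs, bad lengths, and values the dictionary does not define. The function names are hypothetical, and because the (0,0,0) pruning rule keeps Service-Level out of responses, the bytes illustrate the encoding only.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type, RFC 2865 section 5.26
NEWISP_ENTERPRISE = 123456    # enterprise number from the vendors file entry
SERVICE_LEVEL = 1             # VSA number from the dictionary entry
LEVELS = {"Platinum": 1, "Gold": 2, "Silver": 3}   # NewISP.value lines
NAMES = {number: name for name, number in LEVELS.items()}


def encode_service_level(level):
    """Build the attribute 26 bytes for NewISP:Service-Level = <level>."""
    # Sub-attribute: vendor type, vendor length (2 + 4), 4-octet integer
    sub = struct.pack("!BBI", SERVICE_LEVEL, 6, LEVELS[level])
    body = struct.pack("!I", NEWISP_ENTERPRISE) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_service_level(attr):
    """Strictly parse one attribute; raise ValueError on anything malformed."""
    if len(attr) < 8:
        raise ValueError("too short for a Vendor-Specific attribute")
    a_type, a_len, vendor_id = struct.unpack("!BBI", attr[:6])
    if a_type != VENDOR_SPECIFIC:
        raise ValueError("not attribute 26")
    if a_len != len(attr):
        raise ValueError("length field does not match the data")
    if vendor_id != NEWISP_ENTERPRISE:
        raise ValueError("enterprise number is not NewISP's")
    v_type, v_len = attr[6], attr[7]
    if v_type != SERVICE_LEVEL or v_len != 6 or len(attr) != 12:
        raise ValueError("not a 4-octet Service-Level sub-attribute")
    (value,) = struct.unpack("!I", attr[8:12])
    if value not in NAMES:
        raise ValueError("value %d is not defined in the dictionary" % value)
    return NAMES[value]


if __name__ == "__main__":
    wire = encode_service_level("Platinum")
    print(wire.hex(), "->", decode_service_level(wire))
```

The Vendor-Id field is what scopes VSA number 1 to NewISP: the same sub-attribute bytes under a different enterprise number are rejected by the decoder.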
Now that I have my VSAs how do I make them go to work for me?
