Understanding Per-VRF AAA Function; RADIUS Double-Dip Feature; Additional References - Cisco ASR 9000 Series Configuration Manual

Aggregation services router broadband network gateway

Web Logon with RADIUS Based CoA
To support Web Logon, a set of Policy Rule Events must be configured in order. These events
are as follows:
• session-start:
  • On the start of a session, a subscriber is set up to get internet connectivity. The service is activated
  to redirect HTTP traffic to a Web portal for web-based logon.
  • Start the timer with duration for the maximum waiting period for authentication.
• account-logon — The Web portal collects the user credentials such as username and password and
triggers a CoA account-logon command. When this event is triggered, subscriber username and password
are authenticated by the RADIUS server. Once the authentication is successful, the HTTP redirect service
is deactivated, granting user access to already connected internet setup. Also, the timer established in
session-start must be stopped. However, if the authentication fails during account-logon, BNG sends a
NAK CoA request, allowing for further authentication attempts to take place.
• timer expiry — When the timer expires, the subscriber session is disconnected based on the configuration.

Understanding Per-VRF AAA Function

The Per VRF AAA function allows authentication, authorization, and accounting (AAA) on the basis of virtual
routing and forwarding (VRF) instances. This feature permits the Provider Edge (PE) or Virtual Home Gateway
(VHG) to communicate directly with the customer's RADIUS server (which is associated with the customer's
Virtual Private Network (VPN)) without having to go through a RADIUS proxy.
ISPs must be able to define operational parameters such as AAA server groups, method lists, system accounting,
and protocol-specific parameters, and associate those parameters with a particular VRF instance.
The Per VRF AAA feature is supported with VRF extensions to server-group, RADIUS, and system accounting
commands. The list of servers in server groups is extended to include definitions of private servers, in addition
to references to the hosts in the global configuration. This allows simultaneous access to both customer servers
and global service provider servers. The syntax for the command used to configure per-VRF AAA globally is:
radius source-interface subinterface-name [vrf vrf-name]

RADIUS Double-Dip Feature

BNG supports the RADIUS double-dip feature, where BNG sends the first authentication or authorization
request to a service provider's RADIUS server, which in turn responds with the correct VRF associated with
the subscriber session. Subsequently, the BNG redirects the original request, and sends it as a second request,
to the correct RADIUS server that is associated with the designated VRF.

Additional References

These sections provide references related to implementing RADIUS.
Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide, Release 4.2.x
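
The ordering of the Web Logon events described on this page (session-start, account-logon, timer expiry) can be traced with a small model. This is an added example, not Cisco code or configuration; the action strings, the `RADIUS_USERS` sample store and the handling of events that arrive without a live session are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

# Constructed stand-in for the RADIUS server's user store (sample values only).
RADIUS_USERS = {"alice": "correct-horse"}

@dataclass
class Session:
    connected: bool = False
    redirect_active: bool = False   # HTTP redirect to the Web portal
    timer_running: bool = False     # maximum waiting period for authentication
    authenticated: bool = False

def radius_accepts(user, password):
    """Constant-time credential check against the sample store."""
    expected = RADIUS_USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

def handle_event(s, event, user=None, password=None):
    """Apply one policy rule event to session s; return the actions taken."""
    if event == "session-start":
        s.connected, s.redirect_active, s.timer_running = True, True, True
        return ["activate http-redirect", "start timer"]
    if not s.connected:
        return ["ignored: no session"]      # modelling assumption
    if event == "account-logon":
        if radius_accepts(user, password):
            s.authenticated, s.redirect_active, s.timer_running = True, False, False
            return ["deactivate http-redirect", "stop timer"]
        # Failure: the CoA is NAKed; redirect and timer are left untouched,
        # so retries remain possible only until the timer expires.
        return ["CoA NAK"]
    if event == "timer-expiry" and s.timer_running:
        s.connected, s.redirect_active, s.timer_running = False, False, False
        return ["disconnect"]
    return ["ignored"]                      # e.g. expiry of a stopped timer

def replay(events):
    """Run (event, user, password) tuples against a fresh session."""
    s, trace = Session(), []
    for event, user, password in events:
        trace.append(handle_event(s, event, user, password))
    return s, trace
```

In this model a session that never authenticates keeps the HTTP redirect active and is bounded by the session-start timer, which is why the timer must be stopped only on a successful account-logon.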
Configuring Authentication, Authorization, and Accounting Functions
OL-26148-02
