Cisco Asr 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide - Cisco ASR 9000 Series Configuration Manual


Configuring Authentication, Authorization, and Accounting Functions
AAA Overview
2865). The RADIUS server manages the AAA process by interacting with BNG, and databases and directories
containing user information.
The RADIUS protocol runs on a distributed client-server system. The RADIUS client runs on BNG (Cisco
ASR 9000 Series Router), which sends authentication requests to a central RADIUS server. The RADIUS server
contains all user authentication and network service access information.
The AAA processes, the role of the RADIUS server during these processes, and some BNG restrictions are
explained in these sections:
Authentication
The authentication process identifies a subscriber on the network, before granting access to the network and
network services. The process of authentication works on a unique set of criteria that each subscriber has for
gaining access to the network. Typically, the RADIUS server performs authentication by matching the
credentials (user name and password) the subscriber enters with those present in the database for that subscriber.
If the credentials match, the subscriber is granted access to the network. Otherwise, the authentication process
fails, and network access is denied.
Authorization
After the authentication process, the subscriber is authorized to perform certain activities. Authorization is
the process that determines what type of activities, resources, or services a subscriber is permitted to use. For
example, after logging into the network, the subscriber may try to access a database, or a restricted website.
The authorization process determines whether the subscriber has the authority to access these network resources.
AAA authorization works by assembling a set of attributes based on the authentication credentials provided
by the subscriber. The RADIUS server compares these attributes, for a given username, with information
contained in a database. The result is returned to BNG to determine the actual capabilities and restrictions
that are to be applied for that subscriber.
Accounting
Accounting keeps track of the resources used by the subscriber during network access. Accounting is used
for billing, trend analysis, tracking resource utilization, and capacity planning activities. During the accounting
process, a log is maintained for network usage statistics. The information monitored includes, but is not
limited to, subscriber identities, applied configurations on the subscriber, the start and stop times of network
connections, and the number of packets and bytes transferred to, and from, the network.
BNG reports subscriber activity to the RADIUS server in the form of accounting records. Each accounting
record comprises an accounting attribute value. This value is analyzed and used by the RADIUS server for
network management, client billing, auditing, etc.
The accounting records of the subscriber sessions may time out if the BNG does not receive acknowledgments
from the RADIUS server. This timeout can be due to the RADIUS server being unreachable or due to network
connectivity issues leading to slow performance of the RADIUS server. If the sessions on the BNG are not
acknowledged for their Account-Start request, loss of sessions on route processor failover (RPFO) and other
critical failures are reported. It is therefore recommended that a RADIUS server deadtime be configured on
the BNG, to avoid loss of sessions. Once this value is configured, if a particular session does not receive
an accounting response even after retries, that particular RADIUS server is considered to be non-working
and further requests are not sent to that server.
The radius-server deadtime limit command can be used to configure the deadtime for RADIUS server. For
details, see Configuring RADIUS Server Settings, on page 43.
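
The deadtime behavior described above can be modeled as follows. This is an added illustration, not Cisco code or the BNG implementation; the class names, the retry count, the 300-second deadtime, and the two-server list are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    reachable: bool = True     # constructed stand-in for network state
    dead_until: float = 0.0    # server is skipped while now < dead_until
    requests_seen: int = 0


@dataclass
class AccountingClient:
    servers: list
    retries: int = 2           # assumed retry count
    deadtime_s: float = 300.0  # assumed deadtime, in seconds
    log: list = field(default_factory=list)

    def send(self, record: str, now: float):
        """Return the name of the server that acknowledged, or None."""
        for srv in self.servers:
            if now < srv.dead_until:
                self.log.append((now, srv.name, "skipped (dead)"))
                continue
            for _ in range(1 + self.retries):
                srv.requests_seen += 1
                if srv.reachable:
                    self.log.append((now, srv.name, "acked " + record))
                    return srv.name
            # No response even after retries: treat the server as
            # non-working and stop sending to it for the deadtime.
            srv.dead_until = now + self.deadtime_s
            self.log.append((now, srv.name, "marked dead"))
        return None


def demo():
    primary = RadiusServer("primary", reachable=False)
    backup = RadiusServer("backup")
    client = AccountingClient([primary, backup])
    results = [client.send("Account-Start sess-1", now=0),
               client.send("Account-Start sess-2", now=10)]
    primary.reachable = True   # server recovers; deadtime expires at t=300
    results.append(client.send("Account-Start sess-3", now=400))
    return results, primary.requests_seen, backup.requests_seen, client.log


if __name__ == "__main__":
    print(demo())
```

In this model the second session costs no retries against the unresponsive server, which is the effect the deadtime is meant to have on accounting acknowledgment delays.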

Cisco ASR 9000 Series Aggregation Services Router Broadband Network Gateway Configuration Guide,

Release 4.3.x
26
OL-28375-03
