This chapter describes how to configure Oracle Communications Billing and Revenue Management (BRM) RADIUS Manager. Anyone who installs, configures, administers, or customizes RADIUS Manager should read this chapter.
Caution:
Only administrators with advanced RADIUS skills should attempt to implement custom configurations.Before configuring RADIUS Manager, you must install BRM:
"Putting Together Your BRM System" in BRM Installation Guide
"Installing BRM" in BRM Installation Guide
Before you begin the configuration process, plan the features of your custom RADIUS implementation. This planning is critical to a successful RADIUS implementation. While each configuration is unique, there are basic questions you must answer for each configuration. Use the following checklist to ensure that these issues are considered in your planning process.
Note:
This chapter assumes that you are already familiar with the RADIUS protocol. If any terms in this checklist are unfamiliar, see RFC 2865: Remote Authentication Dial In User Service (RADIUS) and RFC 2866: RADIUS Accounting.Define the RADIUS Architecture
Which data dictionary do I use? See "Defining the Data Dictionary".
Do I need to merge data dictionaries from multiple Network Access Server (NAS) vendors? See "Editing the Data Dictionary".
How many threads and what queue size are appropriate for my configuration? See "Setting the Number of Threads and the Queue Size for Scalability".
What time zone setting do I use? See "Specifying the Time Zone".
Do I need to set any vendor-specific attributes for my NAS? See "Adding Vendor Specific Attributes to the Data Dictionary".
Authentication and Authorization Methods
Do I need one authentication method for internal users? See "About Local and Remote Authentication Requests".
Do I need multiple authentication methods for remote users? See "About Cascading Authentication".
Do I set up proxying to forward requests from multiple NASs? See "Using the Proxy Module to Forward Incoming Requests to an External RADIUS Server".
Are all of my NASs listed in the client list? See "Defining the RADIUS Client List".
Have I configured the listen ports correctly? See "Setting the IP Port Numbers".
Should I use stop-only accounting to improve performance? See "Specifying How Accounting-On Events Are Handled after a NAS Failure".
Do I turn on debug options? See "Enabling the Debug Option".
At what level do I want to log error messages? See "Setting the Log Level for Application Errors".
Do I create field-delimited log files that can be read by Universal Event (UE) Loader or other applications? See "Creating Custom CDR Log Files".
To configure RADIUS Manager, complete these configuration tasks:
Set the link between RADIUS Manager and BRM in the CM pin.conf file. See "Connecting RADIUS Manager to BRM".
Set the connection between the RADIUS server and BRM in the RADIUS pin.conf file. See "Connecting the RADIUS Manager Client to BRM".
Configure the RADIUS server by editing the RADIUS pin.conf file. See "Configuring RADIUS Implementations".
Start the RADIUS daemon. See "Starting and Stopping the RADIUS Daemon".
Use the CM (Connection Manager) configuration (pin.conf) file to link RADIUS Manager to BRM. This operation is automatic if RADIUS Manager is installed on the computer where the CMs reside. If you are installing RADIUS Manager on a computer that does not have BRM installed, you must make the following changes to the CM configuration file (BRM_home/sys/cm/pin.conf), where BRM_home is the directory in which BRM components are installed.
Solaris, Linux, and HP-UX IA64
cm fm_module ../../lib/fm_term.so fm_term_config - pin cm fm_module ../../lib/fm_term_pol.so fm_term_pol_config - pin
cm fm_module ../../lib/fm_term.a fm_term_config - pin cm fm_module ../../lib/fm_term_pol.a fm_term_pol_config - pin
Use the RADIUS server configuration file (BRM_home/apps/radius/pin.conf) to connect the RADIUS server to BRM. This file contains the standard BRM connection entries and editing instructions.
Use the RADIUS configuration file (BRM_home/apps/radius/config) to define the features of your custom RADIUS implementation. This file has three sections:
$CONFIG: Includes the core server settings ($CORE) as well as global module settings.
$DEFINE: Allows you to define macros that are referenced elsewhere in the configuration file.
$MODULES: Includes settings for each module instance.
Important:
Before you begin customizing RADIUS settings, make a copy of BRM_home/apps/radius/config.tsm, and rename the file. The file name required by the RADIUS server is config.This following sections explain how to configure settings for the $CORE and $DEFINE sections of the RADIUS configuration file. The $MODULES descriptions are in the configuration documentation for each type of module.
Set the IP port numbers to which the RADIUS server listens by defining the listen entry in the $CORE section of the RADIUS configuration file (BRM_home/apps/radius/config). Add one listen entry for each port to which you want the server to listen. You do not need to distinguish between authentication and accounting ports. The RADIUS server can listen to more than two ports. The default authorization port is 1812 and the default accounting port is 1813.
For example:
listen {
port = 1812
}
listen {
port = 1813
}
Optionally, you can specify the host name; for example:
listen {
port = 1812
addr = host_name
}
listen {
port = 1813
addr = host_name
}
Use the log entry in the $CORE section of the RADIUS configuration file (BRM_home/apps/radius/config) to set the file name, path, and log level for logging application-level errors, warnings, and informational messages.
The default log file path is /var/portal/7.5/radius.pinlog and the default log level is 2.
Log level 1 logs error messages only. Log level 2 logs error and warning messages. Log level 3 logs error, warning, and informational messages.
For example:
log {
file=/var/portal/7.5/radius/radius.pinlog
level=2
}
Use the debug entry in the $CORE section of the RADIUS configuration file (BRM_home/apps/radius/config) to enable the debug option and log output to stdout. Only all is supported. Enabling this option allows you to see which flists the CM and the pin_radiusd utility are using to communicate.
If you use the start_radius script, messages are logged to the debug log file /var/portal/7.5/radius/radius.log.
For example:
debug {
#all
}
Use the following procedure to select a data dictionary:
Choose one of the supplied dictionaries and copy it to the BRM_home/apps/radius directory.
Two dictionaries ship with RADIUS Manager:
dictionary-RFC2865 is an RFC-compliant dictionary.
dictionary-ascend-4.5 works with Ascend 4.5.
Note:
If you use two or more NAS vendors, see "Selecting a Data Dictionary When Using Different NAS Vendors".
If all of the NASs are RFC2865 compliant, you can use dictionary RFC2865. This is the preferred solution. Don't forget to update the dictionary file with any vendor-specific attributes associated with the NAS.
If your NAS is not RFC28652865 compliant, you can merge data dictionary files. See "Editing the Data Dictionary" for instructions.
Set the file name and path of the RADIUS dictionary file with the dictionary entry in the $CORE section of the RADIUS configuration file (BRM_home/apps/radius/config):
dictionary=/opt/portal/7.5/apps/radius/dictionary_name
where dictionary_name is the dictionary file you copied in step 0.
Important:
Ensure that you specify the same dictionary file for the NAS and RADIUS Manager.(Optional) Modify these dictionary files. See "Editing the Data Dictionary".
If you must use NAS from different vendors, you have these options:
If all of the NAS are RFC 2865 compliant then you can use dictionary RFC2865. This is the preferred solution. Don't forget to update the dictionary file with any vendor-specific attributes associated with the NAS.
If your NAS is not RFC 2865 compliant, you can merge data dictionary files. For instructions, see "Editing the Data Dictionary".
Use the pidfile entry in the $CORE section of the RADIUS configuration file (BRM_home/apps/radius/config) to set the file name and path of the file containing the process ID of the currently running RADIUS server. The default name and location is /var/portal/7.5/radius/radiusd.pid.
For example:
pidfile=/var/portal/7.5/radius/pin_radiusd.pid
You use the stop_radius script to stop the RADIUS daemon. To use the script, you must change three parameters.
Open the stop_radius script (BRM_home/bin/stop_radius) with a plain text editor.
Change the default values for the following parameters:
RADIUS_HOST= host_name RADIUS_PORT= port_number RADIUS_SECRET = secret
See "pin_radiusd_sig".
Close the file.
Note:
For information on how to use this script, see "Starting and Stopping the RADIUS Daemon".The number of selected threads is a major scalability factor. Usually, increasing the number of threads increases performance. Setting the number of threads too low decreases throughput. Setting the number too high wastes memory and causes unnecessary context switching to manage the extraneous processes.
There is no one criterion for setting the number of threads. Many factors impact the number of threads required, such as the cache size of each CPU, memory size, and swap size. Systems can handle as many as eight threads per CPU. On production systems, set these values higher.
Use the n_threads entry in the $CORE section of the RADIUS configuration file (BRM_home/apps/radius/config) to set the number of threads used by the RADIUS server to service incoming requests. Set the number of threads to process requests.
For example:
n_threads=4
Note:
Set the value of the dm_trans_be_max entry in your BRM database Data Manager pin.conf file to match the value of the n_threads entry. The number must match the num_connects entry in the RADIUS pin.conf file.See "Determining the Required Number of Back Ends" in BRM System Administrator's Guide.
Use the client entry in the $CORE section of the RADIUS configuration file (BRM_home/apps/radius/config) to define the list of RADIUS clients that are permitted to connect to the server. You can have multiple client entries. Make sure the NAS is listed in the client list.
For example:
client {
addr = nas1
addr = nas2
}
The secret entry is a common password shared between the RADIUS server and the NAS. It is used by the RADIUS protocol for security. Use the secret entry in the RADIUS configuration file (BRM_home/apps/radius/config) to set the password shared between the client NAS and RADIUS Manager.
Important:
The secret entry must be included with each NAS listing in the client section of the RADIUS configuration file. This entry must match on the NAS and RADIUS Manager.For example:
client {
addr = nas1
secret = testing123
}
Use the fdlimit entry in the $CORE section of the RADIUS configuration file (BRM_home/apps/radius/config) to set the process limit on the number of files handles. See UNIX man page setrlimit(2) for more information.
For example:
fdlimit=64
You must define which attributes are returned from the RADIUS server to the NAS in the authentication packet. These return attributes are set in the $DEFINE section in the RADIUS configuration file (BRM_home/apps/radius/config). To add or modify entries in the reply packet, edit the send section.
For example:
...
$DEFINE {
send {
Service-Type=Framed
Framed-IP-Netmask=255.255.255.0
Framed-IP-Address=255.255.255.254
}
}
...
To avoid repeating common elements, use the $DEFINE section of the RADIUS configuration file (BRM_home/apps/radius/config) to define entries that serve as configuration macros for the RADIUS configuration file. This portion of the $DEFINE section shows the preset elements available with RADIUS Manager:
$DEFINE {
basic-ip-settings {
send {
Service-Type=Framed
Framed-IP-Netmask=255.255.255.0
Framed-IP-Address=255.255.255.254
}
}
}
You can gather internal statistics on the performance of queues and connections. This data is exported at specified intervals to a log file. Use the instrumentation section of the RADIUS configuration file (BRM_home/apps/radius/config) to enable this feature.
To enable or disable the instrumentation feature, use the status entry.
To specify the name of the log file, use the file entry.
To specify in seconds the interval at which performance data is written to the log file, use the interval entry.
Instrumentation{
#status = disabled
#status = enabled
file = radius.statlog
interval = 10
instrument {
queue
##threads
##packets
##performance
##request
##response
##fd
##module
connections
##clients
##proxy
}
}
===================================================== Logging Queue Stats. (Wed Jul 11 16:00:21 2001) ===================================================== current Active = 0 current Size = 1 current Waiting = 1 high Size = 1 low Size = 0 max Size = 300 high Active = 0 high Waiting = 1 average Size = 1 duplicates detected = 0 queue overflows = 0 last request spent 0ms in queue average time requests spent in queue = 0ms updated queue stats 1 times this interval logging interval = 10 seconds =====================================================
Sample Log File for Connections
===================================================== Logging Connections Stats. (Wed Jul 11 16:00:21 2001) ===================================================== current Active = 0 current Connects = 4 current Dead = 0 current Free = 4 max Active = 0 max Connects = 4 max Dead = 0 max Free = 4 updated connection stats 1 times logging interval = 10 seconds =====================================================
You configure the following IP options for a customer account in Customer Center:
The protocol the customer will use (PPP or SLIP).
The IP address of the customer's host machine (xxx.xxx.xxx.xxx).
Whether or not header compression should be used.
Any protocol extensions (attribute-value pairs that control the IP connection).
This example shows sample settings for the $DEFINE and $CONFIG sections of the RADIUS configuration file (BRM_home/apps/radius/config):
$DEFINE {
basic-ip-settings {
send {
Service-Type=Framed
Framed-IP-Netmask=255.255.255.0
Framed-IP-Address=255.255.255.254
}
}
}
$CONFIG {
$CORE {
listen {
port = 1812
}
listen {
port = 1813
}
log {
file=/var/portal/__VERSION__/radius/radius.pinlog
level=2
}
debug {
#all
}
dictionary=/opt/portal/__VERSION__/apps/radius/dictionary
pidfile=/var/portal/__VERSION__/radius/pin_radiusd.pid
n_threads=4
req_queue=40
fdlimit=64
client {
addr = nas1
secret = testing123
}
#options = Ignore-Acct-Auth
}
}
Note:
You normally stop and start the RADIUS daemon to activate changes you made to the RADIUS configuration file (BRM_home/apps/radius/config). Some configuration changes can be activated dynamically (without restarting the RADIUS daemon). See "Reconfiguring Your RADIUS Server without Stopping Operation".To start or stop the RADIUS daemon:
Important:
Ensure that the RADIUS configuration file and dictionary file are in the BRM_home/apps/radius directory.To start the RADIUS daemon, run the BRM_home/bin/start_radius script.
To stop the RADIUS daemon, run the BRM_home/bin/stop_radius script.
Important:
If this is the first time you are running the stop_radius script, ensure that the parameters in the script are configured for your system. See "Configuring the stop_radius Script".Use the pin_radiusd_sig utility to reconfigure many RADIUS server functions without stopping operation. RADIUS server reconfiguration is implemented by making changes to the configuration file and then sending a reconfiguration event to the server. See "pin_radiusd_sig".
pin_radiusd_sig reconfigures RADIUS server functions while the server is running, extracts status information about the RADIUS server, and restarts the RADIUS server. pin_radiusd_sig reconfigures the following RADIUS server functions:
Log file and log level.
Debugging on/off.
Number of threads.
Size of the request queue.
Listening ports.
NAS clients and secrets.
The following RADIUS server features cannot be dynamically reconfigured:
The data dictionary.
Modules incorporated into the server.
mod_pin configuration parameters:
timezone
network
charge-on-reboot
CM connection information
After you configure the core settings and define configuration macros in the $CORE and $DEFINE modules of the RADIUS configuration file, you need to configure the modules used by RADIUS Manager for handling RADIUS requests. See "Understanding RADIUS Manager Modules".