This chapter explains how to use Oracle Communications Billing and Revenue Management (BRM) RADIUS Manager with iPass roaming services. Before implementing support for iPass roaming services, you should be familiar with:
RADIUS Manager supports both local and remote iPass authentication and accounting. A typical iPass roaming solution:
Performs all local and remote iPass tasks.
Uses online accounting.
Uses local authentication by BRM.
Uses local accounting by BRM.
Before you configure RADIUS Manager to support iPass roaming, you must perform these tasks:
Obtain the iPass NetServer software and an Internet service provider (ISP) account number from iPass.
Install and set up the NetServer software per the instructions included with the software. The NetServer software package contains the RoamServer software (VNAS) and iPass-enabled RADIUS software.
In most installations, requests for iPass roaming can't be immediately identified. Because there are no attribute patterns in the request packet that allow RADIUS Manager to identify the request as an iPass request, this procedure is used:
The pin_radiusd server forwards the request to an iPass-enabled RADIUS server.
The iPass-enabled RADIUS server uses the mod_proxy module to forward the request to the iPass central server.
For iPass roaming requests to be processed:
The login name must include an @ symbol. The mod_proxy module must be configured to check for this symbol.
Any authentication modules configured in the module chain that precede the BRM authentication module, mod_pin, must not authenticate the user. To satisfy this criteria, all authentication modules that precede mod_proxy in the chain must use the Ignore-No-Entry option. Setting the Ignore-No-Entry option allows the request to pass on to the next module instead of returning a NAK (not acknowledged).
The mod_proxy module should be the last authentication module in the chain.
After the authentication request is passed to the iPass-enabled RADIUS server, the NAS (network access server) sends the corresponding accounting requests to signal the start and end of the session. Use the send option to append the Class = "ipass" attribute-value pair in the auth_accept reply to the NAS and check for the appropriate Class attribute value.
You must configure mod_proxy to forward the requests to the iPass-enabled RADIUS server.
This example shows how to set the destination of the iPass-enabled RADIUS server in the $CORE section of the RADIUS configuration file (BRM_home/apps/radius/config, where BRM_home is the directory in which BRM components are installed):
$CORE {
...
mod_proxy {
server {
name = ipass_proxy_auth
addr = 10.15.210.14
port = 1812
secret = testing123
timeout = 30
}
server {
name = ipass_proxy_acct
addr = 10.15.210.14
port = 1813
secret = testing123
timeout = 30
}
...
}
...
}
This example shows how to configure the $MODULES section of the RADIUS configuration file (BRM_home/apps/radius/config) to forward requests to iPass:
ipass_auth {
type = mod_proxy
check {
Pseudo-Request-Type = Access-Request
}
send {
Class="ipass"
}
dest=ipass_proxy_auth
options=Ignore-No-Response
}
ipass_acct {
type = mod_proxy
check {
Pseudo-Request-Type = Accounting-Request
Class="ipass"
}
dest=ipass_proxy_acct
options=pass_through
}
All locally serviced iPass sessions are recorded as /event/service/dialup event objects and stored in the ipass account class. Locally serviced iPass sessions are identified by the class attribute-value pair, Class = "ipass". Put the mod_pin module immediately after the mod_proxy module.
Note:
The iPass account must already exist and contain at least one /service/ip account object prior to implementing the recording functions.This example shows the syntax in the RADIUS configuration file for iPass sessions:
serviced_ipass_session {
type = mod_pin
check {
Pseudo-Request-Type = Accounting-Request
Acct-Status-Type = Stop
Class="ipass"
}
login="ipass"
desc="%u"
options=Ignore-No-Entry
}
Remote authentication requests forwarded from iPass through the Virtual Network Access Server (VNAS) daemon are handled by the mod_pin module. This module handles both remote authentication and accounting requests. You must configure the check parameter to handle these requests.
This example shows how to configure the check parameter in the mod_pin module in the $MODULES section of the RADIUS configuration file (BRM_home/apps/radius/config):
ipass_remote {
type = mod_pin
check {
NAS-Identifier = "I-PASS VNAS"
}
}
Note:
The VNAS always sets the NAS-Identifier parameter to I-PASS VNAS for identification.
The Ignore-No-Entry option is not set in this example because the check against BRM could be the final authentication check.
The iPass model offers two methods of handling accounting information: online and batch. These methods require different configurations.
Caution:
Online and batch accounting should never be used concurrently with iPass. Changing from one method to the other may cause double billing.iPass sessions are often rated differently from local dial-up sessions. If this is the case, modify the PCM_OP_TERM_POL_ACCOUNTING policy opcode to rate the sessions differently.
When the policy is activated by an iPass remote Accounting-Off request, the PIN_FLD_TERMSERV_ID field contains I-PASS VNAS. The policy opcode can use this field in the iPass sessions to rate sessions differently.
Most iPass member ISPs use online accounting, which works well with the BRM billing model. When an iPass session is finished, the accounting records are forwarded in real time from the remote ISP to the home ISP of the roaming user. When you use online accounting, sessions are recorded as /event/session/dialup objects.
Call detail report (CDR) files support batch accounting. The pin_ipass_loader utility loads batch accounting records from CDR files. When you use batch accounting, sessions are recorded as /event/session objects. See "Using the pin_ipass_loader Utility for Batch Accounting".
Note:
The PIN_FLD_DESCR field for the /event/session is a concatenation of the Description, Billing Code, GMT Time, Session charge per hour, and Dollar charge from iPass to home ISP fields from the CDR.To support batch accounting, all accounting packets forwarded from VNAS must be discarded or logged to a log file. To discard them, add this module configuration to the RADIUS configuration file (BRM_home/apps/radius/config):
discard_vnas_acct {
type=mod_null
check {
Pseudo-Request-Type = Accounting-Request
NAS-Identifier = "I-PASS VNAS"
}
action = ack
}
Sessions are loaded into /event/session objects from the iPass CDR file.
To log the accounting packets to a log file, add this module configuration to the RADIUS configuration file (BRM_home/apps/radius/config):
log_vnas_acct {
type=mod_logging
dest=ipass_acct.log
check {
Pseudo-Request-Type = Accounting-Request
NAS-Identifier = "I-PASS VNAS"
}
}
discard_vnas_acct {
type=mod_null
check {
Pseudo-Request-Type = Accounting-Request
NAS-Identifier = "I-PASS VNAS"
}
action = ack
}
Note:
The mod_null module is required to ACK the requests properly because mod_logging only records the session and then passes on the request.A CDR file is an ASCII file containing one record per connection. Records are comma-delimited, and character strings are surrounded by double quotation marks. Numeric fields can include a decimal point.
Table 13-1 shows the CDR values with reference to BRM.
| Field | Meaning | Stored in BRM As |
|---|---|---|
|
Transaction ID |
The unique ID for a transaction. |
PIN_FLD_EVENT_NO |
|
Billing Code |
Code used by iPass, but ignored by pin_ipass_loader. |
PIN_FLD_DESCR |
|
Login |
User ID for this session. |
PIN_FLD_SERVICE_OBJ |
|
Domain |
Added to Login when -u is specified. |
PIN_FLD_SERVICE_OBJ |
|
Description |
Normally the remote location. Can also be used for "Monthly Fee". |
PIN_FLD_DESCR |
|
GMT Time |
Ignored by pin_ipass_loader. |
PIN_FLD_DESCR |
|
Local Time |
Indicates the session end time. |
PIN_FLD_END_T |
|
Session Length |
Can be used in rating calculations. Subtracted from Local Time to determine the session start time. |
PIN_FLD_START_T |
|
Session charge per hour |
Session rate used by iPass, but ignored by pin_ipass_loader. |
PIN_FLD_DESCR |
|
Dollar charge from iPass to home ISP |
Can be used in rating calculation and to calculate a balance impact. |
PIN_FLD_DESCR |
Note:
Currency in a CDR file must be US dollars (USD).
The EVENT_ID field in the /event object checks for uniqueness against the trans-id field in the CDR file. A session with the same transaction ID is loaded only once into the database.
To add to the amount charged by iPass, rate by cost of session.
To pass the monthly fee to the subscriber, use the monthly fee option with pin_ipass_loader.
This example shows how to configure the RADIUS configuration file (BRM_home/apps/radius/config) to support a typical iPass roaming solution:
$CORE {
...
mod_proxy {
server {
name = ipass_proxy_auth
addr = 10.15.210.14 #proxy ip address
port = 1812
secret = testing123
timeout = 30
}
server {
name = ipass_proxy_acct
addr = 10.15.210.14 #proxy ip address
port = 1813
secret = testing123
timeout = 30
}
...
}
...
}
$MODULE {
ipass_remote {
type = mod_pin
check {
NAS-Identifier = "I-PASS VNAS"
}
}
pin_local_auth {
type = mod_pin
check {
Pseudo-Request-Type = Access-Request
}
option = Ignore-No-Entry
send {
Class = "PIN"
}
}
pin_local_acct {
type = mod_pin
check {
Pseudo-Request-Type = Accounting-Request
Class = "PIN"
}
option = Ignore-No-Entry
}
ipass_auth {
type = mod_proxy
check {
Pseudo-Request-Type = Access-Request
}
send {
Class="ipass"
}
dest=ipass_proxy_auth
options=Ignore-No-Response
}
ipass_acct {
type = mod_proxy
check {
Pseudo-Request-Type = Accounting-Request
Class="ipass"
}
dest=ipass_proxy_acct
options=Pass-Through
}
serviced_ipass_session {
type = mod_pin
check {
Pseudo-Request-Type = Accounting-Request
Acct-Status-Type = Stop
Class="ipass"
}
login="ipass"
desc="%u"
options=Ignore-No-Entry
}
terminator {
type = mod_null
action = nak
}
}
The pin_ipass_loader utility loads the iPass CDRs into the BRM database. This utility reads and processes the specified CDR files line by line. For each line, the utility checks that the transaction ID does not already exist in the database and then applies the charges to the database.
The utility logs any errors to the default.pinlog file and moves to the next record. When processing is complete, the utility prints statistics for the batch and then indicates whether any errors occurred.
See "pin_ipass_loader" for parameter definitions and "iPass Call Detail Record File Definition".
To run pin_ipass_loader, use this command:
pin_ipass_loader -f input_file
The following example shows a CDR file with a single call.
"db4:2448","0","userb","anynet.com","Korea","02-Nov-2001 02:50:48","02-Nov-2001 02:50:48","600","1.00", "5.00"
See "pin_ipass_loader".
The pin_ipass_loader utility provides two possible ways to rate a session: based on session length or dollar charge from iPass. Either or both parameters can be used.
The optional parameters -s, -c, -u and -m determine the specific behavior of pin_ipass_loader as follows:
To rate based on session length, specify the rate name after the -s option. The default is ip/dialup/async/hourly. BRM silently ignores this part of the charge if it cannot be rated.
To rate based on session cost, specify the rate name after the -c option. The default is no rate name. BRM cannot rate a charge without a rate name. If you don't specify a rate for the -c option, BRM silently ignores all dollar charges in the CDR file.
To rate based on a monthly charge, specify the rate name after the -m option. The default is to print an error. iPass indicates "monthly charges" as charges with a session length of zero. BRM will rate the session. BRM silently ignores this part of the charge if it cannot be rated. To ignore monthly charges, specify a dummy string along with the -m option.
pin_ipass_loader processes one line at a time. If an error occurs, details are recorded to the problem file and the next record is processed. When processing completes, a message prints if any errors occurred. A line error occurs in following circumstances:
The line fails to parse, possibly due to an incorrect number of fields, bad syntax, or invalid values. Only limited data guarding is performed because the CDR file is computer generated.
The transaction ID is already in the database. This prevents loading the same record multiple times.
The user is not found in the database. Checks that the unqualified/qualified options are appropriately specified.
A monthly charge (when session_length_rate is set to 0) is found and the -m option was not specified.
The PCM_OP_ACT_LOAD_SESSION opcode returns an error.
Note:
pin_ipass_loader silently fails if BRM cannot rate the session. This can happen if an unknown rate name is used with the -s, -c, or -m option, or if no -c option is specified and the user wants to capture the US dollar (USD) charge from iPass.