Oracle® Communications Service Broker Online Mediation Controller Implementation Guide
Release 6.0

Part Number E23527-02

12 Setting Up RADIUS Mediation for Authentication and Authorization

This chapter describes the steps required to install, configure, administer, and use Oracle Communications Service Broker to act as a Remote Authentication Dial In User Service (RADIUS) Manager and support RADIUS Authentication and Authorization with Oracle Communications Billing and Revenue Management (BRM).

About RADIUS Authentication and Authorization Mediation

Service Broker translates RADIUS authentication and authorization requests to PCP requests that BRM understands.

Figure 12-1 shows the Service Broker components that you need to set up and configure to apply the BRM authentication and authorization services in a network supporting authentication and authorization with RADIUS.

Figure 12-1 Service Broker Components for Authentication and Authorization

Configuring RADIUS Authentication and Authorization

To set up Service Broker to perform RADIUS Authentication and Authorization mediation to PCP, you need to configure the following Service Broker components:

Performing RADIUS Authentication and Authorization

See Oracle Communications Billing and Revenue Management RADIUS Manager for information on how authentication and authorization are performed in BRM.

Configuration Workflow

To create an end-to-end configuration for RADIUS authentication and authorization:

  1. Configure the RADIUS SSU. See "Configuring the RADIUS SSU".

  2. Create a set of client profiles and AVP filters for requests and responses. See "Configuring a Client Profile and AVP Filters".

  3. Create a set of Proxy Realms. See "Adding Proxy Realms".

  4. Add service mappings to define how RADIUS services are mapped to BRM service codes. See "Configuring RADIUS Mediation".

  5. Configure the PCP SSU to connect to BRM. See "Connecting to BRM Through PCP".

Configuring the RADIUS SSU

Configure the RADIUS SSU as described in "Configuring the RADIUS SSU" in Oracle Communications Service Broker Signaling Domain Configuration Guide. Specifically, use the following configuration data:

  1. Create a new incoming routing rule.

  2. Set Local Realm to any. This is a case-sensitive field.

  3. Set Alias to anything. This is a mandatory field in the configuration but it is not used in the authentication and authorization use case. These requests are always routed to the RADIUS authentication and authorization module.

Configuring a Client Profile and AVP Filters

To create a client profile:

  1. In the RADIUS SSU Configuration screen, click the RADIUS tab and then the Client Profile tab, and then the ClientProfile sub tab to define the NAS client profile properties.

  2. Click New.

  3. In the New window enter:

    In the Client Address field, enter the address or address range for the NAS client to configure. You can define a single IP address or host name, or a group if entered as a regular expression.

    In the Client NAS Identifier field, enter the ID of the client network authentication server (NAS). This can be a fully qualified domain name.

    In the Authentication Shared Secret Key field, enter the key in the credential store that maps to the secret used to identify authentication requests from the NAS client. For more information about the credential store, see Oracle Communications Service Broker System Administrator's Guide.

    In the accountingSharedSecretKey field, enter the key in the credential store that maps to the secret used to identify accounting requests from the NAS client.

  4. Click OK.

  5. Click the Avps to copy from Request to Response tab.

  6. Choose the client profile to apply the filter to from the Parent drop-down list. The index of the client profile correlates to the keyId assigned to the client profile.

  7. Repeat for each AVP that is present in an incoming request and shall be included in the response:

    1. Click New.

    2. In the New window, enter:

      In the Service field, enter the service ID for an AVP that is included in the request and shall be included in the response.

    3. Click OK.

  8. Click OK.

Adding Proxy Realms

To add a proxy realm to proxy requests to:

  1. In the RADIUS SSU Configuration screen, click the RADIUS tab and then the Proxy Realm tab.

  2. Click New.

  3. In the New window enter:

    In the Name of the proxy realm field, enter a symbolic name for the RADIUS server to proxy requests to.

    In the UsernameMatch Criteria field, enter the user name matching criteria. Enter it as a regular expression that matches the realm part of the User-Name attribute in the request. For example, enter isp1.net for any user that belongs to isp1.net.

    In the Authentication Shared Secret Key field, enter a shared secret key used for authentication requests from the NAS client.

    In the Authentication Shared Secret Key field, enter the key in the credential store that maps to the secret used to identify authentication requests from the NAS client. For more information about the credential store, see Oracle Communications Service Broker System Administrator's Guide.

    In the Accounting Shared Secret Key field, enter the key in the credential store that maps to the secret used to identify accounting requests from the NAS client.

    In the Request Timeout field, enter the number of seconds to wait for a response before a request is considered to have timed out and the request is retried.

    In the Number of Retries field, enter the number of times to retry to forward a request before it is considered to have failed.

  4. Click OK.
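
The Client Address field of the client profile and the UsernameMatch Criteria field of the proxy realm both accept regular expressions, and a pattern such as isp1.net matches more than the literal text when the dot is unescaped or the pattern is unanchored. The following is an added example, not part of the Oracle guide: it checks a pattern against constructed sample values under both substring and whole-string matching, because the guide does not state which one Service Broker applies, and it assumes Python's re module as a stand-in for the product's regular-expression engine.

```python
import re

def unintended_matches(pattern, samples, intended):
    """Return, per matching mode, the samples that match but were not intended.

    "search" models an engine that accepts a match anywhere in the value;
    "fullmatch" models one that requires the whole value to match.
    """
    rx = re.compile(pattern)
    modes = {"search": rx.search, "fullmatch": rx.fullmatch}
    return {
        mode: [s for s in samples if match(s) and s not in intended]
        for mode, match in modes.items()
    }

def literal_pattern(value):
    """Build an anchored pattern that matches exactly one literal value."""
    return "^" + re.escape(value) + "$"

# Constructed sample values; only isp1.net appears in the guide.
REALMS = ["isp1.net", "isp1xnet", "isp1.net.example", "notisp1.net"]
ADDRESSES = ["10.0.0.1", "10.0.0.11", "10a0b0c1", "110.0.0.1"]

def report():
    """Audit the loose and the anchored form of each pattern."""
    cases = [
        ("isp1.net", REALMS, {"isp1.net"}),
        (literal_pattern("isp1.net"), REALMS, {"isp1.net"}),
        ("10.0.0.1", ADDRESSES, {"10.0.0.1"}),
        (literal_pattern("10.0.0.1"), ADDRESSES, {"10.0.0.1"}),
    ]
    return {pattern: unintended_matches(pattern, samples, intended)
            for pattern, samples, intended in cases}

if __name__ == "__main__":
    for pattern, result in report().items():
        print(f"{pattern!r}: {result}")
```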

Connecting to BRM Through PCP

To connect Service Broker to Oracle Communications BRM:

  1. Create BRM connection pools in the PCP SSU, as described in "Defining Connection Pools" in the chapter "Configuring the PCP Signaling Server Unit" in Oracle Communications Service Broker Signaling Domain Configuration Guide.

    See also "About Connection Pooling" in Oracle Communications Billing and Revenue Management System Administrator's Guide.

  2. Secure the BRM connection pools that you created in step 1, as described in "Securing Connection Pools" in the chapter "Configuring the PCP Signaling Server Unit" in Oracle Communications Service Broker Signaling Domain Configuration Guide.

    In the Administration Console:

    1. In the navigation tree, expand the OCSB node, and then the Signaling Tier node.

    2. Select the SSU PCP node.

    3. In the PCP tab, select the Credential Store tab.

    4. In the Password area, in the Key field, enter the ID of the connection pool that you want to secure. This should be the Pool ID that you assigned to the connection pool when you created the connection pool in step 1.

    5. In the Password area, in the Password field, enter the password of the Oracle Communications BRM client application account used by the connection pool to access the BRM. This should be the password of the account that you configured in the BRM CM Login ID field when you initially defined the connection pool.

    6. In the Password area, uncheck the one-way checkbox.

    7. In the Password area, click the Set Password button.

    8. Repeat steps d through d for each connection pool that you want to secure.

  3. Define destination BRM applications, as described in "Defining PCP Network Entities" in the chapter "Configuring the PCP Signaling Server Unit" in Oracle Communications Service Broker Signaling Domain Configuration Guide.

Configuring RADIUS Mediation

This section describes how to configure RADIUS Mediation using the Service Broker Administration Console.

To access the RADIUS Mediation Configuration screen:

  1. In the domain navigation pane, expand OCSB.

  2. Expand Processing Tier.

  3. Click RADIUS Mediation.

The Radius Mediation configuration pane contains the subtabs described in Table 12-1.

Table 12-1 RadiusAuthentication Configuration Subtabs

| Subtab | Description |
|---|---|
| General | Enables you to define the time-out value for authentication requests and how to treat accounting requests when Service Broker operates in degraded mode. See "Configuring General Parameters". |
| Service Type | Enables you to define the mapping between RADIUS application IDs and BRM service IDs. See "Configuring Service Type Parameters". |


Configuring General Parameters

The General tab enables you to set up how the Authentication application treats authentication requests that time out. Table 12-2 describes configuration parameters in the General subtab.

Table 12-2 Authentication Application General Parameters

| Name | Type | Description |
|---|---|---|
| auth-timeout | Integer | The time, in seconds, to allow for an authentication request to execute before it is considered to have timed out. |
| degraded-mode-behavior | Enumeration, drop-down menu | Defines how authentication requests that time out are handled. Choose accept to treat the requests as accepted, discard to discard the requests, or reject to reject the request. |


Configuring Service Type Parameters

The ServiceType tab enables you to set up a mapping between RADIUS application IDs and BRM service types. Table 12-3 describes configuration parameters in the ServiceType subtab.

Table 12-3 Authentication Application Service Type Parameters

| Name | Type | Description |
|---|---|---|
| Id | Integer | The RADIUS application ID to be mapped to a BRM service type. |
| type | String | The BRM service type to use for the corresponding RADIUS application ID. For example: service/ip |
| default | Boolean | Set to true to use this as a default value, or false to not use it as a default value. |


Extending Authentication and Authorization Support

You can extend the authentication and authorization functionality by adding support for custom RADIUS AVPs. You do that by adding custom AVPs to the RADIUS dictionary in the RADIUS SSU. See “Configuring the RADIUS SSU” in Oracle Communications Service Broker Signaling Domain Configuration Guide for more information.