33 Configuring RADIUS-Group Objects

A RADIUS group is a uniquely named object that defines the authentication and accounting services associated with a group of RADIUS servers. Including a RADIUS group in the VSP configuration allows the ME system (the RADIUS client) to perform user authentication and forward accounting and SIP call detail records to the RADIUS servers. You can create as many uniquely named RADIUS groups as you need and include each of them in the VSPs of your choice.

Setting Server Priority

The ME allows you to set server priority to influence which server receives authentication requests. To use this feature, set the authentication-mode property in the radius-group object to prioritized. Set the priority for the server with the priority property of the server object. The ME then manages authentication requests using the following logic:

  1. The ME always sends an authentication request to the server with the highest priority. The lower the number, the higher the priority.

  2. If the request times out, the ME sends the request to the next-highest-priority server. This timeout status is applicable for that request only. The ME will forward the next request to the highest priority server.

  3. The ME continues with this action until either a server replies with an Accept or a Reject, or until there are no more configured servers. If there are no more servers to try, the ME rejects the call.

Note that in prioritized mode, the ME does not determine that servers are dead due to consecutive failures. As long as a server is enabled in the configuration, the ME continues to forward requests, regardless of the number of failures.

When configuring for prioritization, it is important to set different priority values for the servers. Otherwise, the ME randomly selects from servers with the same value, negating the effects of prioritized mode. If that should happen, the ME generates an event indicating that multiple servers have the same priority. The following two examples illustrate how the ME forwards requests with multiple servers of the same priority:

  • Server A has a priority of 1, and servers B and C have a priority of 2. The ME sends all requests to server A, with the highest priority, first. If A does not respond, the ME picks randomly between B and C.

  • Servers A and B have a priority of 1, and server C has a priority of 2. The ME selects randomly between A and B, and sends all requests to that server first. If that server times out, the ME sends all requests to the other highest-priority server. (For example, if the ME picks A first, and it times out, it then sends requests to B, not C.)
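The prioritized walk described above, as an added example that is not part of this reference or Oracle's code: server names, response outcomes and the random source are constructed inputs, and the wait-time bound assumes a server receives 1 + retries transmissions before the next one is tried.

```python
import random
from dataclasses import dataclass

# Added example, not Oracle's code: models the prioritized authentication-mode
# walk described above. Names, responses and the rng are constructed inputs.

@dataclass
class Server:
    name: str
    priority: int            # lower value = higher priority (1-99 on the ME)
    admin: str = "enabled"   # disabled servers are never tried

def priority_order(servers, rng=random):
    """Order in which one Access-Request walks the group: ascending priority
    value, with servers sharing a value shuffled (the ME picks randomly)."""
    enabled = [s for s in servers if s.admin == "enabled"]
    order = []
    for value in sorted({s.priority for s in enabled}):
        tier = [s for s in enabled if s.priority == value]
        rng.shuffle(tier)
        order.extend(tier)
    return order

def duplicate_priorities(servers):
    """Priority values shared by several enabled servers; the ME raises an
    event for these because the random pick negates prioritization."""
    by_value = {}
    for s in servers:
        if s.admin == "enabled":
            by_value.setdefault(s.priority, []).append(s.name)
    return {v: names for v, names in by_value.items() if len(names) > 1}

def authenticate(servers, responses, rng=random):
    """Simulate one request. `responses` maps server name to 'accept',
    'reject' or 'timeout' (missing = timeout). A timeout only skips that
    server for this request; no server is ever marked dead."""
    tried = []
    for s in priority_order(servers, rng):
        tried.append(s.name)
        answer = responses.get(s.name, "timeout")
        if answer in ("accept", "reject"):
            return answer, tried
    return "reject", tried   # no more servers to try: the ME rejects the call

def worst_case_wait_ms(servers, timeout_ms=1000, retries=3):
    """Upper bound on the caller's wait before rejection when every server
    times out. Assumes each server gets 1 + retries transmissions."""
    enabled = sum(1 for s in servers if s.admin == "enabled")
    return enabled * (1 + retries) * timeout_ms
```

Running `authenticate` twice on the same group recomputes the order each time, which is why a timed-out server is tried again on the next request.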

radius-group

Configures a RADIUS group, to which you add servers using the server object. Setting up a RADIUS group in one or more VSP configurations allows the ME system (the RADIUS client) to perform SIP traffic authentication and to forward accounting and SIP call detail records to the RADIUS servers. (To set up authentication for user access, use the access radius object.)

Specify the new or existing RADIUS group name using up to 16 alphanumeric characters with no blank spaces.

Syntax

config vsp radius-group targetname 

Properties

admin: Enables or disables the system RADIUS server group configuration. When enabled, the system forwards SIP call detail records to configured RADIUS group server(s).

Default: enabled
Values: enabled | disabled

Example: set admin disabled

accounting-mode: Sets the RADIUS group accounting operational algorithm.

Default: duplicate
Values:

  • round-robin: If you configure multiple accounting servers in the group, the round-robin algorithm keeps sending the accounting request to the primary and then the secondary servers until a valid accounting response is received.

  • duplicate: The duplicate algorithm issues duplicate accounting requests to all servers in the RADIUS accounting group. A duplicate accounting request uses the same client source IP address and source UDP port.

  • fail-over <retries>: If you configure multiple accounting servers, the failover algorithm forwards accounting requests to secondary servers should the current accounting server fail. You can specify up to 256 failover servers.

Example: set accounting-mode round-robin

authentication-mode: Sets the RADIUS group authentication operational algorithm.

Default: failover 3
Values:

  • round-robin: The round-robin algorithm keeps sending the authentication request to the primary and then the secondary servers until a valid authentication response is received.

  • fail-over <retries>: The failover algorithm forwards authentication requests to secondary servers should the current authentication server fail. You can specify up to 256 failover attempts to other servers.

  • prioritized: The ME forwards authentication requests to the server with the highest assigned priority. If that server does not respond, the system forwards the request to the next-highest-priority server. Set the priority with the server > priority property. See Setting Server Priority for more information.

Example: set authentication-mode round-robin

type: Sets the type of SIP accounting record to use. Currently, the only valid SIP accounting record type is Cisco.

Default: cisco

Example: set type cisco

include-in-default: Specifies if this RADIUS group is to be included in the default RADIUS authentication and accounting target group.

If set to true, authentication and accounting requests are forwarded to this group if there are no configured policies that govern or redirect RADIUS requests to other servers.

Default: true
Values: true | false

Example: set include-in-default false

digest-attributes-format: Sets the correct Digest authentication attributes format for use with RADIUS.

Default: draft-sterman-aaa-sip-03
Values:

  • draft-sterman-aaa-sip-03: Set to this experimental format if you are using FreeRADIUS.

  • draft-ietf-radext-digest-auth-05: Set to this early proposed standard if you are using Steel-Belted RADIUS.

  • rfc-4590: Set to RFC 4590 if you are using standard RADIUS.

Example: set digest-attributes-format rfc-4590

send-session-id: Specifies whether the system correlates RADIUS access requests with accounting requests. When true, the system sends the Acct-Session-ID attribute in its RADIUS auth-requests. When false, this attribute is sent only in accounting messages.

Default: true
Values: true | false

Example: set send-session-id false

include-digest-domain-in-user-name: Specifies whether to append the user's domain name to the RADIUS User-Name attribute. Enable this property if the RADIUS server requires the domain name to be included in the attribute. If the User-Name attribute already contains a domain name, the system does not take any action.

Default: disabled
Values: enabled | disabled

Example: set include-digest-domain-in-user-name enabled

send-user-agent: Specifies whether to include the User-Agent header value in the RADIUS Auth-Request message. If set to true, the ME includes the User-Agent header in the Connect-Info RADIUS attribute.

Default: false
Values: true | false

Example: set send-user-agent true

service-type: Maps a RADIUS service type to a SIP message type. If the system authenticates a message type that has a mapped service type, it will include that Service-Type attribute in the RADIUS request. If a service type has not been mapped to the message type the system is authenticating, but there is a mapping for the message type OTHER, the system includes the OTHER service type in the request. If there is no mapping for the actual or the OTHER method, then the system does not include any Service-Type attribute in the request.

Default: There is no default setting

Example: set service-type other

application: Enables or disables this normalization plan. When enabled, the system provides normalization for matching SIP messages. When disabled, you can configure the plan properties but the system does not apply it.

Default: authentication
Values:

  • authentication: Use SIP authentication

  • routing: Use Oracle SIP routing

Example: set application routing

custom-accounting: Enables or disables free-form accounting services for this VSP. When enabled, free-form accounting is used. When disabled, the ME uses existing, predefined CDRs.

Default: disabled
Values: enabled | disabled

Example: set custom-accounting enabled

server

Identifies and configures the RADIUS servers that are part of this RADIUS group. Enter a host name or IP address to identify the server.

Syntax

config vsp radius-group name server serverName

Properties

admin: Enables or disables the system RADIUS authentication and accounting server configuration. When enabled, authentication and SIP call accounting records are forwarded to the specified server IP address and port numbers.

Default: enabled
Values: enabled | disabled

Example: set admin disabled

authentication-port: Sets the UDP port over which the system RADIUS client sends authentication requests to the RADIUS server.

Default: 1812
Values: Min: 1 / Max: 65535

Example: set authentication-port 1800

authentication-sockets: Sets the number of sockets reserved for request IDs on a server. With one socket, the default, the 8-bit number space allows up to 255 outstanding requests per server. Assign additional sockets if you have a high-volume application that requires sending many requests at one time. Each additional socket increases capacity by 255 requests.

Default: 1
Values: Min: 1 / Max: 8

Example: set authentication-sockets 2

accounting-port: Sets the UDP port number over which the system RADIUS client sends accounting requests to the RADIUS server.

Default: 1813
Values: Min: 1 / Max: 65535

Example: set accounting-port 1801

secret-tag: Specifies the shared secret used to authenticate transactions between the system RADIUS client and the RADIUS server. See Understanding Passwords and Tags for information on the ME two-part password mechanism. Enter up to 32 alphanumeric characters.

Default: There is no default setting

Example: set secret-tag abc123xyz

timeout: Specifies the time (in milliseconds) to elapse before an accounting or authentication request to a RADIUS server times out. If the request times out, the system retries the request for the specified number of attempts before the request is forwarded to the next RADIUS server in the configuration.

Default: 1000
Values: Min: 1 / Max: 65535

Example: set timeout 2000

retries: Sets the number of times the system retransmits an accounting or authentication request if the RADIUS server does not respond.

Default: 3
Values: Min: 2 / Max: 5

Example: set retries 4

window: Sets the maximum number of simultaneous requests the system client can send to the RADIUS server. Note that if you configure multiple sockets with the authentication-sockets property, this window value is a per-socket allowance.

Default: 64
Values: Min: 8 / Max: 255

Example: set window 255

priority: Configures a priority for the server. Set this property if the authentication-mode property of the radius-group object is set to prioritized. The lower the value, the higher the priority. Note that each server in a RADIUS group must have a different priority for prioritization to work correctly. See Setting Server Priority for more information.

Default: 1
Values: Min: 1 / Max: 99

Example: set priority 5