Profiles RADIUS
The RADIUS profile is used to define a cluster of RADIUS servers to be used for authentication of the UNI ports on the OLT. The RADIUS profile also allows a discriminator that is used to define the RADIUS authenticator based on a MAC and mask. This allows sending specific devices such as phones to a different authenticator.

RADIUS Profile Attributes
| Attribute | Values | Default | Req | Description |
|---|---|---|---|---|
| Discriminator | | | | Container |
| Aid-selector-list | | | | List Container |
| Id | Int32 | N/A | Y | Integer index of the discriminator list. |
| Aid-first | String | N/A | Y | Defines a template for port ID information. Typically only set by the EMS. |
| Count | Int32 | N/A | Y | The number of ports to apply this rule to. |
| Group-type | Enum | N/A | Y | Bolt – Applies to all the olts, olt-mini – applies to all of olts, ont070 – applies to ONT70, ont120, ont121-w, ont121-wx, ont131-w, ont140, ont140-cl, ont142-r, ont180, ont202, ont203-w, ont205, ont224, ont248, ont248-x, ont701, ont703, ont704, ont705, ont709, ont712, ont729, ont729-gp, ont734, ont742-g, ont742-gr, ontbasic |
| Rule-priority | Int32 | N/A | N | The priority to apply to the rule when conflicts in the rule exist. |
| Redundancy-mode | failover \| roundrobin | failover | N | Failover – First server that answers is used until it fails, then move to the next. roundrobin – Each request is sent to a different server in a round robin fashion. |
| Server-list | | | | Container for list of servers. |
| Admin-state | enabled \| disabled | enabled | N | Whether this RADIUS server entry is in use. If disabled, radius server is skipped. |
| Dae-admin-state | enabled \| disabled | enabled | N | Whether dynamic authorization extensions are supported/allowed for this server. |
| Dae-udp-port | 1..65535 | 3799 | N | The port to accept DAE requests on. |
| Nas-udp-port | 1..65535 | 1812 | N | The port to send RADIUS requests from. |
| Server | String | N/A | N | The IP or hostname of the RADIUS server. |
| Server-udp-port | 1..65535 | 1812 | N | Port to use on the server. |
| Shared-key | ip address \| hostname | N/A | N | The server secret key to be used to secure RADIUS communications. |

Note: * = required parameter. The required parameter name does not have to be entered in the command script. The system automatically recognizes the entered parameters by their placement.
- Command Path – tolt>profiles>radius-profiles>
- Module – tolt
- Container – profiles
- *Name – The name of the radius profile.
- Types –
- Container – radius-profile
- *Name – The name of the radius profile.
- Printable string (default N/A)
- Container – discriminator
- Container – Selector-list
- *id – Integer index of the discriminator list.
- *aid-first – The AID of the first port to apply this to.
- *Count – The number of ports to apply this rule to.
- *group-type – Bolt – Applies to all of the olt, olt-mini – applies to all of olt, ont070 – applies to ONT70, ont120, ont121-w, ont121-wx, ont131-w, ont140, ont140-cl, ont142-r, ont180, ont202, ont203-w, ont205, ont224, ont248, ont248-x, ont701, ont703, ont704, ont705, ont709, ont712, ont729, ont729-gp, ont734, ont742-g, ont742-gr, ontbasic
- *Rule-priority – The priority to apply to the rule when conflicts in the rule exist.
- *Redundancy-mode – Failover – First server that answers is used until it fails, then move to the next. roundrobin – Each request is sent to a different server in a round robin fashion.
- failover | roundrobin (default Failover)
- Container – oui-mac-discriminator
- *Index – Entry index in the table.
- mac-address
- num-mask-bits
- Container – server-list
- Admin-state – Whether this RADIUS server entry is in use. If disabled, radius server is skipped.
- enabled | disabled (default enabled)
- Dae-admin-state – Whether dynamic authorization extensions are supported/allowed for this server.
- enabled | disabled (default enabled)
- Dae-udp-port – The port to accept DAE requests on.
- Nas-udp-port – The port to send RADIUS requests from.
- Server – The IP or hostname of the RADIUS server.
- ip address | hostname (default N/A)
- Server-udp-port – Port to use on the server.
- *Shared-key – The server secret key to be used to secure RADIUS communications.
RADIUS Profile Creation Example
The following command will create a radius cluster.
- Command Path – tolt>profiles>radius-profiles>
- Module – tolt
- Container – profiles
- Types – Example Parameters
- Container – radius-profiles
- *Name – basic-radius-profile
- Container – server-list 1
- admin-state enabled
- ip-address 10.20.30.100
- server-udp-port 1812
- shared-key super-secret-key
- Container – server-list 2
- admin-state disabled
- dae-admin-state enabled
- dae-udp-port 3799
- ip-address 10.20.30.100
- nas-udp-port 1812
- shared-key super-secret-key
- From the MDS1-ESUA<config># command line, input tolt profiles radius-profiles basic-radius-profile, and press Enter.
- From the MDS1-ESUA<config-radius-profiles-basic-radius-profile># command line, input server-list 1 and press Enter.
- From the MDS1-ESUA<config-server-list-1># command line, input admin-state enabled ip-address 10.20.30.100 server-udp-port 1812 shared-key super-secret-key and press Enter.
- From the MDS1-ESUA<config-server-list-1># command line, input exit and press Enter.
- From the MDS1-ESUA<config-radius-profiles-basic-radius-profile># command line, input server-list 2 and press Enter.
- From the MDS1-ESUA<config-server-list-2># command line, input admin-state disabled dae-admin-state enabled dae-udp-port 3799 ip-address 10.20.30.100 nas-udp-port 1812 shared-key super-secret-key and press Enter.
- Input commit and press Enter. Outputs similar to the following are displayed:
MDS1-ESUA<config># tolt profiles radius-profiles basic-radius-profile <enter>
MDS1-ESUA<config-radius-profiles-basic-radius-profile># server-list 1 <enter>
MDS1-ESUA<config-server-list-1># admin-state enabled ip-address 10.20.30.100 server-udp-port 1812 shared-key super-secret-key <enter>
MDS1-ESUA<config-server-list-1># exit <enter>
MDS1-ESUA<config-radius-profiles-basic-radius-profile># server-list 2 <enter>
MDS1-ESUA<config-server-list-2># admin-state disabled dae-admin-state enabled dae-udp-port 3799 ip-address 10.20.30.100 nas-udp-port 1812 shared-key super-secret-key <enter>
MDS1-ESUA<config-server-list-2># commit <enter>
Commit complete.
MDS1-ESUA<config-server-list-2># exit <enter>
MDS1-ESUA<config-radius-profiles-basic-radius-profile># exit <enter>
MDS1-ESUA<config>#_
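
The following Python model is an added example, not part of the vendor documentation or the OLT software. It shows how the redundancy-mode and admin-state attributes interact for the cluster created above. The class and function names are hypothetical, and the retry behaviour (failover stays on the new server after a switch, roundrobin skips servers that do not answer) is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Server:
    index: int                     # server-list entry number
    address: str
    admin_state: str = "enabled"   # default per the attribute table

class Cluster:
    """One RADIUS profile's server-list. Retry and fallback details are assumed."""

    def __init__(self, servers, redundancy_mode="failover"):
        # admin-state disabled: the entry is skipped entirely.
        self.active = [s for s in servers if s.admin_state == "enabled"]
        self.mode = redundancy_mode
        self.pos = 0               # position of the current (or next) server

    def send(self, is_up):
        """Return the index of the server that answers, or None.

        is_up(server) stands in for "a reply arrived before the timeout".
        """
        n = len(self.active)
        for step in range(n):
            i = (self.pos + step) % n
            if is_up(self.active[i]):
                # failover sticks to the answering server; roundrobin moves on.
                self.pos = i if self.mode == "failover" else (i + 1) % n
                return self.active[i].index
        return None

# The cluster from the creation example: entry 2 is admin-state disabled.
PAGE_EXAMPLE = [
    Server(1, "10.20.30.100", "enabled"),
    Server(2, "10.20.30.100", "disabled"),
]

def page_example_outage():
    """What the example cluster does when server 1 stops answering."""
    cluster = Cluster(PAGE_EXAMPLE, "failover")
    healthy = cluster.send(lambda s: True)
    during_outage = cluster.send(lambda s: s.index != 1)
    return healthy, during_outage

if __name__ == "__main__":
    print(page_example_outage())
```

With entry 2 disabled, the example profile has a single usable server, so an outage of 10.20.30.100 leaves no RADIUS server to answer authentication requests.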
RADIUS Profile Delete
The following command will delete a radius cluster.
- Command Path – no>tolt>profiles>radius-profiles>basic-radius-profile>
- Command – no
- Module – tolt
- Container – profiles
- Types – Example Parameters
- Container – radius-profiles
- *Name – basic-radius-profile
- From the MDS1-ESUA<config># command line, input no tolt profiles radius-profiles basic-radius-profile, and press Enter.
- From the MDS1-ESUA<config># command line, input commit and press Enter.
- Outputs similar to the following are displayed:
MDS1-ESUA<config># no tolt profiles radius-profiles basic-radius-profile <enter>
MDS1-ESUA<config># commit <enter>
Commit complete.
MDS1-ESUA<config>#_
RADIUS Profile Assignment
One or more RADIUS Profiles are assigned to a PAE profile. If more than one radius profile is assigned to the PAE profile, it must have a discriminator to allow the user to determine which RADIUS profile should be used.
- Command Path – tolt>profiles>pae-profiles>
- Module – tolt
- Container – profiles
- Container – pae-profiles
- Type – Example Parameter
- *Name – basic-pae
- radius-profile-list my-radius-cluster
- From the MDS1-ESUA<config># command line, input tolt profiles pae-profiles basic-pae radius-profile-list my-radius-cluster, and press Enter.
- Input commit and press Enter. Outputs similar to the following are displayed:
MDS1-ESUA<config># tolt profiles pae-profiles basic-pae admin-state enabled radius-profile-list radius-cluster <enter>
MDS1-ESUA<config-pae-profiles basic-pae># commit <enter>
Commit Complete
MDS1-ESUA<config-pae-profiles basic-pae># exit <enter>
MDS1-ESUA<config>#
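
The following Python sketch is an added example, not code from the vendor or the OLT. It illustrates how a MAC-and-mask discriminator can pick one RADIUS profile when several are assigned to a PAE profile. It assumes that num-mask-bits counts the leading bits of mac-address that must match and that the longest matching mask wins; the profile name voice-radius and all MAC addresses are constructed sample values.

```python
def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (or '-' / '.' separated) into a 48-bit integer."""
    hexstr = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(hexstr) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(hexstr, 16)

def matches(mac: str, rule_mac: str, num_mask_bits: int) -> bool:
    """True when the leading num_mask_bits bits of both addresses are equal."""
    if not 0 <= num_mask_bits <= 48:
        raise ValueError("num-mask-bits must be between 0 and 48")
    shift = 48 - num_mask_bits
    return mac_to_int(mac) >> shift == mac_to_int(rule_mac) >> shift

def select_profile(mac: str, profiles: dict, default=None):
    """Return the RADIUS profile whose discriminator best matches mac.

    profiles maps a profile name to its oui-mac-discriminator entries,
    each a (mac-address, num-mask-bits) pair. Longest mask wins (assumed).
    """
    best_bits, best_name = -1, default
    for name, rules in profiles.items():
        for rule_mac, bits in rules:
            if bits > best_bits and matches(mac, rule_mac, bits):
                best_bits, best_name = bits, name
    return best_name

# Constructed sample: phones share the OUI 00:00:5e (24 mask bits) and go to a
# separate authenticator; a 0-bit entry makes the other profile the catch-all.
PROFILES = {
    "voice-radius": [("00:00:5e:00:53:00", 24)],
    "basic-radius-profile": [("00:00:00:00:00:00", 0)],
}

if __name__ == "__main__":
    for mac in ("00:00:5e:00:53:1a", "02:11:22:33:44:55"):
        print(mac, "->", select_profile(mac, PROFILES))
```

Because the source MAC address is supplied by the attached device, the profile selected this way should enforce authentication as strictly as the default profile does.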