RADIUS - Overview

The IMG uses Remote Authentication Dial In User Service (RADIUS) for streaming Call Detail Records (CDRs). The implementation is compliant with RFC 2865 - Remote Authentication Dial-In User Service (RADIUS) and RFC 2866 - RADIUS Accounting. When RADIUS is configured on the IMG and an inbound call requires a RADIUS lookup, the IMG will generate an Access-Request message to the RADIUS Server as well as an Accounting-START and Accounting-STOP Request as required. The Requests will be populated with any associated data that came in the incoming or outgoing message. The IMG supports the Dialogic RADIUS format, which includes attributes defined by RFC 2865 and RFC 2866 and any supported Dialogic Vendor Specific Attributes (VSA). Refer to the information below for an overview of what is supported on the IMG when configuring RADIUS.

 

Supported RADIUS Scenarios

The IMG supports RADIUS Authentication, Accounting, or a combination of both when communicating with a RADIUS Server. The user has the option of choosing one of the following scenarios when configuring the 2020 IMG:

Authentication and Accounting

In the first scenario, the IMG is configured as a RADIUS Client, and the configured RADIUS Server requires that the IMG first be Authenticated before starting an Accounting session. Refer to the call flow diagram below.

cf_radius_act-auth.png

 

Accounting Only

In the Accounting only scenario, the RADIUS server that is configured is being used for Accounting purposes only. No Authentication is needed. Refer to Call Flow diagram below.

cf_radius_act-only.png

 

Authentication Only

In the Authentication only scenario, the RADIUS server that is configured is being used to authenticate users. No Accounting is required. Refer to call flow diagram below.

cf_radius_auth-only.png

 

Basic RADIUS call flow

Below is a call flow displaying the messages generated to a RADIUS Server that is configured for Accounting and Authorization.

cf_radius_ss7_sip.png

 

Supported Packet Types

Access-Request (Sent to the RADIUS server) - Conveys information used to determine whether a user is allowed access to a specific Network Access Server (NAS) and any special services requested for that user.

Access-Accept (Sent by the RADIUS server) - Provides specific configuration information necessary to begin delivery of service to the user.

Access-Reject (Sent by the RADIUS Server) - Sent if any value of the received attributes is not acceptable.

Accounting-Start - Sent at the start of service delivery. Describes the type of service being delivered and to whom it is being delivered.

Accounting-Stop - Describes the type of service being delivered and displays optional statistics, such as elapsed time, input and output octets, and input and output packets.
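The following added example (not Dialogic code) shows how a receiver can map a raw RADIUS datagram to the packet names listed above and check the Accounting-Request authenticator defined in RFC 2866. On the wire, Accounting-Start and Accounting-Stop are both Accounting-Request packets (code 4) distinguished by the Acct-Status-Type attribute. The shared secret and the sample packets built by `build_accounting` are constructed for illustration.

```python
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
ACCT_STATUS_TYPE = 40                  # RFC 2866 attribute number
ACCT_STATUS = {1: "Start", 2: "Stop"}  # Acct-Status-Type values


def parse_attributes(data):
    """Walk the Type-Length-Value list, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def classify(packet, secret):
    """Return (packet name, authenticator_ok) for one RADIUS datagram."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]           # octets beyond Length are padding
    attrs = parse_attributes(packet[20:])
    name, auth_ok = CODES.get(code, "code %d" % code), None
    if code == 4:
        # RFC 2866: MD5(Code + ID + Length + 16 zero octets + attrs + secret)
        digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
        auth_ok = hmac.compare_digest(digest, packet[4:20])
        for a_type, value in attrs:
            if a_type == ACCT_STATUS_TYPE and len(value) == 4:
                status = struct.unpack("!I", value)[0]
                name = "Accounting-" + ACCT_STATUS.get(status, str(status))
    return name, auth_ok


def build_accounting(ident, status, secret):
    """Constructed sample: Accounting-Request carrying only Acct-Status-Type."""
    attrs = struct.pack("!BBI", ACCT_STATUS_TYPE, 6, status)
    head = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs
```

An `authenticator_ok` of `False` means the packet was altered in transit or the client and server disagree on the shared secret; `None` means the code carries no authenticator that can be checked from this packet alone.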

 

RADIUS Server Debug Mode

The IMG can be configured so that calls will be completed whether the RADIUS server is active or not. The IMG will not require authentication from the RADIUS server to complete a call, and no billing information will be logged. The RADIUS Debug Mode is configured through the RADIUS Client screen. Refer to the RADIUS Client topic for more information on configuring debug mode.

 

RADIUS Server Failure Alarm

The IMG provides automatic alarm notification when a RADIUS Server has changed states and can no longer be accessed. The alarm, reported in ClientView, will include the RADIUS Server Type (Access, Accounting), the Server ID, the mode of the RADIUS Server (normal, debug), the state of the RADIUS Server and the IP address of the failed RADIUS server.

 

RADIUS Server Redundancy

The IMG supports a Primary (Active)/Secondary (Standby) redundancy scheme. Redundancy logic is independent for Authentication and Accounting Servers. When configuring RADIUS servers, they are created with an initial priority preference. The IMG will begin using the primary RADIUS server, which is initially the active server. When a communication failure with the primary server is detected, a switchover to the Standby will occur. The Secondary will now become the active server and all future RADIUS messages will flow to the new active server. If an error is detected in trying to send a RADIUS message to the new active server, the IMG will attempt to switch back to the Primary server (initial active server). This behavior is repeated until a working server is detected. If the IMG fails to connect to a RADIUS Server, an alarm is then sent. The alarms can be monitored using the EventView application.

Typically, when a RADIUS message needs to be sent to a server it is assembled and passed to the OS for transport to the active server. These servers are configured to send the message, wait 2 seconds, and then retry sending the message an additional three times. Therefore a RADIUS message will be sent a total of four times, each at two second intervals. If the message has been sent four times with no success, a switchover to the next server will occur. The switchover behavior is coupled to the message type. Therefore, an Accounting Server switchover is independent of an Authentication Server switchover.

Under typical call loads it will take some time for the switchover to complete since the IMG may have many RADIUS messages queued up to the failed server. Each of these messages must fail and be retried on the newly active server following notification of the send failure.

Note: A negative response does not constitute a server failure.
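The redundancy behavior described above can be modeled as follows. This is an added example, not IMG code: the class, the `transport` callback and the `max_switchovers` bound are hypothetical, and the model assumes each unanswered send costs one full 2-second interval. It shows that a negative reply such as Access-Reject never triggers a switchover, and how long a message waits when the active server is down.

```python
SENDS_PER_SERVER = 4   # first send plus three retries (from the page)
RETRY_INTERVAL_S = 2   # seconds between sends (from the page)


class ServerPair:
    """Primary/Secondary pair for one message type (Access or Accounting).

    Keep one instance per message type: the page states that Accounting
    and Authentication switchovers are independent of each other.
    """

    def __init__(self, primary, secondary):
        self.servers = [primary, secondary]
        self.active = 0        # index of the current active server
        self.alarms = []       # stand-in for the alarm notifications

    def send(self, message, transport, max_switchovers=2):
        """Send one message, switching servers after four unanswered sends.

        transport(server, message) returns a reply string, or None on timeout.
        Returns (reply, seconds_waited); reply is None if no server answered
        within max_switchovers (an assumption so the model terminates).
        """
        waited = 0
        for _ in range(max_switchovers + 1):
            server = self.servers[self.active]
            for _attempt in range(SENDS_PER_SERVER):
                reply = transport(server, message)
                if reply is not None:
                    # Any reply, Access-Reject included, proves the server
                    # is reachable, so no switchover happens.
                    return reply, waited
                waited += RETRY_INTERVAL_S
            self.alarms.append("RADIUS server %s failed" % server)
            self.active = 1 - self.active   # switch to the other server
        return None, waited
```

With the primary unreachable, the first message is delayed by 4 x 2 = 8 seconds before the secondary sees it, and every message already queued to the failed server pays the same cost.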

 

Additional Information

    1. The Protocol utilized.
    2. What leg of the call the protocol is used on.
    3. Whether the protocol is TDM (SS7 or ISDN) or IP (SIP).

Refer to the Configuring RADIUS topic for more information on how to configure RADIUS on the IMG.