Default Auth Reply
Cholleti, Hanumantha
Hanumantha.Cholleti at viasat.com
Thu May 23 02:02:06 CEST 2013
Scenario/Problem:
==============
Upon successful authentication of a user, we have to send the default WiMAX attributes (Initial Service Flow [ISF]) as part of "Access-Accept", but only if specific WiMAX attributes (user-specific service flows) are *not* defined for the user in radreply.
Example:
=======
Let's assume our default ISF response should be:
WiMAX-Packet-Data-Flow-Id 1
WiMAX-Service-Data-Flow-Id 1
WiMAX-Direction 2
WiMAX-Activation-Trigger 4
WiMAX-Transport-Type 1
WiMAX-Downlink-QOS-Id 1
WiMAX-Downlink-Classifier permit in any src any dst any
WiMAX-QoS-Id 1
WiMAX-Schedule-Type 2
WiMAX-Traffic-Priority 1
WiMAX-Maximum-Sustained-Traffic-Rate 2200000
WiMAX-Minimum-Reserved-Traffic-Rate 1000
WiMAX-Transmission-Policy 208
And user "ABC" is configured to have the service flow response below (in radreply), which is different from the default ISF:
WiMAX-Packet-Data-Flow-Id 111
WiMAX-Service-Data-Flow-Id 101
WiMAX-Direction 1
WiMAX-Activation-Trigger 4
WiMAX-Transport-Type 1
WiMAX-Uplink-QOS-Id 111
WiMAX-Uplink-Classifier permit in ip src any dst any 0-66 priority 3
WiMAX-Uplink-Classifier permit in ip src any dst any 69-65535 priority 3
WiMAX-QoS-Id 111
WiMAX-Schedule-Type 5
WiMAX-Traffic-Priority 1
WiMAX-Maximum-Sustained-Traffic-Rate 5500000
WiMAX-Minimum-Reserved-Traffic-Rate 0
WiMAX-Tolerated-Jitter 1000
WiMAX-Maximum-Latency 1000
WiMAX-Unsolicited-Grant-Interval 40
WiMAX-Transmission-Policy 211
Expected Response
===============
1) If user "ABC" successfully authenticates -> we want to send only the service flow configured above for "ABC".
2) If a user other than ABC (say XYZ, 123, etc., for whom no service flow is configured in radreply) authenticates successfully (with default auth-type set to eap) -> we want to send the default ISF.
Approach we took
==============
1) Added an entry in the "radusergroup" table with username and groupname as "DEFAULT-ISF"
+-------------+-------------+----------+
| username    | groupname   | priority |
+-------------+-------------+----------+
| DEFAULT-ISF | DEFAULT-ISF |        1 |
+-------------+-------------+----------+
2) Added the default ISF WiMAX attribute entries in the "radgroupreply" table with groupname = "DEFAULT-ISF"
3) Updated group_membership_query in the dialup.conf file
From:
    group_membership_query = "SELECT groupname \
        FROM ${usergroup_table} \
        WHERE username = '%{SQL-User-Name}' \
        ORDER BY priority"
To:
    group_membership_query = "SELECT groupname \
        FROM ${usergroup_table} \
        WHERE username = '%{SQL-User-Name}' \
        OR (NOT EXISTS (select 1 from radreply where username='%{SQL-User-Name}') \
        AND username='DEFAULT-ISF') \
        ORDER BY priority"
Question
=======
The above approach works and provided the access-accept response we expected, but we want to confirm whether this is the correct approach to the scenario we described, or is there a better way to handle this?
Sorry for the long email, wanted to provide as much background as possible.
Thanks
-Hanu