
Configuration algorithm

Each numbered step gives the description, the command (with the prompt of the mode it is entered in), and the command's keys.

1

Add RADIUS server to the list of used servers and switch to its configuration mode.

esr(config)# radius-server host { <IP-ADDR> | <IPV6-ADDR> } [ vrf <VRF> ]

esr(config-radius-server)#

<IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF];

<VRF> – VRF instance name, set by the string of up to 31 characters.

2

Set the shared secret (key) used to authenticate exchanges with the remote RADIUS server.

esr(config-radius-server)# key ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string of [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

3

Create an AAA RADIUS profile and switch to its configuration mode.

esr(config)# aaa radius-profile <NAME>

<NAME> – server profile name, set by the string of up to 31 characters.

4

Specify RADIUS server in AAA profile.

esr(config-aaa-radius-profile)# radius-server host { <IP-ADDR> | <IPV6-ADDR> }

<IP-ADDR> – RADIUS server IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255];

<IPV6-ADDR> – RADIUS server IPv6 address, defined as X:X:X:X::X where each part takes values in hexadecimal format [0..FFFF].

5

Create a DAS (dynamic authorization server) entry and switch to its configuration mode.

esr(config)# das-server <NAME>

<NAME> – DAS server name, set by the string of up to 31 characters.

6

Set the shared secret (key) used to authenticate exchanges with the remote DAS.

esr(config-das-server)# key ascii-text { <TEXT> | encrypted <ENCRYPTED-TEXT> }

<TEXT> – string of [8..16] ASCII characters; <ENCRYPTED-TEXT> – encrypted password, [8..16] bytes size, set by the string of [16..32] characters.

7

Create an AAA DAS profile and switch to its configuration mode.

esr(config)# aaa das-profile <NAME>

<NAME> – DAS profile name, set by the string of up to 31 characters.

8

Specify the DAS server in the DAS profile.

esr(config-aaa-das-profile)# das-server <NAME>

<NAME> – DAS server name, set by the string of up to 31 characters.

9

Enter BRAS (subscriber control) configuration mode.

esr(config)# subscriber-control [ vrf <VRF> ]

<VRF> – VRF instance name, set by the string of up to 31 characters, within which the user control will operate.

10

Select the profile of dynamic authorization servers (DAS) used for CoA (change of authorization) requests coming from the PCRF.

esr(config-subscriber-control)# aaa das-profile <NAME>

<NAME> – DAS profile name, set by the string of up to 31 characters.

11

Select RADIUS server profile to obtain the user service parameters.

esr(config-subscriber-control)# aaa services-radius-profile <NAME>

<NAME> – RADIUS server profile name, set by the string of up to 31 characters.

12

Select RADIUS server profile to obtain the user session parameters.

esr(config-subscriber-control)# aaa sessions-radius-profile <NAME>

<NAME> – RADIUS server profile name, set by the string of up to 31 characters.

13

Set router IP address that will be used as source IP address in transmitted RADIUS packets.

esr(config-subscriber-control)# nas-ip-address <ADDR>

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

14

Enable session authentication by MAC address (optional).

esr(config-subscriber-control)# session mac-authentication


15

Let service traffic (DHCP, DNS, etc.) that matches the specified ACL pass transparently, bypassing subscriber control.

esr(config-subscriber-control)# bypass-traffic-acl <NAME>

<NAME> – name of the ACL being bound, set by the string of up to 31 characters.

16

Switch to the default service configuration mode.

esr(config-subscriber-control)# default-service


17

Bind the specified QoS class to the default service.

esr(config-subscriber-default-service)# class-map <NAME>

<NAME> – name of the class being bound, set by the string of up to 31 characters.

18

Specify the name of the URL list used to filter HTTP/HTTPS traffic of non-authenticated users.

esr(config-subscriber-default-service)# filter-name { local <LOCAL-NAME> | remote <REMOTE-NAME> }

<LOCAL-NAME> – URL profile name, set by the string of up to 31 characters;

<REMOTE-NAME> – remote server URL list name, set by the string of up to 31 characters.

19

Specify the action applied to HTTP/HTTPS packets whose URL is included in the URL list assigned by the 'filter-name' command.

esr(config-subscriber-default-service)# filter-action <ACT>

<ACT> – action:

  • permit – traffic transfer is permitted;
  • deny – traffic transfer is denied;
  • redirect <URL> – redirect to the specified URL, set by the string of up to 255 characters.

20

Specify the action applied to HTTP/HTTPS packets whose URL is not included in the URL list assigned by the 'filter-name' command.

esr(config-subscriber-default-service)# default-action <ACT>

<ACT> – action:

  • permit – traffic transfer is permitted;
  • deny – traffic transfer is denied;
  • redirect <URL> – redirect to the specified URL, set by the string of up to 255 characters.

21

Enable the subscriber control (BRAS) service.

esr(config-subscriber-control)# enable


22

Set the location identifier of a network interface (physical interface, sub-interface or bridge) (optional).

esr(config-if)# location <ID>

<ID> – network interface identifier, set by the string of up to 220 characters.

23

Enable user control on the interface.

esr(config-if-gi)# service-subscriber-control { any | object-group <NAME> }

<NAME> – IP addresses profile name, set by the string of up to 31 characters.

24

Enable repeated re-authorization (re-requesting the quota) when the quota of a user service with a traffic-volume or time limit expires (optional).

esr(config-subscriber-control)# quota-expired-reauth


25

Enable session authentication by IP address (optional).

esr(config-subscriber-control)# session ip-authentication


26

Pass subscriber traffic transparently while the BRAS is in the backup (standby) state (optional).

esr(config-subscriber-control)# backup traffic-processing transparent


27

Specify the interval after which currently unused URL lists will be removed (optional).

esr(config)# subscriber-control unused-filters-remove-delay <DELAY>

<DELAY> – time interval in seconds, takes values of [10800..86400].

28

Specify the interval after which, if a user has not sent any packets, the session is considered to be outdated and is removed from the device (optional).

esr(config-subscriber-default-service)# session-timeout <SEC>

<SEC> – time interval in seconds, takes values of [120..3600].

29

Specify the VRRP group on the basis of which user control service status is determined (primary/redundant) (optional).

esr(config-subscriber-control)# vrrp-group <GRID>

<GRID> – VRRP router group identifier, takes values in the range of [1..32].

30

Define the destination TCP ports whose traffic will be redirected to the router's HTTP proxy server (optional).

esr(config-subscriber-control)# ip proxy http listen-ports <NAME>

<NAME> – TCP/UDP ports profile name, set by the string of up to 31 characters.

31

Define HTTP Proxy server port on the router (optional).

esr(config-subscriber-control)# ip proxy http redirect-port <PORT>

<PORT> – port number, set in the range of [1..65535].

32

Define the destination TCP ports whose traffic will be redirected to the router's HTTPS proxy server (optional).

esr(config-subscriber-control)# ip proxy https listen-ports <NAME>

<NAME> – TCP/UDP ports profile name, set by the string of up to 31 characters.

33

Define HTTPS Proxy server port on the router (optional).

esr(config-subscriber-control)# ip proxy https redirect-port <PORT>

<PORT> – port number, set in the range of [1..65535].

34

Set router IP address that will be used as source IP address in HTTP/HTTPS packets transmitted by Proxy server (optional).

esr(config-subscriber-control)# ip proxy source-address <ADDR>

<ADDR> – source IP address, defined as AAA.BBB.CCC.DDD where each part takes values of [0..255].

35

Specify the URL of the server that provides the application lists used for traffic filtering (optional).

esr(config)# subscriber-control apps-server-url <URL>

<URL> – reference address, set by the string from 8 to 255 characters.

36

Enable the application control on the interface (optional).

esr(config-if-gi)# subscriber-control application-filter <NAME>

<NAME> – application profile name, set by the string of up to 31 characters.

37

Set or clear the upper threshold of the number of BRAS sessions (optional).

esr(config-subscriber-control)# thresholds sessions-number high <Threshold>

<Threshold> – number of BRAS sessions:

  • [0-50000] – for ESR-1700;
  • [0-10000] – for ESR-1200/1000/1500/1511/3100/3200 and WLC-3200;
  • [0-1000] – for ESR-100/200.

38

Set or clear the lower threshold of the number of BRAS sessions (optional).

esr(config-subscriber-control)# thresholds sessions-number low <Threshold>

<Threshold> – number of BRAS sessions:

  • [0-50000] – for ESR-1700;
  • [0-10000] – for ESR-1200/1000/1500/1511/3100/3200 and WLC-3200;
  • [0-1000] – for ESR-100/200.
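A complete walk-through of steps 1–23 (plus the optional steps 24, 28 and 30–34) as an added example; it is not the page's own SoftWLC example and not taken from Eltex documentation. All addresses, names and secrets are constructed: the RADIUS/DAS host 192.0.2.10, the NAS address 192.0.2.1, the subscriber prefix 10.10.0.0/16 and the portal URL. The 'object-group network' and 'ip access-list extended' blocks (used to build the SUBS group and the DHCP/DNS bypass ACL), the interface name, and the closing 'commit'/'confirm' are assumptions about ESR syntax outside this page; the PORTAL-ALLOW URL profile and the BRAS-DEFAULT class-map must be created separately and are not covered here. The proxy redirect ports 3128/3129 are chosen to match the 'bras' service group in the SoftWLC example below. Lines starting with '!' are annotations, not commands.

```text
! --- Steps 1-2: RADIUS server (constructed address, 16-character shared secret)
esr(config)# radius-server host 192.0.2.10
esr(config-radius-server)# key ascii-text Rad1us-S3cret!x9
esr(config-radius-server)# exit
! --- Steps 3-4: RADIUS profile referencing that server
esr(config)# aaa radius-profile RADIUS-BRAS
esr(config-aaa-radius-profile)# radius-server host 192.0.2.10
esr(config-aaa-radius-profile)# exit
! --- Steps 5-8: DAS (CoA) server and DAS profile; a different secret from the RADIUS one
esr(config)# das-server DAS-PCRF
esr(config-das-server)# key ascii-text CoA-S3cret-2024a
esr(config-das-server)# exit
esr(config)# aaa das-profile DAS-BRAS
esr(config-aaa-das-profile)# das-server DAS-PCRF
esr(config-aaa-das-profile)# exit
! --- Assumed syntax (not on this page): subscriber address group, port groups, bypass ACL
esr(config)# object-group network SUBS
esr(config-object-group-network)# ip prefix 10.10.0.0/16
esr(config-object-group-network)# exit
esr(config)# object-group service DHCP-DNS
esr(config-object-group-service)# port-range 53
esr(config-object-group-service)# port-range 67-68
esr(config-object-group-service)# exit
esr(config)# object-group service HTTP
esr(config-object-group-service)# port-range 80
esr(config-object-group-service)# exit
esr(config)# object-group service HTTPS
esr(config-object-group-service)# port-range 443
esr(config-object-group-service)# exit
esr(config)# ip access-list extended BYPASS
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port DHCP-DNS
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
! --- Steps 9-15, 24, 30-34: subscriber control (BRAS)
esr(config)# subscriber-control
esr(config-subscriber-control)# aaa das-profile DAS-BRAS
esr(config-subscriber-control)# aaa services-radius-profile RADIUS-BRAS
esr(config-subscriber-control)# aaa sessions-radius-profile RADIUS-BRAS
esr(config-subscriber-control)# nas-ip-address 192.0.2.1
esr(config-subscriber-control)# session mac-authentication
esr(config-subscriber-control)# bypass-traffic-acl BYPASS
esr(config-subscriber-control)# quota-expired-reauth
esr(config-subscriber-control)# ip proxy http listen-ports HTTP
esr(config-subscriber-control)# ip proxy http redirect-port 3128
esr(config-subscriber-control)# ip proxy https listen-ports HTTPS
esr(config-subscriber-control)# ip proxy https redirect-port 3129
esr(config-subscriber-control)# ip proxy source-address 192.0.2.1
! --- Steps 16-20, 28: default service for not-yet-authenticated users (portal redirect)
esr(config-subscriber-control)# default-service
esr(config-subscriber-default-service)# class-map BRAS-DEFAULT
esr(config-subscriber-default-service)# filter-name local PORTAL-ALLOW
esr(config-subscriber-default-service)# filter-action permit
esr(config-subscriber-default-service)# default-action redirect http://portal.example.net/login
esr(config-subscriber-default-service)# session-timeout 600
esr(config-subscriber-default-service)# exit
! --- Step 21
esr(config-subscriber-control)# enable
esr(config-subscriber-control)# exit
! --- Steps 22-23: bind the service to the subscriber-facing interface (assumed name)
esr(config)# interface gigabitethernet 1/0/2
esr(config-if-gi)# location access-sw1-port2
esr(config-if-gi)# service-subscriber-control object-group SUBS
esr(config-if-gi)# exit
! --- Apply the candidate configuration (assumed two-stage apply)
esr(config)# do commit
esr(config)# do confirm
```

Two things to check after applying. First, both 'key ascii-text' values are limited to 8–16 ASCII characters, so use the full 16 and a mixed character set; in the saved configuration they appear in the 'encrypted' form from step 2. The DAS key is what authenticates requests that change or terminate subscriber sessions, so it should differ from the RADIUS key. Second, redirected HTTP/HTTPS traffic terminates on the router itself, so the redirect ports (3128/3129 here) must be permitted in the zone-pair to 'self' for the subscriber zone, which is exactly what the 'bras' service group in the SoftWLC example below does.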

Example of configuration with SoftWLC

...

Permit TCP to the ports in the 'bras' service group and ICMP from the trusted, dmz and untrusted zones to the router itself (self):

Code block
esr(config)# object-group service bras
esr(config-object-group-service)# port-range 3129
esr(config-object-group-service)# port-range 3128
esr(config-object-group-service)# exit
esr(config)# security zone-pair trusted self
esr(config-zone-pair)# rule 10
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol tcp
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# match source-port any
esr(config-zone-pair-rule)# match destination-port bras
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# rule 20
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# security zone-pair dmz self
esr(config-zone-pair)# rule 20
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit
esr(config)# security zone-pair untrusted self
esr(config-zone-pair)# rule 20
esr(config-zone-pair-rule)# action permit
esr(config-zone-pair-rule)# match protocol icmp
esr(config-zone-pair-rule)# match source-address any
esr(config-zone-pair-rule)# match destination-address any
esr(config-zone-pair-rule)# enable
esr(config-zone-pair-rule)# exit
esr(config-zone-pair)# exit

Activate DHCP-Relay:

Code block
esr(config)# ip dhcp-relay

...