Cambium RADIUS dictionary for WiFi

Cambium Enterprise access points support several features controlled through a RADIUS server, such as bandwidth quota, VLAN and VLAN pool names. In addition to standard attributes such as Session-Timeout etc, these additional vendor specific attributes help the AP provide very flexible per-user fucntionality in carrier and enterprise networks.

The RADIUS dictionary for these attributes (in a format compatible with freeRADIUS but can be translated to other servers) is:

VENDOR                  CambiumVendor           17713
 
BEGIN-VENDOR    CambiumVendor

ATTRIBUTE       CAMB-Traffic-Quota-Limit-Up             151     integer
ATTRIBUTE       CAMB-Traffic-Quota-Limit-Down           152     integer
ATTRIBUTE       CAMB-Traffic-Quota-Limit-Up-Gigwords    153     integer
ATTRIBUTE       CAMB-Traffic-Quota-Limit-Down-Gigwords  154     integer
ATTRIBUTE       CAMB-Traffic-Quota-Limit-Total          155     integer
ATTRIBUTE       CAMB-Traffic-Quota-Limit-Total-Gigwords 156     integer
ATTRIBUTE       Cambium-Vlan-Pool-Id                    157     string
ATTRIBUTE       CAMB-Authorize-Classes                  158     tlv
ATTRIBUTE       CAMB-Traffic-Classes-Acct               159     tlv
ATTRIBUTE       CAMB-Walled-Garden-State                160     integer

ATTRIBUTE       CAMB-Authorize-Class-Name               158.1   string
ATTRIBUTE       CAMB-Authorize-Bytes-Left               158.2   integer64

ATTRIBUTE       CAMB-Acct-Class-Name                    159.1   string
ATTRIBUTE       CAMB-Acct-Input-Octets                  159.2   integer
ATTRIBUTE       CAMB-Acct-Output-Octets                 159.3   integer
ATTRIBUTE       CAMB-Acct-Input-Packets                 159.4   integer
ATTRIBUTE       CAMB-Acct-Output-Packets                159.4   integer

END-VENDOR      CambiumVendor

 

The QUOTA attribtues relate to allowed bandwidth/usage for clients. The APs already support time based restrictions (standard RADIUS session-timeout attribute) and rate-limit (WBA attribtues covered in a separate KB), these new Cambium attributes enhance that control.

Attribute descriptions:
CAMB-Traffic-Quota-Limit-Up|CAMB-Traffic-Quota-Limit-Down:
These attributes take the Upload/Download limit in Bytes and limit the client ability to Upload/Download the amount of data for that given RADIUS session.
 
CAMB-Traffic-Quota-Limit-Up-Gigwords|CAMB-Traffic-Quota-Limit-Down-Gigwords:
These attributes take the Upload/Download limit in Giga Bytes and limit the client ability to Upload/Download the amount of data for that given RADIUS session. I.e if someone configured 1 and 8 respectively then client would get 1 Giga Bytes of Upload data and 8 Giga Bytes of Download limit.
 
CAMB-Traffic-Quota-Limit-Total:
This attributes defines the total Bytes data limit to be enforced on the client including the upload/download data.
 
CAMB-Traffic-Quota-Limit-Total-Gigwords:
This attributes defines the total Giga Bytes data limit to be enforced on the client including the upload/download data.
 
Cambium-Vlan-Pool-Id:
Define the VLAN Pool name which is defined on the Cambium AP to be used for assigning the VLAN for this client. Cambium AP has a VLAN-Pool configuration which can define range of VLAN to be used client VLAN assignment.
 
CAMB-Walled-Garden-State:
This is used for setting the guest client into wall garden state or provide full access to it. The values are 1 for restricting it to wall garden state and 2 for providing full access. This is supported for Guest Access enabled WLAN which is configured with mac-authentication as fallback mechanism.
Cambium AP also supports traffic class based quota management for Mac Authentication fallback with Guest-Access enabled WLAN clients where customers can define upto three different traffic class on the AP WLAN configuration and define set of domains/IP address/Network for each traffic class which are allowed for that given traffic class.
 
CAMB-Authorize-Class-Name:
Takes the given Traffic class name for which you define the Quota Limits in Bytes.
 
CAMB-Authorize-Bytes-Left:
Takes the Quota Limits in Bytes for corresponding traffic class.
 
The traffic class stats counters are also reported in RADIUS Accounting packets and following attributes are used for the same:
CAMB-Acct-Class-Name
CAMB-Acct-Input-Octets
CAMB-Acct-Output-Octets
CAMB-Acct-Input-Packets
CAMB-Acct-Output-Packets
 
WISPr RADIUS attributes supported:

VENDOR WISPr 14122

Standard attribute

BEGIN-VENDOR WISPr

ATTRIBUTE WISPr-Location-Name 2 string
ATTRIBUTE WISPr-Redirection-URL 4 string
ATTRIBUTE WISPr-Bandwidth-Max-Up 7 integer
ATTRIBUTE WISPr-Bandwidth-Max-Down 8 integer
ATTRIBUTE WISPr-Session-Terminate-Time 9 string

END-VENDOR WISPr

WISPr-Location-Name:
AP has a location configuration which is filled in for this attribute while sending the RADIUS Authentication/Accounting packets to the RADIUS server.
 
WISPr-Redirection-URL:
This attribute is used for supporting Google Captive Portal and provides the redirection URL for the guest clients. This is typically obtained through MAC Authentication response which happens when this Guest client associates in a Google Captive Portal deployment. This is not supported for any other external captive portal types.
 
WISPr-Bandwidth-Max-Up/WISPr-Bandwidth-Max-Down:
This defines custom data rate limit to be enforced on the client and is defined in bps i.e. 1048576 is for 1Mbps
 
WISPr-Session-Terminate-Time:
This can be used along with session time attributes which can define when the session time terminates and let AP calculate how much remaining time it can allocate as session time to the client.
 
Standard RADIUS attribute supported:
RFC 2868
ATTRIBUTE        Tunnel-Private-Group-Id    81  string  has_tag

The above attribute is used to dynamically assign a VLAN to the client.

RFC 2865
ATTRIBUTE Class 25 octets
ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Idle-Timeout 28 integer

ATTRIBUTE Acct-Interim-Interval 85 integer

RADIUS COA or dynamic authorization supported RADIUS attributes:

ATTRIBUTE Session-Timeout 27 integer
ATTRIBUTE Acct-Interim-Interval 85 integer
ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag

COA supports the WISPr as well as Cambium vendor specific attributes which are supported in RADIUS Authentication method
3 Likes

A post was split to a new topic: RADIUS Dictionary for WPA-ENTERPRISE clients