Introduction to RADIUS VSAs
Remote Authentication Dial-In User Service (RADIUS) provides centralized authentication and authorization for ePMP fixed wireless access networks. In addition, configuration parameters called Vendor-Specific Attributes (VSAs) can be passed from the RADIUS server to the ePMP devices that authenticate as RADIUS users, both to configure those devices and to authorize management GUI user logins.
This document provides high-level descriptions of:
- VSA message flow
- VSA definitions and configuration
- additional details of the Cambium Networks ePMP VSAs included in the ePMP Radius Dictionary file (provided on the ePMP Downloads page).
ePMP RADIUS VSA message flow
VSA transmission from RADIUS server to users
During the EAP-TTLS RADIUS authentication procedure, the RADIUS server returns the configured VSAs (the VLAN, Maximum Information Rate and Subscriber Module Priority attributes defined in the ePMP Radius Dictionary file and set in the RADIUS server users configuration file) to the AP. The AP parses the VSAs and applies any AP-specific parameters it received, then forwards the VSAs to the subscriber, which parses and applies its own parameters. If an error is encountered while processing the VSAs, the access point or subscriber falls back to its locally configured value for the affected parameter. A mistake in the users file therefore does not surface as an authentication error but as the local value remaining in effect, so check the device after changing VSAs rather than assuming the new value was applied.
GUI user authentication by RADIUS
Access Point and Subscriber Module web management interface logins may be centralized on the RADIUS server to simplify management of device login credentials and access permissions. Whether GUI user authentication is handled by RADIUS or locally, including whether the device falls back to local accounts when the RADIUS server cannot be reached, is controlled by the AP Security configuration parameter GUI User Authentication. When that parameter is set to Remote RADIUS Server Only or Remote RADIUS Server and Fallback to Local, the ePMP device contacts the RADIUS server to authenticate each GUI login attempt. With Remote RADIUS Server Only there is no local fallback, so GUI logins fail while the RADIUS server is unreachable.
ePMP RADIUS VSA definitions and configuration
Before using VSAs in your network, verify that the ePMP Access Point is configured with a Wireless Security mode of RADIUS (this article assumes that the required certificates and RADIUS clients have already been configured) and that the subscriber is configured with the correct RADIUS (EAP-TTLS) credentials.
Usage of RADIUS VSAs to automatically configure ePMP devices or authenticate GUI users consists of the following procedures:
Procedure: Add Cambium VSAs to RADIUS dictionary file
The RADIUS server must first be configured with the VSA attributes and values specific to Cambium ePMP equipment.
- On the RADIUS server, open the [RADIUS-home]/etc/raddb/dictionary file for editing (the paths in this procedure are FreeRADIUS paths)
- Append the Cambium Networks ePMP dictionary file to the end of the RADIUS dictionary file, then save the RADIUS dictionary file. FreeRADIUS also accepts a $INCLUDE line that references a separate file, which keeps the Cambium definitions out of the server's own dictionary so that a server upgrade does not overwrite them.
Note
When editing configuration files on Windows, make sure the editor saves Unix (LF) line endings. Windows CRLF line endings leave a carriage return (displayed as ^M in vi) at the end of each line, and these characters cause parsing errors in RADIUS servers.
Procedure: Edit RADIUS users file to apply VSA configurations
Now that the RADIUS server is configured with the Cambium VSAs in the RADIUS dictionary file, the VSAs may be applied to subscribers in the RADIUS users file.
- On the RADIUS server, open the [RADIUS-home]/etc/raddb/users file for editing
- For each subscriber, include the VSAs required for configuration. For example, to give any subscriber with EAP-TTLS Username "subscriber1" (configured with Network Mode of Bridge) a Data VLAN ID and a VLAN Membership set via VSAs, and to authorize installer-level GUI access, include the following entry in the RADIUS users file. The check item is on the first line; each reply item follows on its own indented line, comma-separated, with no comma after the last one:

subscriber1 Cleartext-Password := "cambium"
    Cambium-ePMP-VLIGVID = "2",
    Cambium-ePMP-VLANMEMSET = "16777516",
    Cambium-ePMP-UserLevel = "2"

With this entry, Cambium-ePMP-VLIGVID sets the Data VLAN ID to 2, and Cambium-ePMP-VLANMEMSET is set to decimal 16777516, which is 0x0100012C in hex: the upper two bytes, 0x0100 (256 in decimal), are the beginning of the membership range and the lower two bytes, 0x012C (300 in decimal), are its end. Cambium-ePMP-UserLevel = "2" additionally allows the "installer" GUI login to be authenticated via RADIUS (subject to the setting of the device configuration parameter GUI User Authentication).
- Save the RADIUS users file
- Restart the RADIUS server process. With FreeRADIUS, starting it once in debug mode (radiusd -X) is a quick way to confirm that the dictionary and users files parse without errors before putting the change into service.
- Upon network entry, all ePMP devices with EAP-TTLS username “subscriber1” and EAP-TTLS password “cambium” will be configured with the VSA parameters in the RADIUS users file.
For this example, the resulting values can be confirmed on the ePMP subscriber GUI Monitor > Network page (the screenshot of that page is not reproduced here).
ePMP VSA configuration examples
Each ePMP VSA corresponds to a specific configuration parameter on the ePMP subscriber. ePMP subscribers support the Network Mode settings Bridge, NAT and Router, and each of these can be further customized with a separate management IP address or a separate management VLAN, which changes which VSAs apply and which GUI parameter each one maps to.
This section gives examples of VSA applications in various subscriber networking configurations. For a full listing of which attributes are applicable in each network mode and to which configuration parameter VSAs apply, see section ePMP VSA additional details.
ePMP subscriber in Bridge mode
This example (shown as a figure on the original page, not reproduced here) demonstrates how a Bridge-mode subscriber module receives configuration via RADIUS VSAs for Maximum Information Rate (MIR) and various VLAN parameters.
ePMP subscriber in NAT mode
This example (shown as a figure on the original page, not reproduced here) demonstrates how a NAT-mode (or Router-mode) subscriber module receives configuration via RADIUS VSAs for Maximum Information Rate (MIR) and various VLAN parameters.
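As a runnable illustration of the users file entry in the procedure above and of the Bridge-mode and NAT-mode examples, the following Python builds FreeRADIUS users entries from a small table of the ePMP VSAs. This is example code written for this page, not Cambium's tooling. The attribute names, value ranges and Bridge versus NAT/Router applicability are copied from the ePMP VSA additional details table later on this page; the usernames bridge-sm and nat-sm, the password, the MIR and VLAN values, and every function name are this example's own assumptions. Values are written as quoted strings exactly as on this page; whether the dictionary declares each attribute as integer or string decides what the server actually emits.

```python
"""Build FreeRADIUS 'users' entries carrying Cambium ePMP VSAs.

Example code added for this page (not Cambium's own). Attribute names,
value ranges and Bridge/NAT applicability are copied from the ePMP VSA
table on the page; usernames, password and example values are made up.
"""

# name -> (min, max, applicable in Bridge mode, applicable in NAT/Router mode)
# min/max of None marks the two packed-pair attributes, validated separately.
EPMP_VSA = {
    "Cambium-ePMP-VLIGVID":        (1, 4094, True, False),      # Data VLAN ID
    "Cambium-ePMP-VLMGVID":        (1, 4094, True, True),       # Management VLAN ID
    "Cambium-ePMP-ULMIR":          (100, 1000000, True, True),  # uplink MIR, kbps
    "Cambium-ePMP-DLMIR":          (100, 1000000, True, True),  # downlink MIR, kbps
    "Cambium-ePMP-UserLevel":      (2, 5, True, True),          # 2 installer .. 5 readonly
    "Cambium-ePMP-STAPRI":         (0, 2, True, True),          # 0 normal, 1 high, 2 low
    "Cambium-ePMP-VLANMEMSET":     (None, None, True, False),   # packed begin/end VLAN
    "Cambium-ePMP-VLManagPVID":    (0, 7, True, True),          # Management VLAN priority
    "Cambium-ePMP-VLDataPVID":     (0, 7, True, False),         # Data VLAN priority
    "Cambium-ePMP-VLMG2VID":       (1, 4094, False, True),      # Separate Management VLAN ID
    "Cambium-ePMP-VLMG2PVID":      (0, 7, False, True),         # Separate Management VLAN priority
    "Cambium-ePMP-VLMultiCastVID": (1, 4094, True, False),      # Multicast VLAN ID
    "Cambium-ePMP-VLMAPPING":      (None, None, True, False),   # packed C-VLAN/S-VLAN
}
PACKED = {"Cambium-ePMP-VLANMEMSET", "Cambium-ePMP-VLMAPPING"}


def pack_vlan_pair(first, second):
    """Pack two VLAN IDs into the decimal string the page uses for
    VLANMEMSET (begin, end) and VLMAPPING (C-VLAN, S-VLAN): the first ID
    occupies the upper 16 bits, the second the lower 16 bits."""
    for vid in (first, second):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} outside 1-4094")
    return str((first << 16) | second)


def unpack_vlan_pair(text):
    """Inverse of pack_vlan_pair; rejects values that do not fit 32 bits
    or that decode to an invalid VLAN ID in either half."""
    value = int(text)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("packed VLAN pair must fit in 32 bits")
    first, second = value >> 16, value & 0xFFFF
    for vid in (first, second):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} outside 1-4094")
    return first, second


def users_entry(username, password, network_mode, attrs):
    """Render one FreeRADIUS users-file entry: the check item on the first
    line, then one tab-indented reply item per VSA, comma-separated except
    the last. Attributes that the table marks not applicable for the
    subscriber's Network Mode, or that are out of range, are rejected here
    because the device would otherwise silently keep its local value."""
    mode_column = {"Bridge": 2, "NAT": 3, "Router": 3}[network_mode]
    items = []
    for name, value in attrs.items():
        spec = EPMP_VSA[name]
        if not spec[mode_column]:
            raise ValueError(f"{name} is not applicable in {network_mode} mode")
        if name in PACKED:
            unpack_vlan_pair(value)                     # validates both halves
        elif not spec[0] <= int(value) <= spec[1]:
            raise ValueError(f"{name}={value} outside {spec[0]}-{spec[1]}")
        items.append(f'\t{name} = "{value}"')
    body = [item + ("," if i < len(items) - 1 else "") for i, item in enumerate(items)]
    return "\n".join([f'{username} Cleartext-Password := "{password}"', *body]) + "\n"


def is_rejected(network_mode, attrs):
    """True if users_entry refuses this attribute set (wrong mode or range)."""
    try:
        users_entry("probe", "probe", network_mode, attrs)
    except ValueError:
        return True
    return False


# The subscriber1 entry from the procedure on this page, regenerated.
SUBSCRIBER1 = users_entry("subscriber1", "cambium", "Bridge", {
    "Cambium-ePMP-VLIGVID": "2",
    "Cambium-ePMP-VLANMEMSET": pack_vlan_pair(256, 300),    # "16777516"
    "Cambium-ePMP-UserLevel": "2",
})

# Bridge-mode subscriber with MIR and VLAN parameters (made-up values).
BRIDGE_SM = users_entry("bridge-sm", "cambium", "Bridge", {
    "Cambium-ePMP-ULMIR": "5000",
    "Cambium-ePMP-DLMIR": "20000",
    "Cambium-ePMP-VLIGVID": "100",
    "Cambium-ePMP-VLDataPVID": "0",
    "Cambium-ePMP-VLMGVID": "10",
    "Cambium-ePMP-VLANMEMSET": pack_vlan_pair(256, 300),
    "Cambium-ePMP-VLMAPPING": pack_vlan_pair(23, 400),      # "1507728"
})

# NAT-mode subscriber: uses the Separate Management VLAN attributes, since
# the Data VLAN, membership and mapping attributes are Bridge-only.
NAT_SM = users_entry("nat-sm", "cambium", "NAT", {
    "Cambium-ePMP-ULMIR": "5000",
    "Cambium-ePMP-DLMIR": "20000",
    "Cambium-ePMP-VLMGVID": "10",
    "Cambium-ePMP-VLManagPVID": "5",
    "Cambium-ePMP-VLMG2VID": "20",
    "Cambium-ePMP-VLMG2PVID": "5",
    "Cambium-ePMP-STAPRI": "1",
})

if __name__ == "__main__":
    print(SUBSCRIBER1 + BRIDGE_SM + NAT_SM)
```

Running the script prints three entries ready to paste into the users file; the Bridge entry carries the Data VLAN, membership and mapping attributes, while the NAT entry carries the Separate Management VLAN attributes instead. Asking for Cambium-ePMP-VLIGVID on a NAT-mode subscriber raises an error here rather than producing an entry the device would ignore.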
ePMP VSA additional details
The ePMP RADIUS Dictionary file defines all of the ePMP Vendor-Specific Attributes that can be used in the radio network. This file must be present on the RADIUS server before RADIUS users and clients can be provisioned with VSA configurations or administrator login credentials and privileges can be controlled centrally. Because Cambium-ePMP-UserLevel can grant full administrator rights on a device, the RADIUS users file and the shared secret deserve the same protection as local administrator credentials.
Attribute Name | Number[1] | Bridge Mode | NAT / Router Mode | GUI Analogue | Valid Values / Usage Examples
--- | --- | --- | --- | --- | ---
Cambium-ePMP-VLIGVID | 26.17713.21 | Applicable | Not Applicable | Data VLAN ID | 1-4094
Cambium-ePMP-VLMGVID | 26.17713.22 | Applicable | Applicable | AP or SM in Bridge Mode: Management VLAN ID. SM in NAT or Router Mode with Separate Management IP Enabled: VLAN (Data) -> VLAN ID. SM in NAT or Router Mode with Separate Management IP Disabled: VLAN (Management + Data) -> VLAN ID | 1-4094
Cambium-ePMP-ULMIR | 26.17713.26 | Applicable | Applicable | Uplink Maximum Information Rate (MIR) | 100-1000000 (kbps)
Cambium-ePMP-DLMIR | 26.17713.27 | Applicable | Applicable | Downlink Maximum Information Rate (MIR) | 100-1000000 (kbps)
Cambium-ePMP-UserLevel | 26.17713.50 | Applicable | Applicable | Account Management section | 2-5: 2 = Installer (permission to read and write parameters applicable to unit installation and monitoring); 3 = Administrator (full read and write permission); 4 = User (permission only to access information pertinent for support purposes); 5 = Readonly (permission only to view the Monitor page)
Cambium-ePMP-STAPRI | 26.17713.51 | Applicable | Applicable | Subscriber Module Priority | 0-2: 0 = Normal; 1 = High; 2 = Low
Cambium-ePMP-VLANMEMSET | 26.17713.52 | Applicable | Not Applicable | Membership VLANs table | 1-4094 for each VLAN ID in the range. The Begin and End VLAN IDs are packed into one 32-bit value written in decimal: upper 16 bits = Begin, lower 16 bits = End. Example: to set a VLAN Membership range from VLAN ID 256 (Begin) to VLAN ID 300 (End), set Cambium-ePMP-VLANMEMSET = "16777516" in the RADIUS users file. This decimal value is 0x0100012C in hex: the first two bytes, 0x0100 (256 in decimal), are the beginning of the range and the last two bytes, 0x012C (300 in decimal), are the end of the range.
Cambium-ePMP-VLManagPVID | 26.17713.53 | Applicable | Applicable | AP or SM in Bridge Mode: Management VLAN Priority. SM in NAT or Router Mode with Separate Management IP Enabled: VLAN (Data) -> VLAN Priority. SM in NAT or Router Mode with Separate Management IP Disabled: VLAN (Management + Data) -> VLAN Priority | 0-7
Cambium-ePMP-VLDataPVID | 26.17713.54 | Applicable | Not Applicable | Data VLAN Priority | 0-7
Cambium-ePMP-VLMG2VID | 26.17713.55 | Not Applicable | Applicable | Separate Management VLAN -> VLAN ID | 1-4094
Cambium-ePMP-VLMG2PVID | 26.17713.56 | Not Applicable | Applicable | Separate Management VLAN -> VLAN Priority | 0-7
Cambium-ePMP-VLMultiCastVID | 26.17713.57 | Applicable | Not Applicable | Multicast VLAN ID | 1-4094
Cambium-ePMP-VLMAPPING | 26.17713.58 | Applicable | Not Applicable | VLAN Mapping table | 1-4094 for each VLAN ID. The C-VLAN and S-VLAN IDs are packed the same way: upper 16 bits = C-VLAN, lower 16 bits = S-VLAN. Example: to map C-VLAN 23 to S-VLAN 400, set Cambium-ePMP-VLMAPPING = "1507728" in the RADIUS users file. This decimal value is 0x00170190 in hex: the first two bytes, 0x0017 (23 in decimal), are the C-VLAN value and the last two bytes, 0x0190 (400 in decimal), are the S-VLAN value.
[1] Attribute type 26 denotes a Vendor-Specific Attribute, per RFC 2865; 17713 is the Vendor-Id and the final number is the Vendor-Type of the Cambium sub-attribute.