IMG 1010 - RADIUS - Overview

 

The IMG uses Remote Authentication Dial In User Service (RADIUS) for streaming Call Detail Records (CDRs). The implementation is compliant with RFC 2865 (Remote Authentication Dial In User Service (RADIUS)) and RFC 2866 (RADIUS Accounting). When RADIUS is configured on the IMG and an inbound call requires a RADIUS lookup, the IMG generates an Access-Request message to the RADIUS Server, as well as Accounting-Start and Accounting-Stop requests as required. The requests are populated with any associated data that came in the incoming or outgoing message. The IMG supports the Dialogic RADIUS format, which includes attributes defined by RFC 2865 and RFC 2866 and any supported Dialogic Vendor Specific Attributes (VSAs). Refer to the information below for an overview of what is supported on the IMG when configuring RADIUS.

Supported RADIUS Scenarios

The IMG supports RADIUS Authentication, Accounting, or a combination of both when communicating with a RADIUS Server. The user has the option of choosing one of the following scenarios when configuring the 2020 IMG:

Authentication and Accounting

In the first scenario, the IMG is configured as a RADIUS Client, and the configured RADIUS Server requires that the IMG first be authenticated before starting an Accounting session. Refer to the call flow diagram below.

Accounting Only

In the Accounting only scenario, the configured RADIUS server is used for Accounting purposes only. No Authentication is needed. Refer to the call flow diagram below.

Authentication Only

In the Authentication only scenario, the configured RADIUS server is used to authenticate users. No Accounting is required. Refer to the call flow diagram below.

Basic RADIUS call flow

Below is the call flow displaying the messages sent to a RADIUS Server that is configured for Accounting and Authorization.

Supported Packet Types

Access-Request (sent to the RADIUS server) - Conveys information used to determine whether a user is allowed access to a specific Network Access Server (NAS) and any special services requested for that user.

Access-Accept (sent by the RADIUS server) - Provides specific configuration information necessary to begin delivery of service to the user.

Access-Reject (sent by the RADIUS server) - Sent if any value of the received attributes is not acceptable.

Accounting-Start - Sent at the start of service delivery. Describes the type of service being delivered and to whom it is being delivered.

Accounting-Stop - Describes the type of service being delivered and displays optional statistics, such as elapsed time, input and output octets, and input and output packets.

RADIUS Server Debug Mode

The IMG can be configured so that calls will be completed whether the RADIUS server is active or not. In debug mode, the IMG does not require authentication from the RADIUS server to complete a call, and no billing information is logged. The RADIUS Debug Mode is configured through the RADIUS Client screen. Refer to the topic for more information on configuring debug mode.

RADIUS Server Failure Alarm

The IMG provides automatic alarm notification when a RADIUS Server has changed states and can no longer be accessed. The alarm, reported in ClientView, will include the RADIUS Server Type (Access, Accounting), the Server ID, the mode of the RADIUS Server (normal, debug), the state of the RADIUS Server, and the IP address of the failed RADIUS server.

RADIUS Server Redundancy

The IMG supports a Primary (Active)/Secondary (Standby) redundancy scheme. Redundancy logic is independent for Authentication and Accounting Servers. When configuring RADIUS servers, they are created with an initial priority preference. The IMG will begin using the primary RADIUS server, which is initially the active server. When a communication failure with the primary server is detected, a switchover to the Standby will occur. The Secondary will now become the active server, and all future RADIUS messages will flow to the new active server. If an error is detected in trying to send a RADIUS message to the new active server, the IMG will attempt to switch back to the Primary server (the initial active server). This behavior is repeated until a working server is detected. If the IMG fails to connect to a RADIUS Server, an alarm is then sent. The alarms can be monitored using the EventView application.

Typically, when a RADIUS message needs to be sent to a server it is assembled and passed to the OS for transport to the active server. These servers are configured to send the message, wait 2 seconds, and then retry sending the message an additional three times. Therefore a RADIUS message will be sent a total of four times, each at two second intervals. If the message has been sent four times with no success, a switchover to the next server will occur. The switchover behavior is coupled to the message type. Therefore, an Accounting Server switchover is independent of an Authentication Server switchover.

Under typical call loads it will take some time for the switchover to complete since the IMG may have many RADIUS messages queued up to the failed server. Each of these messages must fail and be retried on the newly active server following notification of the send failure.

Note: A negative response does not constitute a server failure.
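The retry and switchover rules above can be modelled as follows. This is an added example, not IMG code: the class, the alarm text, the `max_switchovers` bound, and the documentation-range addresses are assumptions made so the model runs and terminates. It shows that only timeouts trigger a switchover, that a negative response does not, and that the Authentication and Accounting pairs fail over independently.

```python
SENDS_PER_SERVER = 4     # first send plus three retries, as described above
INTERVAL_S = 2           # seconds between sends

class FailoverClient:
    """Model of one redundancy pair (Authentication or Accounting)."""

    def __init__(self, primary, secondary, transport):
        self.servers = [primary, secondary]
        self.active = 0                  # index of the active server
        self.transport = transport       # callable(server, msg) -> reply, None on timeout
        self.alarms = []
        self.waited_s = 0                # simulated time spent waiting on timeouts

    def send(self, msg, max_switchovers=4):
        """Return (server, reply); max_switchovers only bounds this model's loop."""
        for _ in range(max_switchovers + 1):
            server = self.servers[self.active]
            for _attempt in range(SENDS_PER_SERVER):
                reply = self.transport(server, msg)
                if reply is not None:
                    # Any reply, including Access-Reject, proves the server is alive.
                    return server, reply
                self.waited_s += INTERVAL_S
            self.alarms.append(f"{server} unreachable, switching over")
            self.active ^= 1             # toggle between primary and secondary
        return None, None

def demo():
    """Constructed topology: the primary accounting server is down."""
    down = {"192.0.2.11"}

    def transport(server, msg):
        if server in down:
            return None                  # timeout
        return "Access-Reject" if msg == "Access-Request" else "Accounting-Response"

    auth = FailoverClient("192.0.2.10", "192.0.2.20", transport)
    acct = FailoverClient("192.0.2.11", "192.0.2.21", transport)
    return auth, acct, auth.send("Access-Request"), acct.send("Accounting-Start")
```

In this model the accounting message reaches the secondary only after four timed-out sends, which is the per-message delay behind the slow switchover described for queued messages.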

Additional Information

  • As per RFC 2865 and RFC 2866, port 1812 is used for Authentication and port 1813 is used for Accounting. If a port number other than 1812 or 1813 is needed, the port number being used can be modified through the object in the ClientView application.

  • If implementing both Authentication and Accounting, the Authentication process can be run on one RADIUS Server and the Accounting process can be run on a separate RADIUS Server -or- both Authentication and Accounting processes can be run on one RADIUS Server. Verify the RADIUS Servers are all configured correctly. Refer to the object for more information on setting up Authentication and Accounting on one or more RADIUS Servers.

  • The RADIUS attributes and VSAs included in the RADIUS messages will vary based on the following:

    • The Protocol utilized.

    • What leg of the call the protocol is used on.

    • Whether the protocol is TDM (SS7 or ISDN) or IP (SIP).

  • The User name and Password values configured for the Authentication Server used will be included in the user name and password attributes in the Access-Request message sent from the IMG. 

See the IMG 1010 - Configure RADIUS topic for more information on how to configure RADIUS on the IMG.
