
NetOp Policy Manager Configuration Guide

Release 6.1.5
Part Number: 1543-CRA 119 1030/1 Uen A

Corporate Headquarters
Redback Networks Inc.
100 Headquarters Drive
San Jose, CA 95134-1362 USA
http://www.redback.com
Tel: +1 408 750 5000

© 2009, Ericsson AB. All rights reserved. Redback and SmartEdge are trademarks registered at the U.S. Patent & Trademark Office and in other countries. AOS, NetOp, SMS, and User Intelligent Networks are trademarks or service marks of Telefonaktiebolaget LM Ericsson. All other products or services mentioned are the trademarks, service marks, registered trademarks or registered service marks of their respective owners. All rights in copyright are reserved to the copyright owner. Company and product names are trademarks or registered trademarks of their respective owners. Neither the name of any third party software developer nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission of such third party.

Rights and Restrictions

All statements, specifications, recommendations, and technical information contained are current or planned as of the date of publication of this document. They are reliable as of the time of this writing and are presented without warranty of any kind, expressed or implied. In an effort to continuously improve the product and add features, Redback Networks Inc. (Redback) or Ericsson AB (Ericsson) and their affiliate companies reserve the right to change any specifications contained in this document without prior notice of any kind. Neither Redback or Ericsson nor its parent or affiliate companies shall be liable for technical or editorial errors or omissions which may occur in this document. Neither Redback or Ericsson nor its affiliate companies shall be liable for any indirect, special, incidental or consequential damages resulting from the furnishing, performance, or use of this document.

Disclaimer
No part of this document may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Redback or Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Contents

Chapter 1: Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Configure the NetOp PM Components to Automatically Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 Configure the External DHCP Server to Automatically Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 View SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 Modify the Number of SNMP Retries or SNMP Timeout Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 Configure NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 Configure NTP on SmartEdge Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5 Configure NTP on Solaris Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5 Change the IP Address of an Existing NetOp PM Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 Configure the NetOp PM Components to Use a Remote Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 Configure the NetOp PM Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7 Start the NetOp PM Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7 Stop the NetOp PM Service Manager . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 Configure Communications for the NetOp Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8 Configure Drop-Down Selection Lists for RADIUS Attributes in the NetOp Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10 Add, View, Remove, and Update Node Information in the NetOp PM System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11 Chapter 2: Configure the NetOp PM API Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Start and Stop the NetOp PM API Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Start the NetOp PM API Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Stop the NetOp PM API Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Change the Default NetOp PM API Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 Manage the NetOp PM API Server Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 Enable and Disable Load Balancing on the NetOp PM API Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 Define the Hosts in a NetOp PM API Server Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Change the RADIUS Authentication Type for the NetOp PM API Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
2-5 Chapter 3: Configure the Node for the NetOp PM System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 Access Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 PPP Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 PPP over L2TP Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 Dynamic and Static CLIPS Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 Configure EAP Authentication for Mobile IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 Wireless Authorization for Mobile IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 Configure NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Dynamic IP Address Service Attribute Variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 IP Redirect Service Attribute Variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 Lawful Intercept Service Attribute Variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 Bandwidth Service Attribute Variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . 3-6

Contents

iii

Video Service Attribute Variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 Volume Service Variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 Service Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 CoA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 Contexts and Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11 External DHCP Server (Dynamic CLIPS or DHCP-Based RFC 1483 Bridged Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15 Border Gateway Protocol (BGP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-17 Ports, Cards, and Circuits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-20 ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25 Forward Policies . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26 HTTP Redirect Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27 Hotline Redirect Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29 NAT Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-31 QoS Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-31 IGMP Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-34 Lawful Intercept Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-35 Chapter 4: Configure RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 View Default NetOp PM RADIUS Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Start the NetOp PM RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 Stop the NetOp PM RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 Reinitialize the NetOp PM RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Change the RADIUS Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Modify the Port Configuration for NetOp PM RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Modify the Node Configuration for NetOp PM RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6 Change Restart Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 Configure the RADIUS Server for EAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 View the List of Supported RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7 Configuring Custom Behavior for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Customize RADIUS Server Hooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8 Customize EAP Hooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11 Chapter 5: Configure External RADIUS and LDAP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 Forward RADIUS Requests to External RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
5-1 Configure RADIUS Servers External to the NetOp PM System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Forward RADIUS Authentication Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 Forward RADIUS Accounting Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Authenticate Subscribers with an External LDAP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 Configure External LDAP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 Query External LDAP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 Change the Algorithm Used When Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7 Configure RADIUS Attributes to Flow Through the NetOp PM System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7 RADIUS Attribute Flow-Through Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 Add RADIUS Attributes to Flow Through the NetOp PM System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9 Configure the RB-NPM-Service-Id Attribute to Flow Through the NetOp PM System . . . . . . . . . . . . . . . . . . . . . . 5-10 Configure the Framed-IP-Address Attribute to Flow Through the NetOp PM System . . . . . . . . . . . . . . . . . . . . . . . 5-10 Map External RADIUS or LDAP Attributes to NetOp PM RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11 Map an External Attribute Name and Value . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11 Map an External Attribute Name with Any Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11 Map Any External Attribute Name and Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12 Rename an External Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12

iv

NetOp Policy Manager Configuration Guide

Chapter 6: Manage Policies with External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 Manage Policies with External Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Chapter 7: Configure Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Configure Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 Verify or Add Additional RADIUS Attributes to the dictionary_redback.cfg File . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 NetOp PM API Methods for Managing Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 Add Support for Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6 Retrieve Information About an Additional RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 Modify the Support of an Additional RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8 Remove Support for an Additional RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9 Create a New Service Attribute Variation Using the New NAS Type with the NetOp Client . . . . . . . . . . . . . . . . . . . . . . . 7-9 Add Third-Party RADIUS Attributes to the dictionary_redback.cfg File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
7-10 Add Third-Party RADIUS Attributes to the NetOp PM System Using a SOAP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11 Apply Services by Configuring Additional RADIUS Attributes and VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11 Calculate Multiple Values to Configure WiMAX Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11 Redirect a Subscriber using EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-12 Support for NAS-Filter-Rules Exceeding the Character Limit for an Inline SAV . . . . . . . . . . . . . . . . . . . . . . . . 7-13 Chapter 8: Configuring NetOp PM Third Party Vendor Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Add Third-Party Device (NAS) Types Using a SOAP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1 Add Third-Party Devices to Communicate with the NetOp PM System Using a SOAP Client . . . . . . . . . . . . . . . . . . . . . 8-2 Chapter 9: Service Offerings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 View Service Offerings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Create Service Offerings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1 Create an Access Service Offering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4 Create a Custom Service Offering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . 9-5 Modify Service Offerings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5 Delete Service Offerings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6 Make a Service Unavailable to Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 Configure the Offering Period to Hide a Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 Immediately Remove a Service from the List of Available Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7 Chapter 10: Service Attribute Variations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 View Service Attribute Variations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 Create Service Attribute Variations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-1 Variation Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Define a Single Instance of a Single Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Define Multiple Instances of a Single Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4 Define a Single Instance of Multiple Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . 10-5 Define Multiple Instances of a Single Type and Multiple Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5 Create and Remove Variation Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6 Automatic Naming of Location-Specific Service Attribute Variation Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7 Use Additional RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8 Modify Service Attribute Variations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9 Delete Service Attribute Variations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-9 Chapter 11: Complex Time and Volume Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1 Scheduled Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-1 Absolute and Relative Times in Scheduled Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-2 Examples: Valid Formats for Absolute and Relative Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-4 Create a Scheduled Variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-5

Contents

Metered Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-7 Tiered Quota Service Bundles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-8 Real-Time Billing Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-9 Tracking Time Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11 Tracking Volume Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-11 Create a Metered Variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-13 Create a Quota Exceeded Variation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-14 Tiered Quota Service Bundles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-15 Create Tiered Volume Quota Service Bundles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11-16 Chapter 12: Online Charging for Prepaid Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-1 Configure Online Charging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-4 Define Additional AVPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
12-5 Configure the Diameter Peer Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-5 Configure Communication with the Credit-Control Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-6 Manage the Credit-Control Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7 Configure the Subscriber For Prepaid Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7 Configure a Prepaid Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-7 Credit-Control Variations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-8 Configure a Credit-Control Variation with the NetOp Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9 Configure a Credit-Control Variation with the NetOp PM API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-9 Override RADIUS Attributes with Diameter Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-10 Configure a Prepaid Service Offering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12 Configure a Prepaid Service Offering with the NetOp Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-12 Configure a Prepaid Service Offering with the NetOp PM API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12-13 Credit-Control Service Errors and Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . 12-14 Chapter 13: Configure Admission Control Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configure the Admission Control Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Populate the resource_config Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configure Resource Admission Control Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configure Admission Control for Multicast Video Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 14: Configure NetOp PM to Support Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . NetOp PM EAP Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configure EAP-Aware Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configure Support for EAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Local EAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Forward EAP Authentication Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . EAP TLS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Locally Authenticate EAP TLS Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
Forward EAP TLS Requests
Issue Certificates for EAP TLS Authentication
EAP TTLS Authentication
Forward EAP TTLS Requests
Locally Authenticate Tunneled and Inner Authentication Requests
Locally Authenticate Outer EAP TTLS Requests and Forward Inner EAP Requests
EAP-MD5 Authentication
Locally Authenticate EAP-MD5 Requests
Forward EAP-MD5 Requests
Wireless Authorization Overview
Wireless Web Login Through a Portal
Simple IP
Deploy a NetOp PM System for Simple IP

vi

NetOp Policy Manager Configuration Guide

Mobile IP 14-10
Mobile IP with Static Keys Authorization 14-11
Deploy a NetOp PM System for Mobile IP with Static Keys Authorization 14-11
Mobile IP with Dynamic Keys Authorization 14-13
Deploy the NetOp PM System for Mobile IP with Dynamic Keys Authorization 14-13
Configuration Tasks 14-15
Configure RADIUS Attributes for ASN Gateways 14-16
ASN Gateways 14-16
Home Agent 14-18
WiMAX Outer Identity 14-18
Configure the NetOp PM System and the ASN Gateway to Authenticate Subscribers with WiMAX Outer Identity 14-19
EAP TLS/TTLS Authentication with WiMAX Outer Identity 14-19
EAP TLS/TTLS Request Routing with WiMAX Outer Identity 14-19
Define a Mobile IP Home Agent Hotline Service Offering 14-20
Overview of Redirecting a Mobile IP Subscriber Session 14-20
Hotline Mobile IP Subscribers at Session Startup 14-22
Configure Support for Mobile IP Third-Party Device Types 14-24

Chapter 15: Configure the NetOp PM Lightweight Web Portal 15-1
Configure the NetOp PM Lightweight Web Portal After Deployment 15-1
Configure the NetOp PM Lightweight Web Portal to Communicate with a Secure NetOp PM API Server 15-4
Start the NetOp PM Lightweight Web Portal 15-4
Stop the NetOp PM Lightweight Web Portal 15-5
Change the Language Displayed by the NetOp PM Lightweight Web Portal 15-5
Modify the Service Model Configuration 15-6
Enable Web Proxy Support 15-6
Customizing the NetOp PM Lightweight Web Portal 15-7
Understand the NetOp PM Lightweight Web Portal 15-8
Integrate the NetOp PM System with Your Corporate Portal 15-9
Customize the NetOp PM Lightweight Web Portal 15-10
Modify the NetOp PM Lightweight Web Portal 15-10
Do Not Modify These <input> and <img> Tags 15-12
Customize Sample XSL Stylesheets 15-13
Customize the Inactive Account Login Redirect Page 15-21
Customize the Invalid Location Login Redirect Page 15-22
Customize the Invalid Login Redirect Page 15-22
Customize the Quota Exceeded Page 15-23
Customize the Help Page 15-23

Chapter 16: Manage Subscribers 16-1
View Subscriber Account and Active Session Information 16-1
View Subscriber Circuit Attributes: QoS Hierarchical Node and Node Group 16-3
View Framed Routes 16-3
View Logon Status 16-3
View Pre-Authentication Information 16-4
View Service Order History 16-5
View Static Framed IP Addresses 16-5
View Current Subscribed Services 16-5
Add Subscriber Accounts to the NetOp PM System 16-7
Restrict Subscriber Logon Location with Location Lock 16-7
Configure Authentication Using DHCP Option 82 16-8
Modify Existing Subscriber Account Details 16-10
Configure Subscriber Circuit Attributes 16-11


Hierarchical Nodes and Node Groups 16-11
Add a QoS Reference to a Subscriber Circuit 16-12
Remove a QoS Reference from a Subscriber Circuit 16-13
Add a QoS Reference to a Location 16-14
Add or Remove Framed Routes 16-14
Add a Framed Route to a Subscriber Session 16-14
Remove a Framed Route from a Subscriber Session 16-16
Configure Pre-authentication for Subscribers 16-16
Pre-authenticate a Subscriber 16-16
Remove Pre-authentication from a Subscriber 16-18
Change Subscriber Logon Status 16-18
Change Subscriber Logon Status 16-18
Remove Subscriber Logon Status 16-19
Add or Remove Static IP Addresses 16-20
Add Static IP Addresses 16-20
Remove Static IP Addresses 16-21
Add Subscribed Services 16-21
Remove Subscribed Services 16-22
Remove Subscriber Accounts 16-23


Chapter 1

Initial Configuration

This chapter describes how to perform initial basic configuration of the NetOp Policy Manager in the following sections:

Configure the NetOp PM Components to Automatically Restart
Configure the External DHCP Server to Automatically Restart
View SNMP Settings
Modify the Number of SNMP Retries or SNMP Timeout Setting
Configure NTP
Change the IP Address of an Existing NetOp PM Host
Configure the NetOp PM Components to Use a Remote Database
Configure the NetOp PM Service Manager
Configure Communications for the NetOp Client
Configure Drop-Down Selection Lists for RADIUS Attributes in the NetOp Client
Add, View, Remove, and Update Node Information in the NetOp PM System

Configure the NetOp PM Components to Automatically Restart


By default, the NetOp PM components are configured to restart automatically if the host reboots. You can modify the restart settings for all the NetOp PM components using the config_api.sh, config_db.sh, config_radius.sh, config_service_manager.sh, or config_portal.sh script. To modify the restart settings, run one of the scripts (on the appropriate server) with the -auto_start or -noauto_start option.

For example, to modify the restart settings for a NetOp PM API server, perform the following steps on the host where the NetOp PM API server is located:

1. Log on as root.

2. Open a terminal window and navigate to the NetOp PM installation directory:

   cd /usr/local/npm

3. Run the config_api.sh script with the -auto_start or -noauto_start option:


   To activate the automatic restart of the NetOp PM API server when the NetOp PM host reboots:

   ./config_api.sh -auto_start

   To disable the automatic restart of the NetOp PM API server when the NetOp PM host reboots:

   ./config_api.sh -noauto_start

Table 5-3 on page 5-12 describes the syntax and usage guidelines for this script.

Configure the External DHCP Server to Automatically Restart


Note The external DHCP server is intended for demonstration purposes, not for production deployment.

To configure an external DHCP server to automatically restart if its Solaris host is rebooted, perform the following steps:

1. Log on as root.

2. Open a terminal window and navigate to the /etc directory:

   cd /etc

3. In a text editor, such as vi, create the /etc/rc3.d/S99npm_dhcpd file.

4. Add the following lines to the file:

#!/bin/ksh
#
# Automatically start DHCP Server
#
/usr/sbin/dhcpd <interface-to-router>

5. Save and close the file.

6. Ensure that the script can run by entering the following command:

   chmod u+rx /etc/rc3.d/S99npm_dhcpd

View SNMP Settings


By default, the sample configurations include all SNMP settings and SNMP object IDs (OIDs) required to work with the NetOp PM software. Refreshing a subscriber session involves sending a single SNMP set to the SmartEdge router.

Note: For information about the tasks required to configure SNMP, see the SNMP section on page 3-29.


Table 1-1 SNMP Attributes Used by NetOp PM

Attribute        Description
Community        SNMP community associated with the subscriber session.
Host IP Address  IP address of the node to which the SNMP request is sent.
OID              SNMP OID. A path through the Management Information Base (MIB) on the node to the subscriber session whose value is set.
OID Value        Operation performed on the subscriber session.

The following SNMP settings for the SmartEdge router are required to enable SNMP operations:

snmp server
snmp community npm_community all-contexts view npm_view read-write

The following SNMP settings for the SmartEdge platform are required to accept SNMP bounce, clear, and reauth operations:

snmp view npm_view rbnSubsBounceSessionId included
snmp view npm_view rbnSubsClearReason included
snmp view npm_view rbnSubsClearSessionId included
snmp view npm_view rbnSubsReauthSessionId included

Caution: Risk of communication loss. To reduce the risk of nodes rejecting SNMP requests sent by the NetOp PM software, ensure that the following commands are included in the node configuration files.

The following SNMP settings are required to run the synch_npm_with_node.sh script:

snmp view npm_view rbnSubsActiveAddr included
snmp view npm_view rbnSubsActiveCircuitDescr included
snmp view npm_view rbnSubsActiveResend included
snmp view npm_view sysDescr included
snmp view npm_view sysName included
snmp view npm_view vacmMIBObjects included

The following SNMP settings are required to determine the current volume usage for subscribers on the SmartEdge router:

snmp view npm_view rbnSubsOctetsReceived included
snmp view npm_view rbnSubsOctetsSent included

The following SNMP settings are required for the admission control function feature:

snmp view npm_view ifHighSpeed included
snmp view npm_view ifName included
snmp view npm_view ifType included


The following SNMP setting is required for the admission control function feature to get class volume counter information for a service subscription:
snmp view npm_view rbnQosSubscriberRLClassStatsTable included

When sending an SNMP request, the NetOp PM system attempts to notify the node up to three times. If the SNMP request has not been delivered successfully after three attempts, the system notifies the subscriber that the web logon or service change has failed. For a detailed matrix showing SNMP messages for dynamic clientless IP service selection (CLIPS), static CLIPS, Point-to-Point Protocol (PPP), and RFC 1483 bridged encapsulations on SmartEdge routers and SMS devices, see the Supported Encapsulation Types section on page 1-11 in the NetOp Policy Manager Product Overview.
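The Caution above asks you to make sure every required SNMP line is present in each node's configuration before the NetOp PM software depends on it. The following shell script is an added example and is not part of the NetOp PM software: it reads a saved SmartEdge configuration (assumed to be a plain-text dump with one command per line) and reports each line from the lists in this section that is missing. It also lists any read-write community that is not confined to a view, because the setup above relies on npm_view to limit what npm_community can set. The function names and the sample configuration are constructed for this example; the object names are the ones the guide lists.

```shell
#!/bin/sh
# Added example: audit a SmartEdge node configuration dump for the SNMP
# settings the NetOp PM guide requires. Not part of the NetOp PM software.
# Assumes the dump has one configuration command per line.

# Every "snmp view npm_view <object> included" line listed in the guide.
NPM_VIEW_OBJECTS="rbnSubsBounceSessionId rbnSubsClearReason rbnSubsClearSessionId
rbnSubsReauthSessionId rbnSubsActiveAddr rbnSubsActiveCircuitDescr rbnSubsActiveResend
sysDescr sysName vacmMIBObjects rbnSubsOctetsReceived rbnSubsOctetsSent
ifHighSpeed ifName ifType rbnQosSubscriberRLClassStatsTable"

# check_snmp_views FILE
# Prints "missing: <line>" for each required line absent from FILE.
# Returns 0 if the configuration is complete, 1 otherwise.
check_snmp_views() {
    _cfg=$1
    _rc=0
    for _line in "snmp server" \
        "snmp community npm_community all-contexts view npm_view read-write"; do
        if ! grep -qx "$_line" "$_cfg"; then
            echo "missing: $_line"
            _rc=1
        fi
    done
    for _obj in $NPM_VIEW_OBJECTS; do
        if ! grep -qx "snmp view npm_view $_obj included" "$_cfg"; then
            echo "missing: snmp view npm_view $_obj included"
            _rc=1
        fi
    done
    return $_rc
}

# list_unscoped_rw_communities FILE
# Prints each "snmp community" line that grants read-write access without
# naming a view. The guide confines npm_community to npm_view; a read-write
# community with no view restriction is worth reviewing because it is not
# limited to the objects NetOp PM needs.
list_unscoped_rw_communities() {
    grep '^snmp community ' "$1" | grep 'read-write' | grep -v ' view '
}

# write_sample_config FILE
# Constructed sample dump for testing: complete except for two required
# views (rbnSubsOctetsSent, ifType), plus one constructed unscoped
# read-write community line that is not from the guide.
write_sample_config() {
    cat > "$1" <<'EOF'
snmp server
snmp community npm_community all-contexts view npm_view read-write
snmp community public read-write
snmp view npm_view rbnSubsBounceSessionId included
snmp view npm_view rbnSubsClearReason included
snmp view npm_view rbnSubsClearSessionId included
snmp view npm_view rbnSubsReauthSessionId included
snmp view npm_view rbnSubsActiveAddr included
snmp view npm_view rbnSubsActiveCircuitDescr included
snmp view npm_view rbnSubsActiveResend included
snmp view npm_view sysDescr included
snmp view npm_view sysName included
snmp view npm_view vacmMIBObjects included
snmp view npm_view rbnSubsOctetsReceived included
snmp view npm_view ifHighSpeed included
snmp view npm_view ifName included
snmp view npm_view rbnQosSubscriberRLClassStatsTable included
EOF
}

# Usage: sh snmp_audit.sh /path/to/node-config.txt
if [ $# -eq 1 ]; then
    check_snmp_views "$1"
    list_unscoped_rw_communities "$1" | sed 's/^/review: /'
fi
```

Run it against a saved copy of each node's configuration before deploying the NetOp PM components; a non-zero exit status from check_snmp_views means at least one required line is absent and the node may reject NetOp PM's SNMP requests, which is the failure the Caution warns about.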

Modify the Number of SNMP Retries or SNMP Timeout Setting


You can modify the SNMP retry and timeout settings for the NetOp PM system with the config_npm.sh script. To modify the number of SNMP retries or the length of the SNMP timeout, run the config_npm.sh script with the -snmp_retry or the -snmp_timeout option, using the following steps:

1. Log on as root.

2. Open a terminal window and navigate to the NetOp PM installation directory:

   cd /usr/local/npm

3. Run the config_npm.sh script according to the following syntax:

   ./config_npm.sh [-snmp_retry snmp_retries] [-snmp_timeout seconds]

   where the snmp_retries argument is the maximum number of retransmissions sent by the NetOp PM system to the node if no acknowledgement is received within the SNMP timeout, and the seconds argument is the maximum amount of time (in seconds) that the NetOp PM system waits for a response from the node.

Configure NTP
For time-metering services to function correctly, the time-of-day clock on the Solaris hosts must be synchronized to the clock on the SmartEdge routers. To enable this, we recommend that all hosts and nodes in your network have access to an NTP server that keeps accurate time. You must configure all hosts and nodes to periodically contact the NTP server and adjust their clocks as required to synchronize with the time on the server.


Configure NTP on SmartEdge Routers


To configure NTP in your NetOp PM system, enter the following command in global configuration mode:

ntp server ip-addr [context ctx-name] [prefer] [source if-name] [version ver-num]

For example:

ntp server 10.11.168.1

Note: For more information about this command for the SmartEdge OS, see the NTP Configuration document in the SmartEdge OS Library.

Configure NTP on Solaris Hosts


To configure Solaris to synchronize with an NTP server or an NTP client, refer to your Solaris documentation for instructions, because there are many optional configuration parameters. Also, your NTP server may require advanced configuration options (such as the use of authentication keys), so you should contact your local Solaris administrator for support.

The NTP client program, xntpd, that runs on each Solaris host expects to read configuration parameters from the /etc/inet/ntp.conf file. If this default file does not exist, the NTP client service does not start when the Solaris host reboots.

To configure NTP on Solaris hosts, perform the following steps:

1. Create a simple ntp.conf file that informs the xntpd program of the NTP server location:

   a. Log on as root.

   b. In the Solaris command shell, enter the following commands (substituting the name of your own NTP server) to create a one-line configuration file that configures an NTP client in Solaris 10:

      cp /etc/inet/ntp.client /etc/inet/ntp.conf
      svcadm enable svc:/network/ntp

   Note: Alternatively, you could use a text editor, such as vi, to edit the content of this file.

2. Start the xntpd client by entering the following command:

   /etc/init.d/xntpd start

   Note: The NTP client automatically restarts when the Solaris host reboots, so you do not need to use this command more than once.

After the xntpd client starts, verify that the Solaris time-of-day clock is synchronized between the NTP server and the SmartEdge routers in your network.
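The verification step above matters because time-metering services bill against the host clock, so an unsynchronized or drifting host is a data-integrity problem, not only an operational one. The following shell script is an added example, not part of the NetOp PM software: it reads the peer table printed by ntpq -p (available on Solaris 10 alongside xntpd, and on other systems running an NTP daemon), finds the peer the client is currently synchronized to, and fails when no peer is selected or the offset exceeds a threshold. The function names, the threshold default, and the sample ntpq output are constructed for this example; the server address is the one used in the SmartEdge example above.

```shell
#!/bin/sh
# Added example: check whether the local NTP client is synchronized, using
# the peer table printed by "ntpq -p". Not part of the NetOp PM software.

# ntp_sync_status FILE [MAX_OFFSET_MS]
# FILE holds the output of "ntpq -p". The line whose first character is "*"
# is the peer the daemon has selected for synchronization; its "offset"
# column (field 9) is in milliseconds. Returns 0 when a selected peer exists
# and its absolute offset is within MAX_OFFSET_MS (default 500), 1 when the
# offset is too large, 2 when no peer is selected (not synchronized, or the
# daemon is not answering, in which case ntpq prints an error instead).
ntp_sync_status() {
    awk -v max="${2:-500}" '
        /^\*/ {
            found = 1
            peer = substr($1, 2)
            offstr = $9
            off = $9 + 0
            aoff = (off < 0) ? -off : off
        }
        END {
            if (!found) { print "not synchronized: no selected peer"; exit 2 }
            if (aoff > max + 0) {
                printf "offset %s ms to %s exceeds %s ms\n", offstr, peer, max
                exit 1
            }
            printf "synchronized to %s, offset %s ms\n", peer, offstr
        }' "$1"
}

# write_sample_peers FILE [OFFSET_MS]
# Constructed "ntpq -p" output for testing, with the guide's example server
# (10.11.168.1) as the selected peer and an optional offset override.
write_sample_peers() {
    cat > "$1" <<EOF
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.11.168.1     .GPS.            1 u   32   64  377    0.412   ${2:-1.234}   0.118
+10.11.168.2     10.11.168.1      2 u   40   64  377    0.655   -2.501   0.300
EOF
}

# Usage: ntpq -p > /tmp/peers.txt && sh ntp_check.sh /tmp/peers.txt [max_offset_ms]
if [ $# -ge 1 ]; then
    ntp_sync_status "$@"
fi
```

Run the same check on every Solaris host and compare the selected peer with the one configured on the SmartEdge routers; if the hosts and routers follow different servers, their clocks can agree with their own server yet still disagree with each other.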


Change the IP Address of an Existing NetOp PM Host


Changing the IP address of an existing host is a complex procedure, requiring great care to ensure that communication between components is maintained. The following applications rely on the IP address being correct: Solaris, Oracle, the NetOp PM system, Apache, and Tomcat. Contact your local Redback customer support team for assistance.

Configure the NetOp PM Components to Use a Remote Database


In a medium or large deployment where the NetOp PM database is on a different host, configure the NetOp PM components to operate with a remote database by running the config_npm.sh script.

Note: The config_npm.sh script is installed in the /usr/local/npm directory and is run by the root user.

To enable the NetOp PM components to use a remotely located database, perform the following steps:

1. On each component's host, log on as root.

2. Open a terminal window and navigate to the NetOp PM installation directory:

   cd /usr/local/npm

3. Run the config_npm.sh script with the following syntax:

   config_npm.sh -db_host database_host

   where the database_host argument is the hostname or IP address of the remote Solaris workstation hosting the NetOp PM database.

Table 1-2 Syntax for the config_npm.sh Script

Syntax                                              Description
-db database_name                                   Optional. Name of the NetOp PM database. The default value is npm.
-db_acct database_account_name                      Optional. Name of the NetOp PM database account. The default value is npmuser.
-db_admin new_database_admin_account_name           Optional. Name of the NetOp PM database administration account. The default value is npmadmin.
-db_admin_passwd database_admin_account_password    Optional. NetOp PM database administration account password.
-db_host database_host[,database_host]              Optional. Host name or IP address of the database host, and optionally that of the standby database host. Note: Separate multiple IP addresses with commas.
-db_passwd new_database_account_password            Optional. New NetOp PM database account password.
-encrypt_key new_encryption_decryption_key          Optional. Database encryption and decryption key for subscriber passwords.
-snmp_retry snmp_retries                            Optional. Maximum number of SNMP retries. The default value is three retransmissions.
-snmp_timeout snmp_timeout                          Optional. Maximum SNMP timeout value in seconds. The default value is 10 seconds.
-f                                                  Optional. Starts the configuration without prompting the user.
-h                                                  Optional. Prints usage information and exits.

For information about configuring the NetOp PM database, see the NetOp Database Administration Guide and the NetOp Policy Manager Database Redundancy and Recovery Guide.

Configure the NetOp PM Service Manager


The NetOp PM Service Manager allows you to configure multiple redundant NetOp PM service managers, one per NetOp PM host, to load-share complex service actions and to ensure continuous processing of service actions even in the event of a server failure.

To configure the NetOp PM service manager using the config_service_manager.sh script, perform the following steps:

1. Log on as root.

2. Open a terminal window and navigate to the NetOp PM installation directory:

   cd /usr/local/npm

3. Run the config_service_manager.sh script according to the following syntax:

   ./config_service_manager.sh [-auto_start | -noauto_start] [-f]

Table 1-3 Syntax for the config_service_manager.sh Script

Syntax          Description
-auto_start     Optional. Activates the automatic shutdown and startup of the NetOp PM service manager when the NetOp PM host reboots. This is the default value.
-noauto_start   Optional. Disables the automatic restart of the NetOp PM service manager when the NetOp PM host reboots.
-f              Optional. Configures the NetOp PM service manager without prompting the user.
-h              Optional. Prints usage information and exits.

Start the NetOp PM Service Manager


The start_service_manager.sh script starts the NetOp PM service manager only on the host where the script is run.


Note: The NetOp PM Service Manager automatically restarts when the Solaris host reboots.

To start the NetOp PM service manager, perform the following steps:

1. Log onto the NetOp PM service manager host as root.

2. Open a terminal window and navigate to the NetOp PM service manager directory:

   cd /usr/local/npm/service_manager

3. Run the start_service_manager.sh script according to the following syntax:

   ./start_service_manager.sh [-f] [-h]

   The following message appears:

   NetOp Service Manager Server
   Database Name: npm
   Database Server: localhost
   Do you wish to start the server? [N]:

4. At the prompt, type y and press Enter. A message displays that the startup is complete.

Stop the NetOp PM Service Manager


The stop_service_manager.sh script stops the NetOp PM service manager only on the host where the script is run.

To stop the NetOp PM service manager, perform the following steps:

1. Log onto the NetOp PM service manager host as root.

2. Open a terminal window and navigate to the NetOp PM service manager directory:

   cd /usr/local/npm/service_manager

3. Run the stop_service_manager.sh script according to the following syntax:

   ./stop_service_manager.sh [-f] [-h]

Configure Communications for the NetOp Client


You configure communications for your NetOp client at initial startup. For procedures to install the NetOp client, see Chapter 9, Install the NetOp Client, in the NetOp Policy Manager Installation Guide.

To start the NetOp client and configure communications for it, perform the following steps:

1. Start the NetOp client:

   Using Windows: Click Start > Programs > Redback Networks > NetOp releaseID > NetOp Client releaseID, where releaseID is the release version of the NetOp client software installed; for example, 6.n.n.n.


   Using Solaris: Log on to the machine as netop, open a terminal window, navigate to the /opt/Redback/NetOpClt/releaseID directory, and run the NetOpClt.sh script. The NetOp client appears.

2. On the navigation bar, click Tools > Options.


Figure 1-1 Options Dialog Box: NetOp PM Tab

3. Click the Host/IP field and type the hostname or IP address of the NetOp Policy Manager (PM) host running the NetOp PM application programming interface (API) server. If a hostname is used, ensure that it is defined in the /etc/hosts file. The Version field automatically shows the correct version.

4. If the NetOp client communicates with a secure NetOp PM API server that uses SSL, or to require users to log on to the NetOp client with a username and password, click to select the Enable Security check box.

   Note: The NetOp client's security setting must match the setting for the NetOp PM API server; otherwise, the NetOp client is unable to connect to the NetOp PM API server. For example, if the NetOp client is configured with security enabled, the NetOp client is unable to connect to a non-secure NetOp PM API server.

5. Click OK. If security is enabled, the NetOp PM system prompts for the Username and Password.


If you are logging on to a secure NetOp PM API server, perform the following steps:

1. Click the Username field and type the username that the NetOp client uses to authenticate with the NetOp PM API server.

2. Click the Password field and type the password that the NetOp client uses to authenticate with the NetOp PM API server.

3. Click OK.

Configure Drop-Down Selection Lists for RADIUS Attributes in the NetOp Client
You can create drop-down selection lists for fields in the NetOp Client that are associated with RADIUS attributes. You create drop-down selection lists by using the ConfigRADIUSAttributes XML document to associate the names in the drop-down selection list (called enumerations in the XML document) with the actual values of the RADIUS attributes. When you inject the ConfigRADIUSAttributes XML document containing the enumerations for a specific RADIUS attribute, the enumerations appear in the drop-down selection list in the associated field in the NetOp client. Selecting a value from a drop-down selection list, instead of entering the actual system value, reduces the risk of entering incorrect values when you create service attribute variations.

A scenario in which you would use a drop-down selection list: Instead of manually entering the IP address of a node located in a specific city into the required RADIUS attribute field, use the ConfigRADIUSAttributes XML document to associate the IP address with the name of the city. You can then select the city name from the drop-down selection list instead of typing in the IP address. The NetOp PM system still uses the system value of the IP address.

The following example displays the ConfigRADIUSAttributes XML document where the enumeration Boston is associated with the IP address 10.10.10.10 and the enumeration New York is associated with the IP address 12.12.12.12:
<Enums>
  <Enum>
    <Name>Boston</Name>
    <Value>10.10.10.10</Value>
  </Enum>
  <Enum>
    <Name>New York</Name>
    <Value>12.12.12.12</Value>
  </Enum>
</Enums>

For detailed instructions on how to configure the NetOp PM system using XML documents, see Chapter 4, PERL SOAP Client and XML Documents in the NetOp Policy Manager API Guide.

Add, View, Remove, and Update Node Information in the NetOp PM System
For each node you want to add to the NetOp PM system, use the NASMgmt.addNASXML.pl script. Perform the following steps to add a node to the NetOp PM system:

1. Create an XML file describing the node, in the following format:

<NASRecords>
  <NAS>
    <Id>nas-id</Id>
    <IPAddress>10.192.100.8</IPAddress>
    <Secret>my-secret</Secret>
    <SoftwareVersion>ver-num</SoftwareVersion>
  </NAS>
</NASRecords>

   This XML structure describes the ID, IP address, password (secret), and software version for the node.

2. To add the new node to the NetOp PM system, run the following script:

   /usr/local/npm/soap_client/perl/NASMgmt.addNASXML.pl -file sampleNAS.xml

   Here the sampleNAS.xml argument is the path and filename of the XML file containing the node description.

To manage nodes in the NetOp PM system, you can also perform the following tasks:

To view a node in the NetOp PM system, run the NASMgmt.getNASXML.pl script.
To view a list of nodes in the NetOp PM system, run the NASMgmt.getAllNASXML.pl script.
To remove a node from the NetOp PM system, run the NASMgmt.removeNAS.pl script.
To update the node information in the NetOp PM system, run the NASMgmt.updateNASXML.pl script.

The NAS.xsd file describes the structure for defining how to add and update a node. For information about the XML file, look in the /usr/local/npm/docs directory.
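The NAS record above carries the node's RADIUS shared secret in clear text, so the file handed to NASMgmt.addNASXML.pl deserves the same handling as any credential file. The following shell script is an added example, not part of the NetOp PM software: it writes a NASRecords document in the layout shown above, rejects a malformed IPv4 address before anything is sent to the system, XML-escapes the secret so characters such as & or < cannot break the document, and creates the file readable by its owner only. The helper names, the sample node ID, and the sample secret are constructed for this example; the address is the one from the guide's sample record.

```shell
#!/bin/sh
# Added example: write a NASRecords XML file for NASMgmt.addNASXML.pl with
# the RADIUS shared secret handled with some care. Not part of the NetOp PM
# software; the record layout follows the guide, the helper names are mine.

# xml_escape STRING: escape the five XML special characters so a secret
# such as "p&ss<word" cannot break the document or be silently truncated.
xml_escape() {
    printf '%s\n' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# valid_ipv4 ADDRESS: four dotted decimal octets, each 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# write_nas_record FILE ID IPADDRESS SECRET VERSION
# Refuses a malformed address (a typo here would point NetOp PM at the wrong
# node) and creates FILE readable by the owner only, because the shared
# secret is stored in clear text. Returns 1 without writing on bad input.
write_nas_record() {
    _out=$1 _id=$2 _ip=$3 _secret=$4 _ver=$5
    if ! valid_ipv4 "$_ip"; then
        echo "write_nas_record: invalid IPv4 address '$_ip'" >&2
        return 1
    fi
    (
        umask 077
        cat > "$_out" <<EOF
<NASRecords>
  <NAS>
    <Id>$(xml_escape "$_id")</Id>
    <IPAddress>$_ip</IPAddress>
    <Secret>$(xml_escape "$_secret")</Secret>
    <SoftwareVersion>$(xml_escape "$_ver")</SoftwareVersion>
  </NAS>
</NASRecords>
EOF
        chmod 600 "$_out"
    )
}

# Usage: sh make_nas.sh sampleNAS.xml nas-id 10.192.100.8 'my-secret' ver-num
#        /usr/local/npm/soap_client/perl/NASMgmt.addNASXML.pl -file sampleNAS.xml
if [ $# -eq 5 ]; then
    write_nas_record "$@"
fi
```

Remove the XML file once the node has been added, or keep it only in a location with the same access controls as the NetOp PM database credentials; the secret in it is what the node uses to authenticate RADIUS traffic from the NetOp PM system.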


Chapter 2

Configure the NetOp PM API Servers

This section describes how to configure NetOp PM API servers after deployment, in the following topics:

Start and Stop the NetOp PM API Server
Change the Default NetOp PM API Server Configuration
Manage the NetOp PM API Server Load Balancing
Change the RADIUS Authentication Type for the NetOp PM API Server

For more information about the components that directly and indirectly interact with the NetOp PM API, the component roles, interrelationships, and flow of information through the NetOp PM API servers, see Chapter 2, NetOp PM Architecture in the NetOp Policy Manager API Guide. For procedures to install multiple NetOp PM API servers, see Chapter 8, Configure, Deploy, and Start the NetOp PM Components in the NetOp Policy Manager Installation Guide.

Note: To configure the NetOp PM API server in secure mode to use Secure Sockets Layer (SSL), you must perform the following tasks:
- Use the -secure keyword when you run the deploy_api.sh or config_api.sh script to provide a secure connection between the NetOp PM API server and a Simple Object Access Protocol (SOAP) client.
- Generate an SSL keystore file.

The secure mode of the NetOp PM API server uses an SSL keystore to provide public key encryption between SOAP clients and the NetOp PM API server. The NetOp PM software includes a sample.keystore file already installed that you can use. However, to ensure a more secure system, we recommend that you generate your own keystore file before production deployment. For instructions on generating your own keystore file, see the Generate an SSL Keystore File section on page 3-8 in the NetOp Policy Manager API Guide.

Start and Stop the NetOp PM API Server


This section describes how to start and stop the NetOp PM API server in the following topics:
- Start the NetOp PM API Server
- Stop the NetOp PM API Server


Start the NetOp PM API Server


The start_api.sh script starts the NetOp PM API server only on the host where the script is run.

Note: The NetOp PM API server automatically restarts when the Solaris host reboots.

To start the NetOp PM API server, perform the following steps:

1. Log onto the NetOp PM API server host as root.
2. Open a terminal window and navigate to the NetOp PM API server directory:
   cd /usr/local/npm/api
3. Run the start_api.sh script according to the following syntax:
   ./start_api.sh [-h]
   If you include the optional -h keyword, the script prints usage information and exits. If you do not include it, the script starts the NetOp PM API server and displays a message indicating that the startup is complete.

Stop the NetOp PM API Server


The stop_api.sh script stops the NetOp PM API server only on the host where the script is run. To stop the NetOp PM API server, perform the following steps:

1. Log onto the NetOp PM API server host as root.
2. Navigate to the directory that contains the script for stopping the NetOp PM API server:
   cd /usr/local/npm/api
3. Run the stop_api.sh script according to the following syntax:
   ./stop_api.sh [-h]
   If you include the optional -h keyword, the script prints usage information and exits. If you do not include it, the script stops the NetOp PM API server.

Change the Default NetOp PM API Server Configuration


Use the config_api.sh script to change the default configuration of NetOp PM API servers. Using this script, you can set NetOp PM API servers to run in secure or non-secure mode, enable or disable load balancing, modify the restart settings, and change the Remote Authentication Dial-In User Service (RADIUS) authentication type.


Note: For specific instructions on how to use this script to enable and disable load balancing on groups of NetOp PM API servers, see the Enable and Disable Load Balancing on the NetOp PM API Servers section on page 2-4. For instructions on modifying the default restart settings, see the Configure the NetOp PM Components to Automatically Restart section on page 1-1 and the Configure the External DHCP Server to Automatically Restart section on page 1-2. For instructions on modifying the default SNMP retry and timeout settings, see the View SNMP Settings section on page 1-2 and the Modify the Number of SNMP Retries or SNMP Timeout Setting section on page 1-4.

Note: To configure a NetOp PM API server during installation, run the deploy_api.sh script; see Chapter 8, Configure, Deploy, and Start the NetOp PM Components in the NetOp Policy Manager Installation Guide. The deploy_api.sh script is used the first time you install; thereafter use the config_api.sh script.

On the Solaris servers on which the NetOp PM API servers are installed, perform the following steps:

1. Stop the NetOp PM API server; see the Start and Stop the NetOp PM API Server section on page 2-1.
2. Navigate to the NetOp PM installation directory:
   cd /usr/local/npm
3. Run the config_api.sh script; see Table 2-1 on page 2-3 for the full script syntax:
   ./config_api.sh
   The NetOp PM API server is installed into the /usr/local/apache-tomcat-n.n.n directory, where n.n.n is the latest release of the Tomcat software.
4. Start the NetOp PM API server; see the Start the NetOp PM API Server section on page 2-2.

The full syntax for the config_api.sh script is:

config_api.sh [-auto_start | -noauto_start] [-db_charset character_set] [-f] [-h] [-load_balance | -noload_balance] [-radius_auth auth_type] [-secure | -nosecure]

Table 2-1 describes the syntax and usage guidelines for the config_api.sh and deploy_api.sh scripts; for the procedure to run the deploy_api.sh script, see Chapter 8, Configure, Deploy, and Start the NetOp PM Components in the NetOp Policy Manager Installation Guide.
Table 2-1 Syntax for the config_api.sh and deploy_api.sh Scripts

-auto_start
    Optional. Activates the automatic shutdown and startup of the NetOp PM API server when the NetOp PM host reboots. This keyword is the default.
-noauto_start
    Optional. Disables the automatic restart of the NetOp PM API server when the NetOp PM host reboots.
-db_charset character_set
    Optional. Character set that tells the NetOp PM system how to interpret service offering names in the NetOp PM database. The character_set argument is defined by Multi-Purpose Internet Mail Extensions (MIME). Enter the none keyword for no encoding. The default value is none.
-f
    Optional. Starts the configuration without prompting the user.
-h
    Optional. Prints usage information and exits.
-load_balance
    Optional. Enables load balancing for groups of NetOp PM API servers (by default, NetOp PM API servers are not configured for load balancing).
-noload_balance
    Optional. Disables load balancing for groups of NetOp PM API servers.
-radius_auth auth_type
    Optional. Type of RADIUS authentication (PAP, CHAP, MSCHAP, or MSCHAPV2) between the NetOp PM API server and the external RADIUS server.
-secure
    Optional. Deploys a secure API server using SSL and password authentication.
-nosecure
    Optional. Configures the NetOp PM API server to be insecure, meaning that SOAP clients do not require authentication and HTTP connections do not use SSL to secure the connection between the NetOp PM API server and the SOAP client (by default, the NetOp PM API server is insecure).

Manage the NetOp PM API Server Load Balancing


For high availability of service and system scalability, you can install high-availability NetOp PM API servers and enable load balancing among the group of API servers. You can either install multiple high-availability API servers that are configured for load balancing when you initially install the system, or you can install a standalone API server and later install multiple API servers and configure them for load balancing. For information about installing NetOp PM API servers using the deploy_api.sh script, see Chapter 8, Configure, Deploy, and Start the NetOp PM Components in the NetOp Policy Manager Installation Guide.

This section assumes that you have already installed multiple NetOp PM API servers using the deploy_api.sh script. It describes how to configure the new servers for load balancing and define the hosts in a group of API servers. To manage load balancing, perform the following tasks:
- Enable and Disable Load Balancing on the NetOp PM API Servers
- Define the Hosts in a NetOp PM API Server Group

Enable and Disable Load Balancing on the NetOp PM API Servers


To enable load balancing, on each NetOp PM host running a NetOp PM API server, perform the following steps:

1. Log on as root.
2. Open a terminal window and navigate to the NetOp PM installation directory:
   cd /usr/local/npm
3. Run the config_api.sh script according to the following syntax:
   ./config_api.sh [-load_balance | -noload_balance]
   Use the -load_balance keyword to enable load balancing. To disable load balancing, use the -noload_balance keyword. For the complete syntax of the config_api.sh script, see Table 2-1 on page 2-3.

Define the Hosts in a NetOp PM API Server Group


To define the hosts in a group of NetOp PM API servers, perform the following steps:

1. On each NetOp PM host running a NetOp PM API server, log on as root.
2. Open a terminal window and navigate to the NetOp PM installation directory:
   cd /usr/local/npm
3. Run the config_api_load_balance.sh script according to the following syntax:
   ./config_api_load_balance.sh [-f] [-h] [-hosts hostname,hostname[,hostname,hostname...]]
   The hostname arguments should be the names of the NetOp PM hosts running the NetOp PM API servers, except the one on which you are running the script.

Table 2-2 describes the syntax and usage guidelines for this script.

Table 2-2 Syntax for the config_api_load_balance.sh Script

-f
    Optional. Starts the configuration without prompting the user.
-h
    Optional. Prints usage information and exits.
-hosts hostname
    Optional. List of NetOp PM API servers to be load balanced, separated with commas. Do not include the host on which you are running the script. Each hostname must be a hostname listed in the /etc/hosts file or in DNS. To specify additional hostnames, use the optional hostname,hostname arguments, with no spaces between the hostnames and commas.

Change the RADIUS Authentication Type for the NetOp PM API Server
By default, the NetOp PM API server uses the Password Authentication Protocol (PAP) to communicate with all external RADIUS servers. The NetOp PM API server uses the same RADIUS authentication type in communicating with all external RADIUS servers, regardless of their realm; use the config_api.sh script to change this authentication type.


Note: This script does not change the authentication type used by the NetOp PM RADIUS server. The NetOp PM RADIUS server supports PAP, CHAP, MSCHAP, and MSCHAPV2 simultaneously.

To change the RADIUS authentication type for the NetOp PM API server, perform the following steps:

1. Log on as root.
2. Open a terminal window and navigate to the NetOp PM installation directory by entering the following command:
   cd /usr/local/npm
3. Run the config_api.sh script according to the following syntax:
   ./config_api.sh -radius_auth {PAP | CHAP | MSCHAP | MSCHAPV2}

Table 2-3 describes the syntax and usage guidelines for this script.

Table 2-3 Syntax for the config_api.sh Script for RADIUS Authentication

-radius_auth PAP
    Specifies Password Authentication Protocol as the authentication type.
-radius_auth CHAP
    Specifies Challenge Handshake Authentication Protocol as the authentication type.
-radius_auth MSCHAP
    Specifies Version 1 of Microsoft's extensions to CHAP as the authentication type.
-radius_auth MSCHAPV2
    Specifies Version 2 of Microsoft's extensions to CHAP as the authentication type.

For information on modifying the default restart or SNMP settings for the NetOp PM API servers, see the Modify the Number of SNMP Retries or SNMP Timeout Setting section on page 1-4.


Chapter 3

Configure the Node for the NetOp PM System


This chapter describes the tasks used to configure a SmartEdge router to support the NetOp PM software, including the root command, configuration mode, and an example from the sample configurations for each task. To modify and install a sample configuration file, see the Modify the Node Configuration for NetOp PM RADIUS Servers section on page 4-6.

Note: In this guide, the term node refers to a SmartEdge router.

The following node configurations must be completed to enable the following NetOp PM services and service attribute variations:
- Access Services
- Dynamic IP Address Service Attribute Variation
- IP Redirect Service Attribute Variation
- Lawful Intercept Service Attribute Variation
- Bandwidth Service Attribute Variation
- Volume Service Variation
- Video Service Attribute Variation

See the following sections for the tasks to configure nodes to support NetOp PM service offerings:
- Service Options
- RADIUS
- CoA
- AAA
- Contexts and Interfaces
- External DHCP Server (Dynamic CLIPS or DHCP-Based RFC 1483 Bridged Only)
- Border Gateway Protocol (BGP)
- Ports, Cards, and Circuits
- ACLs
- Forward Policies
- HTTP Redirect Profiles
- Hotline Redirect Profiles
- SNMP
- NAT Policies
- QoS Policies
- IGMP Profiles
- Lawful Intercept Profiles

Note: For complete syntax descriptions and usage guidelines for the commands used, see the SmartEdge OS documentation.

Access Services
When you create Access service offerings, you can use the various types of service attribute variations. All subscribers must have at least one Access service offering and can have other types of service offerings as well. You must configure your SmartEdge routers for subscriber access. To enable PPP, PPP over L2TP, CLIPS, third-party vendor circuits, and EAP authentication and wireless authorization, complete the configurations listed in the following sections:
- PPP Circuits
- PPP over L2TP Circuits
- Dynamic and Static CLIPS Circuits
- Configure EAP Authentication for Mobile IP
- Wireless Authorization for Mobile IP
- Configure NAT Policies

Note: Optional. To identify subscribers' locations for the Location Lock feature, you can enable the Calling-Station-Id attribute to be sent in RADIUS access requests. You can also use the Nas-Port-Id attribute for this purpose, but you do not need to enable it; it is sent by default. Do not change the format or separator used by these attributes. For the command to enable the Calling-Station-Id attribute, see the RADIUS section on page 3-7.

PPP Circuits
To enable PPP access, complete the following configurations:
- In each context where subscribers will be bound, define an interface to which PPP subscribers are bound.
- Configure ports and circuits on which PPP traffic arrives.
- Enable contexts to be advertised for use by PPP clients. In each context to be used for PPP subscribers, advertise the context to PPP clients with the domain command in context configuration mode.
- Enable RADIUS to manage subscriber reauthorization events.
- Enable notification of PPP reauthorization events to the NetOp PM system.

PPP over L2TP Circuits


To enable PPP over L2TP access, perform the tasks to enable PPP, then complete the following configurations:
- To configure an LNS, perform the following configurations:
  - Required. Globally, configure AAA authentication and accounting for L2TP sessions in the local context.
  - Optional. In the local context, enable AAA L2TP accounting.
  - Define a loopback interface that is used for L2TP.
  - Define an interface between the LNS and the LAC.
  - Define a route to the LAC.
  - Define an L2TP tunnel to the LAC.
  - Configure an Ethernet port to the LAC with interface binding.
- To configure an LAC, perform the following configurations:
  - Required. Globally, configure AAA authentication and accounting for L2TP sessions in the local context.
  - Optional. In the local context, enable AAA L2TP accounting.
  - Define a loopback interface that is used for L2TP.
  - Define an interface between the LAC and the LNS.
  - Define a route to the LNS.
  - Define an L2TP tunnel to the LNS.
  - Configure an Ethernet port to the LNS with interface binding.

Note: For static PPP over L2TP, to support static IP addresses for tunneled subscribers, you must configure a dedicated interface on both the LAC and the LNS having the same IP subnet address. The static IP address configured for each subscriber session must have a value in the same subnet as the two interfaces. In addition, to provide connectivity between the subscriber and the web server host, dynamic routing (such as Routing Information Protocol [RIP]) must be enabled on the LAC, the LNS, and the NetOp PM web server host. This enables the NetOp PM system to route the subscriber IP packets back to the LAC or LNS depending on whether the user is tunneled or not.


Dynamic and Static CLIPS Circuits


To enable CLIPS access, complete the following configurations:
- Configure ports or circuits on which CLIPS traffic arrives.
- Configure static and dynamic CLIPS and, optionally, dynamic CLIPS groups.
- In the contexts to which CLIPS subscribers will be bound, define one interface to which static CLIPS subscribers are bound and one to which dynamic CLIPS subscribers are bound.
- If you plan to have subscriber sessions change contexts, configure the following Border Gateway Protocol (BGP) functions:
  - Enable multicontext services for distributing subscriber routes between contexts using BGP.
  - In each context, define an interface to receive CLIPS subscribers from other contexts.
  - Define IP routes to allow the distribution of subscriber routes across contexts using BGP.
  - Enable BGP intercontext routing.
- Identify the location of the Dynamic Host Configuration Protocol (DHCP) proxy on interfaces used by dynamic CLIPS subscribers.
- In the local context, define an interface that will accept the responses from the external DHCP server.
- In all contexts, identify the location of the external DHCP server.
- Enable notification to the NetOp PM system of the IP addresses that have been assigned to a subscriber session via CLIPS (aaa global accounting event dhcp command in global configuration mode).

Note: Alternatively, you can configure an internal DHCP server on an SMS device or SmartEdge router. If you configure the internal DHCP server on a SmartEdge router, it is not necessary to include the BGP configurations. For more information, see the Configuring DHCP document in the SmartEdge OS Library.

Configure EAP Authentication for Mobile IP


The SmartEdge router does not require configuration for EAP authentication.

Wireless Authorization for Mobile IP


To configure the SmartEdge router for Mobile IP as either a home agent or a foreign agent, follow the procedure described in the Configuring Mobile IP for a Foreign Agent document in the SmartEdge OS Library. To configure the NetOp PM system for Mobile IP, follow the procedure described in the Configure an MN Subscriber and in the Configure AAA for MN Subscribers sections in the Configuring Mobile IP for a Foreign Agent document in the SmartEdge OS Library.


Configure NAT Policies


You can also configure Network Address Translation (NAT) policies to be applied to subscriber sessions for PPP, PPP over L2TP, and dynamic and static CLIPS circuit access types. To configure a NAT policy, perform the following tasks; for details, see the NAT Policies section on page 3-31:
- Define an ACL to pass all private traffic to the NetOp PM lightweight web portal untranslated.
- Define a pool of public IP addresses for the NAT_DYNAMIC_PRIVATE_IP configuration.
- Define a NAT policy with dynamic translation and an ignore action for traffic destined for the NetOp PM lightweight web portal.

Dynamic IP Address Service Attribute Variation


The dynamic IP address service attribute variation dynamically assigns IP addresses to dynamic CLIPS, static CLIPS, PPP over ATM (PPPoA), and PPP over Ethernet (PPPoE) circuits. You must define a dynamic IP address service attribute variation for each circuit type you support. Use this service attribute variation to:
- Specify IP address pools to provide IP addresses to subscribers
- Define an internal DHCP server to assign IP addresses to subscribers
- Define IP routes, for example, to the NetOp PM components or to the Internet
- Specify a traffic class to count

IP Redirect Service Attribute Variation


This service attribute variation redirects subscriber traffic to a different path than it would otherwise take; it can be used to direct subscriber traffic to:
- Captive portal: a portal for branded wireless access points (APs)
- URL filtering, with and without the use of L2TP tunnels
- Servers providing intrusion detection or stateful firewalls
- Web pages communicating an Account Registration, Invalid Login, Invalid Location, or Inactive Account error, or offering new services
- Quota Exceeded web page that indicates to subscribers that they need to top up their subscription
- Usage page, from which subscribers access top-up pages for adding time and volume quota

Enable this NetOp PM system service by completing the following configuration on the node:
- Forward policies to control subscriber traffic; for example, to force subscribers to the NetOp PM lightweight web portal to log on.
- ACLs to limit classes of traffic; for example, to permit DNS and DHCP traffic, and subscriber traffic, but deny other traffic.
- HTTP redirect profiles leading to the URLs where subscribers are directed.
- Hotline redirect profiles leading to the URLs where subscribers are directed.
- Enable PPP over L2TP circuits for the L2TP URL Filtering service offering; see the Access Services section on page 3-2.

Lawful Intercept Service Attribute Variation


When instructed by law enforcement agencies to send subscriber account access information to a mediation device, you can do so by subscribing specific subscriber accounts to a lawful intercept service offering. Before you can create a Lawful Intercept service attribute variation or a Lawful Intercept service offering, you must configure a Lawful Intercept profile. This profile allows administrators with lawful intercept privileges to subscribe a subscriber account to the LEA Lawful Intercept service offering.

Bandwidth Service Attribute Variation


Bandwidth service attribute variations provide varying bandwidth rates that subscribers can add to an existing Access service. To enable this service, you must configure a set of quality of service (QoS) policies with a range of bandwidths. For information on configuring QoS policies, see the documents about QoS in the SmartEdge OS Library. To enable the use of the RB-Qos-Rate-Inbound and RB-Qos-Rate-Outbound RADIUS vendor-specific attributes (VSAs) (which support bandwidth guarantees), you must have the following QoS policies in your node configuration:
- Inbound: policing or priority weighted fair queuing (PWFQ) policy
- Outbound: metering or PWFQ policy

The metering and policing policies must include the rate command in metering or policing policy configuration mode, and they must specify values for the rate kbps and optionally for the burst bytes and excess-burst bytes constructs, which identify the burst tolerance and excess burst tolerance, respectively. The PWFQ policies must include the rate kbps command in PWFQ policy configuration mode.

Video Service Attribute Variation


Video service attribute variations deliver multicast video services over supported circuits. To enable this service, you must complete the following configurations on the node:
- Configure multicast on the interfaces leading to the multicast video server.
- In the contexts for subscribers using Video services, configure at least one interface leading to the multicast video server.
- Define an Internet Group Management Protocol (IGMP) profile, which allows subscribers access to the multicast video server.
- Define the rendezvous point, which has been configured for the entire multicast network.

Volume Service Variation


Volume service variations enable you to create service offerings that allow access for a specific volume of traffic, informing you when the quota has been reached and the over-quota action occurs. To enable these service offerings, you must configure the node to generate an interim update when a session volume quota has been reached. For volume service attribute variations, configure the SmartEdge router to send Acct-Alive when the traffic limit threshold is reached. This ensures that the SmartEdge router does not terminate the circuit but lets the NetOp PM system decide what to do next based on the service definition. The command line interface is as follows:
subscriber default session-action traffic-limit acct-alive

Service Options
This section describes how to configure service options required for the node to work with the NetOp PM software. It describes how to enable multiple contexts for all configurations. For syntax and usage guidelines for the SmartEdge OS commands used, see the Configuring Contexts and Interfaces, Configuring PPP and PPPoE, and Configuring Basic IP Routing documents in the SmartEdge OS Library.
Table 3-1 Tasks to Configure Services

Task: Configure the node to allow the creation of multiple contexts.
  Root command: service
  Configuration mode: global
  Example from sample configurations: service multiple-contexts

Task: Dynamic CLIPS only (if you plan to have subscriber sessions change contexts). Enable distributing subscriber routes between contexts using BGP.
  Root command: service
  Configuration mode: global
  Example from sample configurations: service inter-context routing

RADIUS
Required. In the local context, configure RADIUS on each SmartEdge router to interoperate with the NetOp PM system. RADIUS configuration is the same for PPP or CLIPS. For complete syntax and usage guidelines for the SmartEdge OS commands used, see the Configuring RADIUS document in the SmartEdge OS Library.


Caution: Risk of function loss. Do not modify the default format of the NAS-Port-Id attribute. By default, SmartEdge routers generate both the physical and logical specifications for a circuit and send the NAS-Port-Id attribute in the RADIUS Access-Request and Accounting-Request. To maintain the functionality of the NetOp PM system, do not use the radius attribute nas-port-id format physical command, because it truncates the logical specifications from the NAS-Port-Id attribute and returns only the physical specifications for the circuit. Leave the format at its default value, all.
Table 3-2 Tasks to Configure RADIUS

Task: In the local context, enable the NAS-IP-Address attribute to be included in the RADIUS Access-Request and Accounting-Request.
  Root command: radius attribute
  Configuration mode: context
  Example from sample configurations: radius attribute nas-ip-address interface server

Task: In the local context, enable the Acct-Session-Id attribute in the RADIUS Access-Request.
  Root command: radius attribute
  Configuration mode: context
  Example from sample configurations: radius attribute acct-session-id access-request

Task: Optional. In the local context, enable the Calling-Station-Id attribute in the RADIUS Access-Request. Note: Do not change the separator used by the attribute.
  Root command: radius attribute
  Configuration mode: context
  Example from sample configurations: radius attribute calling-station-id

Task: In the local context, configure the round-robin load balancing algorithm for sending RADIUS packets to authorization and accounting servers.
  Root command: radius algorithm; radius accounting algorithm
  Configuration mode: context
  Example from sample configurations:
    radius algorithm round-robin
    radius accounting algorithm round-robin

Task: In the local context, enable flow control between the node and the RADIUS servers, and minimize the number of unnecessary retransmissions from the node.
  Root command: radius max-outstanding; radius accounting max-outstanding
  Configuration mode: context
  Example from sample configurations:
    radius max-outstanding 20
    radius accounting max-outstanding 20

Task: In the local context, configure the RADIUS authentication servers.(1) The sample configuration files include the IP addresses and port numbers given in the example.
  Root command: radius server
  Configuration mode: context
  Example from sample configurations:
    radius server 10.192.100.10 key my-secret port 1812
    radius server 10.192.100.11 key my-secret port 1812
    radius server 10.192.100.10 key my-secret port 1814
    radius server 10.192.100.11 key my-secret port 1814
    radius server 10.192.100.10 key my-secret port 1816

Task: In the local context, configure the RADIUS accounting servers.(1) The sample configuration files include the IP addresses and port numbers given in the example.
  Root command: radius accounting server
  Configuration mode: context
  Example from sample configurations:
    radius accounting server 10.192.100.10 key my-secret port 1813
    radius accounting server 10.192.100.11 key my-secret port 1813
    radius accounting server 10.192.100.10 key my-secret port 1815
    radius accounting server 10.192.100.11 key my-secret port 1815
    radius accounting server 10.192.100.11 key my-secret port 1817

(1) For maximum performance and reliability, we recommend that you configure five authentication servers and five accounting servers on at least two NetOp PM hosts. In the sample configuration files, the UDP ports for RADIUS authorization and accounting servers default to the standard RADIUS ports, 1812 and 1813, and must be unique on the same NetOp PM host.
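As an added example (not code from the guide or the SmartEdge OS), the following Python parses the radius server and radius accounting server lines of a local-context configuration and checks them against Table 3-2 and its footnote: UDP ports unique per NetOp PM host, and the recommended five authentication plus five accounting servers over at least two hosts. The sample configuration text is constructed from the table's example lines; the thresholds are the guide's recommendation, not hard limits.

```python
# Added example, not code from the NetOp PM guide or the SmartEdge OS: parse
# the "radius server" / "radius accounting server" lines of a local-context
# configuration and check them against Table 3-2 and its footnote. Two rules
# are checked: UDP ports must be unique per NetOp PM host, and the recommended
# layout is five authentication and five accounting servers spread over at
# least two hosts. The sample text below is constructed from the table's
# example lines; the thresholds are the guide's recommendation, not hard limits.
import re
from collections import Counter, defaultdict

SERVER_LINE = re.compile(
    r"^\s*radius\s+(?P<acct>accounting\s+)?server\s+(?P<host>\S+)"
    r"\s+key\s+(?P<key>\S+)\s+port\s+(?P<port>\d+)\s*$"
)

# Constructed from the Table 3-2 examples (local context of a SmartEdge router).
SAMPLE_LOCAL_CONTEXT = """\
radius server 10.192.100.10 key my-secret port 1812
radius server 10.192.100.11 key my-secret port 1812
radius server 10.192.100.10 key my-secret port 1814
radius server 10.192.100.11 key my-secret port 1814
radius server 10.192.100.10 key my-secret port 1816
radius accounting server 10.192.100.10 key my-secret port 1813
radius accounting server 10.192.100.11 key my-secret port 1813
radius accounting server 10.192.100.10 key my-secret port 1815
radius accounting server 10.192.100.11 key my-secret port 1815
radius accounting server 10.192.100.11 key my-secret port 1817
"""


def parse_radius_servers(config_text):
    """Return (kind, host, port) tuples; kind is "auth" or "acct".

    Lines that are not radius server definitions are ignored, so the whole
    local-context block can be passed in unchanged.
    """
    servers = []
    for line in config_text.splitlines():
        m = SERVER_LINE.match(line)
        if m:
            kind = "acct" if m.group("acct") else "auth"
            servers.append((kind, m.group("host"), int(m.group("port"))))
    return servers


def check_radius_servers(servers, min_hosts=2, recommended_per_kind=5):
    """Return a list of findings; an empty list means the layout follows Table 3-2."""
    problems = []
    ports_by_host = defaultdict(Counter)
    per_kind = Counter()
    for kind, host, port in servers:
        ports_by_host[host][port] += 1   # auth and acct share one UDP port space per host
        per_kind[kind] += 1
    for host in sorted(ports_by_host):
        dups = sorted(p for p, n in ports_by_host[host].items() if n > 1)
        if dups:
            problems.append(f"{host}: UDP port(s) {dups} defined more than once")
    for kind in ("auth", "acct"):
        if per_kind[kind] != recommended_per_kind:
            problems.append(
                f"{per_kind[kind]} {kind} server(s) configured; "
                f"{recommended_per_kind} recommended"
            )
    if len(ports_by_host) < min_hosts:
        problems.append(
            f"servers span {len(ports_by_host)} NetOp PM host(s); "
            f"at least {min_hosts} recommended"
        )
    return problems


if __name__ == "__main__":
    findings = check_radius_servers(parse_radius_servers(SAMPLE_LOCAL_CONTEXT))
    print("OK" if not findings else "\n".join(findings))
```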


CoA
Optional. You can use RADIUS Change of Authorization (CoA) to reauthorize subscriber sessions. RADIUS CoA supports change of service requests for PPP, DHCP CLIPS, Simple IP, and Mobile IP circuit types. For PPP, DHCP, and Simple IP circuit types, RADIUS CoA requires SmartEdge OS, Release 5.0.7.1 or later. For Mobile IP circuit types, you must use SmartEdge OS, Release 6.1.1.2 or later. By default, if you do not configure CoA, the NetOp PM system uses SNMP to communicate with the node.

Note: The NetOp Policy Manager Lawful Intercept and Hotlining features function only when RADIUS CoA is used. If NetOp Policy Manager is configured for SNMP communication, CoA-dependent features fail and do not generate an explicit error message.

RADIUS CoA can be used to apply basic tiered bandwidth services, as well as Time- or Volume-metered and Scheduled services for PPP, DHCP CLIPS, and Simple IP circuit types. You can configure RADIUS CoA for Simple IP or Mobile IP circuit types. For more information, see the Simple IP section on page 14-8 and the Mobile IP section on page 14-10. To enable CoA so the node can accept CoA and Disconnect requests from the NetOp PM system, verify that a CoA server is enabled on the node by configuring an IP address, a CoA server port number, and a CoA server password. The CoA port number and CoA password must match those used in the NAS definition on the NetOp PM system.
Table 3-3 Tasks to Configure CoA Server

Task: Enable the RADIUS CoA server in the local context.
  Root command: radius coa server
  Configuration mode: context
  Example from sample configurations: radius coa server 10.192.100.11 key my-secret port 3799

AAA
Required. Configure AAA to enable subscriber access, accounting, and authorization. For complete syntax and usage guidelines for the SmartEdge OS commands used, see Configuring AAA in the SmartEdge OS Library.


Table 3-4 Tasks to Configure AAA

Task: Configure AAA globally to use the RADIUS servers configured in the local context.
  Root command: aaa global authentication subscriber; aaa global accounting subscriber
  Configuration mode: global
  Example from sample configurations:
    aaa global authentication subscriber radius context local
    aaa global accounting subscriber radius context local

Task: Configure AAA globally to use the RADIUS servers configured in the local context for reauthorization accounting.
  Root command: aaa global accounting reauthorization subscriber
  Configuration mode: global
  Example from sample configurations: aaa global accounting reauthorization subscriber radius context local

Task: Dynamic CLIPS and DHCP-based Bridged 1483 only. Enable notifying the NetOp PM system of the IP addresses that have been assigned to a subscriber session using DHCP.
  Root command: aaa global accounting event
  Configuration mode: global
  Example from sample configurations: aaa global accounting event dhcp

Task: Enable notifying the NetOp PM system of reauthorization events.
  Root command: aaa global accounting event
  Configuration mode: global
  Example from sample configurations: aaa global accounting event reauthorization

Task: Enable AAA accounting in RADIUS in the local context.
  Root command: aaa accounting subscriber
  Configuration mode: context
  Example from sample configurations: aaa accounting subscriber radius

Task: Enable AAA authentication in each context.
  Root command: aaa authentication subscriber
  Configuration mode: context
  Example from sample configurations: aaa authentication subscriber global

Task: Enable the Framed-IP-Netmask attribute for PPPoE subscribers in each context.
  Root command: aaa provision route
  Configuration mode: context
  Example from sample configurations: aaa provision route ip-netmask encapsulation ppp pppoe

Task: Enable the default subscriber profile to send Accounting-Alive RADIUS messages when the traffic limit is reached, by adding the following configuration in all contexts. By default, the SmartEdge router drops the subscriber session when the quota allocation is exceeded. If you use this command to configure the SmartEdge router to generate an Accounting-Alive message instead of dropping the subscriber session, the NetOp PM system handles the over-quota action.
  Root command: subscriber session-action
  Configuration mode: context, subscriber
  Example from sample configurations: subscriber default session-action traffic-limit acct-alive

Task: Optional. PPP over L2TP only (both LAC and LNS). Configure AAA authentication and accounting for L2TP sessions in the local context.
  Root command: aaa global accounting l2tp-session
  Configuration mode: global
  Example from sample configurations: aaa global accounting l2tp-session radius context local

Task: Optional. PPP over L2TP only (both LAC and LNS). Enable AAA L2TP accounting in the local context.
  Root command: aaa accounting l2tp
  Configuration mode: context
  Example from sample configurations: aaa accounting l2tp session radius

Contexts and Interfaces


Required. To support subscribers using the NetOp PM system, create contexts to group subscribers, which can be divided in various ways. For example, you can group the services they are using by context, such as the BASIC or SECURE access in the sample configurations, or by their ISPs or corporations if you are wholesaling broadband residential service. For more information on contexts on the SmartEdge platform, see Configuring Contexts and Interfaces in the SmartEdge OS Library.

Required. In each context, configure interfaces with IP addresses leading to the components in your network. Enable multicast in the interfaces that may be used by subscribers using the video server. Also, add IP pools and IP routes to interfaces as necessary. For examples, see the tables in this section, which describe the tasks to configure the three contexts in the sample configurations; all tasks apply to all circuit types except where noted otherwise:

Table 3-5 on page 3-12 summarizes the tasks to configure the local context and its interfaces.
Table 3-6 on page 3-12 summarizes the tasks to configure the SECURE context and its interfaces.
Table 3-7 on page 3-13 summarizes the tasks to configure the BASIC context and its interfaces.

For complete syntax and usage guidelines for the SmartEdge OS commands used, see the following documents in the SmartEdge OS Library:

Configuring Contexts and Interfaces
Configuring L2TP
Configuring DHCP
Configuring Basic IP Routing
Configuring IP Multicast

For the IP addresses used in the sample configurations, see Table 3-2 on page 3-4.



Table 3-5 Tasks to Configure the local Context

Task | Root Command | Configuration Mode | Example from Sample Configurations
Access the local context. | context | global | context local
Add an interface leading to the NetOp PM RADIUS server. | interface | context | interface server
Add an IP address for the interface. Ensure the hostname and IP address are configured in the NetOp PM system; see Chapter 4, PERL SOAP Client and XML Documents, in the NetOp Policy Manager API Guide. | ip address | interface | ip address 10.192.100.4/24

Table 3-6 Tasks to Configure the SECURE Context

Task | Root Command | Configuration Mode | Example from Sample Configurations
Create the SECURE context. | context | global | context SECURE
PPP only. Advertise the context for PPP clients. | domain | context | domain SECURE_PPP
Add an interface leading to the NetOp PM lightweight web portal. | interface | context | interface server
Add an IP address for the interface. | ip address | interface | ip address 10.192.100.5/24
Add an interface leading to the URL Filtering service server host. | interface | context | interface internet
Add an IP address for the interface. | ip address | interface | ip address 10.192.200.3/24
Configure ARP for the interface. | ip arp arpa | interface | ip arp arpa
Define a default route to the Internet via the URL Filtering service server. | ip route | context | ip route 0.0.0.0/0 10.192.200.20
Dynamic CLIPS only. Add an interface to which dynamic CLIPS subscribers are bound, and that provides IP addresses to subscribers. | interface | context | interface pool_clips multibind
Dynamic CLIPS only. Add an IP address for the interface. | ip address | interface | ip address 10.192.44.1/24
Dynamic CLIPS and DHCP-based Bridged 1483 only. Enable the use of the internal DHCP server. | dhcp server | interface | dhcp server interface
Dynamic CLIPS and DHCP-based Bridged 1483 only. Configure the internal DHCP server. | dhcp server | context | dhcp server policy
PPP only. Add an interface to which PPP subscribers are bound. | interface | context | interface pool_ppp multibind
PPP only. Add an IP address for the interface. | ip address | interface | ip address 10.192.44.1/24
PPP only. Add an IP address pool from which subscribers are assigned IP addresses. | ip pool | interface | ip pool 10.192.44.0/24
Static CLIPS only. Add an interface to which static CLIPS subscribers are bound. | interface | context | interface pool_static_clips multibind
Static CLIPS only. Add an IP address for the interface. | ip address | interface | ip address 10.192.44.1/24
Static CLIPS only. Add an IP address pool from which subscribers are assigned IP addresses. | ip pool | interface | ip pool 10.192.44.0/24
Static CLIPS only. Add an interface to bind static CLIPS circuits that got their IP address from the BASIC context; required to support change of context for static CLIPS circuits. | interface | context | interface static_clips_from_BASIC multibind
Static CLIPS only. Add an IP address for the interface. | ip address | interface | ip address 10.192.45.1/24

Table 3-7 Tasks to Configure the BASIC Context

Task | Root Command | Configuration Mode | Example from Sample Configurations
Create the BASIC context. | context | global | context BASIC
PPP only. Advertise the context for PPP clients. | domain | context | domain BASIC_PPP
Add an interface that leads to the NetOp PM lightweight web portal. | interface | context | interface server
Add an IP address for the interface. | ip address | interface | ip address 10.192.100.6/24
Enable multicast traffic through the interface. | pim | interface | pim sparse-mode
Add an interface that has access to the Internet directly and through the URL Filtering service server host. | interface | context | interface internet
Add an IP address for the interface. | ip address | interface | ip address 10.192.200.4/24
Enable ARP on the interface. | ip arp arpa | interface | ip arp arpa
Define a default route to the Internet directly. | ip route | context | ip route 0.0.0.0/0 10.192.200.10
PPP over L2TP only (LNS). Define a loopback interface to be used for the LNS. | interface | context | interface l2tp_if loopback
Add an IP address for the interface. | ip address | interface | ip address 20.20.20.20/24
PPP over L2TP only (LNS). Define an interface to the LAC. | interface | context | interface lns-to-lac
Add an IP address for the interface. | ip address | interface | ip address 100.2.2.2/24
Define a route to the LAC. | ip route | context | ip route 10.10.10.0/24 100.2.2.1
PPP over L2TP only (LNS). Define the tunnel to the LAC with CHAP PAP authentication. | l2tp-peer | context | l2tp-peer name lac media udp-ip remote ip 10.10.10.10 local 20.20.20.20
 | session-auth | L2TP peer | session-auth chap pap context BASIC
 | function | L2TP peer | function lns-only
 | local-name | L2TP peer | local-name lns
PPP over L2TP only (LAC). Define a loopback interface to be used for the LAC. | interface | context | interface l2tp_if loopback
Add an IP address for the interface. | ip address | interface | ip address 10.10.10.10/24
PPP over L2TP only (LAC). Define an interface to the LNS. | interface | context | interface lac-to-lns
Add an IP address for the interface. | ip address | interface | ip address 100.2.2.1/24
Define a route to the LNS. | ip route | context | ip route 20.20.20.0/24 100.2.2.2
PPP over L2TP only (LAC). Define the tunnel to the LNS with CHAP PAP authentication. | l2tp-peer | context | l2tp-peer name lns media udp-ip remote ip 20.20.20.20 local 10.10.10.10
 | session-auth | L2TP peer | session-auth chap pap context BASIC
 | function | L2TP peer | function lac-only
 | local-name | L2TP peer | local-name lac
Dynamic CLIPS only. Add an interface to which dynamic CLIPS subscribers are bound, that provides IP addresses for subscribers. | interface | context | interface pool_clips multibind
 | ip address | interface | ip address 10.192.45.1/24
Dynamic CLIPS and DHCP-based Bridged 1483 only. Enable the use of the internal DHCP server. | dhcp server | interface | dhcp server interface
CLIPS only. Enable multicast traffic through the interface. | pim | interface | pim sparse-mode passive
CLIPS only. Configure the internal DHCP server. | dhcp server | context | dhcp server policy
PPP only. Add an interface to which PPP subscribers are bound. | interface | context | interface pool_ppp multibind
PPP only. Add an IP address for the interface. | ip address | interface | ip address 10.192.45.1/24
PPP only. Add an IP address pool from which IP addresses are assigned to subscribers. | ip pool | interface | ip pool 10.192.45.0/24
PPP only. Enable multicast on the interface. | pim | interface | pim sparse-mode passive
Static CLIPS only. Add an interface to which static CLIPS subscribers are bound. | interface | context | interface pool_static_clips multibind
Static CLIPS only. Add an IP address for the interface. | ip address | interface | ip address 10.192.45.1/24
Static CLIPS only. Add an IP address pool from which IP addresses are assigned to subscribers. | ip pool | interface | ip pool 10.192.45.0/24
Static CLIPS only. Enable multicast on the interface. | pim | interface | pim sparse-mode passive
Static CLIPS only. Add an interface to bind static CLIPS circuits that got their IP address from the SECURE context; required to support change of context for static CLIPS circuits. | interface | context | interface static_clips_from_SECURE multibind
Static CLIPS only. Add an IP address for the interface. | ip address | interface | ip address 10.192.44.1/24

External DHCP Server (Dynamic CLIPS or DHCP-Based RFC 1483 Bridged Only)
Optional. By default, the NetOp PM is configured to use the internal DHCP server present in the node. Alternatively, you can configure the system to use an external DHCP server. Use an external DHCP server when:

A DHCP server already exists in your network.
Your deployment requires that subscribers are allowed to change from one context to another.

For examples, see the tables in this section that summarize the tasks required to configure the use of an external DHCP server in the following contexts:

Table 3-8 summarizes the tasks to configure an external DHCP server in the local context.
Table 3-9 summarizes the tasks to configure an external DHCP server in the SECURE context.
Table 3-10 summarizes the tasks to configure an external DHCP server in the BASIC context.

Note: The subnet assigned to the multibind pool interfaces must be the same for all contexts if subscribers are allowed to switch between contexts.

Table 3-8 Tasks to Configure an External DHCP Server in the local Context

Task | Root Command | Configuration Mode | Example from Sample Configurations
Access the local context. | context | global | context local
Add an interface leading to the NetOp PM RADIUS server. | interface | context | interface server
Add an IP address for the interface. | ip address | interface | ip address 10.192.100.4/24
Enable the interface to act as a proxy between subscribers and the external DHCP server. Set the number of IP addresses allowed on the interface to the maximum (65,535). Ensure the hostname and IP address are configured in the NetOp PM system. | dhcp proxy | interface | dhcp proxy 65535
Add an interface that will accept responses from the external DHCP server. | interface | context | interface pool loopback
Add an IP address for the interface. | ip address | interface | ip address 10.192.43.1/24
Enable the interface to act as a proxy between subscribers and the external DHCP server; set the number of IP addresses allowed on the interface to the maximum (65,535). | dhcp proxy | interface | dhcp proxy 65535
Identify the location of the external DHCP server. | dhcp relay server | context | dhcp relay server 10.192.100.30


Table 3-9 Tasks to Configure an External DHCP Server in the SECURE Context

Task | Root Command | Configuration Mode | Example from Sample Configurations
Access the SECURE context. | context | global | context SECURE
Add an interface to which dynamic CLIPS subscribers are bound and that provides IP addresses to subscribers. | interface | context | interface pool_clips multibind
Add an IP address to the interface. | ip address | interface | ip address 10.192.43.1/24
Enable the interface to act as a proxy between subscribers and the external DHCP server; set the number of IP addresses allowed on the interface to the maximum (65,535). | dhcp proxy | interface | dhcp proxy 65535
Identify the location of the external DHCP server. | dhcp relay server | context | dhcp relay server 10.192.100.30


Table 3-10 Tasks to Configure an External DHCP Server in the BASIC Context

Task | Root Command | Configuration Mode | Example from Sample Configurations
Create the BASIC context. | context | global | context BASIC
Add an interface to which dynamic CLIPS subscribers are bound and that provides IP addresses to subscribers. | interface | context | interface pool_clips multibind
Add an IP address for the interface. | ip address | interface | ip address 10.192.43.1/24
Enable the interface to act as a proxy between subscribers and the external DHCP server; set the number of IP addresses allowed on the interface to the maximum (65,535). | dhcp proxy | interface | dhcp proxy 65535
Identify the location of the external DHCP server. | dhcp relay server | context | dhcp relay server 10.192.100.30

For complete syntax and usage guidelines for the commands used, see Configuring DHCP in the SmartEdge OS Library.

Border Gateway Protocol (BGP)


Border Gateway Protocol (BGP) is configured in the NetOp PM system to enable distribution of subscriber routes among the contexts. This configuration is required for dynamic CLIPS and DHCP-based Bridged 1483 if you plan to have subscriber sessions change contexts, and you are using an external DHCP server. This configuration is required for all circuit types if you plan to consolidate the traffic from the SmartEdge router to the NetOp PM hosts through a single Gigabit Ethernet (GE) port. For examples, see the tables in this section, which describe the tasks to configure BGP, with examples from the sample configurations:

Table 3-11 on page 3-17 summarizes the tasks to configure BGP in the local context.
Table 3-12 on page 3-18 summarizes the tasks to configure BGP in the SECURE context.
Table 3-13 on page 3-19 summarizes the tasks to configure BGP in the BASIC context.

For complete syntax and usage guidelines for these SmartEdge OS commands, see the Configuring BGP document in the SmartEdge OS Library.
Table 3-11 Tasks to Configure BGP in the local Context

Task | Root Command | Configuration Mode | Example from Sample Configurations
Enable distribution of subscriber routes between contexts using BGP. | service | global | service inter-context routing
Add an interface in the local context to receive subscriber routes from other contexts. | interface | context | interface BGPIF loopback
Add an IP address for the interface. | ip address | interface | ip address 1.1.1.1/32
Configure BGP to distribute subscriber routes in the preceding interface. | router bgp | context | router bgp 64512
 | address-family | BGP router | address-family ipv4 unicast
 | redistribute | BGP router | redistribute subscriber
Configure BGP routing to distribute subscriber routes to the BASIC context. | neighbor | BGP router | neighbor 2.2.2.2 external
 | remote-as | BGP router | remote-as 64513
 | advertisement | BGP router | advertisement-interval 1
 | ebgp-multihop | BGP router | ebgp-multihop 3
 | update-source | BGP router | update-source BGPIF
 | address-family | BGP router | address-family ipv4 unicast
Configure BGP routing to distribute subscriber routes to the SECURE context. | neighbor | BGP router | neighbor 3.3.3.3 external
 | remote-as | BGP router | remote-as 64514
 | advertisement | BGP router | advertisement-interval 1
 | ebgp-multihop | BGP router | ebgp-multihop 3
 | update-source | BGP router | update-source BGPIF
 | address-family | BGP router | address-family ipv4 unicast
Enable the distribution of routes via BGP across contexts. | ip route | context | ip route 2.2.2.2/32 context BASIC
 | ip route | context | ip route 3.3.3.3/32 context SECURE

Table 3-12 Tasks to Configure BGP in the SECURE Context

Task | Root Command | Configuration Mode | Example from Sample Configurations
Add an interface to receive subscriber routes from other contexts. | interface | context | interface BGPIF loopback
Add an IP address for the interface. | ip address | interface | ip address 3.3.3.3/32
In the interface above, configure BGP to distribute subscriber routes. | router bgp | context | router bgp 64514
 | address-family | BGP router | address-family ipv4 unicast
 | redistribute | BGP router | redistribute subscriber
Configure BGP routing to distribute subscriber routes to the local context. | neighbor | BGP router | neighbor 1.1.1.1 external
 | remote-as | BGP router | remote-as 64512
 | advertisement | BGP router | advertisement-interval 1
 | ebgp-multihop | BGP router | ebgp-multihop 3
 | update-source | BGP router | update-source BGPIF
 | address-family | BGP router | address-family ipv4 unicast
Configure BGP routing to distribute subscriber routes to the BASIC context. | neighbor | BGP router | neighbor 2.2.2.2 external
 | remote-as | BGP router | remote-as 64513
 | advertisement | BGP router | advertisement-interval 1
 | ebgp-multihop | BGP router | ebgp-multihop 3
 | update-source | BGP router | update-source BGPIF
 | address-family | BGP router | address-family ipv4 unicast
Enable the distribution of routes via BGP across contexts. | ip route | context | ip route 1.1.1.1/32 context local
 | ip route | context | ip route 2.2.2.2/32 context BASIC
Enable the distribution of routes to the local context if consolidating the traffic from the node to the NetOp PM hosts through a single Gigabit Ethernet port. | ip route | context | ip route 10.192.100.0/24 context local

Table 3-13 Tasks to Configure BGP in the BASIC Context

Task | Root Command | Configuration Mode | Example from Sample Configurations
Add an interface to receive subscriber routes from other contexts. | interface | context | interface BGPIF loopback
Add an IP address for the interface. | ip address | interface | ip address 2.2.2.2/32
In the interface above, configure BGP to distribute subscriber routes. | router bgp | context | router bgp 64513
 | address-family | BGP router | address-family ipv4 unicast
 | redistribute | BGP router | redistribute subscriber
Configure BGP routing to distribute subscriber routes to the local context. | neighbor | BGP router | neighbor 1.1.1.1 external
 | remote-as | BGP router | remote-as 64512
 | advertisement | BGP router | advertisement-interval 1
 | ebgp-multihop | BGP router | ebgp-multihop 3
 | update-source | BGP router | update-source BGPIF
 | address-family | BGP router | address-family ipv4 unicast
Configure BGP routing to distribute subscriber routes to the SECURE context. | neighbor | BGP router | neighbor 3.3.3.3 external
 | remote-as | BGP router | remote-as 64514
 | advertisement | BGP router | advertisement-interval 1
 | ebgp-multihop | BGP router | ebgp-multihop 3
 | update-source | BGP router | update-source BGPIF
 | address-family | BGP router | address-family ipv4 unicast
Enable the distribution of routes via BGP across contexts. | ip route | context | ip route 1.1.1.1/32 context local
 | ip route | context | ip route 3.3.3.3/32 context SECURE
Enable the distribution of routes to the local context if consolidating the traffic from the node to the NetOp PM hosts through a single Gigabit Ethernet port. | ip route | context | ip route 10.192.100.0/24 context local
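As an added example (not part of the guide or of the SmartEdge OS), the following Python script checks the three-context peering in Tables 3-11 to 3-13 for consistency before it is committed: the sample lines are embedded as constructed input, and the parsing regexes, the check names and the problem messages are this example's own.

```python
"""Added example, not from the NetOp PM guide: a consistency check over the
inter-context BGP peering in Tables 3-11 to 3-13. Each context's relevant
sample lines are parsed, then every neighbor is checked for a reciprocal
declaration, a remote-as equal to the peer's router bgp number, and the
'ip route <peer loopback>/32 context <peer>' entry the peering relies on."""
import re
from typing import Dict, List, Optional

# Constructed from the guide's sample configurations (Tables 3-11, 3-12, 3-13).
SAMPLE_CONTEXTS = {
    "local": """
interface BGPIF loopback
 ip address 1.1.1.1/32
router bgp 64512
 neighbor 2.2.2.2 external
  remote-as 64513
 neighbor 3.3.3.3 external
  remote-as 64514
ip route 2.2.2.2/32 context BASIC
ip route 3.3.3.3/32 context SECURE
""",
    "SECURE": """
interface BGPIF loopback
 ip address 3.3.3.3/32
router bgp 64514
 neighbor 1.1.1.1 external
  remote-as 64512
 neighbor 2.2.2.2 external
  remote-as 64513
ip route 1.1.1.1/32 context local
ip route 2.2.2.2/32 context BASIC
""",
    "BASIC": """
interface BGPIF loopback
 ip address 2.2.2.2/32
router bgp 64513
 neighbor 1.1.1.1 external
  remote-as 64512
 neighbor 3.3.3.3 external
  remote-as 64514
ip route 1.1.1.1/32 context local
ip route 3.3.3.3/32 context SECURE
""",
}


def parse_context(text: str) -> dict:
    """Pull the BGPIF /32 address, the local AS number, each neighbor's
    remote-as and the inter-context /32 routes out of one context's text."""
    ctx: dict = {"loopback": None, "asn": None, "neighbors": {}, "routes": {}}
    current: Optional[str] = None  # neighbor whose sub-mode we are in
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ip address (\S+)/32", line)
        if m:
            ctx["loopback"] = m.group(1)
            continue
        m = re.fullmatch(r"router bgp (\d+)", line)
        if m:
            ctx["asn"] = int(m.group(1))
            continue
        m = re.fullmatch(r"neighbor (\S+) external", line)
        if m:
            current = m.group(1)
            ctx["neighbors"][current] = None
            continue
        m = re.fullmatch(r"remote-as (\d+)", line)
        if m and current is not None:
            ctx["neighbors"][current] = int(m.group(1))
            continue
        m = re.fullmatch(r"ip route (\S+)/32 context (\S+)", line)
        if m:
            ctx["routes"][m.group(1)] = m.group(2)
    return ctx


def check_peering(configs: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the mesh is consistent."""
    parsed = {name: parse_context(text) for name, text in configs.items()}
    by_loopback = {c["loopback"]: name for name, c in parsed.items()}
    problems = []
    for name, ctx in parsed.items():
        for peer_ip, remote_as in ctx["neighbors"].items():
            peer = by_loopback.get(peer_ip)
            if peer is None:
                problems.append(f"{name}: neighbor {peer_ip} is not any context's BGPIF address")
                continue
            if remote_as != parsed[peer]["asn"]:
                problems.append(f"{name}: remote-as {remote_as} for {peer_ip} but {peer} runs router bgp {parsed[peer]['asn']}")
            if ctx["loopback"] not in parsed[peer]["neighbors"]:
                problems.append(f"{peer}: no neighbor statement back to {name} ({ctx['loopback']})")
            if ctx["routes"].get(peer_ip) != peer:
                problems.append(f"{name}: missing 'ip route {peer_ip}/32 context {peer}'")
    return problems


if __name__ == "__main__":
    for p in check_peering(SAMPLE_CONTEXTS) or ["peering between local, SECURE and BASIC is consistent"]:
        print(p)
```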

Ports, Cards, and Circuits


Required. Configure the cards, ports, and circuits on your SmartEdge router to interoperate with the NetOp PM system. Table 3-14 describes the port and circuit types supported by the NetOp PM software (by encapsulation type). This guide covers configurations for PPP, dynamic and static CLIPS circuits, and wireless authorization.
Table 3-14 Supported Port and Circuit Types by Encapsulation Type

Port or Circuit Type | Encapsulation Type
Ethernet Port, 802.1Q VLAN | Dynamic CLIPS
Ethernet Port, 802.1Q PVC | Static CLIPS
ATM PVC | PPPoA
ATM PVC, Ethernet Port, 802.1Q VLAN | PPPoE
L2TP tunnel | PPP over L2TP
ATM PVC | DHCP-based RFC 1483 bridged
ATM PVC | Static RFC 1483 bridged
Ethernet Port | Mobile IP

For examples, see the tables in this section, which summarize the tasks to configure ATM and Ethernet ports and circuits, with examples from the sample configurations:

Table 3-15 on page 3-22 summarizes the tasks to configure ATM profiles, ports, and circuits for PPP access.
Table 3-16 on page 3-22 summarizes the tasks to configure Ethernet ports for PPP access.
Table 3-17 on page 3-22 summarizes the tasks to configure Ethernet ports for PPP access using L2TP tunnels.
Table 3-18 on page 3-23 summarizes the tasks to configure Ethernet ports for static CLIPS circuits.
Table 3-19 on page 3-23 summarizes the tasks to configure Ethernet ports for dynamic CLIPS circuits.
Table 3-20 on page 3-23 summarizes the tasks to configure Ethernet media interface cards (MICs) on SmartEdge 100 routers.
Table 3-21 on page 3-24 summarizes the tasks to configure Ethernet ports that lead to NetOp PM components.

For syntax descriptions and usage guidelines for the SmartEdge OS commands used, see the following documents in the SmartEdge OS Library:

Configuring ATM, Ethernet, and POS Ports
Configuring Circuits
Configuring CLIPS

Note: Starting in SmartEdge OS, Release 4.0.7, you can create CLIPS groups, or groups of ports and PVCs on which dynamic CLIPS circuits are created. These CLIPS groups provide port and PVC redundancy for the subscriber sessions initiated on those ports and PVCs. For information about configuring CLIPS groups for redundancy for the SmartEdge OS, see Configuring CLIPS in the SmartEdge OS Library.

Table 3-15 Tasks to Configure ATM Profiles, Cards, Ports, and Circuits for PPP

Task | Root Command | Configuration Mode | Example from Sample Configurations
Define an ATM profile with no specified bit rate (UBR shaping). | atm profile | global | atm profile profile-ubr
 | shaping ubr | ATM profile | shaping ubr
Configure an ATM card. | card atm | global | card atm-oc12-1-port 6
Configure an ATM port to be operational, and configure a range of static ATM PVCs on the port on which PPP traffic arrives. Specify the ATM profile you previously created with PPPoE encapsulation. | port atm | global | port atm 6/1
 | no shutdown | port | no shutdown
 | atm pvc explicit | ATM PVC | atm pvc explicit 1:31 through 1:100 profile profile-ubr encapsulation pppoe
Bind the circuit to the BASIC context with authentication binding and set the maximum number of sessions in a single ATM PVC to 5. | bind authentication | ATM PVC | bind authentication pap chap context BASIC maximum 5

Table 3-16 Tasks to Configure Ethernet Ports for PPP

Task | Root Command | Configuration Mode | Example from Sample Configurations
Configure an Ethernet card. | card | global | card ether-12-port 12
Configure an Ethernet port on which PPPoE traffic arrives, configure it to be operational, and specify it to use PPPoE encapsulation. | port ethernet | global | port ethernet 12/2
 | no shutdown | port | no shutdown
 | encapsulation | port | encapsulation pppoe
Bind the port to the BASIC context with authentication binding, and set the maximum number of PPP circuits to be bound to the port to 8,000. | bind authentication | port | bind authentication chap pap context BASIC maximum 8000

Table 3-17 Tasks to Configure Ethernet Ports for PPP over L2TP

Task | Root Command | Configuration Mode | Example from Sample Configurations
For an LNS, configure an Ethernet port to the LAC. | port ethernet | global | port ethernet 12/8
Set the port to be operational. | no shutdown | port | no shutdown
Bind the port with interface binding to the interface to the LAC. | bind interface | port | bind interface lns-to-lac BASIC
For a LAC, configure an Ethernet port to the LNS. | port ethernet | global | port ethernet 12/8
Set the port to be operational. | no shutdown | port | no shutdown
Bind the port with interface binding to the interface to the LNS. | bind interface | port | bind interface lac-to-lns BASIC

Table 3-18 Tasks to Configure Ethernet Ports for Static CLIPS

Task | Root Command | Configuration Mode | Example from Sample Configurations
Configure an Ethernet card (optional). | card | global | card ether-12-port 12
Configure an Ethernet port on which CLIPS traffic arrives. | port ethernet | global | port ethernet 12/1
Set the port to be operational. | no shutdown | port | no shutdown
Enable static CLIPS on the Ethernet port to use DHCP with subscribers authenticated in the local context; to configure only static CLIPS, do not include the dhcp keyword. | service clips | port | service clips
Configure a range of static CLIPS circuits. | clips pvc | port | clips pvc 1 through 5
Bind the circuits with auto-subscriber binding (see note 1). This automatically generates a bind subscriber command with a unique subscriber name for each static CLIPS circuit in the range. The auto-subscriber binding appends the static CLIPS circuit number to the end of the subscriber name template. | bind auto-subscriber | CLIPS PVC | bind auto-subscriber ser-1_12_1_ BASIC

1. The subscriber name must be globally unique in the NetOp PM system. We recommend formatting the subscriber names as follows: node_name_card-num_port-num_circuit-num

Table 3-19 Tasks to Configure Ethernet Ports for Dynamic CLIPS

Task | Root Command | Configuration Mode | Example from Sample Configurations
Configure an Ethernet card (optional). | card | global | card ether-12-port 12
Configure an Ethernet port on which CLIPS traffic arrives, and configure the port to be operational. | port ethernet | global | port ethernet 12/1
 | no shutdown | port | no shutdown
Enable dynamic CLIPS on the port. Include the dhcp keyword. The context specified is the context where subscribers are authenticated. | service clips | port | service clips dhcp context local

Table 3-20 Tasks to Configure Ethernet MICs on SmartEdge 100 Routers

Task | Root Command | Configuration Mode | Example from Sample Configurations
Configure an Ethernet card. | card | global | card carrier 2
Configure an Ethernet MIC port on which traffic arrives. | mic | card | mic 1 fe-12-port

Table 3-21 Tasks to Configure Ethernet Ports Leading to the NetOp PM Components

Task | Root Command | Configuration Mode | Example from Sample Configurations
Configure an Ethernet port leading to the RADIUS server. | port ethernet | global | port ethernet 12/3
Configure the port to be operational. | no shutdown | port | no shutdown
Bind it to the server interface in the local context, with interface binding. | bind interface | port | bind interface server local
Optional if using BGP to consolidate a single port leading to the NetOp PM components. Configure an Ethernet port leading to the NetOp PM lightweight web portal server (in this example, for BASIC service). | port ethernet | global | port ethernet 12/4
Configure the port to be operational. | no shutdown | port | no shutdown
Bind it to the server interface in the BASIC context, with interface binding. | bind interface | port | bind interface server BASIC
Configure an Ethernet port to the Internet gateway server and URL Filtering Service server (in this example, for BASIC service). | port ethernet | global | port ethernet 12/5
Configure the port to be operational. | no shutdown | port | no shutdown
Bind it to the Internet interface in the BASIC context, with interface binding. | bind interface | port | bind interface internet BASIC
Optional if using BGP to consolidate a single port leading to the NetOp PM components. Configure an Ethernet port to the NetOp PM lightweight web portal server (in this example, for SECURE service). | port ethernet | global | port ethernet 12/6
Configure the port to be operational. | no shutdown | port | no shutdown
Bind it to the Internet interface in the SECURE context, with interface binding. | bind interface | port | bind interface server SECURE
Configure an Ethernet port to the Internet via the URL Filtering service server (for the SECURE service). | port ethernet | global | port ethernet 12/7
Configure the port to be operational. | no shutdown | port | no shutdown
Bind it to the Internet interface in the SECURE context, with interface binding. | bind interface | port | bind interface internet SECURE

ACLs
Required to classify subscriber traffic. Configure access control lists (ACLs) in the BASIC context (required by the IP Redirect service attribute variation and optional with the Video service attribute variation). All bandwidth service attribute variations (SAV) require the default_traffic_acl.

Table 3-22 summarizes the tasks to configure ACLs for subscriber web portal traffic, with examples from the sample configurations; all tasks are for all circuit types except where otherwise noted.
Table 3-23 summarizes the tasks to configure ACLs for subscriber URL filtering traffic, with examples from the sample configurations; all tasks are for all circuit types except where otherwise noted.
Table 3-24 summarizes the tasks to configure ACLs for subscriber multicast video traffic, with examples from the sample configurations; all tasks are for all circuit types except where otherwise noted.

Note: ACLs are for classification purposes only. You cannot use them for redirection.

For syntax and usage guidelines for the commands used, see Configuring ACLs in the SmartEdge OS Library.
Table 3-22 Tasks to Configure ACLs for Subscriber Web Portal Traffic
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: Add an ACL for subscriber web logon traffic sent to the web portal. Dynamic CLIPS and DHCP-based Bridged 1483.
  policy access-list (context): policy access-list captiveportalacl

Task: Permit DHCP traffic to flow from the subscriber to the router; required so that the router can receive a DHCP release for a subscriber who has not used web logon.
  permit (access control list): seq 10 permit udp any any eq bootps class BOOTPS

Task: Permit DNS traffic to flow from the subscriber to the router; required so that the browser can resolve web site names.
  permit (access control list):
    seq 20 permit udp any any eq domain class DNS
    seq 30 permit udp any any eq netbios-ns class DNS

Task: Permit HTTP packets to access the URL specified in the http-redirect profile prof-name command in context configuration. The IP address is the address of the network web server host hosting the URL.
  permit (access control list): seq 35 permit tcp any host 10.192.100.20 eq www class WEB

Task: Permit HTTP traffic to flow from the subscriber to the web portal.
  permit (access control list): seq 40 permit tcp any any eq www class CAPTIVE_PORTAL

Task: Classify all other IP traffic to drop it.
  permit (access control list): seq 60 permit ip any class IP

3-26 NetOp Policy Manager Configuration Guide

Table 3-23 Tasks to Configure ACLs for Subscriber URL Filtering Traffic
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: Define an ACL for web traffic sent to a URL Filtering service server host. Dynamic CLIPS and DHCP-based Bridged 1483.
  policy access-list (context): policy access-list urlfilteracl

Task: Permit DHCP traffic to flow from the subscriber to the router; required so that the router can receive a DHCP release for a subscriber who is redirected to the URL Filtering service server host.
  permit (access control list): seq 10 permit udp any any eq bootps class BOOTPS

Task: Permit DNS traffic to flow from the subscriber to the router; required so the browser can resolve domain names.
  permit (access control list):
    seq 20 permit udp any any eq domain class DNS
    seq 30 permit udp any any eq netbios-ns class DNS

Task: Do not redirect traffic that should go to the captive portal.
  permit (access control list): seq 40 permit tcp any host 10.192.100.20 class CAPTIVEPORTAL

Task: Classify all web (port 80) traffic sent to the URL filtering server host.
  permit (access control list): seq 50 permit tcp any any eq www class URLFILTER

Table 3-24 Tasks to Configure ACLs for Subscriber Multicast Video Traffic
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: Add an ACL that permits a subscriber access to the multicast video server.
  ip access-list (context): ip access-list multicastvideo_igmp_acl
  permit (access control list): seq 10 permit ip host 224.10.1.1

Task: Restrict subscriber membership to this multicast group.
  deny (access control list): seq 20 deny ip any any

Table 3-25 Tasks to Configure ACLs for Traffic Classification
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: Define an ACL that classifies VoIP, video, and data traffic.
  policy access-list (context, BASIC context):
    policy access-list default_traffic_acl
    seq 10 permit udp any any range 16384 32767 class VOIP
    seq 20 permit ip host 224.10.1.1 class VIDEO
    seq 30 permit any any class DATA

Forward Policies
Required by the IP Redirect service attribute variation. Forward policies are defined in conjunction with ACLs. The ACLs are used to classify the different types of subscriber traffic, and the forward policies redirect or drop each of the different classes of traffic. Configure forward policies that will support the NetOp PM software in redirecting subscriber traffic.

For syntax and usage guidelines for the SmartEdge OS commands used, see Configuring Forward Policies in the SmartEdge OS Library.
Table 3-26 Tasks to Configure Forward Policies
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: Add a forward policy that forces a subscriber's browser traffic to the web portal server. The HTTP packets are redirected locally to the HTTP server running on the controller card and then to the URL for the web portal server specified in the HTTP redirect profile with the name matching the profile name received from VSA 107, RB-HTTP-Redirect-Profile-Name.
  forward policy (global): forward policy captiveportal
  access-group (forward policy): access-group captiveportalacl BASIC
  class (policy ACL): class CAPTIVE_PORTAL
  redirect destination local (policy ACL class): redirect destination local
  class (policy ACL): class IP
  drop (policy ACL class): drop

Task: Add a forward policy that forces subscribers' browser traffic to the URL Filtering service server (except for traffic to the captive portal).
  forward policy (global): forward policy urlfilter
  access-group (forward policy): access-group urlfilteracl BASIC
  class (policy ACL): class URLFILTER
  redirect destination next-hop (policy ACL class): redirect destination next-hop 10.192.200.20
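The following Python model is an added illustration of how the ACL classes in Table 3-22 and the forward policy in Table 3-26 work together; it is not SmartEdge OS code and not part of this guide. The ACL entries and the policy actions are copied from the sample captiveportalacl and captiveportal forward policy; the packet records, the non-portal addresses and the matching helper are constructed for the example. It also shows why seq 35 (web traffic to the portal host itself, class WEB) has to come before seq 40 (all other web traffic, class CAPTIVE_PORTAL): first match wins, so with the order reversed the subscriber's requests to the portal would themselves be redirected and the portal page could never be reached.

```python
"""Model of first-match ACL classification and forward-policy actions.

Added illustration, not SmartEdge OS code and not part of this guide. The ACL
entries and policy actions are copied from the sample captiveportalacl and
captiveportal forward policy (Tables 3-22 and 3-26); the packet records, the
non-portal addresses and the matching helper are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Entries of policy access-list captiveportalacl, in sequence order:
# (seq, protocol, destination host or None for "any", destination port or None, class)
CAPTIVE_PORTAL_ACL = [
    (10, "udp", None, 67, "BOOTPS"),           # eq bootps
    (20, "udp", None, 53, "DNS"),              # eq domain
    (30, "udp", None, 137, "DNS"),             # eq netbios-ns
    (35, "tcp", "10.192.100.20", 80, "WEB"),   # web traffic to the portal host itself
    (40, "tcp", None, 80, "CAPTIVE_PORTAL"),   # all other web traffic
    (60, "ip", None, None, "IP"),              # everything else
]

# forward policy captiveportal: action per class. Classes with no entry
# (BOOTPS, DNS, WEB) are forwarded normally.
CAPTIVE_PORTAL_POLICY = {
    "CAPTIVE_PORTAL": "redirect destination local",
    "IP": "drop",
}


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: only the fields the sample ACL looks at."""
    proto: str            # "tcp" or "udp"
    dst_ip: str
    dst_port: Optional[int]


def classify(acl, pkt: Packet) -> Optional[Tuple[int, str]]:
    """Return (seq, class) of the first entry the packet matches, or None."""
    for seq, proto, dst_host, dst_port, cls in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dst_host is not None and dst_host != pkt.dst_ip:
            continue
        if dst_port is not None and dst_port != pkt.dst_port:
            continue
        return seq, cls
    return None


def apply_policy(acl, policy, pkt: Packet) -> str:
    """Action the forward policy takes on the packet's class."""
    match = classify(acl, pkt)
    if match is None:
        return "forward"
    return policy.get(match[1], "forward")


def move_first(acl, seq):
    """Copy of the ACL with the given entry moved to the front (ordering experiment)."""
    return [e for e in acl if e[0] == seq] + [e for e in acl if e[0] != seq]


def sample_traffic(acl=CAPTIVE_PORTAL_ACL):
    """Actions for a constructed set of subscriber packets."""
    packets = {
        "dhcp_release": Packet("udp", "10.192.1.1", 67),
        "dns_query": Packet("udp", "10.192.1.1", 53),
        "to_portal": Packet("tcp", "10.192.100.20", 80),
        "other_web": Packet("tcp", "198.51.100.7", 80),
        "ssh": Packet("tcp", "198.51.100.7", 22),
    }
    return {name: apply_policy(acl, CAPTIVE_PORTAL_POLICY, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, action in sample_traffic().items():
        print(f"{name:13s} -> {action}")
    # With seq 40 evaluated before seq 35, even traffic to the portal host is redirected.
    print("to_portal with seq 40 first ->",
          sample_traffic(move_first(CAPTIVE_PORTAL_ACL, 40))["to_portal"])
```

Running the block prints one action per constructed packet: DHCP, DNS and portal traffic are forwarded, other web traffic is redirected to the local HTTP server, and anything else (the SSH packet) is dropped by the IP class. The last line demonstrates the ordering dependency.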

HTTP Redirect Profiles


Required for prepaid Access service offerings and IP Redirect service attribute variations. In the BASIC context, configure a set of HTTP redirect profiles and globally enable the HTTP redirect server. These configurations allow the NetOp PM software to direct subscriber IP traffic to a different path than it would otherwise take, such as to the Account Registration, Inactive Account Login, Invalid Location Login, Invalid Login, Quota Exceeded, Top Up, and Web Logon Redirect pages (required by the IP Redirect service attribute variation).

Required for Tiered Quota service bundles. In the BASIC context, configure an HTTP redirect profile to allow subscribers to top up their bandwidth when their quotas are exceeded. For more information, see Chapter 7, Service Subscription Attribute Overrides, in the NetOp Policy Manager API Guide.

Required for the Location-specific portal feature. In the BASIC context, configure an HTTP redirect profile for each chain of stores that has wireless access points (APs) from which customers will access the Internet. For more information about creating service attribute variations for location-specific redirects, see the Services and Service Profiles chapter in the NetOp Policy Manager Product Overview.

For an example of how to configure an HTTP redirect profile, see Table 3-27. For syntax descriptions and usage guidelines for the SmartEdge OS commands used, see the Configuring HTTP Redirect document in the SmartEdge OS Library.

Table 3-27 Tasks to Configure HTTP Redirect Profiles
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: In the BASIC context, add an HTTP redirect profile to direct subscribers (who attempt to log on to inactive accounts) to the Inactive Account Login page.
  http-redirect profile (context): http-redirect profile inactive_account_redirect
  url (HTTP redirect profile): url http://10.192.100.20/NPM-6.n.n.n/inactive_account.php

Task: In the BASIC context, add an HTTP redirect profile to direct subscribers (who attempt to log on from the wrong location) to the Invalid Location Login page. PPP only.
  http-redirect profile (context): http-redirect profile invalid_location_redirect
  url (HTTP redirect profile): url http://10.192.100.20/NPM-6.n.n.n/invalid_location.php

Task: In the BASIC context, add an HTTP redirect profile to direct subscribers (who attempt to log on with the wrong username or password) to the Invalid Login page.
  http-redirect profile (context): http-redirect profile invalid_login_redirect
  url (HTTP redirect profile): url http://10.192.100.20/NPM-6.n.n.n/invalid_login.php

Task: In the BASIC context, add an HTTP redirect profile to direct subscribers (whose service has expired) to the Quota Exceeded page.
  http-redirect profile (context): http-redirect profile quota_exceeded_redirect
  url (HTTP redirect profile): url http://10.192.100.20/NPM-6.n.n.n/quota_exceeded.php

Task: In the BASIC context, add an HTTP redirect profile to direct subscribers to the Usage page where they can top up quota.
  http-redirect profile (context): http-redirect profile top_up_redirect
  url (HTTP redirect profile): url http://10.192.100.20/NPM-6.n.n.n/usage.php

Task: In the BASIC context, add an HTTP redirect profile to direct subscribers (who have not yet been authenticated) to the portal to log on.
  http-redirect profile (context): http-redirect profile web_login_redirect
  url (HTTP redirect profile): url http://10.192.100.20/NPM-6.n.n.n/portal.php

Task: In the BASIC context, for each chain of stores to which you want to redirect subscribers, add an HTTP redirect profile to direct subscribers to the chain's portal. (1)
  http-redirect profile (context): http-redirect profile wireless_web_login_redirect
  url (HTTP redirect profile): url http://10.192.100.20/NPM-6.n.n.n/wireless.php

Task: Globally, enable the HTTP redirect server running on the XCRP controller card and listening on port 80 (by default).
  http-redirect server (global): http-redirect server

1. The example redirects subscribers to the wireless page in the sample NetOp PM lightweight web portal.

Hotline Redirect Profiles


Required. For service providers who want to redirect IP traffic for subscriber Mobile IP sessions to a different path than it would otherwise take (for example, to the Account Registration, Inactive Account Login, Invalid Location Login, Quota Exceeded, or Top Up web pages, as required by the IP Redirect service attribute variation), a RADIUS service profile, together with a forward policy and its policy ACL, must be defined on the node. The RADIUS service profile must contain the profile ID string, which should match the Hotline-Profile-ID field defined in the NetOp PM service attribute variation used to hotline a subscriber session. Table 3-28 summarizes the tasks to configure IP traffic redirection at session startup, with examples from the sample configurations. All tasks are for Mobile-IP circuit types only.

Table 3-28 Tasks to Configure Hotline Support
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: In the BASIC context, add a hotline-profile-id to direct subscribers who are hotlined to the account redirect web page, if appropriate.
  radius service profile (context):
    radius service profile mobile_account_registration_redirect
    accounting in circuit
    accounting out circuit
    seq 10 attribute Forward-Policy in captiveportal
    seq 20 attribute HTTP-Redirect-url http://10.192.100.238/NPM-6.n.n.n/newaccount.htm

Task: In the BASIC context, add a hotline-profile-id to direct subscribers who are hotlined to the account login web page, if appropriate.
  radius service profile (context):
    radius service profile mobile_inactive_account_redirect
    accounting in circuit
    accounting out circuit
    seq 10 attribute Forward-Policy in captiveportal
    seq 20 attribute HTTP-Redirect-url http://10.192.100.10/NPM-6.1.4.2/inactive_account.php

SNMP
Required. By default, the sample configurations include the Simple Network Management Protocol (SNMP) objects required to work with the NetOp PM system. To enable SNMP so that the node can accept SNMP messages from the NetOp PM system, verify that the SNMP server is enabled and that the configuration includes an snmp view command for each SNMP object listed in Table 3-29. This table summarizes the tasks to configure SNMP and provides examples from the sample configurations. For syntax descriptions and usage guidelines for the SmartEdge OS commands used, see the Configuring RMON and SNMP document in the SmartEdge OS Library. For SNMP attributes used by the NetOp PM software, see the section View SNMP Settings on page 1-2.
Table 3-29 Tasks to Configure SNMP
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: Enable SNMP so that the SmartEdge router can accept SNMP bounce, reauth, and clear objects from the NetOp PM system.
  snmp server (global): snmp server

Task: Used to query the node for a list of all the active subscriber sessions present in a configured context on the SmartEdge router.
  snmp view (global): snmp view npm_view rbnSubsActiveAddr included

Task: Used to query the node for all active subscriber sessions in a context configured on the SmartEdge router.
  snmp view (global): snmp view npm_view rbnSubsActiveCircuitDescr included

Task: Tells the SmartEdge router to resend an accounting start for a specific subscriber session.
  snmp view (global): snmp view npm_view rbnSubsActiveResend included

Task: Tells the SmartEdge router to bounce the specified subscriber session.
  snmp view (global): snmp view npm_view rbnSubsBounceSessionId included

Task: Tells the SmartEdge router the reason that the NetOp PM software is clearing the specified subscriber session.
  snmp view (global): snmp view npm_view rbnSubsClearReason included

Task: Tells the SmartEdge router to clear the specified subscriber session.
  snmp view (global): snmp view npm_view rbnSubsClearSessionId included

Task: Retrieves the inbound traffic statistics.
  snmp view (global): snmp view npm_view rbnSubsOctetsReceived included

Task: Retrieves the outbound traffic statistics.
  snmp view (global): snmp view npm_view rbnSubsOctetsSent included

Task: Retrieves the system description from a SmartEdge router.
  snmp view (global): snmp view npm_view sysDescr included

Task: Retrieves the hostname from a SmartEdge router.
  snmp view (global): snmp view npm_view sysName included

Task: Retrieves the list of contexts configured on the SmartEdge router.
  snmp view (global): snmp view npm_view vacmMIBObjects included

Task: Provides an estimate of the interface's current bandwidth in units of 1,000,000 bits per second.
  snmp view (global): snmp view npm_view ifHighSpeed included

Task: Provides the name of the interface.
  snmp view (global): snmp view npm_view ifName included

Task: Provides the type of interface, distinguished according to the physical/link protocols immediately below the network layer in the protocol stack.
  snmp view (global): snmp view npm_view ifType included

Task: Retrieves the class counters, policy type, policy name, and class id from a SmartEdge router.
  snmp view (global): snmp view npm_view rbnQosSubscriberRLClassStatsTable included

Task: Create a community string to permit access to Management Information Base (MIB) objects. Use the all-contexts keyword to trigger automatic generation of community names for all managed contexts. Allow the community read-write access to the MIB objects.
  snmp community (global): snmp community npm_community all-contexts view npm_view read-write
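The text above asks you to verify that the configuration carries an snmp view line for every object in Table 3-29. The following script is an added example of that check (not NetOp PM tooling and not part of this guide): it parses the snmp server, snmp view and snmp community lines in the shape used by the sample configurations, reports any required object that is not included in npm_view, and confirms that a community actually references the view. The configuration text it runs against is constructed by build_config(); only the command forms that appear in the table are recognised, so other SNMP command variants would be ignored by the parser.

```python
"""Check a SmartEdge configuration for the SNMP objects NetOp PM needs.

Added illustration, not NetOp PM tooling and not part of this guide. The
required object names are the ones listed in Table 3-29; the configuration
text fed to the check is constructed by build_config().
"""
import re

REQUIRED_OBJECTS = [
    "rbnSubsActiveAddr", "rbnSubsActiveCircuitDescr", "rbnSubsActiveResend",
    "rbnSubsBounceSessionId", "rbnSubsClearReason", "rbnSubsClearSessionId",
    "rbnSubsOctetsReceived", "rbnSubsOctetsSent", "sysDescr", "sysName",
    "vacmMIBObjects", "ifHighSpeed", "ifName", "ifType",
    "rbnQosSubscriberRLClassStatsTable",
]

# Only the command shapes that appear in the sample configuration are parsed.
VIEW_RE = re.compile(r"^\s*snmp view (\S+) (\S+) (included|excluded)\s*$")
COMMUNITY_RE = re.compile(
    r"^\s*snmp community (\S+)(?:\s+all-contexts)?\s+view (\S+)\s+(read-only|read-write)\s*$"
)


def parse_snmp(config_text):
    """Collect snmp server, snmp view and snmp community lines from a config."""
    views, communities, server = {}, [], False
    for line in config_text.splitlines():
        if line.strip() == "snmp server":
            server = True
            continue
        m = VIEW_RE.match(line)
        if m:
            views.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append({"name": m.group(1), "view": m.group(2), "access": m.group(3)})
    return {"server": server, "views": views, "communities": communities}


def check_npm_snmp(config_text, view_name="npm_view"):
    """Return a list of problems; an empty list means the config meets Table 3-29."""
    parsed = parse_snmp(config_text)
    problems = []
    if not parsed["server"]:
        problems.append("snmp server is not enabled")
    view = parsed["views"].get(view_name, {})
    missing = [o for o in REQUIRED_OBJECTS if view.get(o) != "included"]
    if missing:
        problems.append("view %s lacks: %s" % (view_name, ", ".join(missing)))
    if not any(c["view"] == view_name for c in parsed["communities"]):
        problems.append("no snmp community references view %s" % view_name)
    return problems


def build_config(objects, with_server=True):
    """Constructed configuration text in the shape of the sample configurations."""
    lines = ["snmp server"] if with_server else []
    lines += ["snmp view npm_view %s included" % o for o in objects]
    lines.append("snmp community npm_community all-contexts view npm_view read-write")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # A constructed config that deliberately omits one required object.
    incomplete = build_config([o for o in REQUIRED_OBJECTS if o != "rbnSubsClearReason"])
    print(check_npm_snmp(incomplete) or "ok")
```

The parser also records the access level of each community. In the sample it is read-write across all contexts, which is what allows the NetOp PM system to bounce and clear sessions through the rbnSubs objects, so a configuration review should look at that line together with the views it exposes.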

NAT Policies
Optional. You can use NAT to map a set of private IP addresses to one or more public-routable IP addresses. NAT is also used by Dynamic IP Address service attribute variations. See Table 3-30 for the tasks to configure a NAT policy. For syntax descriptions and usage guidelines for the SmartEdge OS commands used, see Configuring NAT Policies and Configuring ACLs in the SmartEdge OS Library.
Table 3-30 Tasks to Configure a NAT Policy
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: In both the BASIC and SECURE contexts, add an ACL to pass all private traffic to the NetOp PM portal untranslated.
  policy access-list (context): policy access-list WEB_PORTAL_PASSTHRU_ACL
  permit (access control list): seq 10 permit tcp any host 10.192.100.20 eq www class WEB_PORTAL

Task: In both the BASIC and SECURE contexts, define a NAT pool of public IP addresses for the NAT_DYNAMIC_PRIVATE_IP configuration and assign a range of IP addresses to the pool.
  ip nat pool (context): ip nat pool PUBLIC_IP_ADDRESSES napt multibind
  address (NAT pool): address 10.192.49.10 to 10.192.49.20

Task: In both the BASIC and SECURE contexts, define a NAT policy with dynamic translation.
  nat policy (context): nat policy NAT_DYNAMIC_PRIVATE_IP
  pool (NAT policy): pool PUBLIC_IP_ADDRESSES BASIC
  access-group (NAT policy): access-group WEB_PORTAL_PASSTHRU_ACL
  class (policy ACL): class WEB_PORTAL

Task: Traffic destined for the NetOp PM portal remains untranslated.
  ignore (policy ACL class): ignore

QoS Policies
Required for Bandwidth service attribute variations. Globally configure a set of QoS metering and policing policies that control the bandwidth of traffic sent to the subscriber circuit. For more information on defining Bandwidth service offerings, see Create Service Offerings on page 9-1.

Note
The NetOp PM software also supports priority queueing (PQ) policies, enhanced deficit round-robin (EDRR) policies, ATM weighted fair queueing (ATMWFQ) policies, and priority weighted fair queueing (PWFQ) policies, although they are not included in the sample configurations used in this guide. For more information about configuring QoS on the SmartEdge platform, see the Configuring Circuits for QoS document in the SmartEdge OS Library. For examples of PWFQ policies documented in Table 3-33, see the sample-ser.cfg (merged) sample configuration file in the /usr/local/npm/config directory.

Table 3-31 summarizes the tasks to configure QoS metering and policing policies, with examples from the sample configurations; all tasks apply to all circuit types except where otherwise noted. Table 3-32 summarizes the tasks to configure QoS metering, policing, and PWFQ policies to support the RB-Qos-Rate-Inbound and RB-Qos-Rate-Outbound RADIUS VSAs. Table 3-33 summarizes the tasks to configure QoS PWFQ policies; all tasks apply to all circuit types except where otherwise noted. QoS PWFQ policies are only supported on Gigabit Ethernet 3 cards. For syntax descriptions and usage guidelines for the SmartEdge OS commands used, see Configuring Circuits for QoS in the SmartEdge OS Library.

Table 3-31 Tasks to Configure QoS Metering and Policing Policies
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: Define a metering policy that restricts the bandwidth of traffic being sent to the subscriber circuit with default values for traffic classes.
  qos policy metering (global): qos policy default_qos_metering_policy metering
  rate (metering policy)

Task: Define a policing policy that restricts the bandwidth of traffic being received from the subscriber circuit to the lowest tier.
  qos policy policing (global): qos policy default_qos_policing_policy policing
  rate (policing policy)

Table 3-32 QoS Policies to Support the RB-Qos-Rate-Inbound and RB-Qos-Rate-Outbound RADIUS VSAs
(Each row lists the root commands, their configuration modes in parentheses, and the example from the sample configurations.)

Task: To enable the use of the RB-Qos-Rate-Inbound RADIUS VSA, configure policing or PWFQ policies in your SmartEdge router configuration. Add a QoS metering or PWFQ policy rate.
  For inbound policies, use one of the following commands (global):
    qos policy pol-name policing
    qos policy pol-name pwfq
  For QoS metering policies (metering policy): rate kbps [burst bytes] [excess-burst bytes]
  For QoS PWFQ queueing policies (PWFQ policy): rate {minimum | maximum} kbps; num-queues num
  Example:
    qos policy bronze_qos_policing_policy policing
    rate 128 burst 100000
  or
    qos policy triple_play_queuing_policy pwfq
    num-queues 4
    rate maximum 20000

Task: To enable the use of the RB-QoS-Rate-Outbound RADIUS VSA, configure metering or PWFQ policies in your SmartEdge router configuration. Add a QoS policing or PWFQ policy.
  For outbound policies, use one of the following commands (global):
    qos policy pol-name metering
    qos policy pol-name pwfq
  For QoS policing policies (policing policy): rate kbps [burst bytes] [excess-burst bytes]
  For QoS PWFQ queueing policies (PWFQ policy): rate {minimum | maximum} kbps; num-queues num
  Example:
    qos policy bronze_qos_policing_policy policing
    rate 128 burst 100000
  or
    qos policy triple_play_queuing_policy pwfq
    num-queues 4
    rate maximum 20000

Table 3-33 Tasks to Configure QoS Priority Weighted Fair Queueing Policies
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

To support triple-play traffic on a subscriber circuit for voice over IP, in conjunction with video and data traffic, create a QoS PWFQ policy by following these steps.

Task: Create the policy name and access PWFQ policy configuration mode.
  qos policy pwfq (global): qos policy triple_play_queuing_policy pwfq

Task: Optional. Specify the number of queues for the policy; the value in the example is 4. The default is 8.
  num-queues (PWFQ policy): num-queues 4

Task: Optional. Set the rate and burst tolerance for traffic on the circuit, port, or subscriber record to which the policy is attached.
  rate (PWFQ policy): rate maximum 20000

Task: Optional. Assign a priority and relative weight to each queue. In the queue priority command, the weights specify the traffic share for each queue.
  queue priority (PWFQ policy):
    queue 0 priority 0 weight 60
    queue 1 priority 0 weight 40
    queue 2 priority 1 weight 90
    queue 3 priority 1 weight 10

To support the RB-QoS-Reference RADIUS attribute associated with access services, add two QoS PWFQ policies by following these steps.

Define the first QoS PWFQ policy:

Task: Create the policy name and access PWFQ policy configuration mode.
  qos policy pwfq (global): qos policy 2q-1 pwfq

Task: Set the rate and burst tolerance for traffic on the circuit, port, or subscriber record to which the policy is attached.
  rate (PWFQ policy):
    rate maximum 450000
    rate minimum 400000

Task: Specify the number of queues for the policy; the value in the example is 2. The default is 8.
  num-queues (PWFQ policy): num-queues 2

Task: Assign a priority and relative weight to each queue. In the queue priority command, the weights specify the traffic share for each queue.
  queue priority (PWFQ policy):
    queue 0 priority 0 weight 100
    queue 1 priority 1 weight 100
    queue priority 0 rate 400000 exceed

Define the second QoS PWFQ policy:

Task: Create the policy name and access PWFQ policy configuration mode.
  qos policy pwfq (global): qos policy 4q pwfq

Task: Set the rate and burst tolerance for traffic on the circuit, port, or subscriber record to which the policy is attached.
  rate (PWFQ policy): rate maximum 6000

Task: Specify the number of queues for the policy; the value in the example is 4. The default is 8.
  num-queues (PWFQ policy): num-queues 4

Task: Assign a priority and relative weight to each queue. In the queue priority command, the weights specify the traffic share for each queue.
  queue priority (PWFQ policy):
    queue 0 priority 0 weight 33
    queue 1 priority 0 weight 33
    queue 2 priority 0 weight 33
    queue 3 priority 1 weight 100
    queue priority 0 rate 5000
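To make the weight and priority settings in Table 3-33 concrete, the following Python is an added worked example (not SmartEdge OS code and not part of this guide) that estimates how much of the 20000 kbps maximum rate each queue of triple_play_queuing_policy receives for a given offered load. The queue definitions are the sample's; the offered loads are constructed. The scheduling rule applied is an assumption stated in the code: queues with a lower priority value are served strictly before higher values, and queues that share a priority value divide what is left in proportion to their weights, with any share a lightly loaded queue cannot use passed to its peers.

```python
"""Per-queue bandwidth estimate for a PWFQ policy.

Added illustration, not SmartEdge OS code and not part of this guide. The
queue definitions are those of triple_play_queuing_policy (Table 3-33); the
offered loads are constructed. Assumption made here: queues with a lower
priority value are served strictly before higher values, and queues that share
a priority value split what is left in proportion to their weights.
"""

# (queue id, priority, weight) as in the sample policy; rate maximum 20000 kbps
TRIPLE_PLAY_QUEUES = [(0, 0, 60), (1, 0, 40), (2, 1, 90), (3, 1, 10)]
TRIPLE_PLAY_RATE_KBPS = 20000


def pwfq_grant(rate_kbps, queues, offered_kbps):
    """Return {queue id: kbps granted} for the given offered load per queue.

    Within a priority level the budget is shared by weight; a queue whose
    offered load is below its share takes only what it offers and the rest
    is re-shared among its peers (water-filling).
    """
    granted = {q: 0.0 for q, _, _ in queues}
    budget = float(rate_kbps)
    for prio in sorted({p for _, p, _ in queues}):
        group = [(q, w) for q, p, w in queues if p == prio]
        want = {q: float(offered_kbps.get(q, 0)) for q, _ in group}
        active = [q for q, _ in group if want[q] > 0]
        while active and budget > 0:
            total_w = sum(w for q, w in group if q in active)
            share = {q: budget * w / total_w for q, w in group if q in active}
            satisfied = [q for q in active if share[q] >= want[q] - granted[q]]
            if not satisfied:
                # every active queue can use its full share: this level exhausts the budget
                for q in active:
                    granted[q] += share[q]
                budget = 0.0
                break
            # queues whose demand is below their share are filled and leave the pool
            for q in satisfied:
                extra = want[q] - granted[q]
                granted[q] += extra
                budget -= extra
            active = [q for q in active if q not in satisfied]
    return granted


def triple_play_example():
    """Constructed load: light voice queues, a saturating video queue, some data."""
    offered = {0: 3000, 1: 3000, 2: 30000, 3: 5000}
    return pwfq_grant(TRIPLE_PLAY_RATE_KBPS, TRIPLE_PLAY_QUEUES, offered)


if __name__ == "__main__":
    for q, kbps in triple_play_example().items():
        print(f"queue {q}: {kbps:.0f} kbps")
```

With the constructed load the two priority 0 queues take only the 3000 kbps each they offer, and the remaining 14000 kbps is split 90:10 between queues 2 and 3 (12600 and 1400 kbps). If the priority 0 queues offer more than the whole rate, they take 60 percent and 40 percent of it and the priority 1 queues receive nothing, which is the behaviour the strict priority assumption implies.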

IGMP Profiles
Required by the Video service attribute variation. Configure an IGMP profile, which allows subscriber access to the multicast video server. For syntax descriptions and usage guidelines for the SmartEdge OS commands used, see the Configuring IP Multicast document in the SmartEdge OS Library.

Table 3-34 Tasks to Configure IGMP Profiles
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: In the BASIC context, add an IGMP profile, which allows subscribers access to the multicast video server.
  igmp service-profile (context): igmp service-profile multicastvideo_igmp_profile
  access-group (IGMP service profile): access-group multicastvideo_igmp_acl

Task: Define the rendezvous point that has been configured for the entire multicast network. The sample configuration arbitrarily uses the multicast server-facing interface as the rendezvous point.
  pim (context): pim rp-address 10.192.100.6

Lawful Intercept Profiles


Required by the Lawful Intercept service attribute variation. Configure a Lawful Intercept profile, which allows subscriber access to the LEA Lawful Intercept service offering. For syntax descriptions and usage guidelines for the SmartEdge OS commands used, see the Configuring Lawful Intercept document in the SmartEdge OS Library.
Table 3-35 Tasks to Configure Lawful Intercept Profiles
(Each row lists the root command, its configuration mode in parentheses, and the example from the sample configurations.)

Task: Configure the software license for lawful intercept.
  software license (global): See the Configuring Lawful Intercept document in the SmartEdge OS Library.
    lawful-intercept password my-license-password (1)
    lawful-intercept license

Task: Log on as an administrative user. In the local context, create an account with lawful intercept privileges.
  administrator (context local): administrator my-li-user password my-password
  privilege (administrator): privilege start 15
  privilege (administrator): privilege max 15
  command-access (administrator): command-access li-admin

Task: Configure the lawful intercept profile.
  li-profile (global): li-profile li_lea_md
  transport (li-profile): transport udp destination 10.1.1.2 4000 context local source 10.1.1.1 400
  header (li-profile): header seq-no
  header (li-profile): header li-id
  header (li-profile): header session-id
  header (li-profile): header label Redback SER
  type (li-profile): type ip-datagrams

Task: Define an interface to the law enforcement agency (LEA) mediation device (MD) and connect to it. Complete the connection to the MD through context local. In this example, the MD device has an IP address of 10.1.1.2 and is connected to context local through the interface to_lea_md.
  interface (context local): interface to_lea_md
  ip address (interface): ip address 10.1.1.1/24

1. Use the no form to disable the software license for LI features and functions.

Chapter 4

Configure RADIUS

By configuring communication with multiple NetOp PM RADIUS servers, the NetOp PM system can provide load balancing, redundancy, and scalability as the number of nodes in the network increases. The NetOp PM RADIUS servers support both of the following authentication models:
- Can authenticate RADIUS messages locally or forward them to an external RADIUS server.
- Can locally authenticate or forward EAP authentication messages to an external EAP-aware RADIUS server.

Load-sharing RADIUS servers can detect RADIUS requests through a single authentication port (1812) and single accounting port (1813) for each Solaris host.

This chapter includes the following RADIUS configuration topics:
- View Default NetOp PM RADIUS Server Settings
- Start the NetOp PM RADIUS Servers
- Stop the NetOp PM RADIUS Servers
- Reinitialize the NetOp PM RADIUS Server
- Change the RADIUS Default Configuration
- Configure the RADIUS Server for EAP Authentication
- View the List of Supported RADIUS Attributes
- Configuring Custom Behavior for RADIUS

Note
All references to realm refer to the part of the user's logon name that follows the far right @ character, also known as context or domain in the SmartEdge OS documentation. This RADIUS definition of realm should not be confused with the definition of security realm in the context of the NetOp PM API security.

View Default NetOp PM RADIUS Server Settings


By default, the sample configuration files include the commands used to configure SmartEdge router access to the NetOp PM RADIUS servers. For procedures to configure node communications with the NetOp PM RADIUS servers, see the RADIUS section on page 3-7.


To view the default NetOp PM RADIUS server settings in the sample configuration files, perform the following steps:
1. Log on as root.
2. Open a terminal window and navigate to the NetOp PM configuration directory:
   cd /usr/local/npm/config
3. Open a sample configuration file; for example, the sample-ser-ppp.cfg file.
4. Find the RADIUS configuration section, which begins with the line shown in the following excerpt:
   !
   ! Configure radius
   !
   radius attribute nas-ip-address interface server
   radius attribute acct-session-id access-request
   These commands enable the NAS-IP-Address and Acct-Session-ID attributes to be included in the RADIUS Access-Request and Accounting-Request.
5. Find the section to configure the RADIUS servers, which begins with the line shown in the following excerpt:
   ! Configure the RADIUS authentication servers.
   !
   radius server 10.192.100.10 key my-secret port 1812
   radius server 10.192.100.11 key my-secret port 1812
   !
   ! Configure the RADIUS accounting servers.
   !
   radius accounting server 10.192.100.10 key my-secret port 1813
   radius accounting server 10.192.100.11 key my-secret port 1813
   !
   These commands configure the RADIUS servers to use the specified IP addresses and listening ports. To modify the IP addresses or port numbers, see the Modify the Node Configuration for NetOp PM RADIUS Servers section on page 4-6.

Note
The NetOp PM system enables you to define service offerings differently for each realm by specifying the Realm attribute in the service definition. When a subscriber logs on with the username@realm form, the NetOp PM system searches the services for that realm and returns those service attributes only to subscribers with that realm. Services configured with the Realm attribute set to ALL are available to all realms. If no realm is specified in the subscriber username, subscribers receive service attributes configured with the Realm attribute set to ALL. If you want to define service offerings that use different RADIUS attributes for various realms, ensure that the command radius strip-domain is not specified in your node configuration because it will remove the realm when the node sends the username@realm to the NetOp PM system. To determine if the command is present and, if so, to disable it, perform the following steps:
1. Start a command-line interface (CLI) session for the SmartEdge OS software.
2. Enter the show configuration command in any mode. In the resulting display, scan for the radius strip-domain command.
3. If the command is present in the configuration, to disable it enter the no radius strip-domain command in context configuration mode (in the context where it is enabled).
4. Enter the save configuration url command in exec (10) mode, where the url argument is the path to and filename of the node configuration file.
For syntax and usage guidelines for these commands and for detailed information on loading a file into a node and saving the configuration, see the Managing Files document in the SmartEdge OS Library.
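The realm rules in the note above (realm is the text after the far-right @; realm-specific services plus the ALL services; ALL only when no realm is present) and the effect of radius strip-domain are shown in the following added Python example, which is not NetOp PM code and not part of this guide. The service table and the logon names are constructed.

```python
"""Realm-based service selection and the effect of radius strip-domain.

Added illustration, not NetOp PM code and not part of this guide. The realm
rule (text after the far-right '@') and the ALL rule follow the note in this
chapter; the service table and logon names are constructed.
"""


def realm_of(username):
    """Realm is everything after the far-right '@'; None when there is no '@'."""
    _, sep, realm = username.rpartition("@")
    return realm if sep else None


def strip_domain(username):
    """What the node sends when 'radius strip-domain' is configured: the realm is removed."""
    name, sep, _ = username.rpartition("@")
    return name if sep else username


def services_for(username, services):
    """services: list of (service name, Realm attribute).

    A subscriber receives the services of its realm plus those with Realm ALL;
    a logon without a realm receives only the ALL services.
    """
    realm = realm_of(username)
    return [name for name, r in services
            if r == "ALL" or (realm is not None and r == realm)]


# Constructed service table: two realm-specific offerings and one for all realms.
SERVICES = [
    ("isp_gold_bandwidth", "isp.example"),
    ("store_wifi_portal", "stores.example"),
    ("basic_data", "ALL"),
]

if __name__ == "__main__":
    for login in ("alice@isp.example",
                  strip_domain("alice@isp.example"),   # what arrives with strip-domain set
                  "bob@shop1@stores.example"):         # far-right '@' decides the realm
        print(f"{login:28s} -> {services_for(login, SERVICES)}")
```

The second logon in the usage loop shows the failure mode the note warns about: once the node has stripped the domain, the subscriber falls back to the ALL services only, because the realm-specific offering can no longer be matched.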

Start the NetOp PM RADIUS Servers


Use the start_radius.sh script to start the NetOp PM RADIUS accounting and authentication servers.

Note
The NetOp PM RADIUS server automatically restarts when the Solaris host reboots.

To start the NetOp PM RADIUS server, perform the following steps:
1. Log onto the NetOp PM RADIUS server host as root.
2. Navigate to the NetOp PM RADIUS directory:
   cd /usr/local/npm/radius
3. Run the start_radius.sh script according to the following syntax:
   ./start_radius.sh [-f] [-fg] [-h]

Table 4-1 Syntax for the start_radius.sh Script

-acct_port port: Optional. Port for accounting messages; by default, port 1813. If you do not specify any ports when you run the start_radius.sh script, defaults to the ports configured when you ran the config_radius.sh script. To specify additional ports, use the optional port2 and port3 arguments, with no spaces between the port numbers and commas.

-auth_port port: Optional. Port for authentication messages; by default, port 1812. If you do not specify any ports when you run the start_radius.sh script, defaults to the ports configured when you ran the config_radius.sh script. To specify additional ports, use the optional port2 and port3 arguments, with no spaces between the port numbers and commas.

-f: Optional. Starts the server without prompting the user.

-fg: Optional. Starts the server in the foreground.

-h: Optional. Prints usage information and exits.

Note

By default, the config_radius.sh script configures the NetOp PM RADIUS server to automatically restart if the NetOp PM host reboots. To modify this behavior, see the Change Restart Settings section on page 4-7.

By default, the authentication port is 1812 and the accounting port is 1813. You can redefine the RADIUS authentication and accounting ports when you run the config_radius.sh script with the -auth_port and -acct_port keywords.

Stop the NetOp PM RADIUS Servers


To stop the NetOp PM RADIUS servers, perform the following steps:

1. Log onto the NetOp PM RADIUS server host as root.
2. Navigate to the location of the NetOp PM RADIUS directories:
   cd /usr/local/npm/radius
3. Run the stop_radius.sh script according to the following syntax:
   ./stop_radius.sh [-f] [-h]

Table 4-2 Syntax for the stop_radius.sh Script

-f
    Optional. Stops the server without prompting the user.

-h
    Optional. Prints usage information and exits.

Reinitialize the NetOp PM RADIUS Server


Running the reinit_radius.sh script reinitializes the NetOp PM RADIUS server and performs the following:

- Rereads the NetOp PM RADIUS dictionary (dictionary_redback.cfg).
- Rereads the npm_radiator_env.cfg file.
- Resets the NetOp PM RADIUS server statistics.

Resetting the server statistics enables you to start monitoring the server statistics from a particular point onward. To reinitialize the NetOp PM RADIUS servers, perform the following steps:

1. On each NetOp PM RADIUS server host, log on as root.
2. Open a terminal window and navigate to the NetOp PM RADIUS directory:
   cd /usr/local/npm/radius
3. Run the reinit_radius.sh script according to the following syntax:
   ./reinit_radius.sh [-f] [-h]

Table 4-3 Syntax for the reinit_radius.sh Script

-f
    Optional. Reinitializes the server without prompting the user.

-h
    Optional. Prints usage information and exits.

Change the RADIUS Default Configuration


The config_radius.sh script enables you to change the default configuration for the NetOp PM RADIUS servers.

Note To use EAP authentication, you need to purchase the NetOp PM EAP Support license.

Modify the Port Configuration for NetOp PM RADIUS Servers


The NetOp PM RADIUS servers can be configured to locally authenticate and forward RADIUS and EAP requests. To configure the NetOp PM RADIUS servers, perform the following steps on each NetOp PM host where you are deploying RADIUS:

1. Log on as root.
2. Navigate to the NetOp PM installation directory:
   cd /usr/local/npm
3. Run the config_radius.sh script according to the following syntax:
   ./config_radius.sh [-acct_port port[,port2]] [-auth_port port[,port2]] [-auto_start | -noauto_start] [-f] [-h]

Use the -acct_port port,port2,port3 and -auth_port port,port2,port3 constructs to assign ports for RADIUS and optionally EAP authentication and accounting requests. All ports must be unique on the same host, with no spaces between port numbers and commas. The ports you configure for RADIUS authentication must match those configured in the node configuration files. The ports you configure using the config_radius.sh script are used, by default, by the start_radius.sh, stop_radius.sh, reinit_radius.sh, show_radius.sh, and test_radius.sh scripts.

Table 4-4 Syntax for the config_radius.sh Script

-acct_port port
    Optional. Port for accounting messages; by default, port 1813. For RADIUS accounting, the specified ports should match those configured in the sample configuration files; for EAP accounting, the ports should match those configured on the wireless AP. To specify additional RADIUS ports, use the optional port2 and port3 arguments, with no spaces between the port numbers and commas.

-auth_port port
    Optional. Port for authentication messages; by default, port 1812. For RADIUS authentication, the specified ports should match those configured in the sample configuration files. To specify additional RADIUS ports, use the optional port2 and port3 arguments, with no spaces between the port numbers and commas.

-auto_start
    Optional. Activates the automatic shutdown and startup of the NetOp PM RADIUS server when the NetOp PM host reboots. This is the default.

-noauto_start
    Optional. Disables the automatic restart of the NetOp PM RADIUS server when the NetOp PM host reboots.

-f
    Optional. Configures the NetOp PM RADIUS server without prompting the user.

-h
    Optional. Prints usage information and exits.

Modify the Node Configuration for NetOp PM RADIUS Servers


The node sample configuration files assume that the NetOp PM RADIUS servers use the standard 1812 and 1813 RADIUS ports. To modify the NetOp PM RADIUS server configuration in the sample configuration files, perform the following steps on the NetOp PM host:

1. Open a sample configuration in a text editor; for example, the sample-ser-ppp.cfg file.
2. Locate the appropriate lines, as shown in the following excerpt:

   ! Configure the Radius authentication servers
   !
   radius server 10.192.100.10 key my-secret port 1812
   radius server 10.192.100.11 key my-secret port 1812
   !
   ! Configure the RADIUS accounting servers.
   !
   radius accounting server 10.192.100.10 key my-secret port 1813
   radius accounting server 10.192.100.11 key my-secret port 1813

3. In the sample configuration file, modify the commands, using the appropriate port numbers, according to the following syntax:

   radius server {ip-addr | hostname} key key [oldports | port udp-port]
   radius accounting server {ip-addr | hostname} key key [oldports | port udp-port]

   where the ip-addr or hostname argument is the IP address or hostname of the NetOp PM RADIUS server, the key key construct sets a password shared by the NetOp PM RADIUS server and the node, and the port udp-port construct sets the port for the RADIUS authentication or accounting server.

Note For more information about these commands for the SmartEdge OS, see the Configure RADIUS document in the SmartEdge OS Library.

Change Restart Settings


The config_radius.sh script enables you to change the restart behavior of the NetOp PM RADIUS server. To modify the default behavior, see the Modify the Node Configuration for NetOp PM RADIUS Servers section on page 4-6.

Configure the RADIUS Server for EAP Authentication


You can configure the NetOp PM RADIUS server to authenticate the following types of EAP requests:

- EAP TLS
- EAP TTLS
- EAP-MSCHAPv2 and MSCHAPv2
- EAP-MD5

To authenticate these types of EAP requests using the NetOp PM RADIUS servers, see the Configure Support for EAP Authentication section on page 14-2.

View the List of Supported RADIUS Attributes


A configuration file is provided with the NetOp PM software that lists the RADIUS attributes used by the SmartEdge platform. To view this list, perform the following steps:

1. Log on as root.
2. Open a terminal window and navigate to the NetOp PM RADIUS directory:
   cd /usr/local/npm/radius
3. Open the dictionary_redback.cfg file.

Caution Risk of communication loss. Modifying attribute names impacts the NetOp PM system functionality. To reduce the risk, do not modify the names of these attributes.

For definitions of attributes supported by the SmartEdge OS, see the RADIUS Attributes document in the SmartEdge OS Library. The NetOp PM software supports a subset of the node-supported vendor-specific attributes (VSAs). For the mapping between the NetOp PM-supported RADIUS attributes and the corresponding columns in the NetOp PM database, as well as attribute descriptions and valid values by node type, see Chapter 1, Filtering Attribute and RADIUS Attribute Descriptions in the NetOp Policy Manager Reference. You can add additional RADIUS attributes to the NetOp PM system using the NetOp PM application programming interface (API) through a Simple Object Access Protocol (SOAP) client; for procedures, see the Configure Additional RADIUS Attributes section on page 7-1.

Configuring Custom Behavior for RADIUS


To customize RADIUS behavior, you can:

- Customize RADIUS Server Hooks
- Customize EAP Hooks

Customize RADIUS Server Hooks


Note Modifying the radiatorhooks.pm module is not recommended as it poses problems when upgrading to newer versions of the NetOp PM software.

To specify your own site-specific processing without modifying the standard NetOp PM Radiator code, you create the customhooks.pm file and place it in the /usr/local/npm/radius directory. For a sample customhooks.pm file, see the /usr/local/npm/radius/sample-customhooks.pm file. When customizing Radiator hooks, use the following guidelines:

- Custom hooks take the same parameters as standard hooks.
- Compilation errors in your hook code are reported to the log file at startup time.
- Runtime errors in your hook are reported to the log file when your hook is run.
- The hook names in the customhooks.pm file are important, but their placement in the file is not.
- Arguments preceded by \ are passed by reference. You must de-reference them to get at the actual parameter. It is done this way, instead of just passing a handle to the object, to enable switching the object it points to. For example, to reference the first argument in the PreClientHook hook, refer to it as ${$_[0]}, and to reference the second argument, refer to it as ${$_[1]}.

To get an attribute from the request in the PreClientHook hook, you would use code similar to the following example (the attribute name must be quoted, because an unquoted hyphenated name is parsed by Perl as a subtraction):

   my $modtype = ${$_[0]}->get_attr('USR-Modulation-Type');


Table 4-5 Hooks Available for Custom Behavior in the customhooks.pm File

nas_info_loaded
    Called after loading the node information (from the database), but before the NetOp PM software uses the information. This hook is advanced and is not present in the sample-customhooks.pm file; for more information on its usage, consult your local Redback technical support team.

pre_startup_hook
    Called before the NetOp PM RADIUS server startup and restart.

post_startup_hook
    Called after NetOp PM RADIUS server startup and restart.

pre_shutdown_hook
    Called after receiving a SIGTERM, prior to the NetOp PM RADIUS server shutdown processing.

post_shutdown_hook
    Called after receiving a SIGTERM and after the NetOp PM RADIUS server shutdown processing, but prior to exiting.

pre_pre_client_hook
    Called before the NetOp PM behavior that decides how a packet is routed (for example, authenticated locally, authenticated externally, stored in the NetOp PM database, and so forth).

post_pre_client_hook
    Called after the NetOp PM behavior that decided how a packet is routed.

pre_pre_auth_hook
    Called before the NetOp PM behavior that processes a packet prior to it being authenticated.

post_pre_auth_hook
    Called after the NetOp PM behavior that processes a packet prior to it being authenticated.

pre_post_auth_hook
    Called before the NetOp PM behavior that processes a packet after it has been authenticated.

post_post_auth_hook
    Called after the NetOp PM behavior that processes a packet after it has been authenticated.

pre_radius_reply_hook
    Called before the NetOp PM behavior after a reply is received from the remote RADIUS server and before the reply is relayed back to the network access server (NAS).

post_radius_reply_hook
    Called after the NetOp PM behavior after a reply is received from the remote RADIUS server and before the reply is relayed back to the NAS.

pre_ldap_reply_hook
    Called before the NetOp PM behavior after the Lightweight Directory Access Protocol (LDAP) search results have been received and before the reply is relayed back to the NAS.

post_ldap_reply_hook
    Called after the NetOp PM behavior after the LDAP search results have been received and before the reply is relayed back to the NAS.

pre_ldap_post_processing_hook
    Called before the NetOp PM behavior for each request, after all authentication methods have been called and before the reply is relayed back to the NAS.

post_ldap_post_processing_hook
    Called after the NetOp PM behavior for each request, after all authentication methods have been called and before the reply is relayed back to the NAS.

flow_through_radius_attributes_loaded
    Called after loading the flow-through attributes from the database, but before the NetOp PM software uses the attributes.

proxy_configuration_loaded
    Called after loading the proxy configuration from the database that controls which packets the NetOp PM software forwards to external RADIUS servers, but before the NetOp PM software uses the configuration.

nas_software_version_loaded
    Called after loading the node software version from the database, but before the NetOp PM software uses the version number.

proxy_attribute_mappings_loaded
    Called after loading the attribute mapping details from the database, but before the NetOp PM software uses the rules.

session_circuit_type_hook
    Called if the NetOp PM system is unable to determine automatically the circuit type associated with a subscriber session.

In the following example, an external RADIUS server does not support accounting session IDs with more than 20 characters. To inter-operate with the external RADIUS server, the NetOp PM software must truncate the SmartEdge accounting session ID to 20 characters. To customize the accounting session ID, perform the following steps:

1. Copy the /usr/local/npm/radius/sample-customhooks.pm file to the /usr/local/npm/radius/customhooks.pm file.
2. Open the file in a text editor.
3. Choose the appropriate point in the processing of the RADIUS packet to modify the contents of the accounting session ID. The post_pre_auth_hook is a good point, since the NetOp PM behavior is still able to use the unmodified accounting session ID, but the RADIUS packet has not yet been sent to the external RADIUS server.
4. Add the following code to the file:

   sub post_pre_auth_hook {
       my $request = ${$_[0]};
       my $reply = ${$_[1]};
       my $acct_session_id = $request->get_attr('Acct-Session-Id');
       my $acct_session_id_len = length($acct_session_id);
       #
       # Truncate the accounting session id down to 20 characters so it can
       # be stored in the external server.
       #
       if ($acct_session_id_len > 20) {
           $acct_session_id = substr($acct_session_id, $acct_session_id_len - 20);
           $request->change_attr('Acct-Session-Id', $acct_session_id);
       }
   }

5. Save the file.
6. Shut down and restart the NetOp PM RADIUS server to incorporate the new code.


Customize EAP Hooks


This section describes the sample-customeaphooks.pm module that is provided with the NetOp PM software. The sample-customeaphooks.pm module allows you to introduce custom behavior during an EAP conversation between the NetOp PM RADIUS server and a wireless access point (AP).

Table 4-6 EAP Hooks Available in the sample-customeaphooks.pm Module

pre_pre_eap_client_hook
    Called before the NetOp PM behavior that decides how an EAP RADIUS request is routed; for example, authenticated locally, authenticated externally, or stored in the NetOp PM database.

post_pre_eap_client_hook
    Called after the NetOp PM behavior that decides how an EAP RADIUS request is routed.

pre_pre_eap_pre_handler_hook
    Called before the NetOp PM behavior for each EAP RADIUS request that is passed to an inner EAP tunneled handler.

post_pre_eap_pre_handler_hook
    Called after the NetOp PM behavior for each EAP RADIUS request that is passed to an inner EAP tunneled handler.

pre_eap_auth_hook
    Called before the NetOp PM behavior that processes an EAP packet before it is authenticated.

post_pre_eap_auth_hook
    Called after the NetOp PM behavior that processes an EAP RADIUS request before it is authenticated.

pre_post_eap_auth_hook
    Called before the NetOp PM behavior that processes an EAP RADIUS request after it has been authenticated.

post_post_eap_auth_hook
    Called after the NetOp PM behavior that processes an EAP RADIUS request after it has been authenticated.

pre_radius_reply_hook
    Called before the NetOp PM behavior after an EAP RADIUS reply is received from the remote EAP server and before the reply is relayed back to the access point (AP).

post_radius_reply_hook
    Called after the NetOp PM behavior after an EAP RADIUS reply is received from the remote EAP server and before the reply is relayed back to the AP.

In this example, a carrier wants to change the realm for subscribers accessing the NetOp PM system from a particular wireless AP. To customize the realm, perform the following steps:

1. Copy the /usr/local/npm/radius/sample-customeaphooks.pm file to the /usr/local/npm/radius/customeaphooks.pm file.
2. Open the file in a text editor.
3. Choose the appropriate point in the processing of the RADIUS packet to modify the contents of the NAS-Identifier attribute in the Access-Request. The sub pre_pre_eap_client_hook is a good point, since the NetOp PM behavior is still able to use the unmodified NAS-Identifier.
4. Add the following code to the file:

   sub pre_pre_eap_client_hook {
       my $request = ${$_[0]};
       my $code = $request->code;
       if ($code eq 'Access-Request') {
           my $nas_id = $request->get_attr('NAS-Identifier');
           if ($nas_id eq 'mycoffeeshop') {
               my $user_name = $request->get_attr('User-Name');
               #
               # Remove the current realm name, then append the new realm
               # (the '@' is written in single quotes so Perl does not
               # interpolate it as an array).
               #
               $user_name =~ s/^(.*?)\@.*$/$1/;
               my $new_user_name = $user_name . '@mycoffeeshop.com';
               $request->change_attr('User-Name', $new_user_name);
           }
       }
   }

5. Save the file.
6. Shut down and restart the NetOp PM RADIUS server to incorporate the new code.
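Because both of the hooks above (the Acct-Session-Id truncation in customhooks.pm and the realm rewrite in customeaphooks.pm) only take effect after a restart of the production RADIUS server, it is worth exercising them offline first. The following stand-alone Perl script is an added example, not part of the NetOp PM software or of the sample hook files: it substitutes a minimal FakeRequest object for the Radiator request, implementing only the three methods the hooks on this page use (code, get_attr, change_attr, with semantics assumed from their usage above), and calls each hook the way Radiator does, with references to the request and reply. The attribute values are constructed, and the "return unless defined" guards are additions so the hooks also tolerate packets that lack the attribute.

```perl
#!/usr/bin/perl
# Offline harness for customhooks.pm-style hooks (added example, not NetOp PM code).
# FakeRequest mimics only the request methods the hooks on this page use:
# code(), get_attr(), change_attr(). The real Radiator request class is not loaded.
use strict;
use warnings;

package FakeRequest;

sub new {
    my ($class, $code, %attrs) = @_;
    return bless { code => $code, attrs => {%attrs} }, $class;
}
sub code        { return $_[0]{code} }
sub get_attr    { my ($self, $name) = @_; return $self->{attrs}{$name} }
sub change_attr { my ($self, $name, $value) = @_; $self->{attrs}{$name} = $value; return }

package main;

# Hook 1: keep only the last 20 characters of Acct-Session-Id. Radiator passes
# references to the request and reply, so the request is reached via ${$_[0]}.
sub post_pre_auth_hook {
    my $request = ${$_[0]};
    my $reply   = ${$_[1]};
    my $id = $request->get_attr('Acct-Session-Id');
    return unless defined $id;    # attribute absent (e.g. on an Access-Request)
    if (length($id) > 20) {
        $request->change_attr('Acct-Session-Id', substr($id, length($id) - 20));
    }
}

# Hook 2: rewrite the realm for users arriving via NAS-Identifier 'mycoffeeshop'.
sub pre_pre_eap_client_hook {
    my $request = ${$_[0]};
    return unless $request->code eq 'Access-Request';
    my $nas_id = $request->get_attr('NAS-Identifier');
    return unless defined $nas_id && $nas_id eq 'mycoffeeshop';
    my $user = $request->get_attr('User-Name');
    return unless defined $user;
    $user =~ s/^(.*?)\@.*$/$1/;    # strip any existing realm
    $request->change_attr('User-Name', $user . '@mycoffeeshop.com');
}

# Call a hook the way Radiator does: pass \$request and \$reply.
sub run_hook {
    my ($hook, $request) = @_;
    my $reply = FakeRequest->new('Access-Accept');
    $hook->(\$request, \$reply);
    return $request;
}

# Constructed sample requests (not captured traffic): hook, request, attribute
# to inspect afterwards, expected value.
my @cases = (
    [ \&post_pre_auth_hook,
      FakeRequest->new('Accounting-Request', 'Acct-Session-Id' => '0123456789ABCDEF0123456789'),
      'Acct-Session-Id', '6789ABCDEF0123456789' ],
    [ \&post_pre_auth_hook,
      FakeRequest->new('Accounting-Request', 'Acct-Session-Id' => 'SHORTID'),
      'Acct-Session-Id', 'SHORTID' ],
    [ \&pre_pre_eap_client_hook,
      FakeRequest->new('Access-Request', 'NAS-Identifier' => 'mycoffeeshop',
                       'User-Name' => 'alice@old-realm.net'),
      'User-Name', 'alice@mycoffeeshop.com' ],
    [ \&pre_pre_eap_client_hook,
      FakeRequest->new('Access-Request', 'NAS-Identifier' => 'otherap',
                       'User-Name' => 'bob@isp.com'),
      'User-Name', 'bob@isp.com' ],
);

for my $c (@cases) {
    my ($hook, $req, $attr, $want) = @$c;
    my $got = run_hook($hook, $req)->get_attr($attr);
    printf "%-4s %s => %s\n", ($got eq $want ? 'ok' : 'FAIL'), $attr, $got;
}
```

Run it with perl from any directory; no Radiator installation is needed. The two negative cases (a session ID already within 20 characters, and an Access-Request from a different NAS-Identifier) confirm that each hook leaves packets it is not meant to change untouched, which is the property to verify before a hook is dropped into /usr/local/npm/radius and the server is restarted.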


Chapter 5

Configure External RADIUS and LDAP Servers


This chapter provides an overview of NetOp Policy Manager (PM) billing using Remote Authentication Dial-In User Service (RADIUS) and describes how to configure the external RADIUS servers for the NetOp PM system. It describes how to view the complete list of supported RADIUS attributes, and how to configure the NetOp PM RADIUS servers (including how to change the RADIUS authentication type and default settings), how to forward RADIUS requests to external RADIUS servers, and how to configure Extensible Authentication Protocol (EAP) authentication. It describes how to configure the NetOp PM system to query external LDAP servers and how to convert forwarded RADIUS or LDAP attributes to NetOp PM RADIUS attributes. It describes how to configure RADIUS attributes to flow through the NetOp PM system and how to change the algorithm used when forwarding. This chapter includes the following topics:

- Forward RADIUS Requests to External RADIUS Servers
- Authenticate Subscribers with an External LDAP Server
- Change the Algorithm Used When Forwarding
- Configure RADIUS Attributes to Flow Through the NetOp PM System
- Map External RADIUS or LDAP Attributes to NetOp PM RADIUS Attributes

For other RADIUS-related procedures, see the Configuring RADIUS document in the SmartEdge OS Library. For information on how to configure node communications with the NetOp PM RADIUS servers, see the RADIUS section on page 3-7.

Forward RADIUS Requests to External RADIUS Servers


You can configure communication with RADIUS servers external to the NetOp PM system. RADIUS requests are forwarded to different external RADIUS servers based on the realm specified in the subscriber username; that is, the realm with which the subscriber logs on determines what the NetOp PM RADIUS server does with RADIUS requests. To enable forwarding EAP authentication requests to external RADIUS servers, see Chapter 1, Installation Overview, and the Configure the RADIUS Server for EAP Authentication section on page 4-7.


Note

For details on querying external LDAP servers, see the Authenticate Subscribers with an External LDAP Server section on page 5-5.

The NetOp PM system can forward RADIUS requests for all supported circuit types; for the complete list of circuit and encapsulation types, see Appendix A, Subscriber Management Processes in the NetOp Policy Manager Product Overview. When forwarding RADIUS requests, the NetOp PM system attempts to simulate the Point-to-Point Protocol (PPP) model for all circuit types on SmartEdge routers. Note The NetOp PM software does not attempt to simulate the PPP model for Dynamic CLIPS on the SMS platform.

The NetOp PM system generates the RADIUS requests where the User-Name and User-Password attributes are populated with the subscriber account's name and password. The NetOp PM system mediates the RADIUS requests, and creates the illusion that all subscribers are using PPP clients, even though they may be using other circuit types. When sending Access-Requests to external RADIUS servers, the NetOp PM system simulates the PPP model by replacing the circuit name with the subscriber account name. This correlation between the circuit name and the subscriber account name is helpful to carriers whose RADIUS servers are PPP-based. For subscriber web logon, the Captive Portal service is hidden, and the system does not forward requests related to the Captive Portal service. This section includes the following topics:

- Configure RADIUS Servers External to the NetOp PM System
- Forward RADIUS Authentication Requests
- Forward RADIUS Accounting Requests

Note To change the algorithm used when forwarding RADIUS requests, see the Change the Algorithm Used When Forwarding section on page 5-7. To configure RADIUS attributes to flow through the NetOp PM system, see the Configure RADIUS Attributes to Flow Through the NetOp PM System section on page 5-7.

Configure RADIUS Servers External to the NetOp PM System


You can configure the NetOp PM system to communicate with external RADIUS servers, such as ISPs' or carriers' RADIUS servers. The NetOp PM system determines which external authentication or accounting server to use based on the realm attached to the subscriber's username. You can configure a particular realm to communicate with one or multiple external RADIUS servers. To configure an external RADIUS server, modify the values in the radius_proxy_server table of the NetOp PM database by performing the following steps:

1. To define an external RADIUS server for a particular realm, change the realm column in the radius_proxy_server table. For example, requests for the isp.com realm would be forwarded to the external RADIUS server of isp.com. If you want to use a single set of external RADIUS servers across all realms, then configure the realm default.
2. In the sequence column, type a number to specify the order in which the NetOp PM system attempts to communicate with the external RADIUS server.


3. In the host column, type the IP address or hostname of the machine running the external RADIUS server.

Note If you use a hostname, ensure that either it is configured in the /etc/hosts file or you have a centralized naming service configured such as Network Information System (NIS), Network Information System Plus (NIS+), LDAP, or Domain Name Server (DNS).

4. In the secret column, specify the shared secret, the authentication key that must be shared with the external RADIUS server.
5. In the auth_port column, type the authentication port number that will receive authentication requests sent to the external RADIUS server.
6. In the acct_port column, type the accounting port number that will receive accounting requests sent to the external RADIUS server.
7. Optional. Change the value in the retries column to configure the maximum number of retries, the number of retransmissions sent by the NetOp PM system if a RADIUS server sends no acknowledgment within the specified interval.
8. Optional. Change the value in the retry_timeout column to set the maximum amount of time the NetOp PM system is to wait for a response from a RADIUS server before assuming that either a packet is lost, or that the RADIUS server is unreachable (the default is 10 seconds).

Note Configure each of the external RADIUS servers specified to accept RADIUS requests from the IP address or hostname of the Solaris server on which the NetOp PM API servers and the NetOp PM RADIUS servers are running.
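The realm and sequence columns above decide which external servers a request reaches and in what order, with the default realm as the fallback. The following stand-alone Perl script is an added illustration of that selection logic, not code from the NetOp PM software (which reads these rows from its database): it models a few constructed radius_proxy_server rows in memory, resolves the ordered server list for a username, and runs the sanity checks a practitioner would apply before loading rows. Column names follow the steps above; the hosts, secrets and usernames are constructed, and the CHANGE-ME secrets are deliberate placeholders that the check flags.

```perl
#!/usr/bin/perl
# Added example: resolve external RADIUS servers by realm, modelling the
# radius_proxy_server columns described above. Not NetOp PM code; rows are constructed.
use strict;
use warnings;

# Constructed rows, one per external server. Secrets are placeholders on purpose.
my @radius_proxy_server = (
    { realm => 'isp.com', sequence => 2, host => 'radius2.isp.example', secret => 'CHANGE-ME-2',
      auth_port => 1812, acct_port => 1813, retries => 3, retry_timeout => 10 },
    { realm => 'isp.com', sequence => 1, host => 'radius1.isp.example', secret => 'CHANGE-ME-1',
      auth_port => 1812, acct_port => 1813, retries => 3, retry_timeout => 10 },
    { realm => 'default', sequence => 1, host => '192.0.2.10',          secret => 'CHANGE-ME-D',
      auth_port => 1812, acct_port => 1813, retries => 3, retry_timeout => 10 },
);

# The realm is the part of the username after the last '@'; undef if there is none.
sub realm_of {
    my ($username) = @_;
    return $username =~ /\@([^@]+)$/ ? $1 : undef;
}

# Rows for the username's realm ordered by sequence; fall back to the
# 'default' realm when no realm-specific row exists (or the name has no realm).
sub servers_for {
    my ($username, $rows) = @_;
    my $realm = realm_of($username);
    my @match = defined $realm ? grep { $_->{realm} eq $realm } @$rows : ();
    @match = grep { $_->{realm} eq 'default' } @$rows unless @match;
    return [ sort { $a->{sequence} <=> $b->{sequence} } @match ];
}

# Checks worth running on each row before it is loaded into the table.
sub validate_row {
    my ($r) = @_;
    my @problems;
    push @problems, 'empty secret'              unless length($r->{secret} // '');
    push @problems, 'placeholder secret'        if ($r->{secret} // '') =~ /^CHANGE-ME/;
    push @problems, 'auth_port equals acct_port' if $r->{auth_port} == $r->{acct_port};
    push @problems, 'retries must be >= 0'      unless $r->{retries} >= 0;
    push @problems, 'retry_timeout must be > 0' unless $r->{retry_timeout} > 0;
    return \@problems;
}

# Constructed usernames: a known realm, an unknown realm, and no realm at all.
for my $name ('alice@isp.com', 'bob@unknown.net', 'carol') {
    my $servers = servers_for($name, \@radius_proxy_server);
    print "$name -> ", join(', ', map { "$_->{host} (seq $_->{sequence})" } @$servers), "\n";
}
for my $r (@radius_proxy_server) {
    my $p = validate_row($r);
    print "$r->{realm}/$r->{host}: ", (@$p ? join('; ', @$p) : 'ok'), "\n";
}
```

For alice@isp.com the script lists radius1.isp.example before radius2.isp.example, because ordering follows the sequence column rather than row order; bob@unknown.net and carol both land on the default-realm server. Every row is reported with "placeholder secret" because the constructed secrets are placeholders; a real row passes once a proper shared secret is set.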

Forward RADIUS Authentication Requests


You can configure the NetOp PM API server and the NetOp PM RADIUS server to use one or multiple external RADIUS servers for RADIUS authentication, instead of local authentication through the NetOp PM system. The NetOp PM system provides per-realm control of RADIUS request forwarding; that is, you can specify the realm for which RADIUS authentication requests are forwarded. You can specify whether an authentication for a logon or service change should be forwarded. To forward RADIUS authentication requests to a RADIUS server external to the NetOp PM system, make the following changes to the NetOp PM database:

1. Change the following columns in the proxy_config table:
   a. Optional. To forward RADIUS authentication requests for a particular realm, change the realm column. If you do not specify the realm associated with this proxy configuration, the realm is set to default and RADIUS authentication requests are distributed across all realms and are not limited to a specific realm.
   b. Ensure that the access_request_proxy_type is RADIUS.


   c. Change the value in the proxy_login_access_request column to Y to indicate that an authentication for a logon should be forwarded. If you change the value to Y, the NetOp PM RADIUS server forwards Access-Requests to a RADIUS server external to the NetOp PM system, instead of authenticating them with the NetOp PM system. Also, the NetOp PM API server forwards all web logon authentication to the external RADIUS server.
   d. Change the value in the proxy_srvc_chng_access_request column to Y to indicate that an authentication for a service change should be forwarded. If you change the value to Y, the NetOp PM API server or the NetOp PM RADIUS server forwards access requests for a service change to a RADIUS server external to the NetOp PM system.
   e. Optional. Change the value in the double_access_suppression column to N to disable the suppression of a second Access-Request from the NetOp PM system to the external RADIUS server when a subscriber logs on through the web portal. Double Access-Request suppression must be disabled to allow flow-through attributes in the NetOp PM system; for more information, see the Configure RADIUS Attributes to Flow Through the NetOp PM System section on page 5-7.
2. Modify the radius_proxy_server table in the NetOp PM database; for details, see the Configure RADIUS Servers External to the NetOp PM System section on page 5-2.

Note Access-Request requests associated with Captive Portal sessions are not forwarded to external RADIUS servers regardless of the settings in the proxy_config table.

Forward RADIUS Accounting Requests


You can configure the NetOp PM RADIUS server to forward all or individual RADIUS accounting requests to a RADIUS accounting server external to the NetOp PM system. The NetOp PM system provides per-realm control of RADIUS request forwarding and storage; that is, you can specify the realm for which RADIUS accounting requests are forwarded and then configure the system so that forwarded accounting requests are not stored locally in the NetOp PM database. For example, you can configure the forwarding of specific RADIUS requests, such as Accounting-Start, Accounting-Stop, or Accounting-Alive, to one or multiple external RADIUS servers for a specific realm, and also specify whether the records are stored locally in the NetOp PM database. To forward RADIUS accounting requests to a RADIUS server external to the NetOp PM system, perform the following steps:

1. Make the following changes to the proxy_config table of the NetOp PM database:
   a. Specify the realm for which RADIUS accounting requests are forwarded. If you do not specify a realm, the realm is set to default and this proxy configuration is applied across all realms, and it is not limited to a specific realm.
   b. Ensure that the access_request_proxy_type value is RADIUS.
   c. Change the proxy_accounting values to specify exactly which RADIUS requests are forwarded to the external RADIUS server. By default, RADIUS requests are not forwarded.
   d. Optional. In the proxy_config table, change the store_accounting values to specify exactly which accounting records are stored locally in the NetOp PM database. By default, RADIUS requests are stored in the NetOp PM database.

Note

Accounting requests associated with Invalid Redirected sessions are not forwarded to external RADIUS servers regardless of the settings in the proxy_config table. For example, requests such as an Acct-Start request associated with a PPP session that is not yet logged in or an Acct-Stop request sent for bringing down a CLIPS session that is not yet logged in are not forwarded.

2. Modify the radius_proxy_server table in the NetOp PM database; for details, see the Configure RADIUS Servers External to the NetOp PM System section on page 5-2.

Authenticate Subscribers with an External LDAP Server


You can configure the NetOp PM system to query an external LDAP server. The NetOp PM system then determines which external LDAP server to use based on the realm attached to the subscriber's username. You can configure a realm to communicate with one or multiple external LDAP servers. The NetOp PM system can query LDAP servers for all supported circuit types; for the complete list of circuit and encapsulation types, see Table 3-14 on page 3-20.

Note When the NetOp PM system is configured to query an external LDAP server, do not configure the node with the bind authentication chap command; the subscriber logon attempt will fail, even if the username and password are correct. For more information, see Chapter 2, Troubleshoot the NetOp PM System in the NetOp Policy Manager Troubleshooting Guide.

This section includes the following topics:

- Configure External LDAP Servers
- Query External LDAP Servers

Configure External LDAP Servers


You can configure the NetOp PM system to query an external LDAP server. The NetOp PM system then determines which external LDAP server to use based on the realm attached to the subscriber's username. You can configure a particular realm to query one or multiple external LDAP servers. If you do not specify a realm for an external LDAP server, the realm is set to default and the server is used across all realms that are configured to authenticate subscribers using an external LDAP server. If you specify a realm for an external LDAP server, then the server is used only for the specified realm. To configure an external LDAP server, modify the values in the ldap_proxy_server table of the NetOp PM database by performing the following steps:

1. Define an external LDAP server for a particular realm by changing the realm column in the ldap_proxy_server table. If you do not specify the realm associated with this external LDAP server, this external LDAP server can be used by all realms, and is not limited to a specific realm.
2. In the sequence column, type a number to specify the order in which the NetOp PM system will attempt to communicate with the external LDAP server.
3. In the host column, type the IP address or hostname of the machine running the external LDAP server.

Configure External RADIUS and LDAP Servers

5-5

Authenticate Subscribers with an External LDAP Server

Note

If you use a hostname, ensure that either it is configured in the /etc/hosts file or you have a centralized naming service configured such as NIS, NIS+, LDAP, or DNS.

4. In the auth_port column, change the port number on which the external LDAP server is listening for bind requests. 5. In the base_dn column, enter the base distinguished name (DN) where searches are initiated. 6. In the username_attr column, enter the name of the LDAP attribute that contains the subscriber username. 7. Change the value in the retries column to configure the maximum number of retriesthe number of additional attempts the NetOp PM system makes to connect to the LDAP server. 8. Change the value in the retry_timeout column to set the maximum amount of time the NetOp PM system is to wait for a response from an LDAP server before assuming that the LDAP server is unreachable (the default is 10 seconds).

Query External LDAP Servers


You can configure the NetOp PM API server and the NetOp PM RADIUS server to use one or multiple external LDAP servers for LDAP authentication, instead of local authentication. The NetOp PM system provides per-realm control of LDAP server queries. You can specify whether the NetOp PM system sends a query when an authentication for a logon or service change is received.

To configure the NetOp PM system to query an external LDAP server, make the following changes to the NetOp PM database:

1. Change the following columns in the proxy_config table:

a. Configure a particular realm to query an external LDAP server by changing the realm column.

Note

If you do not specify the realm associated with this configuration, all realms use LDAP to authenticate all access requests.

b. Change the access_request_proxy_type value to LDAP.

c. Change the value in the proxy_login_access_request column to Y to indicate that a query should be performed when an authentication for a logon is received. If you change the value to Y, the NetOp PM RADIUS server queries the external LDAP server instead of authenticating with the local NetOp PM database. Also, the NetOp PM API server queries an external LDAP server for all web logon authentications.

d. Change the value in the proxy_srvc_chng_access_request column to Y to indicate that a query should be performed when an authentication for a service change is received. If you change the value to Y, the NetOp PM API server or the NetOp PM RADIUS server queries an external LDAP server when a service change is requested.

e. To forward accounting requests to an external RADIUS server, change all proxy_accounting_* fields to Y and define a RADIUS server for the specified realm; see the Configure RADIUS Servers External to the NetOp PM System section on page 5-2. If the proxy_accounting_* fields are set to N, no accounting requests are forwarded.

2. Modify the ldap_proxy_server table in the NetOp PM database; see the Configure External LDAP Servers section on page 5-5.

Change the Algorithm Used When Forwarding


Note

For the purposes of this section, and for LDAP requests only, proxying refers to the NetOp PM system querying an external LDAP server; for RADIUS requests only, proxying (or forwarding) refers to the NetOp PM system forwarding RADIUS requests to an external RADIUS server.

You can configure the algorithm that the NetOp PM API server and the NetOp PM RADIUS servers use for distributing RADIUS or LDAP requests to external RADIUS servers or external LDAP servers. The NetOp PM software supports two algorithms when proxying:
- Strict priority (the default value for both the NetOp PM API server and the NetOp PM RADIUS server). Requests are always sent first to the specified RADIUS or LDAP server; if the request fails, it is sent to the next server after that, and so on.
- Round-robin priority. Requests are sent to the next RADIUS or LDAP server following the one to which the last request was sent. If the NetOp PM software receives no response from that server, it sends the request to the next server after that, and so on. Using this algorithm, the NetOp PM RADIUS server is able to distribute RADIUS or LDAP requests across all of the external RADIUS or LDAP servers specified for each realm.

To change the algorithm used when proxying, change the following columns in the proxy_config table of the NetOp PM database:

1. In the realm column, specify the realm associated with this algorithm configuration (algorithms are configured per realm). The NetOp PM RADIUS server and NetOp PM API server use the @realm construct to determine to which set of external servers they should forward requests.

2. Change the value in the proxy_algorithm column to either round_robin or first.
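The following Python is an added example (not NetOp PM code) that models how the ldap_proxy_server rows of the Configure External LDAP Servers section and the proxy_algorithm column of this section combine into an attempt order: strict priority ("first") always restarts at the lowest sequence, while "round_robin" starts after the server that received the last request, and each server gets 1 + retries attempts before the next one is tried. The rows, hostnames and the try_bind stand-in are constructed; the merging of "default" rows with realm-specific rows is this example's assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class LdapProxyServer:
    """One row of the ldap_proxy_server table; field names follow the guide's columns."""
    realm: str
    sequence: int            # order in which the NetOp PM system tries the servers
    host: str
    auth_port: int = 389
    base_dn: str = ""
    username_attr: str = "uid"
    retries: int = 0         # additional connection attempts after the first one
    retry_timeout: int = 10  # seconds to wait before treating the server as unreachable


# Constructed sample rows (not from a real deployment). Rows in realm "default" are
# usable by every realm; a row with a specific realm serves only that realm.
LDAP_PROXY_SERVERS: List[LdapProxyServer] = [
    LdapProxyServer("default", 1, "ldap1.example.net", base_dn="dc=example,dc=net", retries=1),
    LdapProxyServer("default", 2, "ldap2.example.net", base_dn="dc=example,dc=net", retries=1),
    LdapProxyServer("isp-a.net", 1, "ldap.isp-a.net", base_dn="dc=isp-a,dc=net"),
]


def servers_for_realm(realm: str,
                      rows: List[LdapProxyServer] = LDAP_PROXY_SERVERS) -> List[LdapProxyServer]:
    """Servers usable for the realm, ordered by sequence.

    Assumption of this example: realm-specific rows and "default" rows are merged, and a
    realm-specific row is tried before a default row carrying the same sequence number."""
    usable = [r for r in rows if r.realm in (realm, "default")]
    return sorted(usable, key=lambda r: (r.sequence, r.realm != realm))


class LdapProxyDispatcher:
    """Picks the attempt order per realm from proxy_config.proxy_algorithm ("first" for
    strict priority, the default, or "round_robin") and walks it with per-server retries."""

    def __init__(self, proxy_algorithm: Dict[str, str],
                 rows: List[LdapProxyServer] = LDAP_PROXY_SERVERS):
        self.proxy_algorithm = proxy_algorithm   # realm -> "first" | "round_robin"
        self.rows = rows
        self._last_tried: Dict[str, int] = {}    # realm -> index of the server that got the last request

    def algorithm(self, realm: str) -> str:
        return self.proxy_algorithm.get(realm, self.proxy_algorithm.get("default", "first"))

    def attempt_order(self, realm: str) -> List[LdapProxyServer]:
        servers = servers_for_realm(realm, self.rows)
        if servers and self.algorithm(realm) == "round_robin":
            # start at the server following the one that received the last request
            start = (self._last_tried.get(realm, -1) + 1) % len(servers)
            servers = servers[start:] + servers[:start]
        return servers

    def bind(self, realm: str, try_bind: Callable[[LdapProxyServer], bool]) -> Optional[str]:
        """try_bind(server) stands in for the network bind and returns True when the server
        answered within retry_timeout. Returns the answering host, or None if all failed."""
        base = servers_for_realm(realm, self.rows)
        for server in self.attempt_order(realm):
            self._last_tried[realm] = base.index(server)
            for _attempt in range(1 + server.retries):
                if try_bind(server):
                    return server.host
            # every attempt timed out: fall through to the next server in the order
        return None
```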

Configure RADIUS Attributes to Flow Through the NetOp PM System


This section describes how to configure RADIUS attributes to flow through the NetOp PM system in the following topics:
- RADIUS Attribute Flow-Through Overview
- Add RADIUS Attributes to Flow Through the NetOp PM System
- Configure the RB-NPM-Service-Id Attribute to Flow Through the NetOp PM System
- Configure the Framed-IP-Address Attribute to Flow Through the NetOp PM System

RADIUS Attribute Flow-Through Overview


For each realm, you can configure the NetOp PM system to copy one or more RADIUS attributes in an ISP's Access-Accept packet, and send them to the SmartEdge routers. This ability to configure the attributes that are permitted to flow through the NetOp PM system enables wholesale carriers to control their business agreements with ISPs by controlling the information that an ISP can change.

Note

Double Access-Request suppression must be disabled to use flow-through attributes for subscriber web logon or change of services. To disable the suppression of double Access-Requests, ensure that the double_access_suppression column in the proxy_config table is set to N.

Note

External RADIUS and LDAP attributes that are mapped are automatically permitted to pass to the node. For more information, see the Map External RADIUS or LDAP Attributes to NetOp PM RADIUS Attributes section on page 5-11.

Note

Configure every RADIUS attribute that you want to pass to the node in the radius_proxy_attributes table for a specific realm; for procedures, see the Add RADIUS Attributes to Flow Through the NetOp PM System section on page 5-9. By default, with no entries in the radius_proxy_attributes table for a specific realm, the NetOp PM system does not forward RADIUS attributes received from the external RADIUS server.

For example, an external authentication server might return the RB-NPM-Service-Id attribute in its response to a forwarded authentication request. If this VSA is in an authentication response, it is used by the ISP to inform the NetOp PM system what service to apply to a subscriber's circuit. The NetOp PM system removes this attribute from the Access-Accept packet and inserts the appropriate attributes for the specified service. This enables a wholesale carrier to control the service offerings permitted for each ISP, and it gives ISPs the flexibility to specify the services they want.

When an ISP's external RADIUS server returns an instance of the RB-NPM-Service-Id attribute in the Access-Accept packet, each instance represents a service ID in the wholesale carrier's NetOp PM system. Because the wholesale carrier has complete control over the definitions of service offerings in the NetOp PM system, the carrier can configure which service offerings a specific ISP can apply to subscriber sessions, and which RADIUS attributes are required to implement that service offering on the node types and circuit types supported by the carrier. The service offerings are realm-based, so if an ISP attempts to return an RB-NPM-Service-Id value that has not been enabled for its realm, the service ID is not applied to the subscriber session. If an ISP returns one or more RB-NPM-Service-Id values that have been enabled for its realm, the NetOp PM system merges all the RADIUS attributes associated with each of the service offerings before returning the dynamically constructed list of RADIUS attributes in the Access-Accept packet to the SmartEdge router. If no service ID attribute is returned in an authentication response, the NetOp PM system applies the realm's default service to the subscriber's circuit.

For more details on how the NetOp PM system handles the RB-NPM-Service-Id attribute, see the Configure the RB-NPM-Service-Id Attribute to Flow Through the NetOp PM System section on page 5-10.


In addition to (or instead of) the service ID, the external authentication server might return individual parameters (policy attributes) to be applied to the subscriber's circuit; for example, an access control list (ACL) or filter that the ISP sends to the NetOp PM system, and that the NetOp PM system then sends to the node. Another example is that the ISP might send the Framed-IP-Address attribute in a response so that the ISP can be responsible for controlling IP addresses. For more details on how the NetOp PM system handles the Framed-IP-Address attribute, see the Configure the Framed-IP-Address Attribute to Flow Through the NetOp PM System section on page 5-10.

The flow-through RADIUS attribute capability is available in the EAP authentication scenarios for wireless clients. By default, the State and Class attributes are added for all flow-through requests. For EAP conversations, the NetOp PM system also flows through the EAP-Message, Message-Authenticator, and Microsoft vendor-specific attributes.

Add RADIUS Attributes to Flow Through the NetOp PM System


Every RADIUS attribute that you want to pass to the node must be configured in the radius_proxy_attributes table for a specific realm. By default, if there is no entry for a RADIUS attribute for a specific realm in the radius_proxy_attributes table, the NetOp PM system does not forward that RADIUS attribute received from the external RADIUS server.

Note

The NetOp PM system does not validate that the node can actually support the RADIUS attribute received from the ISP.

For the list of supported attributes, see the View the List of Supported RADIUS Attributes section on page 4-7. For more information on wholesale and retail services, and the default service by realm, see Chapter 3, Services, in the NetOp Policy Manager Product Overview.

To add RADIUS attributes to flow through the NetOp PM system to the node using the radius_proxy_attributes table of the NetOp PM database, change the following columns in the table:

1. In the realm column, specify the realm associated with the RADIUS attribute. Using the realm default defines that the attributes should flow through the NetOp PM system when no subscriber realm is specified. When forwarding EAP authentications, add the prefix eap_ to the realm name to define the realm for which the RADIUS attribute should flow through the NetOp PM system during the EAP conversation. Or, use the eap_default realm when the RADIUS attribute should flow through the NetOp PM system when no subscriber realm is specified in the EAP conversation.

2. In the radius_attribute_name column, specify the name of the RADIUS attribute that is permitted to flow through the NetOp PM system.

3. Repeat for each attribute that is permitted to flow through the NetOp PM system.


Configure the RB-NPM-Service-Id Attribute to Flow Through the NetOp PM System


If you configure the RB-NPM-Service-Id RADIUS attribute to flow through the NetOp PM system, one of the following scenarios applies:
- If the subscriber account has a retail service, and the external RADIUS server responds with a retail service, the NetOp PM system removes the previous retail service from the subscriber account and adds the retail service received from the external RADIUS server. For example, if an account subscribes to the Retail-A service, and the external RADIUS server responds with the Retail-B service, the NetOp PM system updates the account's subscriptions to include only the Retail-B service. Also, if an account subscribes to the Retail-A service, and the external RADIUS server does not respond with any value for the RB-NPM-Service-Id RADIUS attribute, the NetOp PM system deletes the Retail-A service from the account.
- If no service exists for an account, and the external RADIUS server does not respond with a service, the NetOp PM system automatically adds a default service subscription to the account.
- If an account subscribes to multiple services, the NetOp PM system uses the priority setting of the services to determine which service to apply first.

Configure the Framed-IP-Address Attribute to Flow Through the NetOp PM System


The Framed-IP-Address attribute is populated in one of the following ways:
- If the NetOp PM system has been configured with a static IP address, then this IP address is passed to the node.
- If no static IP address is configured in the NetOp PM system and you configured the Framed-IP-Address attribute to flow through the NetOp PM system, when the external RADIUS server returns the Framed-IP-Address attribute, the NetOp PM system forwards it to the node.
- If no static IP address is configured in the NetOp PM system and you did not configure the Framed-IP-Address attribute to flow through the NetOp PM system, the NetOp PM system asks the node to dynamically allocate an IP address to the subscriber session.

For example, suppose you configure the Framed-IP-Address attribute to flow through the NetOp PM system, and the external RADIUS server returns the Framed-IP-Address attribute with a value of 210.22.33.11. If the NetOp PM system has a static IP address of 10.192.45.23, the NetOp PM system sends 10.192.45.23 to the node. However, if no static IP address is configured, the NetOp PM system sends 210.22.33.11 to the node.
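The Python below is an added example (not NetOp PM code) covering the flow-through overview, the RB-NPM-Service-Id scenarios and the Framed-IP-Address precedence above: it filters an ISP's Access-Accept through a per-realm radius_proxy_attributes allow-list, keeps only service IDs enabled for the realm (falling back to the realm default), merges the applied services' attributes in priority order, and then resolves Framed-IP-Address. The allow-list rows, the service catalogue, the ISP packets and the "MS-" prefix used to recognise Microsoft VSAs are constructed; keeping the first-applied service's value when two services carry the same attribute name is this example's assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Attr = Tuple[str, str]   # (RADIUS attribute name, value)

# radius_proxy_attributes rows (constructed): realm -> attribute names allowed to flow through.
# "default" is used when the subscriber has no realm; eap_-prefixed realms cover EAP conversations.
RADIUS_PROXY_ATTRIBUTES: Dict[str, Set[str]] = {
    "isp-a.net": {"RB-NPM-Service-Id", "Framed-IP-Address", "Session-Timeout"},
    "eap_isp-a.net": {"RB-NPM-Service-Id"},
    "default": set(),   # no rows: nothing received from the external server is forwarded
}


@dataclass(frozen=True)
class Service:
    """A service offering defined by the wholesale carrier in the NetOp PM system."""
    attributes: Tuple[Attr, ...]   # RADIUS attributes that implement the service on the node
    enabled_realms: frozenset      # realms (ISPs) allowed to return this service ID
    priority: int                  # lower number is applied first when several services apply


SERVICES: Dict[str, Service] = {   # constructed catalogue
    "Gold": Service((("RB-Rate-Limit-Rate", "20000000"),), frozenset({"isp-a.net"}), 1),
    "URLFiltering": Service((("Filter-Id", "urlfilter-in"),), frozenset({"isp-a.net"}), 2),
    "Platinum": Service((("RB-Rate-Limit-Rate", "50000000"),), frozenset({"isp-b.net"}), 1),
    "Basic": Service((("RB-Rate-Limit-Rate", "2000000"),), frozenset({"isp-a.net", "default"}), 9),
}
DEFAULT_SERVICE: Dict[str, str] = {"isp-a.net": "Basic", "default": "Basic"}

EAP_FLOW_THROUGH = {"EAP-Message", "Message-Authenticator"}   # Microsoft VSAs are modelled as "MS-*"


def build_access_accept(isp_attrs: List[Attr], realm: Optional[str],
                        static_ip: Optional[str] = None,
                        eap: bool = False) -> Tuple[List[Attr], List[str]]:
    """Returns (attributes sent to the SmartEdge router, service IDs applied to the session)."""
    realm_key = realm or "default"
    allowed = RADIUS_PROXY_ATTRIBUTES.get(("eap_" if eap else "") + realm_key, set())
    service_ids: List[str] = []
    passthrough: List[Attr] = []
    for name, value in isp_attrs:
        if name in ("State", "Class"):
            passthrough.append((name, value))          # added for all flow-through requests
        elif eap and (name in EAP_FLOW_THROUGH or name.startswith("MS-")):
            passthrough.append((name, value))          # always flowed through for EAP
        elif name == "RB-NPM-Service-Id" and name in allowed:
            service_ids.append(value)                  # consumed here, never sent to the node
        elif name in allowed:
            passthrough.append((name, value))
        # anything else is dropped: the carrier has not permitted it for this realm

    # Only service IDs enabled for the ISP's realm count; otherwise the realm default applies.
    applied = [s for s in service_ids if s in SERVICES and realm_key in SERVICES[s].enabled_realms]
    if not applied:
        applied = [DEFAULT_SERVICE[realm_key]]
    applied.sort(key=lambda s: SERVICES[s].priority)

    # Merge the attributes of every applied service; the service applied first keeps a
    # contested attribute name (assumption of this example).
    merged: Dict[str, str] = {}
    for sid in applied:
        for name, value in SERVICES[sid].attributes:
            merged.setdefault(name, value)

    out = [(n, v) for n, v in passthrough if n != "Framed-IP-Address"] + list(merged.items())

    # Framed-IP-Address precedence: a static address in the NetOp PM system wins, then the
    # ISP's flowed-through value; with neither, the node allocates an address dynamically.
    isp_ip = next((v for n, v in passthrough if n == "Framed-IP-Address"), None)
    if static_ip is not None:
        out.append(("Framed-IP-Address", static_ip))
    elif isp_ip is not None:
        out.append(("Framed-IP-Address", isp_ip))
    return out, applied
```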


Map External RADIUS or LDAP Attributes to NetOp PM RADIUS Attributes


If the external RADIUS server returns an Access-Accept packet containing RADIUS attributes, or an external LDAP server returns a record containing LDAP attributes, the NetOp PM software uses rules defined in the NetOp PM system to map the attributes to NetOp PM RADIUS attributes. Rules are defined per realm, so a single external attribute can be mapped differently for several different realms. Using the realm default for a rule defines that the rule should be applied when no subscriber realm is specified. When forwarding EAP authentications, add the prefix eap_ to the realm name to define realm-specific rules for the EAP conversation, or use the eap_default realm in cases when the rule should be applied but no subscriber realm is specified in the EAP conversation.

When an attribute matching the from_attribute_name field of the proxy_attribute_mapping table is present in the response, the NetOp PM system maps the attribute name and value (from_attribute_name and from_attribute_value) to the corresponding NetOp PM RADIUS attribute name and value (to_attribute_name and to_attribute_value) defined in the rule.

You can configure the priority of a mapping rule. By configuring a mapping rule with a higher priority, you instruct the NetOp PM system to apply that rule in the event that an external attribute matches two or more rules. Only the higher-priority rule is applied; lower-priority rules are ignored. A higher number (99, for example) assigns a lower priority; a lower number (0, for example) assigns a higher priority. When more than one mapping rule with overlapping attributes has the same priority, the NetOp PM system applies only the rule created earliest; no error checking is performed.

The following examples display the types of rules you can define:
- Map an External Attribute Name and Value
- Map an External Attribute Name with Any Value
- Map Any External Attribute Name and Value
- Rename an External Attribute

Map an External Attribute Name and Value


The most common form of mapping is to convert a specific attribute name and value into a particular NetOp PM Service ID. In the attribute mapping rule defined in Table 5-1, when the NetOp PM system receives a response from an external authentication server containing the Tunnel-Type attribute with a value of Layer 2 Tunneling Protocol (L2TP), the NetOp PM system applies the properties of the URLFiltering service ID to the subscriber session.
Table 5-1  Example of an Attribute Name and Value Mapping Rule

#  | from_attribute_name | from_attribute_value | to_attribute_name | to_attribute_value
1  | Tunnel-Type         | 0:L2TP               | RB-NPM-Service-Id | URLFiltering

Map an External Attribute Name with Any Value


The next most common form of mapping is to convert a specific attribute name regardless of its value into a particular NetOp PM Service ID.


To map an attribute for which any value is received, create a rule where the from_attribute_name is defined (not NULL), but the from_attribute_value is NULL. This NULL value is treated like a wildcard and matches any external attribute value. Based on the rule defined in Table 5-2, for example, when a response arrives with new-attribute as the attribute, the attribute is mapped to RB-NPM-Service-Id Secure.
Table 5-2  Example of an Attribute Name with Any Value Mapping Rule

priority | from_attribute_name | from_attribute_value | to_attribute_name | to_attribute_value
2        | new-attribute       | NULL                 | RB-NPM-Service-Id | Secure

Map Any External Attribute Name and Value


Attributes for which no mapping rule is defined are not able to pass through the NetOp PM system to the node, so it may be preferable to define a rule that maps any attribute and value to a default NetOp PM RADIUS attribute. In this case, we recommend that you define a lower-priority default rule where the from_attribute_name field is NULL. The NULL name is treated like a wildcard and matches any external attribute name. This rule is used when no other rules defined in the proxy_attribute_mapping table match the attribute received from the external authentication server. Table 5-3 defines an example of a rule that translates any received attribute to a NetOp PM attribute.
Table 5-3  Example of Any Attribute Name and Value Mapping Rule

priority | from_attribute_name | from_attribute_value | to_attribute_name | to_attribute_value
9        | NULL                | NULL                 | RB-NPM-Service-Id | Basic

Note

When defining a wildcard for the attribute name, a wildcard for the attribute value is assumed.

If the NetOp PM system receives a response with the xyz attribute name and the abc attribute value, and only the rules present in Table 5-1 and Table 5-3 are defined, the NetOp PM system applies the rule defined in Table 5-3, mapping the xyz attribute name to the Basic service offering.

Note

If the Access-Accept packet contains both attributes Tunnel-Type=L2TP and xyz=abc, only the rule defined in Table 5-1 would be applied because it has a higher priority; the rule defined in Table 5-3 would be ignored.

Rename an External Attribute


On rare occasions, you may need to rename an external attribute to an attribute supported by the device on which the session is authenticated. This form of mapping is generally device-specific and circuit-specific. To rename an attribute received without changing the attribute value, create a rule for the attribute name in which both from_attribute_value and to_attribute_value values are defined as NULL. These NULL values are treated like wildcards and match any external attribute values. Because the to_attribute_value is also defined as a wildcard, the value remains unchanged. Using the rule defined in Table 5-4, when the Port-Limit attribute is received in the response, the attribute is renamed to RB-Rate-Limit-Rate.


Table 5-4  Example of Renaming an Attribute

priority | from_attribute_name | from_attribute_value | to_attribute_name  | to_attribute_value
10       | Port-Limit          | NULL                 | RB-Rate-Limit-Rate | NULL
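The Python below is an added example (not NetOp PM code) that applies the four rules of Tables 5-1 to 5-4 with the semantics described in this section: a NULL from_attribute_name matches any name (and then any value), a NULL from_attribute_value matches any value, a NULL to_attribute_value keeps the received value, a lower priority number wins, and the earliest-created rule breaks a tie. The realm handling, the constructed packets and the "created" column are this example's own; so is the reading that two matches producing the same NetOp PM attribute are resolved by priority, which reproduces the note about Tunnel-Type=L2TP winning over xyz=abc.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Attr = Tuple[str, str]   # (attribute name, attribute value) as received from the external server


@dataclass(frozen=True)
class MappingRule:
    """One row of proxy_attribute_mapping. A NULL column is modelled as None."""
    realm: str
    priority: int                        # lower number = higher priority
    from_attribute_name: Optional[str]   # None matches any attribute name (and then any value)
    from_attribute_value: Optional[str]  # None matches any value
    to_attribute_name: str
    to_attribute_value: Optional[str]    # None keeps the received value (rename only)
    created: int                         # insertion order; the earliest row wins a priority tie

    def matches(self, name: str, value: str) -> bool:
        if self.from_attribute_name is None:
            return True  # wildcard name implies a wildcard value
        if self.from_attribute_name != name:
            return False
        return self.from_attribute_value in (None, value)


# The four rules from Tables 5-1 to 5-4, all placed in the default realm.
RULES: List[MappingRule] = [
    MappingRule("default", 1, "Tunnel-Type", "0:L2TP", "RB-NPM-Service-Id", "URLFiltering", created=1),
    MappingRule("default", 2, "new-attribute", None, "RB-NPM-Service-Id", "Secure", created=2),
    MappingRule("default", 9, None, None, "RB-NPM-Service-Id", "Basic", created=3),
    MappingRule("default", 10, "Port-Limit", None, "RB-Rate-Limit-Rate", None, created=4),
]


def rules_for_realm(realm: Optional[str], eap: bool, rules: List[MappingRule]) -> List[MappingRule]:
    """"default" applies when no subscriber realm is given; EAP conversations use eap_-prefixed realms."""
    key = ("eap_" if eap else "") + (realm or "default")
    return [r for r in rules if r.realm == key]


def map_attributes(received: List[Attr], realm: Optional[str] = None, eap: bool = False,
                   rules: List[MappingRule] = RULES) -> Dict[str, str]:
    """Returns the NetOp PM attributes produced by the highest-priority matching rules."""
    matches = []   # (priority, created, index of the received attribute, rule)
    for idx, (name, value) in enumerate(received):
        for rule in rules_for_realm(realm, eap, rules):
            if rule.matches(name, value):
                matches.append((rule.priority, rule.created, idx, rule))
    matches.sort(key=lambda m: (m[0], m[1], m[2]))

    mapped: Dict[str, str] = {}
    consumed = set()   # received attributes already handled by a higher-priority rule
    for _priority, _created, idx, rule in matches:
        if idx in consumed:
            continue   # only the higher-priority rule applies to this attribute
        if rule.to_attribute_name in mapped:
            continue   # assumption: the same target attribute is produced once, by the best match
        name, value = received[idx]
        mapped[rule.to_attribute_name] = value if rule.to_attribute_value is None else rule.to_attribute_value
        consumed.add(idx)
    return mapped
```

With all four rules loaded together, the priority-9 wildcard of Table 5-3 shadows the priority-10 rename of Table 5-4, so a catch-all rule has to carry the lowest priority of the set for the other rules to remain reachable.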


Chapter 6

Manage Policies with External Authentication


The NetOp PM software supports the ability to provide subscriber services to subscriber sessions that have not been authenticated by the NetOp PM system. This feature is for PPP circuit types. You enable this feature by configuring the NetOp PM system to use the SmartEdge multiservice edge router's two-stage accounting feature. In this configuration, when a subscriber activates a session, the SmartEdge router sends an access request and an accounting start to the carrier's RADIUS server. The NetOp PM system receives information about the subscriber session when the SmartEdge router sends a duplicate accounting start message to the NetOp PM RADIUS server.

When the NetOp PM system is deployed in this configuration, the service provider's operating support system (OSS) acts as a SOAP client and associates the subscriber account with the subscriber session. Once this binding is performed, the NetOp PM system manages the subscriber session in the same way it manages subscribers that are authenticated by the NetOp PM system. The NetOp PM system must use RADIUS Change of Authorization (CoA) authentication to manage subscriber policies in this configuration. For more information on CoA, see the CoA section on page 3-9.

The NetOp PM system provides API methods to enable subscriber policy management using a SOAP client. These methods associate a subscriber account to a subscriber session based on an IP address, PPP username, or CLIPS MAC address.



To use the NetOp PM system with the SmartEdge router in scenarios where the NetOp PM system is not the authentication server, you must configure the SmartEdge router for two-stage accounting. The primary authentication server is configured on the local context and the NetOp PM server is configured to receive RADIUS accounting messages from a secondary context. Table 6-1 lists the tasks.
Table 6-1  Tasks to Configure the SmartEdge Router for Two-Stage Accounting (1)

Task: Enable accounting messages for subscriber sessions in all contexts to be sent to the service provider's RADIUS accounting servers in the local context.
  Root command: aaa global accounting subscriber
  Configuration mode: global
  Context name: N/A
  Example from sample configurations:
    aaa global accounting subscriber radius context local

Task: Enable global subscriber authentication through the service provider's RADIUS servers in the local context.
  Root command: aaa global authentication subscriber radius server
  Configuration mode: global
  Context name: N/A
  Example from sample configurations:
    aaa global authentication subscriber radius context local

Task: Configure the IP address of the service provider's RADIUS authentication server.
  Root command: radius server
  Configuration mode: context
  Context name: local
  Example from sample configurations:
    radius server 10.192.100.10 key my-secret port 1812
    radius server 10.192.100.11 key my-secret port 1812

Task: Configure the IP address of the service provider's.
  Root command: radius accounting server
  Configuration mode: context
  Context name: local
  Example from sample configurations:
    radius accounting server 10.192.100.10 key my-secret port 1813
    radius accounting server 10.192.100.11 key my-secret port 1813

Task: Authenticate subscribers through the SmartEdge OS configuration or through the service provider's RADIUS server.
  Root command: aaa authentication subscriber
  Configuration mode: context
  Context name: BASIC
  Example from sample configurations:
    aaa authentication subscriber global

Task: Enable accounting messages for subscriber sessions in the context BASIC to be sent to the NetOp PM RADIUS accounting servers.
  Root command: aaa accounting subscriber
  Configuration mode: context
  Context name: BASIC
  Example from sample configurations:
    aaa accounting subscriber radius

Task: Enable accounting messages for reauthorization events for subscriber sessions in the BASIC context to be sent to the NetOp PM accounting servers.
  Root command: aaa global accounting event
  Configuration mode: context
  Context name: BASIC
  Example from sample configurations:
    aaa global accounting event reauthorization

Task: Configure the IP address of the NetOp PM RADIUS accounting servers in the BASIC context.
  Root command: radius accounting server
  Configuration mode: context
  Context name: BASIC
  Example from sample configurations:
    radius accounting server 10.192.100.10 key my-secret port 1813
    radius accounting server 10.192.100.11 key my-secret port 1813
    radius accounting server 10.192.100.10 key my-secret port 1815
    radius accounting server 10.192.100.11 key my-secret port 1815
    radius accounting server 10.192.100.11 key my-secret port 1817

Task: Enable the RADIUS CoA server.
  Root command: radius coa server
  Configuration mode: context
  Context name: BASIC
  Example from sample configurations:
    radius coa server 10.192.100.10 key my-secret port 3799
    radius coa server 10.192.100.11 key my-secret port 3799

(1) These tasks assume that you use AAA for authentication.

For detailed information about configuring RADIUS on the SmartEdge router, see the Configuring RADIUS document in the SmartEdge OS Library. In addition, the NetOp PM system must use RADIUS CoA authentication to manage subscriber policies in this configuration. For more information, see the CoA section on page 3-9.

The NetOp PM system automatically creates session records for sessions discovered through RADIUS accounting messages. When the NetOp PM system receives RADIUS accounting messages, it creates a subscriber session record. In the normal scenario, where the NetOp PM system is configured as the authentication server, the NetOp PM system matches the subscriber session against the subscriber account. In this scenario, where the NetOp PM system is not the authentication server, there is no account to match the session to; therefore, the subscriber session is manually associated with a subscriber account. The following methods associate the subscriber session with the subscriber account in the scenario where the NetOp PM system is not the authentication server:
- bindSubscriberToSession(String ipAddr, String subAcctName)
- bindSubscriberToSessionAndApplyServices(String ipAddr, String subAcctName)
- bindSubscriberToNASUser(String nasUser, String subAcctName)
- bindSubscriberToNASUserAndApplyServices(String nasUser, String subAcctName)


Chapter 7

Configure Additional RADIUS Attributes

See the following topics on configuring additional RADIUS attributes:
- Configure Additional RADIUS Attributes
- Create a New Service Attribute Variation Using the New NAS Type with the NetOp Client
- Add Third-Party RADIUS Attributes to the dictionary_redback.cfg File
- Add Third-Party RADIUS Attributes to the NetOp PM System Using a SOAP Client
- Apply Services by Configuring Additional RADIUS Attributes and VSAs

Configure Additional RADIUS Attributes


The NetOp PM software supports a subset of the Redback VSAs and standard RADIUS attributes that are used in service attribute variations. This section describes how to enable and configure support for additional RADIUS attributes that are not natively supported by the NetOp PM software.

Note

This section assumes that you are familiar with RADIUS and with using a SOAP client to configure the NetOp PM API. For more information about using SOAP clients, see the NetOp Policy Manager API Guide.

Overview
Support for additional RADIUS attributes can be added to the NetOp PM system using the NetOp PM API through a SOAP client. You can also view information about the RADIUS attributes, modify their support, and remove support for them. After you add support for new RADIUS attributes to the system using the NetOp PM API, they are available in the NetOp client to add to service attribute variations.

Note

Because adding and removing support for additional RADIUS attributes affects database tables, we recommend that you configure support for additional RADIUS attributes during off-peak hours.


Note

For more information on the Redback VSAs and standard RADIUS attributes supported by the SmartEdge router, see the Configuring RADIUS document in the SmartEdge OS Library.

Table 7-1  Tasks for Adding Support for Additional RADIUS Attributes

1. Performer: System administrator
   Task: Note: Any attributes added to the dictionary_redback.cfg file must be added again after an upgrade of the NetOp PM system. You must complete the following tasks:
   - Verify that the RADIUS attribute is present in the dictionary_redback.cfg file on all NetOp PM hosts. If it is not in the file, use a text editor to add it.
   - Copy the changed file to all NetOp PM hosts.

2. Performer: System administrator
   Task: Create an XML file specifying the following elements:
   - The service attribute variation that best fits the concept being deployed by the RADIUS attribute. For example, if the RADIUS attribute controls the bandwidth of a subscriber session, then it should be associated with the Bandwidth service attribute variation.
   - The node types that support the RADIUS attribute.
   - The circuit types that support the RADIUS attribute; see NetOp PM API Methods for Managing Additional RADIUS Attributes on page 7-3.
   Use a SOAP client to pass the XML file in to the NetOp PM API. For details, see the Add Support for Additional RADIUS Attributes section on page 7-6. The system adds support for the RADIUS attribute to the service attribute variation, with the specified values and display parameters.

3. Performer: Service definer
   Task: Use the NetOp client to select the service attribute variation and set the value for the additional RADIUS attribute. If you are viewing a service attribute variation when support for an additional RADIUS attribute is added to the system, click Refresh to update the NetOp client.

4. Performer: Subscriber Joe and the NetOp PM system response
   Task: Bring the session up; the NetOp PM system performs the following:
   - The NetOp PM RADIUS server automatically retrieves the NetOp PM specified attributes and the additional RADIUS attributes for the service attribute variation.
   - The NetOp PM RADIUS server sends the RADIUS attributes to the node.
   - When the NetOp PM RADIUS server receives the RADIUS Accounting-Request from the node, the additional RADIUS attributes are recorded in the Accounting table in the NetOp PM database.

Table 7-2  Tasks for Removing Support for Additional RADIUS Attributes

1. Performer: Service definer
   Task: Edit all service attribute variations to remove any values defined for the additional RADIUS attributes.

2. Performer: System administrator
   Task: Use a SOAP client with the NetOp PM API to remove the new RADIUS attribute from the service attribute variation by passing the name of the attribute to be removed to the removeRADIUSAttributeXML(String radiusAttributeName) method. For details, see the Remove Support for an Additional RADIUS Attribute section on page 7-9.

3. Performer: Service definer
   Task: Use the NetOp client to select the service attribute variation. The NetOp client automatically updates the service attribute variation display with the additional RADIUS attribute removed.

4. Performer: Subscriber Joe and the NetOp PM system response
   Task: When Joe brings a session up, the NetOp PM RADIUS server retrieves both the NetOp PM and additional RADIUS attributes, and finds that the additional RADIUS attribute was removed.


Verify or Add Additional RADIUS Attributes to the dictionary_redback.cfg File


Before you can configure support for an additional RADIUS attribute, it must be present in the dictionary_redback.cfg file, and all copies of the file in the NetOp PM system must be identical. In most cases, it is present in the file.

Note
When you upgrade your NetOp PM system, you must add the RADIUS attributes to the dictionary_redback.cfg file again.

To verify that the RADIUS attribute is present, or to add a new RADIUS attribute to the file if it is not present, perform the following steps:

1. Open the /usr/local/npm/radius/dictionary_redback.cfg file in a text editor.
2. Verify that the RADIUS attribute you want to support in your NetOp PM system is present in the file.
3. If it is not present, add it to the dictionary_redback.cfg file, including the information about the attribute in Table 7-3, with the attribute names and numbers on one row.

Table 7-3 dictionary_redback.cfg File Structure

Attribute or Value | Attribute Name | Attribute Number or Value Name | Attribute Type or Value Number
ATTRIBUTE | Attribute name; for example, Service-Type | Attribute number; for example, 6 | Attribute type; for example, integer
VALUE | Attribute the value modifies; for example, Service-Type | Value name; for example, Login-User | Value number; for example, 1

4. Save and close the file.
5. Copy the file to the /usr/local/npm/radius directory on each NetOp PM host.
6. Reinitialize the NetOp PM RADIUS server.
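As an added example that is not part of this guide, the following Python check parses the row layout of Table 7-3, confirms that an attribute is declared with the expected number, and compares the copies collected from each NetOp PM host so you know they are identical before reinitializing the RADIUS server. The sample rows, the function names and the treatment of # as a comment marker are assumptions made here, not part of the NetOp PM product.

```python
"""Added example: verify a RADIUS attribute in dictionary_redback.cfg (Table 7-3 layout)."""
import hashlib
import re
from dataclasses import dataclass, field

# Row layout from Table 7-3, names and numbers on one row:
#   ATTRIBUTE <attribute-name> <attribute-number> <attribute-type>
#   VALUE     <attribute-name> <value-name>       <value-number>
_ATTRIBUTE_ROW = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)$")
_VALUE_ROW = re.compile(r"^VALUE\s+(\S+)\s+(\S+)\s+(\d+)$")


@dataclass
class Attribute:
    name: str
    number: int
    type: str
    values: dict = field(default_factory=dict)  # value name -> value number


def parse_dictionary(text):
    """Return {attribute name: Attribute} for the ATTRIBUTE and VALUE rows in text.

    Assumption: '#' starts a comment. Rows that are neither ATTRIBUTE nor VALUE
    are left alone; a malformed ATTRIBUTE or VALUE row, a duplicate attribute,
    or a VALUE for an attribute that has not been declared raises ValueError
    with the offending line number.
    """
    attributes = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword = line.split()[0]
        if keyword == "ATTRIBUTE":
            m = _ATTRIBUTE_ROW.match(line)
            if not m:
                raise ValueError(f"line {lineno}: malformed ATTRIBUTE row: {raw!r}")
            name, number, attr_type = m.groups()
            if name in attributes:
                raise ValueError(f"line {lineno}: duplicate ATTRIBUTE {name}")
            attributes[name] = Attribute(name, int(number), attr_type)
        elif keyword == "VALUE":
            m = _VALUE_ROW.match(line)
            if not m:
                raise ValueError(f"line {lineno}: malformed VALUE row: {raw!r}")
            name, value_name, value_number = m.groups()
            if name not in attributes:
                raise ValueError(f"line {lineno}: VALUE for undeclared attribute {name}")
            attributes[name].values[value_name] = int(value_number)
    return attributes


def attribute_present(text, name, number=None):
    """True if ATTRIBUTE `name` is declared (and carries `number`, when given)."""
    attr = parse_dictionary(text).get(name)
    if attr is None:
        return False
    return number is None or attr.number == number


def dictionary_digests(copies):
    """SHA-256 of each host's copy; one distinct digest means all copies are identical."""
    return {hashlib.sha256(copy.encode("utf-8")).hexdigest() for copy in copies}


# Constructed sample rows in the Table 7-3 layout (not a real dictionary_redback.cfg).
SAMPLE_DICTIONARY = """\
# constructed sample
ATTRIBUTE Service-Type 6 integer
VALUE Service-Type Login-User 1
ATTRIBUTE RB-Source-Validation 14 integer
VALUE RB-Source-Validation Enabled 1
VALUE RB-Source-Validation Disabled 2
"""

if __name__ == "__main__":
    print(attribute_present(SAMPLE_DICTIONARY, "RB-Source-Validation", 14))  # True
    print(len(dictionary_digests([SAMPLE_DICTIONARY, SAMPLE_DICTIONARY])))   # 1
```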

NetOp PM API Methods for Managing Additional RADIUS Attributes


The NetOp PM system provides API methods that enable you to manage additional RADIUS attributes using a SOAP client. The API methods expect the name of the new RADIUS attribute or a string containing the XML structure of the additional RADIUS attributes. The XML file must comply with the NetOp PM XML schema (see the /usr/local/npm/docs/RADIUSAttribute.xsd file). Use the following methods to manage additional RADIUS attributes:

- addRADIUSAttributeXML(): Adds a single or multiple RADIUS attributes; expects an XML document containing the attributes to be added. The RADIUS attributes cannot already exist in the NetOp PM database.
- getRADIUSAttributeXML(String radiusAttributeName): Expects the RADIUS attribute name; retrieves an XML representation of the specified additional RADIUS attributes.
- getAllRADIUSAttributesXML(): Retrieves an XML representation of all the additional RADIUS attributes in the NetOp PM deployment.
- updateRADIUSAttributeXML(String radiusAttributeXML): Expects an XML document containing the RADIUS attributes with new parameters; updates the RADIUS attributes.
- removeRADIUSAttribute(String radiusAttributeName): Expects the RADIUS attribute name; removes the specified additional RADIUS attributes from the NetOp PM system.

There are five types of additional RADIUS attributes:
- StringRADIUSAttribute
- IntegerRADIUSAttribute
- Integer64RADIUSAttribute
- IPRADIUSAttribute
- HexadecimalRADIUSAttribute

Note
The preceding RADIUS attribute types control the format of the values that can be specified in the service attribute variations. These types do not need to exactly match the RADIUS attribute types defined in the dictionary.

Table 7-4 Additional RADIUS Attribute XML Element Descriptions

Field: Description

RADIUS Attribute Parameters

Name
    Name of the RADIUS attribute in the dictionary_redback.cfg file; up to 50 characters.

VendorId
    Vendor ID of the RADIUS attribute; one of the following:
    - Standard RADIUS attributes: not specified
    - Redback VSA: 2352

AttributeNumber
    Number of the RADIUS attribute in the dictionary_redback.cfg file; valid values are 1 to 255.

Association
    Parent element of the service attribute variation element.

SAV
    Service attribute variation that a RADIUS attribute should be used with; can be one or more of the following service attribute variation types: Bandwidth, Custom, DynamicIPAddress, IPRedirect, Video.

MaxOccurs
    Maximum number of values that can be specified for a RADIUS attribute. Value can be 1 to 16.

NASType
    The RADIUS attribute is supported by the specified NASType (name must start with an alphabetic character or underscore and cannot exceed 10 characters).

CircuitTypes
    Circuit types for which the RADIUS attribute is supported on the supporting SmartEdge routers or the SMS devices; can be one or more of the following circuit types:
    - For SmartEdge routers: ALL, BRIDGED_1483, CLIPS, MOBILE_IP, PPP, STATIC_CLIPS
    - For SMS devices: ALL, BRIDGED_1483, CLIPS, PPP
    - For third-party devices: ALL, BRIDGED_1483, CLIPS, EAP, MOBILE_IP, PPP

DBColumn
    Database column name that is created in the NetOp PM database; can be up to 30 characters.

DisplayLabel
    Display label that is used in the NetOp client; if it is not specified, the RADIUS attribute name is used as the display label; can be up to 50 characters.

ToolTipText
    Tool tip text that is shown in the NetOp client when the mouse cursor passes over the text box; can be up to 255 characters.

Min
    Minimum value allowed for this RADIUS attribute.

Max
    Maximum value allowed for this RADIUS attribute.

MaxLength
    Maximum number of characters allowed for this RADIUS attribute.

RegularExpressions
    Regular expressions that govern which pattern of values are allowed for this RADIUS attribute; one or more regular expressions can be specified; can be up to 255 characters.

Enums
    Particular set of values that are allowed to be entered for this RADIUS attribute.

Configure Additional RADIUS Attributes

7-5

Configure Additional RADIUS Attributes

Add Support for Additional RADIUS Attributes


Note
RADIUS attributes added using the addRADIUSAttributeXML() method must not already exist in the NetOp PM system.

To add support for additional RADIUS attributes to the NetOp PM system, perform the following steps:

1. Create an XML document specifying the additional RADIUS attributes. Table 7-4 describes the elements in the RADIUS attribute XML structures and the types they support. For example, the following XML code displays the elements required to add a RADIUS VSA for a third-party device to the NetOp PM system:

    <StringRADIUSAttribute>
      <Name>vsa-name</Name>
      <VendorId>vendor-id</VendorId>
      <AttributeNumber>attr-num</AttributeNumber>
      <DBColumn>db-col-name</DBColumn>
      <MaxOccurs>15</MaxOccurs>
      <Association>
        <SAV>
          <DynamicIPAddress>
            <NASTypes>
              <NASType>
                <Name>nas-name</Name>
                <CircuitTypes>
                  <CircuitType>circuit-type</CircuitType>
                </CircuitTypes>
              </NASType>
            </NASTypes>
          </DynamicIPAddress>
        </SAV>
      </Association>
      <DisplayLabel>display-label</DisplayLabel>
      <MaxLength>max-length</MaxLength>
    </StringRADIUSAttribute>

   The following example configures the RB-Source-Validation attribute to be supported by all circuit types on the SmartEdge platform. Also, the RB-Source-Validation attribute is added to the Custom and DynamicIPAddress Service Attribute Variation panels in the NetOp client:

    <IntegerRADIUSAttribute>
      <Name>RB-Source-Validation</Name>
      <VendorId>2352</VendorId>
      <AttributeNumber>14</AttributeNumber>
      <DBColumn>source_validation</DBColumn>
      <MaxOccurs>1</MaxOccurs>
      <Association>
        <SAV>
          <DynamicIPAddress>
            <NASTypes>
              <NASType>
                <Name>SER</Name>
                <CircuitTypes>
                  <CircuitType>ALL</CircuitType>
                </CircuitTypes>
              </NASType>
            </NASTypes>
          </DynamicIPAddress>
        </SAV>
      </Association>
      <DisplayLabel>RB-Source-Validation</DisplayLabel>
      <Enums>
        <Enum>
          <Name>Enabled</Name>
          <Value>1</Value>
        </Enum>
        <Enum>
          <Name>Disabled</Name>
          <Value>2</Value>
        </Enum>
      </Enums>
    </IntegerRADIUSAttribute>

   To add multiple RADIUS attributes, create an XML document containing a sequence of RADIUS attributes.

2. To pass the XML file to the addRADIUSAttributeXML() API method, run the ConfigRADIUSAttribute.addRADIUSAttributeXML.pl script (in the /usr/local/npm/soap_client/perl/ directory), using the following syntax:

    ./ConfigRADIUSAttribute.addRADIUSAttributeXML.pl -username npmadmin -password redback -file RADIUSAttribute.xml

   Here, the RADIUSAttribute.xml file is the XML file you previously created. Specify the -username npmadmin -password redback construct only if secure API is enabled.

Note
If the RADIUS attribute already exists in the NetOp PM system, you receive an error message similar to the following example:

    A RADIUS attribute with name: theName, vendor id: theVendorId, attribute number: theAttrNum already exists
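As an added example that is not part of this guide or of the NetOp PM software, the following Python check applies the Table 7-4 limits and the NASType name and circuit-type rules to an attribute document before it is passed to addRADIUSAttributeXML(), so that a malformed document is caught locally rather than by the SOAP call. The limits and allowed values are taken from Table 7-4 and the circuit-type lists above; the function names, the single union of circuit types, and the deliberately broken sample document are assumptions made here.

```python
"""Added example: pre-flight checks for an additional RADIUS attribute XML document."""
import re
import xml.etree.ElementTree as ET

# Limits and allowed values from Table 7-4 and the circuit-type lists in this chapter.
ATTRIBUTE_TYPES = {"StringRADIUSAttribute", "IntegerRADIUSAttribute",
                   "Integer64RADIUSAttribute", "IPRADIUSAttribute",
                   "HexadecimalRADIUSAttribute"}
SAV_TYPES = {"Bandwidth", "Custom", "DynamicIPAddress", "IPRedirect", "Video"}
# Union of the circuit types listed for SmartEdge, SMS and third-party devices
# (assumption: the per-platform subset is not checked here).
CIRCUIT_TYPES = {"ALL", "BRIDGED_1483", "CLIPS", "EAP", "MOBILE_IP", "PPP", "STATIC_CLIPS"}
MAX_CHARS = {"Name": 50, "DBColumn": 30, "DisplayLabel": 50, "ToolTipText": 255}
NAS_NAME = re.compile(r"^[A-Za-z_].{0,9}$")  # letter or underscore first, at most 10 chars


def _int_text(elem):
    """Integer content of an element, or None if it is missing or not numeric."""
    try:
        return int(elem.text.strip())
    except (AttributeError, ValueError):
        return None


def check_radius_attribute_xml(xml_text):
    """Return a list of problems found in one RADIUS attribute document (empty = passed)."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag not in ATTRIBUTE_TYPES:
        problems.append(f"unknown attribute type <{root.tag}>")
    if root.find("Name") is None:
        problems.append("Name is required")
    for tag, limit in MAX_CHARS.items():
        elem = root.find(tag)
        if elem is not None and len((elem.text or "").strip()) > limit:
            problems.append(f"{tag} exceeds {limit} characters")
    number = _int_text(root.find("AttributeNumber"))
    if number is None or not 1 <= number <= 255:
        problems.append("AttributeNumber must be 1 to 255")
    occurs = root.find("MaxOccurs")
    if occurs is not None and not 1 <= (_int_text(occurs) or 0) <= 16:
        problems.append("MaxOccurs must be 1 to 16")
    sav = root.find("Association/SAV")
    if sav is None:
        problems.append("Association/SAV is required")
    for variation in (list(sav) if sav is not None else []):
        if variation.tag not in SAV_TYPES:
            problems.append(f"unknown service attribute variation <{variation.tag}>")
        for nas in variation.iterfind("NASTypes/NASType"):
            name = (nas.findtext("Name") or "").strip()
            if not NAS_NAME.match(name):
                problems.append(f"NASType name {name!r}: must start with a letter or "
                                "underscore and be at most 10 characters")
            for circuit in nas.iterfind("CircuitTypes/CircuitType"):
                if (circuit.text or "").strip() not in CIRCUIT_TYPES:
                    problems.append(f"unknown CircuitType {circuit.text!r} for NASType {name!r}")
    for enum in root.iterfind("Enums/Enum"):
        if enum.find("Name") is None or _int_text(enum.find("Value")) is None:
            problems.append("each Enum needs a Name and an integer Value")
    return problems


# The RB-Source-Validation document from this section.
GOOD_XML = """<IntegerRADIUSAttribute>
  <Name>RB-Source-Validation</Name>
  <VendorId>2352</VendorId>
  <AttributeNumber>14</AttributeNumber>
  <DBColumn>source_validation</DBColumn>
  <MaxOccurs>1</MaxOccurs>
  <Association><SAV><DynamicIPAddress><NASTypes><NASType>
    <Name>SER</Name>
    <CircuitTypes><CircuitType>ALL</CircuitType></CircuitTypes>
  </NASType></NASTypes></DynamicIPAddress></SAV></Association>
  <DisplayLabel>RB-Source-Validation</DisplayLabel>
  <Enums>
    <Enum><Name>Enabled</Name><Value>1</Value></Enum>
    <Enum><Name>Disabled</Name><Value>2</Value></Enum>
  </Enums>
</IntegerRADIUSAttribute>"""

# Constructed document that breaks several Table 7-4 limits on purpose.
BAD_XML = """<StringRADIUSAttribute>
  <Name>Third-Party-Example</Name>
  <AttributeNumber>300</AttributeNumber>
  <DBColumn>a_column_name_that_is_far_longer_than_thirty_chars</DBColumn>
  <MaxOccurs>20</MaxOccurs>
  <Association><SAV><Custom><NASTypes><NASType>
    <Name>1stVendorNAS</Name>
    <CircuitTypes><CircuitType>ATM</CircuitType></CircuitTypes>
  </NASType></NASTypes></Custom></SAV></Association>
</StringRADIUSAttribute>"""

if __name__ == "__main__":
    print(check_radius_attribute_xml(GOOD_XML))  # []
    for problem in check_radius_attribute_xml(BAD_XML):
        print("BAD_XML:", problem)
```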

Retrieve Information About an Additional RADIUS Attribute


To retrieve information about an additional RADIUS attribute, pass the attribute name to the getRADIUSAttributeXML method, using the ConfigRADIUSAttribute.getRADIUSAttributeXML.pl script (in the /usr/local/npm/soap_client/perl/ directory). For example, to retrieve details about the RB-Source-Validation RADIUS attribute, use the script according to the following syntax:

    ./ConfigRADIUSAttribute.getRADIUSAttributeXML.pl -username npmadmin -password redback RB-Source-Validation

Specify the -username npmadmin -password redback construct only if secure API is enabled. The output displays the resulting XML of the RB-Source-Validation RADIUS attribute:

    <?xml version="1.0" encoding="UTF-8"?>
    <IntegerRADIUSAttribute>
      <Name>RB-Source-Validation</Name>
      <VendorId>2352</VendorId>
      <AttributeNumber>14</AttributeNumber>
      <DBColumn>source_validation</DBColumn>
      <Association>
        <SAV>
          <DynamicIPAddress>
            <NASTypes>
              <NASType>
                <Name>SER</Name>
                <CircuitTypes>
                  <CircuitType>ALL</CircuitType>
                </CircuitTypes>
              </NASType>
            </NASTypes>
          </DynamicIPAddress>
        </SAV>
      </Association>
      <DisplayLabel>RB-Source-Validation</DisplayLabel>
      <Enums>
        <Enum>
          <Name>Enabled</Name>
          <Value>1</Value>
        </Enum>
        <Enum>
          <Name>Disabled</Name>
          <Value>2</Value>
        </Enum>
      </Enums>
    </IntegerRADIUSAttribute>

For definitions of the XML elements, see Table 7-4 on page 7-4.

Modify the Support of an Additional RADIUS Attribute


To modify one or more additional RADIUS attributes, pass an XML file to the updateRADIUSAttributeXML(String radiusAttributeXML) method using the following steps:

1. Create an XML file specifying the changed additional RADIUS attributes. For an example of the XML file, see the Add Support for Additional RADIUS Attributes section on page 7-6.

2. Pass the XML file to the NetOp PM API by running the ConfigRADIUSAttribute.updateRADIUSAttributeXML.pl script according to the following syntax:

    ./ConfigRADIUSAttribute.updateRADIUSAttributeXML.pl -username npmadmin -password redback -file RADIUSAttribute.xml

   Specify the -username npmadmin -password redback construct only if secure API is enabled.

Remove Support for an Additional RADIUS Attribute


To remove support for an additional RADIUS attribute from the NetOp PM system, pass the name of the attribute to be removed to the removeRADIUSAttributeXML(String radiusAttributeName) method using the /usr/local/npm/soap_client/perl/ConfigRADIUSAttribute.removeRADIUSAttributeXML.pl script. For example, to remove the RB-Source-Validation RADIUS attribute, run the script with the following syntax:

    ./ConfigRADIUSAttribute.removeRADIUSAttributeXML.pl -username npmadmin -password redback RB-Source-Validation

Specify the -username npmadmin -password redback construct only if secure API is enabled.

Create a New Service Attribute Variation Using the New NAS Type with the NetOp Client
After enabling the third-party devices and their VSAs in the NetOp PM system, you need to create service attribute variations using the NetOp client. For information about defining service attribute variations, see Chapter 10, Service Attribute Variations. You can create a referenced service attribute variation or you can define an inline service attribute variation. For details on defining a service attribute variation inline and referencing an existing service attribute variation when creating service offerings, see the Create Service Offerings section on page 9-1.

After you add the new NAS type to the system, described in the section Add Third-Party Device (NAS) Types Using a SOAP Client on page 8-1, it is displayed on the Service Attribute Variation Properties panels. It is also displayed when defining a new service offering using the variations you have defined. To view the new NAS type, click the NAS type folder.

Third-party RADIUS attributes added by the administrator appear on the NetOp client under the RADIUS attributes that are natively supported by the NetOp PM system. These attributes are also referred to as additional RADIUS attributes. See NetOp PM API Methods for Managing Additional RADIUS Attributes on page 7-3 for information about which third-party circuit types are supported. The label displayed on the NetOp client for individual RADIUS attributes defaults to the name of the RADIUS attribute, though it can be specified at the time of definition. The vendor-specific attributes appear in the list of RADIUS attributes grouped with Additional RADIUS Attributes if you have first added an additional RADIUS attribute for the NAS type to the NetOp PM system; see Figure 7-1.

Note
When creating an access service to be used by an EAP-based subscriber, ensure that the service is an explicit login service. The explicit login option ensures that with each new connection, the EAP authentication takes place.


Figure 7-1 NetOp Client Service Attribute Variation: VoIP Bandwidth Properties Panel

To define service attribute variations that you can add to service offerings, define filtering criteria and enter values for the device-specific RADIUS attribute. For procedures to use the NetOp client to create service attribute variations, see the Create Service Attribute Variations section on page 10-1.

Note
When subscribers (who are logged on through third-party devices) change services, they must reconnect to pick up the changed services.

Add Third-Party RADIUS Attributes to the dictionary_redback.cfg File


Before you can configure support for third-party RADIUS attributes, you must add them to the dictionary_redback.cfg file and copy the modified file to all NetOp PM hosts.


For the procedure to add third-party RADIUS vendor-specific attributes (VSAs) to the file, see the Verify or Add Additional RADIUS Attributes to the dictionary_redback.cfg File section on page 7-3.

Note
You must reinitialize the NetOp PM RADIUS servers to register these changes. Any attributes added to the dictionary_redback.cfg file must be added again after an upgrade of the NetOp PM system.

Add Third-Party RADIUS Attributes to the NetOp PM System Using a SOAP Client
Before you can use third-party RADIUS VSAs in service attribute variations, which can be applied to subscriber sessions, you must add the third-party VSAs to the NetOp PM system using a SOAP API method. To do so, inject an XML file describing the third-party VSAs into the NetOp PM system using the ConfigRADIUSAttribute.addRADIUSAttributeXML method; for more information, see the Configure Additional RADIUS Attributes section on page 7-1:

1. Create an XML file to describe the RADIUS VSA; for an example, see the Configure Additional RADIUS Attributes section on page 7-1. The XML document must conform to the XML schema as published in the RADIUSAttribute.xsd file in the /usr/local/npm/docs directory.

2. To pass the XML file to the addRADIUSAttributeXML() API method, run the ConfigRADIUSAttribute.addRADIUSAttributeXML.pl script (in the /usr/local/npm/soap_client/perl/ directory) according to the following syntax:

    ./ConfigRADIUSAttribute.addRADIUSAttributeXML.pl -username npmadmin -password redback -file thirdPartyVSA.xml

   where the thirdPartyVSA.xml file is the XML file you previously created. Specify the -username npmadmin -password redback construct only if secure API is enabled.

Apply Services by Configuring Additional RADIUS Attributes and VSAs


You can configure additional RADIUS attributes and vendor-specific attributes (VSA) to apply services when you inject additional RADIUS attributes into the NetOp PM system.

Calculate Multiple Values to Configure WiMAX Attributes


You are required to manually calculate and enter multiple values in the GUI to configure RADIUS attributes that have no sub-TLV processing support. The NetOp PM system supports multiple values for WiMAX attributes, including packet flow descriptors (PFD), WiMAX-QoS-Descriptor, and WiMAX-Time-Of-Day-Time.


To calculate multiple values:

1. Calculate each sub-TLV value and encode it in hexadecimal according to type and length.
2. Concatenate the sub-TLV values in the hexadecimal string to form one attribute value.
3. Repeat steps 1 and 2 for each attribute value, and then enter the multiple attribute values.

The following examples show how to calculate a value for a WiMAX attribute.

For a WiMAX-Packet-Flow-Descriptor with sub-TLV values PacketDataFlowID=1, ServiceProfileID=1, Direction=3, ActivationTrigger=7, TransportType=1, each sub-TLV is encoded in hexadecimal according to its type and length:

    PacketFlowID: 01040001 (type 01, length 04, value 0001)
    ServiceProfileID: 030600000001 (type 03, length 06, value 00000001)
    Direction: 040303 (type 04, length 03, value 03, bidirectional)
    ActivationTrigger: 050307 (type 05, length 03, value 07, Provisioned|Admit|Activate)
    TransportType: 060301 (type 06, length 03, value 01, IPv4-CS)

The concatenated hexadecimal string is:

    01040001030600000001040303050307060301

For a WiMAX-QoS-Descriptor with sub-TLV values QoSID=1, ScheduleType=2, each sub-TLV is encoded as follows:

    QoSID: 010301 (type 01, length 03, value 01)
    ScheduleType: 040302 (type 04, length 03, value 02, Best Effort)

The concatenated hexadecimal string is:

    010301040302

For a WiMAX-Time-Of-Day-Time value with sub-TLV values Hour=1, Minute=2, UTCOffset=1:

    Hour: 010301 (type 01, length 03, value 01)
    Minute: 020302 (type 02, length 03, value 02)
    UTCOffset: 030600000001 (type 03, length 06, value 00000001)

The hexadecimal string is:

    010301020302030600000001
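As an added example that is not part of this guide, the following Python code carries out the sub-TLV calculation above for all three attributes, and decodes a finished string back into (type, value) pairs so that a mistyped length byte is caught before the value is entered in the GUI. The length convention (type byte plus length byte plus value bytes) is the one the examples above use; the function names and the value widths are assumptions made here.

```python
"""Added example: build and check WiMAX sub-TLV hex strings for the NetOp client."""


def encode_sub_tlv(tlv_type, value, value_len):
    """Hex for one sub-TLV: a type byte, a length byte and a big-endian value of
    value_len bytes. The length byte counts the type and length bytes as well as
    the value bytes, which is why a one-byte value is encoded with length 03."""
    if not 0 <= tlv_type <= 255:
        raise ValueError("type must fit in one byte")
    if not 1 <= value_len <= 253:
        raise ValueError("value length must be 1 to 253 bytes")
    if not 0 <= value < (1 << (8 * value_len)):
        raise ValueError(f"value {value} does not fit in {value_len} byte(s)")
    header = bytes([tlv_type, 2 + value_len])
    return (header + value.to_bytes(value_len, "big")).hex()


def encode_attribute(sub_tlvs):
    """Concatenate (type, value, value_len) tuples into one attribute value."""
    return "".join(encode_sub_tlv(t, v, n) for t, v, n in sub_tlvs)


def decode_attribute(hex_string):
    """Walk a concatenated hex string back into (type, value) pairs, checking
    that every length byte is consistent with the data that follows it."""
    data = bytes.fromhex(hex_string)
    decoded, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError(f"truncated sub-TLV header at offset {pos}")
        tlv_type, length = data[pos], data[pos + 1]
        if length < 3 or pos + length > len(data):
            raise ValueError(f"bad length {length} for type {tlv_type} at offset {pos}")
        decoded.append((tlv_type, int.from_bytes(data[pos + 2:pos + length], "big")))
        pos += length
    return decoded


# The three attribute values worked out in this section:
# (type, value, value length in bytes) for each sub-TLV.
PACKET_FLOW_DESCRIPTOR = [
    (0x01, 1, 2),  # PacketDataFlowID = 1
    (0x03, 1, 4),  # ServiceProfileID = 1
    (0x04, 3, 1),  # Direction = 3 (bidirectional)
    (0x05, 7, 1),  # ActivationTrigger = 7 (Provisioned|Admit|Activate)
    (0x06, 1, 1),  # TransportType = 1 (IPv4-CS)
]
QOS_DESCRIPTOR = [(0x01, 1, 1), (0x04, 2, 1)]                  # QoSID = 1, ScheduleType = 2
TIME_OF_DAY_TIME = [(0x01, 1, 1), (0x02, 2, 1), (0x03, 1, 4)]  # Hour = 1, Minute = 2, UTCOffset = 1

if __name__ == "__main__":
    for name, tlvs in (("WiMAX-Packet-Flow-Descriptor", PACKET_FLOW_DESCRIPTOR),
                       ("WiMAX-QoS-Descriptor", QOS_DESCRIPTOR),
                       ("WiMAX-Time-Of-Day-Time", TIME_OF_DAY_TIME)):
        value = encode_attribute(tlvs)
        print(f"{name}: {value} -> {decode_attribute(value)}")
```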

Redirect a Subscriber using EAP


You can use EAP redirect for a subscriber that has value-added services. You cannot currently use midsession hotlining. To hotline a subscriber using EAP redirect:

1. Ensure that the subscriber is provisioned for value-added redirect.
2. Under the ASNGW-EAP IP Redirect SAV, configure appropriate values for the NAS-Filter-Rule and HTTP-Redirection-Rule.

Note
The NetOp PM system does not validate or check if redirection has been applied. Ensure that your values match the appropriate ASNGWs and FAs.

3. Click Apply.

Support for NAS-Filter-Rules Exceeding the Character Limit for an Inline SAV
For strings exceeding 252 characters in a single rule row for a NAS-Filter-Rule, you can use the backslash key (\). When a string exceeds 252 characters:

1. Mouse over the entry field for NAS-Filter-Rule to see the tooltip.
2. Type the string.
3. When your string exceeds 252 characters, type \ as the 253rd character.
4. Continue typing the rest of the string in the next line.
5. Press the Enter key to type another string. You can enter up to 16 strings in the entry field.


Chapter 8

Configuring NetOp PM Third-Party Vendor Support


Third-party devices must point to the host and the RADIUS server port configured in the NetOp PM system. Third-party session support is added for third-party vendor device types and EAP authentication supported by third-party vendors. EAP authentication comes preconfigured to support third-party vendors in the NetOp PM Release 6.1.4.n software. Third-party session support includes node configurations for the following:

- Add Third-Party Device (NAS) Types Using a SOAP Client
- Add Third-Party Devices to Communicate with the NetOp PM System Using a SOAP Client

Add Third-Party Device (NAS) Types Using a SOAP Client


To enable the NetOp PM system to communicate with third-party devices, use the ConfigNASType.addNASTypeXML SOAP call to add a new network access server (NAS) type to the NetOp PM system. SOAP methods also exist to retrieve information about the NAS type or all NAS types (including SmartEdge routers), and to remove or update the NAS type.

Note
You can enable one or multiple device types.

You can use the following SOAP API methods to add, retrieve, remove, or update NAS types in the NetOp PM system:

- ConfigNASType.addNASTypeXML
- ConfigNASType.getAllNASTypesXML
- ConfigNASType.getNASTypeXML
- ConfigNASType.removeNASType
- ConfigNASType.updateNASTypeXML

To enable support for a third-party NAS type using XML documents with a SOAP client, perform the following steps:

1. Create an XML document defining the NAS type to add to the NetOp PM system, similar to the following:

    <NASType>
      <Name>nas-type-name</Name>
      <CircuitTypes>
        <CircuitType>circuit-type</CircuitType>
      </CircuitTypes>
    </NASType>

   Here the required NASType name is the unique name of the third-party device that you are inserting into the NetOp PM system, and the CircuitTypes element contains the circuits supported by the device. The nas-type-name variable must start with an alphabetic character or underscore, and cannot exceed 10 characters. You can specify the BRIDGED_1483, CLIPS, EAP, MOBILE_IP (wireless authorization), or PPP circuit types. You can add up to five circuit types in repeated CircuitType elements. The XML document must conform to the XML schema as published in the NASType.xsd file in the /usr/local/npm/docs directory.

2. Make the addNASTypeXML SOAP call, specifying the location of the XML document. The NetOp PM software includes sample Perl SOAP scripts you can use to invoke the API method. The scripts are in the /usr/local/npm/soap_client/perl directory. For usage guidelines on any of the sample scripts, run the script with the -help keyword:

    ./script-name -help

   For example, to add NAS type information to the NetOp PM system with the NAS type defined in the newNASType.xml document, run the ConfigNASType.addNASTypeXML.pl script as follows:

    /usr/local/npm/soap_client/perl/ConfigNASType.addNASTypeXML.pl -static -file newNASType.xml

   Here the -file newNASType.xml construct specifies the XML file that defines the new NAS type.

Add Third-Party Devices to Communicate with the NetOp PM System Using a SOAP Client
To add a third-party device to the NetOp PM system, you must add it using the NASMgmt.addNASXML.pl SOAP client. Perform the following steps:

1. Create an XML file describing the third-party device, in the following format:

    <NASRecords>
      <NAS>
        <Id>nas-id</Id>
        <IPAddress>10.192.100.8</IPAddress>
        <Secret>my-secret</Secret>
        <SoftwareVersion>ver-num</SoftwareVersion>
        <Type>nas-type</Type>
      </NAS>
    </NASRecords>

   This XML describes the ID, IP address, RADIUS shared secret, software version, and NAS type for the device.

2. To inject a new third-party device into the NetOp PM system, run the following script:

    /usr/local/npm/soap_client/perl/NASMgmt.addNASXML.pl -file thirdPartyDevice.xml

   Here the thirdPartyDevice.xml argument is the path and filename of the XML file containing the NAS description.


Chapter 9

Service Offerings

This chapter describes how to view, create, modify, and delete service offerings.

View Service Offerings


To view an existing service offering:

1. On the network navigator, click Service Offering to display a list of service offerings on the object navigator.
2. Click one of the following service offering types to narrow the list of service offerings: Access Offering, Bandwidth Offering, Custom Offering, IP Redirect Offering, or Video Offering.
3. On the object navigator, select the service offering to view.
4. On the management view launch bar, click Properties to display the service definition navigator and the service offering details on the Service Offering Properties panel.
5. Click any service attribute variation component with a selected option button to view service attribute variation details. Grayed-out service attribute variations contain no details.

Create Service Offerings


Note
This procedure describes only fields common to all service offering types. For descriptions of the fields unique to the Access and Custom service offering types, see the Create an Access Service Offering section on page 9-4 and the Create a Custom Service Offering section on page 9-5.

To create a new service offering, perform the following steps:

1. On the network navigator, click Service Offering and click one of the following service offering types: Access Offering, Bandwidth Offering, Custom Offering, IP Redirect Offering, Lawful Intercept Offering, or Video Offering.
2. On the management view launch bar, click Properties.
3. On the Properties panel toolbar, click Add Service Offering.
4. Click the Adding Service Offering of type field and select the type of service offering to add. To create a service offering based on an existing service offering, view the service offering to replicate, click Add Service Offering, and on the Adding Service Offering of type dialog box, select the Use data from currently displayed service check box. You can only use this check box to create the same type of service offering as you are viewing. The ID and name of the service offering must be unique. When you duplicate a service offering with overrides, the overrides are not duplicated.
5. Click OK. The Adding Service Offering of type dialog box appears with an exclamation icon next to the objects that require information.
6. Type the ID and Name of the service offering. The ID and Name must be unique across the NetOp PM system. The web portal displays the Name to the subscriber.
7. Optional. Type a Description of the service offering.
8. Click the Priority field and type a number from 1 to 999. A lower number assigns a higher priority. By configuring a service offering with a higher priority, you instruct the NetOp PM system to apply that service offering to the subscriber session before applying any service offering with a lower priority; conflicting attributes from the lower-priority service offering are ignored. This is especially useful when conflicting attributes are defined in two or more services. When more than one service with conflicting attributes has the same priority, the NetOp PM Remote Authentication Dial-In User Service (RADIUS) server logs the conflict in the NetOp PM RADIUS server log file and selects one of the parameters over the other.

Note
Any service that increases the subscriber's bandwidth must have a higher priority than the underlying access service.

9. Click the Retail field and select Y or N to specify the service offering as a retail or wholesale service. A value of Y indicates that the service offering is a retail service, and the service is provided by the owner of the subscriber account; a value of N indicates that the service offering is a wholesale service, and the service is provided by the equipment owner. In a wholesale model, retail services are controlled by the proxy ISP RADIUS server, and wholesale services are permanently associated with the subscriber account. In a non-wholesale model, all services should be defined as Retail and are controlled by the carrier. For details on wholesale versus retail services in the NetOp PM system, see the Retail and Wholesale Deployment section on page 1-5 in the NetOp Policy Manager Product Overview.


10. Click the Show In List field and select Y or N to specify whether the service should appear on the portal services page for subscriber selection. A service that is unavailable for subscriber selection can still be applied through the application programming interface (API). You cannot explicitly configure a service to be shown for one encapsulation type and not for another; that is, you cannot show a service for clientless IP service selection (CLIPS) circuits, and hide the service for Point-to-Point Protocol (PPP) circuits. During service development and testing phases, you can make a service unavailable to subscribers so that the service cannot be inadvertently selected by a subscriber before the service is fully tested. When the service is fully tested and you want to make the service available for subscribers through the web portal services page, ensure that the value of the Show In List field is Y. Note The Captive Portal and Invalid Login services should never be available to subscribers; the Show In List field should always be N for these services. These services are not offered to subscribers, but are used by the NetOp PM RADIUS server.

11. Optional. Click to select the Offered From check box and type the start date when the service is available for selection to the subscriber through the web portal. If not specified, the service is offered immediately. 12. Optional. Click to select the Offered Until check box and type the end date when the service is no longer available for selection to the subscriber through the web portal. The Offered Until date should not be earlier than the Offered From date. If not specified, the service is always offered. For detailed field descriptions, see Table 4-3 on page 4-3 in the NetOp Policy Manager Reference. Note The Access and Custom service offering types require you to define additional fields; for information, see the Create an Access Service Offering section on page 9-4 and the Create a Custom Service Offering section on page 9-5.

13. Optional. With the exception of Lawful Intercept services, you can create complex services by defining a time or volume variation for any service offering. Access services cannot have a scheduled variation. See Chapter 11, Complex Time and Volume Services. You need to purchase a license to enable the complex services feature. You can create a prepaid service with real-time credit control by defining a credit-control variation for any Access service offering; see Chapter 12, Online Charging for Prepaid Services. You need to purchase a license to enable credit control. 14. Most service offerings require that at least one type of service attribute variation be configured to specify how the service offering should behave. Table 9-1 lists the required and optional service attribute variation types for each service offering type. In defining a service offering, you can: Reference a service attribute variation Double-click to select a service attribute variation type and select Referenced Variation. Browse to the service attribute variation you want to reference and click OK.

Service Offerings

9-3

Create Service Offerings

Define a service attribute variation inline: Define any applicable service attribute variations by activating the primary instance and typing the appropriate information for any required and optional filtering attributes or RADIUS attributes. For a list of valid attributes for each service attribute variation type, see Chapter 2, Service Attributes Descriptions in the NetOp Policy Manager Reference. For instructions on creating service attribute variations and instances of service attribute variations, see the Create Service Attribute Variations section on page 10-1.

Note

Service attribute variations defined inline cannot be reused by other service offerings. To use a service attribute variation for more than one service offering, create a service attribute variation and reference the variation from the service offering. For more information, see the Create Service Attribute Variations section on page 10-1.
Table 9-1 Required and Optional Service Attribute Variations

Columns: Service Offering Type | Required Service Attribute Variation | Optional Service Attribute Variation
Rows (service offering types): Access, Bandwidth, IP Redirect, Lawful Intercept, Video, Custom
Cell text as extracted, in page order: Dynamic IP Address Bandwidth IP Redirect Bandwidth Dynamic IP Address / Bandwidth / Lawful Intercept Video Bandwidth IP Redirect / Bandwidth Dynamic IP Address IP Redirect Lawful Intercept Video

Create an Access Service Offering


Access service offerings require definition of some fields not available for other service offering types. This section describes how to define the fields unique to Access service offerings. For descriptions of the fields common to all service offering types, see the Create Service Offerings section on page 9-1. To create an Access service offering, perform the following steps:

1. Create a new service offering, selecting Access Offering as the service offering type. Define the service offering as described in the Create Service Offerings section on page 9-1.

2. Click the Explicit Logon field and select Y or N to specify whether the service requires explicit or implicit logon. A value of Y indicates that the service offering requires that the subscriber be authenticated each time the subscriber circuit is created (for example, each time the subscriber turns on the PC); a value of N indicates that after the subscriber is authenticated once, the subscriber does not need to be authenticated again until the subscriber logs off using the web portal.


Note

The Explicit Logon field does not apply to subscribers authenticated through native PPP logon or 802.1x Extensible Authentication Protocol (EAP) logon.

3. Click the Max. Sessions field and type the number of simultaneous active sessions permitted for the subscriber account name and password. This setting represents the total logons permitted by a subscriber account, through web logon or native PPP logon.

Note

The Max. Sessions field must be set to 1 if you are assigning static IP addresses to subscriber accounts.

4. Click the Log Off Session on Limit field and select Y or N to specify whether to log off the oldest subscriber session when the session limit is exceeded. If the Log Off Session on Limit field is configured as Y, the NetOp PM system checks the number of active logons per subscriber account when the subscriber logs on and, if the aggregate number of subscriber account logons on all circuit types exceeds the configured Max. Sessions for the service, the NetOp PM system automatically logs off the oldest session.

Create a Custom Service Offering


If the service offering type templates provided with the NetOp PM software do not correspond to the type of service offering you want to create, you can define a custom service offering using the Custom service offering type. All fields described in the Create Service Offerings section on page 9-1 and the Create an Access Service Offering section on page 9-4 are available in the custom service offering template.

Note

The NetOp PM system does not check for valid combinations of service attribute variations in the custom service offering type. You should ensure that the values defined are valid combinations.

Modify Service Offerings


To modify a service offering, perform the following steps:

1. View a service offering; see the View Service Offerings section on page 9-1.

2. Modify service offering and service attribute variation details as appropriate.

3. Click Apply to save the service offering.


Delete Service Offerings


Note If you remove sample service offerings or sample service attribute variations and want to add them back to your system, consult your Redback Networks support representative or send an e-mail message to [email protected] for guidance.

Before you delete service offerings, it is important to be aware of the following:

Attempting to delete a service offering that has been configured as a default service offering results in the following error in the NetOp PM Service Offering user interface:

Failed to remove Service Offering
Unable to remove Service Offering [XXXXX]; referenced in service order history.

Attempting to delete a service offering to which a subscriber is currently subscribed causes the following error in the NetOp PM Service Offering user interface:

Failed to remove Service Offering
Unable to remove Service Offering [XXXXX]; because it is currently being used by subscriptions

Instead of deleting the service, remove the service from the list of available services to prevent new subscribers from selecting the service, effectively hiding the service. For more information, see the Make a Service Unavailable to Subscribers section on page 9-7.

Attempting to delete a service offering to which a subscriber has ever subscribed causes the following error in the NetOp PM Service Offering user interface:

Failed to remove Service Offering
Unable to remove Service Offering [XXXXX]; referenced in service order history

Use the archive_n_purge.sh -history command to archive and purge all service order history entries for your subscriber accounts. The service offering is then no longer referenced, and you can delete it.

If no subscribers are subscribed to a service offering, you can delete the service offering. To delete a service offering, perform the following steps:

1. View a service offering; see the View Service Offerings section on page 9-1.

2. Ensure that the service offering you want to delete is unavailable to subscribers. Service offerings that are unavailable to subscribers have a value of N in the Show In List field.

3. On the Properties panel toolbar, click Remove Service Offering. A confirmation dialog box appears.

4. Click Yes to remove the service offering.


Make a Service Unavailable to Subscribers


You can remove a service offering from the list of available services and continue to provide the service to existing subscribers by hiding the service. You can hide services in either of the following ways:

Configure the Offering Period to Hide a Service
Immediately Remove a Service from the List of Available Services

Configure the Offering Period to Hide a Service


You can configure a service offering to be removed from the list of available services at a predetermined date in the future, but continue to provide the service to existing subscribers by hiding the service using the Offered Until field. To hide a service using the offering period settings, perform the following steps:

1. View an existing service offering; see the View Service Offerings section on page 9-1.

2. Click the Offered Until field and type a date (YYYY-MM-DD hh:mm) to specify a future point in time to make the service unavailable for selection.

3. Click OK to modify the service offering and close the window, or click Apply to apply changes to an existing service.

Immediately Remove a Service from the List of Available Services


If you did not configure a specific end date for the service's offering period, and you want to make the service unavailable for selection immediately, perform the following steps:

1. View a service offering; see the View Service Offerings section on page 9-1.

2. Click the Show In List field and select N to remove the service from the list of services in the web portal.

3. Click Apply.

Note

The NetOp client Subscriber Account Properties panel, Subscribed Services tab enables you to add services that are not available to the subscriber on the web portal services page; see the Add Subscribed Services section on page 16-22.


Chapter 10

Service Attribute Variations

This chapter describes how to view, create, modify, and delete service attribute variations.

View Service Attribute Variations


To view an existing service attribute variation, perform the following steps:

1. On the network navigator, click Service Attribute Variation to display a list of service attribute variations on the object navigator.

2. Click one of the following service attribute variation types to narrow the list of variations: Bandwidth Variation, Custom Variation, Dynamic IP Address Variation, IP Redirect Variation, or Video Variation.

3. On the object navigator, select the service attribute variation you want to view.

4. On the management view launch bar, click Properties to display the service definition navigator on the Service Attribute Variation Properties panel.

5. Click a node type or encapsulation type to view service variation details.

Note

Additional RADIUS attributes added by the administrator appear on the NetOp client below RADIUS attributes natively supported by the NetOp PM system. They appear as a list grouped under Additional RADIUS Attributes. You can define additional RADIUS attributes using the NetOp PM API. The label displayed on the NetOp client for individual RADIUS attributes defaults to the name of the RADIUS attribute, though it can be set at the time of definition. For information on configuring additional RADIUS attributes, see Chapter 7, Configure Additional RADIUS Attributes and Chapter 3, Configure the Node for the NetOp PM System. For information on the API methods used to define additional RADIUS attributes, see Chapter 5, Configure Support for Additional RADIUS Attributes in the NetOp Policy Manager API Guide. For more information about additional RADIUS attributes, see the Use Additional RADIUS Attributes section on page 10-8.

Create Service Attribute Variations


To create a service attribute variation, perform the following steps:


1. On the network navigator, click Service Attribute Variation.

2. Click one of the following service attribute variation types: Bandwidth Variation, Custom Variation, Dynamic IP Address Variation, IP Redirect Variation, or Video Variation.

3. On the management view launch bar, click Properties.

4. On the Properties panel toolbar, click Add Service Attribute Variation to open the Add Service Attribute Variation dialog box.

5. Click the Adding Attribute Variation of type field and select the type of service attribute variation to add.

Note

To create a service attribute variation based on an existing service attribute variation, view the service attribute variation you want to replicate (see the View Service Attribute Variations section on page 10-1), click Add Service Attribute Variation, and on the Add Service Attribute Variation dialog box, click to select the Use data from currently displayed variation check box. You can only use this check box to create the same type of service attribute variation as you are viewing.

6. Click OK. An exclamation icon appears next to the objects that require information.

7. Click the service attribute variation type on the service definition navigator; for example, click Bandwidth.

8. Click the ID field and type the ID of the new service attribute variation. The ID must be unique across the NetOp PM system.

9. Click the Name field and type the name of the service attribute variation. The name must be unique across the NetOp PM system.

10. Optional. Click to select the Description check box and type a description of the service attribute variation.

11. Optional. If you are licensed to use the NetOp PM admission control function feature, click to select the Requested Inbound Bandwidth check box and type the amount of inbound bandwidth required, in kbps, to guarantee or conditionally guarantee bandwidth service quality for bandwidth-dependent services, such as Video On Demand and Video On Demand Soft Reservations. For information on Bandwidth service offerings, see Chapter 9, Create Service Offerings.

12. Optional. If you are licensed to use the NetOp PM admission control function feature, click to select the Requested Outbound Bandwidth check box and type the amount of outbound bandwidth required, in kbps, to guarantee or conditionally guarantee bandwidth service quality.


13. Optional. At this point you can decide whether you want hard reservations (guaranteed bandwidth) or soft reservations (conditionally guaranteed bandwidth) for this service offering. You must set the bandwidth (see step 11 or 12) before you can designate a soft reservation. If you want this service attribute variation to guarantee bandwidth, leave the check box empty or select N in the Soft Reservation field. This is a hard reservation. If you want this service attribute variation to conditionally guarantee bandwidth, click to select the Soft Reservation check box and select Y from the drop-down list. Click to select the Class of Service check box and from the drop-down list choose the class of service you want monitored if the congestion points become overloaded. Click to select the Activity Threshold check box and enter the activity threshold. This is a soft reservation service attribute.

Note

It is very important that you use unique names when naming your Class of Service because the NetOp PM system does not track the correlation between Class of Service and policy names, and the QoS policy deployed for a particular subscription may not be known.

For more information about soft reservations, see the Hard and Soft Bandwidth Reservations section on page 6-3 in the NetOp Policy Manager Product Overview. For detailed field descriptions, see Table 4-1 on page 4-1 in the NetOp Policy Manager Reference.

14. Define any applicable service attribute variations by activating the primary instance and typing the appropriate information in each field. Activate one or more of the primary instances of the service attribute variation by double-clicking the instance to select the check box, or right-clicking the instance, and clicking Activate. The NetOp client enables you to define multiple instances of service attribute variations, meaning you can specify RADIUS attributes differently based on one or more of the filtering attributes. For example, you can define two instances of a bandwidth variation for the SmartEdge router where the realm is ALL for one instance and ABC for the second. You can then specify a different bandwidth for the ABC realm instance. For more information, see the Variation Instances section on page 10-4. Instances of a service attribute variation appear under the service attribute variation type on the service definition navigator. Depending on the type of service attribute variation, instances are applied based on node type (SER, SMS), or node type and encapsulation type (SER_BRIDGED_1483, SER_CLIPS, and so on).

15. Optional. For unicast (VoD) and multicast (IPTV) service, specify the type of congestion points subject to admission control in the last mile. For unicast service, click to select the Congestion Point check box, and select Default (all) from the drop-down list. For multicast service, click to select the Congestion Point check box, and select RG from the drop-down list.

16. Create or remove instances, as appropriate; see the Create and Remove Variation Instances section on page 10-6.

For more information on instances, see the Variation Instances section on page 10-4 and the Automatic Naming of Location-Specific Service Attribute Variation Instances section on page 10-7.


17. For each instance, type the appropriate information for any required filtering attributes or RADIUS attributes. For optional fields, click to select the check box and type the appropriate information. Some attributes allow multiple values. You can either create additional instances of attributes to enter multiple values, or enter multiple values on separate lines in a single text field. If you enter multiple values on separate lines, the NetOp PM software converts the separate line entries to create multiple instances.

18. Click OK to save the service attribute variation.

Note

Existing service attribute variations can be referenced when you create service offerings; see the Create Service Offerings section on page 9-1.

Table 10-1 provides information on related topics.


Table 10-1 References for Information Related to Service Attribute Variations

For information on... | See...
Valid attributes for each service attribute variation type | Chapter 2, Service Attributes Descriptions in the NetOp Policy Manager Reference Guide
A description of each service attribute variation type | Chapter 3, Services in the NetOp Policy Manager Product Overview
A list of the sample service attribute variations, and a matrix of sample service attribute variations by type | Chapter 9, Service Offerings
Descriptions and valid values of the supported RADIUS attributes and filtering attributes | Chapter 1, Filtering Attribute and RADIUS Attribute Descriptions in the NetOp Policy Manager Reference Guide
Configuring Diameter overrides to RADIUS attributes for credit-control services | Chapter 12, Online Charging for Prepaid Services

Variation Instances
The NetOp client provides a high degree of flexibility in defining variations. Depending on the type of service you intend to create, you can define instances of the service attribute variation based on node type (SER, SMS), or node type and encapsulation type (SER_BRIDGED_1483, SER_CLIPS, SER_MOBILE_IP, and so on). Credit-control variations and some attributes within service attribute variations also allow multiple instances to be created. The following scenarios describe variation instance creation for service attribute variations only.

Define a Single Instance of a Single Type


If you are running only SmartEdge routers and use only one encapsulation type, for example PPP, you can define variations based on a single instance of the SER variation type where the Encapsulation Type is defined as PPP. Similarly, if you are running only SmartEdge routers and use PPP and CLIPS encapsulation types, and want the same service offerings and RADIUS attributes for PPP subscribers and CLIPS subscribers, you can define variations based on a single instance of the SER variation type where the Encapsulation Type is defined as ALL.


Define Multiple Instances of a Single Type


If you are running only SmartEdge routers and use only one encapsulation type, for example PPP, and you need to support one configuration for most subscribers, but a different configuration for subscribers in the ABC realm, and a third configuration for subscribers in the XYZ realm, you can define variations based on the following instances:

SER_PPP where Realm is ALL
SER_PPP where Realm is ABC
SER_PPP where Realm is XYZ

Define a Single Instance of Multiple Types


If you are running only SmartEdge routers and use PPP and CLIPS encapsulation types, but want to define different attributes for PPP subscribers and CLIPS subscribers, you can define variations based on a single instance of SER_CLIPS and a single instance of SER_PPP. Furthermore, if you are running only SmartEdge routers and use PPP and CLIPS encapsulation types, and want to define different attributes for PPP subscribers and CLIPS subscribers, and you need to support one configuration for most subscribers, but a different configuration for subscribers in the ABC realm, you can define variations based on the following instances:

SER where Encapsulation Type is ALL and Realm is ALL
SER_CLIPS where Realm is ABC
SER_PPP where Realm is ABC

In this example, the configuration for the SER instance applies to all subscribers except those in the ABC realm. For subscribers in the ABC realm, the attributes specified in the SER_CLIPS and SER_PPP instances override those specified in the SER instance.

Define Multiple Instances of a Single Type and Multiple Types


If you are running only SmartEdge routers and use PPP and CLIPS encapsulation types, and want to define different attributes for PPP subscribers and CLIPS subscribers, and you need to support one configuration for most subscribers, but a different configuration for CLIPS subscribers in the ABC realm, you can define variations based on the following instances:

SER_CLIPS where Realm is ALL
SER_CLIPS where Realm is ABC
SER_PPP where Realm is ALL

Figure 10-1 illustrates this scenario.

Note

Unique naming is applied to the different instances automatically after the variation is created. For more information on automatic naming, see the Automatic Naming of Location-Specific Service Attribute Variation Instances section on page 10-7.


Figure 10-1 Multiple Instances of a Single Type and Multiple Types

Create and Remove Variation Instances


To create multiple instances of a service attribute variation or credit-control variation, you must first activate the primary instance by selecting the check box, or by right-clicking the instance, and clicking Activate. To create multiple instances of a variation, perform the following steps:

1. Right-click an activated variation instance; for example, under Bandwidth variation, right-click SER.

2. Click New Instance. A new instance of the node type or encapsulation type appears.


3. In each field, type the appropriate information. For each instance of a single type, at least one of the following fields must be unique:

Encapsulation Type
Port Type
Medium Type
Software Version
Realm

Note

You cannot remove the last instance of a variation. The last instance must be deactivated. To deactivate an instance, right-click the instance, and click Deactivate. If you deactivate the primary instance, that is, the instance with the selected check box, the selected check box moves to the next instance, making that instance the new primary instance.

To remove an instance of a variation:

1. Right-click an existing activated instance of a service attribute variation.

2. Click Remove.

Automatic Naming of Location-Specific Service Attribute Variation Instances


To assist service providers in creating several location-specific service attribute variations, and to help service providers distinguish between large numbers of similar instances, the NetOp PM system automatically names instances of service attribute variations based on the filtering attributes specified for the instance. The format of the automatic name is as follows:
Node Type-Encapsulation Type-Realm-Medium Type-Port Type-Calling Station Id-NAS Identifier-NAS Port Id

Note

Each instance of a service attribute variation must have a unique value for at least one filtering attribute.

For filtering attributes specified as ALL, the NetOp PM system inserts an asterisk (*) character; for example, an instance for the SmartEdge router where all other filtering attributes are specified as ALL appears as SER-*-*-*-*-*-*-* in the service definition navigator.

Note

The Software Version filtering attribute is never included in the automatic name.

An instance of an IP redirect variation for the SmartEdge router with a NAS-Identifier value of ser-1 and a NAS-Port-Id value of 12/8 vlan-id 2, where all other filtering attributes are specified as ALL, appears as SER-*-*-*-*-*-ser-1-12/8 vlan-id 2 in the service definition navigator. Similarly, an instance of the same IP redirect variation for the SmartEdge router with a NAS-Identifier value of ser-1 and a NAS-Port-Id value of 12/12 vlan-id 3, where all other filtering attributes are specified as ALL, appears as SER-*-*-*-*-*-ser-1-12/12 vlan-id 3 in the service definition navigator. In contrast, an instance of the same IP redirect variation for the SmartEdge router with a Calling-Station-Id value of 00:0E, where all other filtering attributes are specified as ALL, appears as SER-*-*-*-*-00:0E-*-* in the service definition navigator. Figure 10-2 illustrates the automatic naming applied for multiple instances.
Figure 10-2 Automatic Naming for Multiple Instances
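The following Python is an added example, not NetOp PM code: it builds the automatic instance name from the format above (asterisk for ALL, Software Version never included) and, for the Variation Instances scenarios earlier in this chapter, works out which instances apply to a circuit and checks that no two instances share every filtering attribute. The attribute-by-attribute override between a general and a more specific instance, and the Qos-Rate-Inbound values in the scenario, are assumptions.

```python
"""Automatic names and most-specific matching for service attribute
variation instances.

Added example, not NetOp PM code.  The name format and the '*' for ALL
follow this section; the override rule (a more specific matching instance
overrides a less specific one, attribute by attribute) is an assumption
based on the 'Variation Instances' scenarios in this chapter.
"""
from dataclasses import dataclass, field

ALL = "ALL"
# Filtering attributes in automatic-name order.  Software Version is a
# filtering attribute too, but it is never part of the name.
NAME_ORDER = ("node_type", "encapsulation_type", "realm", "medium_type",
              "port_type", "calling_station_id", "nas_identifier",
              "nas_port_id")
FILTER_ATTRS = NAME_ORDER + ("software_version",)


@dataclass
class Instance:
    filters: dict                               # filtering attr -> value
    radius: dict = field(default_factory=dict)  # RADIUS attr -> value

    def value(self, attr):
        return self.filters.get(attr, ALL)

    def auto_name(self):
        """Node Type-Encapsulation Type-Realm-...-NAS Port Id, '*' for ALL."""
        return "-".join("*" if self.value(a) == ALL else self.value(a)
                        for a in NAME_ORDER)

    def key(self):
        return tuple(self.value(a) for a in FILTER_ATTRS)

    def specificity(self):
        return sum(1 for a in FILTER_ATTRS if self.value(a) != ALL)

    def matches(self, circuit):
        """Every filter is ALL or equals the circuit's value."""
        return all(self.value(a) in (ALL, circuit.get(a))
                   for a in FILTER_ATTRS)


def find_duplicates(instances):
    """Names of instances that share every filtering attribute value with
    an earlier instance (at least one value must differ per instance)."""
    seen, dups = set(), []
    for inst in instances:
        if inst.key() in seen:
            dups.append(inst.auto_name())
        seen.add(inst.key())
    return dups


def effective_attributes(instances, circuit):
    """RADIUS attributes applied to a circuit: matching instances are layered
    from least to most specific, so specific values win (assumption)."""
    result = {}
    for inst in sorted((i for i in instances if i.matches(circuit)),
                       key=Instance.specificity):
        result.update(inst.radius)
    return result


# Constructed scenario after "Define a Single Instance of Multiple Types":
# one SER instance for everyone plus CLIPS and PPP instances for realm ABC.
# Qos-Rate-Inbound is the attribute name this chapter uses; values are made up.
SCENARIO = [
    Instance({"node_type": "SER"}, {"Qos-Rate-Inbound": "1024"}),
    Instance({"node_type": "SER", "encapsulation_type": "CLIPS",
              "realm": "ABC"}, {"Qos-Rate-Inbound": "2048"}),
    Instance({"node_type": "SER", "encapsulation_type": "PPP",
              "realm": "ABC"}, {"Qos-Rate-Inbound": "4096"}),
]

if __name__ == "__main__":
    for inst in SCENARIO:
        print(inst.auto_name())
    print(effective_attributes(
        SCENARIO, {"node_type": "SER", "encapsulation_type": "CLIPS",
                   "realm": "ABC"}))
```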

Use Additional RADIUS Attributes


Occasionally, the services you want to offer may require RADIUS attributes that are not natively supported by the NetOp PM software. The NetOp PM system enables administrators to extend support for additional RADIUS attributes in service attribute variation definitions, enabling you to specify values for those RADIUS attributes during service creation, and thereby apply the characteristics associated with the RADIUS attribute to the subscriber circuit. For more information on defining additional RADIUS attributes, see Chapter 5, Configure External RADIUS and LDAP Servers. For a description of the methods used to define additional RADIUS attributes, see Chapter 5, Configure Support for Additional RADIUS Attributes in the NetOp Policy Manager API Guide.

Additional RADIUS attributes defined by the administrator appear on the management view panel for the service attribute variation types specified in the RADIUS attributes definition. The additional attributes appear below the RADIUS attributes natively supported in the NetOp PM system, and are grouped under the title, Additional RADIUS Attributes.

For example, if the administrator defines support for a RADIUS attribute named Qos-Rate-Inbound that is valid only for the bandwidth service attribute variation type for CLIPS-encapsulated circuits on the SmartEdge router, the Qos-Rate-Inbound attribute appears after the RB-Qos-Queuing-Profile-Name attribute when you select the SER-CLIPS instance of a bandwidth service attribute variation. Based on the example definition, the Qos-Rate-Inbound RADIUS attribute will not appear on the management view panel for the SER-PPP instance of the bandwidth service attribute variation, or for any of the SMS instances of the bandwidth service attribute variation. Similarly, the Qos-Rate-Inbound RADIUS attribute will not appear on the management view panel for any IP redirect service attribute variations.
If the NetOp client is running when the administrator adds or removes support for a RADIUS attribute, the RADIUS attribute will not appear on or disappear from the management view panel until you refresh the NetOp client by clicking the Refresh button on the Service Attribute Variation Properties panel. If a RADIUS attribute is removed by an administrator and the NetOp client is not refreshed, you will receive an error message if you try to specify the removed attribute. If an administrator wants to remove support for an additional RADIUS attribute, the administrator must first ensure that no service attribute variation makes use of the RADIUS attribute.


Note

You might need to wait up to 30 seconds for the refresh after the NetOp client is updated.

Modify Service Attribute Variations


To modify a service attribute variation, perform the following steps:

1. View a service attribute variation; see the View Service Attribute Variations section on page 10-1.

2. Modify service attribute variation details as appropriate.

3. Click Apply to save the service attribute variation.

Delete Service Attribute Variations


Note

You cannot delete the dynamic IP address service attribute variations provided with the NetOp PM software.

You may want to delete a service attribute variation from the database; for example, if a realm variation is no longer supported, or if an encapsulation type, software version, port type, or medium type is no longer required. To delete a service attribute variation, perform the following steps:

1. View a service attribute variation; see the View Service Attribute Variations section on page 10-1.

2. On the Properties panel toolbar, click Remove Service Attribute Variation. A confirmation dialog box appears.

3. Click Yes to remove the service attribute variation.

Note

If a service attribute variation is being referenced by a service offering, an attempt to delete the service attribute variation fails.


Chapter 11

Complex Time and Volume Services

With the exception of Lawful Intercept services, you can create complex services by defining a time or volume variation for any service offering; you can specify the variation as scheduled or metered. Access services cannot have a scheduled variation.

Note

To define and manage NetOp PM complex services, which include quota metering, you must have a license for the complex services feature.

The NetOp PM software supports two types of complex time and volume service offering variations:

Scheduled Services
Metered Services

Metered services include time-metered and volume-metered services.

Scheduled Services
Scheduled services start or stop at a particular time, or after a configured amount of time elapses. You can configure a scheduled service to start or stop at a specified time; for example, a video multicast of a specific event. Alternatively, you can configure the service to start at a specific time and last for a specified duration. Another type of scheduled service is a turbo-button service, which starts immediately on subscription and lasts for a specific duration. For example, you can configure a bandwidth-boost service where the subscriber temporarily has a higher rate of bandwidth for a short amount of time; when the specified amount of time elapses, the bandwidth reverts to the subscriber's original bandwidth.

The following concepts apply to scheduled service offerings:

Active service: A subscribed service whose RADIUS attributes are applied to the subscriber's session.

Activate: Time at which the NetOp PM software applies RADIUS attributes to the subscriber session. This value can be absolute or relative.

Deactivate: Time at which the NetOp PM software removes RADIUS attributes from the subscriber session. The service remains subscribed. The value can only be relative and cannot be a value prior to the activation time.


Expires: Time at which the NetOp PM software removes RADIUS attributes from the subscriber session and unsubscribes the subscriber from the service. The value can be absolute or relative and cannot be a value prior to the activation time.

Occurs: Frequency with which the service becomes active. The default value is Once.

For possible values for each of these settings, see Chapter 4, NetOp Client Panel Descriptions in the NetOp Policy Manager Reference.

Note

Access services cannot be defined as scheduled services.

Absolute and Relative Times in Scheduled Services


To support scheduled services, the NetOp PM software employs the concepts of absolute and relative time. If you specify an absolute time, the service becomes active or inactive on a particular date at a particular time of day. If the Activate field is defined as 2007-03-01 11:00, the service becomes active on March 1, 2007, at 11:00 a.m. if the subscriber adds the service before that time, or immediately if the subscriber adds the service after March 1, 2007, at 11:00 a.m. and it is before the deactivation or expiry date and time.

If you specify a relative time, the service becomes active at a point in time relative to the subscriber selecting the service, or inactive at a point in time relative to the service becoming active. You can specify relative time in the following ways:
- Use a plus (+) sign. If you specify a time using the + sign, you indicate an amount of time relative to a particular moment. For example, if the Deactivate field is +3:00 and the service is activated at 11:00 a.m., the service becomes inactive at 2:00 p.m., 3 hours after service activation. To indicate an amount of time equal to or greater than one day, use the ddd notation to indicate the number of days from a particular moment; for example, a time of +364 23:59 in the Deactivate field indicates that the service becomes inactive 364 days, 23 hours, and 59 minutes after the service is activated. Similarly, a time of +30 in the Deactivate field indicates that the service is deactivated 30 days after the service is activated.
- Do not use a + sign. If you specify a time without a + sign, you indicate a time of day relative to the moment of selection or activation. For example, if the Activate field is 3:00 and the subscriber selects the service at 11:00 a.m., the service becomes active at 3:00 a.m. the next day. Similarly, if the Deactivate field is 5:00, the service is deactivated at 5:00 a.m. on the same day the service was activated. If the subscriber selects the service between 3:00 a.m. and 5:00 a.m., the service is activated immediately and deactivated at 5:00 a.m. If the subscriber selects the service outside of the active service period (3:00 a.m. to 5:00 a.m.), the service is activated at the next 3:00 a.m. and deactivated at the next 5:00 a.m.; that is, the service is activated on the same day it is selected if the service is selected after 12:00 a.m., or the next day if the service is selected before 12:00 a.m. For the next activation cycle (the next day, week, or month), the activation time is 3:00 a.m. and deactivation is 5:00 a.m.

You can also specify a day of the week to indicate a relative time. For example, if the Activate field is Monday 3:00 and the subscriber selects the service on Tuesday at 9:00 a.m., the service becomes active on the next Monday at 3:00 a.m. If the subscriber selects the service during the active service period, for example on Monday at 5:00 a.m., the service is activated immediately.

Note: The service becomes active at the time specified according to the time zone of the NetOp PM database.


NetOp Policy Manager Configuration Guide


For details on the sample scheduled service offerings provided with the NetOp PM software, see Chapter 3, Sample Service Descriptions in the NetOp Policy Manager Reference. Table 11-1 describes the valid absolute and relative time specifications, and the formats supported for each time-related scheduled service field.

Table 11-1 Valid Absolute and Relative Time Specifications

Field: Activate
  Absolute time:
  - IMMEDIATE (Note: IMMEDIATE must be specified in uppercase letters.)
  - YYYY-MM-DD hh:mm, where hh:mm is a time on a 24-hour clock from 00:00 (midnight) to 23:59 (11:59 p.m.)
  Relative time:
  - +ddd [hh:mm], where ddd is a number of days from 1 to 365 and hh:mm is an amount of time from 0:00 to 23:59, relative to the time when the subscriber adds the service
  - +hh:mm, where hh:mm is an amount of time from 0:00 to 23:59, relative to the time when the subscriber adds the service
  - hh:mm, where hh:mm is a time on a 24-hour clock from 0:00 (midnight) to 23:59 (11:59 p.m.); the service is activated on the next occurrence of hh:mm after the moment the subscriber adds the service
  - day_of_week hh:mm, where day_of_week is one of the following days: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday

Field: Deactivate
  Absolute time: none (the value can only be relative)
  Relative time:
  - +ddd [hh:mm], where ddd is a number of days from 1 to 365 and hh:mm is an amount of time from 0:00 to 23:59, relative to the time when the service is activated
  - +hh:mm, where hh:mm is an amount of time from 0:00 to 23:59, relative to the time when the service is activated
  - hh:mm, where hh:mm is a time on a 24-hour clock from 0:00 (midnight) to 23:59 (11:59 p.m.); the service is deactivated on the next occurrence of hh:mm after the moment the service is activated
  - day_of_week hh:mm

Field: Expires
  Absolute time:
  - NEVER (Note: NEVER must be specified in uppercase letters.)
  - YYYY-MM-DD hh:mm
  Relative time:
  - +ddd [hh:mm], where ddd is a number of days from 1 to 365 and hh:mm is an amount of time from 0:00 to 23:59, relative to the time when the service is activated
  - +hh:mm, where hh:mm is an amount of time from 0:00 to 23:59, relative to the time when the service is activated
  - hh:mm, where hh:mm is a time on a 24-hour clock from 0:00 (midnight) to 23:59 (11:59 p.m.); the service is deactivated on the next occurrence of hh:mm after the moment the service is activated
  - day_of_week hh:mm


Examples: Valid Formats for Absolute and Relative Times


To demonstrate the use of absolute and relative formats, consider the following examples.

Daily Service
Valid formats:
  Activate: 08:00
  Deactivate: 18:00
  Expires: NEVER
  Occurs: Daily

An example of a daily service is a daily bandwidth boost during peak hours. The service's attributes are applied to the subscriber's session at 8:00 a.m. on the first day the subscriber adds the service. The service remains active until 6:00 p.m. on the same day. During the service's offering period, the bandwidth boost is listed in the subscriber's subscribed services, but the service offering's attributes are only applied to the subscriber session daily at 8:00 a.m. and remain active on the session until 6:00 p.m. The service repeats daily for as long as the subscriber remains subscribed to the service. The service never expires, meaning the service is not removed from the subscriber's list of services until the subscriber explicitly removes it.

Single Occurrence Service
Valid formats:
  Activate: IMMEDIATE
  Deactivate: (not specified)
  Expires: NEVER
  Occurs: Once

An example of a single occurrence service is a Basic Internet Access service. The service's attributes are applied to the subscriber's session immediately when the subscriber adds the service. The service never expires, meaning the service offering's attributes are applied to the subscriber session and the service remains in the subscriber's list of services until the subscriber explicitly removes it.

Note: Do not specify a value for the Deactivate field for single occurrence services where the Occurs field is set to Once.

Weekly Service
Valid formats:
  Activate: Monday 19:00
  Deactivate: +2:00
  Expires: 2007-04-30
  Occurs: Weekly

An example of a weekly service is a pay per view subscription to a TV series. The service's attributes are applied to the subscriber's session on the first Monday at 7:00 p.m. after the subscriber adds the service. That is, if the subscriber adds the service on a Monday at 6:00 p.m., the service's attributes are applied on the same Monday, one hour later; if the subscriber adds the service on a Monday at 9:00 p.m., the service's attributes are applied on the following Monday at 7:00 p.m. During the service's offering period, the TV series is listed in the subscriber's subscribed services, but the service offering's attributes are only applied to the subscriber session every Monday at 7:00 p.m. and remain active on the session until 9:00 p.m. on the same Monday. The service repeats weekly, meaning the service's attributes are active every Monday from 7:00 to 9:00 p.m. until the service's expiry on April 30, 2007. At the end of April, when the TV series is over, the service is removed from the list of subscribed services.
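The Activate and Deactivate formats of Table 11-1 and the examples above, worked through as an added Python example that is not part of the original guide or of NetOp PM (function names, and the handling of cases the guide does not spell out, such as a + duration inside a recurring window, are this example's assumptions):

```python
"""Resolve the Activate and Deactivate fields of a NetOp PM scheduled service.
Added example, not NetOp PM code: it implements the Table 11-1 time formats as the
guide describes them; function names and behaviour the guide leaves open are assumptions.
"""
import re
from datetime import datetime, timedelta

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
_ABSOLUTE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (\d{1,2}):(\d{2})$")  # YYYY-MM-DD hh:mm
_PLUS_DAYS = re.compile(r"^\+(\d{1,3})(?: (\d{1,2}):(\d{2}))?$")         # +ddd [hh:mm]
_PLUS_HM = re.compile(r"^\+(\d{1,2}):(\d{2})$")                          # +hh:mm
_TIME_OF_DAY = re.compile(r"^(\d{1,2}):(\d{2})$")                        # hh:mm
_DAY_OF_WEEK = re.compile(r"^([A-Za-z]+) (\d{1,2}):(\d{2})$")            # day_of_week hh:mm

def at(text):
    """Parse 'YYYY-MM-DD hh:mm' (helper for the examples and tests)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def _occurrence_spec(field):
    """(hour, minute, weekday or None) for the hh:mm and day_of_week hh:mm forms, else None."""
    m = _TIME_OF_DAY.match(field)
    if m:
        return int(m.group(1)), int(m.group(2)), None
    m = _DAY_OF_WEEK.match(field)
    if m and m.group(1).lower() in DAYS:
        return int(m.group(2)), int(m.group(3)), DAYS.index(m.group(1).lower())
    return None

def _relative_delta(field):
    """timedelta for the +ddd [hh:mm] and +hh:mm forms, else None."""
    m = _PLUS_DAYS.match(field)
    if m:
        days = int(m.group(1))
        if not 1 <= days <= 365:
            raise ValueError("ddd must be from 1 to 365: %r" % field)
        return timedelta(days=days, hours=int(m.group(2) or 0), minutes=int(m.group(3) or 0))
    m = _PLUS_HM.match(field)
    if m:
        return timedelta(hours=int(m.group(1)), minutes=int(m.group(2)))
    return None

def next_occurrence(base, hour, minute, weekday=None):
    """First hour:minute (on the given weekday, if any) at or after base."""
    cand = base.replace(hour=hour, minute=minute, second=0, microsecond=0)
    step = 1
    if weekday is not None:
        cand += timedelta(days=(weekday - cand.weekday()) % 7)
        step = 7
    while cand < base:
        cand += timedelta(days=step)
    return cand

def resolve_activate(field, selected_at):
    """Moment the attributes are applied, given when the subscriber adds the service."""
    if field == "IMMEDIATE":
        return selected_at
    m = _ABSOLUTE.match(field)
    if m:  # an absolute time already in the past activates the service immediately
        return max(datetime(*map(int, m.groups())), selected_at)
    delta = _relative_delta(field)
    if delta is not None:
        return selected_at + delta
    spec = _occurrence_spec(field)
    if spec is not None:
        return next_occurrence(selected_at, *spec)
    raise ValueError("unsupported Activate value: %r" % field)

def resolve_deactivate(field, activated_at):
    """Moment the attributes are removed; relative to activation and never before it."""
    delta = _relative_delta(field)
    if delta is not None:
        return activated_at + delta
    spec = _occurrence_spec(field)
    if spec is not None:
        return next_occurrence(activated_at, *spec)
    raise ValueError("Deactivate must be a relative time: %r" % field)

def resolve_schedule(activate, deactivate, selected_at):
    """Return (activated_at, deactivated_at) for the first occurrence of the service.
    Selecting the service while a recurring window is already open (Activate 3:00,
    Deactivate 5:00, selected at 4:00 a.m.) activates it immediately, as the guide says.
    """
    activated_at = resolve_activate(activate, selected_at)
    if deactivate is None:
        return activated_at, None
    spec = _occurrence_spec(activate)
    if spec is not None:
        # Start of the most recent window: step back one cycle from the next occurrence.
        window_start = next_occurrence(selected_at, *spec)
        if window_start > selected_at:
            window_start -= timedelta(days=7 if spec[2] is not None else 1)
        if selected_at < resolve_deactivate(deactivate, window_start):
            activated_at = selected_at
    return activated_at, resolve_deactivate(deactivate, activated_at)
```

Calling resolve_schedule("Monday 19:00", "+2:00", at("2007-03-05 21:00")) reproduces the weekly example: a subscriber who adds the service on a Monday at 9:00 p.m. is activated on the following Monday at 7:00 p.m.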

Create a Scheduled Variation


The NetOp PM software does not support having a scheduled service as a default service. Do not assign a service offering with a scheduled time variation as a default service.

To create a service offering as a scheduled service, perform the following steps:
1. Create a service offering as described in the Create Service Offerings section on page 9-1.
2. On the service definition navigator, double-click to select the Time/Volume Variation check box; the Scheduled Variation option is selected by default.
3. Click Scheduled Variation to define the details of the variation.
4. Click the Activate field and type the time when the service offering's attributes are applied to the subscriber session. The value can be absolute or relative. If you specify an absolute time, the service becomes active at a particular date and time of day. For example, if the Activate field is 2007-03-01 11:00, the service becomes active on March 1, 2007, at 11:00 a.m., or immediately if the subscriber adds the service after 2007-03-01 11:00. For a more detailed description of absolute and relative times, see Table 11-1 on page 11-3 and the Absolute and Relative Times in Scheduled Services section on page 11-2.
   Note: Access services cannot be defined as scheduled services.
5. Optional. Click to select the Deactivate check box and type the time when the service offering's attributes are removed from the subscriber session, relative to activation. The service remains subscribed, even if it is deactivated. The value can only be relative, and cannot be a value prior to the activation time. When you specify a relative time, the service becomes inactive at a point in time relative to the service's activation. For example, if the Deactivate field is +3:00 and the service is activated at 11:00 a.m., the service becomes inactive at 2:00 p.m., 3 hours after service activation. Similarly, if the Deactivate field is 03:00 and the service is activated at 11:00 a.m., the service becomes inactive at 3:00 a.m. the next day.
   Note: Do not specify a value for the Deactivate field for non-recurring services, where the Occurs field is set to Once.
6. Optional. Click to select the Expires check box and type a time. The Expires field indicates when the service offering's attributes are removed from the subscriber session, relative to activation, and the NetOp PM software removes the service from the subscriber's subscribed services. The value can be absolute or relative, and cannot be a value prior to the activation time.
   An example of a service offering that uses both the Expires and Deactivate fields is a pay per view subscription to a TV miniseries, which lasts for one month. During the month, the TV miniseries is listed in the subscriber's subscribed services, but the service offering's attributes are only applied to the subscriber session every Monday at 7:00 p.m. (Offered From = 2007-04-01 00:00, Activate = Monday 19:00, Occurs = Weekly) for a two-hour period (Deactivate = +02:00). After one month, when the TV miniseries is over, the service is removed from the list of subscribed services (Expires = 2007-04-30 21:00:00).
   An example of a service offering that uses only the Deactivate field and not the Expires field is a daily bandwidth boost during peak hours. In this case, the service becomes active at 8:00 a.m. on the first day the subscriber adds the service (Activate = 08:00). The service remains active until 6:00 p.m. on the same day, or until 8:00 a.m. the next day if the service is selected after 18:00 (Deactivate = 18:00). The 8:00 a.m. activation and 6:00 p.m. deactivation repeat daily for as long as the subscriber remains subscribed to the service (Occurs = Daily).
   The following example demonstrates the difference between the Offered Until date and the Expires date for a scheduled service. To offer a subscription for a season of Major League Baseball games for a favorite team, you can offer two services: Full Season and Half Season. For this example, assume the baseball season runs from April 3 to October 2 and the World Series runs from October 3 to the end of October. Subscribers who sign up during the first half of the season (to June 30) subscribe to the Full Season service. After June 30, the Full Season service is no longer offered to subscribers on the web portal, but those who subscribed to the service continue to receive the service until its expiry at the end of the World Series. Subscribers who sign up in the last half of the season (after June 30) subscribe to the Half Season service. The Half Season service is offered until the end of the regular season on October 2. After October 2, the Half Season service is no longer offered to subscribers on the web portal, but those who subscribed to the service continue to receive the service until its expiry at the end of the World Series. The Expires date is the same for both services: the last day of the World Series; the Offered Until date is different: June 30 for the Full Season package and October 2 for the Half Season package.
7. Optional. Click to select the Occurs check box and select the frequency with which the service becomes active.
   Note: For non-recurring services, where the Occurs field is set to Once, do not specify a value for the Deactivate field.
8. If all other required information has been defined for the service offering, click OK to create the service offering and close the window, or click Apply to apply changes to an existing service.

For detailed field descriptions, see Table 4-4 on page 4-4 in the NetOp Policy Manager Reference. Table 4-5 on page 4-5 in the NetOp Policy Manager Reference describes the valid absolute and relative time specifications and the formats supported for each time-related field.


Metered Services
Metered services charge the subscriber for the amount of time or bytes (volume) used. For volume-based services, upstream and downstream traffic can be metered separately.

Note: SMS devices do not support metered services.

One application of metered services is prepaid services. The NetOp PM system can support prepaid scenarios in two modes. In stand-alone deployment scenarios, NetOp PM's service manager handles all time- and volume-metering functions and can redirect a subscriber's session when the balance remaining is zero. In an integrated deployment scenario, the NetOp PM system coordinates with an external credit control server. This section describes metered services in stand-alone deployment scenarios using the NetOp PM service manager. For information on prepaid services in an integrated deployment scenario, see Chapter 12, Online Charging for Prepaid Services.

The following concepts apply to time-metered and volume-metered service offerings:
- Active service: A subscribed service whose RADIUS attributes are applied to the subscriber's session.
- Time quota: Amount of time the subscriber can actively use the service. The default time quota in the service offering definition can be modified for each subscriber at the point of subscription using service subscription overrides; see Chapter 7, Service Subscription Attribute Overrides in the NetOp Policy Manager API Guide for information.
- Incoming traffic quota: Number of KB the subscriber can receive. The default incoming traffic quota can be modified for each subscriber at the point of subscription using service subscription overrides; see Chapter 7, Service Subscription Attribute Overrides in the NetOp Policy Manager API Guide for information.
- Outgoing traffic quota: Number of KB the subscriber can send. The default outgoing traffic quota can be modified for each subscriber at the point of subscription using service subscription overrides; see Chapter 7, Service Subscription Attribute Overrides in the NetOp Policy Manager API Guide for information.
- When quota exceeded: Applies only to the standalone deployment scenario. The action that the NetOp PM system should perform when the subscriber's quota is exceeded. You can choose from the following options:
  - Expire Subscription (this is the default)
  - Deactivate Subscription
  - Replace Variation
  - Do Nothing
  For descriptions of these options, see Chapter 3, Sample Service Descriptions in the NetOp Policy Manager Reference.
- Reset Occurs: Applies only to the standalone deployment scenario. Frequency with which the quota is reset. The default value is None.
- Reset Time: Optional. Applies only to the standalone deployment scenario. The date and time at which the service subscription is reset.


For possible values for each of these settings, see Chapter 4, NetOp Client Panel Descriptions in the NetOp Policy Manager Reference.

Time and volume metering continues until the subscriber logs off or exceeds the subscribed quota. In the case of an implicit logon service, the subscriber must explicitly log off or the DHCP lease must expire; in the case of an explicit logon service, there is no issue because the NetOp PM system logs the subscriber off automatically. For subscribers who are logged on and have been assigned to a captive portal (for example, a quota exceeded notification), time and volume quotas continue to be consumed.

Tiered Quota Service Bundles


Tiered Quota service bundles enable service providers to offer a service that is modified as the subscriber crosses various usage thresholds. For subscribers who have exceeded their service volume quota, service providers can redirect them to a Top Up page where subscribers can purchase more time or volume. Table 11-2 shows a Sample Tiered Monthly Volume Quota service bundle, which describes an application of a Tiered Quota service: a monthly two-stepped service offering, which defaults to a Basic Access service at a low connection rate when the quota is exhausted.

Table 11-2 Sample Tiered Monthly Volume Quota Service Bundle

Sample Service Offering: Tiered Monthly-First 1 GB Gold
  Priority Set To: 60
  Quota Exceeded Action Set To: Deactivated
  Result when Quota Is Exceeded: This service is deactivated and the Tiered Monthly-Next 1 GB Silver service offering starts.

Sample Service Offering: Tiered Monthly-Next 1 GB Silver
  Priority Set To: 70
  Quota Exceeded Action Set To: Replace Variation (with Top Up Redirect)
  Result when Quota Is Exceeded: See the Basic Access service offering. The subscriber is sent to the captive portal Usage web page and Top Up redirect page, where more service can be purchased.

Sample Service Offering: Basic Access
  Priority Set To: 99
  Quota Exceeded Action Set To: Not applicable
  Result when Quota Is Exceeded: The subscriber uses a non-metered service offering that offers a lower bandwidth access service for the remainder of the month.

In the NetOp PM system, all services that make up a Tiered Quota service are applied to the subscriber session. Then, all active subscriptions are charged with session volume usage simultaneously. Therefore, while the subscription consumes the first GB from the first service offering (in the example shown in Table 11-2, Tiered Monthly-First 1 GB Gold), it is also consuming 1 GB of the next service offering (in the example, Tiered Monthly-Next 1 GB Silver). If the Tiered Quota service bundle had a third tier, it would need to be created with more than 2 GB of volume quota. In the example, there is no third tier; the subscriber uses the Basic Access service offering, which is not a volume metered service.

You must set the Priority for each tier to ensure the correct tier service attributes are applied, as indicated in the Priority column of Table 11-2. As shown, the fastest bandwidth (Tiered Monthly-First 1 GB Gold) requires the highest priority. For information about setting priorities for service offerings, see the Create Service Offerings section on page 9-1.

Based on the example in Table 11-2, when the quota for the Tiered Monthly-First 1 GB Gold service is consumed, the NetOp PM system continues consuming the Tiered Monthly-Next 1 GB Silver service offering. Following the example, when the quota for the Tiered Monthly-Next 1 GB Silver service offering is consumed, the subscriber either continues using the Basic Access service offering at a reduced bandwidth or is redirected to the Usage web page where more and faster service can be purchased using the Top Up redirect page. See Chapter 7, Service Subscription Attribute Overrides in the NetOp Policy Manager API Guide for more details about these configurations. The decision to provide lower bandwidth or to redirect subscribers who exceed their volume quotas to a Usage page is based on how you set the Replace Variation attribute on the Metered Variation pane.

Figure 11-1 illustrates what happens as the month progresses for the Tiered Quota service bundle example described in Table 11-2. This monthly volume service bundle is made up of a Tiered Monthly-First 1 GB Gold service offering, a Tiered Monthly-Next 1 GB Silver service offering, and a Basic Internet Access service offering.
Figure 11-1 Example of a Tiered Monthly Volume Quota Service Bundle
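The simultaneous charging of the tiers in Table 11-2, simulated in an added Python example that is not part of the original guide or of NetOp PM. The class names, the 1 GB = 1024 x 1024 KB assumption and the check_bundle validation are this example's own; the check generalizes the guide's remark about a third tier needing more than 2 GB to any number of tiers:

```python
"""Simulate the Tiered Quota service bundle of Table 11-2.
Added example, not NetOp PM code: it applies the guide's rule that every active
subscription in the bundle is charged with the session's volume usage at the same
time, and picks the tier by Priority. Names, the binary GB and check_bundle are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

KB_PER_GB = 1024 * 1024  # quotas are configured in kilobytes (assumption: 1 GB = 1024 * 1024 KB)


@dataclass
class Tier:
    name: str
    priority: int               # lower number wins: Gold 60, Silver 70, Basic 99 in Table 11-2
    quota_kb: Optional[int]     # None: not volume metered (the Basic Access fallback)
    quota_exceeded_action: str  # "Deactivated", "Replace Variation", "Not applicable"
    used_kb: int = 0

    def exceeded(self) -> bool:
        return self.quota_kb is not None and self.used_kb >= self.quota_kb


class TieredBundle:
    """All tiers are applied to the session; the highest-priority tier with quota left is active."""

    def __init__(self, tiers: List[Tier]):
        self.tiers = sorted(tiers, key=lambda t: t.priority)

    def charge(self, session_kb: int) -> None:
        """Charge every metered subscription simultaneously, not only the active one."""
        for tier in self.tiers:
            if tier.quota_kb is not None:
                tier.used_kb += session_kb

    def active_tier(self) -> Optional[Tier]:
        for tier in self.tiers:
            if not tier.exceeded():
                return tier
        return None

    def outcome(self) -> Tuple[Optional[str], Optional[str]]:
        """(name of the active tier, Quota Exceeded action of the last tier that ran out)."""
        active = self.active_tier()
        exhausted = [t for t in self.tiers if t.exceeded()]
        return (active.name if active else None,
                exhausted[-1].quota_exceeded_action if exhausted else None)


def check_bundle(tiers: List[Tier]) -> List[str]:
    """Tiers are charged simultaneously, so each metered tier must carry more quota than
    the metered tier above it or both run out at the same moment (the guide's remark that
    a third tier would need more than 2 GB). Returns a description of each problem found."""
    ordered = [t for t in sorted(tiers, key=lambda t: t.priority) if t.quota_kb is not None]
    problems = []
    for upper, lower in zip(ordered, ordered[1:]):
        if lower.quota_kb <= upper.quota_kb:
            problems.append("%s (%d KB) needs more quota than %s (%d KB)"
                            % (lower.name, lower.quota_kb, upper.name, upper.quota_kb))
    return problems


def sample_bundle(silver_quota_kb: int = 2 * KB_PER_GB) -> TieredBundle:
    """The bundle of Table 11-2: Gold covers the first GB, Silver the next (so 2 GB in total)."""
    return TieredBundle([
        Tier("Tiered Monthly-First 1 GB Gold", 60, KB_PER_GB, "Deactivated"),
        Tier("Tiered Monthly-Next 1 GB Silver", 70, silver_quota_kb, "Replace Variation"),
        Tier("Basic Access", 99, None, "Not applicable"),
    ])


if __name__ == "__main__":
    bundle = sample_bundle()
    for session_kb in (512 * 1024, 600 * 1024, 1024 * 1024):  # constructed session usage
        bundle.charge(session_kb)
        print(bundle.outcome())
```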

Real-Time Billing Support


The NetOp PM software supports real-time billing reconciliation for metered services. In real-time billing reconciliation, information on a subscriber's usage is maintained and updated after each session. Subscribers can use the web portal to open the Usage web page and see how much time or volume has been consumed at any point in the billing period. You can define services to support two payment models:
- Prepaid: The subscriber prepurchases a block of bytes or minutes for Internet service. The subscriber can connect to the Internet multiple times; after each session, the bytes or minutes used for that session are subtracted from the remaining bytes or minutes. When the remaining amount reaches zero, the subscriber is no longer allowed to access the Internet service. For time-metered services, the subscriber is redirected to the Quota Exceeded web page when the remaining minutes reach zero. For volume-metered services, the session is terminated immediately by default when the quota is reached. To enable the NetOp PM software to keep the circuit up and not terminate the session, add the following configuration in all contexts (in subscriber configuration mode):

  subscriber default session-action traffic-limit acct-alive

  The NetOp PM software provides two sample service offerings to illustrate the prepaid payment model; for details, see the Prepaid Internet-1 GB Service Offering section on page 3-23 and the Prepaid Internet-20 Hours Service Offering section on page 3-24 in the NetOp Policy Manager Reference.
- Recurring Quota Subscription: The subscriber signs up for a recurring daily, weekly, or monthly subscription. The subscriber is entitled to a quota of bytes or minutes for each daily, weekly, or monthly quota period. Any unused bytes or minutes are discarded at the end of each quota period; they are not carried over to the next period.

Note: Specify the subscription period using the Reset Occurs field.

The service provider has a number of options for managing subscribers who exceed quotas. The service provider can redirect the subscriber to a custom captive portal web page to inform the subscriber that the quota has been exceeded and to make a selection about how to continue. Depending on the configuration, the custom captive portal page could offer one or more of the following actions for those subscribers who exceed the assigned quota:
- Continue at a reduced access rate (for example, 64 kbps) at no extra charge.
- Continue at full-access rate where over-quota bytes are billed at a premium pay-as-you-go rate.
- Redirect the subscriber to purchase more prepaid quota (for example, another 10 GB) and continue at full-access rate.
- Terminate access for the rest of the day, week, or month; at the start of the next day, week, or month, the subscriber's account is reset with a new full quota at full-access rate.

The service provider can enable the subscriber to purchase more prepaid quota using the NetOp PM software's top up feature. Subscribers can top up the time quota, and incoming and outgoing traffic quotas, for a particular service subscription through the NetOp PM API. The NetOp PM system recognizes quota top ups as quota overrides and continues to provide the subscriber Internet service even though the service offering's predefined quotas have been exceeded. By default, the quota top up remains in effect for the remainder of the current quota period (day, week, or month). The actual quota values applied to a specific service subscription are displayed on the Subscribed Services tab of the Subscriber Account panel. For more information on quota top up, see Chapter 7, Service Subscription Attribute Overrides of the NetOp Policy Manager API Guide. The NetOp PM software includes a sample web page to demonstrate how a subscriber can supplement time and volume quotas for metered services. For information on how to customize this sample web page, see Chapter 15, Configure the NetOp PM Lightweight Web Portal.

To bill the subscriber for usage, you can use the generated RADIUS accounting messages, generate a report from the NetOp PM service order usage tables, or query for up-to-the-second accurate usage information using the NetOp PM SOAP API. The external system can use the NetOp PM API to query the subscriber usage at the appropriate point in the billing cycle. For recurring subscriptions, in addition to enabling you to reset subscriber quotas automatically on a daily, weekly, or monthly basis, the NetOp PM software includes scripts that you can use to reset time and volume quotas manually at custom intervals. To reset quotas manually, the value of the Reset Occurs field must be Custom. For instructions on running the reset scripts, see the NetOp Database Administration Guide.

Tracking Time Usage


In a standalone deployment scenario, when a subscriber logs on and is subscribed to a time-metered service, the NetOp PM software monitors the subscriber's allotted time quota and the subscriber's time usage to date. When the time quota expires, the NetOp PM system can take an automatic predefined action and can change the attributes of the service, if necessary. Time metering continues until the subscriber explicitly logs off. In an integrated deployment scenario, the NetOp PM system and the credit-control server monitor time usage together.

Tracking Volume Usage


When a subscriber logs on and is subscribed to a volume-based service, the NetOp PM software calculates the session traffic limit based on the configured incoming traffic quota and outgoing traffic quota, and the subscriber's usage to date, and sends this information to the SmartEdge router in the RB-Session-Traffic-Limit RADIUS attribute. The SmartEdge router then starts to monitor traffic usage for the session and reports the current traffic usage to the NetOp PM software through the RB-Acct-Input-Octets-64 and RB-Acct-Output-Octets-64 RADIUS attributes received in an Accounting-Alive or Accounting-Stop packet. The NetOp PM software uses this information to update the NetOp PM database with the running total for the subscriber's usage.


Subscribers can start and stop sessions as often as they want; the NetOp PM software tracks subscriber usage across multiple sessions and sets the limits for each new session. Subscribers can obtain their current traffic usage through the Usage web page, described in Chapter 7, Service Subscription Attribute Overrides of the NetOp Policy Manager API Guide.

The NetOp PM software tracks two usage types:
- Per session: The NetOp PM software tracks subscriber traffic usage per session. The NetOp PM software then uses this information to determine the per-subscriber usage.
- Per service: A NetOp PM current usage record exists for each service subscription. The NetOp PM service manager compares the value of the current usage record to the incoming traffic quota and outgoing traffic quota configured on the Service Offering view when a session starts. If the subscriber's current subscription usage does not exceed the quota, a new traffic limit is calculated and sent to the SmartEdge router in the RB-Session-Traffic-Limit attribute.

You can configure the NetOp PM software to take one of the following actions if the quota is reached:
- Expire the service: the service does not appear as a subscribed service.
- Change the RADIUS attributes for the service; the service remains subscribed.
  Note: For time-metered services, the change in RADIUS attributes is made immediately when the quota is reached. For volume-metered services, by default the session is dropped and the new attributes are applied when the subscriber restarts the session. To enable the NetOp PM system to not drop the session, add the following configuration in all contexts (in subscriber configuration mode):

  subscriber default session-action traffic-limit acct-alive

  This command enables the default subscriber profile to send Accounting-Alive RADIUS messages when the traffic limit is reached.
- Deactivate the service: the service's attributes are removed from the subscriber but the service remains subscribed.
- Replace variation: the service stays up and, based on what you set as the Quota Exceeded Variation, you determine the action the system takes. If set to Quota Exceeded Redirect, the subscriber is redirected to a Quota Exceeded web page that provides contact information for continuing subscriber service when the quota is exceeded. If set to Top Up Redirect, the subscriber is redirected to the Usage web page where more time or volume can be purchased using the Top Up redirect page.
- Do nothing: the service remains subscribed and the attributes continue to be applied to the subscriber.

The SmartEdge router monitors subscriber session usage when it receives a quota from the NetOp PM software. The SmartEdge router has no knowledge of the overall quota for a subscriber; it is aware only of traffic limits on a particular session. Depending on the SmartEdge router configuration, when a session limit is reached the SmartEdge router drops the session or generates an Accounting-Alive message; the accounting packets permit the NetOp PM software to recognize that the quota has been exceeded and perform the action defined for the service.


Create a Metered Variation


Note SMS devices do not support metered services.

To create a service offering as a metered service, perform the following steps:
1. Create a service offering; see the Create Service Offerings section on page 9-1.
2. On the service definition navigator, double-click to select the Time/Volume Variation check box and then double-click the Metered Variation option.
3. Optional. Click to select the Time Quota check box and type the amount of time the subscriber can actively use the service, using one of the following formats:
   - ddd [hh:mm[:ss]], where ddd is a number of days from 0 to 365 and hh:mm:ss is an amount of time from 0:00:00 to 23:59:59
   - hh:mm[:ss]
4. Optional. Click to select the Incoming Traffic Quota check box and type the number of kilobytes the subscriber can receive. The maximum quota is 2,147,483,647.
5. Optional. Click to select the Outgoing Traffic Quota check box and type the number of kilobytes the subscriber can send. The maximum quota is 2,147,483,647.
   You can update or top off the time quota, and incoming and outgoing traffic quotas, for a particular service subscription through the NetOp PM API. As a result, the applied quotas for a subscriber session may not be the same as the predefined quotas. The applied values in effect for a specific service subscription are displayed on the Subscribed Services tab of the Subscriber Account panel; see the View Current Subscribed Services section on page 16-6. For more information on quota updates and top-ups, see Chapter 7, Service Subscription Attribute Overrides, and Chapter 6, Define Services Using the NetOp PM API of the NetOp Policy Manager API Guide.
6. Click the When Quota Exceeded field and select the action that the NetOp PM system should perform when the subscriber's quota is exceeded. You can choose from the following options:
   - Expire Subscription (this is the default)
   - Deactivate Subscription
   - Replace Variation
   - Do Nothing
   For descriptions of these options, see the Metered Variation Field Descriptions section on page 4-5 in the NetOp Policy Manager Reference. You can specify only one action if both time and volume quotas are defined. When either the time quota or volume quota is reached, the specified action is performed.
   Note: For Access service offerings configured with a time or volume quota, you cannot configure the subscription to expire or deactivate. For services configured to reset (daily, weekly, monthly, or custom), you cannot configure the subscription to expire.

Complex Time and Volume Services

11-13

Metered Services

Note

If you select Replace Variation, you must define at least one variation to apply to the subscriber session when the quota is exceeded; for details, see the Create a Quota Exceeded Variation section on page 11-14.

7. Optional. Click to select the Reset Occurs check box and select the frequency with which the quota gets reset. If you set the Reset Occurs field to Custom, the administrator should use the reset APIs provided with the NetOp PM software to control the frequency of the reset. If you set the Reset Occurs field to None, Daily, Weekly, or Monthly, the reset scripts cannot be used to control the frequency of the reset. For more information, see the section on resetting time and volume quotas for recurring services in the NetOp Administration Guide. By default, the quota top-up remains in effect for the remainder of the current quota period (day, week, or month). For more information on quota top-up, see Chapter 7, Service Subscription Attribute Overrides, in the NetOp Policy Manager API Guide. 8. Optional. Click to select the Reset Time check box and enter the date and time at which the service subscription will be reset. 9. If all other required information has been defined for the service offering, click OK to create the service offering and close the window, or click Apply to apply changes to an existing service. Note If the value in the Max. Sessions field for the service offering is greater than one, each session receives the same quota; that is, if the subscriber sessions are long-lived, the effective quota for the subscriber could be multiplied by the maximum number of sessions.

Note

Time and volume metering continues until the subscriber logs off, or until the subscriber shuts down the session. In the case of an implicit logon service, the subscriber must explicitly log off, or until the subscriber shuts down the session; in the case of an explicit logon service, there is no issue because the NetOp PM system automatically logs off the subscriber. For subscribers who are logged on and have been assigned to a captive portal, for example, quota exceeded notification, time and volume quotas are consumed.

For detailed field descriptions, see Table 4-4 on page 4-4 in the NetOp Policy Manager Reference, which describes the valid absolute and relative time specifications and their formats supported for each time- and volume-related field.
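The quota fields above have a small but easily misconfigured grammar (two time formats, a 32-bit kilobyte ceiling, and action choices that the notes forbid for some offerings). The following Python is an added example written for this guide, not part of the NetOp PM product: it parses and range-checks Time Quota strings in the two documented formats, validates volume quotas, computes the multiplied effective quota from the Max. Sessions note, and reports which documented rules a When Quota Exceeded choice violates. The regexes, function names, and the rule list are the example's own.

```python
import re
from datetime import timedelta

# Limits documented in the Create a Metered Variation procedure.
MAX_QUOTA_DAYS = 365
MAX_VOLUME_QUOTA_KB = 2_147_483_647   # largest signed 32-bit value
ACTIONS = ("Expire Subscription", "Deactivate Subscription", "Replace Variation", "Do Nothing")

# Our regexes for the two documented Time Quota formats: "ddd [hh:mm[:ss]]" and "hh:mm[:ss]".
_DAYS_FORM = re.compile(r"^(?P<d>\d{1,3})(?:\s+(?P<h>\d{1,2}):(?P<m>\d{2})(?::(?P<s>\d{2}))?)?$")
_CLOCK_FORM = re.compile(r"^(?P<h>\d{1,2}):(?P<m>\d{2})(?::(?P<s>\d{2}))?$")


def parse_time_quota(text: str) -> timedelta:
    """Parse a Time Quota string; ValueError outside 0..365 days and 0:00:00..23:59:59."""
    text = text.strip()
    match = _DAYS_FORM.match(text) or _CLOCK_FORM.match(text)
    if match is None:
        raise ValueError(f"unrecognised time quota format: {text!r}")
    g = match.groupdict()
    days, hours = int(g.get("d") or 0), int(g.get("h") or 0)
    minutes, seconds = int(g.get("m") or 0), int(g.get("s") or 0)
    if days > MAX_QUOTA_DAYS:
        raise ValueError(f"days must be 0..{MAX_QUOTA_DAYS}, got {days}")
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"clock part must be within 0:00:00..23:59:59: {text!r}")
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def is_valid_time_quota(text: str) -> bool:
    try:
        parse_time_quota(text)
    except ValueError:
        return False
    return True


def validate_volume_quota_kb(kilobytes: int) -> int:
    """Incoming/Outgoing Traffic Quota is entered in kilobytes, 0..2,147,483,647."""
    if not 0 <= kilobytes <= MAX_VOLUME_QUOTA_KB:
        raise ValueError(f"volume quota must be 0..{MAX_VOLUME_QUOTA_KB} KB, got {kilobytes}")
    return kilobytes


def is_valid_volume_quota_kb(kilobytes: int) -> bool:
    try:
        validate_volume_quota_kb(kilobytes)
    except ValueError:
        return False
    return True


def effective_subscriber_quota(quota, max_sessions: int):
    """Every session gets the same quota, so with long-lived concurrent sessions the
    subscriber can consume up to quota * Max. Sessions (works for timedelta or KB)."""
    if max_sessions < 1:
        raise ValueError("Max. Sessions must be at least 1")
    return quota * max_sessions


def quota_exceeded_action_problems(action: str, is_access_offering: bool,
                                   reset_occurs, replacement_variations) -> list:
    """Return the documented rules that this When Quota Exceeded setting violates.

    reset_occurs: None, or "Daily"/"Weekly"/"Monthly"/"Custom" (the Reset Occurs setting).
    replacement_variations: names referenced in the Quota Exceeded Variation panel.
    """
    problems = []
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if is_access_offering and action in ("Expire Subscription", "Deactivate Subscription"):
        problems.append("an Access service offering with a quota cannot expire or deactivate")
    if reset_occurs is not None and action == "Expire Subscription":
        problems.append("a service that resets cannot expire")
    if action == "Replace Variation" and not replacement_variations:
        problems.append("Replace Variation requires at least one Quota Exceeded Variation")
    return problems
```

Run the checks against a service offering before applying it: a rejected combination is cheaper to catch here than as a subscriber whose session silently never expires.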

Create a Quota Exceeded Variation


For metered variations, if the value in the When Quota Exceeded field is Replace Variation, you must create a Quota Exceeded Variation that tells the NetOp PM system which service attribute variation to substitute when the subscriber's quota is exceeded. To create a quota exceeded variation for a service offering, perform the following steps:

1. Create a service attribute variation; see the Create Service Attribute Variations section on page 10-1.

2. Click the Metered Variation turnkey icon to expand the variation.

3. Double-click to select the Quota Exceeded Variation check box.

4. Click to select the relevant variation name check boxes and browse to the name of an existing service attribute variation. For instructions, see the Create Service Attribute Variations section on page 10-1. If the When Quota Exceeded field for the metered variation is set to Replace Variation, you must specify at least one of the fields on the Quota Exceeded Variation panel.

   By default, you have two options for the IP Redirect variation:

   Quota Exceeded Redirect: Sends subscribers to the Quota Exceeded redirect page, which instructs them to contact their service provider.
   Top Up Redirect: Sends subscribers who have exceeded their quota to the Usage web page, where they can open the Top Up redirect page to purchase more time or volume.

   By default, you have several options for Bandwidth, such as:

   128 Kbps bandwidth
   512 Kbps bandwidth
   1 Mbps bandwidth

   When a replacement variation is applied, the attributes from the original service offering are permanently removed from the subscriber session and only the attributes specified by the Quota Exceeded Variation are applied. The replacement is not a merge: if you reference a particular variation in the main definition of the service offering and want the same variation to remain in effect after the quota is exceeded, you must explicitly reference it again in the Quota Exceeded Variation definition. In particular, if no replacement is specified for the Dynamic IP Address Variation, the subscriber session may drop when the quota is exceeded.

   Note: For Access service offerings configured with a time or volume quota, you cannot set the When Quota Exceeded field to Expire Subscription or Deactivate Subscription.

5. If all other required information has been defined for the service offering, click OK to create the service offering and close the window, or click Apply to apply changes to an existing service.

Tiered Quota Service Bundles


Tiered quota service bundles enable service providers to offer a service that changes as the subscriber crosses successive usage thresholds. A tiered quota service is defined as a service bundle. The highest-priority service offering in the bundle defines the first tier of the service, the next-priority service offering defines the next tier, and so on. The lowest-priority service offering defines the final tier and also defines the final action performed when all quota in the bundle has been consumed.

When a service bundle is initially assigned to a subscriber account, all of its service subscriptions are active. As each tier is consumed, the corresponding service subscription is deactivated. When the final tier is consumed, its quota exceeded action is performed. Subscribers who exceed their quota can be handled as follows:

Redirect to a Top Up page where they can purchase more time or volume
Continue with basic access services for the rest of the month
Redirect to a captive portal where they cannot use the Internet until the beginning of the next month

For further information on configuring your system for this feature, see the HTTP Redirect Profiles section on page 3-27.

The NetOp PM software includes a sample monthly recurring Tiered Volume Quota service bundle that provides the subscriber with 1 GB at Gold bandwidth (1 Mbps), then 1 GB at Silver bandwidth (512 kbps), and then a Top Up Redirect when the quota is exceeded. The sample service bundle requires two bandwidth service offerings:

Tiered Monthly First 1GB Gold provides the first tier of the service bundle.
Tiered Monthly Next 1GB Silver provides the second tier of the service bundle and the quota exceeded action for the service bundle.

Note: A Tiered Quota service requires that all service subscriptions in the service bundle be assigned to the subscriber account.

Create Tiered Volume Quota Service Bundles


To create a Tiered Volume Quota service bundle that redirects subscribers to the Top Up redirect web page, perform the following steps:

1. Create a bandwidth service offering for the first tier.

2. Specify the service as a complex volume service and define values for the Time Quota, Incoming Traffic Quota, and Outgoing Traffic Quota fields as required; see the Create a Metered Variation section on page 11-13.

3. Set the When Quota Exceeded action to Deactivate Subscription so that this bandwidth service is deactivated when its quota is depleted.

4. Create a bandwidth service offering for the second tier, ensuring that the priority of this service offering is lower than that of the first-tier bandwidth service offering.

5. Specify the service as a complex volume service and define values for the Time Quota, Incoming Traffic Quota, and Outgoing Traffic Quota fields as required; see the Create a Metered Variation section on page 11-13. Volume quota is consumed concurrently from both tiers, so the second tier's counter runs from the start of the session: the quota for the second tier must be larger than the quota for the first tier, and to give the subscriber a further 1 GB at Silver after 1 GB at Gold, the second-tier quota must be the cumulative 2 GB. If the second-tier quota is equal to or smaller than the first-tier quota, both tiers are exhausted at the same time and the second tier is never served.

6. Set the When Quota Exceeded action to Replace Variation so that the Quota Exceeded Variation is applied when the second tier's quota is depleted.

7. Create a Quota Exceeded Variation. To redirect the subscriber, select Top Up Redirect; see the Create a Quota Exceeded Variation section on page 11-14. With Top Up Redirect, when the quota for this last tier of service is depleted, the service stops and the subscriber is sent to the captive portal Usage web page, where the subscriber can purchase more volume by clicking Add Bytes.

8. Optional. To decrease the subscriber's bandwidth, type the name of the alternative Bandwidth Service in the Bandwidth Variation Name field.
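Because every tier meters the same bytes at the same time, the ordering and sizing rules in the procedure above are easy to get wrong. The following Python simulation is an added example written for this guide, not NetOp PM code: it models a bundle as priority-ordered tiers, charges each traffic sample against every active tier, deactivates a tier when its quota is hit, applies the final tier's Quota Exceeded Variation, and checks the documented rules (cumulative quotas, Deactivate Subscription on non-final tiers). The tier names reproduce the guide's sample offerings; the field names, the priority convention (lower number is higher priority), and the traffic samples are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional

GB_KB = 1024 * 1024   # the guide enters volume quotas in kilobytes


@dataclass
class Tier:
    """One service offering in a tiered quota bundle (field names are ours)."""
    name: str
    priority: int                        # assumption: lower number = higher priority
    bandwidth: str
    quota_kb: int                        # cumulative volume this tier tolerates
    on_exceeded: str                     # "Deactivate Subscription" or "Replace Variation"
    replacement: Optional[str] = None    # Quota Exceeded Variation used by Replace Variation
    used_kb: int = 0
    active: bool = True


@dataclass
class BundleSession:
    """A subscriber session with every offering in the bundle subscribed and active."""
    tiers: List[Tier]
    applied_variation: Optional[str] = None
    total_kb: int = 0

    def ordered(self) -> List[Tier]:
        return sorted(self.tiers, key=lambda t: t.priority)

    def check_bundle(self) -> List[str]:
        """Configuration rules from the guide; an empty list means the bundle is sound."""
        problems = []
        tiers = self.ordered()
        for higher, lower in zip(tiers, tiers[1:]):
            if lower.quota_kb <= higher.quota_kb:
                problems.append(f"{lower.name}: quota must exceed {higher.name} "
                                "(volume is consumed concurrently from both tiers)")
        for tier in tiers[:-1]:
            if tier.on_exceeded != "Deactivate Subscription":
                problems.append(f"{tier.name}: a non-final tier should Deactivate Subscription")
        last = tiers[-1]
        if last.on_exceeded == "Replace Variation" and not last.replacement:
            problems.append(f"{last.name}: Replace Variation needs a Quota Exceeded Variation")
        return problems

    def current_bandwidth(self) -> Optional[str]:
        """The highest-priority still-active tier defines the service; None once all are gone."""
        active = [t for t in self.ordered() if t.active]
        return active[0].bandwidth if active else None

    def consume(self, kb: int) -> Optional[str]:
        """Charge kb of traffic to every active tier at once; return the bandwidth now in effect."""
        self.total_kb += kb
        for tier in self.ordered():
            if not tier.active:
                continue
            tier.used_kb += kb
            if tier.used_kb >= tier.quota_kb:
                tier.active = False                     # subscription deactivated
                if tier.on_exceeded == "Replace Variation":
                    self.applied_variation = tier.replacement
        return self.current_bandwidth()


def sample_bundle() -> BundleSession:
    """Our reconstruction of the guide's sample: 1 GB Gold, next 1 GB Silver, then Top Up Redirect.
    The second tier's quota is the cumulative 2 GB because both tiers meter the same bytes."""
    return BundleSession([
        Tier("Tiered Monthly First 1GB Gold", 1, "1 Mbps", 1 * GB_KB, "Deactivate Subscription"),
        Tier("Tiered Monthly Next 1GB Silver", 2, "512 kbps", 2 * GB_KB,
             "Replace Variation", "Top Up Redirect"),
    ])


def misconfigured_bundle() -> BundleSession:
    """Same offerings but with 1 GB on both tiers: the Silver tier is never served."""
    bundle = sample_bundle()
    bundle.tiers[1].quota_kb = 1 * GB_KB
    return bundle
```

Feeding the sample bundle 512 MB, then 600 MB, then 1 GB moves the session from 1 Mbps to 512 kbps to the Top Up Redirect; the misconfigured bundle jumps straight to the redirect after the first gigabyte, which is what the check_bundle warning predicts.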


Chapter 12

Online Charging for Prepaid Services

Prepaid services protect revenue by verifying, before a service is started, that the subscriber's account balance is not zero and can cover the requested service. When the balance in the subscriber's account is exhausted or has expired, the subscriber is redirected to a captive portal to purchase additional quota or to take another action.

The NetOp PM system supports prepaid scenarios in a stand-alone deployment, using the NetOp PM service manager, or in an integrated deployment, coordinating with an external credit-control server. The NetOp PM system interacts with the credit-control server through the Diameter Ro interface and uses the Diameter Credit-Control Application (DCCA) to provide real-time credit control, also called online charging. This chapter describes online charging.

Note: You must purchase a license for NetOp PM Credit Control to use the Diameter Credit-Control Application (DCCA) to provide credit authorization for prepaid users.

The NetOp PM system supports real-time credit control based on IETF RFC 4006, Diameter Credit-Control Application. For details on compliance with RFC 4006 and the 3GPP TS 32.299 technical specification, see the Statement of Compliance, Ro Interface for the NetOp PM system.

Figure 12-1 Typical Architecture for Online Charging in an Integrated Deployment

The NetOp PM system acts as the credit-control client in all interactions with the credit-control server. Deployed on the NetOp PM application server, the credit-control client manages the quota granted by the credit-control server and uses RADIUS CoA to reauthenticate the subscriber session on the node. The client communicates with the server using Diameter Credit-Control-Request (CCR) messages; the server responds with Credit-Control-Answer (CCA) messages.


Figure 12-2 Communication Using CCR and CCA Messages and RADIUS CoA

When real-time credit control is required, the NetOp PM system acts as the credit-control client and contacts the credit-control server with information about the requested service. The credit-control process determines the potential charges and verifies whether the subscriber's account balance covers the cost of the requested service. The server grants credit resources in the form of units (for example, data volume or time), and the units are metered by the client. The NetOp PM system supports time metering only; any other units returned by the server (volume, currency, and so on) are ignored, so the credit-control server must grant time units for a prepaid service to be metered.

The NetOp PM implementation of online charging supports credit authorization with Session Charging with Unit Reservation (SCUR) as defined in RFC 4006. SCUR is session-based and requires multiple interrogations between the credit-control client and the credit-control server:

Initial interrogation, to reserve units before initiating the service.
(Optional) Intermediate update interrogations, to report the units used and to reserve additional units if required.
Terminate interrogation, to report the units used when the service terminates.

Figure 12-3 illustrates the component interactions when a prepaid subscriber requests a time-based service:
Figure 12-3 Component Interactions During Credit-Control Service Initiation

Figure 12-4 illustrates the component interactions when an intermediate balance update is requested for a time-based service:


Figure 12-4 Component Interactions During Intermediate Balance Update

Figure 12-5 illustrates the component interactions when the prepaid subscriber terminates the time-based service; for example, by logging off:
Figure 12-5 Component Interactions During Subscriber-Initiated Service Termination

Figure 12-6 illustrates the component interactions when the NetOp PM system detects that the prepaid subscribers time-based quota is exceeded, and the quota-exceeded action is to terminate the session:


Figure 12-6 Component Interactions During Service Termination When Quota Exceeded

Figure 12-7 illustrates the component interactions when the node terminates the session:
Figure 12-7 Component Interactions During Service Termination From Node

Configure Online Charging


To configure online charging:

1. Ensure that you have installed and deployed the NetOp PM application server and deployed the credit-control application; see Chapter 8, Configure, Deploy, and Start the NetOp PM Components, in the NetOp Policy Manager Installation Guide.

2. Optional. Define AVPs in the credit-control request structure; see the Define Additional AVPs section on page 12-5.

3. Optional. Configure the NetOp PM credit-control client to communicate with a different or additional credit-control server; see the Configure the Diameter Peer Type section on page 12-5.

4. Configure the NetOp PM credit-control client to communicate with the Diameter credit-control server; see the Configure Communication with the Credit-Control Server section on page 12-6.

Define Additional AVPs


Diameter credit-control application attribute-value pairs (AVPs) are carried in credit-control messages and communicate information about services between the credit-control client and the credit-control server. By default, the NetOp PM credit-control client is configured with a number of AVPs. An AVP that the credit-control server does not support causes the server to reject the request from the credit-control client, so add only AVPs that your server accepts.

Optional. To define additional AVPs in the credit-control request structure:

1. Create an XML document or modify sampleAttributeType.xml.

2. Pass the XML document to the addAttributeTypeXML method.

3. Specify the additional attributes in the Diameter peer type definitions; see the Configure the Diameter Peer Type section on page 12-5.

For example, the following XML document configures the 3GPP MS TimeZone attribute:

Configure the Diameter Peer Type


The credit-control request structure dictates how the NetOp PM credit-control client communicates with the credit-control server during Credit-Control-Request (CCR) interrogations (initial, update, and terminate), including which Diameter AVPs to send. The credit-control request structure is defined in the Diameter peer type configuration.

Diameter AVPs can be configured by the NetOp PM system (configuredIn=NPM) or in a credit-control variation (configuredIn=Variation). If an AVP is configured in the credit-control variation, the variation can specify the attribute value; if no value is specified, the default value configured for the attribute is sent. AVPs configured in the NetOp PM software should be defined with a default value, or should be attributes that the NetOp PM system can populate itself.

The NetOp PM credit-control client is configured with a default Diameter peer type, Default. To communicate with a different or additional peer type, and to define or modify the request structure, including the Diameter AVPs to send in the CCR message:

1. Create an XML document or modify sampleDiameterPeerType.xml.

2. Include in the XML document any additional attributes defined in the Define Additional AVPs section on page 12-5.

3. Pass the XML document to the addDiameterPeerTypeXML method.


For example, the following XML document configures a Diameter peer type that includes the Diameter AVP Service-Identifier in the initial interrogation:

Configure Communication with the Credit-Control Server


Configure the NetOp PM credit-control client to communicate with the credit-control server:

1. Create an XML document or modify sampleDiameterPeer.xml to configure the communication settings. To configure failover, specify more than one credit-control server for the same realm: for one server specify isPrimary=true, and for the other specify isPrimary=false. Whether a secondary server is configured determines how the Continue Subscription and Retry and Terminate Subscription failure handling options behave; see Table 12-2 on page 12-14.

2. Pass the XML document to the addDiameterPeerXML method.

For example, the following XML document configures communication with the primary credit-control server for the aol.com realm, CCSTYPE:


Manage the Credit-Control Server


Table 12-1 describes the management tasks for the credit-control server and the NetOp PM API method for each.

Table 12-1 Credit-Control Server Management Tasks

Task: Return details of all Diameter peer types from the NetOp PM database.
API method: getAllDiameterPeerTypesXML()

Task: Return details of the specified Diameter peer type from the NetOp PM database.
API method: getDiameterPeerTypeXML(String diameterPeerTypeName)

Task: Remove a Diameter peer type from the NetOp PM database.
API method: removeDiameterPeerType(String diameterPeerTypeName)

Task: Modify the details of the specified Diameter peer type in the NetOp PM database.
API method: updateDiameterPeerTypeXML(String diameterPeerTypeXML)

Task: Return details of all Diameter peers from the NetOp PM database.
API method: getAllDiameterPeersXML()

Task: Return details of the specified Diameter peer from the NetOp PM database.
API method: getDiameterPeerXML(String diameterPeerName)

Task: Remove a Diameter peer from the NetOp PM database.
API method: removeDiameterPeer(String diameterPeerName)

Task: Modify the details of the specified Diameter peer in the NetOp PM database.
API method: updateDiameterPeerXML(String diameterPeersXML)

Configure the Subscriber For Prepaid Services


For a subscriber to receive credit-control services, the subscriber account in the Net Op PM system must be linked to the subscriber information held on the credit-control server. To create this link, modify the subscriber account to include the Subscription-Id-Type and Subscription-Id-Data AVPs that the credit-control server uses to identify the subscriber. To include these AVPs in the subscriber record using the NetOp PM API:

1. Create or modify a subscriber account XML document.

2. Put the Subscription-Id-Type value in the <CreditControlExternalType> attribute.

3. Put the Subscription-Id-Data value in the <CreditControlExternalId> attribute.

4. Pass the XML document to the addSubscriberAccountXML or updateSubscriberAccountXML method.

Configure a Prepaid Service


To configure a prepaid service:

1. Create a credit-control variation; see the Credit-Control Variations section on page 12-8.

2. Create service attribute variations; see the Override RADIUS Attributes with Diameter Attributes section on page 12-10.

3. Create the service offering; see the Configure a Prepaid Service Offering section on page 12-12.

Credit-Control Variations
An access service offering with credit control references a credit-control variation. The credit-control variation defines Diameter attribute values that are sent in a CCR to the credit-control server. Figure 12-8 illustrates the relationship between an access service offering, credit-control variation, and service attribute variations.
Figure 12-8 Credit-Control Variation Referenced by Access Service Offering

Diameter attribute values can only be defined in the credit-control variation if the Diameter peer type definition indicates that an AVP is configured in the credit-control variation (configuredIn=Variation):
Figure 12-9 Credit-Control Variation Defines Values for Attributes Configured in Diameter Peer Type as configuredIn=Variation


When a subscriber adds a prepaid service (or an update or terminate interrogation is initiated), the credit-control client sends a CCR to the credit-control server, including any Diameter AVPs specific to the subscriber service. The values sent to the credit-control server are based on the attribute values defined by the NetOp PM system, and in the referenced credit-control variation. A credit-control variation can apply to multiple Diameter peer types and can define multiple interrogations. Different credit-control variations can be defined for different realms. If the Diameter peer type definition indicates that an AVP is configured in the credit-control variation (configuredIn=Variation), the variation can specify the values of Diameter attributes for each interrogation defined in the Diameter peer type; different values can be configured for different realms by creating realm-specific variations. If no value is specified in the credit-control variation, the default value configured for the attribute is sent to the credit-control server.

Configure a Credit-Control Variation with the NetOp Client


To configure a credit-control variation with the NetOp client:

1. On the network navigator, click Diameter Request Variation > Credit Control Variation.

2. Click Add Diameter Request to open the Add Diameter Request dialog box.

3. Click OK to add a Credit Control Variation.

4. Specify a unique Id and Name for the variation.

5. To specify which Diameter peer type the credit-control variation applies to, activate the primary instance by selecting its check box. A credit-control variation can apply to multiple Diameter peer types; for information on creating additional instances, see the Create and Remove Variation Instances section on page 10-6.

6. To define values to send during the Initial, Update, or Terminate interrogation, activate that interrogation under the Diameter peer type. A credit-control variation can define multiple interrogations.

7. For each interrogation included in the credit-control variation, define values for the filtering attributes and the Diameter attributes:

   Optional. To restrict the credit-control variation to a specific realm, enter the Realm.
   Define values for the Diameter attributes. The Diameter attributes available for definition in the credit-control variation depend on the Diameter peer type configuration.

   Note: The Service-Identifier defined in a credit-control variation must map to the service Id defined in the external credit-control server. This is how the credit-control client maps services defined in the NetOp PM system to services defined in the credit-control server.

8. Click OK to create the credit-control variation.

Configure a Credit-Control Variation with the NetOp PM API


To create a credit-control variation with the NetOp PM API:

1. Create an XML document or modify sampleDiameterRequestVariation.xml.

2. Pass the XML document to the addDiameterRequestVariationXML method.

The following example shows an XML document used to inject a credit-control variation named 1 Day Prepaid Credit using the NetOp PM API:

Override RADIUS Attributes with Diameter Attributes


The NetOp PM system creates a RADIUS CoA request containing the attributes defined in the service attribute variation for the subscriber service and sends the CoA request to the node to reauthenticate the subscriber session. The NetOp PM system can override the RADIUS attributes defined in the subscriber service with the Diameter attributes received in the CCA message from the credit-control server. Configure Diameter attribute overrides to RADIUS attributes by creating service attribute variation instances for each configured Diameter peer type in the variation. If no instance is defined for a Diameter peer type, no overrides are sent for that peer type; the RADIUS attributes are sent as usual in the CoA packet.


Figure 12-10 Override RADIUS Attributes with Diameter Attributes

To override RADIUS attributes with Diameter attributes in the CoA packet sent to the node, in the NetOp client:

1. Create or modify a service attribute variation.

2. Activate one or more Diameter peer type instances under a node type or encapsulation type instance.

3. Specify static override values for RADIUS attributes in the Diameter Attributes section, or write Java code to generate the values dynamically. Static override values do not require any special formatting. Dynamic override values are written as Java code, must conform to correct Java syntax, must be enclosed in braces ({}), and must return a String value:

   { return (String) context.get("Diameter-Attribute"); }

   where Diameter-Attribute is the name of an attribute received in the CCA. For example, enter the following code in the RB-HTTP-Redirect-URL field to override the RB-HTTP-Redirect-URL RADIUS attribute with the value of the Redirect-Server-Address Diameter attribute received from the credit-control server:

   { return (String) context.get("Redirect-Server-Address"); }

   Dynamic override values are executed as Java code by the NetOp PM system, so treat them as configuration-as-code: restrict who can create and edit service attribute variations, and review the code in each variation before it is deployed.


Configure a Prepaid Service Offering


A prepaid service configured for an online charging scenario includes a credit-control variation and indicates what the system should do if the credit-control server cannot be reached. The service offering definition can optionally include service attribute variations to apply to the subscriber session when quota is exceeded.

Configure a Prepaid Service Offering with the NetOp Client


To configure a prepaid service offering with the NetOp client:

1. Create an access service offering.

2. On the service definition navigator, double-click to select the Time/Volume Variation check box.

3. Click Credit Control Variation.

4. To specify what the NetOp PM system does when communication with the credit-control server is down, select a Credit Control Failure Handling option: Terminate Subscription (the default), Continue Subscription, or Retry and Terminate Subscription. See Table 12-2 on page 12-14 for the effect of each option during the initial, update, and terminate interrogations.

5. Expand the Credit Control Variation and select Credit Control Request Variation.

6. Browse to an existing Credit Control Variation.

7. Optional. Expand the Quota Exceeded Variation and define Redirect Variations and Restrict Access Variations to indicate the service attribute variations to apply when the credit-control server redirects the subscriber or restricts access because the subscriber's quota is exceeded. If no variations are specified, the subscriber continues to receive service after the quota is exceeded; for a prepaid offering, leave these empty only if that is the intended behavior.

8. Select a Dynamic IP Address Variation service attribute variation to reference, or define a variation inline.

9. Optional. Select a Bandwidth Variation service attribute variation to reference, or define a variation inline.


Configure a Prepaid Service Offering with the NetOp PM API


To configure a prepaid service offering with the NetOp PM API:

1. Create an XML document or modify an existing service offering document.

2. Include the following in the service offering XML document:

   A credit-control failure handling action for the NetOp PM system to take when communication with the credit-control server is unavailable. The valid values are Terminate Subscription, Continue Subscription, and Retry and Terminate Subscription.

   A credit-control request variation to specify the values of the Diameter attributes for each interrogation defined in the Diameter peer type.

   Optional. A quota-exceeded redirect variation and restrict-access variation to indicate the service attribute variations to apply when the credit-control server redirects the subscriber or restricts access because the subscriber's quota is exceeded. If no variations are specified, the subscriber continues to receive service.

   The order of objects must be exactly as shown in the example below: Redirect-Variation must be defined before Restrict-Access-Variation, and RaGrpBandwidthReferenced must be defined before RaGrpDynamicIPAddressReferenced, which must be defined before RaGrpIPRedirectReferenced.

3. Pass the XML document to the createServiceOfferingXML method.

The following example shows credit-control variation attributes in an XML document used to inject a credit-control service offering:


Credit-Control Service Errors and Failures


Table 12-2 describes the errors and failures that can occur during credit-control service initiation, update, or termination.

Table 12-2 Credit-Control Service Errors and Failures

Database Errors
    If a database error is encountered when retrieving information for service initiation, update, or termination, an error is logged and the previous service is reinstated.

Diameter Connectivity Failure
    During service initiation, update, or termination, if the credit-control client does not receive a CCA message from the credit-control server, one of the following occurs, depending on the Credit Control Failure Handling setting of the service offering:

    Terminate Subscription: the session is terminated after the transmission timer expires.

    Continue Subscription, during update or termination: the session is continued (update) or terminated (termination) even if the request message cannot be delivered. If a secondary credit-control server is configured and failover is supported, the session behaves as expected after the credit-control client connects to the secondary credit-control server.

    Continue Subscription, during initiation: the session is terminated if the initial request message cannot be delivered. If a secondary credit-control server is configured and failover is supported, the session starts after the credit-control client connects to the secondary credit-control server.

    Retry and Terminate Subscription: the session is terminated after the transmission timer expires. If failover is supported, the credit-control client first tries to reach the secondary credit-control server.

CCA Contains Error Result Code
    If the credit-control client receives a CCA with a Result-Code other than 2001 (DIAMETER_SUCCESS), the NetOp PM system behaves as follows:

    Error result code received in the initial interrogation: the session is terminated.
    Error result code received in an update interrogation: the Credit Control Failure Handling behavior applies.
    Error result code received in the terminate interrogation: the session is terminated.
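The SCUR exchange described in this chapter (initial reservation, intermediate updates, terminate report) and the failure matrix in Table 12-2 are easier to reason about end to end in code. The following Python is an added example written for this guide, not NetOp PM code: a minimal credit-control client that meters time units only and discards any volume units granted, a constructed stand-in for the credit-control server that grants a time balance in slices, and two decision functions that encode Table 12-2 for the missing-CCA and error-Result-Code cases. The CC-Request-Type and Result-Code values are the RFC 4006 and RFC 3588 ones; the class and field names, the slice size, the MSISDN, the Service-Identifier, and the "npm;1;..." Session-Id format are assumptions of the example.

```python
from dataclasses import dataclass

# RFC 4006 / RFC 3588 values used below.
INITIAL, UPDATE, TERMINATE = 1, 2, 3                  # CC-Request-Type
DIAMETER_SUCCESS, DIAMETER_CREDIT_LIMIT_REACHED, DIAMETER_AUTHORIZATION_REJECTED = 2001, 4012, 5003
END_USER_E164 = 0                                     # Subscription-Id-Type
# Credit Control Failure Handling options named in the guide.
TERMINATE_SUB, CONTINUE_SUB = "Terminate Subscription", "Continue Subscription"
RETRY_TERMINATE_SUB = "Retry and Terminate Subscription"

@dataclass
class CCR:                       # subset of Credit-Control-Request AVPs; field names are ours
    session_id: str
    request_type: int
    request_number: int
    subscription_id_type: int
    subscription_id_data: str
    service_identifier: int
    used_time_s: int = 0         # Used-Service-Unit / CC-Time

@dataclass
class CCA:
    result_code: int
    granted_time_s: int = 0      # Granted-Service-Unit / CC-Time
    granted_octets: int = 0      # ignored by the client: it meters time only

def no_cca_action(interrogation, handling, failover):
    """Table 12-2, Diameter Connectivity Failure: no CCA before the transmission timer expires."""
    if handling == TERMINATE_SUB:
        return "terminate"
    if handling == RETRY_TERMINATE_SUB:
        return "failover" if failover else "terminate"
    if handling == CONTINUE_SUB:
        return "failover" if failover else ("continue" if interrogation == UPDATE else "terminate")
    raise ValueError(f"unknown failure handling: {handling}")

def error_cca_action(interrogation, handling, failover):
    """Table 12-2, CCA Contains Error Result Code: initial and terminate errors end the session."""
    return "terminate" if interrogation != UPDATE else no_cca_action(UPDATE, handling, failover)

class FakeCreditControlServer:
    """Constructed stand-in for the credit-control server: a time balance granted in slices."""
    def __init__(self, balance_s, slice_s=600, known_services=(1,), reachable=True):
        self.balance_s, self.slice_s = balance_s, slice_s
        self.known_services, self.reachable, self.seen = set(known_services), reachable, []
    def handle(self, ccr):
        if not self.reachable:
            return None                                   # the client never sees a CCA
        self.seen.append(ccr)
        if ccr.service_identifier not in self.known_services:
            return CCA(DIAMETER_AUTHORIZATION_REJECTED)   # Service-Identifier not mapped
        self.balance_s -= ccr.used_time_s                 # settle the units just reported
        if ccr.request_type == TERMINATE:
            return CCA(DIAMETER_SUCCESS)
        grant = min(self.balance_s, self.slice_s)
        if grant <= 0:
            return CCA(DIAMETER_CREDIT_LIMIT_REACHED)
        return CCA(DIAMETER_SUCCESS, granted_time_s=grant, granted_octets=50_000_000)

class CreditControlClient:
    """SCUR client: initial reservation, update interrogations, terminate report; time only."""
    def __init__(self, server, handling=TERMINATE_SUB, failover=False, service_id=1,
                 subscriber="46701234567"):
        self.server, self.handling, self.failover = server, handling, failover
        self.service_id, self.subscriber = service_id, subscriber
        self.request_number = self.granted_s = self.used_s = self.unreported_s = 0
        self.log = []                                     # (CC-Request-Type, action) pairs
    def _interrogate(self, request_type):
        ccr = CCR("npm;1;" + self.subscriber, request_type, self.request_number,
                  END_USER_E164, self.subscriber, self.service_id, self.unreported_s)
        self.request_number, self.unreported_s = self.request_number + 1, 0
        cca = self.server.handle(ccr)
        if cca is None:
            action = no_cca_action(request_type, self.handling, self.failover)
        elif cca.result_code != DIAMETER_SUCCESS:
            action = error_cca_action(request_type, self.handling, self.failover)
        else:
            self.granted_s, action = cca.granted_time_s, "continue"   # octets discarded
        self.log.append((request_type, action))
        return action
    def run(self, wanted_s):
        """Meter wanted_s seconds of service and return what ended the session."""
        action = self._interrogate(INITIAL)               # Figure 12-3
        if action != "continue":
            return action
        ended_by = "out of units"
        while self.granted_s > 0:
            slice_s = min(self.granted_s, wanted_s - self.used_s)
            self.used_s, self.unreported_s = self.used_s + slice_s, self.unreported_s + slice_s
            self.granted_s -= slice_s
            if self.used_s >= wanted_s:
                ended_by = "logoff"                       # Figure 12-5
                break
            action = self._interrogate(UPDATE)            # Figure 12-4
            if action != "continue":
                ended_by = action                         # Figure 12-6 when quota exceeded
                break
        self._interrogate(TERMINATE)
        return ended_by
```

With a 900-second balance and 600-second reservations, a subscriber who wants an hour gets exactly 900 seconds: two updates are sent, the second receives 4012 (DIAMETER_CREDIT_LIMIT_REACHED), the default Terminate Subscription handling ends the session, and the terminate interrogation still goes out so the server's balance settles at zero. An unreachable server with Continue Subscription and no secondary configured terminates at the initial interrogation, exactly as Table 12-2 states.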


Chapter 13

Configure Admission Control Function

To configure the NetOp PM admission control function, you must first install the license key; for information on installing NetOp PM licenses, see Chapter 7, Install NetOp PM Software Licenses, in the NetOp Policy Manager Installation Guide.

Before operating the NetOp PM system and activating a service that requires a guaranteed bandwidth reservation, the resource_config table in the NetOp PM database must be configured. This is done partly by manual population and partly by automatic prepopulation; see the Populate the resource_config Table section on page 13-2 for instructions on manual population. The resource_config table is prepopulated with default filtering examples. Use the default filtering examples to manually define the filters that the resource_config table uses for information on maximum bandwidth, background bandwidth, and usage at the residential gateway level and the access node level. Reference the PWFQ policy information when defining the templates in the resource_config table. For sessions terminating on ATM, or on Fast Ethernet (FE) cards where PWFQ is not supported, reference the metering and policing policies to derive the values for the templates.

The first time a service requiring a bandwidth reservation is requested for a card, the admission control function learns the capacity of the card and all of its ports from the network through an SNMP interface, and automatically creates a resource defaults template (see Resource Defaults Template on page 6-4) for each port-level congestion point. The ports inherit their background and utilization characteristics from any less specific template that uses wildcards.

Note: To support the admission control function, the SmartEdge OS provides hierarchical QoS. It is important to configure the node's hierarchical QoS policies to model the subscriber access network. The bandwidth minimums and maximums in the hierarchy should be used as the basis for populating the resource defaults template. For information on configuring QoS policies, see the QoS Policies section on page 3-31.

Note

Do not manually populate the port level capacity information in the resource_config table, and do not manually populate the congestion_point table, as it is done dynamically by the NetOp PM system.

When the admission control function adds a new congestion point to the congestion_point table, it scans the resource_config table for a match. The admission control function also applies node auditing to periodically assess node capacity at the port level. This allows the NetOp PM system to update port template information thereby ensuring that node capacity information is always up to date. By default, a node audit takes place every four hours. You can change the four-hour default setting in the npm.cfg file located in the /usr/local/apache-tomcat-n.n.n/webapps/NPM_API-x.x.x.x/WEB-INF/classes/ directory.


Populate the resource_config Table


To manually populate the resource_config table in the NetOp PM database, use a database management tool, such as the SQL*Plus application, and perform the following steps:

1. In the congestion_point_filter column, enter a filter rule used to match new congestion points for the congestion_point table, in other words, the port, access node, and residential gateway levels. You can use a wildcard (*) so that each component of a congestion point ID has the capability to match all. The following default congestion point level filters are provided in the resource_config table:

   Port level: **/*
   Access node level: **/* vpi-vci* or * */* vlan-id*
   Residential gateway level: **/* vpi-vci ** or **/* vlan-id *:*

   For example, rickys1/* matches all port-level congestion points on slot 1 on the node identified as rickys. If you do not configure a filter for a congestion point level, the capacity for that congestion point level defaults to a value of -1 for unlimited capacity, the background defaults to a value of 0%, and utilization defaults to a value of 100%.

2. In the in_capacity column, specify the inbound capacity in Kbps. The default value is -1 or unlimited.

3. In the out_capacity column, specify the outbound capacity in Kbps. The default value is -1 or unlimited.

Note

Do not manually populate the port level capacity information in the resource_config table; this is done dynamically by the NetOp PM system.

4. In the in_background column, specify the inbound background bandwidth as a percentage (%). The default value is 0.

5. In the out_background column, specify the outbound background bandwidth as a percentage (%). The default value is 0.

6. In the in_utilization column, specify the inbound usage factor as a percentage (%). The default value is 100. Values greater than 100 represent oversubscription.

7. In the out_utilization column, specify the outbound usage factor as a percentage (%). The default value is 100. Values greater than 100 represent oversubscription.

Note

Manually changing the capacity, utilization, and background bandwidth resource attributes does not affect existing congestion points. New attributes only apply to new congestion points created due to a bandwidth reservation request. If you want an attribute change to apply to an existing congestion point, modify the existing congestion point derived from the resource_config item.
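The following is an added example, not NetOp PM code: it models how a new congestion point picks up its attributes from resource_config rows (the documented column names and the -1/0%/100% defaults), using constructed rows and IDs. It assumes shell-style wildcard matching, that the most specific matching filter wins, and a simple reservable-bandwidth formula; none of these are stated on the page.

```python
import fnmatch
from dataclasses import dataclass, asdict
from typing import List, Optional

# Defaults the guide documents for a level with no configured filter.
DEFAULT_CAPACITY = -1      # -1 means unlimited; otherwise Kbps
DEFAULT_BACKGROUND = 0     # percent of capacity used by background traffic
DEFAULT_UTILIZATION = 100  # percent; values above 100 mean oversubscription


@dataclass
class ResourceConfigRow:
    """One resource_config row, using the column names documented above."""
    congestion_point_filter: str
    in_capacity: int = DEFAULT_CAPACITY
    out_capacity: int = DEFAULT_CAPACITY
    in_background: int = DEFAULT_BACKGROUND
    out_background: int = DEFAULT_BACKGROUND
    in_utilization: int = DEFAULT_UTILIZATION
    out_utilization: int = DEFAULT_UTILIZATION


def specificity(pattern: str) -> int:
    """Count literal (non-wildcard) characters; higher means more specific."""
    return sum(1 for ch in pattern if ch != "*")


def match_resource_config(rows: List[ResourceConfigRow],
                          congestion_point_id: str) -> Optional[ResourceConfigRow]:
    """Return the most specific row whose filter matches the ID, or None.

    Assumption: '*' behaves as a shell-style wildcard and, when several
    filters match, the one with the most literal characters wins.
    """
    hits = [r for r in rows
            if fnmatch.fnmatchcase(congestion_point_id, r.congestion_point_filter)]
    if not hits:
        return None
    return max(hits, key=lambda r: specificity(r.congestion_point_filter))


def effective_attributes(rows: List[ResourceConfigRow], congestion_point_id: str) -> dict:
    """Attributes a newly created congestion point would take from resource_config.

    With no matching filter the documented defaults apply: capacity -1
    (unlimited), background 0%, utilization 100%.
    """
    row = match_resource_config(rows, congestion_point_id)
    matched = row.congestion_point_filter if row else None
    attrs = asdict(row) if row else asdict(ResourceConfigRow(congestion_point_filter=""))
    attrs["congestion_point_filter"] = matched
    return attrs


def reservable_kbps(capacity: int, background_pct: int,
                    utilization_pct: int) -> Optional[float]:
    """Bandwidth left for guaranteed reservations in one direction.

    Assumed model (not the product's published formula): capacity scaled by
    the utilization factor, minus the background share. None means unlimited.
    """
    if capacity == DEFAULT_CAPACITY:
        return None
    return capacity * utilization_pct / 100 * (100 - background_pct) / 100


# Constructed rows: the generic access-node-level default filter from the guide
# and a more specific access-node filter for slot 1 of a node named rickys.
# No port-level capacity is set, in line with the note above.
SAMPLE_ROWS = [
    ResourceConfigRow("**/* vlan-id*", in_utilization=120, out_utilization=120),
    ResourceConfigRow("rickys1/* vlan-id*", in_capacity=1_000_000, out_capacity=1_000_000,
                      in_background=10, out_background=10,
                      in_utilization=120, out_utilization=120),
]

if __name__ == "__main__":
    # Constructed congestion point IDs: two access-node level, one port level.
    for cp in ("rickys1/3 vlan-id 100", "other2/5 vlan-id 7", "rickys1/3"):
        attrs = effective_attributes(SAMPLE_ROWS, cp)
        print(cp, "->", attrs["congestion_point_filter"],
              reservable_kbps(attrs["in_capacity"], attrs["in_background"],
                              attrs["in_utilization"]))
```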

For information on defining the admission control function services, see the Bandwidth Service Offerings section on page 3-28 in the NetOp Policy Manager Reference.


Chapter 14

Configure NetOp PM to Support Wireless Networks


Before you set up wireless networks, you must purchase and install a third-party vendor support license to use EAP authentication. The NetOp PM system must be configured to:

- Authenticate and forward EAP RADIUS requests
- Deploy simple and mobile IP networks

EAP authentication must be configured to use mobile IP. You must also install the required additional RADIUS attributes and support for third-party devices, such as external RADIUS servers.

NetOp PM EAP Authentication Overview


The NetOp PM system uses Extensible Authentication Protocol (EAP) authentication to authenticate mobile subscribers. EAP authentication allows service providers to authenticate subscribers before they achieve IP connectivity, which enables a secure connection between mobile subscribers and an authentication server. EAP authentication can be used in many different scenarios. Although nothing precludes it for use with wireline circuits, the NetOp PM system does not currently support that scenario.

Using various releases of the NetOp PM software, service providers can implement the following types of wireless support using EAP authentication:

- Wireless access points (WAP) with EAP
- Simple IP, also known as fixed Mobile IP
- Mobile IP with static keys
- Mobile IP with dynamic keys

Note

EAP is a licensed feature. You must purchase and install the NetOp PM EAP Support license and the Third-party Vendor Support license before using this feature. See Chapter 7, Install NetOp PM Software Licenses in the NetOp Policy Manager Installation Guide.


Configure EAP-Aware Devices


For the procedures to configure your wireless APs, see the proprietary documentation. Use the following guidelines when configuring them to communicate with the NetOp PM system:

- The ports for the NetOp PM RADIUS processes must match the RADIUS port numbers specified in the wireless AP.
- To configure EAP clients (such as the Odyssey Funk or SecureW32 clients) on computers, PDAs, or cellular phones, see the proprietary documentation.
- Enable the NetOp PM system to communicate with and support the third-party device. For more information on this topic, see Chapter 5, Configure External RADIUS and LDAP Servers.

Configure Support for EAP Authentication


For wireless subscribers, the NetOp PM RADIUS server can locally authenticate EAP requests or the NetOp PM system can forward the requests to an external RADIUS server for authentication. The NetOp PM system can authenticate and forward EAP requests in various ways, including the following:

- EAP TLS: Performs local authentication and provides a high level of security by issuing certificates for requests internally between the NetOp PM and RADIUS servers, or externally between the NetOp PM and third-party devices. The NetOp PM system also supports forwarding the EAP TLS protocol.
- EAP TTLS: Extends EAP TLS by establishing a secure channel within which to perform local authentication of the tunneled and inner authentication requests. The NetOp PM can perform local authentication of tunneled requests and forward EAP-MSCHAPv2 and MSCHAPv2 requests, or perform forwarding of tunneled and inner authentication requests to external RADIUS servers.
- EAP-MD5: Performs local authentication or forwards authentication requests to external RADIUS servers.

Caution

For EAP to function properly it is critical that the wireless AP is configured to send the Calling-Station-Id that contains the wireless network subscriber's MAC address.

Local EAP Authentication


The NetOp PM system determines whether to locally authenticate or forward RADIUS access and accounting requests based on the realm configured in the proxy_config table and the setting for the proxy_login_access_request field. If that field is set to Y, the NetOp PM system then looks at the realm attached to the username to determine which external authentication or accounting server to use. To locally authenticate EAP-MD5, EAP-MSCHAPv2, and EAP TLS requests for all realms using the NetOp PM RADIUS servers, create a record in the proxy_config table for the eap_default realm and set the proxy_login_access_request field value to N.


To locally authenticate realm-specific EAP requests, create a record in the proxy_config table for the realm eap_realmname (where realmname is the username realm) and set the proxy_login_access_request field value to N. If the eap_realmname realm is not specifically defined in the proxy_config table, the eap_default realm defines how to handle the EAP request.

Note

Service providers can configure EAP authentication with a single layer of security using the MSCHAPv2, EAP-MD5, or EAP transport layer security (TLS) protocols. EAP tunneled transport layer security (TTLS) lets you add a second layer of security when locally authenticating EAP-MSCHAPv2, MSCHAPv2, and EAP-MD5 protocols.

Forward EAP Authentication Requests


To forward EAP authentication requests for all realms to an external RADIUS server, create a record in the proxy_config table for the eap_default realm and set the proxy_login_access_request field value to Y. Create one or more records in the radius_proxy_server table for the eap_default realm.

To forward EAP authentication requests to a realm-specific external RADIUS server, create a record in the proxy_config table for the eap_realmname realm and set the proxy_login_access_request field value to Y. Create one or more records in the radius_proxy_server table for the eap_realmname realm, where realmname is the username realm. If the eap_realmname realm is not specifically defined in the proxy_config table, the eap_default realm defines how to deal with the EAP request.

For more information, see the Forward RADIUS Authentication Requests section on page 5-3 and the Configure RADIUS Servers External to the NetOp PM System section on page 5-2.

EAP TLS Authentication


Service providers can perform local authentication and provide a high level of security to their subscribers by using EAP TLS and issuing certificates. Certificates are issued to the subscriber or are supplied with the device to provide a secure authentication mechanism with the NetOp PM server.

Locally Authenticate EAP TLS Requests


To locally authenticate EAP TLS requests using the NetOp PM RADIUS servers, perform the following steps:

1. Configure the wireless client devices, such as computers, PDAs, or cellular phones, to send the TLS client certificate.

2. Create a record in the proxy_config table for the eap_default realm and set the proxy_login_access_request field value to N.

Forward EAP TLS Requests


To forward EAP TLS requests to external EAP-aware RADIUS servers, perform the following steps:

1. Configure the wireless client devices (such as computers, PDAs, or cellular phones) to send the TLS client certificate.

2. Create a record in the proxy_config table for the eap_default realm and set the proxy_login_access_request field to Y. For more information, see the Forward RADIUS Authentication Requests section on page 5-3.


3. Create a record for each EAP-aware RADIUS server in the radius_proxy_server table for the eap_default realm. For more information, see the Configure RADIUS Servers External to the NetOp PM System section on page 5-2.

4. Optional. Create a record in the radius_proxy_attributes table for the eap_default realm. For more information, see the Configure RADIUS Attributes to Flow Through the NetOp PM System section on page 5-7. This can also be done when you are enabling forwarding to an external RADIUS server.

Note

The NetOp PM system does not support forwarding EAP requests using the round-robin algorithm.

Issue Certificates for EAP TLS Authentication


To add security when locally authenticating EAP TLS requests, you must install certificates. The NetOp PM RADIUS server installation includes the files for sample EAP TLS certificates. These certificates are not intended for a production deployment. Use a private certificate authority to generate certificates for your production environment; for procedures to install them, refer to the vendor documentation found in the /usr/local/Radiator-4.3.1/doc/ref.pdf file.

The sample certificates provided with the NetOp PM RADIUS server include the following files:

For the NetOp PM RADIUS server:

- /usr/local/Radiator-4.3.1/certificates/demoCA/cacert.pem: CA root certificate file used by the NetOp PM RADIUS server to validate client certificates. Specify the location of the CA root certificate file with the npm_eaptls_cafile entry in the npm_radiator_env.cfg file.
- /usr/local/Radiator-4.3.1/certificates/cert-srv.pem: Server certificate and private key for the NetOp PM RADIUS server; the private key password is "whatever". Configure the location of the server certificate with the npm_eaptls_certfile entry in the npm_radiator_env.cfg file. Configure the location of the server's private key with the npm_eaptls_privatekeyfile entry in the npm_radiator_env.cfg file. The server name in the certificate is test.server.some.company.com. If the server's private key is encrypted, then configure the password to decrypt the server's private key with the npm_eaptls_privatekeypassword entry in the npm_radiator_env.cfg file.

For Microsoft Windows (in Windows, double-click on each file to import the certificate):

- root.der: Root security certificate suitable for importing into Windows as a root certificate. Used by the client to validate the NetOp PM RADIUS server certificate.
- cert-clt.p12: Client certificate and private key, suitable for importing into Windows. The NetOp PM RADIUS server validates this client certificate against its root certificate. The password for the private key is "whatever". The certificate is for a user named testUser.

For Linux (follow the instructions for your client to install the certificate):

- root.pem: Root certificate that matches the preceding cert-srv.pem test certificate for the NetOp PM RADIUS server; for example, it is suitable for use with TLS, TTLS, and EAP-MSCHAPv2 on Linux.
- cert-clt.pem: Client certificate and private key; for example, it is suitable for use with TLS, TTLS, and EAP-MSCHAPv2 on Linux.


For more information about the NetOp PM RADIUS server certificates, see the /usr/local/Radiator-4.3.1/certificates/README file.

Note

When configuring EAP TLS authentication, the subscriber account name must match the subscriber certificate user name. For information on adding a subscriber account to the NetOp PM system, see the Add Subscriber Accounts to the NetOp PM System section on page 16-7.
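Because the sample certificates and their "whatever" key password must not reach production, the following added check (not NetOp PM or Radiator code) reads the npm_eaptls_* entries and flags any that still point at the sample material. It assumes npm_radiator_env.cfg holds one "key value" or "key = value" entry per line; the real file syntax is in the vendor documentation, not on this page, and the sample configuration below is constructed.

```python
import re
from typing import Dict, List

# Sample-certificate directory and sample key password named in the guide.
SAMPLE_CERT_DIR = "/usr/local/Radiator-4.3.1/certificates/"
SAMPLE_KEY_PASSWORD = "whatever"
# Entries the guide says must point at the CA file, server certificate and key.
REQUIRED_KEYS = ("npm_eaptls_cafile", "npm_eaptls_certfile", "npm_eaptls_privatekeyfile")

# Assumed entry syntax: "key value" or "key = value" (one entry per line).
ENTRY_RE = re.compile(r"^\s*(\w+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_env_cfg(text: str) -> Dict[str, str]:
    """Parse the assumed key/value syntax; blank and '#' lines are skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def audit_eaptls(entries: Dict[str, str]) -> List[str]:
    """Return one finding per EAP TLS entry that is missing or still uses sample material."""
    findings: List[str] = []
    for key in REQUIRED_KEYS:
        value = entries.get(key)
        if not value:
            findings.append(f"{key} is not set")
        elif value.startswith(SAMPLE_CERT_DIR):
            findings.append(f"{key} points at the sample certificates: {value}")
    if entries.get("npm_eaptls_privatekeypassword") == SAMPLE_KEY_PASSWORD:
        findings.append("npm_eaptls_privatekeypassword is the sample password")
    return findings


# Constructed sample of npm_radiator_env.cfg, not the shipped file: the server
# certificate was replaced but the CA file and key password were not.
SAMPLE_CFG = """\
# constructed sample, not the shipped npm_radiator_env.cfg
npm_eaptls_cafile /usr/local/Radiator-4.3.1/certificates/demoCA/cacert.pem
npm_eaptls_certfile /etc/npm/tls/radius-server.pem
npm_eaptls_privatekeyfile /etc/npm/tls/radius-server.key
npm_eaptls_privatekeypassword whatever
"""

if __name__ == "__main__":
    for finding in audit_eaptls(parse_env_cfg(SAMPLE_CFG)):
        print("WARNING:", finding)
```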

EAP TTLS Authentication


EAP-Tunneled Transport Layer Security (EAP TTLS) is an EAP protocol that extends TLS. You do not need to install a certificate for every subscriber, which simplifies the setup procedure. EAP TTLS is widely supported across platforms and offers very good security. After the server is securely authenticated to the subscriber through its certificate, the server then uses the established secure connection, also known as a tunnel, to authenticate the subscriber. EAP TTLS can use an existing and widely deployed authentication protocol and infrastructure, incorporating legacy passwords and authentication databases, while the secure tunnel provides protection against eavesdropping and man-in-the-middle attacks. The subscriber's username is never transmitted in unencrypted format, thereby improving privacy.

The NetOp PM system determines whether to locally authenticate or forward EAP access or accounting requests in the following ways:

- By using the eap_realmname realm to define how to deal with an outer EAP request with a username such as joe@realmname. If the eap_realmname realm is not specifically defined in the proxy_config table, the eap_default realm defines how to handle an outer EAP request with a username such as joe@realmname.
- By using the realmname realm to define how to deal with the inner EAP request with a username such as joe@realmname. If the realmname realm is not specifically defined in the proxy_config table, the default realm defines how to handle the inner EAP authentication with a username such as joe@realmname.

Forward EAP TTLS Requests


To forward EAP TTLS inner tunnel requests to external RADIUS servers, perform the following steps:

1. Configure the wireless client devices (such as computers, PDAs, or cellular phones) to send EAP TTLS requests with usernames, such as anonymous or anonymous@realmname.

2. Create a record in the proxy_config table for the realm eap_default and set the proxy_login_access_request field value to Y for the EAP TTLS authentication requests. For more information, see the Forward RADIUS Authentication Requests section on page 5-3.

3. Create one record for each external RADIUS server in the radius_proxy_server table for the realm eap_default for the EAP TTLS authentication requests. For more information, see the Configure RADIUS Servers External to the NetOp PM System section on page 5-2.


4. Optional. Create a record in the radius_proxy_attributes table for the eap_default realm. For more information see the Configure RADIUS Attributes to Flow Through the NetOp PM System section on page 5-7. This can also be done when you are enabling forwarding to an external RADIUS server.

Note

The NetOp PM system does not support forwarding EAP requests using the round-robin algorithm.

Locally Authenticate Tunneled and Inner Authentication Requests


To configure local authentication of tunneled and inner authentication EAP TTLS requests, perform the following steps:

1. Configure the wireless AP to send EAP TTLS requests with usernames such as anonymous or anonymous@realm. EAP TTLS authentications have both an outer EAP TTLS message and an inner EAP-MSCHAPv2 or MSCHAPv2 authentication.

2. Create a record in the proxy_config table for the eap_default realm and set the proxy_login_access_request field value to N for the outer TTLS authentication requests. The NetOp PM system uses the subscriber account realm in the inner authentication to determine whether to locally authenticate or to forward the inner authentication to an external RADIUS server.

3. To locally authenticate the inner authentication, create a record in the proxy_config table for the default realm and set the proxy_login_access_request field value to N for the inner authentication requests.

Locally Authenticate Outer EAP TTLS Requests and Forward Inner EAP Requests
To locally authenticate outer TTLS requests and forward inner EAP requests to external EAP-aware RADIUS servers, perform the following steps:

1. Configure the wireless AP to send EAP TTLS requests with usernames such as anonymous or anonymous@realm.

2. Create a record in the proxy_config table for the eap_default realm and set the proxy_login_access_request field value to N for the outer TTLS authentication requests. For more information, see the Forward RADIUS Authentication Requests section on page 5-3.

3. Create a record in the proxy_config table for the default realm and set the proxy_login_access_request field value to Y for the inner EAP authentication requests. For more information, see the Forward RADIUS Authentication Requests section on page 5-3.

4. Create one record for each external RADIUS server in the radius_proxy_server table for the default realm for the inner EAP authentication requests. For more information, see the Configure RADIUS Servers External to the NetOp PM System section on page 5-2.


5. Optional. Create a record in the radius_proxy_attributes table for the default realm. For more information, see the Configure RADIUS Attributes to Flow Through the NetOp PM System section on page 5-7. This can also be done when you are enabling the NetOp PM system to forward requests to an external RADIUS server.

Note

The NetOp PM system does not support forwarding inner EAP authentication requests to external RADIUS servers using the round-robin algorithm.
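The realm lookup described in the Local EAP Authentication, Forward EAP Authentication Requests and EAP TTLS Authentication sections, as an added example that is not NetOp PM code: outer requests consult eap_realmname then eap_default, inner requests consult realmname then default, and proxy_login_access_request N means local while Y means forward. The proxy_config and radius_proxy_server tables are modelled as dictionaries with constructed realm and server names; the mixed local/forward deployment is the one in the procedure above.

```python
from typing import Dict, List, Optional, Tuple

# Modelled tables: proxy_config maps realm -> proxy_login_access_request ('Y'/'N');
# radius_proxy_server maps realm -> the external RADIUS servers recorded for it.
ProxyConfig = Dict[str, str]
ProxyServers = Dict[str, List[str]]


def username_realm(username: str) -> Optional[str]:
    """'joe@realmname' -> 'realmname'; a bare username carries no realm."""
    if "@" not in username:
        return None
    return username.rsplit("@", 1)[1] or None


def candidate_realms(username: str, inner: bool) -> List[str]:
    """Realm records consulted in order, as the guide describes them."""
    realm = username_realm(username)
    if inner:  # inner (tunneled) authentication: realmname, then default
        return ([realm] if realm else []) + ["default"]
    return ([f"eap_{realm}"] if realm else []) + ["eap_default"]  # outer EAP request


def route_eap_request(proxy_config: ProxyConfig, proxy_servers: ProxyServers,
                      username: str, inner: bool = False) -> Tuple[str, str, List[str]]:
    """Return ('local' or 'forward', the realm record used, external servers)."""
    for key in candidate_realms(username, inner):
        flag = proxy_config.get(key)
        if flag is None:
            continue  # realm not defined: fall through to the default record
        if flag.upper() == "N":
            return ("local", key, [])
        servers = proxy_servers.get(key, [])
        if not servers:
            # The guide requires radius_proxy_server records for a forwarding realm.
            raise LookupError(f"proxy_config {key} forwards but has no radius_proxy_server record")
        return ("forward", key, servers)
    raise LookupError(f"no proxy_config record applies to {username} (inner={inner})")


def route_ttls(proxy_config: ProxyConfig, proxy_servers: ProxyServers,
               outer_username: str, inner_username: str) -> dict:
    """EAP TTLS: the outer record decides first; only a locally terminated
    tunnel reaches the inner-authentication decision."""
    outer = route_eap_request(proxy_config, proxy_servers, outer_username, inner=False)
    inner = None
    if outer[0] == "local":
        inner = route_eap_request(proxy_config, proxy_servers, inner_username, inner=True)
    return {"outer": outer, "inner": inner}


# Constructed deployment: terminate the outer TTLS tunnel locally, authenticate
# the corp realm locally, and forward every other inner realm to external servers.
PROXY_CONFIG: ProxyConfig = {"eap_default": "N", "eap_corp": "N", "corp": "N", "default": "Y"}
RADIUS_PROXY_SERVER: ProxyServers = {"default": ["ext-radius-1.example", "ext-radius-2.example"]}

if __name__ == "__main__":
    print(route_ttls(PROXY_CONFIG, RADIUS_PROXY_SERVER, "anonymous", "joe@corp"))
    print(route_ttls(PROXY_CONFIG, RADIUS_PROXY_SERVER, "anonymous@partner", "jane@partner"))
```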

EAP-MD5 Authentication
EAP-MD5 performs local authentication or forwards authentication requests to external RADIUS servers.

Locally Authenticate EAP-MD5 Requests


To locally authenticate EAP-MD5 requests, create a record in the proxy_config table for the eap_default realm and set the proxy_login_access_request field value to N.

Forward EAP-MD5 Requests


To forward EAP-MD5 requests to an external EAP-aware RADIUS server, perform the following steps:

1. Create a record in the proxy_config table for the eap_default realm and set the proxy_login_access_request field value to Y for the EAP-MD5 authentication requests. For more information, see the Forward RADIUS Authentication Requests section on page 5-3.

2. Create one record for each external RADIUS server in the radius_proxy_server table for the eap_default realm for the EAP-MD5 authentication requests. For more information, see the Configure RADIUS Servers External to the NetOp PM System section on page 5-2.

3. Optional. Create a record in the radius_proxy_attributes table for the eap_default realm. For more information, see the Configure RADIUS Attributes to Flow Through the NetOp PM System section on page 5-7. This can also be done when you are enabling the NetOp PM system to forward requests to an external RADIUS server.

Wireless Authorization Overview


Wireless networks require device authentication and subscriber authentication, or subscriber authentication only, through a portal or Extensible Authentication Protocol (EAP) before letting mobile subscribers access the network. Device authentication is required to ensure that the device being used is compatible with the network. Subscriber authentication verifies that the subscriber account is known to the network because this is the account that is billed for services. Subscriber authorization grants specific privileges, including no privilege, to the subscriber's device. Authorization may be based on restrictions; for example, physical location restrictions or restrictions against multiple logins by the same subscriber. Often, granting a privilege constitutes the ability to use a certain type of service.


Authentication takes place whether subscribers access their service subscriptions from a fixed address, such as their home computer (Simple IP), or use wireless access to connect from a location other than their home location (Mobile IP), such as a PC, PDA, or phone.
Figure 14-1 NetOp PM WiMAX Home Agent-Based Authentication

Wireless Web Login Through a Portal


Wireless web login through a portal provides authentication over a web portal and authorizes a DHCP CLIPS subscriber session. For more information about this support, see Appendix B, Subscriber Session Processes in the NetOp Policy Manager Product Overview.

Simple IP
Using Simple IP, also known as Fixed Mobile IP, a wireless device must obtain a new IP address and lose its existing connections every time it changes its point of attachment. Deploy this NetOp PM solution with EAP authentication and SER DHCP CLIPS authorization.


Simple IP provides EAP authentication and authorizes a DHCP CLIPS subscriber session, which is fixed to one base station in a service provider network. Simple IP also provides support for both WiFi and WiMAX. For information on how subscribers are authenticated and granted Internet access, see Appendix B, Subscriber Session Processes in the NetOp Policy Manager Product Overview. For more information about deploying Simple IP, see the Deploy a NetOp PM System for Simple IP section on page 14-9.

Deploy a NetOp PM System for Simple IP


Simple IP is also known as Fixed Mobile IP. You can use EAP authentication and DHCP CLIPS authorization, which is fixed to one base station in a service provider network. For Simple IP, the EAP authentication pre-authenticates the CLIPS session. Simple IP is similar to the concept of WiFi authentication over a portal. The following concepts are used interchangeably and are part of the overall concept of wireless authentication: 802.1x Wireless EAP

You can either terminate subscribers logging on from a wireless AP or forward EAP requests to an external EAP-capable RADIUS server. The legacy component, NetOp PM EAP proxy server, is no longer distributed. This functionality is incorporated into the new NetOp PM RADIUS server. For information on configuring the NetOp PM RADIUS servers to support wireless authentication, see the Configure Support for EAP Authentication section on page 14-2. To forward EAP requests to external EAP-aware RADIUS servers, see Chapter 5, Configure External RADIUS and LDAP Servers. Service providers can install, configure, and define services that deliver Simple IP service to their subscribers by following the steps in the order they are shown in Table 14-1. All references are to sections in this guide, unless otherwise noted.
Table 14-1 Steps to Set Up your NetOp PM System to Provide Simple IP Services

Task: Install NetOp PM for Simple IP

What do you need to know?
- Determine what type of system you require, including the following: required hardware, required software.
- Verify you are set up to use NTP client service on Solaris 10.
- You need these licenses: third-party device types require the NetOp PM Multi-Vendor Support license; EAP requires the NetOp PM EAP Support license.
- If you are installing the NetOp PM system for the first time, do the following: review the RADIUS dictionary file and add any required additional RADIUS attributes to it; add the ASNGW and SmartEdge nodes being used in the Simple IP deployment to the NetOp PM system.
- If you are upgrading the NetOp PM system, do the following: stop the RADIUS and API servers; migrate your dictionary customizations to the new dictionary; start the RADIUS and API servers.

Information can be found here:
- NetOp Policy Manager Installation Guide
- Configure NTP on page 1-4
- Configure RADIUS Attributes for ASN Gateways on page 14-16
- Chapter 4, Configure RADIUS
- Chapter 2, Configure the NetOp PM API Servers
- Verify or Add Additional RADIUS Attributes to the dictionary_redback.cfg File on page 7-3

Task: Configure the NetOp PM system for wireless authentication and authorization

What do you need to know?
- Verify the following for a typical SER configuration enabling Simple IP services: required SmartEdge node configuration; sample node configurations.
- If not set up already, configure the SmartEdge router and NetOp PM hosts to run NTP client.
- Enable EAP authentication for Simple IP services.

Information can be found here:
- Chapter 3, Configure the Node for the NetOp PM System
- Appendix 1, Sample Configurations
- Configure NTP on page 1-4
- Chapter 14, NetOp PM EAP Authentication Overview
- Chapter 14, Configure RADIUS Attributes for ASN Gateways
- Note: See also the NetOp Policy Manager Product Overview.

Task: Craft services for Simple IP

What do you need to know?
- Determine what services you want to offer for the Simple IP deployment.
- Configure the ASNGW-EAP variation for each service attribute variation referenced by those services.
- Configure the SER-CLIPS variation for each service attribute referenced by those services.

Authenticating mobile subscribers for Simple IP is based on individual carriers' business rules. Consult your local Redback technical support team for further assistance if required.

Mobile IP
Mobile IP allows mobile nodes (MNs) to maintain their existing IP sessions regardless of the location from which they attempt to connect. You can enable the NetOp client to support configurations for Mobile IP circuit types and EAP authentication types. Mobile IP services enable subscribers with MNs to roam across multiple networks without having to reconnect their sessions. This roaming is done by allowing a mobile node (MN) to retain its IP address and thereby maintain its existing IP session.


Mobile IP with Static Keys Authorization


Mobile IP with static keys authorization provides EAP authentication and authorizes a mobile IP subscriber session, potentially multiple times. This type of Mobile IP supports the 3GPP Forum where a session moves between Foreign Agents (FAs). The NetOp PM system supports FAs and HAs for mobile subscribers who are not likely to roam across service providers. One example of this type of service is cellular CDMA standards for cellular devices. The NetOp PM system supports static keys for MN-HA, FA-HA, and EAP authentication.

Deploy a NetOp PM System for Mobile IP with Static Keys Authorization


Wireless authorization services allow service providers to offer their subscribers access to uninterrupted service regardless of where they establish their sessions. For example, a subscriber may establish service from a home-based PC and, without losing connection, move about the day with the same established circuit. In this example, this type of service is used for cellular CDMA standards for cellular devices.

Mobile IP with static keys service supports both the 3GPP2 and WiMAX forums where a session moves between Foreign Agents (FAs). Use the 3GPP2 and WiMAX vendor attributes to configure static keys for the FA-HA tunnel and the MN-HA authorization keys. The NetOp PM system supports static keys for the home agent (HA) and the ASN gateway for these protocols: EAP TLS, EAP TTLS, EAP-MSCHAPv2, and EAP-MD5. For information about HA, see Configure Additional RADIUS Attributes on page 7-1. For information about the ASN gateway, see Configure RADIUS Attributes for ASN Gateways on page 14-16.

To use static keys, add the required additional 3GPP2 and WiMAX RADIUS attributes to the Dynamic IP Address service attribute variation (SAV) for SER-MOBILE IP and ASNGW-EAP variations. Then enter the static key values in the SAV. A static key in the NetOp PM service offering suppresses the generation of a dynamic key. The following sample XML files demonstrate the additional RADIUS attributes that can be injected for either 3GPP2 or WiMAX static keys:

/usr/local/npm/soap_client/perl/sampleMobileIP3GPP2StaticKeyRadiusAttributes.xml
/usr/local/npm/soap_client/perl/sampleMobileIPWiMAXStaticKeyRadiusAttributes.xml

You can install, configure, and define services that deliver Mobile IP with static keys service to subscribers by following the steps in the order they are shown in Table 14-2. All references are to sections in this guide, unless otherwise noted.
Table 14-2 Steps to Set Up your NetOp PM System to Provide Services for Mobile IP with Static Keys

Task: Install NetOp PM for Mobile IP with static keys

What do you need to know?
- Determine what type of system you require, including the following: required hardware, required software.
- Verify you are set up to use NTP client service on Solaris 10. If not set up already, configure the SmartEdge router and NetOp PM hosts to run NTP client.
- You need these licenses: third-party device types require the NetOp PM Multi-Vendor Support license; EAP requires the NetOp PM EAP Support license.
- If you are installing the NetOp PM system for the first time, do the following: review the RADIUS dictionary file and add any required additional RADIUS attributes to it; add the ASNGW and SmartEdge Home Agent nodes being used in the Mobile IP deployment to the NetOp PM system.
- If you are upgrading the NetOp PM system, do the following: stop the RADIUS and API servers; migrate your dictionary customizations to the new dictionary; start the RADIUS and API servers.

Information can be found here:
- NetOp Policy Manager Installation Guide
- Configure NTP on page 1-4
- Chapter 4, Configure RADIUS
- Chapter 2, Configure the NetOp PM API Servers
- Configure RADIUS Attributes for ASN Gateways on page 14-16
- Verify or Add Additional RADIUS Attributes to the dictionary_redback.cfg File on page 7-3

Task: Configure the NetOp PM system to support Mobile IP with static keys

What do you need to know?
- Verify the following for a typical SmartEdge router configuration enabling Mobile IP with static keys services: required SmartEdge node configuration; sample node configurations; typical HA and FA SER configuration files.
- Enable EAP authentication for Mobile IP with static keys.

Information can be found here:
- Chapter 3, Configure the Node for the NetOp PM System
- Chapter 14, NetOp PM EAP Authentication Overview
- Chapter 14, Configure RADIUS Attributes for ASN Gateways

Task: Configure static keys

What do you need to know?
- Inject the appropriate sampleMobileIP3GPP2StaticKeyRadiusAttributes.xml or sampleMobileIPWiMAXStaticKeyRadiusAttributes.xml sample XML file from the /usr/local/npm/soap_client/perl/ directory.
- Configure the static keys in the appropriate Dynamic IP Address service attribute variations.
- Change of Authentication (CoA) for mobile subscribers; SER command.

Information can be found here:
- CoA on page 3-9
- Chapter 14, Configure RADIUS Attributes for ASN Gateways
- Note: See also the NetOp Policy Manager Product Overview.

Task: Craft services for Simple IP

What do you need to know?
- Determine what services you want to offer for the Mobile IP deployment.
- Configure the ASNGW-EAP variation for each service attribute variation referenced by those services.
- Configure the SER-MOBILE_IP variation for each service attribute referenced by those services.


Mobile IP with Dynamic Keys Authorization


Mobile IP with dynamic keys authorization provides EAP authentication and authorizes a Mobile IP subscriber session, potentially several times over the life of the session. Of the Mobile IP options in this chapter it is the most secure, because the keys are generated during authentication rather than provisioned statically. With this feature, the NetOp PM system supports WiMAX Forum industry-standard attributes for third-party WiMAX devices. A Mobile IP session moves between FAs, and the NetOp PM system supports FAs and HAs for mobile subscribers who roam across service providers.

Deploy the NetOp PM System for Mobile IP with Dynamic Keys Authorization
Wireless authorization services let you offer subscribers uninterrupted service regardless of where they establish their sessions. For example, a subscriber may establish service from a home-based PC and, without losing the connection, keep the same established circuit throughout the day. Mobile IP with dynamic WiMAX keys is the most secure Mobile IP method, and it supports the WiMAX Forum attributes used by third-party WiMAX devices. A Mobile IP session can move between Foreign Agents (FAs) within a single access network or across multiple access networks. The NetOp PM system supports dynamic WiMAX keys for the Home Agent (HA) with EAP-TLS, EAP-TTLS, EAP-MSCHAPv2, and EAP-MD5. The NetOp PM system generates the following WiMAX Forum RADIUS attributes:
WiMAX-FA-RK-Key
WiMAX-FA-RK-SPI
WiMAX-HA-RK-Key
WiMAX-HA-RK-SPI
WiMAX-MN-HA-MIP4-Key
WiMAX-MN-HA-MIP4-SPI

These keys and their security parameter indexes (SPIs) are generated dynamically during network access authentication. During Mobile IP registration the HA requests a key by SPI, and the key is returned only when the SPI matches. The default lifetime for all HA-RK keys is 24 hours; once a key expires, the mobile must authenticate again so that a fresh key and SPI are generated.

Note: The NetOp PM system does not support the use of both static WiMAX keys and dynamic WiMAX keys in the same deployment.
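The following Python is an added example, written for this guide and not part of the NetOp PM product, that models the lookup just described: an HA-side store of HA-RK keys indexed by SPI, honouring the 24-hour default lifetime and refusing unknown or expired SPIs. The key bytes are random placeholders (the real HA-RK is derived from the EAP session, which is not reproduced here), and the class and method names are chosen for this example only.

```python
import secrets
import time
from dataclasses import dataclass

# Added example, not NetOp PM code. Models how a home agent can hold
# dynamically generated HA-RK keys by SPI and honour the default lifetime.
# Assumptions: key bytes are random placeholders (the real HA-RK is derived
# from the EAP session, which is not reproduced here); class and method names
# are chosen for this example only.

HA_RK_LIFETIME_SECONDS = 24 * 60 * 60  # default HA-RK lifetime given in the text
RESERVED_SPI_MAX = 255                 # Mobile IP reserves SPI values 0-255


@dataclass(frozen=True)
class HaRk:
    spi: int
    key: bytes
    expires_at: float  # absolute time, seconds since the epoch


class HaRkCache:
    """Key store indexed by SPI; a lookup succeeds only on an exact, unexpired match."""

    def __init__(self, lifetime=HA_RK_LIFETIME_SECONDS):
        self._lifetime = lifetime
        self._by_spi = {}

    def generate(self, now=None):
        """Mint a new HA-RK with a fresh, non-reserved, currently unused SPI."""
        now = time.time() if now is None else now
        while True:
            spi = secrets.randbits(32)
            if spi > RESERVED_SPI_MAX and spi not in self._by_spi:
                break
        entry = HaRk(spi=spi, key=secrets.token_bytes(20),
                     expires_at=now + self._lifetime)
        self._by_spi[spi] = entry
        return entry

    def lookup(self, spi, now=None):
        """Return the key for a matching unexpired SPI, or None (unknown or expired)."""
        now = time.time() if now is None else now
        entry = self._by_spi.get(spi)
        if entry is None:
            return None
        if now >= entry.expires_at:
            # Expired keys are dropped rather than handed out; the mobile must
            # re-authenticate so that a fresh HA-RK and SPI are generated.
            del self._by_spi[spi]
            return None
        return entry.key

    def purge_expired(self, now=None):
        """Drop every expired entry; returns how many were removed."""
        now = time.time() if now is None else now
        expired = [spi for spi, e in self._by_spi.items() if now >= e.expires_at]
        for spi in expired:
            del self._by_spi[spi]
        return len(expired)

    def __len__(self):
        return len(self._by_spi)
```

The `now` parameters exist so that expiry can be exercised deterministically; in production they are simply left at the wall-clock default.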

For the WiMAX Forum NWG Release 1.1.2 specifications, visit the WiMAX Forum web site at http://www.wimaxforum.org/home/. Service providers can install, configure, and define services that deliver Mobile IP service to their subscribers by following the steps in the order shown in Table 14-3. All references are to sections in this guide unless otherwise noted. Be aware that deploying a service for Mobile IP with dynamic keys means that no static keys are defined in the service attribute variations.


Table 14-3  Steps to Set Up Your NetOp PM System to Provide Services for Mobile IP with Dynamic Keys

Task: Install NetOp PM for Mobile IP with dynamic keys
What you need to know:
- Determine what type of system you require, including the required hardware and the required software.
- Verify that the NTP client service is set up on Solaris 10.
- You need these licenses: third-party device types require the NetOp PM Multi-Vendor Support license, and EAP requires the NetOp PM EAP Support license.
- If you are installing the NetOp PM system for the first time: review the RADIUS dictionary file and add any additional RADIUS attributes you require; then add the ASNGW and SmartEdge Home Agent nodes used in the Mobile IP deployment to the NetOp PM system.
- If you are upgrading the NetOp PM system: stop the RADIUS and API servers, migrate your dictionary customizations to the new dictionary, and start the RADIUS and API servers again.
Where to find the information:
- NetOp Policy Manager Installation Guide
- Configure NTP on page 1-4
- Verify or Add Additional RADIUS Attributes to the dictionary_redback.cfg File on page 7-3
- Chapter 14, Configure RADIUS Attributes for ASN Gateways
- Chapter 4, Configure RADIUS
- Chapter 2, Configure the NetOp PM API Servers

Task: Configure the NetOp PM system for wireless authentication and authorization
What you need to know:
- Verify the following for a typical SER configuration that enables Mobile IP services: the required SmartEdge node configuration and the sample node configurations.
- If not set up already, configure the SmartEdge router and the NetOp PM hosts to run an NTP client.
- Enable EAP authentication for Mobile IP services.
Where to find the information:
- Chapter 4, Configure RADIUS
- Configure NTP on page 1-4
- Chapter 14, NetOp PM EAP Authentication Overview

Task: Configure your NetOp PM system for Mobile IP with dynamic keys
What you need to know:
- Required SmartEdge node configuration and sample node configurations for Mobile IP services.
- Typical HA, FA, and MN-HA SER configuration files.
- Change of Authorization (CoA) for mobile subscribers; SER command.
- Configure the SER for CoA, LI, Hotline, and HA.
- Configure DNS.
Where to find the information:
- CoA on page 3-9
- Chapter 4, Configure RADIUS
- Note: For HA, see the Configuring Hotlining for a Home Agent document in the SmartEdge OS Library. For DNS, see the Configuring DNS document in the SmartEdge OS Library.

Task: Craft services for Mobile IP
What you need to know:
- Determine what services you want to offer for the Mobile IP deployment.
- Configure the ASNGW-EAP variation for each service attribute variation referenced by those services.
- Configure the SER-MOBILE_IP variation for each service attribute variation referenced by those services.
Where to find the information:
- Chapter 14, Configure RADIUS Attributes for ASN Gateways

Configuration Tasks

Mobile IP services require that you configure your NetOp PM system for EAP authentication. This configuration enables the NetOp PM system to recognize third-party devices (NAS types) that support EAP circuit types. After you have configured EAP authentication, you can enable Mobile IP services. Service providers can craft Mobile IP with static keys services and configure the NetOp PM system to support Mobile IP services for home agents (HAs) configured on the SmartEdge router or on third-party devices.

To configure EAP authentication for Mobile IP services, perform the following steps:

1. Install the EAP Support and the Third-party Vendor Support licenses.
2. Configure the NetOp PM RADIUS server to support EAP authentication.
3. Configure EAP authentication to return additional RADIUS attributes. For instructions, see the Configure Support for Mobile IP Third-Party Device Types section on page 14-24.
4. Configure the HA on the SmartEdge router or third-party device. For detailed instructions on how to configure an HA on a SmartEdge router, see the Configuring Mobile IP for a Home Agent document in the SmartEdge OS Library.
5. Using the NetOp client, define an ASNGW-EAP and a SER-MOBILE_IP service attribute variation for the Dynamic IP Address service attribute:
   a. Navigate to the Service Attribute Variation Properties panel and select the Dynamic IP Address Variation folder. The Dynamic IP Address Variation summary is displayed.
   b. Select Dynamic IP Address in Context BASIC from the summary, and then select ASNGW-EAP and then SER-MOBILE_IP from the list of variations that appears.
   c. Enter the appropriate attribute values for the ASNGW-EAP and SER-MOBILE_IP service attribute variations.
   d. Click Apply to save your changes.

For detailed instructions on how to define service attribute variations, see the Create Service Attribute Variations section on page 10-1.

The SER-MOBILE_IP circuit type supports the following service attribute variation (SAV) types: Dynamic IP Address, IP Redirect, and Lawful Intercept.

Configure RADIUS Attributes for ASN Gateways


ASN Gateways

The ASNGW-EAP variation lets you configure service attribute variations with WiMAX-specific, vendor-specific, and standard RADIUS attributes and return them to the ASN gateway during EAP authentication. An access service network (ASN) gateway is a third-party device within the ASN that connects a mobile station to an IP connectivity service network (CSN). Its typical functions include EAP authentication against an AAA RADIUS server, caching subscriber encryption keys, and establishing and managing Mobile IP sessions between base stations and foreign agents (FAs). The NetOp PM system supports EAP authentication for Mobile IP in compliance with WiMAX Forum industry standards. To deploy Mobile IP with EAP authentication, you must use ASN gateways in your network.

Note: Mobile IP requires that you purchase and install the following licenses: NetOp PM EAP Support and NetOp PM Third-party Vendor Support.

In the NetOp client, the ASNGW-EAP variation is associated with the Bandwidth, Custom, and Dynamic IP Address service attribute variations. To configure WiMAX Forum-compliant RADIUS attributes for ASN gateways that support EAP authentication for Mobile IP, perform the following steps:

1. Install the NetOp PM EAP Support and NetOp PM Third-party Vendor Support licenses. For information on installing NetOp PM licenses, see Chapter 7, Install NetOp PM Software Licenses in the NetOp Policy Manager Installation Guide.
2. Add NWG-compliant additional RADIUS attributes to the NetOp PM system by using the ConfigRADIUSAttribute.addRADIUSAttributeXML.pl script. For detailed information on how to add additional RADIUS attributes, see Chapter 7, Configure Additional RADIUS Attributes.


Note: If you have existing ASN gateways that are not WiMAX-NWG compliant and you want to upgrade them to be WiMAX-NWG compliant, you must add the ASNGW NAS type and the EAP circuit type to each existing additional RADIUS attribute; for example:

<NASType>
  <Name>ASNGW</Name>
  <CircuitTypes>
    <CircuitType>EAP</CircuitType>
  </CircuitTypes>
</NASType>

3. Activate the ASNGW-EAP variation in the NetOp client:
   a. Navigate to the Service Attribute Variation Properties panel and select the Dynamic IP Address Variation folder. The Dynamic IP Address Variation summary is displayed.
   b. Select the Dynamic IP Address variation that you want to configure for an ASN gateway with EAP authentication. The options associated with the Dynamic IP Address variation are displayed in the navigator.
   c. Right-click the grayed ASNGW-EAP variation check box and select Activate.
   d. The ASN gateway RADIUS attributes are displayed in the management view panel. Figure 14-2 shows the ASNGW-EAP variation with its Filtering and RADIUS attributes.

Figure 14-2  Configuring Support for ASN Gateway RADIUS Attributes

4. Enter the values for the RADIUS, additional RADIUS, and filtering attributes. For descriptions and valid values of the supported RADIUS and filtering attributes, see Chapter 1, Filtering Attribute and RADIUS Attribute Descriptions in the NetOp Policy Manager Reference.
5. Use the NASMgmt.addNASXML API method to add each WiMAX-NWG compliant ASN gateway that you want to deploy on the network. For more information on adding a NAS, see the Add, View, Remove, and Update Node Information in the NetOp PM System section on page 1-11.

Note: If you have pre-existing nodes that are NWG-compliant ASN gateways, update the NAS type of these nodes to ASNGW by using the ConfigNASType.updateNASTypeXML API method.

The NetOp PM services are now configured for use with an ASN gateway.

Home Agent
A SmartEdge router or third-party device can act as a Mobile IP home agent (HA); see Figure 14-1. The HA is the anchor component in a Mobile IP network that provides seamless mobility to the mobile node (MN). When an MN is attached to its home network, it does not use Mobile IP services because it communicates directly using normal IP routing. When an MN is roaming and is not connected to its home network, its HA authenticates the MN through the NetOp PM system and verifies that Mobile IP services should be provided. Mobile IP services enable the SmartEdge router to act as one or more HA instances, each of which communicates with its own MNs. When an MN moves outside the network served by its HA, it connects to the HA through a foreign agent (FA), which in turn communicates with the HA. In a typical deployment, MNs connect wirelessly to base transceiver stations (BTSs), which connect to the SmartEdge router FA over Ethernet. The EAP access point can be at the BTS or at the access point controller.

WiMAX Outer Identity


When a mobile subscriber attempts network entry from a foreign network, the authentication request can be routed through a series of visited AAA (VAAA) servers until it reaches the home AAA (HAAA) server, which authenticates it. The EAP authentication request carries an outer identity in the User-Name attribute; this contains the realm information the VAAAs use for routing and is used as the Network Access Identifier (NAI) at the HAAA when the NetOp PM system is configured there. The NetOp PM system supports both a pseudo ID and WiMAX decoration in the User-Name attribute. The pseudo ID improves privacy by hiding the subscriber's real identity, such as a MAC address, from the visited network. The NetOp PM system accepts WiMAX decoration but does not currently act on it: it strips the decoration from the User-Name value and uses the remaining NAI as the authenticated identity.

Note: If you set Service-Type=Login for devices that are not fully WiMAX Network Working Group (NWG) compliant, reauthorization is handled as a new authorization. For NWG-compliant devices, when the outer identity changes on reauthorization but the original NAI is kept, you must set Service-Type=Authenticate-Only.


Configure the NetOp PM System and the ASN Gateway to Authenticate Subscribers with WiMAX Outer Identity
Configure the NetOp PM system and the ASN gateway to authenticate a subscriber using the WiMAX outer identity. Configure the ASN gateway to send the WiMAX capability in the EAP Access-Request, and provision the WiMAX-HA-IP VSA so that WiMAX attributes are sent in the EAP Access-Accept. Together these determine whether the subscriber session is Mobile IP or Simple IP: a session is treated as Mobile IP only when the VSA is provisioned and the ASN gateway has declared the WiMAX capability; either one alone yields Simple IP. Table 14-4 shows the outcome of an EAP Access-Accept depending on which attributes are configured and whether the WiMAX capability is present in the Access-Request sent by the ASN gateway.

Table 14-4  WiMAX Access-Accept Sent by Configuring Attributes

WiMAX capability sent by ASN gateway | WiMAX-HA-IP VSA configured | WiMAX attributes sent in Access-Accept | Type of subscriber session
Not present                          | Yes                        | No                                     | Simple IP
Not present                          | No                         | No                                     | Simple IP
Present                              | Yes                        | Yes                                    | Mobile IP
Present                              | No                         | No                                     | Simple IP

Note: To authenticate the WiMAX outer identity for EAP Access-Requests that do not carry the WiMAX capability, contact your customer support representative.

EAP TLS/TTLS Authentication with WiMAX Outer Identity


Configure the NetOp PM system to run as an HAAA to authenticate mobile subscribers using the outer identity. An EAP authentication request carrying a WiMAX outer identity can be forwarded through VAAAs until it reaches an HAAA, where forwarding stops and the HAAA authenticates the EAP request. To run the NetOp PM system as an HAAA:

1. Create a record of the ASN gateway in the nas_info table.
2. Create a record of the VAAA in the nas_info table.
3. Set the proxy_config table flags to N.

EAP TLS/TTLS Request Routing with WiMAX Outer Identity


An EAP authentication request carrying a WiMAX outer identity is forwarded through one or more VAAAs until it reaches an HAAA for authentication. The WiMAX outer identity contains the routing realms used by the VAAAs. To route an authentication request based on the outer identity, configure the NetOp PM system as a VAAA for the specific routing realm; the NetOp PM system then forwards EAP Access-Requests for that realm. To run the NetOp PM system as a VAAA:

1. Create a record of the ASN gateway in the nas_info table.
2. Create a record in the proxy_config table for eap_<realm> and set the proxy_login_access_request field to Y.
3. Create a record for each EAP-aware RADIUS server in the radius_proxy_server table for eap_<realm>.
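The following Python is an added example, written for this guide and not part of the NetOp PM product, that ties together the WiMAX Outer Identity section above and the two procedures just given: it strips WiMAX decoration from the outer identity, splits the NAI into user and realm, and then decides from a proxy_config-style table whether this server forwards the request as a VAAA or authenticates it as the HAAA. The table layouts (dicts keyed eap_<realm>), the {key=value} decoration form, and the function names are assumptions made for the example.

```python
import re

# Added example, not NetOp PM code. Assumptions: WiMAX decoration is one or
# more leading "{key=value}" groups on the NAI; proxy_config and
# radius_proxy_server are modelled as dicts keyed "eap_<realm>"; a pseudo ID
# is treated as an opaque username and is never decoded.

DECORATION = re.compile(r"^(?:\{[^{}]*\})+")


def strip_wimax_decoration(user_name):
    """Remove leading {..} groups; what remains is the NAI used as the authenticated identity."""
    return DECORATION.sub("", user_name, count=1)


def split_nai(nai):
    """Split 'user@realm' into (user, realm); realm is '' when the NAI has none."""
    user, sep, realm = nai.rpartition("@")
    if not sep:
        return nai, ""
    return user, realm.strip().lower()


def route_access_request(user_name, proxy_config, radius_proxy_servers):
    """Return the routing decision for one EAP Access-Request.

    proxy_config:         {"eap_<realm>": {"proxy_login_access_request": "Y" | "N"}}
    radius_proxy_servers: {"eap_<realm>": ["aaa-host", ...]}
    The result is a dict whose "action" is "forward", "authenticate" or "reject".
    """
    nai = strip_wimax_decoration(user_name)
    user, realm = split_nai(nai)
    if not user:
        return {"action": "reject", "nai": nai, "reason": "empty username"}
    if not realm:
        # No realm to route on: only the local server can handle this.
        return {"action": "authenticate", "nai": nai}
    key = "eap_" + realm
    entry = proxy_config.get(key, {})
    if entry.get("proxy_login_access_request", "N").upper() == "Y":
        servers = radius_proxy_servers.get(key, [])
        if not servers:
            # Configured to proxy but nowhere to send it: fail closed.
            return {"action": "reject", "nai": nai,
                    "reason": "no proxy server for " + key}
        return {"action": "forward", "nai": nai, "servers": list(servers)}
    # proxy_config flag is N (or absent): this server is the HAAA for the realm.
    return {"action": "authenticate", "nai": nai}
```

A VAAA is modelled by a proxy_config entry with proxy_login_access_request set to Y plus a server list for the same eap_<realm> key; an HAAA is the same realm with the flag set to N. The realm is lower-cased before lookup so that a differently cased outer identity cannot slip past a proxy rule.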

Define a Mobile IP Home Agent Hotline Service Offering


Note: If you plan to redirect Mobile IP sessions, contact your customer support representative to confirm that you have a compatible version of the SmartEdge OS. The NetOp PM system's support for redirecting Mobile IP sessions requires SmartEdge OS 6.1.4.0 or later. To hotline a subscriber through the NetOp PM client, see the Redirect a Subscriber using EAP section on page 7-12.

Service providers can redirect Mobile IP subscribers with the SmartEdge router acting as the home agent (HA). In effect, the NetOp PM system acts as the home AAA server that activates IP redirect for subscribers as instructed by the RADIUS attributes. Subscribers are not authorized to use normal service while they are being redirected (hotlined).

In the scenario described here, a service provider uses the NetOp PM system to redirect Mobile IP subscribers who enroll with a temporary username and password to a web page where they obtain or enter their permanent username and password, or a voucher and PIN, which must be entered before their service subscription begins. The service provider must then stop the hotline so that the subscriber can continue the Mobile IP session.

The NetOp PM system also supports redirecting CLIPS sessions; for example, in a WiFi hot-spot or a fixed WiMAX scenario. Carrying this sample scenario forward, follow the guidance in these topics:
Overview of Redirecting a Mobile IP Subscriber Session
Hotline Mobile IP Subscribers at Session Startup

Overview of Redirecting a Mobile IP Subscriber Session


To hotline subscribers, service providers create an IP Redirect service offering that defines an inline service attribute variation with the filtering and RADIUS attributes required to establish a hotline redirect for Mobile IP subscribers. This new service and an appropriate Access service are then added to a Mobile IP subscriber session to preconfigure the hotline redirect. For temporary subscribers, service providers add an appropriate Access service, as described in the Configure RADIUS Attributes for ASN Gateways section on page 14-16, and the Account Registration Login service offering to the service subscription, as shown in the following figure:


The sample service offering Account Registration Login, which is of the IP Redirect service type, has been created (see Hotline Mobile IP Subscribers at Session Startup on page 14-22 for instructions) and added to the subscriber along with the appropriate Access service offering (see Create an Access Service Offering on page 9-4 for instructions).

Note: To hotline subscribers, you must configure Mobile IP with dynamic keys plus ASNGW-EAP. For more information, see the Mobile IP with Dynamic Keys Authorization section on page 14-13.

The hotline redirect profile mobile-account-registration-redirect, which is used by the Account Registration Login service offering, has been configured on the SmartEdge Home Agent with an HTTP redirect URL of http://10.192.100.238/NPM-6.n.n.n/newaccount.htm. With this setup, when new Mobile IP subscribers log in they are redirected to the newaccount.htm web page, where they enter or obtain their permanent username and password. The service provider then brings the subscriber out of the redirect page by stopping the hotline redirect service. One way to achieve this is to call the addSubscriberAccount() API method to add the new subscriber account with the permanent username and password for the default service, followed by the logOffSubSession() API method. The subscriber then has to reconnect with the permanent username and password.


Hotline Mobile IP Subscribers at Session Startup


To use the sample account registration service offering that hotlines subscribers to a registration page when they begin a Mobile IP session, follow this example, which is based on the sample Account Registration Login service offering shipped with the NetOp PM system:

1. Open the NetOp client, click Service Offering, and then click IP Redirect Offering.
2. Click the Account Registration Login service offering.
3. In the IP Redirect pane at the far right, enter the appropriate information. For a detailed explanation of the fields, see the IP Redirect Service Offerings section on page 3-35 in the NetOp Policy Manager Reference. Give this service offering a higher priority than the configured Access service; note that a lower Priority value means a higher priority, so if the Priority field of the Access service offering is 99, set the Priority field of the Account Registration Login service offering to 90, for example.
4. The following figure shows the IP Redirect Account Registration Login sample service offering in the NetOp client. In the middle pane, under IP Redirect Variation, the SER-MOBILE_IP circuit is checked.
5. Define the inline IP Redirect service attribute variation type by clicking the Defined Variation option under the IP Redirect Variation service attribute variation. In this sample service offering, the SER-MOBILE_IP circuit has been defined inline. For a list of valid attributes for defining an IP Redirect service attribute variation for SmartEdge routers, see Table 2-3 on page 2-4 in the NetOp Policy Manager Reference. For further information, see Define a service attribute variation inline on page 9-4.
6. Double-click the SER-MOBILE_IP circuit to see its filtering attributes and RADIUS attributes. The following figure shows the defined inline service attribute variation sample that comes with the NetOp PM system.
7. In the Filtering Attributes pane at the far right of the panel, set the software version field to the version of the SmartEdge OS running on the SmartEdge router. If this field is left at ALL, the attributes may be returned to routers that do not support them and you may not get the results you intended.
8. In the Filtering Attributes pane, set the WiMAX-Protocol-Version field to 1.0.
9. In the RADIUS Attributes pane, enter the WiMAX-Hotline-Profile-ID RADIUS attribute with the value that matches the RADIUS service profile name configured on the SmartEdge router. In the sample Account Registration Login service offering it is defined as mobile_account_registration_redirect.
10. When you have set the SER-MOBILE_IP circuit to your satisfaction, click Apply.


Configure Support for Mobile IP Third-Party Device Types


To add a third-party device type with Mobile IP support for an HA to the NetOp PM system, perform the following steps:

1. Use the ConfigNASType.addNASTypeXML or ConfigNASType.updateNASTypeXML SOAP API method to define the NAS type. Specify MOBILE_IP as the circuit type in the CircuitType element. For example, to define a third-party device type (NAS type) named OTHER-HA with Mobile IP as its circuit type, create an XML document similar to the following:

<NASType>
  <Name>OTHER-HA</Name>
  <CircuitTypes>
    <CircuitType>MOBILE_IP</CircuitType>
  </CircuitTypes>
</NASType>

For detailed instructions on how to configure third-party vendor support, see Chapter 8, Configuring NetOp PM Third-Party Vendor Support.

2. If the third-party device requires it, use a SOAP client to configure an additional RADIUS attribute. The sampleMobileIP3GPP2StaticKeyRadiusAttributes.xml sample XML file in the /usr/local/npm/soap_client/perl/ directory demonstrates the configuration of third-party vendor RADIUS attributes for a Mobile IP third-party device that supports Mobile IP with static 3GPP2 keys. For detailed instructions on how to configure an additional RADIUS attribute, see the Configure Additional RADIUS Attributes section on page 7-1.
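The following Python is an added example, written for this guide and not part of the NetOp PM product. It serves both the upgrade note in Configure RADIUS Attributes for ASN Gateways (adding the ASNGW NAS type and EAP circuit type to every existing additional RADIUS attribute) and the OTHER-HA device type above: it builds the <NASType> document and makes the same change idempotently to an existing attribute document, so the operation can be re-run safely across many attributes. Only the <NASType> element mirrors the guide; the surrounding <RADIUSAttribute>/<NASTypes> layout of an additional RADIUS attribute document is an assumption made for the example, as is the sample document in the usage note.

```python
import xml.etree.ElementTree as ET

# Added example, not NetOp PM code. Only the <NASType> element mirrors the
# guide; the surrounding <RADIUSAttribute>/<NASTypes> layout of an additional
# RADIUS attribute document is an assumption made for this example.


def nas_type_xml(name, circuit_types):
    """Build the <NASType> document accepted by ConfigNASType.addNASTypeXML."""
    root = ET.Element("NASType")
    ET.SubElement(root, "Name").text = name
    cts = ET.SubElement(root, "CircuitTypes")
    for ct in circuit_types:
        ET.SubElement(cts, "CircuitType").text = ct
    return ET.tostring(root, encoding="unicode")


def _find_nas_type(container, name):
    """Locate a <NASType> by name, case-insensitively, or return None."""
    for nt in container.findall("NASType"):
        if (nt.findtext("Name") or "").strip().upper() == name.upper():
            return nt
    return None


def ensure_nas_type(doc_xml, name, circuit_type):
    """Add NAS type `name` with `circuit_type` to an attribute document if missing.

    Returns (updated_xml, changed). Running it twice leaves the document
    unchanged, so it is safe to apply across every existing attribute.
    """
    root = ET.fromstring(doc_xml)
    container = root.find("NASTypes")
    if container is None:
        container = ET.SubElement(root, "NASTypes")
    changed = False
    target = _find_nas_type(container, name)
    if target is None:
        target = ET.SubElement(container, "NASType")
        ET.SubElement(target, "Name").text = name
        changed = True
    cts = target.find("CircuitTypes")
    if cts is None:
        cts = ET.SubElement(target, "CircuitTypes")
        changed = True
    present = {(c.text or "").strip().upper() for c in cts.findall("CircuitType")}
    if circuit_type.upper() not in present:
        ET.SubElement(cts, "CircuitType").text = circuit_type
        changed = True
    return ET.tostring(root, encoding="unicode"), changed


def circuit_types_of(doc_xml, name):
    """List the circuit types recorded for NAS type `name` in an attribute document."""
    root = ET.fromstring(doc_xml)
    container = root.find("NASTypes")
    if container is None:
        return []
    nt = _find_nas_type(container, name)
    if nt is None:
        return []
    return [(c.text or "").strip() for c in nt.iter("CircuitType")]
```

Typical use: read each existing additional RADIUS attribute document, call ensure_nas_type(doc, "ASNGW", "EAP"), and submit only the documents for which changed is True. The constructed sample document in the test below carries a single SER/MOBILE_IP NAS type so that the before and after states can be compared.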


Chapter 15

Configure the NetOp PM Lightweight Web Portal


This section describes how to configure the NetOp PM lightweight web portal after it is deployed and includes the following topics:
Configure the NetOp PM Lightweight Web Portal After Deployment
Configure the NetOp PM Lightweight Web Portal to Communicate with a Secure NetOp PM API Server
Start the NetOp PM Lightweight Web Portal
Stop the NetOp PM Lightweight Web Portal
Change the Language Displayed by the NetOp PM Lightweight Web Portal
Modify the Service Model Configuration
Enable Web Proxy Support
Customizing the NetOp PM Lightweight Web Portal

The following browsers are supported for viewing the NetOp PM lightweight web portal:
Microsoft Internet Explorer 6 or later
Mozilla Firefox 2.0 or later

Note: To install and configure the NetOp PM lightweight web portal for the first time, run the deploy_portal.sh script; see Chapter 6, Install the NetOp PM Components in the NetOp Policy Manager Installation Guide. Thereafter, use the config_portal.sh script.

For more information about the sample NetOp PM lightweight web portal provided with the NetOp PM software, how to customize it to fulfill your corporate requirements, and how to integrate the NetOp PM system with your corporate portal, see the Customizing the NetOp PM Lightweight Web Portal section on page 15-7.

Configure the NetOp PM Lightweight Web Portal After Deployment


To configure the NetOp PM lightweight web portal after it is deployed, perform the following steps:

1. Log on to the machine as root.
2. Open a terminal window and navigate to the NetOp PM installation directory:
   cd /usr/local/npm
3. Run the config_portal.sh script:
   ./config_portal.sh
   Note: For specific instructions on configuring the NetOp PM lightweight web portal to communicate with a secure NetOp PM API server, see the Configure the NetOp PM Lightweight Web Portal to Communicate with a Secure NetOp PM API Server section on page 15-4. For specific instructions on modifying the service model and the language displayed by the NetOp PM lightweight web portal, see the Change the Language Displayed by the NetOp PM Lightweight Web Portal section on page 15-5 and the Modify the Service Model Configuration section on page 15-6. For specific instructions on enabling web proxy support, see the Enable Web Proxy Support section on page 15-6.
4. If you modify either of the following arguments, you must stop and restart the Apache HTTP server for the change to take effect:
   -apache_user apache_server_username
   -apache_group apache_server_group
   See the Configure the NetOp PM Lightweight Web Portal to Communicate with a Secure NetOp PM API Server section on page 15-4.

The full syntax for the config_portal.sh script is:

config_portal.sh [-apache_group apache_server_group] [-apache_user apache_server_username] [-auto_start | -noauto_start] [-f] [-h] [-http_charset character_set] [-npmapi_host api_host] [-npmapi_passwd api_password] [-npmapi_ssl | -nonpmapi_ssl] [-npmapi_username api_username] [-service_model {RETAIL | WHOLESALE}] [-web_proxy web_proxy_server[,web_proxy_server2,web_proxy_server3...] | none]

To install and configure the NetOp PM lightweight web portal for the first time, run the deploy_portal.sh script; see Table 8-4 in Chapter 8, Configure, Deploy, and Start the NetOp PM Components in the NetOp Policy Manager Installation Guide. Thereafter, use the config_portal.sh script. Table 15-1 describes the syntax and usage guidelines for the config_portal.sh and deploy_portal.sh scripts. For details on running the deploy_portal.sh script, see Chapter 6, Install the NetOp PM Components in the NetOp Policy Manager Installation Guide.
Table 15-1  Syntax for the config_portal.sh and deploy_portal.sh Scripts

Syntax: -apache_group apache_server_group
Description: Optional. UNIX group used to run the Apache HTTP server. The default value is the one entered in the Apache HTTP server configuration file (httpd.conf).

Syntax: -apache_user apache_server_username
Description: Optional. UNIX username used to run the Apache HTTP server. The default value is the one entered in the Apache HTTP server configuration file (httpd.conf). Note: We recommend that you do not set the apache_server_username argument to root.

Syntax: -auto_start
Description: Optional. Activates the automatic shutdown and startup of the NetOp PM lightweight web portal when the web server host reboots. This keyword is the default.

Syntax: -noauto_start
Description: Optional. Disables the automatic restart of the NetOp PM lightweight web portal when the web server host reboots.

Syntax: -f
Description: Optional. Runs the script without prompting the user.

Syntax: -h
Description: Optional. Prints usage information and exits.

Syntax: -http_charset character_set
Description: Optional. Character set that enables the extensible stylesheet language (XSL) stylesheets to use message descriptions in a language other than English. The character_set argument is a character set name as defined by Multipurpose Internet Mail Extensions (MIME). Enter the none keyword for no encoding.

Syntax: -npmapi_host api_host
Description: Optional. IP address or hostname of the NetOp PM host on which the NetOp PM API server is running. The default value is localhost, which means that the NetOp PM lightweight web portal assumes it is running on the same host as the NetOp PM API server; you must therefore change this value for deployments in which the portal is installed on a different host. When multiple NetOp PM API servers are installed, the api_host argument is the API server host that receives requests and performs load balancing. Note: If you use a hostname, it must be resolvable from the local host list or from DNS.

Syntax: -npmapi_passwd api_password
Description: Optional. NetOp PM API client password.

Syntax: -npmapi_ssl
Description: Optional. Uses an SSL connection to connect to the NetOp PM API server.

Syntax: -nonpmapi_ssl
Description: Optional. Does not use an SSL connection to connect to the NetOp PM API server. This is the default.

Syntax: -npmapi_username api_username
Description: Optional. NetOp PM API client username.

Syntax: -service_model RETAIL
Description: Optional. Assumes that the carrier providing the services also owns the subscriber accounts. By default, the NetOp PM lightweight web portal is configured to run in the retail model.

Syntax: -service_model WHOLESALE
Description: Optional. Assumes that the carrier providing the services does not own the subscriber accounts. If you create a custom portal based on the NetOp PM lightweight web portal and run it in the wholesale model, you must modify the service model so that the portal displays the correct services to the subscriber.

Syntax: -web_proxy web_proxy_server
Description: Optional. Comma-separated list of IP addresses of trusted web proxy servers. The default value is none. To specify additional web proxy servers, use the optional web_proxy_server2 and web_proxy_server3 arguments. Because the portal trusts the proxies in this list, include only proxy servers that you operate.

Syntax: -web_proxy none
Description: Optional. Specifies that no web proxy servers are trusted.

Configure the NetOp PM Lightweight Web Portal

15-3

Configure the NetOp PM Lightweight Web Portal to Communicate with a Secure NetOp PM API Server
To configure the NetOp PM lightweight web portal to communicate with a secure NetOp PM API server, perform the following steps:

1. Log on as root.

2. Open a terminal window and navigate to the NetOp PM installation directory:

   cd /usr/local/npm

3. Run the config_portal.sh script:

   ./config_portal.sh -npmapi_passwd api_password -npmapi_username api_username -npmapi_ssl

Table 8-4 in the Deploy and Start the NetOp PM Lightweight Web Portal section on page 8-8 in the NetOp Policy Manager Installation Guide describes the syntax and usage guidelines for the config_portal.sh and deploy_portal.sh scripts and provides details on running the deploy_portal.sh script. The deploy_portal.sh script is used for the first installation; thereafter use the config_portal.sh script.

Start the NetOp PM Lightweight Web Portal


The start_portal.sh script starts the NetOp PM lightweight web portal only on the host where the script is run.

Note: The NetOp PM Lightweight Web Portal automatically restarts when the Solaris host reboots.

To start the NetOp PM lightweight web portal, perform the following steps:

1. Log onto the NetOp PM lightweight web portal host as root.

2. Open a terminal window and navigate to the NetOp PM lightweight web portal directory:

   cd /usr/local/npm/portal

3. Run the start_portal.sh script according to the following syntax:

   ./start_portal.sh [-h]

   If you include the optional -h keyword, the script prints usage information and exits. If you do not include it, the script starts the NetOp PM lightweight web portal and a message displays indicating that the startup is complete.

Note: By default, the config_portal.sh script configures the NetOp PM lightweight web portal to automatically restart if the Solaris host reboots. To modify this behavior, run the config_portal.sh script using the optional -auto_start or -noauto_start keyword; see the Configure the NetOp PM Lightweight Web Portal After Deployment section on page 15-1.

Stop the NetOp PM Lightweight Web Portal


The stop_portal.sh script stops the NetOp PM lightweight web portal only on the host where the script is run. To stop the NetOp PM lightweight web portal, perform the following steps:

1. Log onto the NetOp PM lightweight web portal host as root.

2. Navigate to the NetOp PM lightweight web portal directory:

   cd /usr/local/npm/portal

3. Stop the Apache HTTP server by running the stop_portal.sh script:

   ./stop_portal.sh [-h]

   If you include the optional -h keyword, the script prints usage information and exits. If you do not include it, the script stops the NetOp PM lightweight web portal.

Change the Language Displayed by the NetOp PM Lightweight Web Portal


You can configure the NetOp PM system to support other languages by changing the setting that controls the character set used in the HTML page:

1. Log on as root.

2. Open a terminal window and navigate to the NetOp PM installation directory:

   cd /usr/local/npm

3. Run the config_portal.sh script:

   ./config_portal.sh -http_charset character_set

Table 8-4 in the Deploy and Start the NetOp PM Lightweight Web Portal section on page 8-8 in the NetOp Policy Manager Installation Guide describes the syntax and usage guidelines for the config_portal.sh and deploy_portal.sh scripts and provides details on running the deploy_portal.sh script. When you define the http_charset keyword, the NetOp PM system configures the Content-Type of the HTTP response with this character set. For more information on character sets that are commonly available, see the Internet Assigned Numbers Authority (IANA) web site at http://www.iana.org/assignments/character-sets. (This URL may change over time.)

Modify the Service Model Configuration


In the NetOp PM software, the retail model assumes that the carrier attempting to provide services owns the subscriber accounts; the wholesale model assumes that the carrier that is attempting to provide services does not own the subscriber accounts. For more information on wholesale versus retail model, see Chapter 3, Services in the NetOp Policy Manager Product Overview. By default, the NetOp PM lightweight web portal is configured to run in the retail model. If you create a custom portal based on the NetOp PM lightweight web portal, and you run the portal in the wholesale model, you must modify the service model configuration by running the config_portal.sh script for the portal to display the correct services to the subscriber.

To modify the NetOp PM lightweight web portal to run in the wholesale model, perform the following steps:

1. Log on as root.

2. Open a terminal window and navigate to the NetOp PM installation directory:

   cd /usr/local/npm

3. Run the config_portal.sh script:

   ./config_portal.sh -service_model WHOLESALE

Table 8-4 in the Deploy and Start the NetOp PM Lightweight Web Portal section on page 8-8 in the NetOp Policy Manager Installation Guide describes the syntax and usage guidelines for the config_portal.sh and deploy_portal.sh scripts and provides details on running the deploy_portal.sh script.

Enable Web Proxy Support


When the NetOp PM software detects that the user is accessing the web pages through an intermediate web proxy server, it checks the IP address of the web proxy server against the list of known web proxy servers. This is a security precaution to prevent spoofing attacks; the NetOp PM software rejects all subscribers attempting to access the system through unknown web proxy servers.

Note: The NetOp PM software cannot operate with anonymous or high-anonymity web proxy servers.

You must run the config_portal.sh script with the IP addresses of all trusted web proxy servers. To enable web proxy support, perform the following steps:

1. Log on as root.

2. Open a terminal window and navigate to the NetOp PM installation directory:

   cd /usr/local/npm

3. Run the config_portal.sh script according to the following syntax:

   ./config_portal.sh -web_proxy {web_proxy_server | none}

   where the web_proxy_server argument is a comma-separated list of IP addresses; for example:

   ./config_portal.sh -web_proxy 1.1.1.1,1.1.1.2

   Note: Use the none keyword to remove the configured web proxy servers; for example:

   ./config_portal.sh -web_proxy none

For syntax descriptions and usage guidelines for this script, see Table 8-4 in the Deploy and Start the NetOp PM Lightweight Web Portal section on page 8-8 in the NetOp Policy Manager Installation Guide.
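The following Python is an added illustration, not NetOp PM code, of the trust decision described above: a request that arrives through a proxy is attributed to a subscriber only when every proxy in the path is one of the addresses given to -web_proxy (the example uses the 1.1.1.1,1.1.1.2 list from the step above). That the proxy identifies the subscriber in an X-Forwarded-For header, and the right-to-left walk of that header, are assumptions of this example.

```python
"""Trusted-proxy decision for a subscriber portal (added illustration).

The portal identifies a subscriber by the IP address of the session, so a
request that arrives through a web proxy can only be attributed to the right
subscriber when the proxy itself is known. This model uses the two values a
web server has for every request: the TCP peer address (REMOTE_ADDR) and the
X-Forwarded-For header a proxy adds. Treating X-Forwarded-For as the
forwarding header and walking it right to left are assumptions of this
example, not documented NetOp PM behaviour.
"""
import ipaddress


def parse_web_proxy_arg(web_proxy_arg):
    """Turn the value given to -web_proxy ("none" or "1.1.1.1,1.1.1.2")
    into the set of trusted proxy addresses."""
    if web_proxy_arg.strip().lower() == "none":
        return frozenset()
    return frozenset(
        ipaddress.ip_address(part.strip())
        for part in web_proxy_arg.split(",")
        if part.strip()
    )


def resolve_subscriber_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Decide which address identifies the subscriber.

    Returns (subscriber_ip, None) when the request is acceptable and
    (None, reason) when it must be rejected.
    """
    peer = ipaddress.ip_address(remote_addr)
    forwarded = (x_forwarded_for or "").strip()

    if peer not in trusted_proxies:
        if forwarded:
            # The peer claims to forward for someone but is not a configured
            # proxy: honouring its header would let it impersonate any session.
            return None, "request forwarded by untrusted proxy %s" % peer
        # No forwarding header: the peer is the subscriber. An anonymous proxy
        # would land here too and be mistaken for a subscriber, which is why
        # such proxies cannot be used with the portal.
        return str(peer), None

    if not forwarded:
        return None, "trusted proxy %s did not identify the subscriber" % peer

    # Walk the chain from the hop nearest to us outward. Every hop must be a
    # trusted proxy until the subscriber, which must be the leftmost (first)
    # entry; anything else means an unknown proxy sits in the path.
    hops = [h.strip() for h in forwarded.split(",")]
    for index in range(len(hops) - 1, -1, -1):
        try:
            hop = ipaddress.ip_address(hops[index])
        except ValueError:
            return None, "malformed X-Forwarded-For entry %r" % hops[index]
        if hop in trusted_proxies:
            continue
        if index != 0:
            return None, "unknown proxy %s in the forwarding chain" % hop
        return str(hop), None
    return None, "X-Forwarded-For lists only trusted proxies"


if __name__ == "__main__":
    # Constructed requests: peer address and X-Forwarded-For header as seen
    # by the portal's web server.
    trusted = parse_web_proxy_arg("1.1.1.1,1.1.1.2")
    for peer, xff in (("10.0.0.5", None),
                      ("1.1.1.1", "10.0.0.5"),
                      ("1.1.1.2", "10.0.0.5, 1.1.1.1"),
                      ("9.9.9.9", "10.0.0.5"),
                      ("1.1.1.1", "10.0.0.5, 9.9.9.9")):
        print(peer, repr(xff), "->", resolve_subscriber_ip(peer, xff, trusted))
```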

Customizing the NetOp PM Lightweight Web Portal


This chapter describes the NetOp Policy Manager (PM) lightweight web portal provided with the NetOp PM software. It also provides guidelines and procedures to implement a NetOp PM customer portal in one of two ways: integrating the NetOp PM software with your corporate portal, or customizing the NetOp PM lightweight web portal to display your corporate logo and formatting to match your corporate portal. This chapter includes the following topics:

- Understand the NetOp PM Lightweight Web Portal
- Integrate the NetOp PM System with Your Corporate Portal
- Customize the NetOp PM Lightweight Web Portal

Note: One of the following web browser applications is required for viewing the NetOp PM lightweight web portal:

- Microsoft Internet Explorer 6 or later
- Mozilla Firefox 2.0 or later

Before modifying the NetOp PM lightweight web portal, you should be familiar with the following standards:

- Extensible HTML (XHTML)
- Extensible Markup Language (XML)
- Extensible Stylesheet Language (XSL)
- Simple Object Access Protocol (SOAP)
- Hypertext Preprocessor (PHP)
- NetOp PM Application Programming Interface (API)

Understand the NetOp PM Lightweight Web Portal


There are three main components to the NetOp PM lightweight web portal (provided with the NetOp PM software): the web server, the SOAP library, and the XSL Transformations (XSLT) library. The portal viewed by subscribers is generated by applying XSL stylesheets to XML documents, and created when the PHP module processes SOAP messages returned by the NetOp PM API server. The resulting output is returned to the subscriber's browser in the form of XHTML pages. The XSL stylesheets exist on the file system of the machine that is running the Apache HTTP server. You can modify these stylesheets in place to provide a custom format to the NetOp PM lightweight web portal web pages. XSL stylesheets can define a stand-alone XHTML page or can transform an XML document into an XHTML fragment that can then be embedded in a larger HTML portal page.

Note: The Apache HTTP server assumes that the XSL stylesheets exist in the /usr/local/lib/php/redback/NPM-releaseID/xsl directory on the NetOp PM API server.

The Apache HTTP server runs the NetOp PM lightweight web portal and its PHP pages as shown in Figure 15-1.
Figure 15-1 Apache HTTP Server

This illustration represents the following operations:

1. The Apache HTTP server accepts data from the subscriber's browser through HTTP.

2. The Apache HTTP server recognizes that the requested web page has been implemented using PHP. Depending on the page requested, the Apache HTTP server forwards the appropriate API request to the API server.

3. The PHP page processes the request using SOAP, and encapsulates any results to be returned, as an XML document.

4. The PHP page loads the appropriate XSL stylesheet and XML document.

5. The XML data and XSL stylesheets are transformed into HTML.

6. The resulting HTML is returned to the subscriber's browser.

Integrate the NetOp PM System with Your Corporate Portal


This section describes the calls for integrating the NetOp PM system with your corporate portal. You can integrate the NetOp PM system with your corporate portal with the same calls used by the NetOp PM lightweight web portal to integrate with the NetOp PM system.

Note: It is outside the scope of this document to specifically describe how to integrate the NetOp PM system with your corporate portal.

The following NetOp PM API server calls can be used to perform various high level portal functions:

To determine if a subscriber account is already logged on:

    AuthenticationIfc.subSessionIsLoggedOn(<ip Address>);
    //
    // If the IP address is logged on, get the subscriber account name
    //
    UserMgmtIfc.getSubAcctName(<ip Address>);

To web log on a subscriber account:

    AuthenticationIfc.logonSubSession(<ip address>, <subscriber account name>, <subscriber account password>);

To web log off a subscriber account:

    AuthenticationIfc.logoffSubSession(<ip address>);

To display the available and selected services for a subscriber account:

    ServiceIfc.getAvailableServicesForSubSession(<ip address>);
    ServiceIfc.getSelectedServicesForSubSession(<ip address>);

To change the services for a subscriber account:

    //
    // Authenticate the subscriber account password
    //
    AuthenticationIfc.authenticateSubscriberSession(<ip address>, <subscriber account password>);
    //
    // If subscriber has validated password, do the actual change of service
    //
    ServiceIfc.changeAndApplyServicesToSubSession(<ip address>, <Complete list of serviceids>);

To retrieve the usage record for a subscriber account:

    ServiceIfc.getMeteredTimeUsageForSubSession(<ip address>);
    ServiceIfc.getMeteredVolumeUsageForSubSession(<ip address>);

Customize the NetOp PM Lightweight Web Portal


You can customize the NetOp PM lightweight web portal, which is provided with the NetOp PM software, to display your corporate logo and formatting to match your web site. This section describes guidelines and procedures for customizing the NetOp PM lightweight web portal, including the sample XSL stylesheets, the Inactive Account Login, the Invalid Location Login, and the Invalid Login Redirect pages, the Quota Exceeded page, and the Help page. This section includes the following topics:

- Modify the NetOp PM Lightweight Web Portal
- Do Not Modify These <input> and <img> Tags
- Customize Sample XSL Stylesheets
- Customize the Inactive Account Login Redirect Page
- Customize the Invalid Location Login Redirect Page
- Customize the Invalid Login Redirect Page
- Customize the Quota Exceeded Page
- Customize the Help Page

Modify the NetOp PM Lightweight Web Portal


You can customize the NetOp PM lightweight web portal to change the appearance of the NetOp PM lightweight web portal to meet your needs. For example, you can replace the graphics with your corporate graphics and advertisements, or change formatting such as the table colors, font selections, background, text, and link colors to match the rest of your web site. These modifications do not modify the logic of the NetOp PM lightweight web portal or the underlying programming. To configure the NetOp PM lightweight web portal to communicate with a secure NetOp PM API server, change the language displayed by the NetOp PM lightweight web portal, modify the service model configuration, and enable web proxy support, see the Configure the NetOp PM Lightweight Web Portal After Deployment section on page 15-1.

Note: This section describes specifically how to customize the NetOp PM lightweight web portal. It does not provide information on creating or integrating new web pages; for information on integrating the NetOp PM system with your corporate portal, see the Integrate the NetOp PM System with Your Corporate Portal section on page 15-9.

To modify the NetOp PM lightweight web portal before deployment, modify the XSL stylesheets in the /usr/local/lib/php/redback/NPM-releaseID/xsl/ directory and modify the graphics in the /usr/local/npm/portal/htdocs/NPM-releaseID/images/ directory. To modify the NetOp PM lightweight web portal after deployment, perform the following steps:

1. Back up the files you want to modify.

2. Modify the XSL stylesheets in the /usr/local/lib/php/redback/NPM-releaseID/xsl directory and the graphics in the /usr/local/apache2/htdocs/NPM-releaseID/images/ directory.

3. Stop and restart the NetOp PM lightweight web portal. For more details, see the Configure the NetOp PM Lightweight Web Portal to Communicate with a Secure NetOp PM API Server section on page 15-4.

Note: If you create a custom portal based on the NetOp PM lightweight web portal provided with the NetOp PM software, and you run the portal in the wholesale model, you must modify the service model configuration for the portal to display the correct services to the subscriber. For more information, see the Modify the Service Model Configuration section on page 15-6.

The sample XSL stylesheets contain XSL and XHTML tags that work with the provided XML documents to create XHTML pages. You can modify any of the XHTML tags, including specific images, table colors, font selections, background, text, and link colors. To ensure that your customized web portal functions as expected, follow these general guidelines when modifying the XSL stylesheets provided with the NetOp PM software:

- Do not modify the XSL, <select>, or <option> tags. XSL tags appear as <xsl:tag>. Figure 15-2 displays a portion of the services/bodyservices.xsl file that should not be modified.
Figure 15-2 Do Not Modify XSL Tags

- Do not modify the order of the XSL tags.

- Do not modify the XHTML <input> and <img> tags described in the Do Not Modify These <input> and <img> Tags section on page 15-12.

  Note: Links to images within the <input> and <img> tags can be replaced with custom images. You can modify size and border settings within tags. Certain images, such as help.jpg and login.jpg, provide links to various NetOp PM lightweight web portal pages. If you remove these images, you may remove access to these web pages.

- Do not make modifications to the XSL stylesheets that would result in any invalid XHTML markup within the generated pages. Creating invalid XHTML markup generates inoperable web pages. For example, tags such as <hr>, <br>, and <img> are considered invalid XHTML because they have no end tags, unlike <h1></h1> and <p></p>. In XHTML, you must use well-formed XHTML tags: <hr/>, <br/>, and <img.../>.

Do Not Modify These <input> and <img> Tags


This section lists the <input> and <img> tags in the XSL stylesheets of the NetOp PM lightweight web portal that should not be modified.

Note: Links to images within the <input> and <img> tags can be replaced with a custom image. Size and border settings within tags can also be modified. Certain images, such as help.jpg and login.jpg, provide links to various NetOp PM lightweight web portal pages. If you remove these images, you may remove access to these web pages.

Do not modify these tags:

portal/bodyportal.xsl:

    <input name="url_username" type="text" size="15" />
    <input name="url_userpassword" type="password" size="15" />
    <input type="hidden" value="loginSubmit" name="loginSubmit"/>
    <input name="todo" type="image" src="images/go.jpg" value="Login" width="22" height="17" border="0" />

services/bodyservices.xsl:

    <img src="images/add.jpg" name="addServicesButton" alt="[ >> ]" title="Add the highlighted services" onclick="javascript:addServices();" />
    <img src="images/remove.jpg" name="removeServicesButton" alt="[ << ]" title="Remove the highlighted services" onclick="javascript:removeServices();" />
    <input type="password" name="url_userpassword" onkeypress="javascript:enterPressed(event, this.form, this.form.selectedServices);" />
    <input name="todo" type="hidden" value="Modify" />
    <input name="modifyServicesValues" type="hidden" />
    <input name="submit" type="image" src="images/modify.jpg" alt="[modify]" title="Change your service subscriptions to the services currently selected" onclick="javascript:modifyServices(this.form,this.form.selectedServices);" border="0" />

wireless/bodywireless.xsl:

    <input name="url_username" type="text" size="15" />
    <input name="url_userpassword" type="password" size="15" />
    <input type="hidden" value="loginSubmit" name="loginSubmit" />
    <input name="todo" type="image" src="images/go.jpg" value="Login" width="22" height="17" border="0" />

top_up/bodytop_up.xsl:

    <input type="password" name="url_userpassword" />
    <input name="todo" type="hidden" value="Topup" />
    <input type="hidden" name="serviceId">
    <input type="hidden" name="serviceName">
    <input name="submit" type="image" src="images/go.jpg" alt="[Go]" title="Top up the service with selected value" border="0" />
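Two of the guidelines above, well-formed markup and the untouched <input> tags, can be checked before a customized stylesheet is deployed. The following Python checker is an added example, not part of the NetOp PM software: its table of required portal/bodyportal.xsl inputs is taken from the list above, and the sample stylesheets it runs against are constructed for the example.

```python
"""Pre-deployment check for a customized XSL stylesheet (added example).

The stylesheet must still be well-formed XML (an unclosed <br> or <img>
inside a template breaks the generated XHTML page), and the <input> tags the
logon logic relies on must survive the customization. The checker, its table
of required inputs and the sample stylesheets are constructed for this
example and are not part of the NetOp PM software.
"""
import xml.etree.ElementTree as ET

# <input> tags portal/bodyportal.xsl must keep, keyed by name attribute, with
# the attribute values the logon logic depends on (size, width, border and the
# image path may be changed, so they are not checked).
REQUIRED_PORTAL_INPUTS = {
    "url_username": {"type": "text"},
    "url_userpassword": {"type": "password"},
    "loginSubmit": {"type": "hidden", "value": "loginSubmit"},
    "todo": {"type": "image", "value": "Login"},
}


def _local_name(tag):
    """Strip a namespace prefix such as {http://www.w3.org/1999/xhtml}."""
    return tag.rsplit("}", 1)[-1]


def check_stylesheet(xsl_text, required=REQUIRED_PORTAL_INPUTS):
    """Return a list of problems found; an empty list means the file passed."""
    try:
        root = ET.fromstring(xsl_text)
    except ET.ParseError as exc:
        # XSL is XML, so this also catches the <br>/<img> end-tag mistakes
        # that would produce invalid XHTML output.
        return ["not well-formed XML: %s" % exc]

    found = {}
    for element in root.iter():
        if _local_name(element.tag) == "input" and "name" in element.attrib:
            found[element.attrib["name"]] = element.attrib

    problems = []
    for name, attrs in required.items():
        if name not in found:
            problems.append("missing <input name=%r>" % name)
            continue
        for attr, expected in attrs.items():
            actual = found[name].get(attr)
            if actual != expected:
                problems.append("<input name=%r> has %s=%r, expected %r"
                                % (name, attr, actual, expected))
    return problems


# Constructed stand-in for a customized portal/bodyportal.xsl: corporate logo
# swapped in, the required <input> tags kept intact.
GOOD_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template name="bodyportal">
    <form method="post" action="portal.php">
      <img src="images/corporate_logo.jpg" alt="logo"/>
      <br/>
      <input name="url_username" type="text" size="15" />
      <input name="url_userpassword" type="password" size="15" />
      <input type="hidden" value="loginSubmit" name="loginSubmit"/>
      <input name="todo" type="image" src="images/go.jpg" value="Login"
             width="22" height="17" border="0" />
    </form>
  </xsl:template>
</xsl:stylesheet>
"""

# HTML-style <br> without an end tag: invalid XHTML, so the file no longer
# parses at all.
UNCLOSED_BR_XSL = GOOD_XSL.replace("<br/>", "<br>")

# Well-formed, but the hidden loginSubmit field was deleted while editing.
MISSING_INPUT_XSL = GOOD_XSL.replace(
    '<input type="hidden" value="loginSubmit" name="loginSubmit"/>', "")

if __name__ == "__main__":
    for label, text in (("good", GOOD_XSL),
                        ("unclosed br", UNCLOSED_BR_XSL),
                        ("missing input", MISSING_INPUT_XSL)):
        print(label, "->", check_stylesheet(text) or "OK")
```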

Figure 15-3 displays one of the <input> tags that you should not modify.
Figure 15-3 Do Not Modify <input> Tags

Customize Sample XSL Stylesheets


The following sections use screen captures from the NetOp PM lightweight web portal to demonstrate the portions of the XSL stylesheets that can be modified to create a custom web portal:

- Standard XSL Stylesheets
- Portal XSL Stylesheets
- Services XSL Stylesheets
- Wireless XSL Stylesheets
- Usage XSL Stylesheets
- Top_Up XSL Stylesheets

Standard XSL Stylesheets


Each web page in the NetOp PM lightweight web portal contains include tags that reference the following XSL stylesheets:

- common/headtag.xsl

  The common/headtag.xsl stylesheet defines the common META tags for the NetOp PM lightweight web portal web pages.

- common/header.xsl

  Figure 15-4 displays a portion of the XHTML code that controls the common/header.xsl page included in all web pages in the NetOp PM lightweight web portal. You can customize aspects such as the background image and color, the welcome image, and web page references. You can modify or replace the common/header.xsl file, but to provide the ability for subscribers to log off, ensure that the following link exists either in common/header.xsl or in one of the body XSL stylesheets (portal/bodyportal.xsl or services/bodyservices.xsl): portal.php?todo=Logout. To provide a link to the NetOp PM lightweight web portal services page, one of the XSL stylesheets should contain the following link: <a href=service.php>. To provide a link to the Help page, one of the XSL stylesheets should contain the following link: <a href=help.php>.

  Note: The common/header.xsl stylesheet displays the Services and Logout links only when the subscriber is logged on. The Invalid Login Redirect page and the Help page never display the Services or Logout links.

Figure 15-4 Portion of common/header.xsl Stylesheet

- common/footer.xsl

  Figure 15-5 displays the XHTML code that controls the common/footer.xsl page included in all web pages in the NetOp PM lightweight web portal.

Figure 15-5 common/footer.xsl Stylesheet

Each of these files contains XHTML tags that you can modify to create a custom portal logon page. Alternatively, you can create custom files, as long as the filename is the same. Figure 15-4 on page 15-14 and Figure 15-5 on page 15-15 display the XHTML tags that control the various sections of the portal logon page.

Note: The wireless/bodywireless.xsl stylesheet does not include any of the common XSL stylesheets.

Portal XSL Stylesheets


The portal.xsl stylesheet contains the XSL and XHTML tags that produce the NetOp PM lightweight web portal web logon page pushed to subscribers during web-based authentication. In addition to the standard XSL stylesheets (see the Standard XSL Stylesheets section on page 15-13), the portal.xsl stylesheet contains an include tag that references the portal/bodyportal.xsl stylesheet. The portal/bodyportal.xsl file contains XHTML tags that you can modify to create a custom portal logon page; it also contains XSL tags that you should not modify. The XSL tags use variables returned by the NetOp PM API server to check, for example, whether the subscriber is already logged on, or whether a logon attempt failed due to an incorrect username or password, or the subscriber session limit being exceeded.

Caution: Risk of functionality loss. The portal/bodyportal.xsl stylesheet provides the ability for a subscriber to log on to access service subscriptions. Modifying this XSL stylesheet may disable this functionality. To reduce the risk, we recommend that you use caution when making modifications, and follow the tasks outlined in the Modify the NetOp PM Lightweight Web Portal section on page 15-10.

Figure 15-6 displays the NetOp PM lightweight web portal logon page as provided with the NetOp PM software.
Figure 15-6 NetOp PM Lightweight Web Portal Logon Page

Figure 15-7 displays portions of the XHTML code in the portal/bodyportal.xsl stylesheet that controls the NetOp PM lightweight web portal logon page.
Figure 15-7 Portions of portal/bodyportal.xsl Stylesheet

Services XSL Stylesheets


The services.xsl stylesheet is structured in a similar way to the portal.xsl stylesheet. In addition to the Standard XSL Stylesheets, the services.xsl stylesheet contains include tags that reference the following XSL stylesheets:

- common/headtagservices.xsl
- services/bodyservices.xsl

Caution: Risk of functionality loss. The services/headtagservices.xsl stylesheet enables the JavaScript code that provides the ability for a subscriber to select multiple services before posting a request. Modifying this XSL stylesheet may disable this functionality. To reduce this risk, we recommend that you do not modify the services/headtagservices.xsl stylesheet.

Like the portal/bodyportal.xsl stylesheet, the services/bodyservices.xsl file contains XHTML tags that you can modify to create a custom services page; it also contains XSL tags that you should not modify. Figure 15-8 displays the NetOp PM lightweight web portal services page as provided with the NetOp PM software.
Figure 15-8 NetOp PM Lightweight Web Portal Services Page

Note: Subscribers must always enter a password when changing services.

Figure 15-9 displays a portion of the XHTML code in the services/bodyservices.xsl stylesheet that controls the NetOp PM lightweight web portal services page.
Figure 15-9 Portions of the services/bodyservices.xsl Stylesheet

Wireless XSL Stylesheets


The wireless.xsl stylesheet contains include tags that reference the following XSL stylesheets:

- wireless/headtag.xsl: Defines the common META tags for all the NetOp PM lightweight web portal wireless web pages.

- wireless/bodywireless.xsl: The wireless/bodywireless.xsl file contains XHTML tags that you can modify to create a custom page; it also contains XSL tags that you should not modify.

Caution: Risk of functionality loss. The wireless/bodywireless.xsl stylesheet provides the ability for a subscriber to access service subscriptions. Modifying this XSL stylesheet may disable this functionality. To reduce the risk, we recommend that you use caution when making modifications, and follow the tasks outlined in the Modify the NetOp PM Lightweight Web Portal section on page 15-10.

Figure 15-10 displays the NetOp PM lightweight web portal wireless page as provided with the NetOp PM software.
Figure 15-10 NetOp PM Lightweight Web Portal Wireless Page

Figure 15-11 displays a portion of the XHTML code in the wireless/bodywireless.xsl stylesheet that controls the NetOp PM lightweight web portal wireless page.

Figure 15-11 Portions of the wireless/bodywireless.xsl Stylesheet

Usage XSL Stylesheets


The usage.xsl stylesheet contains include tags that reference the following XSL stylesheets:

- usage/headtagusage.xsl: Defines the common META tags for the NetOp PM lightweight web portal usage web pages.

- usage/bodyusage.xsl: Contains XHTML tags that can be modified to create a custom usage page; it also contains XSL tags that should not be modified.

Figure 15-12 displays the NetOp PM lightweight web portal Usage page provided with the NetOp PM software.
Figure 15-12 NetOp PM Lightweight Web Portal Usage Page

For information on working with the Usage web page, see Chapter 7, Service Subscription Attribute Overrides in the NetOp Policy Manager API Guide.

Top_Up XSL Stylesheets


The top_up.xsl stylesheet contains include tags that reference the following XSL stylesheets:

- top_up/headtagtop_up.xsl: Defines the common META tags for all the NetOp PM lightweight web portal top up web pages.

- top_up/bodytop_up.xsl: The top_up/bodytop_up.xsl file contains XHTML tags that you can modify to create a custom page; it also contains XSL tags that you should not modify.

Caution: Risk of functionality loss. The top_up/bodytop_up.xsl stylesheet provides the ability for a subscriber to top up their time and volume quotas by purchasing extra time or volume on a web page, before or after their existing quota has been exceeded; quota top-up takes effect immediately. Modifying this XSL stylesheet may disable this functionality. To reduce the risk, we recommend that you use caution when making modifications, and follow the tasks outlined in the Modify the NetOp PM Lightweight Web Portal section on page 15-10.
Figure 15-13 NetOp PM Lightweight Web Portal Top Up Time Page

Figure 15-14 NetOp PM Lightweight Web Portal Top Up Volume Page

For information on working with the Top Up redirect pages, see Chapter 7, Service Subscription Attribute Overrides in the NetOp Policy Manager API Guide.

Customize the Inactive Account Login Redirect Page


You can configure the NetOp PM software to redirect a subscriber who attempts to log on with an inactive account. If the subscriber is unable to log on, the subscriber is redirected to the Inactive Account Login Redirect page, which instructs the subscriber to call the service provider to resolve the problem. The subscriber must restart the client. To redirect subscribers to the Inactive Account Login Redirect web page, you must enable the feature by using the ProxyMgmt.updateProxyInfo API method. You can modify the Inactive Account Login Redirect page (inactive_account/bodyinactive_account.xsl) freely; this page contains only HTML tags.
Figure 15-15 Inactive Account Login Redirect Page

Customize the Invalid Location Login Redirect Page


You can configure the NetOp PM software to redirect a subscriber who attempts to log on from an invalid location. If the subscriber is unable to log on, the subscriber is redirected to the Invalid Location Login Redirect page, which instructs the subscriber to call the service provider to resolve the problem. The subscriber must restart the client with the valid username and password to log on. To redirect subscribers to the Invalid Location Login Redirect web page, you must enable the feature by using the ProxyMgmt.updateProxyInfo API method. You can modify the Invalid Location Login Redirect page (invalid_location/bodyinvalid_location.xsl) freely; this page contains only HTML tags.
Figure 15-16 Invalid Location Login Redirect Page

Customize the Invalid Login Redirect Page


You can configure the NetOp PM software to redirect a Point-to-Point Protocol over ATM (PPPoA) or Point-to-Point Protocol over Ethernet (PPPoE) subscriber who attempts to log on with an invalid username or incorrect password. If the subscriber is unable to log on, the subscriber is redirected to the Invalid Login Redirect page, which instructs the subscriber to call the service provider to obtain the correct username or password. The subscriber must restart the client with the valid username and password to log on. To redirect subscribers to the Invalid Login Redirect web page, you must enable the feature by using the ProxyMgmt.updateProxyInfo API method. You can modify the Invalid Login Redirect page (invalid_login/bodyinvalid_login.xsl) freely; this page contains only HTML tags.
Figure 15-17 Invalid Login Redirect Page


Customize the Quota Exceeded Page


The NetOp PM software can be configured to redirect subscribers to the Quota Exceeded page. If a subscriber's time or volume usage exceeds the quota configured on the service, the subscriber is redirected to the Quota Exceeded page, which instructs the subscriber to call the service provider to purchase more time or bytes. You can modify the Quota Exceeded page (quota_exceeded/bodyquota_exceeded.xsl) freely; this page contains only HTML tags.
Figure 15-18 Quota Exceeded Page

Customize the Help Page


Subscribers can access a Help page from the NetOp PM lightweight web portal by clicking the Help button in the header of the web portal. Some error messages also include a question mark (?) button. When the subscriber clicks the ? button, the Help page opens to provide more details on the error. You can modify the Help page (help/bodyhelp.xsl) to add more help topics or revise the details of the default Help text; this page contains only HTML tags.


Figure 15-19 Help Page


Chapter 16

Manage Subscribers

Note

You cannot use the NetOp PM client to modify the subscriber account password if the NetOp PM system is configured to proxy Access-Request packets. For information on proxying authentication messages, see Chapter 5, Configure External RADIUS and LDAP Servers.

View Subscriber Account and Active Session Information


To view a specific subscriber account and active session information on the object navigator, perform the following steps:

1. On the network navigator, click Subscriber Account. The search function activates automatically, and the search field appears in the object navigator with the Narrow your search... message.


2. Search for an object by typing search criteria in the Search field and clicking Search. To stop a search in progress, click Stop. For example, type * to search for all entities. The NetOp client software accepts DOS command line standard expressions in searches for subscriber accounts. Matching search results are displayed on the object navigator. If the search returns too many results, a Too many objects message appears. Refine the search criteria and click Search again. When you narrow your search, the matching results are shown as follows:

3. Click the subscriber account that you want to work with.

4. On the management view launch bar, click Properties to display the subscriber account details and active session information on the Subscriber Account Active Sessions tab.

The Active Sessions tab records all active wireline and wireless sessions on a node. A record in the Active Sessions section represents one subscriber session. A record is added when the subscriber session comes up; that is, when an Accounting-Start packet is received. The record is removed when the subscriber session ends; that is, when an Accounting-Stop packet is received. Use the Disconnect button to clear a subscriber session from the node. You may want to do this, for example, if a subscriber has an overdue payment. You can set up the Captive Portal service offering to redirect the disconnected subscriber to a web page that provides information on the overdue account. For information about the Captive Portal service offering, see the Captive Portal Service Offering section on page 3-37 in the NetOp Policy Manager Reference. Table 4-7 on page 4-6 in the NetOp Policy Manager Reference describes the fields displayed on the Subscriber Account Properties Panel. Table 4-8 on page 4-7 in the NetOp Policy Manager Reference describes the fields displayed on the Active Sessions tab.


View Subscriber Circuit Attributes: QoS Hierarchical Node and Node Group


For information on hierarchical nodes and node groups, see the Hierarchical Nodes and Node Groups section on page 16-12. To view the quality of service (QoS) hierarchical node and node group associated with a subscriber circuit, perform the following steps:

1. View a specific subscriber account; see the View Subscriber Account and Active Session Information section on page 16-1.

2. Click the Circuit Attributes tab.

The Circuit Attributes tab provides the ability to associate a QoS hierarchical node and node group with a specific subscriber circuit, identified by the circuit's NAS-Identifier and NAS-Port-Id attributes. To associate a QoS hierarchical node and node group with a specific subscriber circuit, see the Add a QoS Reference to a Subscriber Circuit section on page 16-12. Table 4-9 on page 4-9 in the NetOp Policy Manager Reference describes the fields displayed in the Circuit Attributes tab of the Subscriber Account Properties panel. For information on customizing the subscriber-specific circuit attributes, see the Hierarchical Nodes and Node Groups section on page 16-12.

View Framed Routes


To view the framed route associated with a subscriber, perform the following steps:

1. View a specific subscriber account; see the View Subscriber Account and Active Session Information section on page 16-1.

2. Click the Framed Route tab.

The Framed Route tab provides the ability to associate framed routes with a subscriber. To associate framed routes with a subscriber account, see the Add or Remove Framed Routes section on page 16-15. Table 4-10 on page 4-10 in the NetOp Policy Manager Reference describes the fields displayed in the Framed Route tab of the Subscriber Account Properties panel.

View Logon Status


The Logon Status tab displays a subscriber's logon state, showing whether the subscriber is logged on to the network. If the Authenticated column on the Logon Status tab is set to N for an active subscriber session, it could mean that the subscriber session was redirected to the captive portal and has not yet logged on. In the case of implicit logon access services, after the subscriber has been initially authenticated, the Authenticated column will always be set to Y, even if the subscriber session is not active. View the Active Sessions tab for the subscriber to determine whether the subscriber session is active.


In the case of explicit logon access services, the Authenticated column will toggle between Y and N based on the subscriber's current state of authentication. To view the logon status of a subscriber, perform the following steps:

1. View a specific subscriber account; see the View Subscriber Account and Active Session Information section on page 16-1.

2. Click the Logon Status tab.

The Session Name column reflects the subscriber's Point-to-Point Protocol (PPP) username, the subscriber PC's media access control (MAC) address, or the subscriber name bound to static CLIPS or RFC 1483 bridged-encapsulated circuits (using the bind subscriber command in ATM PVC or CLIPS configuration mode). The Authenticated column reflects the NetOp PM software's understanding of who is associated with the session.

Note The Authenticated column reflects whether the session is really authenticated. For information about whether a subscriber is pre-authenticated for the next session, see the Configure Pre-authentication for Subscribers section on page 16-17.

To change a subscribers logon status, see the Change Subscriber Logon Status section on page 16-19. Table 4-11 on page 4-11 in the NetOp Policy Manager Reference describes the fields displayed in the Logon Status tab of the Subscriber Account Properties panel.

View Pre-Authentication Information


The Pre-Authentication tab displays a subscriber's pre-authentication session filtering information, which includes Session Name, Calling-Station-Id, and Network-Circuit-Id. System administrators can pre-authenticate subscribers before they log on. Subscribers can subscribe and then connect to a service using whatever device they choose, independent of the actual device MAC address, such as a phone using VoIP. To view subscriber pre-authentication information, perform the following steps:

1. View a specific subscriber account; see the View Subscriber Account and Active Session Information section on page 16-1.

2. Click the Pre-Authentication tab.

The Session Name column shows the subscriber username, the subscriber PC's media access control (MAC) address, or the subscriber name bound to static CLIPS or RFC 1483 bridged-encapsulated circuits (using the bind subscriber command in ATM PVC or CLIPS configuration mode). The Calling-Station-Id column can be the identifying string configured as DHCP Option 82 if the SmartEdge router is configured to insert this into the Calling-Station-Id. The Network-Circuit-Id column shows the subscriber's NAS-Identifier and NAS-Port-Id. For information about how to pre-authenticate a subscriber, see the Configure Pre-authentication for Subscribers section on page 16-17. To change subscriber pre-authentication information and session filtering, see the Configure Pre-authentication for Subscribers section on page 16-17. Table 4-12 on page 4-11 in the NetOp Policy Manager Reference describes the fields displayed in the Pre-Authentication tab of the Subscriber Account Properties panel.

View Service Order History


To view a history of a subscriber's service orders, perform the following steps:

1. View a specific subscriber account; see the View Subscriber Account and Active Session Information section on page 16-1.

2. Click the Service Order History tab.

The Service Order History tab displays an audit log of the events related to a particular subscriber. When services are added to or removed from the subscriber, the NetOp PM system leaves an audit trail in the Service Order History section. Table 4-13 on page 4-12 in the NetOp Policy Manager Reference describes the fields displayed in the Service Order History tab of the Subscriber Account Properties panel.

View Static Framed IP Addresses


To view a list of the framed IP addresses associated with a subscriber, perform the following steps:

1. View a specific subscriber account; see the View Subscriber Account and Active Session Information section on page 16-1.

2. Click the Static IP Addresses tab.

The Static IP Addresses tab provides the ability to associate multiple framed IP addresses with a subscriber on a static PPP circuit. You can assign and dedicate a group of IP addresses (defined by the Framed-IP-Netmask Remote Authentication Dial-In User Service [RADIUS] attribute) to specific subscribers so that they can run their own Internet servers with these static IP addresses. To configure this feature, assign a static IP address and subnet to a subscriber account; see the Add or Remove Static IP Addresses section on page 16-21. Table 4-14 on page 4-12 in the NetOp Policy Manager Reference describes the fields displayed in the Static IP Addresses tab of the Subscriber Account Properties panel. For information about enabling the Framed-IP-Netmask attribute on the SmartEdge router, see Chapter 3, Configure the Node for the NetOp PM System.


View Current Subscribed Services


To view a list of a subscriber's current subscribed services, perform the following steps:

1. View a specific subscriber account; see the View Subscriber Account and Active Session Information section on page 16-1.

2. Click the Subscribed Services tab. The Subscribed Services tab displays a list of the subscriber's current retail, wholesale, visible, and invisible subscribed services. For instructions on changing a subscriber's services, see the Modify Existing Subscriber Account Details section on page 16-11.

3. To view the details of a subscribed service, select a service. A summary of the service details appears on the Service Information panel.


Note

The Overrides section of the Service Information panel lists any service subscription overrides in effect, such as Time Quota, Incoming Traffic Quota, Outgoing Traffic Quota, Requested Inbound Bandwidth, and Requested Outbound Bandwidth. This section enables you to view any quota top-up that subscribers purchased for metering services. For more information on overrides, see Chapter 7, Service Subscription Attribute Overrides and Chapter 6, Define Services Using the NetOp PM API in the NetOp Policy Manager API Guide.

4. To view full details of the service offering, click Details. The Service Offering Properties panel appears in a new NetOp client window. For information on working with services in the NetOp. Table 4-15 on page 4-13 in the NetOp Policy Manager Reference describes the fields displayed in the Subscribed Services tab of the Subscriber Account Properties panel.

Add Subscriber Accounts to the NetOp PM System


To add a subscriber account to the NetOp PM system, perform the following steps:

1. On the network navigator, click Subscriber Account.

2. On the management view launch bar, click Properties.

3. On the Properties Panel toolbar, click Add Subscriber Account to open the Add Subscriber Account dialog box.

4. Click the Account Name field and type the name of the new subscriber account. The account name must be unique in the NetOp PM system.

Note When configuring EAP TLS authentication, the account number for the subscriber must match the subscriber certificate user name. The NetOp PM system ignores the password field for EAP TLS. We recommend that you enter an obscure password to enhance security.

5. Click the Password field and type the subscriber account password.

6. Optional. Click the Location Lock field and enter a string that uniquely identifies a subscriber's location. The Location Lock field, when applied, requires the subscriber to connect from a specific location in the network; for example, the subscriber's home. For information on the location lock feature, see the Restrict Subscriber Logon Location with Location Lock section on page 16-8. If your system is set up to redirect users who log in from incorrect locations, see the Invalid Location Login Service Offering section on page 3-40 in the NetOp Policy Manager Reference.

Note The Location Lock feature is supported for subscriber accounts using Extensible Authentication Protocol (EAP) authentication by the NetOp PM RADIUS server, but not EAP authentication by an external EAP-aware RADIUS server.

7. Click the Activated field and select either True or False to indicate whether the subscriber is able to log on.


8. Click OK to add the subscriber to the NetOp PM database. To modify subscriber account details such as subscribed services, see the Modify Existing Subscriber Account Details section on page 16-11.

Note The NetOp PM system does not validate the location lock that is associated with a subscriber account on input; this must be a manual process.

Restrict Subscriber Logon Location with Location Lock


The location lock feature enables carriers to restrict the location from which subscribers can log on; for example, the subscriber's home. When the Invalid Location Login IP Redirect Service Offering is configured and a subscriber logs in from an invalid location, a redirect page opens to notify the subscriber and to provide further information; see the Invalid Location Login Service Offering section on page 3-40 in the NetOp Policy Manager Reference for more information about this redirect page. The location lock configured for the subscriber account must match a portion of one of the subscriber's location attributes (NAS-Port-Id or Calling-Station-Id) contained in the Access-Request packet. The subscriber's location lock must be a unique substring of the NAS-Port-Id or Calling-Station-Id attribute. The substring can be any number of characters anywhere in the NAS-Port-Id or Calling-Station-Id attribute value; it does not need to match the initial characters in the string. When a subscriber logs on through a PPP client, or through the web portal after a CLIPS connection is established, the NetOp PM system verifies that the location lock for the subscriber matches a portion of one of the location attributes, and then authenticates the username and password, proxying if necessary. The subscriber is authenticated only if both the location verification and the username and password verification succeed. The NetOp PM system attempts first to match the NAS-Port-Id attribute, and then attempts to match the Calling-Station-Id attribute. For CLIPS connections, if the subscriber account is available with a location lock defined, the NetOp PM system also performs location verification, allowing location checks for implicit logons where web logon is bypassed.

Note For information on subscriber location lock with subscriber pre-authentication, see the Configure Authentication Using DHCP Option 82 section on page 16-9.

The location lock is determined to match a location attribute if the location lock is a substring of the location attribute's value. For example, a location lock value of 5/1 or vpi-vci 1 123 matches a location attribute value for NAS-Port-Id of 5/1 vpi-vci 1 123. Similarly, a location lock value of host.host#12/1 matches a location attribute value for Calling-Station-Id of #host.host#12/1#0#. If the NetOp PM system includes an instance of a service attribute variation that specifies a matching value for the NAS-Identifier and NAS-Port-Id attributes, or a matching value for the Calling-Station-Id attribute, the NetOp PM system applies the location-specific instance of the service attribute variation to the subscriber session.
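The location check described above, as an added example that is not NetOp PM code: the lock is matched as a substring, NAS-Port-Id before Calling-Station-Id, and the username and password are checked only after that, with the failure reason kept separate so the caller can tell an invalid location from an invalid login. The AccessRequest and SubscriberAccount types, the plaintext credential store and the explicit rejection of an empty lock are assumptions made here for illustration.

```python
"""Location lock verification modelled on the description above.

Added example, not NetOp PM code. AccessRequest, SubscriberAccount and the
plaintext credential store are constructed for illustration.
"""
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """The subset of RADIUS Access-Request attributes used by the check (constructed)."""
    username: str
    password: str
    nas_port_id: Optional[str] = None
    calling_station_id: Optional[str] = None


@dataclass(frozen=True)
class SubscriberAccount:
    username: str
    password: str
    location_lock: Optional[str] = None  # None means no lock configured


# Attributes are tried in this order: NAS-Port-Id first, then Calling-Station-Id.
_LOCATION_ATTRIBUTES = ("NAS-Port-Id", "Calling-Station-Id")


def match_location_lock(lock: str, nas_port_id: Optional[str],
                        calling_station_id: Optional[str]) -> Optional[str]:
    """Return the name of the attribute the lock matched, or None.

    The lock matches when it is a substring of the attribute value, anywhere in
    the value, so "vpi-vci 1 123" matches "5/1 vpi-vci 1 123" just as "5/1" does.
    """
    if not lock:
        # Assumption added here: an empty lock is a substring of every value,
        # so it must never count as a successful location check.
        return None
    values = dict(zip(_LOCATION_ATTRIBUTES, (nas_port_id, calling_station_id)))
    for name in _LOCATION_ATTRIBUTES:
        value = values[name]
        if value is not None and lock in value:
            return name
    return None


def authenticate(account: SubscriberAccount, request: AccessRequest) -> Tuple[bool, str]:
    """Apply the location check, then the credential check.

    The returned reason distinguishes the two failure modes, which is what
    decides whether a subscriber lands on the Invalid Location or the Invalid
    Login redirect page.
    """
    if account.location_lock is not None:
        matched = match_location_lock(account.location_lock,
                                      request.nas_port_id, request.calling_station_id)
        if matched is None:
            return False, "invalid-location"
    # Constant-time comparison of the constructed plaintext credential.
    if request.username != account.username or not hmac.compare_digest(
            request.password.encode(), account.password.encode()):
        return False, "invalid-login"
    return True, "accepted"


if __name__ == "__main__":
    acct = SubscriberAccount("alice@example.net", "s3cret", location_lock="5/1")
    req = AccessRequest("alice@example.net", "s3cret", nas_port_id="5/1 vpi-vci 1 123")
    print(authenticate(acct, req))  # (True, 'accepted')
```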


Note

Location lock is ignored on the L2TP network server (LNS). In cases where PPP packets are tunneled between a Layer 2 Tunneling Protocol (L2TP) access concentrator (LAC) and an LNS, in addition to the regular network access server (NAS) session initiated by the PPP connection on the LAC, an extra virtual NAS session is created on the LNS. As a result, the node sends two Access-Request packets to the NetOp PM system. The NetOp PM system receives an Access-Request packet from the LAC and verifies that the location lock and location attribute match, and that the username and password match. The NetOp PM system also receives an Access-Request packet from the LNS; the NetOp PM system bypasses location verification and performs only username and password authentication because the NAS-Port-Id value for the second Access-Request identifies the Access-Request packet as coming from an LNS.

Configure Authentication Using DHCP Option 82


Configuring authentication based on DHCP Option 82 uses subscriber location lock and subscriber pre-authentication. For example, you can configure a headless device to be permitted on to the network, based on a predefined MAC address and a predefined terminating location, which is identified during authentication with the Network-Circuit-Id (the NAS-Id concatenated with the NAS-Port-Id with a space between them), the Session Name, or the Calling-Station-Id RADIUS attributes, or a combination of them, as mapped from DHCP Option 82. DHCP Option 82 is described in RFC 3046, DHCP Relay Agent Information Option. To configure authentication based on DHCP Option 82 on the NetOp PM system, you must configure location lock for the subscriber and configure the subscriber session for pre-authentication. To associate a dynamic CLIPS or DHCP subscriber with a specific MAC address and location, and automatically log the subscriber on, perform the following steps:

1. Click the Location Lock field and enter a string that uniquely identifies the subscriber's location; that is, specify a NAS-Port-Id substring or Calling-Station-Id attribute substring. The specified substring will be compared against DHCP Option 82 if the node is configured to map Option 82 to the Calling-Station-Id attribute.

2. Ensure that the subscriber's access service is configured for implicit logon to enable the subscriber to access the Internet without logging on.

3. Pre-authenticate the subscriber to enable the subscriber to access the Internet without providing a password at logon time, by performing the following steps:

a. Click the Pre-Authentication tab of the Subscriber Account Properties panel.

b. Click the Add button to open the Add Pre-Authentication dialog box.


Caution When you configure any combination of the Pre-Authentication, Static IP Addresses, Circuit Attributes, or Framed-Route tabs, ensure that the Session Filter information for each tab matches. For example, if you provision the Pre-Authentication tab and the Circuit Attributes tab for a specific circuit, you must ensure that the Session Filter information matches. Failure to match the Session Filter information for each of these tabs could cause unexpected behavior that could impact your service.

You must enter at least one of the options described in steps c. through e., or enter a combination of these options based on the results you want.

c. Optional. Click the Session Name check box and type or select the subscriber record name associated with the session. The Session Name field reflects the subscriber's PPP username, the subscriber PC's MAC address, or the subscriber name bound to static CLIPS or RFC 1483 bridged-encapsulated circuits (using the bind subscriber command in ATM PVC or CLIPS configuration mode).

d. Optional. Click the Calling-Station-Id check box and type the calling station identifier.

e. Optional. Click the Network Circuit ID check box to enable and enter the NAS-Identifier and NAS-Port-Id fields: Click the NAS-Identifier field and type the name of the node associated with the subscriber circuit. Click the NAS-Port-Id field and type the node port ID that identifies the subscriber circuit. The default format is slot/port <vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id>. The only accepted separator character is the space character. For example, 4/1 vpi-vci 207 138. When matching, the NetOp PM system ignores the session identifier (which would be pppoe 5 in 12/2 pppoe 5). The information in the NAS-Port-Id field must be an exact match of the circuit identifier on which the subscriber traffic is present. No wild cards, substrings, or filters are supported for this value.

f. Click OK.

g. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. For more information, see the Configure Pre-authentication for Subscribers section on page 16-17.

The Pre-Authentication tab reflects the override applied by the administrator, and may not accurately reflect whether the subscriber is assigned to the captive portal; rather, it reflects whether the subscriber is pre-authenticated for the next session.

Alternatively, to avoid having to record the MAC address of the customer's equipment (for example, if the customer's PC or home router is subject to change when the customer purchases new equipment), you can program the digital subscriber line access multiplexer (DSLAM) with an Option 82 suboption 2 string on active customer DSLAM ports, and then use subscriber location lock to enable and disable the NetOp PM system's recognition of the port, based on the suboption 2 string. If pre-authentication is enabled for the subscriber session, the billing system will bill a specific house, independent of whose PC is connected, since pre-authentication is tied to a specific subscriber account.

Modify Existing Subscriber Account Details


Note You cannot use the NetOp PM client to modify the subscriber account password if the NetOp PM system is configured to proxy Access-Request packets. For information on proxying authentication messages, see the Configure External RADIUS and LDAP Servers chapter.

To modify the details of an existing subscriber account, perform the following steps:

1. View a subscriber account; see the View Subscriber Account and Active Session Information section on page 16-1.

2. Modify subscriber account details as appropriate; details are provided in the subsections that follow.

3. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used.

Configure Subscriber Circuit Attributes


The Subscriber Account Properties panel enables you to add and remove an association between a QoS hierarchical node and node group, and a subscriber circuit. To configure hierarchical QoS for a subscriber circuit, perform the following steps:

1. On the SmartEdge router, define hierarchical nodes and node groups for each class of service. This includes defining the number of queues, rate limits, and queuing policies. These policies are associated with specific GE ports. For information on hierarchical nodes and node groups, see the Hierarchical Nodes and Node Groups section on page 16-12. For more information on configuring the SmartEdge router, see the SmartEdge OS Library.

2. Use the NetOp client to associate a QoS hierarchical node and node group with the subscriber circuit; see the Add a QoS Reference to a Subscriber Circuit section on page 16-12.

Note To configure an RB-Qos-Reference attribute for a specific location, rather than for a specific subscriber, add the subscriber's home location; see the Add a QoS Reference to a Location section on page 16-14.

Note

The NetOp PM system cannot determine whether the session traverses a GE3 or GE1020 traffic card, and as such, cannot decide when to send a QoS reference. The SmartEdge router ignores the QoS reference attribute for non-GE3 or non-GE1020 ports.


Hierarchical Nodes and Node Groups


Hierarchical nodes and node groups perform quality of service (QoS) scheduling and shaping using priority weighted fair queuing (PWFQ) policies for subscriber sessions assigned to hierarchical nodes. Note Traffic-managed ports are limited to ports on the Gigabit Ethernet 3 (GE3) or Gigabit Ethernet 1020 (GE1020) traffic cards. Hierarchical nodes are supported only on these ports. The NetOp PM system cannot determine whether the session traverses a GE3 or GE1020 traffic card, and as such, cannot decide when to send a QoS reference. The SmartEdge router ignores the QoS reference attribute for non-GE3 or non-GE1020 ports.

A hierarchical node functions as an individual circuit, such as an 802.1Q permanent virtual circuit (PVC); you can assign a traffic rate and attach a PWFQ policy to it. In addition, you can specify the scheduling mode for the queues defined by the PWFQ policy, either strict or weighted round-robin (WRR). Each node is a member of a node group. Like the individual nodes within it, a node group functions as a circuit, such as an 802.1Q tunnel. You can assign a traffic rate and a scheduling mode (which might not be the same traffic rate or scheduling mode assigned to any of the nodes within the group) to a node group; node groups do not support PWFQ policies. When you configure a subscriber record or profile to reference a hierarchical node, all sessions for that subscriber are governed by the QoS PWFQ policy attached to that node and to the hierarchical scheduling for the node and for the node group. Note You can also attach a PWFQ policy directly to a subscriber record or profile. However, if you attach a PWFQ policy to the subscriber record and another PWFQ policy to the hierarchical node, the policy that you attach to the subscriber record supersedes the policy that you attach to the hierarchical node.

Add a QoS Reference to a Subscriber Circuit


Note To configure an RB-Qos-Reference attribute for a specific location, rather than for a specific subscriber and the subscribers home location, see the Add a QoS Reference to a Location section on page 16-14.

To add an association between a QoS hierarchical node and node group, and a subscriber circuit, perform the following steps:

1. View a subscriber account and circuit QoS hierarchical node and node group settings; see the View Subscriber Circuit Attributes: QoS Hierarchical Node and Node Group section on page 16-3.

2. Click Add to open the Add Circuit Attributes dialog box. At least one of the options presented in steps 3, 4, and 5 must be specified.

Note When you configure any combination of the Pre-Authentication, Static IP Addresses, Circuit Attributes, or Framed-Route tabs, ensure that the Session Filter information for each tab matches. For example, if you provision the Pre-Authentication tab and the Circuit Attributes tab for a specific circuit, you must ensure that the Session Filter information matches.


3. Optional. Click the Session Name check box and type or select the name of the node associated with the subscriber circuit.

4. Optional. Click the Calling-Station-Id check box and type the calling station identifier.

5. Optional. Click the Network Circuit ID check box to enable the NAS-Identifier and NAS-Port-Id fields. You must complete steps 6 and 7 if you selected this option.

6. Click the NAS-Identifier field and type the name of the node associated with the subscriber circuit.

7. Click the NAS-Port-Id field and type the node port ID that identifies the subscriber circuit. The default format is slot/port <vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id>. The only accepted separator character is the space character. For example, 4/1 vpi-vci 207 138. When matching, the NetOp PM system ignores the session identifier (which would be pppoe 5 in 12/2 pppoe 5). The information in the NAS-Port-Id field must be an exact match of the circuit identifier on which the subscriber traffic is present. No wild cards, substrings, or filters are supported for this value.

8. Click the RB-Qos-Reference field and type the QoS hierarchical node and node group to associate with the subscriber circuit in the following format: node-name node-idx:group-name group-idx, where node-name node-idx is the name of the node and the node index number, and group-name group-idx is the name of the node group and the node group index number on the SmartEdge router; for more information, see the Hierarchical Nodes and Node Groups section on page 16-12. When a subscriber connects through a node and port that match the values specified in the NAS-Identifier and NAS-Port-Id fields, the corresponding RB-Qos-Reference attribute is sent to the node, indicating the QoS hierarchical node and node group to apply to the subscriber circuit. If no match is found, the RB-Qos-Reference attribute is not sent.

9. Click OK.
Note Each unique node-node group combination represents a single set of queues and so should be assigned to only a single subscriber's sessions; another subscriber's session could be added, but its traffic will consume a portion of the bandwidth.

Manage Subscribers

16-13

Modify Existing Subscriber Account Details

10. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. The NetOp PM system adds the QoS reference to the subscriber circuit. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded.

Remove a QoS Reference from a Subscriber Circuit


To remove an association between a QoS hierarchical node and node group, and a subscriber circuit, perform the following steps:
1. View a subscriber account and circuit QoS hierarchical node and node group settings; see the View Subscriber Circuit Attributes, QoS Hierarchical Node and Node Group section on page 16-3.
2. Select the QoS reference to remove from the subscriber account.
3. Click Remove.
4. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. The NetOp PM system removes the QoS reference from the subscriber circuit. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded.

Add a QoS Reference to a Location


Note To add an association between a QoS hierarchical node and node group, and a specific subscriber circuit, see the Add a QoS Reference to a Subscriber Circuit section on page 16-12.

Note

An entry that specifies a subscriber takes priority over an entry that does not specify a subscriber.

To associate a location with a QoS hierarchical node and node group, independent of the specific subscriber connected to the location, perform the following steps:
1. Log on to a database management tool, such as the DbVisualizer application or SQL*Plus, and connect to the NetOp PM database.
2. Add a record to the circuit_radius_attributes table.
3. In the nas_identifier field, type the name of the node.


4. In the nas_port_id field, type the node port ID. The default format is slot/port [vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id]. The only accepted separator character is the space character. For example, 4/1 vpi-vci 207 138. When matching, the NetOp PM system ignores the session identifier, which would be pppoe 5 in 12/2 pppoe 5.
5. In the RB-Qos-Reference field, type the QoS hierarchical node and node group to associate with the nas_identifier and nas_port_id in the following format: node-name node-idx:group-name group-idx, where node-name node-idx is the name of the node and the node index number, and group-name group-idx is the name of the node group and the node group index number on the SmartEdge router; for more information, see the Hierarchical Nodes and Node Groups section on page 16-12. When any subscriber connects through a node and port that match the values specified in the nas_identifier and nas_port_id fields, the corresponding RB-Qos-Reference attribute is sent to the node, indicating the QoS hierarchical node and node group to apply to the subscriber. If no match is found, the RB-Qos-Reference attribute is not sent.
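The matching that steps 4 and 5 describe (an exact match on the node name and the circuit identifier, the space character as the only separator, the trailing session identifier ignored, and, per the note above, an entry that names a subscriber taking priority over a location entry for the same circuit) is reproduced below as an added Python example. It is illustration code written for this page, not NetOp PM code; the QosEntry layout, the sample entries and the single pppoe session-identifier keyword are assumptions.

```python
"""Added example: NAS-Identifier / NAS-Port-Id matching for RB-Qos-Reference.

Illustration code written for this page, not NetOp PM product code. The
QosEntry layout, the sample entries and SESSION_ID_KEYWORDS are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Keywords that start a session identifier trailing the circuit identifier.
# The guide's only example is "pppoe 5" in "12/2 pppoe 5"; listing just
# "pppoe" here is an assumption.
SESSION_ID_KEYWORDS = ("pppoe",)


def normalize_nas_port_id(value: str) -> str:
    """Return the circuit identifier part of a NAS-Port-Id.

    Only the space character is accepted as a separator, so tabs, doubled
    spaces and leading or trailing whitespace are rejected rather than silently
    repaired. Tokens from the first session-identifier keyword onwards are
    dropped, because the matcher ignores the session identifier.
    """
    if not value or value != value.strip() or "  " in value:
        raise ValueError(f"NAS-Port-Id {value!r}: fields must be separated by single spaces")
    if any(ch.isspace() and ch != " " for ch in value):
        raise ValueError(f"NAS-Port-Id {value!r}: only the space character is a valid separator")
    tokens = value.split(" ")
    for i, tok in enumerate(tokens):
        if tok in SESSION_ID_KEYWORDS:
            tokens = tokens[:i]
            break
    if not tokens:
        raise ValueError(f"NAS-Port-Id {value!r}: no circuit identifier before the session identifier")
    return " ".join(tokens)


@dataclass(frozen=True)
class QosEntry:
    """One NAS-Identifier/NAS-Port-Id -> RB-Qos-Reference mapping.

    subscriber=None models a location entry (a circuit_radius_attributes row);
    a subscriber name models an entry provisioned on that subscriber account.
    """
    nas_identifier: str
    nas_port_id: str
    rb_qos_reference: str  # "node-name node-idx:group-name group-idx"
    subscriber: Optional[str] = None


def select_qos_reference(entries: Iterable[QosEntry], nas_identifier: str,
                         nas_port_id: str, subscriber: str) -> Optional[str]:
    """Return the RB-Qos-Reference to send for this session, or None if nothing matches.

    Matching is exact on the node name and on the normalized circuit identifier
    (no wildcards or substrings). An entry that names the connecting subscriber
    beats a location entry for the same circuit; an entry naming a different
    subscriber never matches.
    """
    circuit = normalize_nas_port_id(nas_port_id)
    best: Optional[QosEntry] = None
    for entry in entries:
        if entry.nas_identifier != nas_identifier:
            continue
        if normalize_nas_port_id(entry.nas_port_id) != circuit:
            continue
        if entry.subscriber is not None and entry.subscriber != subscriber:
            continue  # provisioned for a different subscriber
        if best is None or (entry.subscriber is not None and best.subscriber is None):
            best = entry
    return None if best is None else best.rb_qos_reference


# Constructed sample data (not from the guide): a location entry for one ATM
# PVC, a subscriber-specific override for the same circuit, and a PPPoE port.
SAMPLE_ENTRIES = [
    QosEntry("ser-1", "4/1 vpi-vci 207 138", "dslam-1 1:default 1"),
    QosEntry("ser-1", "4/1 vpi-vci 207 138", "dslam-1 1:premium 2", subscriber="joe"),
    QosEntry("ser-1", "12/2", "dslam-2 3:default 1"),
]

if __name__ == "__main__":
    print(select_qos_reference(SAMPLE_ENTRIES, "ser-1", "4/1 vpi-vci 207 138", "joe"))
    print(select_qos_reference(SAMPLE_ENTRIES, "ser-1", "4/1 vpi-vci 207 138", "bob"))
    print(select_qos_reference(SAMPLE_ENTRIES, "ser-1", "12/2 pppoe 5", "bob"))
```

Because a location entry applies to whoever connects on that port, the check that a subscriber-specific entry wins is the one worth keeping in a provisioning script: it is what prevents a per-location default from silently overriding a deliberate per-account assignment.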

Add or Remove Framed Routes


The Subscriber Account Properties panel enables you to add and remove a framed route associated with the subscribers session.

Add a Framed Route to a Subscriber Session


To add a framed route to a subscriber session, perform the following steps:
1. View a subscriber account and framed route settings; see the View Framed Routes section on page 16-3.
2. Click Add to open the Add Framed Route dialog box. At least one of the options presented in steps 3, 4, and 5 must be specified.
Note When you configure any combination of the Pre-Authentication, Static IP Addresses, Circuit Attributes, or Framed-Route tabs, ensure that the Session Filter information for each tab matches. For example, if you provision the Pre-Authentication tab and the Circuit Attributes tab for a specific circuit, you must ensure that the Session Filter information matches.


3. Optional. Click the Session Name check box and type or select the session name (the NAS username of the session, for example a MAC address such as 00:01:a2:3b:4c:d5) associated with the subscriber circuit.
4. Optional. Click the Calling-Station-Id check box and type the calling station identifier.
5. Optional. Click the Network Circuit ID check box to enable the NAS-Identifier and NAS-Port-Id fields. You must complete steps 6 and 7 if you selected this option.
6. Click the NAS-Identifier field and type the name of the node associated with the subscriber circuit.
7. Click the NAS-Port-Id field and type the node port ID that identifies the subscriber circuit. The default format is slot/port <vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id>. The only accepted separator character is the space character. For example, 4/1 vpi-vci 207 138. When matching, the NetOp PM system ignores the session identifier, which would be pppoe 5 in 12/2 pppoe 5. The information in the NAS-Port-Id field must be an exact match of the circuit identifier on which the subscriber traffic is present. No wild cards, substrings, or filters are supported for this value.
8. Click the Destination field and type the IP address of the destination host or network. The format is h.h.h.h[/nn], where h.h.h.h is the IP address of the destination host or network and nn is the netmask size in bits; if /nn is not present, it defaults to 32.
9. Click the Gateway field and type the IP address of the gateway.
10. Click the Metric field and type the number of hops for this route.
11. Click OK.
12. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used.
The NetOp PM system adds the framed route to the subscriber session. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded.
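The Destination, Gateway and Metric fields of steps 8 to 10 correspond to the text form of the RADIUS Framed-Route attribute, destination/prefix gateway metric, which is how the value appears later in this chapter (Framed-Route = 200.10.10.1 10.192.168.1 1). The added Python example below, written for this page rather than taken from NetOp PM, validates the three fields, applies the /32 default, and renders the attribute value.

```python
"""Added example: validate the Add Framed Route dialog fields and render the
RADIUS Framed-Route text value. Illustration code written for this page, not
NetOp PM product code.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FramedRoute:
    destination: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int

    def attribute_value(self) -> str:
        """Text form of the Framed-Route attribute ("dest/prefix gateway metric").

        The prefix length is always written out, so a reader of the resulting
        value never has to know that a missing /nn means /32.
        """
        return f"{self.destination.with_prefixlen} {self.gateway} {self.metric}"


def framed_route_from_dialog(destination: str, gateway: str, metric: str) -> FramedRoute:
    """Build a FramedRoute from the Destination, Gateway and Metric fields.

    destination is h.h.h.h[/nn]; a missing /nn means a host route (/32).
    A destination with host bits set beyond the prefix (for example
    10.1.2.3/24) is rejected instead of being silently masked, so the
    operator sees the route that will really be installed.
    """
    dest = destination if "/" in destination else f"{destination}/32"
    try:
        net = ipaddress.IPv4Network(dest, strict=True)
    except ValueError as exc:
        raise ValueError(f"Destination {destination!r}: {exc}") from exc
    gw = ipaddress.IPv4Address(gateway)
    if not metric.isdigit():
        raise ValueError(f"Metric {metric!r}: must be a non-negative hop count")
    return FramedRoute(net, gw, int(metric))


def parse_framed_route(value: str) -> FramedRoute:
    """Parse a Framed-Route text value, e.g. the guide's '200.10.10.1 10.192.168.1 1'."""
    parts = value.split(" ")
    if len(parts) != 3 or "" in parts:
        raise ValueError(
            f"Framed-Route {value!r}: expected 'destination gateway metric' separated by single spaces")
    return framed_route_from_dialog(*parts)


if __name__ == "__main__":
    route = parse_framed_route("200.10.10.1 10.192.168.1 1")
    print(route.destination, route.gateway, route.metric, "->", route.attribute_value())
```

Rejecting host bits rather than masking them is a deliberate choice: a framed route steers traffic for the whole destination prefix to the subscriber's gateway, so an operator who typed 10.1.2.3/24 should be asked which of the two routes was meant rather than having a /24 installed quietly.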


Note

If the session name specified in the Add Framed Route dialog box does not match a NAS username already defined in the NetOp PM database, the new session also appears on the Logon Status tab. When you remove the session from the Logon Status tab, the session name is also removed from the Framed Route tab.

Remove a Framed Route from a Subscriber Session


To remove a framed route from a subscriber session, perform the following steps:
1. View a subscriber account and framed route settings; see the View Framed Routes section on page 16-3.
2. Select the framed route to remove from the subscriber account.
3. Click Remove.
4. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. The NetOp PM system removes the framed route from the subscriber session. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded.

Configure Pre-authentication for Subscribers


Pre-authenticating a subscriber means that the subscriber can immediately access the Internet when the session comes up. Service providers can set session filtering attributes to determine when to apply pre-authentication for the circuit.

Pre-authenticate a Subscriber
To pre-authenticate a subscriber session, perform the following steps:
1. View the subscriber account you want to pre-authenticate, following the steps in the View Pre-Authentication Information section on page 16-4.
2. Click the Pre-Authentication tab and click Add. The Add Pre-Authentication dialog box appears. You must specify at least one of the options described in steps 3, 4, and 5.


Note

When you configure any combination of the Static IP Addresses and Framed-Route tabs, ensure that the Session Filter information for each tab matches. If you want both the Static IP Address and the Framed-Route to be applied, configure the same Session Filter information on each tab. For example, to apply both to a circuit, you can configure the following entries in the Static IP Address and Framed-Route tabs for the subscriber account joe:
Calling-Station-Id = ser-1 12/1 vlan 1; Static IP Address = 10.192.45.20
Calling-Station-Id = ser-1 12/1 vlan 1; Framed-Route = 200.10.10.1 10.192.168.1 1
When the circuit comes up with Calling-Station-Id = ser-1 12/1 vlan 1, the circuit has both Static IP Address = 10.192.45.20 and Framed-Route = 200.10.10.1 10.192.168.1 1 applied.
If you want only one of the Static IP Address or the Framed-Route to be applied, configure the Session Filter differently on each tab. For example, to apply only the Static IP Address to a particular session, you can configure the following entries in the Static IP Address and Framed-Route tabs for subscriber account joe:
Session Name = 00:01:a2:3b:4c:d5; Calling-Station-Id = ser-1 12/1 vlan 1; Static IP Address = 10.192.45.20
Calling-Station-Id = ser-1 12/1 vlan 1; Framed-Route = 200.10.10.1 10.192.168.1 1
When the circuit comes up with Session Name = 00:01:a2:3b:4c:d5 and Calling-Station-Id = ser-1 12/1 vlan 1, the circuit has Static IP Address = 10.192.45.20 applied. The circuit does not have Framed-Route = 200.10.10.1 10.192.168.1 1 applied, because the Session Filter on the Static IP Address entry is the best match for the circuit. When the circuit comes up with Session Name = 00:01:a2:3b:4c:d6 and Calling-Station-Id = ser-1 12/1 vlan 1, the circuit has Framed-Route = 200.10.10.1 10.192.168.1 1 applied and does not have Static IP Address = 10.192.45.20 applied, because the Session Filter on the Framed-Route entry is the best match for the circuit.

3. Optional. Click the Session Name check box and type or select the session name (the NAS username of the session, for example a MAC address such as 00:01:a2:3b:4c:d5) associated with the subscriber circuit.
4. Optional. Click the Calling-Station-Id check box and type the calling station identifier.
5. Optional. Click the Network Circuit ID check box to enable the NAS-Identifier and NAS-Port-Id fields:
a. Click the NAS-Identifier field and type the name of the node associated with the subscriber circuit.


b. Click the NAS-Port-Id field and type the node port ID that identifies the subscriber circuit. The default format is slot/port <vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id>; for example, 4/1 vpi-vci 207 138. The only accepted separator character is the space character. When matching, the NetOp PM system ignores the session identifier, which is pppoe 5 in 12/2 pppoe 5. The information in the NAS-Port-Id field must be an exact match of the circuit identifier of the circuit carrying the subscriber traffic. This value cannot include wild cards, substrings, or filters.
When a subscriber is pre-authenticated, the Pre-Authentication tab reflects the override applied by the administrator and may not accurately reflect whether the subscriber is assigned to the captive portal; instead, it reflects whether the subscriber is pre-authenticated for the next session.
6. Click OK.
7. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately. Reauthorizing the subscriber session applies the selected service subscriptions and may remove other active subscriptions. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are lost.
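The best-match rule described in the note above, run over the same entries for subscriber account joe, as an added Python example written for this page (it is not NetOp PM code). The data layout is an assumption, as is the tie-break when two different Session Filters specify the same number of options, which the guide does not define.

```python
"""Added example: Session Filter best-match selection across the Static IP
Address and Framed-Route tabs. Illustration code written for this page, not
NetOp PM product code; the data layout and the tie-break are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# The Session Filter options the Add ... dialog boxes offer.
FILTER_KEYS = ("session_name", "calling_station_id", "nas_identifier", "nas_port_id")

SessionFilter = Tuple[Tuple[str, str], ...]


def make_filter(**criteria: str) -> SessionFilter:
    """Build a Session Filter; at least one option must be specified."""
    unknown = set(criteria) - set(FILTER_KEYS)
    if unknown:
        raise ValueError(f"unknown Session Filter option(s): {sorted(unknown)}")
    if not criteria:
        raise ValueError("at least one Session Filter option must be specified")
    return tuple(sorted(criteria.items()))


@dataclass(frozen=True)
class TabEntry:
    tab: str            # "Static IP Address", "Framed-Route", "Pre-Authentication", ...
    value: str          # what the tab provisions for the matching circuit
    session_filter: SessionFilter


def entry_matches(entry: TabEntry, session: Dict[str, str]) -> bool:
    """Every option the filter specifies must equal the session's value exactly."""
    return all(session.get(key) == value for key, value in entry.session_filter)


def attributes_for_session(entries: Iterable[TabEntry], session: Dict[str, str]) -> Dict[str, str]:
    """Return {tab: value} for the entries applied to this session.

    Only entries whose Session Filter is identical to the best-matching filter
    are applied; an entry with a less specific filter is not, even though it
    matches on its own. 'Best' is the filter specifying the most options; when
    two different filters tie, the first one seen wins (assumption: the guide
    does not define this case).
    """
    candidates = [e for e in entries if entry_matches(e, session)]
    if not candidates:
        return {}
    best = max((e.session_filter for e in candidates), key=len)
    return {e.tab: e.value for e in candidates if e.session_filter == best}


# The two provisioning variants the note describes for subscriber account joe.
JOE_SAME_FILTER = [
    TabEntry("Static IP Address", "10.192.45.20",
             make_filter(calling_station_id="ser-1 12/1 vlan 1")),
    TabEntry("Framed-Route", "200.10.10.1 10.192.168.1 1",
             make_filter(calling_station_id="ser-1 12/1 vlan 1")),
]
JOE_DIFFERENT_FILTER = [
    TabEntry("Static IP Address", "10.192.45.20",
             make_filter(session_name="00:01:a2:3b:4c:d5",
                         calling_station_id="ser-1 12/1 vlan 1")),
    TabEntry("Framed-Route", "200.10.10.1 10.192.168.1 1",
             make_filter(calling_station_id="ser-1 12/1 vlan 1")),
]

if __name__ == "__main__":
    d5 = {"session_name": "00:01:a2:3b:4c:d5", "calling_station_id": "ser-1 12/1 vlan 1"}
    d6 = {"session_name": "00:01:a2:3b:4c:d6", "calling_station_id": "ser-1 12/1 vlan 1"}
    print(attributes_for_session(JOE_SAME_FILTER, d5))       # both tabs applied
    print(attributes_for_session(JOE_DIFFERENT_FILTER, d5))  # Static IP Address only
    print(attributes_for_session(JOE_DIFFERENT_FILTER, d6))  # Framed-Route only
```

The practical consequence is the one the note warns about: adding a Session Name to one tab's filter does not just make that tab more specific, it stops every other tab whose filter is broader from applying to that session, so a Pre-Authentication or Circuit Attributes entry can disappear for a subscriber without anyone having touched it.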

Remove Pre-authentication from a Subscriber


To remove the pre-authentication from a subscriber, perform the following steps:
1. Perform all steps in the View Pre-Authentication Information section on page 16-4.
2. Click the entry you want to remove and then click the Remove button.
3. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded.

Change Subscriber Logon Status


The Subscriber Account Properties panel enables you to change the logon status of a subscriber session. Any changes to a subscriber's logon status take effect the next time the subscriber starts a session. For pre-authenticated subscribers, the Authenticated column reflects the override applied by the administrator, and may not accurately reflect whether the subscriber is assigned to the captive portal; rather, it reflects whether the subscriber is pre-authenticated for the next session. See the Configure Pre-authentication for Subscribers section on page 16-17.

Change Subscriber Logon Status


To change the logon status of a subscriber, perform the following steps: 1. View a subscriber account and logon status settings; see the View Logon Status section on page 16-3.


2. Select the subscriber session to change logon status.
3. Click Edit to open the Edit Logon Status dialog box.
4. Click the Authenticated field and select YES or NO.
Note If you select NO and do not remove the pre-authentication attributes according to the instructions provided in the Remove Pre-authentication from a Subscriber section on page 16-19, the next subscriber session continues to be pre-authenticated.

5. Click OK.
6. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. The NetOp PM system changes the logon status of the subscriber session. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded.

Remove Subscriber Logon Status


To remove a subscriber session from the Logon Status panel and force the subscriber to reauthenticate the next time the subscriber attempts to access the Internet, perform the following steps:
1. View a subscriber account and logon status settings; see the View Logon Status section on page 16-3.
2. Select the subscriber session whose logon status you want to remove.
3. Click Remove.
Note All framed routes associated with the subscriber are also removed from the Framed Route tab.

Note

If the session name specified in the Add Framed Route dialog box does not match a NAS username already defined in the NetOp PM database, the new session also appears on the Logon Status tab. When you remove the session from the Logon Status tab, the session name is also removed from the Framed Route tab.

4. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. The NetOp PM system removes the subscriber session. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded.


Add or Remove Static IP Addresses


The Subscriber Account Properties panel displays a list of the framed IP addresses associated with the subscriber sessions and enables you to add and remove the IP addresses. You can assign and dedicate a group of IP addresses (defined by the Framed-IP-Netmask RADIUS attribute) to specific subscribers so that they can run their own Internet servers with these static IP addresses. To configure this feature, assign a static IP address and subnet to a subscriber account. For information about enabling the Framed-IP-Netmask attribute on the SmartEdge router, see Chapter 3, Configure the Node for the NetOp PM System.

Add Static IP Addresses


Note For Access service offerings, the Max. Sessions field must be set to 1 if you are assigning static IP addresses.

To add a static framed IP address to a subscriber session on a static PPP circuit, perform the following steps:
1. View a subscriber account and static IP addresses; see the View Static Framed IP Addresses section on page 16-5.
2. Click Add to open the Add Static IP Address dialog box. At least one of the options presented in steps 3, 4, and 5 must be specified.
Note When you configure any combination of the Pre-Authentication, Static IP Addresses, Circuit Attributes, or Framed-Route tabs, ensure that the Session Filter information for each tab matches. For example, if you provision the Pre-Authentication tab and the Circuit Attributes tab for a specific circuit, you must ensure that the Session Filter information matches.
3. Optional. Click the Session Name check box and type or select the session name (the NAS username of the session, for example a MAC address such as 00:01:a2:3b:4c:d5) associated with the subscriber circuit.
4. Optional. Click the Calling-Station-Id check box and type the calling station identifier.
5. Optional. Click the Network Circuit ID check box to enable the NAS-Identifier and NAS-Port-Id fields. You must complete steps 6 and 7 if you selected this option.
6. Click the NAS-Identifier field and type the name of the node associated with the subscriber circuit.
7. Click the NAS-Port-Id field and type the node port ID that identifies the subscriber circuit. The default format is slot/port <vpi-vci vpi vci | vlan-id [tunl-vlan-id:]pvc-vlan-id>. The only accepted separator character is the space character. For example, 4/1 vpi-vci 207 138. When matching, the NetOp PM system ignores the session identifier, which would be pppoe 5 in 12/2 pppoe 5. The information in the NAS-Port-Id field must be an exact match of the circuit identifier on which the subscriber traffic is present. No wild cards, substrings, or filters are supported for this value.
8. Click the IP Address field and type the IP address statically assigned to the subscriber's circuit; it is returned in the Access-Accept packet.
9. Click OK.


10. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. The NetOp PM system adds the static IP address to the subscriber session. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded.
Note If you specify multiple IP addresses using the Classless Inter-Domain Routing (CIDR) format (h.h.h.h/nn) for the same session name, all static IP addresses must be present on the same subnet as the interface that the subscriber gets bound to.
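The note above and the Max. Sessions note at the start of this procedure describe two consistency checks that are easy to get wrong by hand: every static address or CIDR block entered for a session name must sit inside the subnet of the interface the subscriber is bound to, and an Access service offering must have Max. Sessions set to 1. The added Python example below, written for this page and not taken from NetOp PM, performs both checks before anything is applied; the interface subnet and the sample entries are constructed inputs.

```python
"""Added example: pre-flight checks for static IP address assignment.

Illustration code written for this page, not NetOp PM product code. The
interface subnet is supplied by the caller; the sample values are constructed.
"""
import ipaddress
from typing import List, Sequence


def to_network(entry: str) -> ipaddress.IPv4Network:
    """Accept a bare address or CIDR (h.h.h.h/nn); a bare address is a /32.

    strict=True rejects a block with host bits set (e.g. 10.192.45.20/29), so a
    mistyped prefix is reported rather than silently widened to the block.
    """
    return ipaddress.IPv4Network(entry if "/" in entry else f"{entry}/32", strict=True)


def entries_outside_subnet(entries: Sequence[str], interface_subnet: str) -> List[str]:
    """Return the static IP entries that are not contained in the bound interface's subnet."""
    iface = ipaddress.IPv4Network(interface_subnet, strict=True)
    return [entry for entry in entries if not to_network(entry).subnet_of(iface)]


def validate_static_ip_assignment(service_type: str, max_sessions: int,
                                  entries: Sequence[str], interface_subnet: str) -> List[str]:
    """Return a list of problems; an empty list means the assignment is consistent.

    service_type is the offering type ("Access" is the one the guide constrains);
    max_sessions is the offering's Max. Sessions value.
    """
    problems: List[str] = []
    if service_type == "Access" and max_sessions != 1:
        problems.append(
            f"Access service offering has Max. Sessions = {max_sessions}; it must be 1 "
            "when static IP addresses are assigned")
    for entry in entries_outside_subnet(entries, interface_subnet):
        problems.append(f"{entry} is not on the interface subnet {interface_subnet}")
    return problems


if __name__ == "__main__":
    # Constructed sample: one host address and one /29 block, bound interface 10.192.45.0/24.
    print(validate_static_ip_assignment("Access", 1, ["10.192.45.20", "10.192.45.32/29"], "10.192.45.0/24"))
    print(validate_static_ip_assignment("Access", 2, ["10.192.45.20", "10.192.46.8/29"], "10.192.45.0/24"))
```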

Remove Static IP Addresses


To remove a static framed IP address from a subscriber session, perform the following steps:
1. View a subscriber account and static IP addresses; see the View Static Framed IP Addresses section on page 16-5.
2. Select the framed IP address to remove from the subscriber account.
3. Click Remove.
4. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. The NetOp PM system removes the static IP address from the subscriber session. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded.

Add Subscribed Services


Note You can use the NetOp client to add subscribed services; however, if the NetOp PM software is configured to proxy Access-Request packets and to flow through the RB-NPM-Service-Id RADIUS attribute, or to map proxied RADIUS attributes or Lightweight Directory Access Protocol (LDAP) attributes to the RB-NPM-Service-Id RADIUS attribute, then the subscribed services you add are replaced by those of the external LDAP or external RADIUS server. For information on proxying authentication messages, flow-through RADIUS attributes, and mapping RADIUS and LDAP attributes to NetOp PM RADIUS attributes, see Chapter 5, Configure External RADIUS and LDAP Servers.

To add services to a subscriber account, perform the following steps: 1. View a subscribers subscribed services; see the View Current Subscribed Services section on page 16-6.


2. In the Subscribed Services section, click Add to open the Select Service Offering dialog box.
3. Click the name of the retail, wholesale, visible, or invisible service offering to add to the subscriber account and then click OK.
Note The NetOp client enables you to add services that are not available to the subscriber on the web portal services page.

4. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. The NetOp PM system implements the service on the node. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded. Table 4-15 on page 4-13 in the NetOp Policy Manager Reference describes the fields displayed in the Subscribed Services section of the Subscriber Account Properties panel.

Remove Subscribed Services


Note You can use the NetOp client to remove subscribed services; however, if the NetOp PM software is configured to proxy Access-Request packets and to flow through the RB-NPM-Service-Id RADIUS attribute, or to map proxied RADIUS attributes or LDAP attributes to the RB-NPM-Service-Id RADIUS attribute, then the changes you make to the subscribed services are replaced by those of the external LDAP or external RADIUS server. For information on proxying authentication messages, flow-through RADIUS attributes, and mapping RADIUS and LDAP attributes to NetOp PM RADIUS attributes, see Chapter 5, Configure External RADIUS and LDAP Servers.

To remove services from a subscriber account, perform the following steps:
1. View a subscriber's subscribed services; see the View Current Subscribed Services section on page 16-6.
2. In the Subscribed Services section, click the service you want to remove from the subscriber account.
3. Click Remove.
4. On the Subscriber Account Properties panel, click Apply, or click Apply & Reauth. When you click Apply, changes do not take effect until the subscriber logs off and logs back on; when you click Apply & Reauth, changes take effect immediately, without requiring the subscriber to log off and log on again. Reauthorizing the subscriber's session applies the selected service subscriptions, and may remove subscriptions that are actively being used. The NetOp PM system removes the service from the node. If you close or navigate away from the Subscriber Account Properties panel, or click Refresh without applying changes, the changes you made are discarded.


Remove Subscriber Accounts


Note You cannot remove a subscriber account if an active session exists for that account. To remove a subscriber account with an active session, you must first use the Disconnect button to clear the subscriber session from the node. If you remove a subscriber account from the NetOp PM system and the NetOp PM system is configured to authenticate subscribers using an external LDAP or RADIUS server, the subscriber account is automatically added again the next time the subscriber authenticates with the external LDAP or RADIUS server.

To remove a subscriber account from the NetOp PM system, perform the following steps:
1. View a subscriber account; see the View Subscriber Account and Active Session Information section on page 16-1.
2. On the Properties Panel toolbar, click Remove Subscriber Account. A confirmation dialog box appears.
3. Click Yes to remove the subscriber account. Removing a subscriber account also removes any historical information associated with that subscriber.

