Cisco Cisco ASR 5500
• Routing Algorithm: Dictate the method for selecting among configured servers. The specified algorithm
dictates how the system distributes AAA messages across the configured AAA servers for new sessions.
Once a session is established and an AAA server has been selected, all subsequent AAA messages for
the session will be delivered to the same server.
Once a session is established and an AAA server has been selected, all subsequent AAA messages for
the session will be delivered to the same server.
In the event that a single server becomes unreachable, the system attempts to communicate with the other
servers that are configured. The system also provides configurable parameters that specify how it should
behave should all of the RADIUS AAA servers become unreachable.
servers that are configured. The system also provides configurable parameters that specify how it should
behave should all of the RADIUS AAA servers become unreachable.
The system provides an additional level of flexibility by supporting the configuration RADIUS server groups.
This functionality allows operators to differentiate AAA services based on the subscriber template used to
facilitate their PDP context.
This functionality allows operators to differentiate AAA services based on the subscriber template used to
facilitate their PDP context.
In general, 128 AAA Server IP address/port per context can be configured on the system and it selects servers
from this list depending on the server selection algorithm (round robin, first server). Instead of having a single
list of servers per context, this feature provides the ability to configure multiple server groups. Each server
group, in turn, consists of a list of servers.
from this list depending on the server selection algorithm (round robin, first server). Instead of having a single
list of servers per context, this feature provides the ability to configure multiple server groups. Each server
group, in turn, consists of a list of servers.
This feature works in following way:
• All RADIUS authentication/accounting servers configured at the context-level are treated as part of a
server group named "default". This default server group is available to all subscribers in that context
through the realm (domain) without any configuration.
through the realm (domain) without any configuration.
• It provides a facility to create "user defined" RADIUS server groups, as many as 399 (excluding "default"
server group), within a context. Any of the user defined RADIUS server groups are available for
assignment to a subscriber through the subscriber configuration within that context.
assignment to a subscriber through the subscriber configuration within that context.
Since the configuration of the subscriber can specify the RADIUS server group to use as well as IP address
pools from which to assign addresses, the system implements a mechanism to support some in-band RADIUS
server implementations (i.e. RADIUS servers which are located in the corporate network, and not in the
operator's network) where the NAS-IP address is part of the subscriber pool. In these scenarios, the PDSN
supports the configuration of the first IP address of the subscriber pool for use as the RADIUS NAS-IP address.
pools from which to assign addresses, the system implements a mechanism to support some in-band RADIUS
server implementations (i.e. RADIUS servers which are located in the corporate network, and not in the
operator's network) where the NAS-IP address is part of the subscriber pool. In these scenarios, the PDSN
supports the configuration of the first IP address of the subscriber pool for use as the RADIUS NAS-IP address.
In 12.3 and earlier releases, refer to the AAA and GTPP Interface Administration and Reference for more
information on RADIUS AAA configuration. In 14.0 and later releases, refer to the AAA Interface
Administration and Reference.
information on RADIUS AAA configuration. In 14.0 and later releases, refer to the AAA Interface
Administration and Reference.
Important
Access Control List Support
Access Control Lists provide a mechanism for controlling (i.e permitting, denying, redirecting, etc.) packets
in and out of the system.
in and out of the system.
IP access lists, or Access Control Lists (ACLs) as they are commonly referred to, are used to control the flow
of packets into and out of the system. They are configured on a per-context basis and consist of "rules" (ACL
rules) or filters that control the action taken on packets that match the filter criteria. Once configured, an ACL
can be applied to any of the following:
of packets into and out of the system. They are configured on a per-context basis and consist of "rules" (ACL
rules) or filters that control the action taken on packets that match the filter criteria. Once configured, an ACL
can be applied to any of the following:
• An individual interface
• All traffic facilitated by a context (known as a policy ACL)
• An individual subscriber
PDSN Administration Guide, StarOS Release 19
4
CDMA2000 Wireless Data Services
Access Control List Support