Subscriber Service Profiles
Service Profiles define low-level parameters for a subscriber account configuration. They act as a bridge between the parameters configured in the Subscriber Profile and the RADIUS attributes required by the RADIUS client (based on its Client Profile).
Subscriber Session Context
As you know, a subscriber must be associated with a service. The service does not define unique constraints for the user. It only details how to transform those constraints into RADIUS attributes sent to each RADIUS client. Different vendors have different functionality, and therefore the attributes must be uniquely defined for each vendor.
Users belong to a specific Subscriber Session Context. This context will change over the lifecycle of the user's session. The context a user belongs to dictates which state their current session is in.
Subscriber Sessions are located under Subscriber Management > Sessions.
It is important to understand the Subscriber Session Context. An explanation of the different contexts a user could belong to can be found in the table below.
Context | Description |
---|---|
activate-login | Session is fully activated. |
deactivate-login | Session is suspended but still connected. |
activate-coa | Session was activated by a COA packet. |
deactivate-coa | Session was suspended, but left connected, by a COA packet. |
Please refer to Radius Flow to see how these profiles are used during the life cycle of a session.
Creating a Service Profile
A new Service Profile can be created by navigating to Subscriber Management > Service Profiles and selecting the New button found at the bottom of the table on this page.
Name - Unique Service Profile name. (example: Broadband PPPOE)
Dynamic IP Pool - Define a default pool of IP addresses to assign to subscribers authenticating using this service.
Deactivate IP Pool - When a subscriber is marked suspended for any reason, they are allocated an IP address from this pool. If not assigned, it falls back to the Dynamic IP Pool.
Authentication - Type of Authentication for Service. (default: username+password)
Service Authentication
Authentication | Description |
---|---|
username+password | Username, password and calling-station-id (if specified on the subscriber assigned to this service) should match. |
username | Only the username and calling-station-id (if specified on the subscriber assigned to this service) should match, ignoring the password. |
Service Profile RADIUS Attributes
Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorisation, and accounting (AAA) communication parameters. The data between a RADIUS server and a RADIUS client is exchanged in RADIUS packets containing attributes.
The client, a NAS for example, will send a specific set of attributes such as user-name and user-password to the RADIUS server in an access-request packet. The RADIUS server must reply with either an access-accept or access-reject packet towards the NAS. The user will be permitted to connect when the NAS receives the access-accept packet. The attributes in the access-accept packet define how the NAS should configure the new user session. This includes, for example, constraints such as bandwidth limitations, class-of-service and more.
It's important to understand that not all RADIUS clients use the same attributes, and all vendors have different sets of supported features implemented differently. However, some generic / IETF RFC attributes, such as Framed-IP-Address, work on almost all major vendor equipment. (Framed-IP-Address is used to define a static IP address, for example.)
In Subscriber Management, you assign each Subscriber (user account) a Service Profile and a Subscriber Profile. When we receive an access-request from a defined RADIUS client, we will identify its client profile as configured on the client. For more information on creating a Client Profile, refer to the Creating a new Client Profile section of the Virtual Server documentation. If we can locate the subscriber account, authentication will be performed and then, based on the service profile defined on the subscriber account, we will respond with the attributes defined on the service profile.
The attributes have predefined variables that can be used for their values and are populated by the values configured on the subscriber's profile. For example, the upload and download bandwidth is specified on the subscriber profile, and the value of an attribute configured in the service can refer to either or both of the variables that contain the upload and download speed.
Services essentially define how a customer service is provisioned using RADIUS attributes on a specific client based on its client profile. Examples of services are: Mobile 5G/LTE, Broadband IPOE, Broadband PPPOE and WIFI Hotspot.
There are different sets of RADIUS attributes for different purposes and contexts. These contexts also relate to the Subscriber Session Context mentioned earlier on this page. We define these attributes on the services.
Context Attributes define attributes only specific to a subscriber's context. Other Attributes are for managing or defining custom attributes used within the scope of all contexts.
The context attributes are used as per the table below:
Packet | Subscriber Status | Context Attributes |
---|---|---|
access-accept | Active | activate-login |
access-accept | Suspended | deactivate-login, only if attributes are defined |
access-reject | Suspended | If no attributes are defined for deactivate-login |
disconnect-request | Suspended or Activated | If no attributes are defined for deactivate-coa or activate-coa (uses default values), or if any values are defined for the deactivate-pod context. |
coa-request | Activated | activate-coa |
coa-request | Suspended | deactivate-coa |
Radius Attribute Variables
Attribute values can contain references to variables, referred to here as placeholders. The available variables differ based on the context they are used in.
The double curly brackets {{ }} indicate that whatever is inside them is a placeholder that should have a value assigned to it.
However, if the value of any placeholder used in an attribute is NULL, we will simply not set the attribute, and it will therefore not be sent to the client.
List of Variables implemented for activate-login and deactivate-login:
Variable/PlaceHolder | Value |
---|---|
{{ user-name }} | Subscriber Username. |
{{ upload }} | Exact Upload Speed (Mbit/s) value assigned by Subscriber Profile. |
{{ upload_megabits }} | Same as {{ upload }}. |
{{ upload_kilobits }} | Upload Mbit/s / 1000 and rounded to number. |
{{ upload_bits }} | Upload Mbit/s / 1000 / 1000 and rounded to number. |
{{ download }} | Exact Download Speed (Mbit/s) value assigned by Subscriber Profile. |
{{ download_megabits }} | Same as {{ download }}. |
{{ download_kilobits }} | Download Mbit/s / 1000 and rounded to number. |
{{ download_bits }} | Download Mbit/s / 1000 / 1000 and rounded to number. |
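The placeholder rule and the access-request rows of the context table above, worked through as an added example (not the product's own code). The attribute name example-rate-limit, the sample service and subscriber, and the treatment of an undefined variable as NULL are assumptions made for illustration.

```python
import re

# Matches {{ name }} placeholders; names may contain hyphens or underscores.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_-]+)\s*\}\}")

def render_attributes(templates, variables):
    """Render (attribute, template) pairs; return (sent, dropped)."""
    sent, dropped = [], []
    for name, template in templates:
        needed = PLACEHOLDER.findall(template)
        # Page rule: one NULL placeholder means the attribute is not sent.
        # Assumption: a variable missing from the dict counts as NULL.
        if any(variables.get(key) is None for key in needed):
            dropped.append(name)
            continue
        value = PLACEHOLDER.sub(lambda m: str(variables[m.group(1)]), template)
        sent.append((name, value))
    return sent, dropped

def access_reply(status, service, variables):
    """Choose packet and context for an access-request, per the table."""
    if status == "Active":
        context = "activate-login"
    elif status == "Suspended":
        # No deactivate-login attributes defined: reject instead of accept.
        if not service.get("deactivate-login"):
            return "access-reject", None, [], []
        context = "deactivate-login"
    else:
        raise ValueError(f"unknown subscriber status: {status!r}")
    sent, dropped = render_attributes(service.get(context, []), variables)
    return "access-accept", context, sent, dropped

# Constructed sample data. "example-rate-limit" is a hypothetical attribute.
SERVICE = {
    "activate-login": [
        ("framed-ip-address", "{{ ip_address }}"),
        ("example-rate-limit", "{{ upload }}M/{{ download }}M"),
    ],
    "deactivate-login": [("example-rate-limit", "1M/1M")],
}
SUBSCRIBER = {"user-name": "alice", "upload": 10, "download": 50,
              "ip_address": None}  # no static IP assigned

if __name__ == "__main__":
    for status in ("Active", "Suspended"):
        print(status, access_reply(status, SERVICE, SUBSCRIBER))
```

The dropped list is worth logging when reviewing a service profile: an attribute whose placeholder is NULL never reaches the client, so a missing bandwidth value on the subscriber profile silently removes the corresponding attribute from the reply.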
List of Variables implemented for disconnect-request or coa-request:
Variable/PlaceHolder | Value |
---|---|
{{ acct-session-id }} | Unique Accounting ID assigned by RADIUS client in accounting-request packet. |
{{ user-name }} | User-Name as per RADIUS client in accounting-request. |
{{ nas-ip-address }} | NAS-IP-Address as per RADIUS client in accounting-request. |
{{ framed-ip-address }} | Framed-IP-Address as per RADIUS client in accounting-request. |
{{ calling-station-id }} | Calling-Station-ID as per RADIUS client in accounting-request. |
{{ called-station-id }} | Called-Station-ID as per RADIUS client in accounting-request. |
List of Variables implemented for other attributes:
Variable/PlaceHolder | Value |
---|---|
{{ ip_address }} | Static IPV4 / IPV6 Address. |
{{ ip_prefix }} | IPV4 or IPV6 prefix. |
{{ metric1 }} | Metric 1 applied to IP Prefix. |
{{ metric2 }} | Metric 2 applied to IP Prefix. |
{{ metric3 }} | Metric 3 applied to IP Prefix. |
The default attributes used for activate-login:
Attribute | Tag | Value |
---|---|---|
framed-ip-address | None | {{ ip_address }} |
framed-ipv6-address | None | {{ ip_address }} |
framed-route | None | {{ ip_prefix }} |
framed-ipv6-route | None | {{ ip_prefix }} |
The default attributes used for deactivate-pod:
Attribute | Tag | Value |
---|---|---|
acct-session-id | None | {{ acct-session-id }} |
user-name | None | {{ user-name }} |
nas-ip-address | None | {{ nas-ip-address }} |
Example of Attributes Configured
The following example is taken from a customer using Juniper BNG MX-Series routers.