Subscriber Service Profiles

Service Profiles defines low-level parameters for a subscriber account configuration. Acting as a bridge for the parameters configured in the Subscriber Profile and the RADIUS Attributes that are required by the RADIUS Client (based on its Client Profile).

Subscriber Session Context

As you know, a subscriber must be associated with the service. The service does not define unique constraints for the user. It only details how to transform those constraints into radius attributes sent to each radius client. Different vendors have different functionality and therefore, the attributes must be uniquely defined for each vendor.

Users belong to a specific Subscriber Session Context. This context will change over the lifecycle of the user's session. The context a user belongs to dictates which state their current session is in.

Subscriber Sessions are located under Subscriber Management > Sessions.

It is important to understand the Subscriber Session Context. An explanation of the different contexts a user could belong to can be found in the table below.

Context

Description

activate-login

Session is fully activated.

deactivate-login

Session is suspended however connected.

activate-coa

Session was activated by a COA packet.

deactivate-coa

Session was suspended but connected by COA packet.

Please refer to Radius Flow to see how these profiles are used during the life cycle of a session.

Creating a Service Profile

A new Service Profile can be created by navigating to Subscriber Management > Service Profiles and selecting the New button found at the bottom of the table on this page.

/static/subscriber/new_service.png
  • Name - Unique Service Profile name. (example: Broadband PPPOE)

  • Dynamic IP Pool - Define a default pool of IP addresses to assign to subscribers authenticating using this service.

  • Deactivate IP Pool - If not assigned, it falls to the Dynamic IP Pool. When a subscriber is marked suspended for any reason, he will be allocated an IP address from the pool.

  • Authentication - Type of Authentication for Service. (default: username+password)

Service Authentication

username+password

Username, password and calling-station-id if specified on the subscriber assigned to this service should match.

username

Only the username and calling-station-id if specified on the subscriber assigned to this service should match, ignoring the password.

Service Profile RADIUS Attributes

Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorisation, and accounting (AAA) communication parameters. The data between a RADIUS server and a RADIUS client is exchanged in RADIUS packets containing attributes.

The client being a NAS, for example, will send a specific set of attributes such as user-name and user-password to the RADIUS Server in an access-request packet. The Radius server must reply with either an access-accept or access-reject packet towards the NAS. The user will be permitted to connect when the NAS receives the access-accept packet. The attributes in the access-packet define how the NAS should configure the new user session. This includes, for example, constraints such as bandwidth limitations, class-of-service and more.

It's important to understand that not all Radius clients use the same attributes, and all vendors have different sets of supported features implemented differently. However, some generic / IETF RFC attributes, such as Framed-IP-Address, work on almost all major vendor equipment. (Framed-IP-Address is used to define a static IP address, for example)

On our Subscriber Management, you assign a Subscriber (user account), a Service Profile, and a Subscriber Profile. When we receive an access-request from a defined RADIUS client, we will identify its client profile as configured on the client. For more information on creating a Client Profile, refer to the Creating a new Client Profile section of the Virtual Server documentation. If we can locate the subscriber account, authentication will be performed and then, based on the service profile defined on the subscriber account, we will respond with the attributes defined on the service profile.

The attributes have predefined variables that can be used for their values and are populated by the values configured on the subscribers profile. For example, the Upload and Download bandwidth is specified on the subscriber profile and the value of an attribute configured in the service can refer to either or both variables that contain the upload and download speed.

Services essentially define how customer service is provisioned using Radius Attributes on a specific client based on its client profile. Examples of services are: Mobile 5G/LTE, Broadband IPOE, Broadband PPPOE and WIFI Hotspot.

There are different sets of Radius Attributes for different purposes and contexts. These contexts also relate to the Subscriber session context mentioned earlier on this page. We define these attributes on the services.

/static/subscriber/view_service.png

Context Attributes define attributes only specific to a subscriber's context. Other Attributes are for managing or defining custom attributes used within the scope of all contexts.

/static/subscriber/context_attrs.png

The context attributes are used as per table:

Packet

Subscriber Status

Context Attributes

access-accept

Active

activate-login

access-accept

Suspended

deactivate-login only if attributes defined

access-reject

Suspended

if no attributes defined for decactivate-login

disconnect-request

Suspended or Activated

if no attributes defined for deactivate-coa or activate-coa uses default values or if any values defined for deactivate-pod context.

coa-request

Activated

activate-coa

coa-request

Suspended

deactivate-coa

Radius Attribute Variables

Values can contain references to variables known as placeholders here. These variables are different based on the context they are used in.

The double curly brackets {{ }} tell that whatever's inside them is a placeholder that should have a value assigned to it.

However, if any of the values are NULL for any of the placeholders used, we will simply not set the attribute and thus not be sending it to the client.

List of Variables implemented for active-login and deactivate-login:

Variable/PlaceHolder

Value

{{ user-name }} | Subscriber Username.

{{ upload }}

Exact Upload Speed (Mbit/s) value assigned by Subscriber Profile.

{{ upload_megabits }}

Same as {{ upload }}.

{{ upload_kilobits }}

Upload Mbit/s / 1000 and rounded to number.

{{ upload_bits }}

Upload Mbit/s / 1000 / 1000 and rounded to number.

{{ download }}

Exact Download Speed (Mbit/s) value assigned by Subscriber Profile.

{{ download_megabits }}

Same as {{ download }}.

{{ download_kilobits }}

Download Mbit/s / 1000 and rounded to number.

{{ download_bits }}

Download Mbit/s / 1000 / 1000 and rounded to number.

List of Variables implemented for disconnect-request or coa-request:

Variable/PlaceHolder

Value

{{ acct-session-id }}

Unique Accounting ID assigned by RADIUS client in accounting-request packet.

{{ user-name }}

User-Name as per RADIUS client in accounting-request.

{{ nas-ip-address }}

NAS-IP-Address as per RADIUS client in accounting-request.

{{ framed-ip-address }}

Framed-IP-Address as per RADIUS client in accounting-request.

{{ calling-station-id }}

Calling-Station-ID as per RADIUS client in accounting-request.

{{ called-station-id }}

Called-Station-ID as per RADIUS client in accounting-request.

List of Variables implemented for other attributes:

Variable/PlaceHolder

Value

{{ ip_address }}

Static IPV4 / IPV6 Address.

{{ ip_prefix }}

IPV4 or IPV6 prefix.

{{ metric1 }}

Metric 1 applied to IP Prefix.

{{ metric2 }}

Metric 2 applied to IP Prefix.

{{ metric3 }}

Metric 3 applied to IP Prefix.

The default attributes used for activate-login.

Attribute

Tag

Value

framed-ip-address

None

{{ ip-address }}

framed-ipv6-address

None

{{ ip_address }}

framed-route

None

{{ ip_prefix }}

framed-ipv6-route

None

{{ ip_prefix }}

The default attributes used for deactivate-pod.

Attribute

Tag

Value

acct-session-id

None

{{ acct-session-id }}

user-name

None

{{ user-name }}

nas-ip-address

None

{{ nas-ip-address }}

Example of Attributes Configured

The following example is taken from a customer using Juniper BNG MX-Series routers.

/static/subscriber/example_attrs.png