Subscriber Virtual Servers

AAA Servers are virtualised and run on multiple physical hosts for redundancy and scalability, ensuring a secure and uninterrupted service.

  • Subscribers are associated with Virtual Servers.

  • Proxy servers connect RADIUS clients (NAS/BNG) to Virtual Servers.

Proxy Instances and Virtual Servers

An example of the network topology.

/static/radius-proxy.png

A proxy server, whether on a physical host, virtual machine, remote, on-premises, or within the NebularStack distributed cloud, is a crucial component of your authentication, authorisation, and accounting service. One proxy can run multiple proxy instances, each connecting to a different Virtual AAA instance.

The proxy serves as a bridge between NebularStack backend systems and your RADIUS client (NAS/BNG) nodes.

By default, we assign 3 proxy instances per virtual server.

Virtual Servers are located at Subscriber Management > Virtual Servers.

/static/subscriber/virtual-servers.png

When a Virtual Server is running and Proxy Instances have been assigned, information about the Proxy Instances can be viewed for the Virtual Server in question. This information is located at Subscriber Management > Virtual Servers > {server} > Instances.

/static/subscriber/virtual-assigned-proxies.png

The Instances button can be found at the top of the dialog after selecting a Virtual Server.

For redundancy, configure your RADIUS clients to communicate with all the proxy instances, on the IP addresses and port numbers provided for authentication and accounting. It is best practice to use port 1812 for authentication, 1813 for accounting, and 3799 for COA.

Creating a new Client Profile

Before you can add clients you must define client profiles. Client profiles are used to identify RADIUS client types; examples are Cisco, Juniper, H3C, Huawei, Mikrotik, etc. Attributes per service are assigned to client profiles, and RADIUS clients are assigned to these profiles. Based on the specific service assigned to the subscriber, we can then identify which attributes are for which RADIUS client.

A new NAS profile can be created by navigating to Subscriber Management > Virtual Servers > Client Profiles and selecting the Add button at the bottom of the open dialog.

Virtual Server Client

Each client must be assigned a Client Profile. There are two types of clients:

  • PROXY - For an external RADIUS proxy.

  • NAS - An actual RADIUS client.

The Client Profile for a 'proxy' client type is a default value assigned to all network access servers (NAS) behind the proxy if not explicitly configured. You can still add your network access servers as clients with a defined Client Profile even when they are behind an external proxy.

To add a new Virtual Server Client, navigate to Subscriber Management > Virtual Servers > {server} > Edit > Add Client.

/static/subscriber/add-client.png

  • Name - The name of the client must be unique and is only used to identify the client.

  • Tags - You can tag the client. Other features, such as telemetry, can use tags.

  • Client Profile - Used to associate attributes in services with the clients.

  • Secret - Shared between the client and our RADIUS platform and used to authenticate the client.

  • Reachable IP address of the client.

  • The Change of Authorisation / COA port of the client, typically 3799 or 1700. It is used for both COA and POD packets.

  • Dynamic IP Pool - Define a default pool of IP addresses to assign to subscribers authenticating from this client.

  • Deactivate IP Pool - If not assigned, it falls back to the Dynamic IP Pool. When a subscriber is marked suspended for any reason, they will be allocated an IP address from this pool.