Appendix A: SG-1Vendor-Specific Attributes

June 30, 2006

Hierarchical Attribute Mode

Most of the EDS attributes are operated in hierarchy mode. In this mode, each session includes per each attribute 3 hierarchy-operating level spaces. The first level space is the system default that is being configured, either by management or statically. The second is the user space that is initially being filled in the user authentication phase, and the third is the service space that is being re-filled on each user service change.

The user space level defines the session's “basic” configuration; whereas the service space level is “layered” above it upon a successful dynamic service change. In each level space, the system keeps a set of relevant configurations for that level. The “lifetime” of operation in a service level space is from a successful authentication of that service until a successful authentication of a new service. The “lifetime” of operation in a user level space is the entire period in which the user is authenticated for the session. The effective value of a hierarchy attribute is the most updated value in the highest level space (the highest level for which there is a value defined for the attribute).

USER GROUP

user:accounting sub-attribute

The user:accounting sub-attribute defines the session accounting operation mode and allows the operator to define per each user the accounting methodology. The attribute may be included more than once in request or accept messages. The following operation may be configured:

disable – some operations like symmetric multilink, VPN, or unbilled services do not need the accounting information sent to the RADIUS. This accounting operation mode disables the sending of the accounting information.

The user:accounting sub-attribute is sent as a response to service authentication. It configures the accounting behavior on the received respond. The service default behavior is not to send any accounting records unless the respond includes the enable accounting option.

Accounting information is sent as followed:

Authentication Response Type

Accounting Behavior

 

 

Session Authentication

Accounting Start and Stop are disabled

Access Accept message includes the

 

user:accounting=disable sub-attribute

 

 

 

Service Authentication

Accounting On and Off are disabled

Access Accept message does not include the

 

user:accounting sub-attribute

 

A-6

SG1-UM-8500-03

Page 164
Image 164
ADC SG-1 user manual User Group, Hierarchical Attribute Mode, Useraccounting sub-attribute