BQN Documentation

Radius Introduction

The BQN subscriber rate policies and the assignment of subscribers to subscriber rate policies can be performed via a RADIUS interface. To do this, of course, the BQN must have visibility of the subscriber IP addresses, i.e., there cannot be a NAT between the subscribers and the BQN because the rate limits will be applied per subscriber IP address. It is also important that the wires are connected in the right way (access ports connected on the side of the subscribers).

Currently, only IPv4 subscribers can be provisioned via RADIUS.

The integration is between the RADIUS clients or NAS (Network Access Servers, e.g., PPPoE servers) and the BQN management interface. The BQN acts as a RADIUS server for RADIUS Accounting (but not for RADIUS Authentication and Authorization, which must keep going to the RADIUS server in charge of Authentication and Authorization). Ideally, the BQN should receive just a copy of the RADIUS Accounting messages, which carry all the necessary information, while the rest of the RADIUS interactions with the original RADIUS server should remain unchanged. The BQN uses the management IP address (same as the GUI) to receive RADIUS messages on the standard RADIUS Accounting port (1813).

The RADIUS Accounting Start and Interim messages link a subscriber IP address with a subscriber rate policy. The subscriber IP address is received in the Framed-IP-Address field. There are two ways in which RADIUS can specify the subscriber rate policy:

  • Specifying the subscriber rate policy parameters (like the rate limit), where the RADIUS attribute provides the policy definition and the BQN creates a policy based on that information.
  • Specifying the subscriber rate policy name, where the RADIUS attribute contains the name of the policy to choose from the policies that are part of the BQN configuration.
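Because an Accounting message is what links a subscriber IP address to a rate policy, a receiver of these messages can check the Request Authenticator against the client's secret before reading Framed-IP-Address. The following is an added example, not BQN code: it follows RFC 2866, and the secret, IP address and packet are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 4, 8, 26  # RFC 2865/2866
MIKROTIK, RATE_LIMIT = 14988, 8         # vendor and attribute ID from this page

def authenticator(packet: bytes, secret: bytes) -> bytes:
    """RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()

def parse_accounting(packet: bytes, secret: bytes) -> dict:
    """Authenticate an Accounting-Request, then extract the subscriber fields."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if not hmac.compare_digest(packet[4:20], authenticator(packet, secret)):
        raise ValueError("bad authenticator: wrong secret or altered packet")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            found["subscriber_ip"] = str(ipaddress.IPv4Address(value))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (MIKROTIK, RATE_LIMIT) and 2 <= vlen <= len(value) - 4:
                found["rate_limit"] = value[6:4 + vlen].decode("ascii", "replace")
        pos += alen
    return found

def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_sample(secret: bytes) -> bytes:
    """Constructed Accounting-Request (Start) for the demo; not a real capture."""
    vsa = struct.pack("!I", MIKROTIK) + _attr(RATE_LIMIT, b"15M/20M 30M/40M 15M/20M 5/5")
    attrs = (_attr(40, struct.pack("!I", 1))                 # Acct-Status-Type = Start
             + _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.25").packed)
             + _attr(VENDOR_SPECIFIC, vsa))
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs))
    return head + authenticator(head + bytes(16) + attrs, secret) + attrs
```

A packet signed with a different secret, or altered after signing, is rejected before any attribute is read.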

The following parameters are supported. We list them in order of priority (parameters evaluated first will take precedence):

Priority 1: Mikrotik Rate-Limit (Vendor 14988, ID 8)
  Description: Contains the policy rate limits, including optional burst parameters:
    rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]
  Example: “15M/20M 30M/40M 15M/20M 5/5”

Priority 2: Ascend Data-Rate (Vendor 529, ID 197)
  Description: The first instance defines the downlink rate limit in Mbps. The second instance defines the uplink rate limit in Mbps. If there is only one instance, it specifies the downlink limit, unless Ascend-Xmit-Rate is present, in which case it will specify the uplink limit.
  Example: 50

Priority 3: Ascend Xmit-Rate (Vendor 529, ID 255)
  Description: The downlink rate limit in Mbps.
  Example: 100

Priority 4: Mikrotik Address-List (Vendor 14988, ID 19)
  Description: Defines the policy parameters if it meets the following format:
    [rate-limit][K|M|G] Uplink-[rate-limit][K|M|G] Downlink
  Example: “50M Uplink-50M Downlink”

Priority 5: CISCO sub-qos-policy (Vendor 9, ID 1)
  Description: Defines the rate limits with the following format:
    sub-qos-policy-out=[rate-limit][K|M|G] Downlink
    sub-qos-policy-in=[rate-limit][K|M|G] Uplink
  Examples: “sub-qos-policy-out=100M Downlink”, “sub-qos-policy-in=50M Uplink”

Priority 6: CISCO rate limits (Vendor 9, ID 37, 38)
  Description: Defines the rate limits with the following format:
    ID=37 (downlink rate limit): [rate-limit][K|M|G] Downlink.
    ID=38 (uplink rate limit): [rate-limit][K|M|G] Uplink.
  Examples: ID 37: “10M Downlink”, ID 38: “5M Uplink”

Priority 7: Mikrotik Address-List (Vendor 14988, ID 19)
  Description: If Mikrotik Address-List format does not match the format described in priority 4, its content will be interpreted as a policy name configured in the BQN.
  Example: “Gold_Users”

Priority 8: CISCO sub-qos-policy (Vendor 9, ID 37, 38)
  Description: If CISCO rate limits format does not match the format described in priority 5, its content will be interpreted as a policy name configured in the BQN. Both AVPs are combined in the following way:
    [qos-in AVP]-[qos-out AVP]
  and if an AVP is absent, it is replaced by a 'u'.
  Examples: “Plan_50-Plan_100”, “u-Plan_100”

Priority 9: CISCO rate limits (Vendor 9, ID 37, 38)
  Description: If CISCO rate limits format does not match the format described in priority 6, its content will be interpreted as a policy name configured in the BQN. Both AVPs are combined in the following way:
    [downlink AVP]-[uplink AVP]
  and if an AVP is absent, it is replaced by a 'u'.
  Examples: “Plan_50-Plan_100”, “Plan_50-u”

Priority 10: Class (Vendor n/a, ID 25)
  Description: Generic RADIUS parameter. A dynamic policy is created if Class contains the substring:
    Policy=[rate-limit][K|M|G] Uplink-[rate-limit][K|M|G] Downlink
  Example (dynamic policy): “Policy=5M Uplink-10M Downlink, other-param=foo”

Priority 11: Class (Vendor n/a, ID 25)
  Description: If Class content does not match the previous pattern, a reference to a configured policy is created with the substring following the = up to a comma:
    Policy=[policy.name],
  Otherwise, the parameter is ignored.
  Examples:
    “policy=mypolicy, other-param=foo”. Resulting policy name (configured in BQN): “mypolicy”
    “policy=anotherpolicy”. Resulting policy name (configured in BQN): “anotherpolicy”

Priority 12: Connect-Info (Vendor n/a, ID 77)
  Description: The speeds are specified as follows:
    [downlink-rate][K|M|G][/[uplink-rate][K|M|G]]
  If uplink-rate is absent, it will take the same value as downlink-rate. If units K, M, G are absent, the rate will be in bits per second (bps).
  Examples: 50000K/5000K, 5M, 5000000/5000000, 10M/5M

When more than one parameter is present, the policy will be managed according to the priority order. For example, if both Mikrotik-Rate-Limit and Ascend-Data-Rate are present, Mikrotik-Rate-Limit will take precedence. Also, if both Ascend-Data-Rate and Mikrotik-Address-List are in the RADIUS message, Mikrotik-Address-List will be ignored. In any case, it is possible to use any of those information elements, since the BQN can be configured to ignore the ones with more precedence, as can be seen in the following section.

If a RADIUS message contains none of the supported attributes, the subscriber rate policy previously assigned to the subscriber IP address in this RADIUS message, if any, will be removed and a new one will be chosen based on BQN configured subscriber rate policy rules.
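The priority order and the "ignore" switches can be sketched as follows. This is an added example, not BQN code, narrowed to the Mikrotik, Class and Connect-Info attributes (Ascend and CISCO are left out); the attribute-name keys, the case-insensitive "Policy=" match and the required unit letter are assumptions.

```python
import re

RATE = r"\d+[KMG]"   # assumption: a unit letter is required in these two formats
ADDRESS_LIST_RATES = re.compile(rf"({RATE}) Uplink-({RATE}) Downlink")
CLASS_RATES = re.compile(rf"Policy=({RATE}) Uplink-({RATE}) Downlink", re.I)
CLASS_NAME = re.compile(r"Policy=([^,]+)", re.I)   # assumption: key is case-insensitive
CONNECT_INFO = re.compile(r"(\d+[KMG]?)(?:/(\d+[KMG]?))?")

def resolve_policy(avps, ignored=frozenset()):
    """Return (source, kind, detail) for the first usable attribute, else None.

    avps maps attribute names to their string values; ignored holds the names
    of attributes switched off in the RADIUS configuration. For rate pairs the
    detail is (uplink, downlink).
    """
    def get(name):
        return None if name in ignored else avps.get(name)

    if (v := get("Mikrotik-Rate-Limit")):                       # priority 1
        return ("Mikrotik-Rate-Limit", "dynamic", v)
    if (v := get("Mikrotik-Address-List")):
        if (m := ADDRESS_LIST_RATES.fullmatch(v)):              # priority 4
            return ("Mikrotik-Address-List", "dynamic", (m[1], m[2]))
        # priority 7: anything else is the name of a configured policy
        return ("Mikrotik-Address-List", "configured", v.replace(" ", "_"))
    if (v := get("Class")):
        if (m := CLASS_RATES.search(v)):                        # priority 10
            return ("Class", "dynamic", (m[1], m[2]))
        if (m := CLASS_NAME.search(v)):                         # priority 11
            return ("Class", "configured", m[1].strip())
        # no Policy= substring: Class is ignored and evaluation continues
    if (v := get("Connect-Info")) and (m := CONNECT_INFO.fullmatch(v)):
        return ("Connect-Info", "dynamic", (m[2] or m[1], m[1]))  # priority 12
    return None   # no supported attribute: configured BQN rules decide
```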

To integrate the BQN with RADIUS, the steps are:

  1. Configure RADIUS in the BQN
  2. Configure the RADIUS clients
  3. Specific steps (whether RADIUS provides policy parameters or policy names).
  4. Check the state of policies and subscribers.

Configuration of RADIUS in the BQN

  1. To activate the RADIUS interface in the BQN, go to Configuration->RADIUS/REST/Billing->RADIUS and set the RADIUS switch to On.
  2. Add the IP addresses of each RADIUS client, along with its secret. In the BQN GUI, go to Configuration->RADIUS/REST/Billing->RADIUS and click on Add Client…

An optional description for each RADIUS client can be added (the description cannot contain spaces).

Configuration of the RADIUS clients


The goal is to configure the RADIUS client to send copies of RADIUS accounting messages to the BQN, as if the BQN server is a RADIUS server only for accounting. The following instructions are related to a Mikrotik PPPoE server, but similar steps can be followed for other vendors:

1. First, the existing RADIUS configuration should not be changed.

2. A new RADIUS server will be configured with the BQN as an Accounting backup server. To create a new RADIUS server, go to the RADIUS section and click on “Add New”. The following screen will be shown:

As it can be observed:

  • The service of the router/switch should be enabled (usually ppp).
  • In “Address” the IP address will be the BQN management IP address (you can see which one it is in BQN GUI Configuration->Interfaces->Management).
  • The field Accounting Backup must be selected (otherwise, the BQN would receive RADIUS Authentication and Authorization messages, which it does not support).
  • The accounting port is left in its default value (1813).
  • Optionally, a secret can be specified (if used, it must match the one configured in the BQN RADIUS configuration).
  • Optionally, a Comment can add a description of the RADIUS server (e.g., “BQN RADIUS”).

3. After creating the RADIUS server, the list should be as follows:

4. Make sure the service has RADIUS Interim Updates enabled and with a reasonable period (1-5 minutes). For example, for PPP, in option PPP->Secrets->PPP Authentication & Accounting.

The process must be repeated in all the nodes whose RADIUS is to be sent to the BQN.

Specific Steps when RADIUS Provides Policy Parameters

This requires basically no specific configuration. Just make sure that, in Configuration->RADIUS/REST/Billing->RADIUS, some of the RADIUS parameters that can describe the policy are enabled (for example, Mikrotik); all are enabled by default. Once the BQN starts receiving the RADIUS messages, it will assign each subscriber (for which a RADIUS message is received) a subscriber rate policy with the rate limits defined in the RADIUS message.

The name of the policy created dynamically is composed based on the AVP content, with the following format:


RA-rx-rate[/tx-rate]-[rx-burst-rate[/tx-burst-rate]-[rx-burst-threshold[/tx-burst-threshold]-[rx-burst-time[/tx-burst-time]]]]

where:

  • RA-: a prefix indicating that it is a policy created from RADIUS.
  • rx-rate: rate limit in uplink.
  • tx-rate: rate limit in downlink.
  • rx-burst-rate: burst rate in uplink.
  • tx-burst-rate: burst rate in downlink.
  • rx-burst-threshold: burst threshold in uplink (average speed not to be exceeded before granting a new burst).
  • tx-burst-threshold: burst threshold in downlink (average speed not to be exceeded before granting a new burst).
  • rx-burst-time: uplink burst duration, in seconds.
  • tx-burst-time: downlink burst duration, in seconds.

Rates and thresholds will include their units (K for Kbps, M for Mbps and G for Gbps).

Optionally, a percentage can be specified to scale the policy limits. One can keep limits in the BQN below those of the PPPoE servers, to enforce the plans in the BQN and have the PPPoE servers as backup and to limit local traffic that does not go through the BQN (for example, direct traffic between subscribers in the same access area). This parameter can also be set to a higher value (e.g. 200%) to enforce higher rate limits than the current NAS, so that rate policies are still assigned to subscribers but the rates remain controlled by the NAS. A Rate-Limit scaling higher than 100% can be considered when initially testing the RADIUS interface, or if you just want to get the rate information for each subscriber (maybe to use it to select an appropriate flow policy). The scaling percentage is defined in the field Rate-Limit Scaling % in Configuration->External Subscriber Data->Radius (by default, 100%, i.e., no scaling).

For example, with a percentage of 80%, a 125 Mbps limit in RADIUS will be converted to a 100 Mbps limit in the BQN (125*0.8).

The percentage is applied to all parameters of the subscriber rate policy (rate limit, burst speed and burst threshold).

And that’s all. You can now check policies in Status->Policies->Rate Policies and subscriber assigned policies in Status->Subscribers Attributes.

Mikrotik-Rate-Limit Field Format

For information purposes, the AVP field Mikrotik-Rate-Limit is described. The Mikrotik RADIUS client will automatically codify this field according to its configuration. The format is as follows:

rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]

where:

  • rx-rate: rate limit in uplink.
  • tx-rate: rate limit in downlink.
  • rx-burst-rate: burst rate in uplink.
  • tx-burst-rate: burst rate in downlink.
  • rx-burst-threshold: burst threshold in uplink (average speed not to be exceeded before granting a new burst).
  • tx-burst-threshold: burst threshold in downlink (average speed not to be exceeded before granting a new burst).
  • rx-burst-time: uplink burst duration, in seconds.
  • tx-burst-time: downlink burst duration, in seconds.
  • priority: ignored.
  • rx-rate-min: ignored.
  • tx-rate-min: ignored.

Speed can be given in Mbps (M) or Kbps (K). For example, a subscriber rate policy with a downlink limit of 20 Mbps, an uplink limit of 15 Mbps, burst of double the limit, thresholds equal to the limit and a burst duration of 5 seconds, would be:

15M/20M 30M/40M 15M/20M 5/5

If no burst is required, the values are set to zero:

15M/20M 0K/0K 0K/0K 0/0

And if the limits are symmetrical, it is enough to specify one of them (the other will take the same value). For example, a symmetrical 15 Mbps (in both downlink and uplink):

15M 0K 0K 0

The BQN dynamically creates a subscriber rate policy, if it does not exist yet, using the parameters in this field. A policy name in the BQN cannot have spaces, so spaces are replaced by an underscore (“_”). For example, the policy from RADIUS “20M/40M 0K/0K 0K/0K 0/0” will be converted to “20M/40M_0K/0K_0K/0K_0/0” in the BQN. The policy name is limited to 63 characters (if the limit is exceeded, the name will be truncated).
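The field format, the Rate-Limit Scaling % described earlier and the name conversion above can be worked through in code. This is an added example, not BQN or Mikrotik code: decimal units, a bare number meaning bps and integer rounding are assumptions, and the name follows the conversion example in the paragraph above (no prefix is added).

```python
import re

UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}   # assumption: decimal, bare = bps
FIELDS = ("rate", "burst_rate", "burst_threshold", "burst_time")

def _bps(token: str) -> int:
    match = re.fullmatch(r"(\d+)([KMG]?)", token, re.IGNORECASE)
    if not match:
        raise ValueError(f"bad rate {token!r}")
    return int(match.group(1)) * UNITS[match.group(2).upper()]

def parse_rate_limit(raw: str, scaling_pct: int = 100) -> dict:
    """Parse a Mikrotik-Rate-Limit string into uplink (rx) / downlink (tx) values.

    Rates are returned in bps after scaling; burst times stay in seconds.
    """
    groups = raw.split()
    if not 1 <= len(groups) <= 6:
        raise ValueError("expected 1 to 6 space-separated groups")
    policy = {}
    for name, group in zip(FIELDS, groups):    # priority and rate-min are ignored
        rx, _, tx = group.partition("/")
        tx = tx or rx                           # symmetrical: one value covers both
        if name == "burst_time":                # seconds are never scaled
            if not (rx.isdigit() and tx.isdigit()):
                raise ValueError(f"bad burst time {group!r}")
            policy[name] = {"uplink": int(rx), "downlink": int(tx)}
        else:                                   # rate, burst rate, burst threshold
            policy[name] = {"uplink": _bps(rx) * scaling_pct // 100,
                            "downlink": _bps(tx) * scaling_pct // 100}
    return policy

def policy_name(raw: str) -> str:
    """Spaces become underscores; the result is truncated to 63 characters."""
    return raw.strip().replace(" ", "_")[:63]
```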

Specific Steps when RADIUS Provides Policy Names


The subscriber rate policies are configured in the BQN and the RADIUS interface provides the name of the policy to apply. The policy name can be specified in AVP Mikrotik-Address-List.

To make the BQN take this AVP, disable the AVPs of higher priority (not necessary if the Mikrotik or Ascend Rate-Limit parameters do not exist):

The name of the policy configured in the BQN is based on the AVP content, with spaces replaced by underscores (“_”). Those are the names that should be used when configuring the policies in the BQN:

  • With Mikrotik-Address-List: the AVP content. Example: “GOLD_PLAN”
  • With CISCO sub-qos-policy-out/in: the sub-qos-policy-out value + ‘-‘ + sub-qos-policy-out value. Example: “PPPoE_100Mbps_Downlink-PPPoE_50Mbps_Uplink”

The policies specified by RADIUS for each subscriber may already be configured in the BQN, in which case they will just be assigned. However, certain policy names specified in RADIUS may not exist in the BQN yet. Status->Policies->Rate Policies lists the names of the policies. Those used in RADIUS assignments but not configured are marked as “undefined” in the TYPE column.

The SUBS-PROVISIONED counter indicates how many subscribers are assigned to each policy. For example, policy “radius-static-4” has 10 subscribers assigned. SUBS-ACTIVE indicates how many subscribers with traffic are present at the moment (0 in the example).

In Status->Subscribers->Subscriber Attributes, subscribers associated with an undefined policy are marked in red in the RATE-POLICY column.

Clicking on the undefined policy name goes to a page to configure it, with the right name already filled in.

The process is repeated for each subscriber rate policy pending configuration.

As RADIUS assignments are received, the “SUBS-PROVISIONED” counter grows and, as subscriber traffic is received, the “SUBS-ACTIVE” counter will increase.

To go to the list of subscribers associated to a subscriber rate policy via RADIUS, go to Status->Subscribers->Subscriber Attributes.

Enable/Disable ACM Optimization

ACM is enabled by default for all RADIUS dynamic policies. To enable or disable ACM, change the “Automatic Congestion Management” field in the configuration of the RADIUS/REST/Billing->RADIUS:

Subscriber ID

Go to Configuration->RADIUS. The following RADIUS parameters can be mapped to BQN subscriber ID:

  • Username
  • Calling-Station-ID
