ADC

RADIUS support for responder

The NetScaler expressions language contains expressions that can extract information from and manipulate RADIUS requests. These expressions enable you to use the Responder feature to respond to RADIUS requests. Your responder policies and actions can use any expression that is appropriate or relevant to a RADIUS request. The available expressions enable you to identify the RADIUS message type, extract any attribute-value pair (AVP) from the connection, and send different responses on the basis of that information. You can also create policy labels that invoke all responder policies for RADIUS connections.

You can use RADIUS expressions to construct simple responses that do not require communication with the RADIUS server to which the request was sent. When a responder policy matches a connection, the NetScaler constructs and sends the appropriate RADIUS response without contacting the RADIUS authentication server. For example, if the source IP address of a RADIUS request is from a subnet that is specified in the responder policy, the NetScaler can reply to that request with an access-reject message, or can simply drop the request.

You can also create policy labels to route specific types of RADIUS requests through a series of policies that are appropriate to those requests.

Note: The current RADIUS expressions do not work with RADIUS IPv6 attributes.

The NetScaler documentation for expressions that support RADIUS assumes familiarity with the basic structure and purpose of RADIUS communications. If you need more information about RADIUS, see your RADIUS server documentation or search online for an introduction to the RADIUS protocol.

Configuring Responder Policies for RADIUS

The following procedure uses the NetScaler command line to configure a responder action and policy, and bind the policy to a RADIUS-specific global bind point.

To configure a Responder action and policy, and bind the policy:

At the command prompt, type the following commands:

  • add responder action <actName> <actType>
  • add responder policy <polName> <rule> <actName>
  • bind responder policy <polName> <priority> <nextExpr> -type <bindPoint> where <bindPoint> represents one of the RADIUS-specific global bind points.

RADIUS Expressions for Responder

In a responder configuration, you can use the following NetScaler expressions to refer to various portions of a RADIUS request.

Identifying the Type of Connection:

  • RADIUS.IS_CLIENT. Returns TRUE if the connection is a RADIUS client (request) message.

  • RADIUS.IS_SERVER. Returns TRUE if the connection is a RADIUS server (response) message.

Request Expressions:

  • RADIUS.REQ.CODE. Returns the number that corresponds to the RADIUS request type. A derivative of the num_at class. For example, a RADIUS access request would return 1 (one). A RADIUS accounting request would return 4.
  • RADIUS.REQ.LENGTH. Returns the length of the RADIUS request, including the header. A derivative of the num_at class.
  • RADIUS.REQ.IDENTIFIER. Returns the RADIUS request identifier, a number assigned to each request that allows the request to be matched to the corresponding response. A derivative of the num_at class.
  • RADIUS.REQ.AVP(<AVP Code No>).VALUE. Returns the value of first occurrence of this AVP as a string of type text_t.
  • RADIUS.REQ.AVP(<AVP code no>).INSTANCE(instance number). Returns the specified instance of the AVP as a string of type RAVP_t. A specific RADIUS AVP can occur multiple times in a RADIUS message. INSTANCE (0) returns the first instance, INSTANCE (1) returns second instance, and so on, up to sixteen instances.
  • RADIUS.REQ.AVP(<AVP code no>).VALUE(instance number). Returns the value of specified instance of the AVP as a string of type text_t.
  • RADIUS.REQ.AVP(<AVP code no>).COUNT. Returns the number of instances of a specific AVP in a RADIUS connection, as an integer.
  • RADIUS.REQ.AVP(<AVP code no>).EXISTS. Returns TRUE if the specified type of AVP exists in the message, or FALSE if it does not.

Response Expressions:

RADIUS response expressions are identical to RADIUS request expressions, except that RES replaces REQ.

Typecasts of AVP Values:

The ADC supports expressions to typecast RADIUS AVP values to the text, integer, unsigned integer, long, unsigned long, ipv4 address, ipv6 address, ipv6 prefix and time data types. The syntax is the same as for other NetScaler typecast expressions.

Example:

The ADC supports expressions to typecast RADIUS AVP values to the text, integer, unsigned integer, long, unsigned long, ipv4 address, ipv6 address, ipv6 prefix and time data types. The syntax is the same as for other NetScaler typecast expressions.

RADIUS.REQ.AVP(8).VALUE(0).typecast_ip_address_at
<!--NeedCopy-->

AVP Type Expressions:

The NetScaler supports expressions to extract RADIUS AVP values by using the assigned integer codes described in RFC2865 and RFC2866. You can also use text aliases to accomplish the same task. Some examples follow.

  • RADIUS.REQ.AVP (1).VALUE or RADIUS.REQ.USERNAME.value. Extracts the RADIUS user-name value.
  • RADIUS.REQ.AVP (4). VALUE or RADIUS.REQ. ACCT_SESSION_ID.value. Extracts the Acct-Session-ID AVP (code 44) from the message.
  • RADIUS.REQ.AVP (26). VALUE or RADIUS.REQ.VENDOR_SPECIFIC.VALUE. Extracts the vendor-specific value.

The values of most commonly-used RADIUS AVPs can be extracted in the same manner.

RADIUS Bind Points:

Four global bind points are available for policies that contain RADIUS expressions.

  • RADIUS_REQ_OVERRIDE. Priority/override request policy queue.
  • RADIUS_REQ_DEFAULT. Standard request policy queue.
  • RADIUS_RES_OVERRIDE. Priority/override response policy queue.
  • RADIUS_RES_DEFAULT. Standard response policy queue.

RADIUS Responder-Specific Expressions:

  • RADIUS_RESPONDWITH. Respond with the specified RADIUS response. The response is created with NetScaler expressions, both RADIUS expressions and any others that are applicable.
  • RADIUS.NEW_ANSWER. Sends a new RADIUS answer to the user.
  • RADIUS.NEW_ACCESSREJECT. Rejects the RADIUS request.
  • RADIUS.NEW_AVP. Adds the specified new AVP to the response.

Use Cases

Following are use cases for RADIUS with responder.

Blocking RADIUS Requests from a Specific Network

To configure the responder feature to block authentication requests from a specific network, begin by creating a responder action that rejects requests. Use the action in a policy that selects requests from the networks that you want to block. Bind the responder policy to a RADIUS-specific global bind point, specifying:

  • The priority
  • END as the nextExpr value, to ensure that policy evaluation stops when this policy is matched
  • RADIUS_REQ_OVERRIDE as the queue to which you assign the policy, so that it is evaluated before policies assigned to the default queue

To configure Responder to block logons from a specific network**

  • add responder action <actName> <actType>
  • add responder policy <polName> <rule> <actName>
  • bind responder global <polName> <priority> <nextExpr> -type <bindPoint>

Example:

> add responder action rspActRadiusReject respondwith radius.new_accessreject
Done

> add responder policy rspPolRadiusReject client.ip.src.in_subnet(10.224.85.0/24) rspActRadiusReject
Done

> bind responder global rspPolRadiusReject 1 END -type RADIUS_REQ_OVERRIDE
<!--NeedCopy-->
RADIUS support for responder