Amigopod Implementing Accounting-Based Authorization
Copyright © 2011 Aruba Networks, Inc. Aruba Networks trademarks include Airwave, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.
Table of Contents
1 Introduction
Audience
Document Overview
Disclaimer
1 Introduction
This technical note explains how to use accounting-based authorization to build a complete portal for a network service that offers free usage to guests, where guests are restricted to a certain daily quota of traffic. The completed portal includes:
• A login page where guests can log in with their username and password.
• A terms of use page describing the conditions under which the guest service is provided.
The next section contains a detailed configuration guide for creating the portal. Step-by-step instructions are provided for creating each page, and for performing all necessary configuration tasks.
2 About Accounting-Based Authorization
This section provides background information explaining the concepts of authorization and accounting, and how these can interact to provide a restricted network service to guests.
Authentication, Authorization and Accounting
The Amigopod Visitor Management Appliance is built on the industry standard AAA framework, which consists of authentication, authorization and accounting components.
In the standard AAA framework, network access is provided to a user according to the following process:
• The user connects to the network by associating with a local access point [1].
• A landing page is displayed to the user [2] which allows them to log into the NAS [3], [4] using the login name and password of their guest account.
• The NAS authenticates the user with the RADIUS protocol [5].
[Diagram 2: Sequence diagram of the web login flow between the Guest, the NAS and the Amigopod VMA. Session states: Unauthorized, Authenticating, Authorized. Traffic less than limit: the guest completes and submits the login form, the NAS sends an Access-Request, authentication and authorization [1] succeed and an Access-Accept [2] is returned; the login message page performs the automated NAS login and the guest becomes Authorized. Traffic over limit: the Access-Request fails authorization [3], an Access-Reject [4] is returned and the guest is returned to the login form, remaining Unauthorized.]
There are two ways to achieve this, depending on the type of NAS equipment in use:
• Vendor-specific attributes — Certain NAS vendors provide the capability to limit the amount of traffic in a particular session. For example:
The ChilliSpot-Max-Total-Octets attribute may be used with a coova-chilli NAC device.
The Colubris-AVPair attribute may be used with an HP/Colubris controller; set a suitable value for this attribute, such as max-total-octets=200000000.
message [1]. The session information is updated on the RADIUS server [2] and can be seen in the Active Sessions view. If the guest reaches the allowed traffic limit, the authorization is rechecked on the next accounting update [3]. Because the session is no longer authorized to continue, the Amigopod Visitor Management Appliance sends an RFC 3576 Disconnect-Request [4] to the NAS (RFC 3576 has since been superseded by RFC 5176, which keeps the same Disconnect-Request, Disconnect-ACK and Disconnect-NAK exchange); the NAS disconnects the visitor's session and responds with an acknowledgment. Note that the quota is enforced only at the granularity of the accounting update interval: a guest can exceed the limit by up to one interval's worth of traffic before the disconnect takes effect, so choose the NAS interim update interval accordingly.
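The accounting-based check described above, as an added worked example in Python that is not part of this technical note or of the Amigopod product. It aggregates constructed accounting records per session (folding the Acct-*-Gigawords counters into the 32-bit octet counters), re-runs the quota check on each interim update, builds the RFC 3576 Disconnect-Request with the Request Authenticator the RFC specifies, and validates the NAS's Disconnect-ACK or Disconnect-NAK before trusting it. The 200e6 quota is the value the page's template uses; the record layout, usernames, session IDs and the shared secret are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Packet codes from RFC 3576 (Dynamic Authorization Extensions to RADIUS)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Attributes that identify the session to disconnect (RFC 2865 / RFC 2866)
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID = 1, 44
# Daily quota in bytes: the same 200e6 the page's template assigns to traffic_limit
TRAFFIC_LIMIT = 200_000_000


@dataclass
class AcctRecord:
    """One accounting record as stored by the RADIUS server (constructed layout)."""
    username: str
    session_id: str
    status_type: str          # Start, Interim-Update or Stop
    input_octets: int         # Acct-Input-Octets (low 32 bits)
    output_octets: int        # Acct-Output-Octets (low 32 bits)
    input_gigawords: int = 0  # Acct-Input-Gigawords (high 32 bits)
    output_gigawords: int = 0

def session_octets(rec):
    """Bytes for one record; folding in Gigawords keeps sessions over 4 GiB correct."""
    return ((rec.input_gigawords << 32) + rec.input_octets
            + (rec.output_gigawords << 32) + rec.output_octets)

def traffic_used(records, username):
    """Today's traffic for a user. Counters are cumulative within a session,
    so only the latest record seen for each Acct-Session-Id is counted."""
    latest = {}
    for rec in records:
        if rec.username == username:
            latest[rec.session_id] = rec
    return sum(session_octets(r) for r in latest.values())

def authorize(records, username):
    """(allowed, used, remaining): the check made at login and on every update."""
    used = traffic_used(records, username)
    return used < TRAFFIC_LIMIT, used, max(TRAFFIC_LIMIT - used, 0)

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_disconnect_request(identifier, secret, username, session_id):
    """Disconnect-Request; RFC 3576 Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def build_response(request, secret, code=DISCONNECT_ACK):
    """What a compliant NAS returns (no attributes); Response Authenticator =
    MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(response, request, secret):
    """Return the ACK/NAK code only if the authenticator matches our request,
    so a forged or replayed reply is never taken as a real acknowledgment."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None

def on_accounting_update(records, rec, identifier, secret):
    """Steps [3] and [4] of the flow: re-check the quota when an update arrives
    and return the Disconnect-Request to send if the session may not continue."""
    if authorize(records, rec.username)[0]:
        return None
    return build_disconnect_request(identifier, secret, rec.username, rec.session_id)

# Constructed sample: guest1's second interim update crosses the quota and
# guest2's session wrapped the 32-bit input counter once. The secret is assumed.
SAMPLE_RECORDS = [
    AcctRecord("guest1", "sess-1", "Start", 0, 0),
    AcctRecord("guest1", "sess-1", "Interim-Update", 50_000_000, 60_000_000),
    AcctRecord("guest1", "sess-1", "Interim-Update", 120_000_000, 90_000_000),
    AcctRecord("guest2", "sess-2", "Interim-Update", 1_000, 2_000, input_gigawords=1),
]
SECRET = b"example-shared-secret"

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        seen = SAMPLE_RECORDS[: i + 1]
        pkt = on_accounting_update(seen, rec, identifier=i, secret=SECRET)
        allowed, used, remaining = authorize(seen, rec.username)
        print(f"{rec.username} {rec.status_type}: used={used} remaining={remaining}"
              f" -> {'Disconnect-Request sent' if pkt else 'session continues'}")
        if pkt:
            print("   NAS replied with code", verify_response(build_response(pkt, SECRET), pkt, SECRET))
```

The Disconnect-Request carries User-Name and Acct-Session-Id so the NAS can match exactly one session; a NAS without RFC 3576 support simply ignores the packet, which is why the NAS type selected in the configuration must be marked RFC 3576 capable. The response check matters because the disconnect exchange runs over plain UDP: without verifying the Response Authenticator against the request's authenticator and the shared secret, a spoofed ACK could make the appliance believe a session was torn down when it was not.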
3 Configuring Accounting-Based Authorization
Check Plugin Versions
Accounting-based authorization requires the Amigopod RADIUS Services plugin, version 2.1.30 or later. To verify you have the correct plugin versions installed, navigate to Administrator > Plugin Manager > Manage Plugins and check the version number in the list. Use the Update Plugins link to download and install updated plugins.
Create RADIUS User Role
Navigate to RADIUS > User Roles and then click the Create a new role link.
1.
Your newly created role should appear as shown in the screenshot below:
Create RADIUS NAS Client
Navigate to RADIUS > NAS List and then click the Create tab. Enter suitable values for the name and IP address fields, and select a NAS Type that is marked as RFC 3576 capable.
NOTE If the network access server does not provide RFC 3576 support, the Amigopod RADIUS server will not be able to disconnect sessions that are currently in progress. Dynamic authorization also uses its own UDP port (3799 by default, per RFC 3576), so confirm that the NAS accepts Disconnect-Requests from the appliance's IP address using the same shared secret, and that this port is not filtered between the two.
NOTE
3. Select the [x] Provide a custom login form checkbox.
4. Under the Login Page heading, select an appropriate skin to control the look and feel of the page.
5. Enter a page title, such as Terms of Use, in the Title field.
6. Provide the HTML for the terms of use in the Header HTML text area. Refer to the “Basic HTML syntax” section of the Amigopod Deployment Guide for information about the syntax of HTML.
{* NOTE: The allowed traffic limit is defined below: *}
{assign var=traffic_limit value=200e6}
{* Do not edit below this line *}
{nwa_radius_query _method=GetIpAddressCurrentSession _assign=current_session}
{if $current_session.username}
{nwa_radius_query _method=GetUserTraffic username=$current_session.
{nwa_icontext icon="images/icon-clock22.png" valign="middle" novspace="1"}
So far today, you have used {$traffic_used|NwaByteFormatBase10:0}.
{/nwa_icontext}
{nwa_icontext icon="images/icon-report-bytes-out22.png" valign="middle" novspace="1"}
Your remaining quota is {$traffic_remaining|NwaByteFormatBase10:0}.