<AuthBy DIAMETER> converts and forwards all RADIUS authentication and accounting requests to a DIAMETER server. The DIAMETER replies are converted back to RADIUS responses and returned to the requesting client, which might be a remote client or this Radiator instance itself. The RADIUS requests may originate from a RADIUS client or they may be converted from TACACS+ or DIAMETER requests.

AuthBy DIAMETER with Peer, Port and other parameters. This peering is only usable from within the AuthBy; or DiaPeerDef clauses that can be shared between multiple AuthBy DIAMETER clauses and other Diameter modules. See goodies/diameter-authby.cfg for a sample configuration file.

<AuthBy DIAMETER> understands also the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.32. <AuthBy xxxxxx>.

<AuthBy DIAMETER> supports TLS. For more information about TLS parameters, see Section 3.11. TLS configuration.

When no DiaPeerDef parameters are set for an AuthBy DIAMETER, the Diameter peer connection is established with the parameters configured directly within the AuthBy. DiaPeerDef requires the Radiator Service Provider pack. Configuration with DiaPeerDef provides more flexibility, for example, when more than one Diameter peering is needed. DiaPeerDef parameters allow using load balancing algorithms to relay to multiple destinations. For more information about the available relay options, see the RelayAlgorithm parameter.

When DiaPeerDef parameters are set, the following parameters within an AuthBy DIAMETER are ignored: Peer, SCTPPeer, Port, Protocol, AuthApplicationIds, AcctApplicationIds, SupportedVendorIds, LocalAddress, LocalPort, ReconnectTimeout and DisconnectTraceLevel. These parameters are ignored because the AuthBy does not establish a direct peering.

# Relay the requests to peers defined by DiaPeerDef with
# Identifier dra-1 and dra-2 using Session-Id based load balancing.
DiaPeerDef DiaPeerDef-Identifier=dra-1
DiaPeerDef DiaPeerDef-Identifier=dra-2
RelayAlgorithm HashBalance
DiaPeerDef parameters is required. Some load balancing relay algorithms support multiple destinations.

FailOver
HashBalance

Session-Id attribute is used as the distribution key. FailOver can use run-time information about peers for selecting the next hop. For example, when a peer advertises its supported applications, Peer-Auth-Application-Id can be used to select peers based on the applications they currently advertise. HashBalance adds to its targets only those DiaPeerDef clauses that can be found during Radiator startup. Using DiaPeerDef-Identifier is recommended. Here's an example:

# Balance load to multiple Diameter peers based on Diameter Session-Id attribute
RelayAlgorithm HashBalance
# Balance to peers defined with these Identifier values
DiaPeerDef DiaPeerDef-Identifier=aaa-server1
DiaPeerDef DiaPeerDef-Identifier=aaa-server2
DiaPeerDef DiaPeerDef-Identifier=aaa-server3
DiaPeerDef DiaPeerDef-Identifier=aaa-server4
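The two selection styles described above, as an added illustration that is not Radiator's RelayAlgorithm code: FailOver modelled as "first configured peer that is connected and advertises the requested Auth-Application-Id", and HashBalance modelled as a hash of the Diameter Session-Id over the targets known at startup. The SHA-256 key, the modulo selection and the peer records are assumptions made for the demonstration; the peer identifiers and Session-Id values are constructed. What it shows is why Session-Id is a good distribution key: every message of one session (authentication and the accounting that follows it) lands on the same target, while distinct sessions spread across all targets.

```python
"""Relay target selection in the two styles the manual describes.

Constructed illustration, not Radiator's RelayAlgorithm implementation. The
peer records, the sha256-derived key and the selection rules are assumptions
chosen to show the behaviour; all identifiers and Session-Id values are made up.
"""
import hashlib
from collections import Counter


def fail_over(peers, auth_app_id):
    """FailOver-style choice: the first peer, in configuration order, that is
    currently connected and advertises auth_app_id among its Auth-Application-Ids.
    Returns None when no peer currently qualifies."""
    for peer in peers:
        if peer["connected"] and auth_app_id in peer["auth_app_ids"]:
            return peer["id"]
    return None


def session_key(session_id):
    """Stable integer key for a Diameter Session-Id.

    A Session-Id (RFC 6733) is "<DiameterIdentity>;<high 32 bits>;<low 32 bits>
    [;<optional value>]" and is identical in every message of one session, so
    hashing it keeps a whole session on one relay target.
    """
    digest = hashlib.sha256(session_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def hash_balance(session_id, targets):
    """HashBalance-style choice over the ordered list of DiaPeerDef identifiers
    found at startup. The list must not change between calls, or sessions move."""
    if not targets:
        raise ValueError("HashBalance needs at least one DiaPeerDef target")
    return targets[session_key(session_id) % len(targets)]


def distribution(session_ids, targets):
    """How many sessions each target receives under hash_balance."""
    return Counter(hash_balance(sid, targets) for sid in session_ids)


# Constructed run-time view of three DiaPeerDef peers. Application 1 is NASREQ;
# 16777264 is the 3GPP SWm application mentioned in this section.
PEERS = [
    {"id": "dra-1", "connected": False, "auth_app_ids": {1, 16777264}},
    {"id": "dra-2", "connected": True, "auth_app_ids": {1}},
    {"id": "dra-3", "connected": True, "auth_app_ids": {1, 16777264}},
]
TARGETS = [p["id"] for p in PEERS]
# Constructed Session-Ids: same origin identity, one session per low-32 value.
SESSIONS = [f"radiator.example.com;1700000000;{n}" for n in range(300)]

if __name__ == "__main__":
    print("FailOver for NASREQ:", fail_over(PEERS, 1))
    print("FailOver for SWm:   ", fail_over(PEERS, 16777264))
    print("HashBalance spread: ", dict(distribution(SESSIONS, TARGETS)))
```

With dra-1 disconnected, FailOver skips it and hands NASREQ traffic to dra-2 but SWm traffic to dra-3, the first connected peer advertising that application; HashBalance ignores peer state entirely and only guarantees that one Session-Id always maps to the same target.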
AuthBy DIAMETER should connect to. When one or more DiaPeerDef parameters are configured, this parameter is ignored.

AuthBy DIAMETER. An address can be an IPv4 or IPv6 address. Multiple SCTPPeer parameters are supported. When SCTPPeer is defined, it is used instead of the Host or Peer parameters. Special formatting characters are supported. If SCTP multihoming is not supported, connection is attempted to each peer one at a time. SCTPPeer must be either IPv4 or IPv6 addresses. Here is an example of using SCTPPeer:

# Peer has multiple IPv6 addresses
SCTPPeer 2001:db8:1500:1::a100
SCTPPeer 2001:db8:1500:2::a100
When DestinationHost is unset, no Destination-Host attribute is added to Diameter messages. Setting DestinationHost is optional and there is no default value. Special formatting characters are supported. Formatting is done when the configuration is loaded and the <AuthBy DIAMETER> clause is activated.

DestinationRealm sets the value of the Destination-Realm attribute in the Diameter messages sent to the peer. Destination-Realm is first taken from the username's realm part. If there is no realm, then the DestinationRealm configuration parameter is used. The default is testdestinationrealm. Special formatting characters are supported. Formatting is done when the configuration is loaded and the <AuthBy DIAMETER> clause is activated.

OriginHost sets the value of the Origin-Host attribute in the Diameter messages sent to the peer. OriginHost is not optional and must be specified in the AuthBy DIAMETER clause. OriginHost defaults to the hostname of the server Radiator is running on. Special formatting characters are supported. Formatting is done when the configuration is loaded and the AuthBy DIAMETER clause is activated.

AuthBy DIAMETER clause. OriginRealm defaults to testoriginrealm. Special formatting characters are supported. Formatting is done when the configuration is loaded and the AuthBy DIAMETER clause is activated.

EAP_ApplicationId defines the Diameter message's Application-ID value and the Auth-Application-Id AVP value for the converted RADIUS EAP requests. The default is to convert RADIUS EAP authentication to the Diameter EAP application. This parameter allows, for example, converting RADIUS EAP-AKA to Diameter 3GPP SWm. EAP_ApplicationId defaults to the value Diameter-EAP. For more information, see the configuration sample goodies/diameter-authby.cfg.

# We can convert EAP-AKA to SWm
EAP_ApplicationId 3GPP SWm

Protocol sctp

AuthApplicationIds 0, 1

AcctApplicationIds 3

# Tell the peer we support all the vendors in our
# default and DiameterDictionaryFile dictionaries
SupportedVendorIds DictVendors
LocalPort is a string; it can be a port number or a name. It binds the local port if LocalAddress is defined. If LocalPort is not specified or if it is set to 0, a port number is allocated in the usual way. LocalAddress must be either IPv4 or IPv6 addresses.

LocalAddress 203.63.154.29
LocalPort 12345
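Several of the interactions described in this section fail silently in a running configuration: the direct-peer parameters that are ignored once a DiaPeerDef is present, SCTPPeer taking precedence over Peer and Host, SCTPPeer and LocalAddress requiring literal addresses rather than names, LocalPort only binding when LocalAddress is set, RelayAlgorithm needing a DiaPeerDef, and OriginRealm and DestinationRealm falling back to the test defaults testoriginrealm and testdestinationrealm. The following is an added Python lint that reports those conditions; it is not Radiator's code or its configuration parser. It handles only the syntax used in this section (Apache-style <Clause arg> ... </Clause> blocks, one "Name value" parameter per line, "#" comment lines) and not multi-line hook values; the two sample clauses are constructed.

```python
"""Lint <AuthBy DIAMETER> clauses for settings this section says are ignored,
overridden or left at test defaults.

Constructed example, not Radiator's own configuration parser. Only the syntax
used in this section is handled: Apache-style <Clause arg> ... </Clause>
blocks, one 'Name value' parameter per line and '#' comment lines; multi-line
hook values with backslash continuations are not supported. Samples are made up.
"""
import ipaddress
import re

# Ignored when any DiaPeerDef is set: the AuthBy then makes no direct peering.
IGNORED_WITH_DIAPEERDEF = {
    "Peer", "SCTPPeer", "Port", "Protocol", "AuthApplicationIds",
    "AcctApplicationIds", "SupportedVendorIds", "LocalAddress", "LocalPort",
    "ReconnectTimeout", "DisconnectTraceLevel",
}
# Must be literal IPv4/IPv6 addresses, not host names.
ADDRESS_ONLY = {"SCTPPeer", "LocalAddress"}
# Documented defaults that are placeholders rather than production realms.
TEST_DEFAULTS = {"OriginRealm": "testoriginrealm",
                 "DestinationRealm": "testdestinationrealm"}

_OPEN = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def parse_clauses(text):
    """Return top-level clauses as dicts with type, arg and ordered params.
    Nested clauses are tracked only to keep the tags balanced; parameters
    outside any clause (global settings) are skipped."""
    clauses, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _CLOSE.match(line):
            if not stack or stack[-1]["type"] != m.group(1):
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
        elif m := _OPEN.match(line):
            clause = {"type": m.group(1), "arg": m.group(2) or "", "params": []}
            if not stack:
                clauses.append(clause)
            stack.append(clause)
        elif stack:
            name, _, value = line.partition(" ")
            stack[-1]["params"].append((name, value.strip()))
    if stack:
        raise ValueError(f"unclosed <{stack[-1]['type']}>")
    return clauses


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint_authby_diameter(clause):
    """Return the warnings for one <AuthBy DIAMETER> clause, in a stable order."""
    params = clause["params"]
    names = [n for n, _ in params]
    values = dict(params)  # last occurrence wins for single-valued lookups
    warnings = []
    if "DiaPeerDef" in names:
        for n in names:
            if n in IGNORED_WITH_DIAPEERDEF:
                warnings.append(f"{n} is ignored because DiaPeerDef is set")
    else:
        if "RelayAlgorithm" in names:
            warnings.append("RelayAlgorithm requires at least one DiaPeerDef")
        if "SCTPPeer" in names and ("Peer" in names or "Host" in names):
            warnings.append("Peer/Host is unused because SCTPPeer takes precedence")
        for n, v in params:
            if n in ADDRESS_ONLY and not _is_ip(v):
                warnings.append(f"{n} {v!r} must be an IPv4 or IPv6 address")
        if "LocalPort" in names and "LocalAddress" not in names:
            warnings.append("LocalPort only binds when LocalAddress is also set")
    for n, default in TEST_DEFAULTS.items():
        if values.get(n, default) == default:
            warnings.append(f"{n} falls back to the test default {default!r}")
    return warnings


def lint_config(text):
    """Lint every top-level <AuthBy DIAMETER>; results keyed by Identifier."""
    report = {}
    for i, clause in enumerate(parse_clauses(text)):
        if clause["type"] == "AuthBy" and clause["arg"] == "DIAMETER":
            key = dict(clause["params"]).get("Identifier", f"AuthBy#{i}")
            report[key] = lint_authby_diameter(clause)
    return report


# Constructed samples: a direct peering with a few mistakes, and a DiaPeerDef
# relay that still carries direct-peer settings.
SAMPLE_CONFIG = """
<AuthBy DIAMETER>
    Identifier diameter-direct
    Peer aaa.example.com
    Port 3868
    SCTPPeer dra.example.com
    LocalPort 12345
    OriginHost radiator.example.com
    OriginRealm example.com
    AuthApplicationIds 0, 1
</AuthBy>
<AuthBy DIAMETER>
    Identifier diameter-relay
    DiaPeerDef DiaPeerDef-Identifier=dra-1
    DiaPeerDef DiaPeerDef-Identifier=dra-2
    RelayAlgorithm HashBalance
    Peer 192.0.2.10
    Protocol sctp
    OriginHost radiator.example.com
    DestinationRealm example.net
</AuthBy>
"""

if __name__ == "__main__":
    for ident, warns in lint_config(SAMPLE_CONFIG).items():
        print(ident, *warns, sep="\n  ")
```

Run against the samples, the direct clause gets four warnings (Peer shadowed by SCTPPeer, a host name where SCTPPeer needs an address, a LocalPort that never binds, and the testdestinationrealm fallback) and the relay clause three (Peer and Protocol silently ignored, OriginRealm left at testoriginrealm); each is a condition this section documents but Radiator itself does not flag.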
Radius::Stream derived type. Examples of derived types are Radius::RadsecHost and Radius::DiameterConnection.

$Radius::Stream::STREAM_STATE::CONNECTED
$Radius::Stream::STREAM_STATE::DISCONNECTED

StreamStateChangeHook can be an arbitrarily complicated Perl function that might run external processes, consult databases, change the contents of the current request or many other things. IP address and other specific information is not passed to the hook. Their format and type depend on the derived type. For example, SCTP streams may have multiple source and destination addresses. The following example shows how to log information from the hook no matter what the type of the stream object is.

StreamStateChangeHook sub { \
    my ($self, $new_state) = @_; \
    my $state = ($new_state == $Radius::Stream::STREAM_STATE::CONNECTED) ? \
        'connected' : 'disconnected'; \
    main::log($main::LOG_INFO, "StreamStateChangeHook: State change to $state"); \
    return; }
The default is 0. When connections are known to be short-lived, a non-default value may be useful. This parameter is available for all Stream based modules, such as <ServerDIAMETER> and <AuthBy RADSEC>.

# Debug logging is enough for peer disconnects
DisconnectTraceLevel 4