PolicyFlow

PolicyFlow. All Rights Reserved © Alcatel-Lucent 2007 2 | PolicyFlow Module Objectives PolicyFlow syntax and files Understand the way a PolicyChain is


Page 1

PolicyFlow

Page 2

2 | PolicyFlow All Rights Reserved © Alcatel-Lucent 2007

Module Objectives

• PolicyFlow syntax and files
• Understand the way a PolicyChain is executed and variables are created, used and modified
• Templates and advantages
• PolicyFlow configuration in the SMT
• Viewing PFs in a graph: PolicyGrapher
• PolicyAssistant

Page 3

PolicyFlow Selection

method_dispatch:

# Prot    Type   Code                File   Method
radius    Auth   Access-Request      aaa    readRadiusUser
radius    Acct   Accounting-Request  aaa    writeDetail

aaa.pf:

readRadiusUser      Method-Type = "ReadUserFile"
                    Method-On-Success = "checkPassword"
                    ReadUserFile-Filename = "users"
checkPassword       Method-Type = "AuthLocal"
                    Method-On-Success = "checkVerifications"
checkVerifications  Method-Type = "CheckItems"
writeDetail         Method-Type = "Classic"
                    Classic-Filename = "radacct/${packet.Client-Name}/detail2"

The line matched in the method_dispatch file determines the initial method to be executed

Page 4

PolicyFlowTM Method Chains

Each time a method executes, it can result in one of the three following conditions:

• Success - The method succeeded (i.e. it found something or approved something). It did what was intended.
• Fail - The method failed (i.e. something could not be found, did not match, etc.)
• Error - The method was unable to execute (i.e. uncertainty due to abnormal conditions, mis-configuration or timeout) and could not determine if it succeeded or failed.

Page 5

Method syntax (revisited)

method1                                              <- Unique name of the method
    Method-Type = "ReadUserFile"                     <- Type of plug-in
    Method-Disabled = "FALSE"
    Method-On-Success = "[file:]checkPwd"            <- What to do if the plug-in ends with success:
    Message-On-Success = "User found in file"           • which other method to invoke (and in which file it is stored)
    Level-On-Success = "DEBUG"                          • optionally to generate a log
    Channel-On-Success = "LogToFile"
    Method-On-Failure = "method2"
    Message-On-Failure = "User not found in file"
    Level-On-Failure = "INFO"
    Channel-On-Failure = "LogToFile"
    Method-Timeout = 2000
    Method-On-Error = ""
    Message-On-Error = "File not found"
    Level-On-Error = "WARNING"
    Channel-On-Error = "LogToFile"
    ReadUserFile-Filename = "users"                  <- Plug-in properties
    ReadUserFile-SearchKey = "${packet.Base-User-Name}"

[Diagram: a Method wraps a PLUG-IN; the plug-in ends in Success, Failure or Error, and the corresponding Method-On-* tag decides what follows.]

Page 6

Default Actions

• Method-On-Success: if the method executes successfully and Method-On-Success is not defined, the PolicyFlow will end and an Access-Accept is sent (or an Accounting-Response for accounting).
• Method-On-Fail: if the method execution ends in failure and Method-On-Fail is not defined, the PolicyFlow will end and an Access-Reject is sent. For accounting the packet will be discarded:
  – The NAS will not receive a response and will retransmit
• Method-On-Error: if the method execution ends in error and Method-On-Error is not defined, the PolicyFlow will end and an Access-Reject is sent.
  – It can be configured in server_properties to discard the packet
  – For accounting the packet will be discarded: the server never receives a response and will retransmit
• Method-Timeout: if the method does not complete execution before the timeout period, the PF ends and Method-On-Error is followed.

Page 7

Optional actions at the end of the PF

When the PolicyFlow ends, VitalAAA can perform 2 checks:

• First, it looks to see if the Password has been checked (i.e. if ${check.Password} is still defined). If the Password has not been checked, the AuthLocal plug-in can be automatically invoked.
• Second, it checks if there are any check-items that still need to be tested (i.e. if any attributes with the "check" prefix are still defined). If untested check-items are found, the CheckItems plug-in can be automatically invoked.

These behaviors can be overridden by setting the Auto_CheckItem and/or Auto_Password server properties to false. Also configurable via the SMT: Server Properties.

Page 8

PolicyFlowSM Example 1

Example case #1:

• Look for a user record in user file #1
• If the record is found, verify the password and check-items
  – If the password and check-items are OK send an Access-Accept,
  – Otherwise, send an Access-Reject
• If no record is found, send an Access-Reject

Page 9

PolicyFlowSM Example 1

[Diagram: method_dispatch -> ReadUserFile "users" -(succeed)-> AuthLocal -(succeed)-> CheckItems -(succeed)-> Accept; a fail at any of the three methods -> Reject]

• Look up the user in the "users" file. If we cannot find the user record, reject the request.
• Verify the password.
• Check the CheckItems.
• If the Check-Items or the password do not match, reject the request.

Page 10

PolicyFlowSM Example 1

aaa.pf:

read-user-file   Method-Type = ReadUserFile
                 Method-On-Success = pass-check
                 ReadUserFile-Filename = users
pass-check       Method-Type = AuthLocal
                 Method-On-Success = auth-check
auth-check       Method-Type = CheckItems

Remember, the default action for Method-On-Fail is to send an Access-Reject. If that behavior is desired (as it is in our example) the Method-On-Fail control tag does not need to be specified.

Page 11

PolicyFlowSM Example 1

users:

user1   password = foobar  Service-Type = Framed-User
        Ascend-Assign-IP-Pool = 0  Framed-IP-Netmask = 255.255.255.255
user2   password = secret  Service-Type = Framed-User
        Ascend-Assign-IP-Pool = 0  Framed-IP-Netmask = 255.255.255.255
user3   password = cant-tell  Service-Type = Framed-User
        Ascend-Assign-IP-Pool = 0  Framed-IP-Netmask = 255.255.255.255
user4   password = don't-ask  Service-Type = Framed-User
        Ascend-Assign-IP-Pool = 0  Framed-IP-Netmask = 255.255.255.255

Page 12

PolicyFlowSM Example 1

Given the request:

    User-Name = user3@local
    password = cant-tell
    NAS-IP-Address = 192.12.43.56
    NAS-Port = 24
    Called-Station-Id = 5105551212
    Service-Type = Framed-User

We start the PolicyFlow with the following attribute settings:

    request.User-Name = user3@local
    request.password = cant-tell
    request.NAS-IP-Address = 192.12.43.56
    request.NAS-Port = 24
    request.Called-Station-Id = 5105551212
    request.Service-Type = Framed-User

    packet.Base-User-Name = user3      <- added automatically before method_select
    packet.User-Realm = local          <- added automatically before method_select

Page 13

PolicyFlowSM Example 1

After reading the "users" file we now have:

    request.User-Name = user3@local
    request.password = cant-tell
    request.NAS-IP-Address = 192.12.43.56
    request.NAS-Port = 24
    request.Called-Station-Id = 5105551212
    request.Service-Type = Framed-User

    packet.Base-User-Name = user3
    packet.User-Realm = local

    check.password = cant-tell                  <- read from the "users" file
    check.Service-Type = Framed-User            <- read from the "users" file

    reply.Ascend-Assign-IP-Pool = 0             <- read from the "users" file
    reply.Framed-IP-Netmask = 255.255.255.255   <- read from the "users" file

Page 14

PolicyFlowSM Example 1

The auth-check method uses the AuthLocal plug-in. If the password from the request and the user record match, the password retrieved from the user record is deleted (i.e. it is removed from the "check" attributes):

    request.User-Name = user3@local
    request.password = cant-tell
    request.NAS-IP-Address = 192.12.43.56
    request.NAS-Port = 24
    request.Called-Station-Id = 5105551212
    request.Service-Type = Framed-User

    packet.Base-User-Name = user3
    packet.User-Realm = local

    check.password = cant-tell                  <- deleted after a successful match
    check.Service-Type = Framed-User

    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask = 255.255.255.255

Page 15

PolicyFlowSM Example 1

The pass-check method uses the CheckItem plug-in. If the Check Items from the user record are "true" (i.e. they match items in the access request) they are removed:

    request.User-Name = user3@local
    request.password = cant-tell
    request.NAS-IP-Address = 192.12.43.56
    request.NAS-Port = 24
    request.Called-Station-Id = 5105551212
    request.Service-Type = Framed-User

    check.password = cant-tell                  <- removed
    check.Service-Type = Framed-User            <- removed (matches the request)

    packet.Base-User-Name = user3
    packet.User-Realm = local

    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask = 255.255.255.255

Page 16

PolicyFlowSM Example 1

Finally the reply items (i.e. attributes with the reply prefix) are used to create an Access-Accept packet:

    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask = 255.255.255.255

The Access-Accept would be a RADIUS type 2 packet and would contain the following attributes:

    Ascend-Assign-IP-Pool = 0
    Framed-IP-Netmask = 255.255.255.255
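As an added example (written for this page, not VitalAAA code), the chain semantics of Example 1 re-implemented as a small Python simulator: it parses a constructed copy of the users file, runs ReadUserFile, AuthLocal and CheckItems with the Success/Fail/Error defaults from the Default Actions slide, and applies the end-of-flow Auto_Password / Auto_CheckItem checks. Method names and control tags follow the slides; the users-file parsing rules and the plug-in internals are assumptions of this toy.

```python
import re

# Constructed copy of the page's "users" file: the first line of a record
# carries the name and check items, the indented continuation the reply items.
USERS_FILE = """\
user1   password = foobar  Service-Type = Framed-User
        Ascend-Assign-IP-Pool = 0  Framed-IP-Netmask = 255.255.255.255
user3   password = cant-tell  Service-Type = Framed-User
        Ascend-Assign-IP-Pool = 0  Framed-IP-Netmask = 255.255.255.255
"""

PAIR = re.compile(r"([\w-]+)\s*=\s*(\S+)")


def parse_users_file(text):
    """Return {name: (check_items, reply_items)}; parsing rules are an assumption."""
    records, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                     # record start: name + check items
            name, _, rest = line.partition(" ")
            records[name] = (dict(PAIR.findall(rest)), {})
        else:                                         # continuation: reply items
            records[name][1].update(PAIR.findall(line))
    return records


FILES = {"users": parse_users_file(USERS_FILE)}

# The aaa.pf chain of Example 1, one dict of control tags per method.
AAA_PF = {
    "read-user-file": {"Method-Type": "ReadUserFile",
                       "Method-On-Success": "pass-check",
                       "ReadUserFile-Filename": "users"},
    "pass-check": {"Method-Type": "AuthLocal", "Method-On-Success": "auth-check"},
    "auth-check": {"Method-Type": "CheckItems"},
}


# Plug-ins: each returns "SUCCESS", "FAIL" or "ERROR" and may edit attrs.
def read_user_file(props, attrs):
    records = FILES.get(props["ReadUserFile-Filename"])
    if records is None:
        return "ERROR"                                # mis-configuration: no such file
    record = records.get(attrs["packet"]["Base-User-Name"])
    if record is None:
        return "FAIL"                                 # no user record found
    attrs["check"].update(record[0])
    attrs["reply"].update(record[1])
    return "SUCCESS"


def auth_local(props, attrs):
    expected = attrs["check"].get("password")
    if expected is None or expected != attrs["request"].get("password"):
        return "FAIL"
    del attrs["check"]["password"]                    # matched: removed from check items
    return "SUCCESS"


def check_items(props, attrs):
    for name, expected in list(attrs["check"].items()):
        if name == "password":
            continue                                  # the password belongs to AuthLocal
        if attrs["request"].get(name) != expected:
            return "FAIL"
        del attrs["check"][name]                      # matched: removed
    return "SUCCESS"


PLUGINS = {"ReadUserFile": read_user_file, "AuthLocal": auth_local,
           "CheckItems": check_items}


def run_policy_flow(pf, start, request, auto_password=True, auto_checkitem=True):
    """Walk a chain from `start`; return (reply code, reply attributes)."""
    base, _, realm = request["User-Name"].partition("@")
    attrs = {"request": dict(request),
             "packet": {"Base-User-Name": base, "User-Realm": realm},  # set before dispatch
             "check": {}, "reply": {}}
    method = start
    while method is not None:
        props = pf[method]
        result = PLUGINS[props["Method-Type"]](props, attrs)
        if result == "SUCCESS":
            method = props.get("Method-On-Success")   # None -> the flow ends in Accept
        else:
            method = props.get("Method-On-Fail" if result == "FAIL" else "Method-On-Error")
            if method is None:
                return "Access-Reject", {}            # default for both Fail and Error
    # End-of-flow safety net (the Auto_Password / Auto_CheckItem server properties).
    if auto_password and "password" in attrs["check"]:
        if auth_local({}, attrs) != "SUCCESS":
            return "Access-Reject", {}
    if auto_checkitem and attrs["check"] and check_items({}, attrs) != "SUCCESS":
        return "Access-Reject", {}
    return "Access-Accept", attrs["reply"]


# The request from the Example 1 slides.
REQUEST = {"User-Name": "user3@local", "password": "cant-tell",
           "NAS-IP-Address": "192.12.43.56", "NAS-Port": "24",
           "Called-Station-Id": "5105551212", "Service-Type": "Framed-User"}

if __name__ == "__main__":
    print(run_policy_flow(AAA_PF, "read-user-file", REQUEST))
```

Running a chain that stops after ReadUserFile shows why the Auto_Password property matters: with it on, a wrong password is still rejected at the end of the flow; with it off, the same chain accepts the request without ever verifying the password.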

Page 17

Templates - Introduction

Templates are used to provide a common reference point for reply item or Check Item sets that are often used for many users. It is a way of grouping together common attributes for groups of users.

[Diagram: user1, user2, user3 ... user_N -> template_1 (common attributes); user4 -> template_2 (common attributes)]

Page 18

Templates - without a Template

users:

bob     password = "secret"  NAS-Port-Type = Async  Time-of-Day = "1800-0800"
        Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.0, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
chuck   password = "canttell"  NAS-Port-Type = Async  Time-of-Day = "1800-0800"
        Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.0, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
sara    password = "terces"  NAS-Port-Type = Async  Time-of-Day = "1800-0800"
        Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.0, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP

Page 19

No Templates - Disadvantages

Note that except for the User-Name and Password, each entry is otherwise identical. It also suffers from a number of weaknesses:

• It requires a lot of extra data entry work
• Is prone to input errors
• Wastes disk space
• Makes changes very difficult

Page 20

Templates - Advantages

Using a "template" for the Check Items and Reply Items would make our task much easier. The file would look like this instead:

user_accounts:

bob     password = "secret"    Service-Template = Limited-Analog
chuck   password = "canttell"  Service-Template = Limited-Analog
sara    password = "terces"    Service-Template = Limited-Analog
Etc...

Page 21

Templates - The Template File

To make this all work we will create a file, called service-templates, with the following entries:

Limited-Analog   NAS-Port-Type = Async  Time-of-Day = "1800-0800"
                 Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.255, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
                 Session-Timeout = 3600    # 1 hour
Gold-Analog      NAS-Port-Type = Async
                 Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.255, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
                 Session-Timeout = 42300   # 12 hours
Etc.

Page 22

Templates - Methods

1. Read things that are different for every user: password and template name
2. Read things that are common for a group of users: the parameters in that template

read-user-file   Method-Type = ReadUserFile
                 Method-On-Success = get-template
                 ReadUserFile-Filename = user-accounts
get-template     Method-Type = ReadUserFile
                 Method-On-Success = pass-check
                 ReadUserFile-Filename = service-templates
                 ReadUserFile-SearchKey = ${reply.Service-Template}
                 # Now, we should delete the non-dictionary reply item
                 ReadUserFile-Map = "delete ${reply.Service-Template};"
pass-check       Method-Type = AuthLocal
                 Method-On-Success = auth-check
auth-check       Method-Type = CheckItems

Page 23

Templates - Final Thoughts

• Templates can be retrieved from any data source: delimited files, database records, LDAP, etc.
• However, standard "users" files usually make the best choice for template storage:
  – They are read into memory and cached at startup
  – Can be reloaded without restarting the PolicyServer
  – Check Item and Reply Item mapping is simplified
• Separate templates can be provided for Reply Items and Check Items:
  – Handy when users can have any combination of reply-items & check-items
  – Specific reply-items and check-items could be used for each user

Page 24

PolicyFlow Example 2

Example case #2:

• Look for a user record in the LDAP directory
• If the record is found, retrieve the template
• If the template is found, check the password and check-items
  – If the password and check-items are OK send an Access-Accept,
  – Otherwise, send an Access-Reject

Page 25

PolicyFlowSM Example 2

[Diagram: method_dispatch -> Ldap -(succeed)-> ReadUserFile -(succeed)-> AuthLocal -(succeed)-> CheckItems -(succeed)-> Accept; Ldap fail/error, ReadUserFile fail, AuthLocal fail or CheckItems fail -> Reject]

• Start by doing an LDAP query. Save the "service type" field contents in ${user.Service-Type}
• Lookup the "service-type" in a text file
• Finish up by checking the password and any check-items from the "service-type" entry
• Return the reply attributes from the "service-type" entry in an access accept packet.
• Reject the attempt if we fail to find the user in LDAP or if the Password or Check-Items tests fail.

Page 26

PolicyFlowSM Example 2

ldap-query    Method-Type = Ldap
              Method-On-Success = get-template
              Method-Timeout = 2000
              Ldap-Host = directory.isp1.net
              Ldap-Operation = SEARCH
              Ldap-BindDN = " cn = dir_man, o = isp1, c = US "
              Ldap-BindPasswd = 7olleh-44
              Ldap-SearchBase = " o = isp1, c = US"
              Ldap-SearchFilter = "uid = ${packet.Base-User-Name} "
              Ldap-Map = " ${check.Password} = ${Password}; "
              Ldap-Map = " ${user.Service-Class} = ${Service-Type}; "
get-template  Method-Type = ReadUserFile
              Method-On-Success = pass-check
              ReadUserFile-Filename = template-file
              ReadUserFile-SearchKey = ${user.Service-Class}
pass-check    Method-Type = AuthLocal
              Method-On-Success = auth-check
auth-check    Method-Type = CheckItems

Page 27

PolicyFlowSM Example 2

An example LDAP entry:

    o = isp1
    c = US
    uid = happy
    Password = secret
    Service-Type = basic-analog

template-file:

basic-analog   Prohibit-NAS-Port-Type = Sync
               Ascend-Assign-IP-Pool = 0
               Framed-IP-Netmask = 255.255.255.0
isdn           # Note there are no check items
               Ascend-Assign-IP-Pool = 0
               Framed-IP-Netmask = 255.255.255.0
               Port-Limit = 2

Page 28

PolicyFlowSM Example 2

Given the request:

    User-Name = happy@isp1
    password = secret
    NAS-IP-Address = 192.12.43.56
    NAS-Port = 24
    NAS-Port-Type = Async
    Called-Station-Id = 5105551212
    Service-Type = Framed-User

Page 29

PolicyFlowSM Example 2

We start the PolicyFlow with the following attribute settings:

    request.User-Name = happy@isp1
    request.password = secret
    request.NAS-IP-Address = 192.12.43.56
    request.NAS-Port = 24
    request.NAS-Port-Type = Async
    request.Called-Station-Id = 5105551212
    request.Service-Type = Framed-User

    packet.Base-User-Name = happy
    packet.User-Realm = isp1

Page 30

PolicyFlowSM Example 2

After performing a successful LDAP query, we now have the following data saved in the internal attributes:

    request.User-Name = happy@isp1
    request.password = secret
    request.NAS-IP-Address = 192.12.43.56
    request.NAS-Port = 24
    request.NAS-Port-Type = Async
    request.Called-Station-Id = 5105551212
    request.Service-Type = Framed-User

    packet.Base-User-Name = happy
    packet.User-Realm = isp1

    check.Password = secret

    user.Service-Class = basic-analog

Page 31

PolicyFlowSM Example 2

Next we lookup the "basic-analog" template. Now the internal attribute list looks like this:

    request.User-Name = happy@isp1
    request.password = secret
    request.NAS-IP-Address = 192.12.43.56
    request.NAS-Port = 24
    request.NAS-Port-Type = Async
    request.Called-Station-Id = 5105551212
    request.Service-Type = Framed-User

    packet.Base-User-Name = user3
    packet.User-Realm = isp1

    check.password = secret
    check.Prohibit-NAS-Port-Type = Sync

    user.Service-Class = basic-analog

    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask = 255.255.255.0

Page 32

PolicyFlowSM Example 2

If the password from the request and the user record match, the password retrieved from the user record is deleted from the check items:

    request.User-Name = happy@isp1
    request.password = secret
    request.NAS-IP-Address = 192.12.43.56
    request.NAS-Port = 24
    request.NAS-Port-Type = Async
    request.Called-Station-Id = 5105551212
    request.Service-Type = Framed-User

    packet.Base-User-Name = user3
    packet.User-Realm = isp1

    check.password = secret                     <- deleted after a successful match
    check.Prohibit-NAS-Port-Type = Sync

    user.template = basic-analog

    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask = 255.255.255.0

Page 33

PolicyFlowSM Example 2

If the Check Items from the user record are "true" (i.e. they match items in the access request) they are removed:

    request.User-Name = happy@isp1
    request.password = secret
    request.NAS-IP-Address = 192.12.43.56
    request.NAS-Port = 24
    request.NAS-Port-Type = Async
    request.Called-Station-Id = 5105551212
    request.Service-Type = Framed-User

    packet.Base-User-Name = user3
    packet.User-Realm = isp1

    check.password = secret                     <- removed
    check.Prohibit-NAS-Port-Type = Sync         <- removed (the request's NAS-Port-Type is Async, not Sync)

    user.template = basic-analog

    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask = 255.255.255.0

Page 34

PolicyFlowSM Example 2

Finally the reply items are used to create an Access-Accept packet:

    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask = 255.255.255.0

The Access-Accept would be a RADIUS type 2 packet and would contain the following attributes:

    Ascend-Assign-IP-Pool = 0
    Framed-IP-Netmask = 255.255.255.0

Page 35

PolicyFlows Linkage (I)

[Diagram: Branch on the realm. realm = local -> ReadUserFile -> Accept / Reject; realm = isp1 -> Ldap -> Accept / Reject]

Page 36

PolicyFlowsSM linkage (II)

method_dispatch:

# Prot    Type   Code                File   Method
radius    Auth   Access-Request      aaa    Branch4realms
radius    Acct   Accounting-Request  aaa    writeDetail

aaa.pf:

Branch4realms    Method-Type = "Branch"
                 Branch-Case = "local read-user-file"
                 Branch-Case = "isp1 ldap-query"
                 Branch-SelectMode = "KEY"
                 Branch-SearchKey = "${packet.User-Realm}"
                 Branch-IgnoreCase = "TRUE"
ldap-query       Method-Type = ReadLdap .......
read-user-file   Method-Type = ReadUserFile .....

Example requests: john@local -> read-user-file; john@isp1 -> ldap-query

Page 37

PolicyFlow linkage (III)

The initial branch can be made on any VA variable:

• Service-Type = ${request.Service-Type}
  – Framed - for PPP users
  – Call-Check - for pre-auth in dial-up
  – Outbound - for pseudo-users
  – Administrative - for routers/NAS administrators
• Client Class = ${client.Client-Class}
• Calling or Called station id
• Type of accounting packet = ${request.Acct-Status-Type}
  – Start, stop, interim, accounting-on, accounting-off

Also a WILDCARD select mode can be used:

    Branch-SearchKey = "${request.Called-Station-Id}"
    Branch-Case = "909* check_calling"
    Branch-Case = "908* accept_call"
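As an added example (written for this page, not VitalAAA code), the Branch selection from the two linkage slides re-implemented in Python: the Branch4realms method with KEY mode and Branch-IgnoreCase, and the Called-Station-Id branch with WILDCARD mode. The case syntax ("<pattern> <method>") and the tag names follow the slides; that the first matching case wins, that the repeated Branch-Case tags are held as a list, and the ${section.Name} expansion are assumptions of this toy. An unmatched key returns None, which a real chain would route to Method-On-Fail and, by the Default Actions slide, to an Access-Reject, so the branch fails closed.

```python
import fnmatch
import re


def expand(template, attrs):
    """Expand ${section.Name} references against the attribute store (assumed syntax)."""
    def lookup(match):
        section, _, name = match.group(1).partition(".")
        return attrs.get(section, {}).get(name, "")
    return re.sub(r"\$\{([^}]+)\}", lookup, template)


def branch_select(props, attrs):
    """Return the method named by the first matching Branch-Case, or None."""
    key = expand(props["Branch-SearchKey"], attrs)
    ignore_case = props.get("Branch-IgnoreCase", "FALSE").upper() == "TRUE"
    mode = props.get("Branch-SelectMode", "KEY").upper()
    if ignore_case:
        key = key.casefold()
    for case in props["Branch-Case"]:
        pattern, method = case.split(None, 1)        # "<pattern> <method>"
        if ignore_case:
            pattern = pattern.casefold()
        if mode == "KEY":
            hit = key == pattern                      # exact match on the key
        elif mode == "WILDCARD":
            hit = fnmatch.fnmatchcase(key, pattern)   # shell-style *, ? patterns
        else:
            raise ValueError("unknown Branch-SelectMode: " + mode)
        if hit:
            return method
    return None                                       # no case -> Method-On-Fail


# Branch4realms from the linkage (II) slide.
BRANCH4REALMS = {
    "Method-Type": "Branch",
    "Branch-Case": ["local read-user-file", "isp1 ldap-query"],
    "Branch-SelectMode": "KEY",
    "Branch-SearchKey": "${packet.User-Realm}",
    "Branch-IgnoreCase": "TRUE",
}

# The WILDCARD branch on Called-Station-Id from the linkage (III) slide.
BRANCH_DNIS = {
    "Method-Type": "Branch",
    "Branch-SelectMode": "WILDCARD",
    "Branch-SearchKey": "${request.Called-Station-Id}",
    "Branch-Case": ["909* check_calling", "908* accept_call"],
}


def dispatch_for(user_name, called_station_id):
    """Resolve both branches for one request; returns (realm method, DNIS method)."""
    base, _, realm = user_name.partition("@")         # packet.* as set before dispatch
    attrs = {"packet": {"Base-User-Name": base, "User-Realm": realm},
             "request": {"User-Name": user_name, "Called-Station-Id": called_station_id}}
    return branch_select(BRANCH4REALMS, attrs), branch_select(BRANCH_DNIS, attrs)


if __name__ == "__main__":
    for user, dnis in [("john@local", "9095551212"), ("john@ISP1", "9085551212"),
                       ("john@other", "5105551212"), ("john", "")]:
        print(user, dnis, "->", dispatch_for(user, dnis))
```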

Page 38

Cron-based PolicyFlows

It is also possible to start a PF based on time, similar to UNIX crontabs. The ${request.*} variables can be specified. (New in 5.2)

method_dispatch:

# Protocol Type  Code                                File Method
# -------- ----  ----                                ---- ------
radius     auth  1                                   aaa  readRadiusUser
cron       "0 * * * *" User-Name=nobody@norealm      aaa  WriteLog
radius     acct  4                                   aaa  updateLocalLimits

Page 39

PolicyFlow - Method Dispatch

Page 40

PolicyFlow – PF files

We can see all configured methods, create/delete others, and configure the Method-On-Success/Fail/Error. We can also add extra PF files.

Page 41

PolicyFlow - Methods Configuration

Page 42

PolicyGrapher (I)

There is a tool to represent a PF in a graphical format, using 3rd party software called "GraphViz" from AT&T. This software must be installed separately from VA.

The PolicyGraph can be:
• Viewed from the SMT
• Saved to a gif file

[Diagram: xxx.pf -(SMT)-> xxx.dot -(GraphViz)-> xxx.gif|jpg...]

Page 43

PolicyGrapher (II)

It has to be configured:
• the grapher program to use: recommended dot.exe, and the directory where it has been installed
• extra parameters related to colors, shape, and to explicitly graph success, failure or error nodes representing the end of the PF

Properties are stored in the <$VA>/run/policygraph.properties file.

Page 44

PolicyGrapher (III)

Page 45

PolicyFlow Editor vs. PolicyAssistant

• PolicyFlow Editor: to edit the method_dispatch file and the *.pf files. Only viewable if not using the PolicyAssistant.
• PolicyAssistant: to create simple policies using a Wizard. Only viewable if not configuring a PolicyFlow.

The SMT knows which option to show based on the server property:

    provisioningInstalled = FALSE => PF
    provisioningInstalled = TRUE  => PA

[Table comparing PF and PA by configuration time and by what can be done]

Page 46

Policy Assistant (I)

A graphical wizard to configure "simple" AAA policies. It has a predefined policyflow (PF) reading configuration information from some text files: data.config-info, data.dnis-info.csv, data.realm-info.csv, policyassistant_properties. The PolicyAssistant (PA) wizard populates data in these files.

Page 47

Policy Assistant (II): Users Authentication

Page 48

Policy Assistant (III): Accounting info and USS for limits

Page 49

Policy Assistant (IV): Extra info and templates for authorization

Page 50

Policy Assistant (& V): Policy to realm mapping

Finally, a realm must be assigned to a Policy. Extra parameters can be configured related to:
• the USS where it is located (in case it is on a different host)
• extra limits based on DNIS and for the whole policy

Page 51

PolicyAssistant Accounting DB schema

When selecting to store the acct records in the internal DB (Hypersonic SQL), there are 2 tables to store the information:
• ACTIVE: stores the active connections at that moment
• ACCOUNTING: stores the already ended connections (historical data, for reporting, statistics, billing, etc.)

Page 52

Changing PolicySet

At any moment, we can change to the PolicyAssistant or install any of the predefined sample PolicyFlows. These PFs are under the <$VA>/run/samples directory; they are just copied to the <$VA>/run directory.