Telkom Openserve IPC user authentication setup

  1. Set up NAS for POD and Proxy requests
  2. Add custom radius attributes
  3. Set up radius service
  4. Troubleshooting failed disconnections

Introduction

This is a guide on how to set up a radius user in DataTill to authenticate and disconnect through Telkom IPC.

1. Set up all of the NASs that are used for POD and Proxy Requests

  • Go to Radius -> NAS List
  • Add the IPs that are used for the POD and Proxy requests with Telkom’s secret (telkom_radius_secret).
  • Example IPs
    • 196.43.1.86
    • 196.43.1.87
    • 196.43.1.88
    • 196.43.1.89
    • 196.43.3.86
    • 196.43.3.87

2. Add Custom Radius Attributes

  • Go to Radius -> Custom Radius Attributes
  • Click on Add Attribute.
  • Make the Attribute Name ‘Cisco-AVPair’.
  • Make the Operand ‘+=’.
  • Assign the Compatible NAS type as Cisco.
  • Add an Attribute Description if necessary.
  • Click Save Changes.
  • Screenshot below for visual representation.

[Screenshot: ipcattribute]

3. Set up Radius Service

  • Go to Radius -> Radius Services
  • Click on Add Service.
  • Set up the radius service details as usual (click here for a guide on adding a radius service).
  • Navigate to the Radius Attribute tab.
  • Click on Add Custom Attribute.
    • Add the following three Cisco-AVPair attribute values with the quotation marks:
      • Value (Your Loopback Interface): “ip:ip-unnumbered=LoopbackXXXX”
        • LoopbackXXXX is the Loopback interface associated with the address pool.
      • Value (Your Address Pool): “ip:addr-pool=YYYY”
        • YYYY is the address pool name from which an IP address should be allocated to the user.
      • Value (Your primary and secondary DNS servers): “ip:dns-servers=a.a.a.a b.b.b.b”
        • Replace a.a.a.a with the IP address of your Primary DNS server and b.b.b.b with your secondary DNS server.
  • After this the Radius Service can be assigned to a Data Package and then to a Radius User where the Custom Radius Attributes will be applied for IPC Authentication.
  • Below are screenshots of the setup. The first screenshot shows the Radius Attributes on the Radius Service and the second shows them on the Radius User.

Radius Service Attributes

[Screenshot: radius-attributes-ipc]

Radius User Attributes (Automatically assigned after Data Package is assigned to the user)

[Screenshot: radius-user-ipc]
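The three Cisco-AVPair values above are typed by hand, and a mistyped loopback name, pool name or DNS address only shows up later as a failed IPC session. The following is an added example (not DataTill code) that validates those placeholders and produces the values exactly as they must be entered, quotation marks included. The regular expressions for the loopback and pool names, the DNS address checks, and the users-file rendering in `as_reply_items` are assumptions made for this illustration; the DNS addresses in the usage are RFC 5737 documentation addresses, not real servers.

```python
import ipaddress
import re

# Added example, not DataTill code. Assumed formats: Cisco loopbacks are
# named LoopbackNNNN; pool names are kept to a conservative character set.
LOOPBACK_RE = re.compile(r"^Loopback\d{1,4}$")
POOL_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def _check_dns(label, addr):
    """Reject anything that is not a usable unicast IPv4 address."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"{label} DNS server {addr!r} is not a valid IPv4 address") from exc
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        raise ValueError(f"{label} DNS server {addr!r} is not a usable unicast address")
    return str(ip)


def build_ipc_avpairs(loopback, pool, primary_dns, secondary_dns):
    """Return the three Cisco-AVPair values for an IPC radius service,
    in the order given in section 3, each wrapped in double quotes."""
    if not LOOPBACK_RE.match(loopback):
        raise ValueError(f"loopback must look like LoopbackNNNN, got {loopback!r}")
    if not POOL_NAME_RE.match(pool):
        raise ValueError(f"address pool name {pool!r} contains unexpected characters")
    primary = _check_dns("primary", primary_dns)
    secondary = _check_dns("secondary", secondary_dns)
    if primary == secondary:
        raise ValueError("primary and secondary DNS servers must differ")
    return [
        f'"ip:ip-unnumbered={loopback}"',
        f'"ip:addr-pool={pool}"',
        f'"ip:dns-servers={primary} {secondary}"',
    ]


def as_reply_items(avpairs):
    """Render the values as 'Cisco-AVPair += ...' reply items using the
    operand chosen in section 2. FreeRADIUS users-file syntax is assumed
    here; DataTill stores the attributes in its own UI/database."""
    return ",\n".join(f"\tCisco-AVPair += {value}" for value in avpairs)


if __name__ == "__main__":
    # Constructed values: a hypothetical loopback and pool, documentation DNS addresses.
    pairs = build_ipc_avpairs("Loopback100", "IPC_POOL", "192.0.2.53", "198.51.100.53")
    print(as_reply_items(pairs))
```

Run it before entering the attributes; a ValueError names the field that needs correcting, and the printed lines can be compared character for character with what is typed into the Radius Attribute tab.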


4. Troubleshooting failed disconnections

If DataTill fails to disconnect Openserve IPC connections then it is most likely related to NAT or firewall issues.

DataTill sends the radius disconnect request to one of the Telkom radius proxy servers in the 196.43.0.0/16 network range.

The Telkom proxy will only accept requests directed to UDP port 1700 and originating from the IP address associated with your IPC. If the disconnect packets are NAT’ed to another public IP then these requests will be ignored by the Telkom radius proxy.

To test whether your DataTill instance can successfully communicate with the Telkom proxy, run the following command on the command line of your DataTill server:

echo 'User-Name=dummy@testrealm.co.za,Acct-Session-Id=0CA77E20022BAD5S0BAD50,Framed-IP-Address=10.11.12.13,NAS-IP-Address=10.10.10.10'|/usr/local/bin/radclient -c '1' -n '1' -r '1' -t '1' -x 196.43.1.86:1700 disconnect telkom_radius_secret

A successful response would look like this:

Sending Disconnect-Request of id 89 to 196.43.1.86 port 1700
User-Name = "dummy@testrealm.co.za"
Acct-Session-Id = "0CA77E20022BAD5S0BAD50"
Framed-IP-Address = 10.11.12.13
NAS-IP-Address = 10.10.10.10

rad_recv: Disconnect-NAK packet from host 196.43.1.86 port 1700, id=89, length=26
Error-Cause = Session-Context-Not-Found

The “rad_recv” line indicates a valid response received back from the Telkom radius proxy. The error in the result indicates that the session we wanted disconnected does not exist on their end.

An unsuccessful response will look like this:

Sending Disconnect-Request of id 136 to 196.43.1.86 port 1700
User-Name = "dummy@testrealm.co.za"
Acct-Session-Id = "0CA77E20022BAD5S0BAD50"
Framed-IP-Address = 10.11.12.13
NAS-IP-Address = 10.10.10.10

radclient: no response from server for ID 136 socket 3

Note the ‘no response’ section. This indicates that either the packet did not arrive at the Telkom radius proxy or the Telkom radius proxy ignored the request as it originated from a non-authorised source IP.
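Reading the radclient output by eye works for a one-off test, but if the check is run from a cron job or a monitoring probe the result needs to be classified mechanically. The following is an added example (not DataTill or FreeRADIUS code) that turns the output shapes shown above into a verdict: an ACK means the proxy tore a session down, a NAK with Session-Context-Not-Found means the proxy is reachable and accepts our source IP, and “no response” points at NAT or filtering. The sample outputs are constructed to mirror the two transcripts on this page plus an assumed Disconnect-ACK case; the verdict names are this example's own.

```python
import re

# Added example, not DataTill code. Patterns follow the radclient output
# shown in the troubleshooting section; the Disconnect-ACK line is assumed
# to have the same shape as the Disconnect-NAK line.
SENT_RE = re.compile(r"Sending Disconnect-Request of id (\d+) to (\S+) port (\d+)")
RECV_RE = re.compile(
    r"rad_recv: (Disconnect-ACK|Disconnect-NAK) packet from host (\S+) port (\d+), id=(\d+)"
)
CAUSE_RE = re.compile(r"Error-Cause = (\S+)")
NO_RESPONSE_RE = re.compile(r"radclient: no response from server for ID (\d+)")

# Constructed samples (the first two copy the transcripts on the page).
NAK_OUTPUT = """Sending Disconnect-Request of id 89 to 196.43.1.86 port 1700
User-Name = "dummy@testrealm.co.za"
Acct-Session-Id = "0CA77E20022BAD5S0BAD50"
Framed-IP-Address = 10.11.12.13
NAS-IP-Address = 10.10.10.10

rad_recv: Disconnect-NAK packet from host 196.43.1.86 port 1700, id=89, length=26
Error-Cause = Session-Context-Not-Found
"""
TIMEOUT_OUTPUT = """Sending Disconnect-Request of id 136 to 196.43.1.86 port 1700
User-Name = "dummy@testrealm.co.za"
Acct-Session-Id = "0CA77E20022BAD5S0BAD50"
Framed-IP-Address = 10.11.12.13
NAS-IP-Address = 10.10.10.10

radclient: no response from server for ID 136 socket 3
"""
ACK_OUTPUT = """Sending Disconnect-Request of id 7 to 196.43.1.86 port 1700
rad_recv: Disconnect-ACK packet from host 196.43.1.86 port 1700, id=7, length=20
"""


def classify_radclient_output(text):
    """Return (verdict, detail) for one radclient disconnect run.

    verdicts: 'disconnected' (ACK), 'reachable' (NAK, session unknown, so the
    proxy accepts our packets), 'rejected' (NAK with another Error-Cause),
    'no-response' (packet blocked or source IP NATed), 'unknown'.
    """
    sent = SENT_RE.search(text)
    recv = RECV_RE.search(text)
    if recv:
        kind, host, port, req_id = recv.groups()
        if sent and sent.group(1) != req_id:
            return "unknown", f"reply id {req_id} does not match request id {sent.group(1)}"
        if kind == "Disconnect-ACK":
            return "disconnected", f"{host}:{port} acknowledged request id {req_id}"
        cause_m = CAUSE_RE.search(text)
        cause = cause_m.group(1) if cause_m else "no Error-Cause attribute"
        verdict = "reachable" if cause == "Session-Context-Not-Found" else "rejected"
        return verdict, f"{host}:{port} answered id {req_id} with {cause}"
    timeout = NO_RESPONSE_RE.search(text)
    if timeout:
        return "no-response", (
            f"no reply for id {timeout.group(1)}: confirm the packets leave from the IP "
            "registered for your IPC and that UDP/1700 to the proxy is not NATed or filtered"
        )
    return "unknown", "unrecognised radclient output"


if __name__ == "__main__":
    for sample in (NAK_OUTPUT, TIMEOUT_OUTPUT, ACK_OUTPUT):
        print(classify_radclient_output(sample))
```

Pipe the real radclient command into this (`radclient ... 2>&1 | python3 check_ipc.py`, adapting the script to read stdin) and alert on anything other than `reachable` or `disconnected`; a `no-response` verdict is the NAT or firewall case described above, and a `rejected` verdict surfaces an Error-Cause worth reading before retrying.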