PolicyFlow
All Rights Reserved © Alcatel-Lucent | PolicyFlow

Module Objectives
- PolicyFlow syntax and files
- Understand the way a PolicyChain is executed and how variables are created, used and modified
- Templates and their advantages
- PolicyFlow configuration in the SMT
- Viewing PFs in a graph: PolicyGrapher
- PolicyAssistant
PolicyFlow Selection

method_dispatch:
    # Prot        Type                 Code   File   Method
    radiusAuth    Access-Request              aaa    readRadiusUser
    radiusAcct    Accounting-Request          aaa    writeDetail

aaa.pf:
    readRadiusUser
        Method-Type = "ReadUserFile"
        Method-On-Success = "checkPassword"
        ReadUserFile-Filename = "users"
    checkPassword
        Method-Type = "AuthLocal"
        Method-On-Success = "checkVerifications"
    checkVerifications
        Method-Type = "CheckItems"
    writeDetail
        Method-Type = "Classic"
        Classic-Filename = "radacct/${packet.Client-Name}/detail2"

The line matched in the method_dispatch file determines the initial method to be executed.
PolicyFlow Method Chains

Each time a method executes, it ends in one of the following three conditions:
- Success: the method succeeded (i.e. it found something or approved something). It did what was intended.
- Fail: the method failed (i.e. something could not be found, did not match, etc.).
- Error: the method was unable to execute (i.e. uncertainty due to abnormal conditions, mis-configuration or timeout) and could not determine whether it succeeded or failed.
Method syntax (revisited)

    method1                                   # unique name of the method
        Method-Type = ReadUserFile            # type of plug-in
        Method-Disabled = "FALSE"
        Method-On-Success = [file:]checkPwd   # what to do if the plug-in ends with success:
        Message-On-Success = "User found in file"   # which other method to invoke (and in which
        Level-On-Success = DEBUG                    # file it is stored), optionally generating a log
        Channel-On-Success = "LogToFile"
        Method-On-Failure = method2
        Message-On-Failure = "User not found in file"
        Level-On-Failure = INFO
        Channel-On-Failure = "LogToFile"
        Method-Timeout = 2000
        Method-On-Error =
        Message-On-Error = "File not found"
        Level-On-Error = "WARNING"
        Channel-On-Error = "LogToFile"
        ReadUserFile-Filename = "users"                        # plug-in properties
        ReadUserFile-SearchKey = "${packet.Base-User-Name}"

(Diagram: a method wraps a plug-in whose outcome is Success, Failure or Error.)
Default Actions

- Method-On-Success: if the method executes successfully and Method-On-Success is not defined, the PolicyFlow ends and an Access-Accept is sent (an Accounting-Response for accounting).
- Method-On-Fail: if the method execution ends in failure and Method-On-Fail is not defined, the PolicyFlow ends and an Access-Reject is sent. For accounting the packet is discarded: the NAS will not receive a response and will retransmit.
- Method-On-Error: if the method execution ends in error and Method-On-Error is not defined, the PolicyFlow ends and an Access-Reject is sent. It can be configured in server_properties to discard the packet instead. For accounting the packet is discarded: the NAS never receives a response and will retransmit.
- Method-Timeout: if the method does not complete execution before the timeout period, the method is aborted and Method-On-Error is followed.
Optional actions at the end of the PF

When the PolicyFlow ends, VitalAAA can perform two checks:
1. It looks to see whether the password has been checked (i.e. whether ${check.Password} is still defined). If the password has not been checked, the AuthLocal plug-in can be invoked automatically.
2. It checks whether there are any check items that still need to be tested (i.e. whether any attributes with the check prefix are still defined). If untested check items are found, the CheckItems plug-in can be invoked automatically.

These behaviours can be overridden by setting the Auto_CheckItem and/or Auto_Password server properties to false. They are also configurable via the SMT: Server Properties.
PolicyFlow Example 1

Example case #1:
- Look for a user record in user file #1.
- If the record is found, verify the password and check items.
  - If the password and check items are OK, send an Access-Accept; otherwise send an Access-Reject.
- If no record is found, send an Access-Reject.
PolicyFlow Example 1: Method dispatch

(Diagram: Method dispatch -> ReadUserFile (users) --succeed--> AuthLocal --succeed--> CheckItems --succeed--> Accept; a fail at any step -> Reject.)
- Look up the user in the users file. If we cannot find the user record, reject the request.
- Verify the password.
- Check the check items. If the check items or the password do not match, reject the request.
PolicyFlow Example 1

aaa.pf:
    read-user-file
        Method-Type = ReadUserFile
        Method-On-Success = pass-check
        ReadUserFile-Filename = users
    pass-check
        Method-Type = AuthLocal
        Method-On-Success = auth-check
    auth-check
        Method-Type = CheckItems

Remember, the default action for Method-On-Fail is to send an Access-Reject. If that behaviour is desired (as it is in our example), the Method-On-Fail control tag does not need to be specified.
PolicyFlow Example 1

users:
    user1   password = foobar, Service-Type = Framed-User
            Ascend-Assign-IP-Pool = 0, Framed-IP-Netmask =
    user2   password = secret, Service-Type = Framed-User
            Ascend-Assign-IP-Pool = 0, Framed-IP-Netmask =
    user3   password = cant-tell, Service-Type = Framed-User
            Ascend-Assign-IP-Pool = 0, Framed-IP-Netmask =
    user4   password = dont-ask, Service-Type = Framed-User
            Ascend-Assign-IP-Pool = 0, Framed-IP-Netmask =
PolicyFlow Example 1

Given the request:
    User-Name =
    password = cant-tell
    NAS-IP-Address =
    NAS-Port = 24
    Called-Station-Id =
    Service-Type = Framed-User

We start the PolicyFlow with the following attribute settings:
    request.User-Name =
    request.password = cant-tell
    request.NAS-IP-Address =
    request.NAS-Port = 24
    request.Called-Station-Id =
    request.Service-Type = Framed-User
    packet.Base-User-Name = user3      # added automatically before method_select
    packet.User-Realm = local          # added automatically before method_select
PolicyFlow Example 1

After reading the users file we now have:
    request.User-Name =
    request.password = cant-tell
    request.NAS-IP-Address =
    request.NAS-Port = 24
    request.Called-Station-Id =
    request.Service-Type = Framed-User
    packet.Base-User-Name = user3
    packet.User-Realm = local
    check.password = cant-tell             # read from the users file
    check.Service-Type = Framed-User       # read from the users file
    reply.Ascend-Assign-IP-Pool = 0        # read from the users file
    reply.Framed-IP-Netmask =              # read from the users file
PolicyFlow Example 1

The pass-check method uses the AuthLocal plug-in. If the password from the request and the one in the user record match, the password retrieved from the user record is deleted (i.e. it is removed from the check attributes):
    request.User-Name =
    request.password = cant-tell
    request.NAS-IP-Address =
    request.NAS-Port = 24
    request.Called-Station-Id =
    request.Service-Type = Framed-User
    packet.Base-User-Name = user3
    packet.User-Realm = local
    check.password = cant-tell             # removed by AuthLocal
    check.Service-Type = Framed-User
    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask =
PolicyFlow Example 1

The auth-check method uses the CheckItems plug-in. If the check items from the user record are true (i.e. they match items in the access request), they are removed:
    request.User-Name =
    request.password = cant-tell
    request.NAS-IP-Address =
    request.NAS-Port = 24
    request.Called-Station-Id =
    request.Service-Type = Framed-User
    check.password = cant-tell             # already removed by AuthLocal
    check.Service-Type = Framed-User       # removed by CheckItems
    packet.Base-User-Name = user3
    packet.User-Realm = local
    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask =
PolicyFlow Example 1

Finally the reply items (i.e. attributes with the reply prefix) are used to create an Access-Accept packet:
    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask =

The Access-Accept would be a RADIUS type 2 packet and would contain the following attributes:
    Ascend-Assign-IP-Pool = 0
    Framed-IP-Netmask =
Templates - Introduction

Templates provide a common reference point for reply item or check item sets that are often used by many users. They are a way of grouping together common attributes for groups of users.

(Diagram: user1, user2, user3 ... user_N point to template_1 (common attributes); user4 points to template_2 (common attributes).)
Templates - without a Template

users:
    bob     password = secret, NAS-Port-Type = Async, Time-of-Day =
            Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = ,
            Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
    chuck   password = canttell, NAS-Port-Type = Async, Time-of-Day =
            Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = ,
            Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
    sara    password = terces, NAS-Port-Type = Async, Time-of-Day =
            Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = ,
            Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
No Templates - Disadvantages

Note that except for the user name and password, each entry is otherwise identical. This approach also suffers from a number of weaknesses:
- It requires a lot of extra data entry work.
- It is prone to input errors.
- It wastes disk space.
- It makes changes very difficult.
Templates - Advantages

Using a template for the check items and reply items would make our task much easier. The file would look like this instead:

user_accounts:
    bob     password = secret
            Service-Template = Limited-Analog
    chuck   password = canttell
            Service-Template = Limited-Analog
    sara    password = terces
            Service-Template = Limited-Analog
    etc.
Templates - The Template File

To make this all work we will create a file, called service-templates, with the following entries:

service-templates:
    Limited-Analog   NAS-Port-Type = Async, Time-of-Day =
            Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = ,
            Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP,
            Session-Timeout = 3600                 # 1 hour
    Gold-Analog      NAS-Port-Type = Async
            Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = ,
            Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP,
            Session-Timeout =                      # 12 hours
    etc.
Templates - Methods

1. Read the things that are different for every user: password and template name.
2. Read the things that are common to a group of users: the parameters in that template.

    read-user-file
        Method-Type = ReadUserFile
        Method-On-Success = get-template
        ReadUserFile-Filename = user-accounts
    get-template
        Method-Type = ReadUserFile
        Method-On-Success = pass-check
        ReadUserFile-Filename = service-templates
        ReadUserFile-SearchKey = ${reply.Service-Template}
        # Now, we should delete the non-dictionary reply item
        ReadUserFile-Map = delete ${reply.Service-Template};
    pass-check
        Method-Type = AuthLocal
        Method-On-Success = auth-check
    auth-check
        Method-Type = CheckItems
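The following is an added example, not VitalAAA code: a small Python model of what the Method Chains, Default Actions, Example 1 and Templates slides describe, i.e. how a chain walks its methods, how the check.* and reply.* attribute sets change at each step, what happens when Method-On-Success/Fail/Error is absent, and how the end-of-PF Auto_Password/Auto_CheckItem checks cover anything still untested. The user, template and request values are constructed, and the files are held as pre-parsed dicts instead of users-file text.

```python
# Added example, not VitalAAA code: a Python model of how a PolicyFlow chain walks
# its methods over the request.*/packet.*/check.*/reply.* attributes, with the default
# Accept/Reject actions, the end-of-flow auto checks and the two-step template lookup.
import hmac, re

SUCCESS, FAIL, ERROR = "Success", "Fail", "Error"

# Constructed stand-ins for the ReadUserFile-Filename files: key -> (check items, reply items)
FILES = {
    "user-accounts": {"user3": ({"password": "cant-tell", "Service-Type": "Framed-User"},
                                {"Service-Template": "Limited-Analog"})},
    "service-templates": {"Limited-Analog": ({"NAS-Port-Type": "Async"},
                                             {"Framed-Protocol": "PPP", "Framed-MTU": "1500"})},
}

def resolve(attrs, s):  # expand ${prefix.Name} references such as ${packet.Base-User-Name}
    return re.sub(r"\$\{([^}]+)\}", lambda m: attrs.get(m.group(1), ""), s)

def read_user_file(attrs, props):
    entries = FILES[props["ReadUserFile-Filename"]]
    key = resolve(attrs, props.get("ReadUserFile-SearchKey", "${packet.Base-User-Name}"))
    if key not in entries:
        return FAIL
    attrs.update({"check." + k: v for k, v in entries[key][0].items()})
    attrs.update({"reply." + k: v for k, v in entries[key][1].items()})
    for m in re.finditer(r"delete \$\{([^}]+)\}", props.get("ReadUserFile-Map", "")):
        attrs.pop(m.group(1), None)                 # only "delete" maps are modelled
    return SUCCESS

def auth_local(attrs, props):
    if "check.password" not in attrs:
        return ERROR                                # nothing to verify against
    if not hmac.compare_digest(attrs["check.password"].encode(),
                               attrs.get("request.password", "").encode()):
        return FAIL
    del attrs["check.password"]                     # the verified item is removed
    return SUCCESS

def check_items(attrs, props):
    for name in [a for a in attrs if a.startswith("check.")]:
        if attrs.get("request." + name[6:]) != attrs[name]:
            return FAIL
        del attrs[name]                             # a matched item is removed
    return SUCCESS

PLUGINS = {"ReadUserFile": read_user_file, "AuthLocal": auth_local, "CheckItems": check_items}
def run_policy_flow(methods, start, attrs):
    name = start
    while name is not None:
        method = methods[name]
        result = PLUGINS[method["Method-Type"]](attrs, method)
        name = method.get("Method-On-" + result)    # absent => default action applies
    if result != SUCCESS:                           # default On-Fail / On-Error: Reject
        return "Access-Reject", {}
    # End of PF: Auto_Password / Auto_CheckItem cover anything still untested.
    if "check.password" in attrs and auth_local(attrs, {}) != SUCCESS:
        return "Access-Reject", {}
    if any(a.startswith("check.") for a in attrs) and check_items(attrs, {}) != SUCCESS:
        return "Access-Reject", {}
    return "Access-Accept", {k[6:]: v for k, v in attrs.items() if k.startswith("reply.")}

AAA_PF = {  # the Templates slide's methods, as dicts rather than aaa.pf syntax
    "read-user-file": {"Method-Type": "ReadUserFile", "Method-On-Success": "get-template",
                       "ReadUserFile-Filename": "user-accounts"},
    "get-template": {"Method-Type": "ReadUserFile", "Method-On-Success": "pass-check",
                     "ReadUserFile-Filename": "service-templates",
                     "ReadUserFile-SearchKey": "${reply.Service-Template}",
                     "ReadUserFile-Map": "delete ${reply.Service-Template};"},
    "pass-check": {"Method-Type": "AuthLocal", "Method-On-Success": "auth-check"},
    "auth-check": {"Method-Type": "CheckItems"}}
```

Running the chain with a request dict such as {"request.password": "cant-tell", "request.Service-Type": "Framed-User", "request.NAS-Port-Type": "Async", "packet.Base-User-Name": "user3"} yields an Access-Accept carrying only the template's reply items; a wrong password, a NAS-Port-Type other than Async or an unknown user each end in Access-Reject through the default actions.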
Templates - Final Thoughts

- Templates can be retrieved from any data source: delimited files, database records, LDAP, etc.
- However, standard users files are usually the best choice for template storage:
  - They are read into memory and cached at startup.
  - They can be reloaded without restarting the PolicyServer.
  - Check item and reply item mapping is simplified.
- Separate templates can be provided for reply items and check items, which is handy when users can have any combination of reply items and check items.
- Specific reply items and check items could still be used for each user.
PolicyFlow Example 2

Example case #2:
- Look for a user record in the LDAP directory.
- If the record is found, retrieve the template.
- If the template is found, check the password and check items.
- If the password and check items are OK, send an Access-Accept; otherwise send an Access-Reject.
PolicyFlow Example 2: Method dispatch

(Diagram: Method dispatch -> Ldap --succeed--> ReadUserFile --succeed--> AuthLocal --succeed--> CheckItems --succeed--> Accept; Ldap fail/error -> Reject; ReadUserFile, AuthLocal or CheckItems fail -> Reject.)
- Start by doing an LDAP query. Save the service-type field contents in ${user.Service-Class}.
- Look up the service type in a text file.
- Finish by checking the password and any check items from the service-type entry.
- Return the reply attributes from the service-type entry in an Access-Accept packet.
- Reject the attempt if we fail to find the user in LDAP or if the password or check item tests fail.
PolicyFlow Example 2

    ldap-query
        Method-Type = Ldap
        Method-On-Success = get-template
        Method-Timeout = 2000
        Ldap-Host = directory.isp1.net
        Ldap-Operation = SEARCH
        Ldap-BindDN = "cn = dir_man, o = isp1, c = US"
        Ldap-BindPasswd = 7olleh-44
        Ldap-SearchBase = "o = isp1, c = US"
        Ldap-SearchFilter = "uid = ${packet.Base-User-Name}"
        Ldap-Map = "${check.Password} = ${Password};"
        Ldap-Map = "${user.Service-Class} = ${Service-Type};"
    get-template
        Method-Type = ReadUserFile
        Method-On-Success = pass-check
        ReadUserFile-Filename = template-file
        ReadUserFile-SearchKey = ${user.Service-Class}
    pass-check
        Method-Type = AuthLocal
        Method-On-Success = auth-check
    auth-check
        Method-Type = CheckItems

Note that the bind password is stored in clear text in the .pf file and that ${packet.Base-User-Name} comes straight from the request: the .pf file should be protected by file permissions, and the user name should be validated (or LDAP filter metacharacters escaped) before it is interpolated into Ldap-SearchFilter.
PolicyFlow Example 2

An example LDAP entry:
    o = isp1
    c = US
    uid = happy
    Password = secret
    Service-Type = basic-analog

template-file:
    basic-analog   Prohibit-NAS-Port-Type = Sync
            Ascend-Assign-IP-Pool = 0, Framed-IP-Netmask =
    isdn           # Note there are no check items
            Ascend-Assign-IP-Pool = 0, Framed-IP-Netmask = , Port-Limit = 2
PolicyFlow Example 2

Given the request:
    User-Name =
    password = secret
    NAS-IP-Address =
    NAS-Port = 24
    NAS-Port-Type = Async
    Called-Station-Id =
    Service-Type = Framed-User
PolicyFlow Example 2

We start the PolicyFlow with the following attribute settings:
    request.User-Name =
    request.password = secret
    request.NAS-IP-Address =
    request.NAS-Port = 24
    request.NAS-Port-Type = Async
    request.Called-Station-Id =
    request.Service-Type = Framed-User
    packet.Base-User-Name = happy
    packet.User-Realm = isp1
PolicyFlow Example 2

After performing a successful LDAP query, we now have the following data saved in the internal attributes:
    request.User-Name =
    request.password = secret
    request.NAS-IP-Address =
    request.NAS-Port = 24
    request.NAS-Port-Type = Async
    request.Called-Station-Id =
    request.Service-Type = Framed-User
    packet.Base-User-Name = happy
    packet.User-Realm = isp1
    check.Password = secret                # mapped from the LDAP entry
    user.Service-Class = basic-analog      # mapped from the LDAP entry
PolicyFlow Example 2

Next we look up the basic-analog template. Now the internal attribute list looks like this:
    request.User-Name =
    request.password = secret
    request.NAS-IP-Address =
    request.NAS-Port = 24
    request.NAS-Port-Type = Async
    request.Called-Station-Id =
    request.Service-Type = Framed-User
    packet.Base-User-Name = happy
    packet.User-Realm = isp1
    check.Password = secret
    check.Prohibit-NAS-Port-Type = Sync    # read from template-file
    user.Service-Class = basic-analog
    reply.Ascend-Assign-IP-Pool = 0        # read from template-file
    reply.Framed-IP-Netmask =              # read from template-file
PolicyFlow Example 2

If the password from the request and the one in the user record match, the password retrieved from the user record is deleted from the check items:
    request.User-Name =
    request.password = secret
    request.NAS-IP-Address =
    request.NAS-Port = 24
    request.NAS-Port-Type = Async
    request.Called-Station-Id =
    request.Service-Type = Framed-User
    packet.Base-User-Name = happy
    packet.User-Realm = isp1
    check.Password = secret                # removed by AuthLocal
    check.Prohibit-NAS-Port-Type = Sync
    user.Service-Class = basic-analog
    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask =
PolicyFlow Example 2

If the check items from the user record are true (i.e. they match items in the access request), they are removed:
    request.User-Name =
    request.password = secret
    request.NAS-IP-Address =
    request.NAS-Port = 24
    request.NAS-Port-Type = Async
    request.Called-Station-Id =
    request.Service-Type = Framed-User
    packet.Base-User-Name = happy
    packet.User-Realm = isp1
    check.Password = secret                # already removed by AuthLocal
    check.Prohibit-NAS-Port-Type = Sync    # removed by CheckItems
    user.Service-Class = basic-analog
    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask =
PolicyFlow Example 2

Finally the reply items are used to create an Access-Accept packet:
    reply.Ascend-Assign-IP-Pool = 0
    reply.Framed-IP-Netmask =

The Access-Accept would be a RADIUS type 2 packet and would contain the following attributes:
    Ascend-Assign-IP-Pool = 0
    Framed-IP-Netmask =
PolicyFlows Linkage (I)

(Diagram: a Branch method selects on the realm. realm = local -> ReadUserFile chain -> Accept or Reject; realm = isp1 -> Ldap chain -> Accept or Reject.)
PolicyFlows Linkage (II)

method_dispatch:
    # Prot        Type                 Code   File   Method
    radiusAuth    Access-Request              aaa    Branch4realms
    radiusAcct    Accounting-Request          aaa    writeDetail

aaa.pf:
    Branch4realms
        Method-Type = "Branch"
        Branch-Case = "local read-user-file
                       isp1  ldap-query"
        Branch-SelectMode = "KEY"
        Branch-SearchKey = "${packet.User-Realm}"
        Branch-IgnoreCase = "TRUE"
    ldap-query
        Method-Type = ReadLdap
        …
    read-user-file
        Method-Type = ReadUserFile
        …
PolicyFlow Linkage (III)

The initial branch can be made on any VA variable:
- Service-Type = ${request.Service-Type}
  - Framed: for PPP users
  - Call-Check: for pre-auth in dial-up
  - Outbound: for pseudo-users
  - Administrative: for routers/NAS administrators
- Client class = ${client.Client-Class}
- Calling or Called station id
- Type of accounting packet = ${request.Acct-Status-Type}: Start, Stop, Interim, Accounting-On, Accounting-Off

A WILDCARD select mode can also be used:
    Branch-SearchKey = "${request.Called-Station-Id}"
    Branch-Case = "909* check_calling
                   908* accept_call"
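An added example, not VitalAAA code, modelling the Branch method from the linkage slides: the Branch-Case list is parsed into key/method pairs and the search key is selected in KEY mode (exact match, optionally ignoring case) or WILDCARD mode (shell-style globs, an assumption about how the real plug-in matches). The realms, Called-Station-Id values and method names are constructed; a None result stands for the method ending in Fail, which without Method-On-Fail means the default Access-Reject.

```python
# Added example, not VitalAAA code: a Python model of the Branch method's KEY and
# WILDCARD select modes. Branch-Case strings and lookup values are constructed, and
# WILDCARD matching is assumed to follow shell-style globbing.
import fnmatch
import re

def resolve(attrs, s):  # expand ${prefix.Name} references such as ${packet.User-Realm}
    return re.sub(r"\$\{([^}]+)\}", lambda m: attrs.get(m.group(1), ""), s)

def parse_branch_cases(text):
    """'local read-user-file isp1 ldap-query' -> [('local', 'read-user-file'), ...]"""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("Branch-Case must hold <key> <method> pairs")
    return list(zip(tokens[::2], tokens[1::2]))

def branch(attrs, props):
    """Return the next method name, or None when no case matches (the method Fails)."""
    mode = props.get("Branch-SelectMode", "KEY").upper()     # KEY assumed as default
    if mode not in ("KEY", "WILDCARD"):
        raise ValueError("unsupported Branch-SelectMode: " + mode)
    ignore_case = props.get("Branch-IgnoreCase", "FALSE").upper() == "TRUE"
    fold = str.lower if ignore_case else str
    key = fold(resolve(attrs, props["Branch-SearchKey"]))
    for case, method in parse_branch_cases(props["Branch-Case"]):
        case = fold(case)
        if (case == key) if mode == "KEY" else fnmatch.fnmatchcase(key, case):
            return method                                    # first matching case wins
    return None

# The realm branch from the linkage slides and a DNIS branch in WILDCARD mode.
BRANCH4REALMS = {"Method-Type": "Branch", "Branch-SelectMode": "KEY",
                 "Branch-SearchKey": "${packet.User-Realm}", "Branch-IgnoreCase": "TRUE",
                 "Branch-Case": "local read-user-file isp1 ldap-query"}
BY_DNIS = {"Method-Type": "Branch", "Branch-SelectMode": "WILDCARD",
           "Branch-SearchKey": "${request.Called-Station-Id}",
           "Branch-Case": "909* check_calling 908* accept_call"}
```

Because the first matching case wins, a WILDCARD case list should be ordered from most to least specific, and a request whose realm or DNIS matches nothing is rejected unless the Branch method carries a Method-On-Fail.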
Cron-based PolicyFlows (new in 5.2)

It is also possible to start a PF based on time, similar to UNIX crontabs. The ${request.*} variables can be specified.

method_dispatch:
    # Protocol   Type          Code   File   Method
    #
    radius       auth          1      aaa    readRadiusUser
    cron         "0 * * * *"          aaa    WriteLog
    radius       acct          4      aaa    updateLocalLimits
PolicyFlow - Method Dispatch
PolicyFlow - PF files

Here we can see all configured methods, create or delete others, configure the Method-On-Success/Fail/Error targets, and add extra PF files.
PolicyFlow - Methods Configuration
PolicyGrapher (I)

There is a tool to represent a PF in a graphical format. It uses third-party software called GraphViz, from AT&T, which must be installed separately from VA. The PolicyGraph can be viewed from the SMT or saved to a gif file.

(Diagram: xxx.pf -> SMT -> xxx.dot -> GraphViz -> xxx.gif|jpg…)
PolicyGrapher (II)

It has to be configured:
- the grapher program to use (dot.exe is recommended) and the directory where it has been installed;
- extra parameters related to colours and shapes, and whether to explicitly graph the success, failure or error nodes that represent the end of the PF.

The properties are stored in the /run/policygraph.properties file.
PolicyGrapher (III)
PolicyFlow Editor vs. PolicyAssistant

- PolicyFlow Editor: to edit the method_dispatch file and the *.pf files. Only visible when the PolicyAssistant is not in use.
- PolicyAssistant: to create simple policies using a wizard. Only visible when a PolicyFlow is not being configured.

The SMT knows which option to show based on the server property:
    provisioningInstalled = FALSE => PF
    provisioningInstalled = TRUE  => PA

(Chart: configuration time vs. what can be done, comparing PF and PA.)
Policy Assistant (I)

A graphical wizard to configure simple AAA policies. It has a predefined PolicyFlow (PF) that reads configuration information from some text files: data.config-info, data.dnis-info.csv, data.realm-info.csv and policyassistant_properties. The PolicyAssistant (PA) wizard populates the data in these files.
Policy Assistant (II): User Authentication
Policy Assistant (III): Accounting info and USS for limits
Policy Assistant (IV): Extra info and templates for authorization
Policy Assistant (V): Policy to realm mapping

Finally, a realm must be assigned to a policy. Extra parameters can be configured:
- the USS where it is located (in case it is on a different host);
- extra limits based on DNIS and for the whole policy.
PolicyAssistant Accounting DB schema

When choosing to store the accounting records in the internal DB (Hypersonic SQL), there are two tables to store the information:
- ACTIVE: stores the connections that are active at that moment.
- ACCOUNTING: stores the connections that have already ended (historical data for reporting, statistics, billing, etc.).
Changing PolicySet

At any moment we can switch to the PolicyAssistant or install any of the predefined sample PolicyFlows. These PFs are under the /run/samples directory; installing one simply copies it to the /run directory.