PolicyFlow. All Rights Reserved © Alcatel-Lucent 2007

Presentation transcript:

PolicyFlow

All Rights Reserved © Alcatel-Lucent | PolicyFlow

Module Objectives
- PolicyFlow syntax and files
- Understand the way a PolicyChain is executed and how variables are created, used and modified
- Templates and their advantages
- PolicyFlow configuration in the SMT
- Viewing PFs as a graph: PolicyGrapher
- PolicyAssistant

PolicyFlow Selection

method_dispatch:
  # Prot        Type                Code  File  Method
  radiusAuth    Access-Request            aaa   readRadiusUser
  radiusAcct    Accounting-Request        aaa   writeDetail

aaa.pf:
  readRadiusUser
    Method-Type = "ReadUserFile"
    Method-On-Success = "checkPassword"
    ReadUserFile-Filename = "users"
  checkPassword
    Method-Type = "AuthLocal"
    Method-On-Success = "checkVerifications"
  checkVerifications
    Method-Type = "CheckItems"
  writeDetail
    Method-Type = "Classic"
    Classic-Filename = "radacct/${packet.Client-Name}/detail2"

The line matched in the method_dispatch file determines the initial method to be executed.

PolicyFlow Method Chains

Each time a method executes, it can result in one of the three following conditions:
- Success - The method succeeded (i.e. it found something or approved something). It did what was intended.
- Fail - The method failed (i.e. something could not be found, did not match, etc.).
- Error - The method was unable to execute (i.e. uncertainty due to abnormal conditions, mis-configuration or timeout) and could not determine whether it succeeded or failed.

Method syntax (revisited)

  method1                                          Unique name of the method
    Method-Type = ReadUserFile                     Type of plug-in
    Method-Disabled = "FALSE"

    Method-On-Success = [file:]checkPwd            What to do if the plug-in ends with success:
    Message-On-Success = "User found in file"      which other method to invoke (and in which
    Level-On-Success = DEBUG                       file it is stored), optionally generating
    Channel-On-Success = "LogToFile"               a log

    Method-On-Failure = method2
    Message-On-Failure = "User not found in file"
    Level-On-Failure = INFO
    Channel-On-Failure = "LogToFile"

    Method-Timeout = 2000
    Method-On-Error = ""
    Message-On-Error = "File not found"
    Level-On-Error = "WARNING"
    Channel-On-Error = "LogToFile"

    ReadUserFile-Filename = "users"                Plug-in properties
    ReadUserFile-SearchKey = "${packet.Base-User-Name}"

[Diagram: a Method wraps a PLUG-IN; the plug-in's Success, Failure or Error outcome selects the next method]

Default Actions

Method-On-Success
- If the method executes successfully and Method-On-Success is not defined, the PolicyFlow ends and an Access-Accept is sent (or an Accounting-Response for accounting).
Method-On-Fail
- If the method execution ends in failure and Method-On-Fail is not defined, the PolicyFlow ends and an Access-Reject is sent.
- For accounting the packet is discarded instead: the NAS will not receive a response and will retransmit.
Method-On-Error
- If the method execution ends in error and Method-On-Error is not defined, the PolicyFlow ends and an Access-Reject is sent.
  - It can be configured in server_properties to discard the packet instead.
- For accounting the packet is discarded: the NAS never receives a response and will retransmit.
Method-Timeout
- If the method does not complete execution before the timeout period, the PF ends and Method-On-Error is followed.

Optional actions at the end of the PF

When the PolicyFlow ends, VitalAAA can perform two checks:
- First, it looks to see whether the password has been checked (i.e. whether ${check.Password} is still defined). If the password has not been checked, the AuthLocal plug-in can be invoked automatically.
- Second, it checks whether any check-items still need to be tested (i.e. whether any attributes with the check prefix are still defined). If untested check-items are found, the CheckItems plug-in can be invoked automatically.

These behaviours can be overridden by setting the Auto_CheckItem and/or Auto_Password server properties to false. They are also configurable via the SMT: Server Properties.

PolicyFlow Example 1

Example case #1
- Look for a user record in user file #1
- If the record is found, verify the password and check-items
  - If the password and check-items are OK, send an Access-Accept
  - Otherwise, send an Access-Reject
- If no record is found, send an Access-Reject

PolicyFlow Example 1 - Method dispatch

[Diagram: method_dispatch -> ReadUserFile (users) --succeed--> AuthLocal --succeed--> CheckItems --succeed--> Accept; a fail at any of the three methods leads to Reject]
- Look up the user in the users file
- If we cannot find the user record, reject the request
- Verify the password
- Check the check-items
- If the check-items or the password do not match, reject the request

PolicyFlow Example 1

aaa.pf:
  read-user-file
    Method-Type = ReadUserFile
    Method-On-Success = pass-check
    ReadUserFile-Filename = users
  pass-check
    Method-Type = AuthLocal
    Method-On-Success = auth-check
  auth-check
    Method-Type = CheckItems

Remember, the default action for Method-On-Fail is to send an Access-Reject. If that behaviour is desired (as it is in our example), the Method-On-Fail control tag does not need to be specified.

PolicyFlow Example 1

users:
  user1   password = foobar  Service-Type = Framed-User
          Ascend-Assign-IP-Pool = 0
          Framed-IP-Netmask =
  user2   password = secret  Service-Type = Framed-User
          Ascend-Assign-IP-Pool = 0
          Framed-IP-Netmask =
  user3   password = cant-tell  Service-Type = Framed-User
          Ascend-Assign-IP-Pool = 0
          Framed-IP-Netmask =
  user4   password = dont-ask  Service-Type = Framed-User
          Ascend-Assign-IP-Pool = 0
          Framed-IP-Netmask =

PolicyFlow Example 1

Given the request:
  User-Name =
  password = cant-tell
  NAS-IP-Address =
  NAS-Port = 24
  Called-Station-Id =
  Service-Type = Framed-User

We start the PolicyFlow with the following attribute settings:
  request.User-Name =
  request.password = cant-tell
  request.NAS-IP-Address =
  request.NAS-Port = 24
  request.Called-Station-Id =
  request.Service-Type = Framed-User
  packet.Base-User-Name = user3        } added automatically before method_select
  packet.User-Realm = local            }

PolicyFlow Example 1

After reading the users file we now have:
  request.User-Name =
  request.password = cant-tell
  request.NAS-IP-Address =
  request.NAS-Port = 24
  request.Called-Station-Id =
  request.Service-Type = Framed-User
  packet.Base-User-Name = user3
  packet.User-Realm = local
  check.password = cant-tell           } read from the users file
  check.Service-Type = Framed-User     }
  reply.Ascend-Assign-IP-Pool = 0      }
  reply.Framed-IP-Netmask =            }

PolicyFlow Example 1

The pass-check method uses the AuthLocal plug-in. If the password from the request and the user record match, the password retrieved from the user record is deleted (i.e. it is removed from the check attributes):
  request.User-Name =
  request.password = cant-tell
  request.NAS-IP-Address =
  request.NAS-Port = 24
  request.Called-Station-Id =
  request.Service-Type = Framed-User
  packet.Base-User-Name = user3
  packet.User-Realm = local
  check.password = cant-tell           <- removed: it matched the request
  check.Service-Type = Framed-User
  reply.Ascend-Assign-IP-Pool = 0
  reply.Framed-IP-Netmask =

PolicyFlow Example 1

The auth-check method uses the CheckItems plug-in. If the check items from the user record are true (i.e. they match items in the access request), they are removed:
  request.User-Name =
  request.password = cant-tell
  request.NAS-IP-Address =
  request.NAS-Port = 24
  request.Called-Station-Id =
  request.Service-Type = Framed-User
  packet.Base-User-Name = user3
  packet.User-Realm = local
  check.Service-Type = Framed-User     <- removed: it matched the request
  reply.Ascend-Assign-IP-Pool = 0
  reply.Framed-IP-Netmask =

PolicyFlow Example 1

Finally the reply items (i.e. attributes with the reply prefix) are used to create an Access-Accept packet:
  reply.Ascend-Assign-IP-Pool = 0
  reply.Framed-IP-Netmask =

The Access-Accept would be a RADIUS type 2 packet and would contain the following attributes:
  Ascend-Assign-IP-Pool = 0
  Framed-IP-Netmask =

Templates - Introduction

Templates are used to provide a common reference point for reply item or check item sets that are often used for many users. It is a way of grouping together common attributes for groups of users.

[Diagram: user1, user2, user3 ... user_N and user4 each point at one of template_1 and template_2, which hold the common attributes]

Templates - without a Template

users:
  bob     password = secret  NAS-Port-Type = Async  Time-of-Day =
          Framed-Protocol = PPP,
          Ascend-Assign-IP-Pool = 1,
          Framed-IP-Netmask = ,
          Framed-MTU = 1500,
          Framed-Compression = Van-Jacobsen-TCP-IP
  chuck   password = canttell  NAS-Port-Type = Async  Time-of-Day =
          Framed-Protocol = PPP,
          Ascend-Assign-IP-Pool = 1,
          Framed-IP-Netmask = ,
          Framed-MTU = 1500,
          Framed-Compression = Van-Jacobsen-TCP-IP
  sara    password = terces  NAS-Port-Type = Async  Time-of-Day =
          Framed-Protocol = PPP,
          Ascend-Assign-IP-Pool = 1,
          Framed-IP-Netmask = ,
          Framed-MTU = 1500,
          Framed-Compression = Van-Jacobsen-TCP-IP

No Templates - Disadvantages

Note that except for the User-Name and password, each entry is otherwise identical. This approach also suffers from a number of weaknesses:
- It requires a lot of extra data entry work
- It is prone to input errors
- It wastes disk space
- It makes changes very difficult

Templates - Advantages

Using a template for the check items and reply items would make our task much easier. The file would look like this instead:

user_accounts:
  bob     password = secret
          Service-Template = Limited-Analog
  chuck   password = canttell
          Service-Template = Limited-Analog
  sara    password = terces
          Service-Template = Limited-Analog
  Etc.

Templates - The Template File

To make this all work we will create a file, called service-templates, with the following entries:

  Limited-Analog   NAS-Port-Type = Async  Time-of-Day =
          Framed-Protocol = PPP,
          Ascend-Assign-IP-Pool = 1,
          Framed-IP-Netmask = ,
          Framed-MTU = 1500,
          Framed-Compression = Van-Jacobsen-TCP-IP,
          Session-Timeout = 3600          # 1 hour
  Gold-Analog      NAS-Port-Type = Async
          Framed-Protocol = PPP,
          Ascend-Assign-IP-Pool = 1,
          Framed-IP-Netmask = ,
          Framed-MTU = 1500,
          Framed-Compression = Van-Jacobsen-TCP-IP,
          Session-Timeout =               # 12 hours
  Etc.

Templates - Methods

1. Read the things that are different for every user: the password and the template name
2. Read the things that are common to a group of users: the parameters in that template

  read-user-file
    Method-Type = ReadUserFile
    Method-On-Success = get-template
    ReadUserFile-Filename = user-accounts
  get-template
    Method-Type = ReadUserFile
    Method-On-Success = pass-check
    ReadUserFile-Filename = service-templates
    ReadUserFile-SearchKey = ${reply.Service-Template}
    # Now, we should delete the non-dictionary reply item
    ReadUserFile-Map = delete ${reply.Service-Template};
  pass-check
    Method-Type = AuthLocal
    Method-On-Success = auth-check
  auth-check
    Method-Type = CheckItems
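The Example 1 chain (users file, then AuthLocal, then CheckItems) and the template chain above, run through a small Python model added here for illustration; it is not VitalAAA code. It assumes a simplified users-file layout and a Python dict form of the .pf method entries, and it models the default actions and the Auto_Password / Auto_CheckItem end-of-flow checks from the earlier slides (the Prohibit- check-item prefix is not modelled).

```python
import hmac
import re

SUCCESS, FAIL, ERROR = "success", "fail", "error"
# Constructed sample files in the slides' users-file layout (assumed: a "<name><TAB><check
# items>" header line, indented lines carry reply items, items are comma separated).
FILES = {
    "users": "user3\tpassword = cant-tell, Service-Type = Framed-User\n"
             "\tAscend-Assign-IP-Pool = 0, Framed-IP-Netmask = 255.255.255.255\n",
    "user-accounts": "bob\tpassword = secret\n\tService-Template = Limited-Analog\n",
    "service-templates": "Limited-Analog\tNAS-Port-Type = Async\n"
                         "\tFramed-Protocol = PPP, Session-Timeout = 3600  # 1 hour\n",
}

def parse_user_file(text):  # -> {record name: (check items, reply items)}
    records, rec = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        header = bool(line) and line[0] not in " \t"
        if header:                                # "name<TAB>check items" opens a record
            name, _, line = line.partition("\t")
            rec = records[name.strip()] = ({}, {})
        for item in (line.split(",") if rec else ()):
            key, sep, val = item.partition("=")
            if sep:                               # header -> check items, indented -> reply
                rec[0 if header else 1][key.strip()] = val.strip()
    return records

def expand(ctx, text):  # resolve ${namespace.Attribute} refs, e.g. ${packet.Base-User-Name}
    return re.sub(r"\$\{(\w+)\.([\w-]+)\}", lambda m: ctx[m[1]].get(m[2], ""), text)

def read_user_file(ctx, m):
    key = expand(ctx, m.get("search_key", "${packet.Base-User-Name}"))
    rec = parse_user_file(FILES[m["filename"]]).get(key)
    if rec is None:
        return FAIL                               # no record: Method-On-Fail path
    ctx["check"].update(rec[0])
    ctx["reply"].update(rec[1])
    for ns, _, attr in (r.partition(".") for r in m.get("map_delete", [])):
        ctx[ns].pop(attr, None)                   # ReadUserFile-Map = delete ${ns.Attr};
    return SUCCESS

def auth_local(ctx, m):
    expected = ctx["check"].get("password")
    if expected is None:
        return ERROR                              # nothing to compare: mis-configuration
    if not hmac.compare_digest(expected.encode(), ctx["request"].get("password", "").encode()):
        return FAIL
    del ctx["check"]["password"]                  # matched: removed from the check items
    return SUCCESS

def check_items(ctx, m):
    pending = {a: v for a, v in ctx["check"].items() if a != "password"}  # pw: AuthLocal
    for attr, want in pending.items():
        if ctx["request"].get(attr) != want:
            return FAIL
        del ctx["check"][attr]                    # satisfied check items are removed
    return SUCCESS

PLUGINS = {"ReadUserFile": read_user_file, "AuthLocal": auth_local, "CheckItems": check_items}

def run_policyflow(pf, method, request):
    """Run the chain from `method`; return (RADIUS reply type, reply attributes)."""
    user, _, realm = request["User-Name"].partition("@")
    ctx = {"request": dict(request), "check": {}, "reply": {},
           "packet": {"Base-User-Name": user, "User-Realm": realm or "local"}}
    while method:
        m = pf[method]
        outcome = PLUGINS[m["type"]](ctx, m)
        method = m.get("on_" + outcome)           # Method-On-Success / -Fail / -Error
        if method is None and outcome != SUCCESS:
            return "Access-Reject", {}            # default when On-Fail / On-Error is unset
    # Auto_Password and Auto_CheckItem (on by default): test whatever is still unchecked
    if ("password" in ctx["check"] and auth_local(ctx, {}) != SUCCESS) or (
            ctx["check"] and check_items(ctx, {}) != SUCCESS):
        return "Access-Reject", {}
    return "Access-Accept", dict(ctx["reply"])    # default when On-Success is unset

AAA_PF = {  # Example 1: users file, then AuthLocal, then CheckItems
    "read-user-file": {"type": "ReadUserFile", "on_success": "pass-check", "filename": "users"},
    "pass-check": {"type": "AuthLocal", "on_success": "auth-check"},
    "auth-check": {"type": "CheckItems"},
}
TEMPLATE_PF = {**AAA_PF,  # "Templates - Methods": user record first, then its Service-Template
    "read-user-file": {"type": "ReadUserFile", "on_success": "get-template", "filename": "user-accounts"},
    "get-template": {"type": "ReadUserFile", "on_success": "pass-check",
                     "filename": "service-templates", "search_key": "${reply.Service-Template}",
                     "map_delete": ["reply.Service-Template"]},  # drop the non-dictionary item
}
```

A chain that only reads the users file still ends in an Access-Accept or Access-Reject, because the leftover check.password and check items are tested by the end-of-flow checks.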

Templates - Final Thoughts
- Templates can be retrieved from any data source: delimited files, database records, LDAP, etc.
- However, standard users files usually make the best choice for template storage:
  - They are read into memory and cached at startup
  - They can be reloaded without restarting the PolicyServer
  - Check item and reply item mapping is simplified
- Separate templates can be provided for reply items and check items
  - Handy when users can have any combination of reply-items and check-items
- Specific reply-items and check-items could still be used for each user

PolicyFlow Example 2

Example case #2
- Look for a user record in the LDAP directory
- If the record is found, retrieve the template
- If the template is found, check the password and check-items
  - If the password and check-items are OK, send an Access-Accept
  - Otherwise, send an Access-Reject

PolicyFlow Example 2 - Method dispatch

[Diagram: method_dispatch -> Ldap --succeed--> ReadUserFile --succeed--> AuthLocal --succeed--> CheckItems --succeed--> Accept; Ldap fail/error, ReadUserFile fail, AuthLocal fail and CheckItems fail all lead to Reject]
- Start by doing an LDAP query. Save the service type field contents in ${user.Service-Type}
- Look up the service-type in a text file
- Finish up by checking the password and any check-items from the service-type entry
- Return the reply attributes from the service-type entry in an Access-Accept packet
- Reject the attempt if we fail to find the user in LDAP or if the password or check-items tests fail

PolicyFlow Example 2

  ldap-query
    Method-Type = Ldap
    Method-On-Success = get-template
    Method-Timeout = 2000
    Ldap-Host = directory.isp1.net
    Ldap-Operation = SEARCH
    Ldap-BindDN = "cn = dir_man, o = isp1, c = US"
    Ldap-BindPasswd = 7olleh-44
    Ldap-SearchBase = "o = isp1, c = US"
    Ldap-SearchFilter = "uid = ${packet.Base-User-Name}"
    Ldap-Map = "${check.Password} = ${Password};"
    Ldap-Map = "${user.Service-Class} = ${Service-Type};"
  get-template
    Method-Type = ReadUserFile
    Method-On-Success = pass-check
    ReadUserFile-Filename = template-file
    ReadUserFile-SearchKey = ${user.Service-Class}
  pass-check
    Method-Type = AuthLocal
    Method-On-Success = auth-check
  auth-check
    Method-Type = CheckItems

PolicyFlow Example 2

An example LDAP entry:
  o = isp1
  c = US
  uid = happy
  Password = secret
  Service-Type = basic-analog

template-file:
  basic-analog   Prohibit-NAS-Port-Type = Sync
          Ascend-Assign-IP-Pool = 0
          Framed-IP-Netmask =
  isdn           # Note there are no check items
          Ascend-Assign-IP-Pool = 0
          Framed-IP-Netmask =
          Port-Limit = 2

PolicyFlow Example 2

Given the request:
  User-Name =
  password = secret
  NAS-IP-Address =
  NAS-Port = 24
  NAS-Port-Type = Async
  Called-Station-Id =
  Service-Type = Framed-User

PolicyFlow Example 2

We start the PolicyFlow with the following attribute settings:
  request.User-Name =
  request.password = secret
  request.NAS-IP-Address =
  request.NAS-Port = 24
  request.NAS-Port-Type = Async
  request.Called-Station-Id =
  request.Service-Type = Framed-User
  packet.Base-User-Name = happy
  packet.User-Realm = isp1

PolicyFlow Example 2

After performing a successful LDAP query, we now have the following data saved in the internal attributes:
  request.User-Name =
  request.password = secret
  request.NAS-IP-Address =
  request.NAS-Port = 24
  request.NAS-Port-Type = Async
  request.Called-Station-Id =
  request.Service-Type = Framed-User
  packet.Base-User-Name = happy
  packet.User-Realm = isp1
  check.Password = secret              } mapped from the LDAP entry by Ldap-Map
  user.Service-Class = basic-analog    }

PolicyFlow Example 2

Next we look up the basic-analog template. Now the internal attribute list looks like this:
  request.User-Name =
  request.password = secret
  request.NAS-IP-Address =
  request.NAS-Port = 24
  request.NAS-Port-Type = Async
  request.Called-Station-Id =
  request.Service-Type = Framed-User
  packet.Base-User-Name = happy
  packet.User-Realm = isp1
  check.Password = secret
  check.Prohibit-NAS-Port-Type = Sync  } read from the template-file entry
  user.Service-Class = basic-analog
  reply.Ascend-Assign-IP-Pool = 0      }
  reply.Framed-IP-Netmask =            }

PolicyFlow Example 2

If the password from the request and the user record match, the password retrieved from the user record is deleted from the check items:
  request.User-Name =
  request.password = secret
  request.NAS-IP-Address =
  request.NAS-Port = 24
  request.NAS-Port-Type = Async
  request.Called-Station-Id =
  request.Service-Type = Framed-User
  packet.Base-User-Name = happy
  packet.User-Realm = isp1
  check.Password = secret              <- removed: it matched the request
  check.Prohibit-NAS-Port-Type = Sync
  user.Service-Class = basic-analog
  reply.Ascend-Assign-IP-Pool = 0
  reply.Framed-IP-Netmask =

PolicyFlow Example 2

If the check items from the user record are true (i.e. they match items in the access request), they are removed:
  request.User-Name =
  request.password = secret
  request.NAS-IP-Address =
  request.NAS-Port = 24
  request.NAS-Port-Type = Async
  request.Called-Station-Id =
  request.Service-Type = Framed-User
  packet.Base-User-Name = happy
  packet.User-Realm = isp1
  check.Prohibit-NAS-Port-Type = Sync  <- removed: the request's NAS-Port-Type is Async
  user.Service-Class = basic-analog
  reply.Ascend-Assign-IP-Pool = 0
  reply.Framed-IP-Netmask =

PolicyFlow Example 2

Finally the reply items are used to create an Access-Accept packet:
  reply.Ascend-Assign-IP-Pool = 0
  reply.Framed-IP-Netmask =

The Access-Accept would be a RADIUS type 2 packet and would contain the following attributes:
  Ascend-Assign-IP-Pool = 0
  Framed-IP-Netmask =

PolicyFlows Linkage (I)

[Diagram: a Branch method selects on the realm; realm = local -> ReadUserFile -> Accept or Reject; realm = isp1 -> Ldap -> Accept or Reject]

PolicyFlows linkage (II)

method_dispatch:
  # Prot        Type                Code  File  Method
  radiusAuth    Access-Request            aaa   Branch4realms
  radiusAcct    Accounting-Request        aaa   writeDetail

aaa.pf:
  Branch4realms
    Method-Type = "Branch"
    Branch-Case = "local read-user-file"
    Branch-Case = "isp1 ldap-query"
    Branch-SelectMode = "KEY"
    Branch-SearchKey = "${packet.User-Realm}"
    Branch-IgnoreCase = "TRUE"
  ldap-query
    Method-Type = ReadLdap
    .......
  read-user-file
    Method-Type = ReadUserFile
    .....

PolicyFlow linkage (III)

The initial branch can be made on any VA variable:
- Service-Type = ${request.Service-Type}
  - Framed - for PPP users
  - Call-Check - for pre-auth in dial-up
  - Outbound - for pseudo-users
  - Administrative - for routers/NAS administrators
- Client Class = ${client.Client-Class}
- Calling or Called station id
- Type of accounting packet = ${request.Acct-Status-Type}
  - Start, stop, interim, accounting-on, accounting-off

A WILDC​ARD select mode can also be used:
  Branch-SearchKey = "${request.Called-Station-Id}"
  Branch-Case = "909* check_calling"
  Branch-Case = "908* accept_call"
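The realm Branch from the linkage slides and the WILDCARD case above, as an added Python model that is not VitalAAA code; it assumes that a Branch-Case value has the form "<key-or-pattern> <method>", that cases keep their file order and the first matching case wins, and that WILDCARD patterns follow shell-style globbing.

```python
import fnmatch
import re


def expand(ctx, text):  # resolve ${namespace.Attribute} references against the VA namespaces
    return re.sub(r"\$\{(\w+)\.([\w-]+)\}", lambda m: ctx.get(m[1], {}).get(m[2], ""), text)


def parse_branch(properties):
    """Read a Branch method's properties (the aaa.pf lines on the slide) into a dict.
    Assumed: each Branch-Case value is "<key-or-pattern> <method>" and cases keep file order."""
    cfg = {"cases": [], "select_mode": "KEY", "search_key": "", "ignore_case": False}
    for line in properties.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        value = value.strip('"')
        if key == "Branch-Case":
            case, _, method = value.partition(" ")
            cfg["cases"].append((case, method.strip()))
        elif key == "Branch-SelectMode":
            cfg["select_mode"] = value.upper()
        elif key == "Branch-SearchKey":
            cfg["search_key"] = value
        elif key == "Branch-IgnoreCase":
            cfg["ignore_case"] = value.upper() == "TRUE"
    return cfg


def branch(ctx, cfg):
    """Return the method to continue with, or None when no Branch-Case matches (method fails)."""
    value = expand(ctx, cfg["search_key"])
    for case, method in cfg["cases"]:
        probe, pattern = (value.lower(), case.lower()) if cfg["ignore_case"] else (value, case)
        if cfg["select_mode"] == "WILDCARD":
            matched = fnmatch.fnmatchcase(probe, pattern)   # shell-style *, ? and [..]
        else:
            matched = probe == pattern                       # KEY: exact match
        if matched:
            return method        # assumed: the first matching case in file order wins
    return None


# Constructed Branch methods in the slides' syntax: realm selection (KEY) and
# DNIS selection (WILDCARD on Called-Station-Id).
REALM_BRANCH = parse_branch("""\
Method-Type = "Branch"
Branch-Case = "local read-user-file"
Branch-Case = "isp1 ldap-query"
Branch-SelectMode = "KEY"
Branch-SearchKey = "${packet.User-Realm}"
Branch-IgnoreCase = "TRUE"
""")
DNIS_BRANCH = parse_branch("""\
Method-Type = "Branch"
Branch-SelectMode = "WILDCARD"
Branch-SearchKey = "${request.Called-Station-Id}"
Branch-Case = "909* check_calling"
Branch-Case = "908* accept_call"
""")
```

A request whose realm or Called-Station-Id matches no case gets None here, which corresponds to the Branch method failing and, with no Method-On-Fail configured, to the default Access-Reject.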

Cron-based PolicyFlows (new in 5.2)
- It is also possible to start a PF based on time, similar to UNIX crontabs
- The ${request.*} variables can be specified

method_dispatch:
  # Protocol  Type         Code  File  Method
  radius      auth         1     aaa   readRadiusUser
  cron        "0 * * * *"        aaa   WriteLog
  radius      acct         4     aaa   updateLocalLimits

PolicyFlow - Method Dispatch

[SMT screenshot]

PolicyFlow - PF files
- We can see all configured methods, create or delete others, and configure the Method-On-Success/Fail/Error
- Extra PF files can also be added

[SMT screenshot]

PolicyFlow - Methods Configuration

[SMT screenshot]

PolicyGrapher (I)
- There is a tool to represent a PF in a graphical format
- It uses third-party software, GraphViz from AT&T, which must be installed separately from VA
- The PolicyGraph can be:
  - Viewed from the SMT
  - Saved to a gif file

[Diagram: xxx.pf --(SMT)--> xxx.dot --(GraphViz)--> xxx.gif|jpg...]

PolicyGrapher (II)

It has to be configured:
- the grapher program to use (dot.exe is recommended) and the directory where it has been installed
- extra parameters related to colours, shape, and whether to explicitly graph the success, failure or error nodes representing the end of the PF

The properties are stored in the /run/policygraph.properties file.

PolicyGrapher (III)

[SMT screenshot]
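An added Python illustration of the xxx.pf -> xxx.dot step described above; it is not Alcatel-Lucent's PolicyGrapher. It assumes a dict form of the method entries using the Method-On-Success/Failure/Error property names from the method syntax slide, mirrors the option to graph the terminal success/failure/error nodes explicitly, and adds a reachability check that is worth running before graphing a chain.

```python
# Added illustration (not Alcatel-Lucent's PolicyGrapher): render a PolicyFlow chain as
# Graphviz DOT text, the intermediate xxx.dot of the slides. The chain representation is
# an assumed Python form of the .pf method entries.
import subprocess

AAA_PF = {  # Example 1 chain from the slides, as a dict of method -> properties
    "read-user-file": {"Method-Type": "ReadUserFile", "Method-On-Success": "pass-check"},
    "pass-check": {"Method-Type": "AuthLocal", "Method-On-Success": "auth-check"},
    "auth-check": {"Method-Type": "CheckItems"},
}

# What each outcome means when no Method-On-... is configured (Default Actions slide).
DEFAULT_END = {"Success": "Access-Accept", "Failure": "Access-Reject", "Error": "Access-Reject"}


def pf_to_dot(graph_name, pf, show_end_nodes=True):
    """Return DOT source: one node per method, one edge per Success/Failure/Error outcome.

    With show_end_nodes=False only explicit Method-On-... edges are drawn, mirroring the
    PolicyGrapher property that toggles the terminal success/failure/error nodes."""
    lines = [f'digraph "{graph_name}" {{', "  node [shape=box];"]
    for method, props in pf.items():
        lines.append(f'  "{method}" [label="{method}\\n({props["Method-Type"]})"];')
        for outcome, default in DEFAULT_END.items():
            target = props.get(f"Method-On-{outcome}")
            if target is None and not show_end_nodes:
                continue                       # implicit end of the PF, not drawn
            lines.append(f'  "{method}" -> "{target or default}" [label="{outcome}"];')
    if show_end_nodes:
        for end in sorted(set(DEFAULT_END.values())):
            lines.append(f'  "{end}" [shape=ellipse];')
    lines.append("}")
    return "\n".join(lines)


def lint_pf(pf, start):
    """Return (unreachable methods, dangling Method-On-... targets) for a chain from `start`."""
    seen, dangling, todo = set(), set(), [start]
    while todo:
        m = todo.pop()
        if m in seen:
            continue
        if m not in pf:
            dangling.add(m)                    # a typo in a Method-On-... value
            continue
        seen.add(m)
        todo += [v for k, v in pf[m].items() if k.startswith("Method-On-")]
    return sorted(set(pf) - seen), sorted(dangling)


def render_gif(dot_source, out_path):
    """Hand the DOT text to Graphviz's dot program (installed separately, as the slide notes)."""
    subprocess.run(["dot", "-Tgif", "-o", out_path], input=dot_source.encode(), check=True)
```

render_gif is the equivalent of the SMT's "save to a gif file" step and needs the dot binary on the path; pf_to_dot and lint_pf run without Graphviz.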

PolicyFlow Editor vs. PolicyAssistant

PolicyFlow Editor
- To edit the method_dispatch file and the *.pf files
- Only viewable if not using the PolicyAssistant
PolicyAssistant
- To create simple policies using a wizard
- Only viewable if not configuring a PolicyFlow

The SMT knows which option to show based on the server property provisioningInstalled:
  provisioningInstalled = FALSE => PF
  provisioningInstalled = TRUE  => PA

[Chart: configuration time versus what can be done, PF compared with PA]

Policy Assistant (I)
- A graphical wizard to configure simple AAA policies
- It has a predefined PolicyFlow (PF) that reads configuration information from some text files: data.config-info, data.dnis-info.csv, data.realm-info.csv, policyassistant_properties
- The PolicyAssistant (PA) wizard populates the data in these files

Policy Assistant (II): Users Authentication

[SMT screenshot]

Policy Assistant (III): Accounting info and USS for limits

[SMT screenshot]

Policy Assistant (IV): Extra info and templates for authorization

[SMT screenshot]

Policy Assistant (V): Policy to realm mapping
- Finally, a realm must be assigned to a Policy
- Extra parameters can be configured, related to:
  - the USS where it is located (in case it is on a different host)
  - extra limits based on DNIS and for the whole policy

PolicyAssistant Accounting DB schema

When choosing to store the accounting records in the internal DB (Hypersonic SQL), there are two tables to store the information:
- ACTIVE: stores the connections that are active at that moment
- ACCOUNTING: stores the already ended connections (historical data, for reporting, statistics, billing, etc.)

Changing PolicySet
- At any moment, we can change to the PolicyAssistant or install any of the predefined sample PolicyFlows
- These PFs are under the /run/samples directory
- They are simply copied to the /run directory