RADIUS Attributes Reference
88
RADIUS ATTRIBUTES REFERENCE GUIDE
RELEASE 14.0.R4
3HE 10793 AAAB TQZZA 01 Issue: 01
26-529-242 Ascend-Data-Filter A local configured filter policy can be extended with shared dynamic
filter entries. A dynamic copy of the base filter (filter associated to the
host via sla-profile or host filter override) is made and extended with the
set of filter rules per type (ipv4/ipv6) and direction (ingress/egress) in
the RADIUS message. If a dynamic copy with the same set of rules
already exists, no new copy is made but the existing copy is associated
with the host/session. If after host/session disconnection, no hosts/
sessions are associated with the dynamic filter copy, then the dynamic
copy is removed.
Shared filter entries are moved if the subscriber host filter policy is
changed (new SLA profile or ip filter policy override) and if the new filter
policy contains enough free reserved entries.
A range of entries must be reserved for shared entries in a filter policy:
configure filter ip-filter/ipv6 filter filter-id sub-insert-shared-radius
The function of the attribute is identical to [26-6527-158] Alc-Nas-Filter-
Rule-Shared but it has a different format. The format used to specify
shared filter entries (Alc-Nas-Filter-Rule-Shared format or Ascend-
Data-Filter format) cannot change during the lifetime of the subscriber
host.
Mixing formats in a single RADIUS message results in a failure.
Note that shared filter entries should only be used if many hosts share
the same set of filter rules that need to be controlled from RADIUS.
26-6527-134 Alc-Subscriber-Filter Subscriber host preconfigured ip/ipv6 ingress and egress filters to be
used instead of the filters defined in the sla-profile. Not relevant fields
will be ignored (example, IPv4 filters for an IPv6 host).
Note that the scope of the local preconfigured filter should be set to
template for correct operation (configure filter ip-filter/ipv6-filter filter-
id scope template). This is not enforced. For a RADIUS CoA message,
if the ingress or egress field is missing in the VSA, there will be no
change for that direction. For a RADIUS Access-Accept message, if the
ingress or egress field is missing in the VSA, then the IP-filters as
specified in the sla-profile will be active for that direction Applicable to
all dynamic host types, including L2TP LNS but excluding L2TP LAC.
Table 17 IP and IPv6 Filters (Description) (Continued)
Attribute ID Attribute Name Description
To Next Page
Loading...
