Usage Scenario
The RADIUS server can send RADIUS authentication response or change-of-authorization (CoA) packets that carry the Hw-Data-Filter (26-82) attribute to deliver ACLs or dynamically change ACLs it previously delivered to the BRAS.
The RADIUS server can use a RADIUS authentication response or CoA packet to deliver a CoA action string to specify a dynamic ACL's operation types.
A RADIUS authentication response or CoA packet may carry the following operation types of a dynamic ACL:
- update-user-class (replacement of dynamic ACL information used by the user): The BRAS references the classifier-behavior pair delivered using the RADIUS authentication response or CoA packet for the user and no longer references the classifier-behavior pair that is being used for the user. If the RADIUS authentication response or CoA packet does not deliver any classifier-behavior pair, no dynamic ACL information is available for the user after the packet is successfully processed.
- add-user-class (addition of the classifier-behavior pair for the user): The BRAS references the classifier-behavior pair delivered using the RADIUS authentication response or CoA packet for the user.
- del-user-class (deletion of some classifier-behavior pairs for the user): The BRAS deletes the classifier-behavior pair delivered using the RADIUS authentication response or CoA packet from the classifier-behavior pairs that are being referenced for the user.
- add-rule (addition of rules to the classifier used by the user): The BRAS adds a rule to the classifier delivered using the RADIUS authentication response or CoA packet.
- update-class (replacement of rules and actions in the classifier-behavior pair used by the user): The BRAS replaces rules and actions in the classifier-behavior pair that is used by the user and specified in the RADIUS authentication response or CoA packet with those in the classifier-behavior pair delivered using the RADIUS authentication response or CoA packet.
The BRAS can parse the five operation types in a CoA packet. By default, however, it supports only the update-user-class operation type in a RADIUS authentication response packet: if a dynamic ACL delivered in a RADIUS authentication response packet carries any other operation type, the BRAS still performs the update-user-class action.
To enable the BRAS to parse the five operation types in a RADIUS authentication response packet, run the remote-download acl support-all-operate access-accept command.
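The following Python sketch is an added example, not Huawei code. It models how the five operation types change a user's classifier-behavior pairs, and how the default handling of authentication response packets turns an intended del-user-class into a full replacement. The dictionary layout, the function names, the "coa" and "access-accept" labels and the sample classifier names are assumptions made for illustration.

```python
import copy

OPERATIONS = {"update-user-class", "add-user-class", "del-user-class",
              "add-rule", "update-class"}

def effective_operation(op, packet_type, support_all_operate=False):
    """Operation the BRAS acts on, per the rules described above."""
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation type: {op}")
    if packet_type == "coa":
        return op  # all five types are parsed in CoA packets
    if packet_type == "access-accept":
        # Default: every type is handled as update-user-class.
        return op if support_all_operate else "update-user-class"
    raise ValueError(f"unknown packet type: {packet_type}")

def apply_dynamic_acl(current, op, delivered, packet_type, support_all_operate=False):
    """Return the user's classifier-behavior pairs after the packet is processed.

    Assumed model: {classifier name: {"rules": [...], "behavior": name}}.
    """
    op = effective_operation(op, packet_type, support_all_operate)
    current, delivered = copy.deepcopy(current), copy.deepcopy(delivered)
    if op == "update-user-class":
        return delivered  # nothing delivered -> no dynamic ACL left
    if op == "add-user-class":
        return {**current, **delivered}
    if op == "del-user-class":
        return {k: v for k, v in current.items() if k not in delivered}
    for name, pair in delivered.items():
        if name not in current:
            continue  # assumption: pairs the user does not reference are skipped
        if op == "add-rule":
            current[name]["rules"] += pair["rules"]
        else:  # update-class: replace rules and behavior
            current[name] = pair
    return current

# Constructed sample state; rule strings are placeholders, not device syntax.
IN_USE = {"c-web": {"rules": ["rule-a"], "behavior": "b-permit"},
          "c-block": {"rules": ["rule-b"], "behavior": "b-deny"}}
DELIVERED = {"c-block": {"rules": ["rule-b"], "behavior": "b-deny"}}

if __name__ == "__main__":
    for pkt, flag in (("coa", False), ("access-accept", False), ("access-accept", True)):
        result = apply_dynamic_acl(IN_USE, "del-user-class", DELIVERED, pkt, flag)
        print(pkt, flag, sorted(result))
```

In this model, the same del-user-class request leaves only c-web when sent by CoA, but leaves only c-block when sent in an authentication response with the default setting. This is why RADIUS policies that rely on operation types other than update-user-class at authentication time need the support-all-operate setting.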
Prerequisites
The remote-download acl enable command has been run to enable the RADIUS server to create a dynamic ACL.
Precautions
In VS mode, this command is supported only by the admin VS.