Application Assurance

Table: Application Assurance (description)
Attribute ID Attribute name Description

8

Framed-IP-Address

Mandatory IPv4 address attribute to create (CoA), delete (Delete) or audit (CoA) an IPv4 AA-transit subscriber. In case of an IPv4 host creation (CoA), if the host is already configured for another AA-transit subscriber with the same parent SAP, it is removed from that AA-subscriber and added to the AA-subscriber referred to by the [26.6527.11] Alc-Subsc-ID-Str in the CoA message. If the parent SAP, referred to by the [87] NAS-Port-Id, is different, the host creation fails. An AA-transit subscriber can have up to 32 hosts (IPv4 or IPv6). A host cannot be added to an AA-transit subscriber if it is already configured for a static AA-transit subscriber with a different subscriber-ID. A Disconnect message sent with the last host of an AA-transit subscriber deletes the AA-transit subscriber.

87

NAS-Port-Id

A text string identifying the physical SAP or SDP serving the AA-transit subscriber (parent SAP or SDP). Mandatory attribute to create (CoA), delete (Disconnect) or audit (CoA) a transit-AA subscriber.

97

Framed-IPv6-Prefix

The IPv6 address for AA-Transit subscriber creation or removal (same use as [8] Framed-IP-Address).

26.6527.11

Alc-Subsc-ID-Str

A mandatory attribute used in Access-Accept for AA subscriber creation (as in ESM host creation) or application-profile change (CoA) and for AA-transit subscriber creation (CoA), removal (Disconnect) or audit (CoA). Attribute values longer than the allowed string value are treated as setup failures.

26.6527.45

Alc-App-Prof-Str

Application Assurance for residential, business, or transit-AA subscribers is enabled through the assignment of an application profile as part of either enhanced subscriber management or static configuration. [26.6527.45] Alc-App-Prof-Str is a string that maps (configure subscriber-mgmt sub-ident-policy sub-ident-policy-name app-profile-map) to such an application profile (configure application-assurance group aa-group-id:partition-id policy app-profile app-profile-name). This attribute is used in Access-Accept (to assign an application profile during ESM host creation) and CoA (to change the application profile of an AA-subscriber or to create a transit AA-subscriber). Strings longer than the allowed maximum are treated as setup failures. Unreferenced strings (strings not mapping to an application profile) silently trigger a fallback to preconfigured default values if allowed. If no default value is preconfigured, the subscriber's application profile is silently disabled for the ESM AA-subscriber; in case of a transit AA-subscriber creation, the CoA is rejected. Changing an application profile to one configured under a different group/partition, or modifying the application profile of a static AA-subscriber, is not allowed and is treated as a setup failure.

26.6527.130

Alc-AA-Transit-IP

Used to create (CoA), modify (CoA), delete (Disconnect) or audit (CoA) an Application Assurance transit IPv4 or IPv6 subscriber for business AA deployments. It allows reporting and policy enforcement at IP address or prefix level within the parent SAP or spoke-SDP. Mandatory attributes to create (c), modify (m), delete (d) or audit (a) an AA-transit-ip-subscriber are: [8] Framed-IP-Address (c/m/d/a) or [97] Framed-IPv6-Prefix (c/m/d/a), [87] NAS-Port-Id (c/m/d/a), [26.6527.11] Alc-Subsc-ID-Str (c/m/d/a), [26.6527.45] Alc-App-Prof-Str (c/m/a) and [26.6527.130] Alc-AA-Transit-IP (c/m/d/a). The value of [26.6527.130] Alc-AA-Transit-IP must be an integer: the value 1 (host) is used for host creation or deletion, and 2 (audit-start) and 3 (audit-end) are used for the audit.

26.6527.182

Alc-AA-Sub-Http-Url-Param

Optional text string used to customize the URL used for HTTP In-Browser Notification and automatically appended at the end of the notification script URL as an argument. This text string can also be configured in the http-redirect URL policy using macro substitution.

The VSA string typically contains one or more argument names and values; there is no limit on the number of arguments besides the maximum length of the VSA. Each new argument must be preceded by "&" so that a web server interprets it correctly. For instance, the Alc-AA-Sub-Http-Url-Param string must have the format "&arg1=value1" or "&arg1=value1&arg2=value2".

This VSA string can be overwritten through CoA.

26.6527.193

Alc-AA-App-Service-Options

Used to apply Application Service Option (ASO) overrides. These attributes can only be applied if an app-profile is also, or has previously been, associated with the AA-sub (explicitly or by default); otherwise the override is rejected. An Access-Accept or CoA message can send one or more of these VSAs, with each VSA containing a string with the characteristic name and value name pair. To provide multiple ASO attributes, the message can include multiple ASO VSAs, in addition to an app-profile VSA.

The VSA string contains the characteristic name and the value name. The format for the Alc-AA-App-Service-Options string must be "char=value". An equal sign is used as the delimiter between characteristic string and value string.

Each name can have any character including spaces, except '='. Everything before the '=' is interpreted as the characteristic string and everything after the '=' is interpreted as the value string. One ASO char=value pair is supported per VSA. If an ASO char=value pair is not found in a VSA, the message is rejected. If an ASO char=value does not match a provisioned ASO for the group/partition for that subscriber, the message is rejected.

An app profile is a defined set of ASO values. App-profiles interact with ASO overrides in this way:

  • The Alc-AA-App-Service-Options VSA is optional on sub create (with app-profile assignment) and may be used later to modify policy.

  • On a CoA, if an app-profile VSA is not present, all ASO VSAs are applied on top of the current policy of the sub.

  • On a CoA, if an app-profile VSA is present, even if it is the same app-profile as currently applied, all previous ASO override policy is removed. Any ASO VSAs in the same CoA message as the new app-profile are applied on top of the app-profile policy. In this way, re-sending app-profile resets all ASO state history. On a CoA, if the app-profile changes, and no ASO VSAs exist, all current ASO overrides are removed.

  • If the app-profile changes, and ASO VSAs exist, all current ASO overrides are removed, and the new ASO overrides are applied to this new app-profile.

  • A new aa-sub characteristic can be applied, or an existing characteristic modified, by an ASO VSA.

  • When an ASO VSA is received, any existing overrides remain and the new overrides are cumulative.

If there are multiple ASO VSAs for the same characteristic in the CoA, the last one takes effect.

241.26.6527.26

Alc-Aa-Sub-Scope

This attribute is used to define the scope of the [26.6527.45] Alc-App-Prof-Str attribute and the related [26.6527.193] Alc-AA-App-Service-Options attributes to affect either the subscriber (all hosts) or to affect only the specific host IP addresses used by a unique MAC address. The absence of this attribute defaults to using subscriber scope.
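The override rules given for Alc-AA-App-Service-Options can be exercised before a CoA is sent. The following is an added example, not SR OS or vendor code: AaSub, parse_aso and Rejected are hypothetical names, the provisioned characteristics are constructed sample data, and the 32-byte and 32-VSA limits are the ones in this page's limits table.

```python
# Added example: a model of the ASO override rules on this page.
# AaSub, parse_aso and Rejected are hypothetical names, not SR OS code.
MAX_FIELD = 32     # bytes for the characteristic and for the value
MAX_VSAS = 32      # ASO VSAs per message


class Rejected(Exception):
    """Raised where the page says the message or override is rejected."""


def parse_aso(vsa):
    """Split one Alc-AA-App-Service-Options string into (characteristic, value)."""
    name, sep, value = vsa.partition("=")
    # Assumption: an empty name or value counts as "pair not found".
    if not sep or not name or not value or "=" in value:
        raise Rejected(f"not a single char=value pair: {vsa!r}")
    if max(len(name.encode()), len(value.encode())) > MAX_FIELD:
        raise Rejected(f"field longer than {MAX_FIELD} bytes: {vsa!r}")
    return name, value


class AaSub:
    def __init__(self, provisioned, app_profile=None):
        self.provisioned = provisioned    # {characteristic: allowed values}
        self.app_profile = app_profile    # None: no app-profile associated yet
        self.overrides = {}

    def apply(self, app_profile=None, aso_vsas=()):
        """Apply one Access-Accept or CoA; return the resulting overrides."""
        if len(aso_vsas) > MAX_VSAS:
            raise Rejected("more than 32 ASO VSAs in one message")
        if aso_vsas and app_profile is None and self.app_profile is None:
            raise Rejected("ASO override without an app-profile")
        # Assumption: validate first so a rejected message changes nothing.
        new = {}
        for vsa in aso_vsas:
            name, value = parse_aso(vsa)
            if value not in self.provisioned.get(name, ()):
                raise Rejected(f"{vsa!r} is not a provisioned ASO")
            new[name] = value             # last VSA for a characteristic wins
        if app_profile is not None:
            self.app_profile = app_profile
            self.overrides = {}           # any app-profile VSA resets overrides
        self.overrides.update(new)        # otherwise overrides are cumulative
        return dict(self.overrides)
```

The model does not cover the rule that an app-profile cannot be changed to one under a different group/partition.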

Table: Application Assurance (limits)
Attribute ID Attribute name Type Limits SR OS format

8

Framed-IP-Address

ipaddr

4 bytes

# Example: ipv4 transit-AA-subscriber 10.0.200.1

Framed-IP-Address = "10.0.200.1"

87

NAS-Port-Id

string

253 bytes

# Depends on the parent port type

# Example for sap

NAS-Port-Id = 1/1/4:501.1001

# Example for spoke-sdp

NAS-Port-Id = 4:100

97

Framed-IPv6-Prefix

ipv6prefix

max. 16 bytes for prefix + 1 byte for length

# Example: Framed-IPv6-Prefix = 2001:db8:cafe:1::/64

26.6527.11

Alc-Subsc-ID-Str

string

32 chars

# Example: Alc-Subsc-ID-Str = transit-sub-radius1

26.6527.45

Alc-App-Prof-Str

string

16 bytes

# Example: Alc-App-Prof-Str = MyAppProfile

26.6527.130

Alc-AA-Transit-IP

integer

4 bytes

1=host, 2=audit-start, 3=audit-end

For example:

# CoA create AA transit subscriber on SAP 4/1/1, IP address 10.0.200.1

Alc-AA-Transit-IP = host

NAS-Port-ID = 4/1/1

framed-ip-address = 10.0.200.1

Alc-Subsc-ID-Str = transit-sub-radius1

Alc-App-Prof-Str = MyAppProfile

26.6527.182

Alc-AA-Sub-Http-Url-Param

string

247 chars (DSM)

32 chars (ESM)

# For example:

Alc-AA-Sub-Http-Url-Param = "&Provider=ISPname&Location=Station21"

26.6527.193

Alc-AA-App-Service-Options

string

65 bytes per VSA (char. 32bytes + 1 byte + value 32bytes)

32 VSAs per message

Format: characteristic=value

# For example:

Alc-AA-App-Service-Options = "ServiceTier=Bronze"

241.26.6527.26

Alc-Aa-Sub-Scope

integer

4 bytes

1=subscriber, 2=mac

For example:

To set the scope of the application profile to subscriber hosts with the same MAC address:

Alc-Aa-Sub-Scope = 2

To set the scope of the application profile to all subscriber hosts belonging to the same ESM subscriber:

Alc-Aa-Sub-Scope = 1
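Because Alc-AA-Sub-Http-Url-Param is appended verbatim to the notification script URL, the string is worth building and checking on the RADIUS server side. The following is an added example, not vendor code: build_url_param and check_url_param are hypothetical names, and percent-encoding of names and values is an added precaution that this page does not itself require.

```python
import re
from urllib.parse import quote

MAX_LEN = {"DSM": 247, "ESM": 32}    # chars, from the limits table above
UNSAFE = re.compile(r"[^A-Za-z0-9_.~%-]")


def build_url_param(args, mode):
    """Build the VSA string from (name, value) pairs for DSM or ESM."""
    # Percent-encoding is an added precaution, not a rule stated on the page:
    # it stops '&', '=' or '#' inside a value from starting a new argument.
    vsa = "".join(
        "&" + quote(str(n), safe="") + "=" + quote(str(v), safe="")
        for n, v in args
    )
    if len(vsa) > MAX_LEN[mode]:
        raise ValueError(f"{len(vsa)} chars exceeds the {mode} limit")
    return vsa


def check_url_param(vsa, mode):
    """Return the problems found in an existing VSA string (empty if none)."""
    problems = []
    if len(vsa) > MAX_LEN[mode]:
        problems.append(f"too long for {mode}")
    if not vsa.startswith("&"):
        problems.append("first argument not preceded by '&'")
    body = vsa[1:] if vsa.startswith("&") else vsa
    for arg in body.split("&"):
        name, sep, value = arg.partition("=")
        if not sep or not name or "=" in value:
            problems.append(f"malformed argument {arg!r}")
        elif UNSAFE.search(name + value):
            problems.append(f"unencoded character in {arg!r}")
    return problems
```

The page's own example string is 36 characters long, so it fits the DSM limit but not the 32-character ESM limit.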

Table: Application Assurance (applicability)
Attribute ID     Attribute name               Access Request   Access Accept   CoA request
8                Framed-IP-Address            0                0               0-1
87               NAS-Port-Id                  0                0               0-1
97               Framed-IPv6-Prefix           0                0               0-1
26.6527.11       Alc-Subsc-ID-Str             0                0-1             0-1
26.6527.45       Alc-App-Prof-Str             0                0-1             0-1
26.6527.130      Alc-AA-Transit-IP            0                0               0-1
26.6527.182      Alc-AA-Sub-Http-Url-Param    0                0-1             0-1
26.6527.193      Alc-AA-App-Service-Options   0                0+              0+
241.26.6527.26   Alc-Aa-Sub-Scope             0                0-1             0-1
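The mandatory-attribute matrix in the Alc-AA-Transit-IP description (c/m/d/a) and the string limits can be checked before a transit-subscriber CoA or Disconnect is sent. The following is an added example, not vendor code: validate_transit is a hypothetical name, attributes are passed as a plain dict, lengths are counted in bytes, and treating modify like create for the Alc-AA-Transit-IP value is an assumption.

```python
import ipaddress

# Operations: c=create, m=modify, a=audit (CoA); d=delete (Disconnect).
MANDATORY = {
    "NAS-Port-Id": "cmda",
    "Alc-Subsc-ID-Str": "cmda",
    "Alc-App-Prof-Str": "cma",
    "Alc-AA-Transit-IP": "cmda",
}
MAX_LEN = {"NAS-Port-Id": 253, "Alc-Subsc-ID-Str": 32, "Alc-App-Prof-Str": 16}
# 1=host, 2=audit-start, 3=audit-end. Assumption: modify uses 1 like create.
TRANSIT_IP = {"c": {1}, "m": {1}, "d": {1}, "a": {2, 3}}


def validate_transit(op, attrs):
    """Return the reasons this attribute set would fail (empty if none)."""
    errors = [f"missing {name}" for name, ops in MANDATORY.items()
              if op in ops and name not in attrs]
    if "Framed-IP-Address" not in attrs and "Framed-IPv6-Prefix" not in attrs:
        errors.append("missing Framed-IP-Address or Framed-IPv6-Prefix")
    for name, limit in MAX_LEN.items():
        # Over-long strings are treated as setup failures by the router.
        if len(str(attrs.get(name, "")).encode()) > limit:
            errors.append(f"{name} longer than {limit}")
    kind = attrs.get("Alc-AA-Transit-IP")
    if kind is not None and kind not in TRANSIT_IP[op]:
        errors.append(f"Alc-AA-Transit-IP {kind} not valid for {op}")
    try:
        if "Framed-IP-Address" in attrs:
            ipaddress.IPv4Address(attrs["Framed-IP-Address"])
        if "Framed-IPv6-Prefix" in attrs:
            ipaddress.IPv6Network(attrs["Framed-IPv6-Prefix"], strict=False)
    except ValueError as exc:
        errors.append(f"bad address: {exc}")
    return errors
```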