PolicyFlow
Mar 26, 2015
2 | PolicyFlow All Rights Reserved © Alcatel-Lucent 2007
Module Objectives
• PolicyFlow syntax and files
• Understand the way a PolicyChain is executed and variables are created, used and modified
• Templates and advantages
• PolicyFlow configuration in the SMT
• Viewing PFs in a graph: PolicyGrapher
• PolicyAssistant
PolicyFlow Selection

method_dispatch:
# Prot    Type   Code                File   Method
radius    Auth   Access-Request      aaa    readRadiusUser
radius    Acct   Accounting-Request  aaa    writeDetail

aaa.pf:
readRadiusUser
    Method-Type = "ReadUserFile"
    Method-On-Success = "checkPassword"
    ReadUserFile-Filename = "users"
checkPassword
    Method-Type = "AuthLocal"
    Method-On-Success = "checkVerifications"
checkVerifications
    Method-Type = "CheckItems"
writeDetail
    Method-Type = "Classic"
    Classic-Filename = "radacct/${packet.Client-Name}/detail2"

The line matched in the method_dispatch file determines the initial method to be executed.
PolicyFlow Method Chains
Each time a method executes, it can result in one of the three following conditions:
Success - The method succeeded (i.e. it found something or approved something). It did what was intended.
Fail - The method failed (i.e. something could not be found, did not match, etc.).
Error - The method was unable to execute (i.e. uncertainty due to abnormal conditions, mis-configuration or timeout) and could not determine if it succeeded or failed.
Method syntax (revisited)

method1                                          <- unique name of the method
    Method-Type = "ReadUserFile"                 <- type of plug-in
    Method-Disabled = "FALSE"
    Method-On-Success = "[file:]checkPwd"        <- what to do if the plug-in ends with success:
    Message-On-Success = "User found in file"       • which other method to invoke (and in which file it is stored)
    Level-On-Success = "DEBUG"                      • optionally to generate a log
    Channel-On-Success = "LogToFile"
    Method-On-Failure = "method2"
    Message-On-Failure = "User not found in file"
    Level-On-Failure = "INFO"
    Channel-On-Failure = "LogToFile"
    Method-Timeout = 2000
    Method-On-Error = ""
    Message-On-Error = "File not found"
    Level-On-Error = "WARNING"
    Channel-On-Error = "LogToFile"
    ReadUserFile-Filename = "users"              <- plug-in properties
    ReadUserFile-SearchKey = "${packet.Base-User-Name}"

[Diagram: a method wraps a plug-in; each execution of the plug-in ends in Success, Failure or Error.]
Default Actions

Method-On-Success: If the method executes successfully and Method-On-Success is not defined, the PolicyFlow will end and an Access-Accept is sent (or an Accounting-Response for accounting).

Method-On-Fail: If the method execution ends in failure and Method-On-Fail is not defined, the PolicyFlow will end and an Access-Reject is sent (or the packet will be discarded for accounting).
    - The NAS will not receive a response and will retransmit.

Method-On-Error: If the method execution ends in error and Method-On-Error is not defined, the PolicyFlow will end and an Access-Reject is sent.
    - It can be configured in server_properties to discard the packet instead.
    - Or the packet will be discarded for accounting: the server never receives a response and will retransmit.

Method-Timeout: If the method does not complete execution before the timeout period, the PF ends and Method-On-Error is followed.
Optional actions at the end of the PF
When the PolicyFlow ends, VitalAAA can perform 2 checks:
First, it looks to see if the password has been checked (i.e. if ${check.Password} is still defined). If the password has not been checked, the AuthLocal plug-in can be automatically invoked.
Second, it checks if there are any check-items that still need to be tested (i.e. if any attributes with the "check" prefix are still defined). If untested check-items are found, the CheckItems plug-in can be automatically invoked.
These behaviors can be overridden by setting the Auto_CheckItem and/or Auto_Password server properties to false. Also configurable via the SMT: Server Properties.
PolicyFlow Example 1

Example case #1:
• Look for a user record in user file #1
• If the record is found, verify the password and check-items
    • If the password and check-items are OK send an Access-Accept,
    • Otherwise, send an Access-Reject
• If no record is found, send an Access-Reject
PolicyFlow Example 1

[Diagram: method_dispatch -> ReadUserFile "users" -> (succeed) AuthLocal -> (succeed) CheckItems -> (succeed) Accept; a fail at any of the three methods leads to Reject.]
Look up the user in the "users" file. If we cannot find the user record, reject the request.
Verify the password.
Check the CheckItems. If the Check-Items or the password do not match, reject the request.
PolicyFlow Example 1

aaa.pf:
read-user-file
    Method-Type = ReadUserFile
    Method-On-Success = pass-check
    ReadUserFile-Filename = users
pass-check
    Method-Type = AuthLocal
    Method-On-Success = auth-check
auth-check
    Method-Type = CheckItems

Remember, the default action for Method-On-Fail is to send an Access-Reject.
If that behavior is desired (as it is in our example) the Method-On-Fail control tag does not need to be specified.
PolicyFlow Example 1

users:
user1   password = foobar     Service-Type = Framed-User
        Ascend-Assign-IP-Pool = 0  Framed-IP-Netmask = 255.255.255.255
user2   password = secret     Service-Type = Framed-User
        Ascend-Assign-IP-Pool = 0  Framed-IP-Netmask = 255.255.255.255
user3   password = cant-tell  Service-Type = Framed-User
        Ascend-Assign-IP-Pool = 0  Framed-IP-Netmask = 255.255.255.255
user4   password = don't-ask  Service-Type = Framed-User
        Ascend-Assign-IP-Pool = 0  Framed-IP-Netmask = 255.255.255.255
PolicyFlow Example 1

Given the request:
User-Name = user3@local
password = cant-tell
NAS-IP-Address = 192.12.43.56
NAS-Port = 24
Called-Station-Id = 5105551212
Service-Type = Framed-User

We start the PolicyFlow with the following attribute settings:
request.User-Name = user3@local
request.password = cant-tell
request.NAS-IP-Address = 192.12.43.56
request.NAS-Port = 24
request.Called-Station-Id = 5105551212
request.Service-Type = Framed-User
packet.Base-User-Name = user3      (added automatically before method_select)
packet.User-Realm = local          (added automatically before method_select)
PolicyFlow Example 1

After reading the "users" file we now have:
request.User-Name = user3@local
request.password = cant-tell
request.NAS-IP-Address = 192.12.43.56
request.NAS-Port = 24
request.Called-Station-Id = 5105551212
request.Service-Type = Framed-User
packet.Base-User-Name = user3
packet.User-Realm = local
check.password = cant-tell                  (read from the "users" file)
check.Service-Type = Framed-User            (read from the "users" file)
reply.Ascend-Assign-IP-Pool = 0             (read from the "users" file)
reply.Framed-IP-Netmask = 255.255.255.255   (read from the "users" file)
PolicyFlow Example 1

The auth-check method uses the AuthLocal plug-in. If the password from the request and the user record match, the password retrieved from the user record is deleted (i.e. it is removed from the "check" attributes):
request.User-Name = user3@local
request.password = cant-tell
request.NAS-IP-Address = 192.12.43.56
request.NAS-Port = 24
request.Called-Station-Id = 5105551212
request.Service-Type = Framed-User
packet.Base-User-Name = user3
packet.User-Realm = local
check.password = cant-tell                  (deleted by AuthLocal)
check.Service-Type = Framed-User
reply.Ascend-Assign-IP-Pool = 0
reply.Framed-IP-Netmask = 255.255.255.255
PolicyFlow Example 1

The pass-check method uses the CheckItems plug-in. If the Check Items from the user record are "true" (i.e. they match items in the access request) they are removed:
request.User-Name = user3@local
request.password = cant-tell
request.NAS-IP-Address = 192.12.43.56
request.NAS-Port = 24
request.Called-Station-Id = 5105551212
request.Service-Type = Framed-User
packet.Base-User-Name = user3
packet.User-Realm = local
check.password = cant-tell                  (deleted earlier by AuthLocal)
check.Service-Type = Framed-User            (removed by CheckItems)
reply.Ascend-Assign-IP-Pool = 0
reply.Framed-IP-Netmask = 255.255.255.255
PolicyFlow Example 1

Finally the reply items (i.e. attributes with the reply prefix) are used to create an Access-Accept packet:
reply.Ascend-Assign-IP-Pool = 0
reply.Framed-IP-Netmask = 255.255.255.255

The Access-Accept would be a RADIUS type 2 packet and would contain the following attributes:
Ascend-Assign-IP-Pool = 0
Framed-IP-Netmask = 255.255.255.255
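The chain walked through in Example 1, together with the three method outcomes, the default actions and the optional end-of-PF checks described earlier, as an added Python model. This is not code from the Alcatel-Lucent deck or from VitalAAA: the method, plug-in and attribute names follow the slides, while the plug-in functions, run_policyflow and the in-memory users record, request and pf dictionary are this example's own constructed approximation (Method-Timeout is not modelled, and the control tag is spelled Method-On-Failure as on the syntax slide).

```python
# Added example: a small model of PolicyFlow chain execution (not the product's
# code). Method, plug-in and attribute names follow the slides; everything else
# is this example's own approximation.

SUCCESS, FAIL, ERROR = "success", "fail", "error"
ACCEPT, REJECT, DISCARD = "Access-Accept", "Access-Reject", "discard"

# Constructed in-memory copy of the slides' "users" record for user3.
USERS = {
    "user3": {"check": {"password": "cant-tell", "Service-Type": "Framed-User"},
              "reply": {"Ascend-Assign-IP-Pool": "0",
                        "Framed-IP-Netmask": "255.255.255.255"}},
}

# Constructed request from the slides' Example 1.
REQUEST = {"User-Name": "user3@local", "password": "cant-tell",
           "NAS-IP-Address": "192.12.43.56", "NAS-Port": "24",
           "Called-Station-Id": "5105551212", "Service-Type": "Framed-User"}

# Constructed equivalent of the slides' aaa.pf: no Method-On-Failure anywhere,
# so the default action (Access-Reject) applies on every failure.
AAA_PF = {
    "read-user-file": {"Method-Type": "ReadUserFile", "Method-On-Success": "pass-check"},
    "pass-check":     {"Method-Type": "AuthLocal",    "Method-On-Success": "auth-check"},
    "auth-check":     {"Method-Type": "CheckItems"},
}


def read_user_file(attrs):
    """ReadUserFile: load the check and reply items of packet.Base-User-Name."""
    rec = USERS.get(attrs["packet"]["Base-User-Name"])
    if rec is None:
        return FAIL                      # record not found
    attrs["check"].update(rec["check"])
    attrs["reply"].update(rec["reply"])
    return SUCCESS


def auth_local(attrs):
    """AuthLocal: compare request.password with check.password; on a match the
    check item is deleted, so nothing is left for the end-of-flow check."""
    expected = attrs["check"].get("password")
    if expected is None:
        return ERROR                     # nothing to verify against
    if attrs["request"].get("password") != expected:
        return FAIL
    del attrs["check"]["password"]
    return SUCCESS


def check_items(attrs):
    """CheckItems: every remaining check item must match the request; matched
    items are removed, the first mismatch fails the method."""
    for name, wanted in list(attrs["check"].items()):
        if attrs["request"].get(name) != wanted:
            return FAIL
        del attrs["check"][name]
    return SUCCESS


PLUGINS = {"ReadUserFile": read_user_file, "AuthLocal": auth_local,
           "CheckItems": check_items}


def run_policyflow(pf, start, request, accounting=False,
                   auto_password=True, auto_checkitem=True):
    """Walk the chain from `start`; return (verdict, reply attributes)."""
    base, _, realm = request["User-Name"].partition("@")
    attrs = {"request": dict(request), "check": {}, "reply": {},
             "packet": {"Base-User-Name": base, "User-Realm": realm}}
    negative = DISCARD if accounting else REJECT
    name = start
    while name:                          # an undefined On-* tag ends the flow
        method = pf[name]
        outcome = PLUGINS[method["Method-Type"]](attrs)
        if outcome == SUCCESS:
            name = method.get("Method-On-Success")
        elif outcome == FAIL:
            if "Method-On-Failure" not in method:
                return negative, {}
            name = method["Method-On-Failure"]
        else:                            # ERROR: same default as failure here
            if "Method-On-Error" not in method:
                return negative, {}
            name = method["Method-On-Error"]
    if accounting:
        return "Accounting-Response", {}
    # Optional end-of-flow actions (Auto_Password / Auto_CheckItem).
    if auto_password and "password" in attrs["check"] and auth_local(attrs) != SUCCESS:
        return REJECT, {}
    if auto_checkitem and attrs["check"] and check_items(attrs) != SUCCESS:
        return REJECT, {}
    return ACCEPT, dict(attrs["reply"])
```

Running the Example 1 request through AAA_PF yields Access-Accept with the two reply items; a wrong password, an unknown user or a mismatched Service-Type each end in Access-Reject without any Method-On-Failure being written. A chain that stops after read-user-file is still rejected on a wrong password because the Auto_Password and Auto_CheckItem checks run at the end of the flow; with both of them set to false that same chain accepts, which is why those two server properties deserve a look whenever a .pf omits the AuthLocal or CheckItems step.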
Templates - Introduction
Templates are used to provide a common reference point for reply item or Check Items sets that are often used for many users.
It is a way of grouping together common attributes for groups of users.

[Diagram: user1, user2, user3 ... user_N point to template_1 (common attributes); user4 points to template_2 (common attributes).]
Templates - without a Template

users:
bob     password = "secret"    NAS-Port-Type = Async  Time-of-Day = "1800-0800"
        Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.0, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
chuck   password = "canttell"  NAS-Port-Type = Async  Time-of-Day = "1800-0800"
        Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.0, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
sara    password = "terces"    NAS-Port-Type = Async  Time-of-Day = "1800-0800"
        Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.0, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
No Templates - Disadvantages
Note that except for the User-Name and Password, each entry is otherwise identical.
It also suffers from a number of weaknesses:
• It requires a lot of extra data entry work
• It is prone to input errors
• It wastes disk space
• It makes changes very difficult
Templates - Advantages
Using a "template" for the Check Items and Reply Items would make our task much easier.
The file would look like this instead:

user_accounts:
bob     password = "secret"    Service-Template = Limited-Analog
chuck   password = "canttell"  Service-Template = Limited-Analog
sara    password = "terces"    Service-Template = Limited-Analog
Etc...
Templates - The Template File
To make this all work we will create a file, called service-templates, with the following entries:

service-templates:
Limited-Analog  NAS-Port-Type = Async  Time-of-Day = "1800-0800"
        Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.255, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
        Session-Timeout = 3600   # 1 hour
Gold-Analog     NAS-Port-Type = Async
        Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.255, Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
        Session-Timeout = 42300  # 12 hours
Etc.
Templates - Methods
1. Read things that are different for every user: password and template name
2. Read things that are common for a group of users: the parameters in that template

read-user-file
    Method-Type = ReadUserFile
    Method-On-Success = get-template
    ReadUserFile-Filename = user-accounts
get-template
    Method-Type = ReadUserFile
    Method-On-Success = pass-check
    ReadUserFile-Filename = service-templates
    ReadUserFile-SearchKey = ${reply.Service-Template}
    # Now, we should delete the non-dictionary reply item
    ReadUserFile-Map = "delete ${reply.Service-Template};"
pass-check
    Method-Type = AuthLocal
    Method-On-Success = auth-check
auth-check
    Method-Type = CheckItems
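The two-step lookup in the methods above (read-user-file, then get-template keyed by ${reply.Service-Template}, then the ReadUserFile-Map delete of that item), as an added Python example that is not the product's code: a parser for users-style files laid out like the slides and a resolver that merges the template into the user's record. The file contents are constructed after the slides (a dave entry is added to show a template that does not exist); the layout convention (unindented line = key plus check items, indented lines = reply items, Service-Template on a reply line so that it is ${reply.Service-Template}), the handling of an empty search key and the precedence of per-user items over template items are assumptions of this example.

```python
import re

# Constructed files laid out after the slides (not the product's files); the
# dave entry is added to show a template that does not exist.
USER_ACCOUNTS = """\
bob     password = "secret"
        Service-Template = Limited-Analog
chuck   password = "canttell"
        Service-Template = Limited-Analog
dave    password = "xyz"
        Service-Template = Platinum-Analog
"""

SERVICE_TEMPLATES = """\
Limited-Analog  NAS-Port-Type = Async  Time-of-Day = "1800-0800"
        Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.255,
        Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
        Session-Timeout = 3600   # 1 hour
Gold-Analog     NAS-Port-Type = Async
        Framed-Protocol = PPP, Ascend-Assign-IP-Pool = 1, Framed-IP-Netmask = 255.255.255.255,
        Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP
        Session-Timeout = 42300  # value as written on the slide
"""

PAIR = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^\s,]+)')


def parse_pairs(text):
    """'Attr = value' pairs, space or comma separated; quotes are stripped."""
    return {k: v.strip('"') for k, v in PAIR.findall(text)}


def parse_users_file(text):
    """Assumed layout: an unindented line starts an entry (key, then check
    items); indented continuation lines carry reply items."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():
            key, _, rest = line.partition(" ")
            current = entries[key] = {"check": parse_pairs(rest), "reply": {}}
        elif current is not None:
            current["reply"].update(parse_pairs(line))
    return entries


def resolve_user(username, users, templates):
    """read-user-file, then get-template keyed by ${reply.Service-Template},
    then the ReadUserFile-Map 'delete' of that non-dictionary reply item.
    Returns the merged record, or None where a lookup fails (the chain's
    default action, Access-Reject, would then apply)."""
    user = users.get(username)
    if user is None:
        return None
    record = {"check": dict(user["check"]), "reply": dict(user["reply"])}
    template_name = record["reply"].pop("Service-Template", None)
    if template_name is None:
        return None                       # empty search key: treated as a failed lookup (assumption)
    template = templates.get(template_name)
    if template is None:
        return None
    for section in ("check", "reply"):
        for attr, value in template[section].items():
            record[section].setdefault(attr, value)   # assumption: per-user items win
    return record


USERS = parse_users_file(USER_ACCOUNTS)
TEMPLATES = parse_users_file(SERVICE_TEMPLATES)
```

resolve_user("bob", USERS, TEMPLATES) returns bob's password plus the Limited-Analog check items and its six reply items, with Service-Template gone; dave's record resolves to None because Platinum-Analog is not in the template file, which is the get-template failure the slides route to Access-Reject.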
Templates - Final Thoughts
Templates can be retrieved from any data source: delimited files, database records, LDAP, etc.
However, standard "users" files usually make the best choice for template storage:
• They are read into memory and cached at startup
• They can be reloaded without restarting the PolicyServer
• Check Item and Reply Item mapping is simplified
Separate templates can be provided for Reply Items and Check Items:
• Handy when users can have any combination of reply-items & check-items
• Specific reply-items and check-items could be used for each user
PolicyFlow Example 2

Example case #2:
• Look for a user record in the LDAP directory
• If the record is found, retrieve the template
• If the template is found, check the password and check-items
    • If the password and check-items are OK send an Access-Accept,
    • Otherwise, send an Access-Reject
PolicyFlow Example 2

[Diagram: method_dispatch -> Ldap -> (succeed) ReadUserFile -> (succeed) AuthLocal -> (succeed) CheckItems -> (succeed) Accept; Ldap fail/error, ReadUserFile fail, AuthLocal fail or CheckItems fail -> Reject.]
Start by doing an LDAP query. Save the "service type" field contents in ${user.Service-Type}.
Lookup the "service-type" in a text file.
Finish up by checking the password and any check-items from the "service-type" entry.
Return the reply attributes from the "service-type" entry in an access accept packet.
Reject the attempt if we fail to find the user in LDAP or if the Password or Check-Items tests fail.
PolicyFlow Example 2

ldap-query
    Method-Type = Ldap
    Method-On-Success = get-template
    Method-Timeout = 2000
    Ldap-Host = directory.isp1.net
    Ldap-Operation = SEARCH
    Ldap-BindDN = "cn = dir_man, o = isp1, c = US"
    Ldap-BindPasswd = 7olleh-44
    Ldap-SearchBase = "o = isp1, c = US"
    Ldap-SearchFilter = "uid = ${packet.Base-User-Name}"
    Ldap-Map = "${check.Password} = ${Password};"
    Ldap-Map = "${user.Service-Class} = ${Service-Type};"
get-template
    Method-Type = ReadUserFile
    Method-On-Success = pass-check
    ReadUserFile-Filename = template-file
    ReadUserFile-SearchKey = ${user.Service-Class}
pass-check
    Method-Type = AuthLocal
    Method-On-Success = auth-check
auth-check
    Method-Type = CheckItems
PolicyFlow Example 2

An example LDAP entry:
o = isp1
c = US
uid = happy
Password = secret
Service-Type = basic-analog

template-file:
basic-analog    Prohibit-NAS-Port-Type = Sync
        Ascend-Assign-IP-Pool = 0
        Framed-IP-Netmask = 255.255.255.0
isdn            # Note there are no check items
        Ascend-Assign-IP-Pool = 0
        Framed-IP-Netmask = 255.255.255.0
        Port-Limit = 2
PolicyFlow Example 2

Given the request:
User-Name = happy@isp1
password = secret
NAS-IP-Address = 192.12.43.56
NAS-Port = 24
NAS-Port-Type = Async
Called-Station-Id = 5105551212
Service-Type = Framed-User
PolicyFlow Example 2

We start the PolicyFlow with the following attribute settings:
request.User-Name = happy@isp1
request.password = secret
request.NAS-IP-Address = 192.12.43.56
request.NAS-Port = 24
request.NAS-Port-Type = Async
request.Called-Station-Id = 5105551212
request.Service-Type = Framed-User
packet.Base-User-Name = happy
packet.User-Realm = isp1
PolicyFlow Example 2

After performing a successful LDAP query, we now have the following data saved in the internal attributes:
request.User-Name = happy@isp1
request.password = secret
request.NAS-IP-Address = 192.12.43.56
request.NAS-Port = 24
request.NAS-Port-Type = Async
request.Called-Station-Id = 5105551212
request.Service-Type = Framed-User
packet.Base-User-Name = happy
packet.User-Realm = isp1
check.Password = secret
user.Service-Class = basic-analog
PolicyFlow Example 2

Next we lookup the "basic-analog" template. Now the internal attribute list looks like this:
request.User-Name = happy@isp1
request.password = secret
request.NAS-IP-Address = 192.12.43.56
request.NAS-Port = 24
request.NAS-Port-Type = Async
request.Called-Station-Id = 5105551212
request.Service-Type = Framed-User
packet.Base-User-Name = user3
packet.User-Realm = isp1
check.password = secret
check.Prohibit-NAS-Port-Type = Sync
user.Service-Class = basic-analog
reply.Ascend-Assign-IP-Pool = 0
reply.Framed-IP-Netmask = 255.255.255.0
PolicyFlow Example 2

If the password from the request and the user record match, the password retrieved from the user record is deleted from the check items:
request.User-Name = happy@isp1
request.password = secret
request.NAS-IP-Address = 192.12.43.56
request.NAS-Port = 24
request.NAS-Port-Type = Async
request.Called-Station-Id = 5105551212
request.Service-Type = Framed-User
packet.Base-User-Name = user3
packet.User-Realm = isp1
check.password = secret                     (deleted by AuthLocal)
check.Prohibit-NAS-Port-Type = Sync
user.template = basic-analog
reply.Ascend-Assign-IP-Pool = 0
reply.Framed-IP-Netmask = 255.255.255.0
PolicyFlow Example 2

If the Check Items from the user record are "true" (i.e. they match items in the access request) they are removed:
request.User-Name = happy@isp1
request.password = secret
request.NAS-IP-Address = 192.12.43.56
request.NAS-Port = 24
request.NAS-Port-Type = Async
request.Called-Station-Id = 5105551212
request.Service-Type = Framed-User
packet.Base-User-Name = user3
packet.User-Realm = isp1
check.password = secret                     (deleted earlier by AuthLocal)
check.Prohibit-NAS-Port-Type = Sync         (removed by CheckItems)
user.template = basic-analog
reply.Ascend-Assign-IP-Pool = 0
reply.Framed-IP-Netmask = 255.255.255.0
PolicyFlow Example 2

Finally the reply items are used to create an Access-Accept packet:
reply.Ascend-Assign-IP-Pool = 0
reply.Framed-IP-Netmask = 255.255.255.0

The Access-Accept would be a RADIUS type 2 packet and would contain the following attributes:
Ascend-Assign-IP-Pool = 0
Framed-IP-Netmask = 255.255.255.0
PolicyFlows Linkage (I)

[Diagram: a Branch method selects on the realm; realm = local -> ReadUserFile -> Accept or Reject; realm = isp1 -> Ldap -> Accept or Reject.]
PolicyFlows linkage (II)

method_dispatch:
# Prot    Type   Code                File   Method
radius    Auth   Access-Request      aaa    Branch4realms
radius    Acct   Accounting-Request  aaa    writeDetail

aaa.pf:
Branch4realms
    Method-Type = "Branch"
    Branch-Case = "local read-user-file"
    Branch-Case = "isp1 ldap-query"
    Branch-SelectMode = "KEY"
    Branch-SearchKey = "${packet.User-Realm}"
    Branch-IgnoreCase = "TRUE"
ldap-query
    Method-Type = ReadLdap .......
read-user-file
    Method-Type = ReadUserFile .....

[Diagram: john@local is routed to read-user-file, john@isp1 to ldap-query.]
PolicyFlow linkage (III)
The initial branch can be made on any VA variable:
• Service-Type = ${request.Service-Type}
    • Framed - for PPP users
    • Call-Check - for pre-auth in dial-up
    • Outbound - for pseudo-users
    • Administrative - for routers/NAS administrators
• Client Class = ${client.Client-Class}
• Calling or Called station id
• Type of accounting packet = ${request.Acct-Status-Type}
    • Start, stop, interim, accounting-on, accounting-off
Also a WILDCARD select mode can be used:
    Branch-SearchKey = "${request.Called-Station-Id}"
    Branch-Case = "909* check_calling"
    Branch-Case = "908* accept_call"
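The KEY and WILDCARD select modes of the Branch method, as an added Python example that is not the product's code: the split of User-Name into packet.Base-User-Name and packet.User-Realm, ${group.Attr} expansion of Branch-SearchKey, and a Branch evaluator that returns the target of the first matching Branch-Case. The two Branch methods are constructed from the slides; representing the repeated Branch-Case tag as a list, the first-match rule and the expansion of an unset attribute to an empty string are assumptions of this example. A key that matches no case makes the branch fail, so with no Method-On-Failure defined the default action (Access-Reject) applies; the realm comes straight from the User-Name the client sent, which is why an unknown realm must fall through to that default rather than to a permissive case.

```python
import fnmatch
import re

# Constructed Branch methods after the slides (Branch-Case kept as a list,
# an assumption of this example; the product repeats the tag per case).
BRANCH4REALMS = {
    "Method-Type": "Branch",
    "Branch-Case": ["local read-user-file", "isp1 ldap-query"],
    "Branch-SelectMode": "KEY",
    "Branch-SearchKey": "${packet.User-Realm}",
    "Branch-IgnoreCase": "TRUE",
}
BRANCH_BY_DNIS = {
    "Method-Type": "Branch",
    "Branch-Case": ["909* check_calling", "908* accept_call"],
    "Branch-SelectMode": "WILDCARD",
    "Branch-SearchKey": "${request.Called-Station-Id}",
}

VAR = re.compile(r"\$\{(\w+)\.([\w-]+)\}")


def split_user_name(user_name):
    """packet.Base-User-Name and packet.User-Realm, as added before method_select."""
    base, sep, realm = user_name.partition("@")
    return base, (realm if sep else "")


def expand(text, attrs):
    """Expand ${group.Attr} references; an unset attribute expands to '' (assumption)."""
    return VAR.sub(lambda m: attrs.get(m.group(1), {}).get(m.group(2), ""), text)


def branch(method, attrs):
    """Return the target method of the first Branch-Case whose key matches the
    expanded Branch-SearchKey, or None when no case matches (the branch fails,
    so without a Method-On-Failure the default Access-Reject applies)."""
    key = expand(method["Branch-SearchKey"], attrs)
    mode = method.get("Branch-SelectMode", "KEY").upper()
    ignore_case = method.get("Branch-IgnoreCase", "FALSE").upper() == "TRUE"
    if ignore_case:
        key = key.lower()
    for case in method["Branch-Case"]:
        pattern, target = case.split(None, 1)
        if ignore_case:
            pattern = pattern.lower()
        if mode == "KEY":
            matched = key == pattern
        else:                                   # WILDCARD: shell-style globbing
            matched = fnmatch.fnmatchcase(key, pattern)
        if matched:
            return target
    return None


def dispatch(user_name, called_station_id):
    """Build the attribute groups for a request and evaluate both branches."""
    base, realm = split_user_name(user_name)
    attrs = {"request": {"User-Name": user_name, "Called-Station-Id": called_station_id},
             "packet": {"Base-User-Name": base, "User-Realm": realm}}
    return branch(BRANCH4REALMS, attrs), branch(BRANCH_BY_DNIS, attrs)
```

dispatch("john@local", "9095551212") yields ("read-user-file", "check_calling"); "john@ISP1" still reaches ldap-query because Branch-IgnoreCase is TRUE, while a realm such as "other" or a User-Name without any realm produces None from the realm branch.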
Cron-based PolicyFlows
It is also possible to start a PF based on time, similar to UNIX crontabs. The ${request.*} variables can be specified.
New in 5.2

method_dispatch:
# Protocol  Type         Code                       File  Method
# --------  ----         ----                       ----  ------
radius      auth         1                          aaa   readRadiusUser
cron        "0 * * * *"  User-Name=nobody@norealm   aaa   WriteLog
radius      acct         4                          aaa   updateLocalLimits
PolicyFlow - Method Dispatch
PolicyFlow - PF files
We can see all configured methods, create/delete others, and configure the Method-On-Success/Fail/Error.
We can also add extra PF files.
PolicyFlow - Methods Configuration
PolicyGrapher (I)
There is a tool to represent a PF in a graphical format, using 3rd party software called "GraphViz" from AT&T. This software must be installed separately from VA.
The PolicyGraph can be:
• Viewed from the SMT
• Saved to a gif file

[Diagram: xxx.pf -> (SMT) -> xxx.dot -> (GraphViz) -> xxx.gif|jpg...]
PolicyGrapher (II)
It has to be configured:
• the grapher program to use (recommended: dot.exe) and the directory where it has been installed
• extra parameters related to colors, shape, and to explicitly graph success, failure or error nodes representing the end of the PF
Properties are stored in the <$VA>/run/policygraph.properties file.
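The xxx.pf -> xxx.dot step of the PolicyGrapher, as an added Python example that is not the SMT's or PolicyGrapher's code: a parser for a .pf laid out as a method name followed by indented control tags (an assumed layout; the methods themselves are constructed from the slides' examples), a .dot generator that draws one edge per Method-On-Success/Failure/Error tag and, like the "explicitly graph success, failure or error nodes" option above, dashed edges to Accept/Reject end nodes where a tag is not defined, plus a check for targets that name no existing method. Treating Branch-Case edges as replacing the success edge of a Branch method is this example's assumption.

```python
# Constructed aaa.pf, laid out as method name followed by indented control
# tags (an assumed layout; method contents follow the slides' examples).
AAA_PF = '''
Branch4realms
    Method-Type = "Branch"
    Branch-Case = "local read-user-file"
    Branch-Case = "isp1 ldap-query"
    Branch-SelectMode = "KEY"
    Branch-SearchKey = "${packet.User-Realm}"
read-user-file
    Method-Type = "ReadUserFile"
    Method-On-Success = "pass-check"
    ReadUserFile-Filename = "users"
ldap-query
    Method-Type = "Ldap"
    Method-On-Success = "get-template"
    Method-Timeout = 2000
get-template
    Method-Type = "ReadUserFile"
    Method-On-Success = "pass-check"
    ReadUserFile-Filename = "template-file"
pass-check
    Method-Type = "AuthLocal"
    Method-On-Success = "auth-check"
auth-check
    Method-Type = "CheckItems"
'''

# (outcome, edge colour, end node used when the On-* tag is not defined)
OUTCOMES = (("Success", "green", "Accept"), ("Failure", "red", "Reject"),
            ("Error", "orange", "Reject"))


def parse_pf(text):
    """Parse the .pf layout above into {method: {tag: value}}; Branch-Case
    may repeat, so it is collected into a list."""
    methods, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = methods[line.strip()] = {}
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip().strip('"')
            if key == "Branch-Case":
                current.setdefault(key, []).append(value)
            else:
                current[key] = value
    return methods


def target_name(tag_value):
    """Method-On-* may carry a "[file:]method" prefix; keep the method part."""
    return tag_value.split(":")[-1]


def to_dot(methods, explicit_ends=True):
    """Emit Graphviz dot: one box per method, a coloured edge per outcome and,
    when explicit_ends is set, dashed edges to Accept/Reject for outcomes whose
    Method-On-* tag is not defined (the default actions)."""
    out = ["digraph PolicyFlow {", "  node [shape=box];",
           "  Accept [shape=ellipse]; Reject [shape=ellipse];"]
    for name, m in methods.items():
        out.append(f'  "{name}" [label="{name}\\n{m.get("Method-Type", "?")}"];')
        for outcome, colour, end_node in OUTCOMES:
            target = m.get(f"Method-On-{outcome}")
            if target:
                out.append(f'  "{name}" -> "{target_name(target)}" [color={colour}, label="{outcome.lower()}"];')
            elif explicit_ends and not (outcome == "Success" and "Branch-Case" in m):
                out.append(f'  "{name}" -> {end_node} [color={colour}, style=dashed, label="{outcome.lower()} (default)"];')
        for case in m.get("Branch-Case", []):   # case edges replace the success edge (assumption)
            key, target = case.split(None, 1)
            out.append(f'  "{name}" -> "{target}" [label="{key}"];')
    out.append("}")
    return "\n".join(out)


def dangling_targets(methods):
    """Targets that name no defined method: the chain would break there at
    run time, so report them before the file is loaded."""
    missing = set()
    for m in methods.values():
        targets = [target_name(m[k]) for k in ("Method-On-Success", "Method-On-Failure", "Method-On-Error") if m.get(k)]
        targets += [c.split(None, 1)[1] for c in m.get("Branch-Case", [])]
        missing.update(t for t in targets if t not in methods)
    return missing


if __name__ == "__main__":
    methods = parse_pf(AAA_PF)
    print(to_dot(methods))                  # pipe into: dot -Tgif -o aaa.gif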
PolicyGrapher (III)
PolicyFlow Editor vs. PolicyAssistant
PolicyFlow Editor: to edit the method_dispatch file and the *.pf files. Only viewable if not using the PolicyAssistant.
PolicyAssistant: to create simple policies using a Wizard. Only viewable if not configuring a PolicyFlow.
The SMT knows which option to show based on the server property provisioningInstalled:
    provisioningInstalled = FALSE => PF
    provisioningInstalled = TRUE  => PA

[Chart: configuration time versus what can be done, comparing PF and PA.]
Policy Assistant (I)
A graphical wizard to configure "simple" AAA policies.
It has a predefined policyflow (PF) reading configuration information from some text files: data.config-info, data.dnis-info.csv, data.realm-info.csv, policyassistant_properties.
The PolicyAssistant (PA) wizard populates data in these files.
Policy Assistant (II): Users Authentication
Policy Assistant (III): Accounting info and USS for limits
Policy Assistant (IV): Extra info and templates for authorization
Policy Assistant (& V): Policy to realm mapping
Finally, a realm must be assigned to a Policy.
Extra parameters can be configured related to the USS where it is located (in case it is on a different host), and extra limits based on DNIS and for the whole policy.
PolicyAssistant Accounting DB schema
When selecting to store the acct records in the internal DB (Hypersonic SQL), there are 2 tables to store the information:
• ACTIVE: stores the active connections at that moment
• ACCOUNTING: stores the already ended connections (historical data, for reporting, statistics, billing, etc.)
Changing PolicySet
At any moment, we can change to the PolicyAssistant or install any of the predefined sample PolicyFlows. These PFs are under the <$VA>/run/samples directory; they are just copied to the <$VA>/run directory.