F5BigRadiusProtocolProfile
Overview
The F5BigRadiusProtocolProfile Custom Resource (CR) defines how BIG-IP Next CNF parses RADIUS Accounting messages and constructs a unique Subscriber ID (NAI, IMSI, or E164) for subscriber awareness. It specifies the set of RADIUS attributes to import per message type (Start, Interim, Stop), how to map those attributes into subscriber session fields, and the recipe used to build the Subscriber ID. When applied, the profile enables the TMM RADIUS module to validate, extract, and persist subscriber attributes so CGNAT/FWNAT logs can consistently include the Subscriber ID.
This document guides you through understanding, configuring and deploying a simple F5BigRadiusProtocolProfile CR.
Parameters
The following tables describe the F5BigRadiusProtocolProfile CR parameters.
metadata
| Parameter | Description |
|---|---|
| name | The name of the RADIUS Protocol Profile. This value is referenced by subscriber-aware configurations (for example, F5BigRadiusSubscriberAwareProfile) and Secure Contexts. |
| namespace | The Kubernetes namespace where the profile is installed. |
spec
The table below describes the CR’s spec parameters:
| Parameter | Description |
|---|---|
| subscriberIdType | Specifies the type of subscriber ID used in the RADIUS protocol profile. The valid values are nai, imsi, and e164. The default value is nai. |
| subscriberIdList | Specifies the list of RADIUS attributes and parameters from which the subscriber ID is created. |
| subscriberIdList.name | Specifies the preferred name for a combination of array items based on the RADIUS attribute. This value must be non-empty and can contain letters (a–z, A–Z), digits (0–9), the period (.), underscore (_), or hyphen (-). No spaces, slashes, at-signs, or other special characters are allowed. |
| subscriberIdList.order | Specifies the order in which RADIUS attributes are concatenated to create the subscriber ID. The order must be unique across subscriber ID array objects. |
| subscriberIdList.prefix | Specifies the string that is added at the beginning of the RADIUS attribute. |
| subscriberIdList.suffix | Specifies the string that is appended at the end of the RADIUS attribute. |
| subscriberIdList.radiusAttribute | Specifies the RADIUS attribute used to create the subscriber ID. This attribute will have soft reference capability and must be unique across the list. This value must be non-empty and can contain letters (a–z, A–Z), digits (0–9), the period (.), underscore (_), or hyphen (-). No spaces, slashes, at-signs, or other special characters are allowed. |
| radiusMessages | Specifies the list of RADIUS messages that will be processed for this profile. This attribute will have soft reference capability. Each message defines its type (Start/Interim/Stop), optional direction, and the attributes to import/map. |
| radiusMessages.name | Specifies the type of subscriber ID used in the RADIUS protocol profile. It must be unique across radiusMessages. This value must be non-empty and can contain letters (a–z, A–Z), digits (0–9), the period (.), underscore (_), or hyphen (-). No spaces, slashes, at-signs, or other special characters are allowed. |
| radiusMessages.direction | Specifies the direction in which the RADIUS module should process the packet. The allowed values are any, in, and out. The default value is any. |
| radiusMessages.messageType | Specifies the type of the message according to the RADIUS Accounting RFC. The allowed values are acc-start, acc-interim, and acc-stop. |
| radiusMessages.attributeList | Specifies a list of RADIUS attributes that need to be inspected in the RADIUS message of a specific type. |
| radiusMessages.attributeList.name | Specifies the type of subscriber ID used in the RADIUS protocol profile. This value must be non-empty and can contain letters (a–z, A–Z), digits (0–9), the period (.), underscore (_), or hyphen (-). No spaces, slashes, at-signs, or other special characters are allowed. |
| radiusMessages.attributeList.default | Specifies the default value for the RADIUS attribute if it is not present in the RADIUS message of a specific type. This value must be non-empty and can contain letters (a–z, A–Z), digits (0–9), the period (.), underscore (_), or hyphen (-). No spaces, slashes, at-signs, or other special characters are allowed. |
| radiusMessages.attributeList.ingress | Specifies whether to import the RADIUS attribute value or ignore it in the RADIUS message of a specific type. |
| radiusMessages.attributeList.radiusAttribute | Specifies the RADIUS attribute to be processed in the RADIUS message. The value should be the RADIUS attribute name. This attribute will have soft reference capability. This value must be non-empty and can contain letters (a–z, A–Z), digits (0–9), the period (.), underscore (_), or hyphen (-). No spaces, slashes, at-signs, or other special characters are allowed. |
| radiusMessages.attributeList.subscriberAttribute | Specifies the name of the subscriber session attribute that is used to map to the RADIUS AVP. This value must be non-empty and can contain letters (a–z, A–Z), digits (0–9), the period (.), underscore (_), or hyphen (-). No spaces, slashes, at-signs, or other special characters are allowed. |
CR Examples
```yaml
apiVersion: apiextensions.k8s.io/v1
kind: "CustomResourceDefinition"
metadata:
  name: <<name>>.k8s.f5net.com
  # def_webhook_conversion_annotation
  # alias_disable
spec:
  group: k8s.f5net.com
  versions:
    - name: v1
      served: true
      storage: true
      # en_status_subresource
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            # def_status_object
            spec:
              type: object
              # CEL cross-attribute validation
              x-kubernetes-validations:
                # Ensure that 'order' is unique across all items in subscriberIdList
                - rule: "self.subscriberIdList.all(i, self.subscriberIdList.filter(x, x.order == i.order).size() == 1)"
                  message: "Each 'order' in subscriberIdList must be unique."
                # Ensure that each radiusAttribute in subscriberIdList is unique
                - rule: "self.subscriberIdList.all(i, self.subscriberIdList.filter(x, x.radiusAttribute == i.radiusAttribute).size() == 1)"
                  message: "Each 'radiusAttribute' in subscriberIdList must be unique."
                # Ensure that each name in radiusMessages is unique
                - rule: "self.radiusMessages.all(i, self.radiusMessages.filter(x, x.name == i.name).size() == 1)"
                  message: "Each 'name' in radiusMessages must be unique."
              properties:
                subscriberIdType:
                  description: >
                    Specifies the type of subscriber ID used in the radius protocol profile.
                  type: string
                  default: "nai"
                  enum: ["nai", "imsi", "e164"]
                subscriberIdList:
                  description: >
                    Specifies list of radius attributes and parameters using which
                    subscriber ID will be created.
                  type: array
                  default: []
                  maxItems: 16
                  items:
                    type: object
                    description: >
                      Specifies radius attributes and parameters using which
                      subscriber ID will be created.
                    required:
                      - name
                      - order
                      - radiusAttribute
                    properties:
                      name:
                        type: string
                        description: >
                          Specify the user's preferred name for a combination of array
                          items based on the radius attribute.
                        minLength: 1
                        maxLength: 255
                        pattern: "^[0-9a-zA-Z._-]+$"
                      order:
                        description: >
                          Specifies the order in which RADIUS attributes are concatenated
                          to create the subscriber ID. The order must be unique across
                          subscriber ID array objects.
                        type: integer
                        minimum: 1
                        maximum: 5
                      prefix:
                        description: >
                          Specifies the string that needs to be appended at the
                          beginning of the radius attribute.
                        type: string
                        default: ''
                        minLength: 0
                        maxLength: 15
                        pattern: "^[0-9a-zA-Z._-]*$"
                      suffix:
                        description: >
                          Specifies the string that needs to be appended at the
                          end of the radius attribute.
                        type: string
                        default: ''
                        minLength: 0
                        maxLength: 15
                        pattern: "^[0-9a-zA-Z._-]*$"
                      radiusAttribute:
                        description: >
                          Specifies the RADIUS attribute used to create the subscriber ID.
                          This attribute will have soft reference capability.
                        type: string
                        minLength: 1
                        maxLength: 255
                        pattern: "^[0-9a-zA-Z._-]+$"
                radiusMessages:
                  description: >
                    Specifies the list of RADIUS messages that will be processed for
                    this profile. This attribute will have soft reference capability.
                  type: array
                  default: []
                  maxItems: 8
                  items:
                    type: object
                    description: >
                      Specifies the RADIUS messages that will be processed for this profile.
                    required:
                      - name
                      - messageType
                    properties:
                      name:
                        description: >
                          Specifies the type of subscriber ID used in the radius protocol profile.
                        type: string
                        minLength: 1
                        maxLength: 255
                        pattern: "^[0-9a-zA-Z._-]+$"
                      direction:
                        description: >
                          Specifies the direction in which the radius module should process the packet.
                        type: string
                        default: "any"
                        enum: ["any", "in", "out"]
                      messageType:
                        description: >
                          Specifies the type of the message according to RADIUS Accounting RFC.
                        type: string
                        enum: ["acc-start", "acc-stop", "acc-interim"]
                      attributeList:
                        description: >
                          Specifies a list of radius attributes that need to be inspected
                          in the RADIUS message of a specific type.
                        type: array
                        default: []
                        maxItems: 32
                        items:
                          type: object
                          description: >
                            Specify the radius attribute and whether it should be imported
                            from the radius message or not. Additionally, if the attribute
                            is not present in the radius message, define the default value.
                          required:
                            - name
                            - default
                            - radiusAttribute
                            - subscriberAttribute
                          properties:
                            name:
                              description: >
                                Specifies the type of subscriber ID used in the radius protocol profile.
                              type: string
                              minLength: 1
                              maxLength: 255
                              pattern: "^[0-9a-zA-Z._-]+$"
                            default:
                              description: >
                                Specifies the default value for the RADIUS attribute if it is not present
                                in the RADIUS message of a specific type.
                              type: string
                              minLength: 1
                              maxLength: 255
                              pattern: "^[0-9a-zA-Z._-]+$"
                            ingress:
                              description: >
                                Specifies whether to import the RADIUS attribute value or ignore it
                                in the RADIUS message of a specific type.
                              type: string
                              default: "import"
                              enum: ["import", "none"]
                            radiusAttribute:
                              description: >
                                Specifies the RADIUS atttibute to be processed in the RADIUS message.
                                The value should radius attibutename. This attribute will have soft
                                reference capability.
                              type: string
                              minLength: 1
                              maxLength: 255
                              pattern: "^[0-9a-zA-Z._-]+$"
                            subscriberAttribute:
                              description: >
                                Specifies the name of the subscriber session attribute that is used to map to the RADIUS AVP.
                              type: string
                              minLength: 1
                              maxLength: 255
                              pattern: "^[0-9a-zA-Z._-]+$"
```
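A pre-apply lint for `spec.subscriberIdList`, added here as an example (it is not F5 code): it re-checks the schema's field patterns and the two CEL uniqueness rules, then assembles an ID by concatenating prefix, attribute value and suffix in `order`, as the parameter table describes. The attribute names `User-Name` and `Calling-Station-Id`, the sample values and the function names are assumptions, and the assembly illustrates the documented recipe rather than TMM's implementation.

```python
import re

# Same character classes as the CRD patterns. fullmatch() is used because
# Python's "$" would also accept a trailing newline.
NAME_RE = re.compile(r"[0-9a-zA-Z._-]+")   # name, radiusAttribute (1-255 chars)
AFFIX_RE = re.compile(r"[0-9a-zA-Z._-]*")  # prefix, suffix (0-15 chars)

def lint_subscriber_id_list(items):
    """Return violations of the CRD constraints on spec.subscriberIdList."""
    errors = []
    if len(items) > 16:
        errors.append("subscriberIdList: maxItems is 16")
    for i, item in enumerate(items):
        for field in ("name", "radiusAttribute"):
            value = item.get(field)
            if not (isinstance(value, str) and len(value) <= 255 and NAME_RE.fullmatch(value)):
                errors.append(f"[{i}].{field}: required, 1-255 chars of [0-9a-zA-Z._-]")
        order = item.get("order")
        if type(order) is not int or not 1 <= order <= 5:
            errors.append(f"[{i}].order: required integer in 1..5")
        for field in ("prefix", "suffix"):
            value = item.get(field, "")
            if not (isinstance(value, str) and len(value) <= 15 and AFFIX_RE.fullmatch(value)):
                errors.append(f"[{i}].{field}: 0-15 chars of [0-9a-zA-Z._-]")
    # The two CEL rules that apply to subscriberIdList.
    for field in ("order", "radiusAttribute"):
        values = [item.get(field) for item in items]
        if len(set(values)) != len(values):
            errors.append(f"Each '{field}' in subscriberIdList must be unique.")
    return errors

def build_subscriber_id(items, avps):
    """Join prefix + AVP value + suffix for each item, in ascending 'order'."""
    return "".join(
        item.get("prefix", "") + avps[item["radiusAttribute"]] + item.get("suffix", "")
        for item in sorted(items, key=lambda item: item["order"])
    )

# Constructed sample data; the attribute names are assumptions.
GOOD = [
    {"name": "msisdn", "order": 2, "radiusAttribute": "Calling-Station-Id", "prefix": "-"},
    {"name": "user", "order": 1, "radiusAttribute": "User-Name"},
]
BAD = [
    {"name": "user", "order": 1, "radiusAttribute": "User-Name", "suffix": "@example.net"},
    {"name": "user 2", "order": 1, "radiusAttribute": "User-Name"},
]
AVPS = {"User-Name": "alice", "Calling-Station-Id": "15551230000"}
```

Because `order` is limited to 1 through 5 and must be unique, a list that passes validation holds at most five entries even though `maxItems` is 16. The `BAD` sample also shows that an `@` cannot be supplied through `prefix` or `suffix`, since the pattern rejects it.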
CR shortName
CR shortNames provide an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigRadiusProtocolProfile CR shortName is radiusprotoprofile.
View CR instance:
oc get radiusprotoprofile -n <namespace>
View CR configuration:
oc get radiusprotoprofile -n <namespace> -o yaml
Deployment
Use the following steps to deploy the example F5BigRadiusProtocolProfile CR.
Copy the F5BigRadiusProtocolProfile CR shown in the CR Examples section above into a YAML file.
Install the CR:
oc apply -f cnf-radiusprotoprofile.yaml
Feedback
Provide feedback to improve this document by emailing cnfdocs@f5.com.