F5BigRadiusSubscriberAwareProfile¶
Overview¶
The F5BigRadiusSubscriberAwareProfile Custom Resource (CR) enables subscriber discovery and management for BIG-IP Next CNF based on RADIUS Accounting messages. It binds a RADIUS Protocol Profile to a set of trusted NAS sources (optional) and controls whether the system should create, update, and delete subscriber sessions. When referenced by a Secure Context listener (typically UDP/1813), this profile activates the TMM RADIUS processing path so subscriber sessions are built and maintained, allowing CGNAT/FWNAT logs to include a stable Subscriber ID.
This document guides you through understanding, configuring and deploying a simple F5BigRadiusSubscriberAwareProfile CR.
Parameters¶
The following tables describe the F5BigRadiusSubscriberAwareProfile CR parameters.
metadata¶
| Parameter | Description |
|---|---|
| name | The name of the Subscriber-Aware Profile. This value is referenced by Secure Contexts that ingest RADIUS Accounting. |
| namespace | The Kubernetes namespace where the profile is installed. |
spec¶
The table below describes the CR’s spec parameters:
| Parameter | Description |
|---|---|
| subscriberDiscovery | Enables subscriber discovery and session lifecycle management. The default value is true. When the value is set to true, the system creates/updates/deletes subscriber sessions according to the referenced RADIUS Protocol Profile. When set to false, RADIUS packets are ignored for subscriber creation. The radiusProtocolProfile field must be set when subscriberDiscovery is set to true. |
| clientSpec | Specifies whether to check client-specific configuration. When configured, the specified client-specific configuration, such as the address list, will be validated. The allowed values are “not-configured” (default) or “specify”. Use “specify” to enforce an addressList of allowed NAS IPs/subnets. The addressList must be non-empty when clientSpec is “specify”. |
| addressList | Specifies the allowed IPv4 and IPv6 addresses and subnets for subscriber-aware profile processing. Only RADIUS Accounting messages originating from these sources are accepted. For example, “192.0.2.10”, “192.0.2.0/24”, “2001:db8::1”, “2001:db8::/64”. |
| radiusProtocolProfile | Specifies the RADIUS protocol profile to be used for this subscriber-aware profile. This attribute will have soft reference capability. The value should be the RADIUS protocol profile name. It must be set (non-empty) when subscriberDiscovery is true. |
CR Examples¶
```yaml
apiVersion: apiextensions.k8s.io/v1
kind: "CustomResourceDefinition"
metadata:
  name: <<name>>.k8s.f5net.com
  # def_webhook_conversion_annotation
  # alias_disable
spec:
  group: k8s.f5net.com
  versions:
    - name: v1
      served: true
      storage: true
      # en_status_subresource
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            # def_status_object
            spec:
              type: object
              # CEL cross-attribute validation
              x-kubernetes-validations:
                - rule: "self.clientSpec == 'specify' ? size(self.addressList) > 0 : true"
                  message: "addressList must be non-empty when clientSpec is 'specify'"
                - rule: "self.subscriberDiscovery == true ? self.radiusProtocolProfile != '' : true"
                  message: "radiusProtocolProfile must be set when subscriberDiscovery is true"
              properties:
                subscriberDiscovery:
                  description: >
                    Specify that when set to true, subscriber creation will happen based on
                    the radius protocol profile configured. When set to false, subscriber
                    discovery will be skipped.
                  type: boolean
                  default: true
                  enum: [true, false]
                clientSpec:
                  description: >
                    Specify whether to check client-specific configuration or not. When
                    configured, the specified client-specific configuration, such as the
                    address list, will be validated.
                  type: string
                  default: "not-configured"
                  enum: ["not-configured", "specify"]
                addressList:
                  description: >
                    Specify the allowed IPv4 and IPv6 addresses and subnets for
                    subscriber-aware profile processing.
                  type: array
                  default: []
                  items:
                    description: >
                      Specify the IPv4 or IPv6 address and subnet that are allowed.
                    type: string
                    minLength: 0
                    maxLength: 255
                    default: ''
                    pattern: "^[0-9a-zA-Z._-]*$"
                radiusProtocolProfile:
                  description: >
                    Specifies the RADIUS protocol profile to be used for this subscriber-aware
                    profile. The value should be the radius protocol profile name. This
                    attribute will have soft reference capability.
                  type: string
                  default: ""
                  maxLength: 255
                  pattern: "(^$)|(^\\d*[a-zA-Z._-]{1,}\\d*)$"
```
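An added example, not part of the F5 documentation or product code: a pre-apply lint for a profile spec that mirrors the two CEL rules above and parses each addressList entry as an IP address or subnet. The item pattern as printed admits neither "/" nor ":", so the lint also reports CIDR and IPv6 entries that pattern would reject; the function name, finding strings and sample profile name are assumptions.

```python
import ipaddress
import re

# Item pattern copied from the addressList schema in the CRD on this page.
ITEM_PATTERN = re.compile(r"^[0-9a-zA-Z._-]*$")


def lint_profile(spec):
    """Return findings for one F5BigRadiusSubscriberAwareProfile spec (a dict)."""
    findings = []
    # Defaults as documented in the spec table.
    discovery = spec.get("subscriberDiscovery", True)
    client_spec = spec.get("clientSpec", "not-configured")
    addresses = spec.get("addressList", [])
    profile = spec.get("radiusProtocolProfile", "")

    # The two CEL cross-attribute rules from x-kubernetes-validations.
    if client_spec == "specify" and not addresses:
        findings.append("addressList must be non-empty when clientSpec is 'specify'")
    if discovery and profile == "":
        findings.append("radiusProtocolProfile must be set when subscriberDiscovery is true")

    # Extra check (not in the CRD): discovery enabled with no NAS allow-list.
    if discovery and client_spec == "not-configured":
        findings.append("clientSpec is 'not-configured': no addressList is enforced")

    for entry in addresses:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry!r}: not an IPv4/IPv6 address or subnet")
            continue
        if net.prefixlen == 0:
            findings.append(f"{entry!r}: allows every source address")
        if not ITEM_PATTERN.fullmatch(entry):
            findings.append(f"{entry!r}: rejected by the CRD item pattern as printed")
    return findings


if __name__ == "__main__":
    # Constructed sample spec; the profile name is a placeholder.
    sample = {
        "clientSpec": "specify",
        "addressList": ["192.0.2.10", "192.0.2.0/24", "2001:db8::/64", "0.0.0.0/0"],
        "radiusProtocolProfile": "example-radius-profile",
    }
    for finding in lint_profile(sample):
        print(finding)
```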
CR shortName¶
CR shortNames provide an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigRadiusSubscriberAwareProfile CR shortName is radiussubaware.
View CR instance:
oc get radiussubaware -n <namespace>
View CR configuration:
oc get radiussubaware -n <namespace> -o yaml
Deployment¶
Use the following steps to deploy the example F5BigRadiusSubscriberAwareProfile CR.
Copy the F5BigRadiusSubscriberAwareProfile CRs into a YAML file:
```yaml
apiVersion: apiextensions.k8s.io/v1
kind: "CustomResourceDefinition"
metadata:
  name: <<name>>.k8s.f5net.com
  # def_webhook_conversion_annotation
  # alias_disable
spec:
  group: k8s.f5net.com
  versions:
    - name: v1
      served: true
      storage: true
      # en_status_subresource
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            # def_status_object
            spec:
              type: object
              # CEL cross-attribute validation
              x-kubernetes-validations:
                - rule: "self.clientSpec == 'specify' ? size(self.addressList) > 0 : true"
                  message: "addressList must be non-empty when clientSpec is 'specify'"
                - rule: "self.subscriberDiscovery == true ? self.radiusProtocolProfile != '' : true"
                  message: "radiusProtocolProfile must be set when subscriberDiscovery is true"
              properties:
                subscriberDiscovery:
                  description: >
                    Specify that when set to true, subscriber creation will happen based on
                    the radius protocol profile configured. When set to false, subscriber
                    discovery will be skipped.
                  type: boolean
                  default: true
                  enum: [true, false]
                clientSpec:
                  description: >
                    Specify whether to check client-specific configuration or not. When
                    configured, the specified client-specific configuration, such as the
                    address list, will be validated.
                  type: string
                  default: "not-configured"
                  enum: ["not-configured", "specify"]
                addressList:
                  description: >
                    Specify the allowed IPv4 and IPv6 addresses and subnets for
                    subscriber-aware profile processing.
                  type: array
                  default: []
                  items:
                    description: >
                      Specify the IPv4 or IPv6 address and subnet that are allowed.
                    type: string
                    minLength: 0
                    maxLength: 255
                    default: ''
                    pattern: "^[0-9a-zA-Z._-]*$"
                radiusProtocolProfile:
                  description: >
                    Specifies the RADIUS protocol profile to be used for this subscriber-aware
                    profile. The value should be the radius protocol profile name. This
                    attribute will have soft reference capability.
                  type: string
                  default: ""
                  maxLength: 255
                  pattern: "(^$)|(^\\d*[a-zA-Z._-]{1,}\\d*)$"
```
Install the CR:
oc apply -f cnf-radiussubaware.yaml