Radius Listener

Parameters which can be used to configure Radius Listener:

Parameter	Type	Default	Description
`ack`	`boolean`	`true`	If false, RADIUS messages will not be acknowledged
`affinity`	`k8s:`Affinity		pod affinity (Kubernetes docs: Affinity and anti-affinity). If unset, a default anti-affinity is applied using `antiAffinityPreset` to spread pods across nodes
`agentLogLevel`	`string`	`"info"`	Verbosity of logging for the agent container. Available options: `"debug"` `"info"` `"warn"` `"error"`
`agentLogFormat`	`string`	`"text"`	Format of logging for the agent container. Available options: `"text"` `"json"`
`agentResources`	`k8s:`Resources	`limits: cpu: 250m memory: 256Mi`	Resources allocated to the agent container if `resourceDefaults` (global) is `true`
`antiAffinityPreset`	`string`	`"preferred"`	pod anti affinity preset. Available options: `"preferred"` `"required"`
`checkMessageTimestamps`	`boolean`	`false`	If true, check to ensure the time difference measured against a timestamp tracked in Redis does not exceed the maximum allowed skew (`checkMessageTimestampsAllowSkew`)
`checkMessageTimestampsAllowSkew`	`integer`	`1`	Number of seconds of skew allowed when `checkMessageTimestamps` is enabled
`containerSecurityContext`	`k8s:`SecurityContext	`allowPrivilegeEscalation: false readOnlyRootFilesystem: true seccompProfile: type: RuntimeDefault capabilities: drop: - "ALL"`	SecurityContext applied to each container
`enabled`	`boolean`	`false`	If true, enable deployment of Radius Listener & accompanying IP Mapper
`hostNetwork`	`boolean`	`false`	Use host networking for pods
`lua`	Lua		Lua script to parse and process each inbound RADIUS message. Note: This must be configured for Radius Listener to function properly
`nodeSelector`	`k8s:`NodeSelector	`{}`	Kubernetes pod nodeSelector
`podAnnotations`	`k8s:`Annotations	`{}`	Annotations to be added to each pod
`podDisruptionBudget`	`k8s:`PodDisruptionBudgetSpec	`{}`	Spec of PodDisruptionBudget to be applied to deployment
`podLabels`	`k8s:`Labels	`{}`	Labels to be added to each pod
`podSecurityContext`	`k8s:`PodSecurityContext	`fsGroup: 953 runAsUser: 953 runAsGroup: 953 runAsNonRoot: true`	SecurityContext applied to each pod
`radiusListenerSecretName`	`string`		Name of a Secret from which to grab the authentication secret. If not supplied a random password is generated and stored in a Secret
`radiusListenerSecretPasswordKey`	`string`	`"password"`	Name of the item in the `radiusListenerSecretName` Secret from which to grab the password
`redis`	Redis Configuration		If deployed in the Userplane: Configuration of the Redis read-write cluster used to store data parsed from RADIUS messages
`readyInterval`	`integer`	`5`	How often readiness of Radius Listener should be calculated in seconds
`remotes`	Map of Remote	`{}`	Map of remote RADIUS servers to apply authentication to RADIUS servers individually
`replicas`	`integer`	`1`	Default number of replicas in a Deployment
`resources`	`k8s:`Resources	`limits: cpu: 500m memory: 512Mi`	Resources allocated to the Radius Listener container if `resourceDefaults` (global) is `true`
`secretName`	`string`	`yes`
`secretKey`	`string`		`"secret"`
`service`	Service	`type: ClusterIP`	Radius Listener UDP Service configuration
`serviceLabels`	`k8s:`Labels	`{}`	Labels to be added to each service
`sessionExpireInterval`	`go:`DurationString	`24h`	Duration after which a RADIUS session expires. If set to 0, sessions never expire.
`tolerations`	List of `k8s:`Tolerations	`[]`	Kubernetes pod Tolerations
`topologySpreadConstraints`	List of `k8s:`TopologySpreadConstraint	`[]`	Kubernetes pod topology spread constraints

Lua

Radius Listener requires a lua script to be provided which will apply logic to the inbound RADIUS message to convert it to the data which you need for filtering policies. As these are dependent on the RADIUS implementation which is used and differ in each user's environment, we cannot supply a useful default.

An example of a very simple script:

<parent>:
  radiusListener:
    enabled: true
      lua:
        script: |
          local AcctSessionID = 44

          function handle()
              setSession(getString(AcctSessionID))
              setUsername(getClassWithPrefix('CCUSERNAME!'))
              setOpaqueID('-')
          end

Configuration options for Radius Listener lua script:

Parameter	Type	Default	Description
`options`	`dictionary`	`{}`	Set of `key:value` pairs to be exposed as options to the lua script at runtime. Example: `options: opt1: "some value" opt2: 39`
`script`	`string`	`"secret"`	Lua script, provided inline in the values overrides
`scriptConfigMap`	`integer`		Name of a ConfigMap holding the lua script
`scriptName`	`string`	`"radius.lua"`	Name of the data item within `scriptConfigMap` from which to attempt to grab the script

Remotes

You can configure Radius Listener to apply fine-grained access control to remotes, by specifying entries in the remotes map. Each inbound RADIUS message originating from a source matched to an entry in remotes has the authentication tested against the secret configured for that remote. For example:

<parent>:
  radiusListener:
    enabled: true

    remotes:
      remote1:
        address: 12.34.56.78
        port: 12345
        secretName: remote1-secret
      remote2:
        address: "fc00:cc:28:11:c975:4f54:c5e1:5479"
        secretName: remote2-secret
        secretKey: custom_item

Configuration options for remotes:

Parameter	Type	Required	Default	Description
`address`	`string`	`yes`		Source address of the incoming RADIUS messages to match against
`port`	`integer`			Source port of the incoming RADIUS messages to match against. If empty, any source port is matched
`secretName`	`string`	`yes`		Name of a Secret from which to grab the authentication secret
`secretKey`	`string`		`"secret"`	Name of the item in the `secretName` Secret from which to grab the secret

Service Configuration

Parameters to configure the service object for this deployment. For example:

<parent>:
  radiusListener:
    enabled: true

    service:
      type: LoadBalancer
      annotations:
        metallb.universe.tf/address-pool: name_of_pool

Parameter	Type	Default	Description
`allocateLoadBalancerNodePorts`	`boolean`	`true`	If true, services with type `LoadBalancer` automatically assign NodePorts. Can be set to `false` if the LoadBalancer provider does not rely on NodePorts
`annotations`	`k8s:`Annotations	`{}`	Annotations for the service
`clusterIP`	`string`		Static cluster IP, must be in the cluster's range of cluster IPs and not in use. Randomly assigned when not specified.
`clusterIPs`	List of `string`		List of static cluster IPs, must be in the cluster's range of cluster IPs and not in use.
`externalIPs`	List of `string`		List of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes and must be user-defined on the cluster's nodes
`externalTrafficPolicy`	`string`	`Cluster`	Can be set to `Local` to let nodes distribute traffic received on one of the externally-facing addresses (`NodePort` and `LoadBalancer`) solely to endpoints on the node itself
`healthCheckNodePort`	`integer`		For services with type `LoadBalancer` and externalTrafficPolicy `Local` you can configure this value to choose a static port for the NodePort which external systems (LoadBalancer provider mainly) can use to determine which node holds endpoints for this service
`internalTrafficPolicy`	`string`	`Cluster`	Can be set to `Local` to let nodes distribute traffic received on the `ClusterIP` solely to endpoints on the node itself
`ipv4`	`boolean`	`false`	If true, force the Service to include support for IPv4, ignoring globally configured IP Family settings and/or cluster defaults. If `ipv4` is set to `true` and `ipv6` remains `false`, the result will be an `ipv4`-only SingleStack Service. If both are `false`, global settings and/or cluster defaults are used. If both are `true`, a PreferDualStack Service is created
`ipv6`	`boolean`	`false`	If true, force the Service to include support for IPv6, ignoring globally configured IP Family settings and/or cluster defaults. If `ipv6` is set to `true` and `ipv4` remains `false`, the result will be an `ipv6`-only SingleStack Service. If both are `false`, global settings and/or cluster defaults are used. If both are `true`, a PreferDualStack Service is created
`labels`	`k8s:`Labels	`{}`	Labels to be added to the service
`loadBalancerIP`	`string`		Deprecated Kubernetes feature, available for backwards compatibility: IP address to attempt to claim for use by this LoadBalancer. Replaced by `annotations` specific to each LoadBalancer provider
`loadBalancerSourceRanges`	List of `string`		If supported by the LoadBalancer provider, restrict traffic to this LoadBalancer to these ranges
`loadBalancerClass`	`string`		Used to select a non-default type of LoadBalancer class to ensure the appropriate LoadBalancer provisioner attempt to manage this LoadBalancer service
`publishNotReadyAddresses`	`boolean`	`false`	Service is populated with endpoints regardless of readiness state
`sessionAffinity`	`string`	`None`	Can be set to `ClientIP` to attempt to maintain session affinity.
`sessionAffinityConfig`	`k8s:`SessionAffinityConfig	`{}`	Configuration of session affinity
`type`	`string`	`ClusterIP`	Type of service. Available options: `"ClusterIP"` `"LoadBalancer"` `"NodePort"`