JunosE™ Software
for E Series™ Broadband Services Routers
Broadband Access
Configuration Guide
Release
13.3.x
Published: 2012-09-20
Copyright © 2012, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
JunosE™ Software for E Series™ Broadband Services Routers Broadband Access Configuration Guide
Release 13.3.x
Copyright © 2012, Juniper Networks, Inc.
All rights reserved.
Revision History
October 2012—FRS JunosE 13.3.x
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions
of that EULA.
Abbreviated Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Part 1
Managing Remote Access
Chapter 1
Remote Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2
Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Chapter 3
Monitoring and Troubleshooting Remote Access . . . . . . . . . . . . . . . . . . . . . 103
Part 2
Managing RADIUS and TACACS+
Chapter 4
Configuring RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Chapter 5
Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 217
Chapter 6
Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Chapter 7
RADIUS Attribute Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Chapter 8
Application Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Chapter 9
Monitoring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Chapter 10
Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Chapter 11
Monitoring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Part 3
Managing L2TP
Chapter 12
L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Chapter 13
Configuring an L2TP LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Chapter 14
Configuring an L2TP LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Chapter 15
Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Chapter 16
L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Chapter 17
Monitoring L2TP and L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Part 4
Managing DHCP
Chapter 18
DHCP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Chapter 19
DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Chapter 20
Configuring DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Chapter 21
Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Chapter 22
Configuring the DHCP External Server Application . . . . . . . . . . . . . . . . . . . 523
Chapter 23
Monitoring and Troubleshooting DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Part 5
Managing the Subscriber Environment
Chapter 24
Configuring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Chapter 25
Monitoring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Chapter 26
Configuring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Chapter 27
Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Part 6
Managing Subscriber Services
Chapter 28
Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Chapter 29
Monitoring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Part 7
Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
E Series and JunosE Documentation and Release Notes . . . . . . . . . . . . . . . . . . xxxiii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
E Series and JunosE Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Obtaining Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxv
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvi
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxvi
Part 1
Managing Remote Access
Chapter 1
Remote Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Remote Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
B-RAS Data Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Configuring IP Addresses for Remote Clients . . . . . . . . . . . . . . . . . . . . . . . . . . 5
AAA Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Remote Access Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
B-RAS Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Remote Access References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Overview of Mapping a User Domain to a Virtual Router . . . . . . . . . . . . . . . . . . . . . 6
Mapping User Requests Without a Valid Domain Name . . . . . . . . . . . . . . . . . . 7
Mapping User Requests Without a Configured Domain Name . . . . . . . . . . . . . 7
Using DNIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Redirected Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
IP Hinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Domain Name and Realm Name Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Using the Realm Name as the Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Using Delimiters Other Than @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Using Either the Domain or the Realm as the Domain Name . . . . . . . . . . . . . 10
Specifying the Domain Name or Realm Name Parse Direction . . . . . . . . . . . . 10
Stripping the Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Stripping the Domain Name Per Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . 11
Subscriber User Name for RID, CoA Requests, and Lawful Intercepts When Strip Domain Is Enabled . . . . . . . . . . . . . . . . . . . . . . . . 11
Using the Strip Domain Functionality Per Virtual Router When Strip Domain Is Enabled for an AAA Domain Map . . . . . . . . . . . . . . . . . . . . 11
Redirected Authentication When Strip Domain Is Enabled . . . . . . . . . . . 12
Example: Domain Name and Realm Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Example: Stripping Domain Name Per Virtual Router for RADIUS Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Single Name Specification for Users from a Domain Overview . . . . . . . . . . . . . . . 15
RADIUS Authentication and Accounting Servers Configuration Overview . . . . . . . 16
Server Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Server Request Processing Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Authentication and Accounting Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Supporting Exchange of Extensible Authentication Protocol Messages . . . . . 18
Immediate Accounting Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Duplicate and Broadcast Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
UDP Checksums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
SNMP Traps and System Log Messages Overview . . . . . . . . . . . . . . . . . . . . . . . . . 20
SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
System Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Local Authentication Servers Configuration Overview . . . . . . . . . . . . . . . . . . . . . . 21
Tunnel Subscriber Authentication Configuration Overview . . . . . . . . . . . . . . . . . . 22
Name Server Addresses Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Local Address Servers Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Local Address Pool Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Local Address Pool Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Shared Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
SNMP Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
DHCP Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Domain Name Aliases Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
AAA Profile Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
RADIUS Route-Download Server for Route Distribution Overview . . . . . . . . . . . . 27
Format of Downloaded Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Framed-Route (RADIUS attribute 22) . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Framed-IPv6-Route (RADIUS attribute 99) . . . . . . . . . . . . . . . . . . . . . . 28
Cisco AV-Pair (Cisco VSA 26-1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
How the Route-Download Server Downloads Routes . . . . . . . . . . . . . . . . . . 29
AAA Logical Line Identifier for Subscriber Tracking Overview . . . . . . . . . . . . . . . . 29
How the Router Obtains and Uses the LLID . . . . . . . . . . . . . . . . . . . . . . . . . . 29
RADIUS Attributes in Preauthentication Request . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Considerations for Using the LLID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
VSAs for Dynamic IP Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Traffic Shaping for PPP over ATM Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Overview of Mapping Application Terminate Reasons and RADIUS Terminate Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Timeout Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Limiting Active Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
AAA Failure Notification for RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Configuring AAA Session Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Standard RADIUS IPv6 Attributes for IPv6 Neighbor Discovery Router Advertisements and DHCPv6 Prefix Delegation Configuration . . . . . . . . . . . . 37
Maximum Number of IPv6 Prefixes Assigned to Clients Using Only the DHCPv6 Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Maximum Number of IPv6 Prefixes Assigned to Clients Using Both DHCPv6 Local Server and Neighbor Discovery Router Advertisements . . . . . . . . . . . . 38
Delegation of a Unique IPv6 Prefix per Subscriber Example . . . . . . . . . . . . . 39
Delegation of the Same IPv6 Prefix for Multiple Subscribers Example . . . . . 39
Duplicate IPv6 Prefix Check Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Duplicate IPv6 Prefix Detection in the AAA User Profile Database Overview . . . . 40
Guidelines for Duplicate Address Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Propagation of LAG Subscriber Information to AAA and RADIUS . . . . . . . . . . . . . 43
SRC Client Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
SRC Client and COPS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Retrieval of DSL Line Rate Information from Access Nodes Overview . . . . . . . . . 48
DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview . . . . . . . . 50
Example: Delegating the DHCPv6 Prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Order of Preference in Determining the Local Address Pool for Allocating Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Order of Preference in Allocating Prefixes and Assigning DNS Addresses to Requesting Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
IPv6 Prefix Allocation Using Neighbor Discovery Router Advertisements from IPv6 Address Pools Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Allocation of Neighbor Discovery Prefixes for IPv6 Subscribers over PPP Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Order of Preference in Determining the Local Address Pool for Allocating Prefixes for Neighbor Discovery Router Advertisements . . . . . . . . . . . . . 54
Order of Preference in Assigning Prefixes when Neighbor Discovery Router Advertisements are Configured on an Interface . . . . . . . . . . . . . . . . . . . . 54
Guidelines for Allocating Neighbor Discovery Prefixes Using IPv6 Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Understanding IPCP and IPv6CP Negotiations for IPv4 and IPv6 Clients Based on RADIUS-Returned Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Chapter 2
Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Remote Access Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuring a B-RAS License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring AAA Duplicate Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring AAA Broadcast Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Overriding AAA Accounting NAS Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Collecting Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Configuring RADIUS AAA Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Configuring SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Creating the AAA Local Authentication Environment . . . . . . . . . . . . . . . . . . . . . . 68
Creating AAA Local User Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Adding AAA User Entries to Local User Databases . . . . . . . . . . . . . . . . . . . . . . . . . 70
Adding AAA User Entries to Default Local User Databases . . . . . . . . . . . . . . . . . . 70
Configuring AAA User Entries in Local User Databases . . . . . . . . . . . . . . . . . . . . . . 71
Assigning a Local User Database to a Virtual Router . . . . . . . . . . . . . . . . . . . . . . . 72
Enabling Local Authentication on the Virtual Router . . . . . . . . . . . . . . . . . . . . . . . 73
Example: Configuring AAA Local Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Configuring DNS Primary and Secondary NMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Configuring WINS Primary and Secondary NMS . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Configuring a Local Address Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Creating an IP Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring Single PPP Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . 79
Configuring Multiple PPP Clients per ATM Subinterface . . . . . . . . . . . . . . . . 80
Controlling Access to Domain Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Example: Associating all Subscribers of a PPP Interface with a Specific Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Example: Associating Multiple Domain Names with a Specific Domain Name . . 83
Configuring an AAA Per-Profile Attribute List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Configuring the NAS-Port-Type Attribute Manually . . . . . . . . . . . . . . . . . . . . . . . . 85
Configuring a Service Description for the AAA Profile . . . . . . . . . . . . . . . . . . . . . . 86
Configuring the Route-Download Server to Download Routes . . . . . . . . . . . . . . . 86
Configuring the Router to Obtain the LLID for a Subscriber . . . . . . . . . . . . . . . . . . 88
Troubleshooting Subscriber Preauthentication . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring Custom Mappings for PPP Terminate Reasons . . . . . . . . . . . . . . . . . 90
Configuring Duplicate IPv6 Prefix Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring Detection of Duplicate IPv6 Prefixes in the AAA User Profile Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring the SRC Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Configuring the Forwarding of COPS Requests to the SRC Server Based on DCM Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configuring the DHCPv6 Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Example: Limiting the Number of Prefixes Used by DHCPv6 Clients . . . . . . . . . . 97
Example: Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Configuring IPv6 Neighbor Discovery Local Address Pools . . . . . . . . . . . . . . . . . . 99
Overriding AAA to Perform IPCP and IPv6CP Negotiations Based on RADIUS-Returned Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Chapter 3
Monitoring and Troubleshooting Remote Access . . . . . . . . . . . . . . . . . . . . . 103
Setting Baselines for Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Setting a Baseline for AAA Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Setting a Baseline for AAA Route Downloads . . . . . . . . . . . . . . . . . . . . . . . . 105
Setting a Baseline for COPS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Setting a Baseline for Local Address Pool Statistics . . . . . . . . . . . . . . . . . . . 106
Setting a Baseline for RADIUS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Setting the Baseline for SRC Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
How to Monitor PPP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Monitoring the AAA Accounting Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Monitoring AAA Accounting Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Monitoring the AAA Accounting Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Monitoring AAA Specific Virtual Router Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Monitoring the Default AAA Authentication Method List . . . . . . . . . . . . . . . . . . . 109
Monitoring AAA Domain Name Stripping for a Domain Per Virtual Router . . . . . 109
Monitoring Mapping Between User Domains and Virtual Routers . . . . . . . . . . . . 110
Monitoring Tunnel Subscriber Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Monitoring Routing Table Address Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Monitoring the AAA Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Monitoring IP Addresses of Primary and Secondary DNS and WINS Name Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Monitoring AAA Profile Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Monitoring Statistics about the RADIUS Route-Download Server . . . . . . . . . . . . 115
Monitoring Routes Downloaded by the RADIUS Route-Download Server . . . . . . 117
Monitoring Chassis-Wide Routes Downloaded by the RADIUS Route-Download Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Monitoring AAA Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Monitoring the Number of Active Subscribers Per Port . . . . . . . . . . . . . . . . . . . . . 123
Monitoring the Maximum Number of Active Subscribers Per Virtual Router . . . . 123
Monitoring Session Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Monitoring Interim Accounting for Users on the Virtual Router . . . . . . . . . . . . . . . 124
Monitoring Virtual Router Groups Configured for AAA Broadcast Accounting . . . 124
Monitoring Configuration Information for AAA Local Authentication . . . . . . . . . . 125
Monitoring AAA Server Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Monitoring the COPS Layer Over SRC Connection . . . . . . . . . . . . . . . . . . . . . . . . 128
Monitoring Statistics About the COPS Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Monitoring Local Address Pool Aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Monitoring Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Monitoring Local Address Pool Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Monitoring Shared Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Monitoring the Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Monitoring the B-RAS License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Monitoring the RADIUS Server Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Monitoring RADIUS Override Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Monitoring the RADIUS Rollover Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Monitoring RADIUS Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Monitoring RADIUS Services Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Monitoring RADIUS SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Monitoring RADIUS Accounting for L2TP Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . 143
Monitoring RADIUS UDP Checksums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Monitoring RADIUS Server IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router Advertisements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Monitoring the RADIUS Attribute Used for DHCPv6 Prefix Delegation . . . . . . . . 144
Monitoring Duplicate IPv6 Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Monitoring Duplicate IPv6 Prefixes in the AAA User Profile Database . . . . . . . . . 145
Monitoring SRC Client Connection Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Monitoring SRC Client Connection Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Monitoring the SRC Client Version Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Monitoring the SRC Option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Monitoring Subscriber Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Monitoring Application Terminate Reason Mappings . . . . . . . . . . . . . . . . . . . . . . 157
Monitoring IPv6 Local Pools for DHCP Prefix Delegation By All Configured Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Monitoring IPv6 Local Pools for DHCP Prefix Delegation By Pool Name . . . . . . . 159
Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation . . . . . . . . . . . . 160
Monitoring IPv6 Local Pools for Neighbor Discovery Router Advertisements for all Configured Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Monitoring IPv6 Local Pools for Neighbor Discovery Router Advertisements by Pool Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Monitoring IPv6 Local Pool Statistics for Neighbor Discovery Router Advertisements Allocation of Prefixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Monitoring the Status of the Override Feature to Initiate IPCP and IPv6CP Negotiations Based on RADIUS-Returned Attributes . . . . . . . . . . . . . . . . . . 164
Part 2
Managing RADIUS and TACACS+
Chapter 4
Configuring RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
RADIUS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
RADIUS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
RADIUS Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
RADIUS References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Subscriber AAA Access Messages Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
RADIUS IETF Attributes Supported for Subscriber AAA Access Messages . . . . . 173
Juniper Networks VSAs Supported for Subscriber AAA Access Messages . . . . . . 176
Processing DNS Addresses from Microsoft RADIUS VSAs for PPP Clients During IPCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Subscriber AAA Accounting Messages Overview . . . . . . . . . . . . . . . . . . . . . . . . . 182
RADIUS IETF Attributes Supported for Subscriber AAA Accounting Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Juniper Networks VSAs Supported for Subscriber AAA Accounting Messages . . 186
RADIUS IETF Attributes Supported for AAA Tunnel Accounting Messages . . . . . 190
AAA Access Messages During IPCP Negotiations for Dual-Stack Subscribers . . . 191
Access-Request Messages When an IPv4 Address is Renegotiated . . . . . . . 192
Access-Accept Messages When an IPv4 Address is Assigned . . . . . . . . . . . 192
AAA Accounting Messages During IPCP Negotiations for Dual-Stack Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Interim-Acct Messages When an IPv4 Address is Assigned . . . . . . . . . . . . . 193
Interim-Acct Messages When an IPv4 Address is Not Assigned . . . . . . . . . . 194
Interim-Acct Messages During a Successful IPCP Renegotiation for IPv4 Addresses . . . . . . . . . . . . 194
Interim-Acct Messages During a Failed IPCP Renegotiation for IPv4 Addresses . . . . . . . . . . . . 194
Interim-Acct Messages When an IPv4 Address is Released . . . . . . . . . . . . . 195
DSL Forum VSAs in AAA Access and Accounting Messages Overview . . . . . . . . 196
DSL Forum VSAs Supported for AAA Access and Accounting Messages . . . . . . 196
RADIUS Attributes Supported for CLI AAA Messages . . . . . . . . . . . . . . . . . . . . . 198
CLI Commands Used to Modify RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . 199
CLI Commands Used to Configure RADIUS IETF Attributes . . . . . . . . . . . . . . . . . 199
CLI Commands Used to Configure Juniper Networks VSAs . . . . . . . . . . . . . . . . . 203
CLI Commands Used to Include ANCP-Related Juniper Networks VSAs in Access and Accounting Messages . . . . . . . . . . . . 205
CLI Commands Used to Include DSL Forum VSAs in Access and Accounting Messages . . . . . . . . . . . . 207
CLI Commands Used to Include or Exclude Attributes in RADIUS Messages . . . 208
CLI Commands Used to Ignore Attributes when Receiving Access-Accept Messages . . . . . . . . . . . . 213
RADIUS Per-Profile Attribute List Configuration Overview . . . . . . . . . . . . . . . . . . 213
Example: Configuring RADIUS-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . 214
x
Copyright © 2012, Juniper Networks, Inc.
Table of Contents
Chapter 5
Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 217
RADIUS Dynamic-Request Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
RADIUS Dynamic-Request Server Platform Considerations . . . . . . . . . . . . . . . . 218
RADIUS Dynamic-Request Server References . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Understanding RADIUS-Initiated Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Disconnect Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Message Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Supported Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . 220
Qualifications for Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Configuring RADIUS-Initiated Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Understanding RADIUS-Initiated Change of Authorization . . . . . . . . . . . . . . . . . 222
Change-of-Authorization Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Message Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Supported Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . . 222
Qualifications for Change of Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Security/Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Configuring RADIUS-Initiated Change of Authorization . . . . . . . . . . . . . . . . . . . . 224
Chapter 6
Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Understanding the RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
How RADIUS Relay Server Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Authentication and Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Terminating the Wireless Subscriber’s Connection . . . . . . . . . . . . . . . . 227
RADIUS Relay Server Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
RADIUS Relay Server References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
RADIUS Relay Server and the SRC Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Using the SRC Software for Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Using the SRC Software for Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Configuring RADIUS Relay Server Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Chapter 7
RADIUS Attribute Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Juniper Networks VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
DSL Forum VSAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Pass Through RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
RADIUS Attributes References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Chapter 8
Application Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
AAA Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
L2TP Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
PPP Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
RADIUS Client Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Chapter 9
Monitoring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Monitoring Override Settings of RADIUS IETF Attributes . . . . . . . . . . . . . . . . . . . 281
Monitoring the NAS-Port-Format RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . 282
Monitoring the Calling-Station-Id RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . 283
Monitoring the NAS-Identifier RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . 283
Monitoring the Format of the Remote-Circuit-ID for RADIUS . . . . . . . . . . . . . . . 283
Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS . . . . . 284
Monitoring the Acct-Session-Id RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . 284
Monitoring the DSL-Port-Type RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . 284
Monitoring the Connect-Info RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Monitoring the NAS-Port-ID RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Monitoring Included RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Monitoring Ignored RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Setting the Baseline for RADIUS Dynamic-Request Server Statistics . . . . . . . . . 288
Monitoring RADIUS Dynamic-Request Server Statistics . . . . . . . . . . . . . . . . . . . 288
Monitoring the Configuration of the RADIUS Dynamic-Request Server . . . . . . . 290
Setting a Baseline for RADIUS Relay Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Monitoring RADIUS Relay Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Monitoring the Configuration of the RADIUS Relay Server . . . . . . . . . . . . . . . . . . 292
Monitoring the Status of RADIUS Relay UDP Checksums . . . . . . . . . . . . . . . . . . 293
Monitoring the Status of ICR Partition Accounting . . . . . . . . . . . . . . . . . . . . . . . . 293
Chapter 10
Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Understanding TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
AAA Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Administrative Login Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Privilege Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Login Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
TACACS+ Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
TACACS+ References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Retry Attempts for Successful TCP Connection Overview . . . . . . . . . . . . . . . . . 300
Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Configuring TACACS+ Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Configuring Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Configuring Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Chapter 11
Monitoring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Setting Baseline TACACS+ Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Monitoring TACACS+ Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Monitoring TACACS+ Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Part 3
Managing L2TP
Chapter 12
L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
L2TP Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Implementing L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Sequence of Events on the LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Sequence of Events on the LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Packet Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
L2TP Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
L2TP Module Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
ERX7xx Models, ERX14xx Models, and the ERX310 Router . . . . . . . . . . . . . . 316
E120 Router and E320 Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Sessions and Tunnels Supported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
L2TP References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Chapter 13
Configuring an L2TP LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
LAC Configuration Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Modifying L2TP LAC Default Settings for Managing Destinations, Tunnels, and Sessions . . . . . . . . . . . . 320
Generating UDP Checksums in Packets to L2TP Peers . . . . . . . . . . . . . . . . . . . . . 321
Specifying a Destruct Timeout for L2TP Tunnels and Sessions . . . . . . . . . . . . . . 322
Preventing Creation of New Destinations, Tunnels, and Sessions . . . . . . . . . . . . 322
Preventing Creation of New Destinations, Tunnels, and Sessions on the Router . . . . . . . . . . . . 323
Preventing Creation of New Tunnels and Sessions at a Destination . . . . . . 323
Preventing Creation of New Sessions for a Tunnel . . . . . . . . . . . . . . . . . . . . 323
Specifying a Drain Timeout for a Disconnected Tunnel . . . . . . . . . . . . . . . . . 323
Shutting Down Destinations, Tunnels, and Sessions . . . . . . . . . . . . . . . . . . . . . . 324
Closing Existing and Preventing New Destinations, Tunnels, and Sessions on the Router . . . . . . . . . . . . 324
Closing Existing and Preventing New Tunnels and Sessions for a Destination . . . . . . . . . . . . 324
Closing Existing and Preventing New Sessions in a Specific Tunnel . . . . . . . 324
Closing a Specific Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Specifying the Number of Retransmission Attempts . . . . . . . . . . . . . . . . . . . . . . 325
Configuring Calling Number AVP Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Calling Number AVP 22 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configuring the Fallback Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Disabling the Calling Number AVP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Mapping a User Domain Name to an L2TP Tunnel Overview . . . . . . . . . . . . . . . 334
Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel Mode . . . . . . . . . . . . 335
Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel Mode . . . . . . . . . . . . 339
Transmission of the Subscriber Access Interface Speed to LNS Using the RX Connect-Speed AVP . . . . . . . . . . . . 341
Configuring the RX Speed on the LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Managing the L2TP Destination Lockout Process . . . . . . . . . . . . . . . . . . . . . . . . 344
Modifying the Lockout Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Verifying That a Locked-Out Destination Is Available . . . . . . . . . . . . . . . . . . 346
Configuring a Lockout Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Unlocking a Destination that is Currently Locked Out . . . . . . . . . . . . . . . . . . 346
Starting an Immediate Lockout Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Managing Address Changes Received from Remote Endpoints . . . . . . . . . . . . . 347
Configuring LAC Tunnel Selection Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Configuring the Failover Between Preference Levels Method . . . . . . . . . . . . 349
Configuring the Failover Within a Preference Level Method . . . . . . . . . . . . . 349
Configuring the Maximum Sessions per Tunnel . . . . . . . . . . . . . . . . . . . . . . 350
Configuring the Weighted Load Balancing Method . . . . . . . . . . . . . . . . . . . 350
Chapter 14
Configuring an L2TP LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
LNS Configuration Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Configuring an LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Creating an L2TP Destination Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Creating an L2TP Host Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Configuring the Maximum Number of LNS Sessions . . . . . . . . . . . . . . . . . . . . . . 358
Configuring Groups for LNS Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Configuring the RADIUS Connect-Info Attribute on the LNS . . . . . . . . . . . . . . . . 360
Overriding LNS Out-of-Resource Result Codes 4 and 5 . . . . . . . . . . . . . . . . . . . 360
Overriding the Result Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Displaying the Current Override Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Selecting Service Modules for LNS Sessions Using MLPPP . . . . . . . . . . . . . . . . . 362
Assigning Bundled Group Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Overriding All Endpoint Discriminators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Enabling Tunnel Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Creating Persistent Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Testing Tunnel Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Managing L2TP Destinations, Tunnels, and Sessions . . . . . . . . . . . . . . . . . . . . . 364
Configuring Disconnect Cause Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Generating the Disconnect Cause AVP Globally . . . . . . . . . . . . . . . . . . . . . . 365
Generating the Disconnect Cause AVP with a Host Profile . . . . . . . . . . . . . 366
Enabling RADIUS Accounting for Disconnect Cause . . . . . . . . . . . . . . . . . . 366
Displaying Disconnect Cause Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Configuring the Receive Window Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Configuring the Default Receive Window Size . . . . . . . . . . . . . . . . . . . . . . . . 367
Configuring the Receive Window Size on the LAC . . . . . . . . . . . . . . . . . . . . 368
Configuring the Receive Window Size on the LNS . . . . . . . . . . . . . . . . . . . . 369
Configuring Peer Resynchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Configuring Peer Resynchronization for L2TP Host Profiles and AAA Domain Map Tunnels . . . . . . . . . . . . 371
Configuring the Global L2TP Peer Resynchronization Method . . . . . . . . . . . 372
Using RADIUS to Configure Peer Resynchronization . . . . . . . . . . . . . . . . . . . 373
Configuring L2TP Tunnel Switch Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Applying the L2TP Tunnel Switch Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Configuring L2TP AVPs for Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Enabling Tunnel Switching on the Router . . . . . . . . . . . . . . . . . . . . . . . . 376
Configuring L2TP Tunnel Switch Profiles . . . . . . . . . . . . . . . . . . . . . . . . 376
Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps . . . 377
Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups . . . 377
Applying Default L2TP Tunnel Switch Profiles . . . . . . . . . . . . . . . . . . . . 378
Applying L2TP Tunnel Switch Profiles by Using RADIUS . . . . . . . . . . . . 379
Configuring the Transmit Connect Speed Calculation Method . . . . . . . . . . . . . . 379
Transmit Connect Speed Calculation Methods . . . . . . . . . . . . . . . . . . . . . . 380
Static Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Dynamic Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Actual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Transmit Connect Speed Calculation Examples . . . . . . . . . . . . . . . . . . . . . . 381
Example 1: L2TP Session over ATM 1483 Interface . . . . . . . . . . . . . . . . . 381
Example 2: L2TP Session over Ethernet VLAN Interface . . . . . . . . . . . . 382
Transmit Connect Speed Reporting Considerations . . . . . . . . . . . . . . . . . . . 383
Session Termination for Dynamic Speed Timeout . . . . . . . . . . . . . . . . . 383
Advisory Speed Precedence for VLANs over Bridged Ethernet . . . . . . . 383
Using AAA Domain Maps to Configure the Transmit Connect Speed Calculation Method . . . . . . . . . . . . 383
Using AAA Tunnel Groups to Configure the Transmit Connect Speed Calculation Method . . . . . . . . . . . . 384
Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method . . . . . . . . . . . . 385
Using RADIUS to Configure the Transmit Connect Speed Calculation Method . . . . . . . . . . . . 386
PPP Accounting Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Stateful Line Module Switchover for LNS Sessions . . . . . . . . . . . . . . . . . . . . . . . 388
Chapter 15
Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
L2TP Dial-Out Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
L2TP Dial-Out Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
L2TP Dial-Out Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
L2TP Dial-Out References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
L2TP Dial-Out Network Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
L2TP Dial-Out Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
L2TP Dial-Out Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Chassis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Virtual Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
L2TP Dial-Out Outgoing Call Setup Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Access-Request Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Access-Accept Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Outgoing Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Mutual Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Route Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Creating a Profile Before Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . 400
Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Creating an L2TP Dial-Out Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Specifying the Maximum Timeout Period for Establishing an L2TP Dial-Out Session . . . . . . . . . . . . 401
Specifying the Duration for an L2TP Dial-Out Session to Remain in Dormant State . . . . . . . . . . . . 402
Specifying the Maximum Triggers to Buffer for an L2TP Dial-Out Session . . . . . . . . . . . . 402
Deleting an L2TP Dial-Out Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Resetting an L2TP Dial-Out Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Chapter 16
L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Chapter 17
Monitoring L2TP and L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Monitoring the Mapping for User Domains and Virtual Routers with AAA . . . . . . 411
Monitoring Configured Tunnel Groups with AAA . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Monitoring Configuration of Tunnel Parameters with AAA . . . . . . . . . . . . . . . . . . 416
Monitoring Global Configuration Status on E Series Routers . . . . . . . . . . . . . . . . 417
Monitoring Detailed Configuration Information for Specified Destinations . . . . . 419
Monitoring Locked Out Destinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Monitoring Configured Destination Profiles or Host Profiles . . . . . . . . . . . . . . . . . 421
Monitoring Configured and Operational Status of all Destinations . . . . . . . . . . . 424
Monitoring Statistics on the Cause of a Session Disconnection . . . . . . . . . . . . . 425
Monitoring Detailed Configuration Information about Specified Sessions . . . . . 425
Monitoring Configured and Operational Summary Status . . . . . . . . . . . . . . . . . . 427
Monitoring Configured Switch Profiles on Router . . . . . . . . . . . . . . . . . . . . . . . . . 428
Monitoring Detailed Configuration Information about Specified Tunnels . . . . . . 428
Monitoring Configured and Operational Status of All Tunnels . . . . . . . . . . . . . . . 431
Monitoring Chassis-wide Configuration for L2TP Dial-out . . . . . . . . . . . . . . . . . . 432
Monitoring Status of Dial-out Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Monitoring Dial-out Targets within the Current VR Context . . . . . . . . . . . . . . . . 438
Monitoring Operational Status within the Current VR Context . . . . . . . . . . . . . . 439
Part 4
Managing DHCP
Chapter 18
DHCP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
DHCP Overview Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Session and Resource Control Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
DHCP Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
DHCP References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Configuring the DHCP Access Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Configuring DHCP Proxy Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Logging DHCP Packet Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Viewing and Deleting DHCP Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
DHCP Client Bindings and Duplicate MAC Addresses for Subinterfaces Overview . . . . . . . . . . . . 450
Chapter 19
DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Embedded DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
DHCP Local Server and Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . 454
Equal-Access Mode Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Local Pool Selection and Address Allocation . . . . . . . . . . . . . . . . . . . . . . . . 455
The Connection Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
Standalone Mode Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Local Pool Selection and Address Allocation . . . . . . . . . . . . . . . . . . . . . . . . 457
Server Management Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
DHCP Local Server Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
DHCP Local Server Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
DHCP Unique ID for Clients and Servers Overview . . . . . . . . . . . . . . . . . . . . . . . 460
Authentication and Accounting of IPv6 Subscribers Using the DHCPv6 Local Server Overview . . . . . . . . . . . . 461
Accounting for IPv6 Subscribers with DHCPv6 Local Server Standalone Mode . . . . . . . . . . . . 463
Interoperation of Authentication of IPv6 Clients and Display of Active Subscriber Information . . . . . . . . . . . . 463
Limiting the Maximum Number of IPv6 Prefixes Delegated Per Interface by the DHCPv6 Local Server Overview . . . . . . . . . . . . 464
Chapter 20
Configuring DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Configuring the DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Basic Configuration of DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Limiting the Number of IP Addresses Supplied by DHCP Local Server . . . . 469
Excluding IP Addresses from Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . 469
Configuring DHCP Local Server to Support Creation of Dynamic Subscriber Interfaces . . . . . . . . . . . . 470
Differentiating Between Clients with the Same Client ID or Hardware Address . . . . . . . . . . . . 470
Logging Out DHCP Local Server Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . 471
Clearing an IP DHCP Local Server Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Using SNMP Traps to Monitor DHCP Local Server Events . . . . . . . . . . . . . . . 472
Using DHCP Local Server Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Configuring DHCP Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Basic Configuration of DHCP Local Address Pools . . . . . . . . . . . . . . . . . . . . 474
Linking Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Setting Grace Periods for Address Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Overview of Sending RADIUS Attributes to DHCP Subscribers . . . . . . . . . . . . . . 477
Dual-Stack Lite Tunnel Name Configuration with RADIUS and DHCPv6 . . . 477
PCP Server Name Configuration with RADIUS and DHCP or DHCPv6 . . . . . 478
Configuring AAA Authentication for DHCP Local Server Standalone Mode . . . . 479
Configuring AAA Authentication for DHCPv6 Local Server Standalone Mode . . 482
Configuring the DHCPv6 Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Configuring the Type of DHCP Unique ID for DHCPv6 Local Servers . . . . . . . . . 486
Deleting DHCPv6 Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Configuring the Router to Work with the SRC Software . . . . . . . . . . . . . . . . . . . 488
Chapter 21
Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
DHCP Relay and BOOTP Relay Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Configuring DHCP Relay Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Enabling DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Removing Access Routes from Routing Tables and NVS . . . . . . . . . . . . . . . 493
Treating All Packets as Originating at Trusted Sources . . . . . . . . . . . . . . . . 494
Assigning the Giaddr to Source IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Protecting Against Spoofed Giaddr and Relay Agent Option Values . . . . . . 494
Using the Giaddr to Identify the Primary Interface for Dynamic Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Using the Broadcast Flag Setting to Control Transmission of DHCP Reply Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Interaction of DHCP Relay Broadcast Flag with the Layer 2 Unicast Transmission Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Preventing DHCP Relay from Installing Host Routes by Default . . . . . . . . . . . . . 498
Example: Preventing Installation of Host Routes . . . . . . . . . . . . . . . . . . . . . . . . . 499
Including Relay Agent Option Values in the PPPoE Remote Circuit ID . . . . . . . . 500
Configuring the Layer 2 Unicast Transmission Method for Reply Packets to DHCP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Using Option 60 Strings to Forward Client Traffic to Specific DHCP Servers . . . 502
Configuring the DHCP Relay Option 60 Attribute for Traffic Forwarding . . . . . . 503
Relaying DHCP Packets That Originate from a Cable Modem . . . . . . . . . . . . . . 504
DHCP Relay Agent Information Option (Option 82) Suboption Values Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Format of the JunosE Data Field in the Vendor-Specific Suboption for Option 82 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Configuring the DHCP Relay Agent Option 82 Settings . . . . . . . . . . . . . . . . . . . . 509
Configuring Relay Agent Option 82 Information . . . . . . . . . . . . . . . . . . . . . . 509
Preventing Option 82 Information from Being Stripped from Trusted Client Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Configuring Relay Agent Information Option (Option 82) Suboption Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Using the set dhcp relay agent sub-option Command to Enable Option 82 Suboption Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Using the set dhcp relay agent Command to Enable Option 82 Suboption Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Example: Using DHCP Relay Option 82 to Pass IEEE 802.1p Values to DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Rate of DHCP Client Packets Processed by DHCP Relay Overview . . . . . . . . . . . 518
Manually Configuring the Maximum Rate of Client Packets Processed Per Second by DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Configuring the Rate of Client Packets Processed by DHCP Relay . . . . . . . . . . . . 519
Configuring DHCP Relay Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Enabling DHCP Relay Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Use the First Offer from a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Set a Timeout for DHCP Client Renewal Messages . . . . . . . . . . . . . . . . . . . 520
Managing Host Routes Using DHCP Relay Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Selecting the DHCP Server Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Behavior for Bound Clients and Address Renewals . . . . . . . . . . . . . . . . . . . . 522
Chapter 22
Configuring the DHCP External Server Application . . . . . . . . . . . . . . . . . . . 523
DHCP External Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Preservation of Dynamic Subscriber Interfaces with DHCP External Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
DHCP External Server Identification of Clients with Duplicate MAC Addresses Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Configuration Guidelines for Using Duplicate MAC Mode . . . . . . . . . . . . . . . 527
Restrictions for Using Duplicate MAC Mode to Manage Clients . . . . . . . . . . 527
DHCP External Server Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . 528
Enabling and Disabling the DHCP External Server Application . . . . . . . . . . . . . . 528
Monitoring DHCP Traffic Between Remote Clients and DHCP Servers . . . . . . . . 529
Synchronizing the DHCP External Application and the Router . . . . . . . . . . . . . . 529
Configuring Interoperation with Ethernet DSLAMs . . . . . . . . . . . . . . . . . . . . . . . 529
Configuring the DHCP External Server to Support the Creation of Dynamic Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Configuring DHCP External Server to Control Preservation of Dynamic Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Configuring Dynamic Subscriber Interfaces for Interoperation with DHCP Relay and DHCP Relay Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Deleting Clients from a Virtual Router’s DHCP Binding Table . . . . . . . . . . . . . . . 534
Configuring DHCP External Server to Uniquely Identify Clients with Duplicate MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Configuring DHCP External Server to Re-Authenticate Auto-Detected Dynamic Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
Chapter 23
Monitoring and Troubleshooting DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Setting Baselines for DHCP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Setting a Baseline for DHCP Relay and Relay Proxy . . . . . . . . . . . . . . . . . . . 538
Setting a Baseline for DHCP Proxy Server Statistics . . . . . . . . . . . . . . . . . . . 538
Setting a Baseline for DHCP External Server Statistics . . . . . . . . . . . . . . . . 539
Setting a Baseline for DHCP Local Server Statistics . . . . . . . . . . . . . . . . . . . 539
Monitoring Addresses Excluded from DHCP Local Server Use . . . . . . . . . . . . . . 539
Monitoring DHCP Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Monitoring DHCP Binding Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Monitoring DHCP Binding Count Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Monitoring DHCP Binding Host Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Monitoring DHCP Bindings (Displaying IP Address-to-MAC Address Bindings) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Monitoring DHCP Bindings (Displaying DHCP Bindings Based on Binding ID) . . 548
Monitoring DHCP Bindings (Local Server Binding Information) . . . . . . . . . . . . . 549
Monitoring DHCP External Server Configuration Information . . . . . . . . . . . . . . . 550
Monitoring DHCP External Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
Monitoring DHCP External Server Duplicate MAC Address Setting . . . . . . . . . . . 552
Monitoring DHCP Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Monitoring DHCP Local Server Authentication Information . . . . . . . . . . . . . . . . 555
Monitoring DHCP Local Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Monitoring DHCP Local Server Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Monitoring DHCP Local Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Monitoring DHCP Option 60 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Monitoring DHCP Packet Capture Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Monitoring DHCP Relay Configuration Information . . . . . . . . . . . . . . . . . . . . . . . 563
Monitoring DHCP Relay Proxy Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Monitoring DHCP Relay Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
Monitoring DHCP Server and DHCP Relay Agent Statistics . . . . . . . . . . . . . . . . . 569
Monitoring DHCP Server and Proxy Client Information . . . . . . . . . . . . . . . . . . . . 570
Monitoring DHCPv6 Local Server Binding Information . . . . . . . . . . . . . . . . . . . . . 571
Monitoring DHCPv6 Local Server DNS Search Lists . . . . . . . . . . . . . . . . . . . . . . . 572
Monitoring DHCPv6 Local Server DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Monitoring DHCPv6 Local Server Prefix Lifetime . . . . . . . . . . . . . . . . . . . . . . . . . 573
Monitoring DHCPv6 Local Server Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
Monitoring DHCPv6 Local Server Authentication Information . . . . . . . . . . . . . . . 574
Monitoring Duplicate MAC Addresses Use By DHCP Local Server Clients . . . . . . 575
Monitoring the Maximum Number of Available Leases . . . . . . . . . . . . . . . . . . . . 576
Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Monitoring Status of DHCP Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Monitoring DHCP Proxy Client Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Monitoring the Maximum Number of IPv6 Prefixes Delegated Per Interface by the DHCPv6 Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Part 5
Managing the Subscriber Environment
Chapter 24
Configuring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Understanding Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Subscriber Management Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . 586
Subscriber Management Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Dynamic IP Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Subscriber Management Procedure Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Configuring Subscriber Management with an External DHCP Server . . . . . . . . . 589
Subscriber Management Configuration Examples . . . . . . . . . . . . . . . . . . . . . . . 590
Chapter 25
Monitoring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Monitoring IP Service Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Monitoring Active IP Subscribers Created by Subscriber Management . . . . . . . 596
Chapter 26
Configuring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Subscriber Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Dynamic Interfaces and Dynamic Subscriber Interfaces Overview . . . . . . . . . . 600
Subscriber Interfaces Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Interface Specifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Subscriber Interfaces References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Characteristics of Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Relationship to Shared IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Relationship to Primary IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Ethernet Interfaces and VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Moving Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Preventing IP Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Policies and QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
Applications for Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Directing Traffic Toward Special Local Content . . . . . . . . . . . . . . . . . . . . . . 606
Differentiating Traffic for VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Dynamic Creation of Subscriber Interfaces Overview . . . . . . . . . . . . . . . . . . . . . 608
Dynamic Subscriber Interfaces Using DHCP Events Overview . . . . . . . . . . . . . . 609
DHCP Local Server and Address Allocation . . . . . . . . . . . . . . . . . . . . . . . . . 609
DHCP External Server and Address Allocation . . . . . . . . . . . . . . . . . . . . . . . 610
DHCP Relay Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Supported Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Dynamic Subscriber Interfaces Using Packet Detection Overview . . . . . . . . . . . . 611
Designating Traffic for the Primary IP Interface . . . . . . . . . . . . . . . . . . . . . . . 611
Using Framed Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
Inheritance of MAC Address Validation State for Dynamic Subscriber Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
How MAC Address Validation State Inheritance Works . . . . . . . . . . . . . . . . . . . . 613
Configuration of MAC Address Validation State Inheritance . . . . . . . . . . . . . 613
Verification of MAC Address Validation State Inheritance . . . . . . . . . . . . . . . 614
Example: Configuring Static Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . 615
Example: Using a Destination Address to Demultiplex Traffic . . . . . . . . . . . 615
Example: Using a Source Address to Demultiplex Traffic . . . . . . . . . . . . . . . 618
Example: Configuring Dynamic Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . 622
Example: Configuring Dynamic Subscriber Interfaces over Ethernet . . . . . . 622
Example: Configuring Dynamic Subscriber Interfaces over VLANs . . . . . . . 624
Example: Configuring Dynamic Subscriber Interfaces over Bridged Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Example: Configuring Dynamic Subscriber Interfaces over GRE Tunnels . . 628
Example: Configuring Dynamic Subscriber Interfaces Using Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Chapter 27
Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Monitoring Subscriber Interfaces Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Monitoring Active IP Subscribers Created by Subscriber Management . . . . . . . 636
Part 6
Managing Subscriber Services
Chapter 28
Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Service Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
Service Manager Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
Service Manager Platform Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Service Manager References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Service Definitions Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Creating Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Managing Your Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Copying a Service Definition Macro File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Installing a Service Definition File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Uninstalling a Service Definition File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652
Updating an Existing Service Definition File . . . . . . . . . . . . . . . . . . . . . . . . . 652
Overview of Referencing Policies in Service Definitions . . . . . . . . . . . . . . . . . . . . 653
Referencing QoS Configurations in Service Definitions . . . . . . . . . . . . . . . . . . . . 653
Specifying QoS Profiles in Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . 654
Configuring a QoS Profile for Service Manager . . . . . . . . . . . . . . . . . . . . . . . 654
Specifying QoS Profiles in a Service Definition . . . . . . . . . . . . . . . . . . . . . . . 655
Specifying QoS Parameter Instances in a Service Definition . . . . . . . . . . . . . . . . 655
Creating a Parameter Instance in a Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Specifying QoS Parameter Instances in a Service Definition . . . . . . . . . . . . 656
Modifying QoS Configurations with Service Manager . . . . . . . . . . . . . . . . . . . . . 657
Modifying Parameter Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Modifying QoS Configurations in a Single Service Manager Event . . . . . . . . 659
Modifying QoS Configurations Using Other Sources . . . . . . . . . . . . . . . . . . 659
Removing QoS Configurations Referenced by Service Manager . . . . . . . . . . . . . 661
QoS for Service Manager Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
RADIUS or Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
Interoperability with Other Service Components . . . . . . . . . . . . . . . . . . . . . 662
QoS Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
Configuring the Service Manager License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Overview of Managing and Activating Service Sessions . . . . . . . . . . . . . . . . . . . 664
Overview of Managing Subscriber Service Sessions Using RADIUS . . . . . . . . . . 664
Activating Subscriber Service Sessions Using RADIUS . . . . . . . . . . . . . . . . . . . . 665
Understanding Service Manager RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . 666
Using Tags with RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Deactivating Service Sessions Using RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
Setting Time or Volume Thresholds for a Service . . . . . . . . . . . . . . . . . . . . . 670
Using the Deactivate-Service Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Overview of Activating and Deactivating Subscriber Services Using Mutex Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Activating and Deactivating Multiple Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Configuring a Mutex Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Combined and Independent IPv4 and IPv6 Services in a Dual Stack Overview . . 674
Activation and Deactivation of IPv4 and IPv6 Services in a Dual Stack . . . . . . . 676
Independent IPv4 and IPv6 Services in a Dual Stack . . . . . . . . . . . . . . . . . . 676
Combined IPv4 and IPv6 Service in a Dual Stack . . . . . . . . . . . . . . . . . . . . . 677
Performance Impact on the Router and Compatibility with Previous Releases for an IPv4 and IPv6 Dual Stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Understanding RADIUS Accounting for Service Manager . . . . . . . . . . . . . . . . . . 678
Service Interim Accounting Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
Configuring Service Interim Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Specifying the Service Accounting Interval . . . . . . . . . . . . . . . . . . . . . . . . . . 682
Specifying the User Accounting Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Service Interim Accounting for IPv4 and IPv6 Services in a Dual Stack Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Overview of Managing Subscriber Service Sessions Using the CLI . . . . . . . . . . . 684
Overview of Activating Subscriber Service Sessions Using the CLI . . . . . . . . . . . 685
Activating Subscriber Sessions Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . 686
Activating a Service for an Existing Subscriber . . . . . . . . . . . . . . . . . . . . . . . 686
Creating and Activating a Service for a Subscriber . . . . . . . . . . . . . . . . . . . . 687
Preprovisioning Service Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
Service Session Profiles Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Working with Service Session Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Creating a New Service Session Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Specifying Statistics Collection Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
Specifying the Maximum Bandwidth for a Service Session . . . . . . . . . . . . . 691
Specifying the Interval for the Active State of a Service Session . . . . . . . . . 691
Overview of Deactivating Subscriber Service Sessions Using the CLI . . . . . . . . . 692
Gracefully Deactivating Subscriber Service Sessions . . . . . . . . . . . . . . . . . . . . . 693
Gracefully Deactivating Service Sessions Based on Owner Details . . . . . . . 693
Gracefully Deactivating Service Sessions Based on Subscriber Details . . . . 693
Forcing Immediate Deactivation of Subscriber Service Sessions . . . . . . . . . . . . 694
Using Service Session Profiles to Deactivate Service Sessions . . . . . . . . . . . . . . 694
Configuring Service Manager Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
Setting Up the Service Definition File for Statistics Collection . . . . . . . . . . . 696
Enabling Statistics Collection with RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . 697
Enabling Statistics Collection with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 698
Setting Up the External Parent Group Statistics Collection . . . . . . . . . . . . . 698
Service Manager Performance Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Example: Tiered Service Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
Example: Video-on-Demand Service Definition . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Example: Voice-over-IP Service Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
Guided Entrance Service Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
Example: Guided Entrance Service Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
Using CoA Messages with Guided Entrance Services . . . . . . . . . . . . . . . . . . . . . . . 711
Configuring the HTTP Local Server to Support Guided Entrance . . . . . . . . . . . . . 712
Configuring the HTTP Local Server to Support Guided Entrance for IPv4 Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
Configuring the HTTP Local Server to Support Guided Entrance for IPv6 Subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
Redirection of Subscriber Sessions When HTTP Local Server is Disabled or Not Configured . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
Example: Combined IPv4 and IPv6 Service in a Dual Stack Service Definition . . 717
Preservation of the Original URL During Redirection of Subscriber Sessions . . . 723
Configuring the Preservation of the Original URL During Redirection of Subscriber Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
Chapter 29
Monitoring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Setting a Baseline for HTTP Local Server Statistics . . . . . . . . . . . . . . . . . . . . . . . 725
Monitoring the Connections to the HTTP Local Server . . . . . . . . . . . . . . . . . . . . 726
Monitoring the Configuration of the HTTP Local Server . . . . . . . . . . . . . . . . . . . . 726
Monitoring Statistics for Connections to the HTTP Local Server . . . . . . . . . . . . . 727
Monitoring Profiles for the HTTP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Monitoring the Default Interval for Interim Accounting of Services . . . . . . . . . . . 729
Monitoring the Status of the Service Manager License . . . . . . . . . . . . . . . . . . . . 729
Monitoring Profiles for Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
Monitoring IPv4 and IPv6 Interfaces for Service Manager . . . . . . . . . . . . . . . . . . . 731
Monitoring Service Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741
Monitoring Service Session Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742
Monitoring Active Owner Sessions with Service Manager . . . . . . . . . . . . . . . . . . 743
Monitoring Active Subscriber Sessions with Service Manager . . . . . . . . . . . . . . . 746
Monitoring the Number of Active Subscriber and Service Sessions with Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
Part 7
Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 753
List of Figures
Part 1
Managing Remote Access
Chapter 1
Remote Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 1: Local Address Pool Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Figure 2: Shared Local Address Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Chapter 2
Configuring Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Figure 3: Single PPP Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . . . 79
Figure 4: Multiple PPP Clients per ATM Subinterface . . . . . . . . . . . . . . . . . . . . . . 80
Part 2
Managing RADIUS and TACACS+
Chapter 5
Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 217
Figure 5: Sample Remote Access Network Using RADIUS . . . . . . . . . . . . . . . . . . 218
Chapter 6
Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Figure 6: RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Part 3
Managing L2TP
Chapter 12
L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Figure 7: Using the E Series Router as an LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Figure 8: Using the E Series Router as an LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Chapter 13
Configuring an L2TP LAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Figure 9: Lockout States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Chapter 15
Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Figure 10: Network Model for Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Part 4
Managing DHCP
Chapter 19
DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Figure 11: Non-PPP Equal Access via the Router . . . . . . . . . . . . . . . . . . . . . . . . . 456
Chapter 20
Configuring DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Figure 12: Non-PPP Equal-Access Configuration Example . . . . . . . . . . . . . . . . . 489
Chapter 21
Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Figure 13: Passing 802.1p Values to the DHCP Server . . . . . . . . . . . . . . . . . . . . . . 516
Chapter 22
Configuring the DHCP External Server Application . . . . . . . . . . . . . . . . . . . 523
Figure 14: DHCP External Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Part 5
Managing the Subscriber Environment
Chapter 24
Configuring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
Figure 15: DHCP External Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Chapter 26
Configuring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
Figure 16: Example of a Dynamic Interface Stack . . . . . . . . . . . . . . . . . . . . . . . . . 601
Figure 17: Example of a Dynamic Subscriber Interface . . . . . . . . . . . . . . . . . . . . . 601
Figure 18: Subscriber Interfaces over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
Figure 19: Subscriber Interfaces in a Cable Modem Network . . . . . . . . . . . . . . . . 607
Figure 20: Associating Subnets with a VPN Using Subscriber Interfaces . . . . . . 608
Figure 21: IP over Ethernet Dynamic Subscriber Interface Configuration . . . . . . . 610
Figure 22: Subscriber Interfaces Using a Destination Address to Demultiplex Traffic . . . . . . . . 616
Figure 23: Subscriber Interfaces Using a Source Address to Demultiplex Traffic . . . . . . . . 619
Figure 24: IP over Ethernet Dynamic Subscriber Interface Configuration . . . . . . 623
Figure 25: IP over VLAN over Ethernet Dynamic Subscriber Interface Configuration . . . . . . . . 625
Figure 26: IP over Bridged Ethernet over ATM Dynamic Subscriber Interface Configuration . . . . . . . . 627
Figure 27: GRE Tunnel Dynamic Subscriber Interface Configuration . . . . . . . . . . 629
Part 6
Managing Subscriber Services
Chapter 28
Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Figure 28: Service Manager Configuration Flowchart . . . . . . . . . . . . . . . . . . . . . . 647
Figure 29: Sample Service Definition Macro File . . . . . . . . . . . . . . . . . . . . . . . . . 650
Figure 30: QoS Configuration Dependency Chain . . . . . . . . . . . . . . . . . . . . . . . . . 661
Figure 31: Comparing RADIUS Login and RADIUS CoA Methods . . . . . . . . . . . . . 665
Figure 32: Guided Entrance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
Figure 33: Input Traffic Flow with Rate-Limit Profile on an External Parent Group for a Combined IPv4/IPv6 Service . . . . . . . . 718
Figure 34: Output Traffic Flow with Rate-Limit Profile on an External Parent Group for a Combined IPv4/IPv6 Service . . . . . . . . 718
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxxiv
Part 1
Managing Remote Access
Chapter 1
Remote Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Username and Domain Name Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Table 4: aaa strip-domain Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 5: Local UDP Port Ranges by RADIUS Request Type . . . . . . . . . . . . . . . . . . . 17
Table 6: RADIUS IETF Attributes in Preauthentication Request . . . . . . . . . . . . . . . 31
Table 7: VSAs That Apply to Dynamic IP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . 32
Table 8: Traffic-Shaping VSAs That Apply to Dynamic IP Interfaces . . . . . . . . . . . 34
Table 9: Supported RADIUS Acct-Terminate-Cause Codes . . . . . . . . . . . . . . . . . . 35
Table 10: RADIUS Attributes Specifying LAG Interface . . . . . . . . . . . . . . . . . . . . . . 44
Table 11: SRC Client and COPS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Chapter 3
Monitoring and Troubleshooting Remote Access . . . . . . . . . . . . . . . . . . . . . 103
Table 12: show aaa accounting Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Table 13: show aaa accounting vr-group Output Fields . . . . . . . . . . . . . . . . . . . . 109
Table 14: show aaa strip-domain Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Table 15: show aaa domain-map Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Table 16: show aaa profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Table 17: show aaa route-download Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 116
Table 18: show aaa route-download routes Output Fields . . . . . . . . . . . . . . . . . . 118
Table 19: show aaa route-download routes global Output Fields . . . . . . . . . . . . 120
Table 20: show aaa statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Table 21: show configuration category aaa global-attributes Output Fields . . . . 125
Table 22: show configuration category aaa local-authentication Output Fields . . . . . . . . 126
Table 23: show configuration category aaa server-attributes include-defaults Output Fields . . . . . . . . 127
Table 24: show cops info Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Table 25: show cops statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Table 26: show ip local alias Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Table 27: show ip local pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Table 28: show ip local shared-pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 135
Table 29: show radius override Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Table 30: show radius servers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Table 31: show radius statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Table 32: show sscc info Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Table 33: show sscc statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Table 34: show sscc option Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Table 35: show subscribers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Table 36: show terminate-code Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Table 37: show ipv6 local pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Table 38: show ipv6 local pool poolName Output Fields . . . . . . . . . . . . . . . . . . . 160
Table 39: show ipv6 local pool statistics Output Fields . . . . . . . . . . . . . . . . . . . . . 161
Table 40: show ipv6 local ndra-pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . 162
Table 41: show ipv6 local ndra-pool poolName Output Fields . . . . . . . . . . . . . . . 163
Table 42: show ipv6 local ndra-pool statistics Output Fields . . . . . . . . . . . . . . . . 164
Part 2
Managing RADIUS and TACACS+
Chapter 4
Configuring RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Table 43: AAA Access Message RADIUS IETF Attributes Supported . . . . . . . . . . 173
Table 44: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported . . . . . . . . 176
Table 45: AAA Accounting Message RADIUS IETF Attributes Supported . . . . . . 184
Table 46: AAA Accounting Message Juniper Networks (Vendor ID 4874) VSAs Supported . . . . . . . . 187
Table 47: AAA Accounting Tunnel Message RADIUS Attributes Supported . . . . 190
Table 48: DSL Forum (Vendor ID 3561) VSAs Supported in AAA Access and Accounting Messages . . . . . . . . 196
Table 49: CLI AAA Access Message RADIUS Attributes Supported . . . . . . . . . . . 198
Table 50: CLI Commands Used to Configure RADIUS IETF Attributes . . . . . . . . 200
Table 51: CLI Commands Used to Configure Juniper Networks VSAs . . . . . . . . . 203
Table 52: ANCP (L2C)-Related Keywords for radius include Command . . . . . . 206
Table 53: RADIUS Attributes Included in Corresponding RADIUS Messages . . . 209
Chapter 5
Configuring RADIUS Dynamic-Request Server . . . . . . . . . . . . . . . . . . . . . . . 217
Table 54: Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . . . . . . 220
Table 55: Error-Cause Codes (RADIUS Attribute 101) . . . . . . . . . . . . . . . . . . . . . . 223
Chapter 6
Configuring RADIUS Relay Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Table 56: Required RADIUS Access-Request Attributes . . . . . . . . . . . . . . . . . . . 226
Table 57: Required RADIUS Accounting Attributes . . . . . . . . . . . . . . . . . . . . . . . . 227
Chapter 7
RADIUS Attribute Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Table 58: RADIUS IETF Attributes Supported by JunosE Software . . . . . . . . . . . 231
Table 59: Juniper Networks (Vendor ID 4874) VSA Formats . . . . . . . . . . . . . . . . 238
Table 60: JunosE Software DSL Forum (Vendor ID 3561) VSA Formats . . . . . . . 251
Table 61: RADIUS Attribute Passed Through by JunosE Software . . . . . . . . . . . . 252
Chapter 8
Application Terminate Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Table 62: Default AAA Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Table 63: Default L2TP Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Table 64: Default PPP Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Table 65: Default RADIUS Client Mappings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Chapter 9
Monitoring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Table 66: show radius override Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Table 67: show radius attributes-included Output Fields . . . . . . . . . . . . . . . . . . . 287
Table 68: show radius dynamic-request statistics Output Fields . . . . . . . . . . . . 289
Table 69: show radius dynamic-request servers Output Fields . . . . . . . . . . . . . 290
Table 70: show radius relay statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . 291
Table 71: show radius relay servers Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 293
Table 72: show radius relay udp-checksum Output Fields . . . . . . . . . . . . . . . . . . 293
Chapter 10
Configuring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Table 73: TACACS-Related Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Table 74: TACACS+ Accounting Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Chapter 11
Monitoring TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Table 75: show statistics tacacs Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Table 76: show tacacs Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Part 3
Managing L2TP
Chapter 12
L2TP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Table 77: L2TP Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Chapter 14
Configuring an L2TP LNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Table 78: L2TP-Resynch-Method RADIUS Attribute . . . . . . . . . . . . . . . . . . . . . . 373
Table 79: Transmit Connect Speeds for L2TP over ATM 1483 Example . . . . . . . 382
Table 80: Transmit Connect Speeds for L2TP over Ethernet Example . . . . . . . . 382
Table 81: Tunnel--Tx-Speed-Method RADIUS Attribute . . . . . . . . . . . . . . . . . . . 386
Chapter 15
Configuring L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Table 82: L2TP Dial-Out Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Table 83: Chassis Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Table 84: Virtual Router Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Table 85: Target Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Table 86: Session Operational States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Table 87: Additions to RADIUS Attributes in Access-Accept Messages . . . . . . . 398
Chapter 16
L2TP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Table 88: PPP Disconnect Cause Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Chapter 17
Monitoring L2TP and L2TP Dial-Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Table 89: show aaa domain-map Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Table 90: show aaa tunnel-group Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 414
Table 91: show aaa tunnel-parameters Output Fields . . . . . . . . . . . . . . . . . . . . . 416
Table 92: show l2tp Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Table 93: show l2tp destination Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Table 94: show l2tp destination lockout Output Fields . . . . . . . . . . . . . . . . . . . . 421
Table 95: show l2tp destination profile Output Fields . . . . . . . . . . . . . . . . . . . . . 423
Table 96: show l2tp destination summary Output Fields . . . . . . . . . . . . . . . . . . 424
Table 97: show l2tp received-disconnect-cause-summary Output Fields . . . . . 425
Table 98: show l2tp session Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Table 99: show l2tp session summary Output Fields . . . . . . . . . . . . . . . . . . . . . . 427
Table 100: show l2tp switch-profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 428
Table 101: show l2tp tunnel Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Table 102: show l2tp tunnel summary Output Fields . . . . . . . . . . . . . . . . . . . . . . 432
Table 103: show l2tp dial-out Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Table 104: show l2tp dial-out session Output Fields . . . . . . . . . . . . . . . . . . . . . . 438
Table 105: show l2tp dial-out target Output Fields . . . . . . . . . . . . . . . . . . . . . . . 439
Table 106: show l2tp dial-out virtual-router Output Fields . . . . . . . . . . . . . . . . . 440
Part 4
Managing DHCP
Chapter 19
DHCP Local Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Table 107: Local Pool Selection in Equal-Access Mode . . . . . . . . . . . . . . . . . . . . 455
Table 108: Local Pool Selection in Standalone Mode Without AAA Authentication . . . . . . . . 457
Table 109: Local Pool Selection in Standalone Mode with AAA Authentication . . . . . . . . 457
Chapter 21
Configuring DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Table 110: Router Configuration and Transmission of DHCP Reply Packets . . . . 497
Table 111: Effect of Commands on Option 82 Suboption Settings . . . . . . . . . . . 506
Chapter 23
Monitoring and Troubleshooting DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Table 112: show ip dhcp-local excluded Output Fields . . . . . . . . . . . . . . . . . . . . . 540
Table 113: show dhcp binding Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Table 114: show dhcp count Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Table 115: show dhcp host Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Table 116: show ip dhcp-external binding Output Fields . . . . . . . . . . . . . . . . . . . 548
Table 117: show ip dhcp-external binding-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Table 118: show ip dhcp-local binding Output Fields . . . . . . . . . . . . . . . . . . . . . . 550
Table 119: show ip dhcp-external configuration Output Fields . . . . . . . . . . . . . . 550
Table 120: show ip dhcp-external statistics Output Fields . . . . . . . . . . . . . . . . . . 551
Table 121: show dhcp-external Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Table 122: show ip dhcp-local pool Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 553
Table 123: show ip dhcp-local auth Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 556
Table 124: show ip dhcp-local Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Table 125: show ip dhcp-local leases Output Fields . . . . . . . . . . . . . . . . . . . . . . . 558
Table 126: show ip dhcp-local statistics Output Fields . . . . . . . . . . . . . . . . . . . . . 559
Table 127: show dhcp vendor-option Output Fields . . . . . . . . . . . . . . . . . . . . . . . 562
Table 128: show ip dhcp-capture Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Table 129: show dhcp relay Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Table 130: show dhcp relay proxy statistics Output Fields . . . . . . . . . . . . . . . . . . 565
Table 131: show dhcp relay statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . 567
Table 132: show dhcp server statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . 569
Table 133: show dhcp server Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Table 134: show ipv6 dhcpv6-local binding Output Fields . . . . . . . . . . . . . . . . . . 571
Table 135: show ipv6 dhcpv6-local dns-domain-searchlist Output Fields . . . . . 572
Table 136: show ipv6 dhcpv6-local dns-servers Output Fields . . . . . . . . . . . . . . 572
Table 137: show ipv6 dhcpv6-local prefix-lifetime Output Fields . . . . . . . . . . . . 573
Table 138: show ipv6 dhcpv6-local statistics Output Fields . . . . . . . . . . . . . . . . 574
Table 139: show ipv6 dhcpv6-local auth config Output Fields . . . . . . . . . . . . . . 575
Table 140: show ip dhcp-local duplicate-clients Output Fields . . . . . . . . . . . . . . 575
Table 141: show ip dhcp-local limits Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 577
Table 142: show ip dhcp-local reserved Output Fields . . . . . . . . . . . . . . . . . . . . . 578
Table 143: show dhcp summary Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Table 144: show dhcp proxy-client binding Output Fields . . . . . . . . . . . . . . . . . . 579
Table 145: show ipv6 dhcpv6-local limits Output Fields . . . . . . . . . . . . . . . . . . . 580
Part 5
Managing the Subscriber Environment
Chapter 25
Monitoring Subscriber Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Table 146: show ip service-profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 595
Table 147: show ip-subscriber Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Chapter 27
Monitoring Subscriber Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
Table 148: show ip demux interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 635
Table 149: show ip-subscriber Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Part 6
Managing Subscriber Services
Chapter 28
Configuring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Table 150: Service Manager Terms and Acronyms . . . . . . . . . . . . . . . . . . . . . . . . 643
Table 151: JunosE Objects Tracked by Service Manager . . . . . . . . . . . . . . . . . . . . 649
Table 152: Sample Modifications Using the Add and Initial-Value Keywords . . . 658
Table 153: Sample Modifications Using Parameter Instances . . . . . . . . . . . . . . . 658
Table 154: Configuration Within a Single Service Manager Event . . . . . . . . . . . . 659
Table 155: Modifying QoS Configurations with Other Sources . . . . . . . . . . . . . . 660
Table 156: Service Manager RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Table 157: Sample RADIUS Access-Accept Packet . . . . . . . . . . . . . . . . . . . . . . . 668
Table 158: Using Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
Table 159: Service Manager RADIUS Accounting Attributes . . . . . . . . . . . . . . . . 679
Table 160: Determining the Service Interim Accounting Interval . . . . . . . . . . . . . 680
Table 161: Sample Acct-Start Message for a Service Session . . . . . . . . . . . . . . . 680
Table 162: RADIUS-Enabled Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Table 163: Sample RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702
Table 164: Sample RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
Table 165: Sample RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
Table 166: Sample RADIUS Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Table 167: Deactivating a Guided Entrance Service . . . . . . . . . . . . . . . . . . . . . . . . 712
Chapter 29
Monitoring Service Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Table 168: show ip http scalar Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
Table 169: show ip http server Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Table 170: show ip http statistics Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Table 171: show profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Table 172: show aaa service accounting interval Output Fields . . . . . . . . . . . . . . 729
Table 173: show license service-management Output Fields . . . . . . . . . . . . . . . 730
Table 174: show profile Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
Table 175: show ip interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Table 176: show ipv6 interface Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
Table 177: show service-management service-definition Output Fields . . . . . . . 742
Table 178: show service-management service-session-profile Output Fields . . 743
Table 179: show service-management owner-session Output Fields . . . . . . . . . 744
Table 180: show service-management subscriber-session Output Fields . . . . . 747
Table 181: show service-management summary Output Fields . . . . . . . . . . . . . 749
About the Documentation
• E Series and JunosE Documentation and Release Notes on page xxxiii
• Audience on page xxxiii
• E Series and JunosE Text and Syntax Conventions on page xxxiii
• Obtaining Documentation on page xxxv
• Documentation Feedback on page xxxv
• Requesting Technical Support on page xxxv
E Series and JunosE Documentation and Release Notes
For a list of related JunosE documentation, see
http://www.juniper.net/techpubs/software/index.html.
If the information in the latest release notes differs from the information in the
documentation, follow the JunosE Release Notes.
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
Audience
This guide is intended for experienced system and network specialists working with
Juniper Networks E Series Broadband Services Routers in an Internet access environment.
E Series and JunosE Text and Syntax Conventions
Table 1 on page xxxiv defines notice icons used in this documentation.
Table 1: Notice Icons (Meaning: Description)
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Table 2 on page xxxiv defines text and syntax conventions that we use throughout the
E Series and JunosE documentation.
Table 2: Text and Syntax Conventions (Convention, Description, Examples)

Bold text like this
  Description: Represents commands and keywords in text.
  Examples:
    • Issue the clock source command.
    • Specify the keyword exp-msg.

Bold text like this
  Description: Represents text that the user must type.
  Example: host1(config)#traffic class low-loss1

Fixed-width text like this
  Description: Represents information as displayed on your terminal's screen.
  Example:
    host1#show ip ospf 2
    Routing Process OSPF 2 with Router ID 5.5.0.250
    Router is an Area Border Router (ABR)

Italic text like this
  Description:
    • Emphasizes words.
    • Identifies variables.
    • Identifies chapter, appendix, and book names.
  Examples:
    • There are two levels of access: user and privileged.
    • clusterId, ipAddress.
    • Appendix A, System Specifications

Plus sign (+) linking key names
  Description: Indicates that you must press two or more keys simultaneously.
  Example: Press Ctrl + b.

Syntax Conventions in the Command Reference Guide

Plain text like this
  Description: Represents keywords.
  Example: terminal length

Italic text like this
  Description: Represents variables.
  Example: mask, accessListName

| (pipe symbol)
  Description: Represents a choice to select one keyword or variable to the left or
  to the right of this symbol. (The keyword or variable can be either optional or
  required.)
  Example: diagnostic | line

[ ] (brackets)
  Description: Represent optional keywords or variables.
  Example: [ internal | external ]

[ ]* (brackets and asterisk)
  Description: Represent optional keywords or variables that can be entered more
  than once.
  Example: [ level1 | level2 | l1 ]*

{ } (braces)
  Description: Represent required keywords or variables.
  Examples:
    { permit | deny } { in | out }
    { clusterId | ipAddress }
Obtaining Documentation
To obtain the most current version of all Juniper Networks technical documentation, see
the Technical Documentation page on the Juniper Networks Web site at
http://www.juniper.net/.
To download complete sets of technical documentation to create your own
documentation CD-ROMs or DVD-ROMs, see the Portable Libraries page at
http://www.juniper.net/techpubs/resources/index.html.
Copies of the Management Information Bases (MIBs) for a particular software release
are available for download in the software image bundle from the Juniper Networks Web
site at http://www.juniper.net/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation to better meet your needs. Send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
• Document or topic name
• URL or page number
• Software release version
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.
PART 1
Managing Remote Access
• Remote Access Overview on page 3
• Configuring Remote Access on page 61
• Monitoring and Troubleshooting Remote Access on page 103
CHAPTER 1
Remote Access Overview
• Remote Access Overview on page 4
• Remote Access Platform Considerations on page 6
• Remote Access References on page 6
• Overview of Mapping a User Domain to a Virtual Router on page 6
• Domain Name and Realm Name Overview on page 9
• Example: Domain Name and Realm Name on page 12
• Example: Stripping Domain Name Per Virtual Router for RADIUS Server Authentication on page 13
• Single Name Specification for Users from a Domain Overview on page 15
• RADIUS Authentication and Accounting Servers Configuration Overview on page 16
• SNMP Traps and System Log Messages Overview on page 20
• Local Authentication Servers Configuration Overview on page 21
• Tunnel Subscriber Authentication Configuration Overview on page 22
• Name Server Addresses Configuration Overview on page 23
• Local Address Servers Configuration Overview on page 23
• DHCP Features on page 26
• Domain Name Aliases Overview on page 26
• AAA Profile Configuration Overview on page 27
• RADIUS Route-Download Server for Route Distribution Overview on page 27
• AAA Logical Line Identifier for Subscriber Tracking Overview on page 29
• RADIUS Attributes in Preauthentication Request on page 31
• Considerations for Using the LLID on page 31
• VSAs for Dynamic IP Interfaces Overview on page 32
• Overview of Mapping Application Terminate Reasons and RADIUS Terminate Codes on page 34
• Timeout Configuration Overview on page 36
• Standard RADIUS IPv6 Attributes for IPv6 Neighbor Discovery Router Advertisements and DHCPv6 Prefix Delegation Configuration on page 37
• Maximum Number of IPv6 Prefixes Assigned to Clients Using Only the DHCPv6 Local Server on page 38
• Maximum Number of IPv6 Prefixes Assigned to Clients Using Both DHCPv6 Local Server and Neighbor Discovery Router Advertisements on page 38
• Duplicate IPv6 Prefix Check Overview on page 40
• Duplicate IPv6 Prefix Detection in the AAA User Profile Database Overview on page 40
• Guidelines for Duplicate Address Verification on page 41
• Propagation of LAG Subscriber Information to AAA and RADIUS on page 43
• SRC Client Configuration Overview on page 45
• SRC Client and COPS Terminology on page 45
• Retrieval of DSL Line Rate Information from Access Nodes Overview on page 48
• DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview on page 50
• Example: Delegating the DHCPv6 Prefix on page 52
• IPv6 Prefix Allocation Using Neighbor Discovery Router Advertisements from IPv6 Address Pools Overview on page 54
• Understanding IPCP and IPv6CP Negotiations for IPv4 and IPv6 Clients Based on RADIUS-Returned Attributes on page 57
Remote Access Overview
Broadband Remote Access Server (B-RAS) is an application running on your router that:
• Aggregates the output from digital subscriber line access multiplexers (DSLAMs)
• Provides user Point-to-Point Protocol (PPP) sessions or IP-over-Asynchronous Transfer Mode (ATM) sessions
• Enforces quality of service (QoS) policies
• Routes traffic into an Internet service provider’s (ISP’s) backbone network
A DSLAM collects data traffic from multiple subscribers into a centralized point so that
it can be uploaded to the router over an ATM connection via a DS3, OC3, E3, or OC12 link.
The router provides the logical termination for PPP sessions, as well as the interface to
authentication and accounting systems.
The following sections provide an overview of remote access:
• B-RAS Data Flow on page 4
• Configuring IP Addresses for Remote Clients on page 5
• AAA Overview on page 5
B-RAS Data Flow
The router performs several tasks for a digital subscriber line (DSL) PPP user to establish
a PPP connection. This is an example of the way B-RAS data might flow:
1. Authenticate the subscriber using RADIUS authentication.
2. Assign an IP address to the PPP/IP session via RADIUS, local address pools, or Dynamic Host Configuration Protocol (DHCP).
3. Terminate the PPP encapsulation or tunnel a PPP session.
4. Provide user accounting via RADIUS.
NOTE: For information about configuring RADIUS attributes, see the
Configuring RADIUS Attributes chapter.
Configuring IP Addresses for Remote Clients
A remote client can obtain an IP address from one of the following:
• RADIUS server
• Local address server
• DHCP proxy client and server
• DHCP relay agent (Bridged IP only)
• DHCP local server
• DHCP external server
For information about configuring DHCP support on the E Series router, see the DHCP
Overview chapter.
For information about how to configure a RADIUS server, see your RADIUS server
documentation.
AAA Overview
Collectively, authentication, authorization, and accounting are referred to as AAA. Each
has an important but separate function.
• Authentication—Determines who the user is, then determines whether that user should be granted access to the network. Its primary purpose is to keep intruders out of the network. It uses a database of users and passwords.
• Authorization—Determines what the user is allowed to do by giving network managers the ability to limit network services to different users.
• Accounting—Tracks what the user did and when they did it. You can use accounting for an audit trail or for billing for connection time or resources used.
Central management of AAA means the information is in a single, centralized, secure
database, which is much easier to administer than information distributed across
numerous devices.
Related Documentation
• Remote Access Configuration Tasks on page 62
Remote Access Platform Considerations
B-RAS services are supported on all E Series routers.
For information about the modules supported on E Series routers:
• See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router.
• See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.
• B-RAS Protocol Support on page 6
B-RAS Protocol Support
The E Series router supports the following protocols for B-RAS services:
• PPP
• PPP over Ethernet (PPPoE)
• Bridged Ethernet
• Layer 2 Tunneling Protocol (L2TP), both L2TP access concentrator (LAC) and L2TP network server (LNS)
Remote Access References
For more information about the topics covered in this chapter, see the following
documents:
• RFC 2748—The COPS (Common Open Policy Service) Protocol (January 2000)
• RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000)
• RFC 3084—COPS Usage for Policy Provisioning (COPS-PR) (March 2001)
• RFC 3159—Structure of Policy Provisioning Information (SPPI) (August 2001)
• RFC 3198—Terminology for Policy-Based Management (November 2001)
• RFC 3317—Differentiated Services Quality of Service Policy Information Base (DIFFSERV-PIB)
• RFC 3318—Framework Policy Information Base (March 2003)
JunosE Release Notes, Appendix A, System Maximums—Refer to the Release Notes
corresponding to your software release for information about the number of concurrent
RADIUS requests that the router supports for authentication and accounting servers.
Overview of Mapping a User Domain to a Virtual Router
You can configure RADIUS authentication, accounting, and local address pools for a
specific virtual router and then map a user domain to that virtual router.
The router keeps track of the mapping between domain names and virtual routers. Use
the aaa domain-map command to map a user domain to a virtual router.
NOTE: This domain name is not the NT domain sometimes found on the
Dialup Networking dialog box.
When the router is configured to require authentication of a PPP user, the router checks
for the appropriate user domain-name-to-virtual-router mapping. If it finds a match, the
router sends a RADIUS authentication request to the RADIUS server configured for the
specific virtual router.
The following sections describe how to map a user domain to a virtual router:
• Mapping User Requests Without a Valid Domain Name on page 7
• Mapping User Requests Without a Configured Domain Name on page 7
• Using DNIS on page 7
• Redirected Authentication on page 8
• IP Hinting on page 8
Mapping User Requests Without a Valid Domain Name
You can create a mapping between a domain name called default and a specific virtual
router so that the router can map user names that contain a domain name that does not
have an explicit map.
If a user request is submitted with a domain name for which the router cannot find a
match, the router looks for a mapping between the domain name default and a virtual
router. If a match is found, the user’s request is processed according to the RADIUS server
configured for the named virtual router. If no entry is found that maps default to a specific
virtual router, the router sends the request to the RADIUS server configured on the default
virtual router.
Mapping User Requests Without a Configured Domain Name
You can map a domain name called none to a specific virtual router so that the router
can map user names that do not contain a domain name.
If a user request is submitted without a domain name, the router looks for a mapping
between the domain name none and a virtual router. If a match is found, the user’s request
is processed according to the RADIUS server configured for the named virtual router. If
the router does not find the domain name none, it checks for the domain name default.
If no matching entries are found, the router sends the request to the server configured
on the default virtual router.
Using DNIS
The E Series router supports dialed number identification service (DNIS). With DNIS, if
users have a called number associated with them, the router searches the domain map
for the called number. If it finds a match, the router uses the matching domain map entry
information to authenticate the user. If the router does not find a match, it searches the
domain map using normal processing.
NOTE: For DNIS to work, the router must be acting as the LNS. Also, the
phone number configured in the aaa domain-map command must be an
exact match to the value passed by L2TP in the called number AVP (AVP
21).
For example, as specified in the following sequence, a user calling 9785551212 would be
terminated in vrouter_88, while a user calling 8005554433 is terminated in vrouter_100.
host1(config)#aaa domain-map 9785551212 vrouter_88
host1(config)#aaa domain-map 8005554433 vrouter_100
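The lookup order that the three preceding sections describe (DNIS called number, explicit domain entry, the reserved default and none entries, then the default virtual router), as a Python model added here by the editor; it is not JunosE code. The dictionary form of the domain map and the virtual-router names are assumptions for illustration.

```python
# Editor's model (not JunosE code) of how the router chooses the virtual
# router (VR) for an authentication request: DNIS called number first, then
# the explicit aaa domain-map entry, then the reserved entries "none" and
# "default", and finally the RADIUS server of the default VR.
from typing import Dict, Optional, Tuple

DEFAULT_VR = "default"   # name assumed here for the router's default virtual router


def domain_of(login: str) -> Optional[str]:
    """Default parsing: the domain name is the text after the last '@'."""
    _, at, domain = login.rpartition("@")
    return domain if at else None


def select_virtual_router(login: str, domain_map: Dict[str, str],
                          called_number: Optional[str] = None,
                          is_lns: bool = False) -> Tuple[str, str]:
    """Return (virtual router, which rule matched).

    `domain_map` models the aaa domain-map entries: keys are domain names,
    the literal words "default" and "none", or DNIS called numbers."""
    # DNIS applies only when the router is the LNS and the called number
    # matches a domain-map entry exactly (the L2TP called number AVP value).
    if is_lns and called_number is not None and called_number in domain_map:
        return domain_map[called_number], "dnis"
    domain = domain_of(login)
    if domain is None:
        # No domain in the login: "none", then "default", then the default VR.
        for key in ("none", "default"):
            if key in domain_map:
                return domain_map[key], key
        return DEFAULT_VR, "default-vr"
    if domain in domain_map:          # explicit mapping for this domain
        return domain_map[domain], "domain"
    if "default" in domain_map:       # unmapped domain falls back to "default"
        return domain_map["default"], "default"
    return DEFAULT_VR, "default-vr"   # otherwise the default VR's RADIUS server


if __name__ == "__main__":
    # Constructed domain map for the demonstration.
    dm = {"abc.com": "vr_abc", "default": "vr_default",
          "none": "vr_none", "9785551212": "vrouter_88"}
    for login in ("jill@abc.com", "jill@unknown.net", "jill"):
        print(login, "->", select_virtual_router(login, dm))
```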
Redirected Authentication
Redirected authentication provides a way to offload AAA activity from the router by
providing a domain-mapping-like feature remotely on the RADIUS server. Redirected
authentication works as follows:
1. The router sends an authentication request (in the form of a RADIUS access-request message) to the RADIUS server that is configured in the default VR.
2. The RADIUS server determines the user’s AAA VR context and returns this information in a RADIUS response message to the router.
3. The router then behaves in similar fashion as if it had received the VR context from the local domain map.
To maintain local control, the only VR allowed to redirect authentication is the default
VR. Also, to prevent loopbacks, the redirection may occur only once to a non-default VR.
To maintain flexibility, the redirection response may include idle time or session attributes
that are considered as default unless the redirected authentication server overrides them.
For example, if the RADIUS server returns the VR context along with an idle timeout
attribute with the value set to 20 minutes, the router uses this idle timeout value unless
the RADIUS server configured in the VR context returns a different value.
Since the router supports the RADIUS User-Name attribute [1] in the RADIUS response
message, the default VR RADIUS server may override the user’s name (this can be a
stripped name or an entirely different name). Overriding is useful for the case when the
user enters a login name containing a domain name that is significant only to the RADIUS
server in the default VR.
IP Hinting
You can allocate an address before authentication of PPP sessions. This address is
included in the Access-Request sent to the authentication server as an IP address hint.
Related Documentation
• Domain Name and Realm Name Overview on page 9
Domain Name and Realm Name Overview
To provide flexibility in how the router handles different types of usernames, the software
lets you specify the part of a username to use as the domain name, how the domain
name is designated, and how the router parses names. It also allows you to set whether
or not the router strips the domain name from the username before it sends the username
to the RADIUS server.
By default, the router parses usernames as follows:
realmName/personalName@domainName
The string to the left of the forward slash (/) is the realm name, and the string to the right
of the at-symbol (@) is the domain name. For example, in the username
juniper/jill@abc.com, juniper is the realm name and abc.com is the domain name.
The router allows you to:
• Use the realm name as the domain name.
• Use delimiters other than / to designate the realm name.
• Use delimiters other than @ to designate the domain name.
• Use either the domain or the realm as the domain name when the username contains both a realm and domain name.
• Change the direction in which the router searches for the domain name or the realm name.
To provide these features, the router allows you to specify delimiters for the domain
name and realm name. You can use up to eight one-character delimiters each for domain
and realm names. The router also lets you specify how it parses usernames to determine
which part of a username to use as the domain name.
The following sections describe domain name and realm name:
• Using the Realm Name as the Domain Name on page 9
• Using Delimiters Other Than @ on page 10
• Using Either the Domain or the Realm as the Domain Name on page 10
• Specifying the Domain Name or Realm Name Parse Direction on page 10
• Stripping the Domain Name on page 11
• Stripping the Domain Name Per Virtual Router on page 11
Using the Realm Name as the Domain Name
Typically, a realm appears before the user field and is separated with the / character; for
example, usEast/jill@abc.com. To use the realm name usEast rather than abc.com as
the domain name, set the realm name delimiter to /. For example:
host1(config)#aaa delimiter realmName /
This command causes the router to use the string to the left of the / as the domain name.
If the realm name delimiter is null (the default), the router does not search for the realm
name.
Using Delimiters Other Than @
You can set up the router to recognize delimiters other than @ to designate the domain
name. Suppose there are two users: bob@abc.com and pete!xyz.com, and you want to
use both of their domain names. In this case you would set the domain name delimiter
to @ and !. For example:
host1(config)#aaa delimiter domainName @!
Using Either the Domain or the Realm as the Domain Name
If the username contains both a realm name and a domain name delimiter, you can use
either the domain name or the realm name as the domain name. As previously mentioned,
the router treats usernames with multiple delimiters as though the realm name is to the
left of the realm delimiter and the domain name is to the right of the domain delimiter.
If you set the parse order to:
• domain-first—The router searches for a domain name first. For example, for username usEast/lori@abc.com, the domain name is abc.com.
• realm-first—The router searches for a realm name first and uses the realm name as the user’s domain name. For username usEast/lori@abc.com, the domain is usEast.
For example, if you set the delimiter for the realm name to / and set the delimiter for the
domain name to @, the router parses the realm first by default. The username
usEast/lori@abc.com results in a domain name of usEast. To cause the parsing to return
abc.com as the domain, enter the aaa parse-order domain-first command.
Specifying the Domain Name or Realm Name Parse Direction
You can specify the direction—either left to right or right to left—in which the router
performs the parsing operation when identifying the realm name or domain name. This
feature is particularly useful if the username contains nested realm or domain names.
For example, for a username of userjohn@abc.com@xyz.com, you can identify the domain
as either abc.com@xyz.com or as xyz.com, depending on the parse direction that you
specify.
You use either the left-to-right or right-to-left keywords with one of the following
keywords to specify the type of search and parsing that the router performs:
• domainName—The router searches for the next domain delimiter value in the direction specified. When it reaches a delimiter, the router uses anything to the right of the delimiter as the domain name. Domain parsing is from right to left by default.
• realmName—The router searches for the next realm delimiter value in the direction specified. When it reaches a delimiter, the router uses anything to the left of the delimiter as the realm name. Realm parsing is from left to right by default.
Example
host1(config)#aaa parse-direction domainName left-to-right
Stripping the Domain Name
The router provides a feature that strips the domain name from the username before it
sends the name to the RADIUS server in an Access-Request message. You can enable
or disable this feature using the strip-domain command.
By default, the domain name is the text after the last @ character. However, if you changed
the domain name parsing using the aaa delimiter, aaa parse-order, or aaa parse-direction
commands, the router strips the domain name and delimiter that result from the parsing.
Stripping the Domain Name Per Virtual Router
The aaa domain-map command maps a domain name to a virtual router. It determines
the authentication and accounting access for all subscribers belonging to a particular
domain. However, if a subscriber profile is configured for a virtual router using the ppp
authentication command, the authentication for the virtual router configured at the
profile level takes priority over the one configured at the domain level. If multiple profiles
from the same domain are being used, the subscribers may end up in different virtual
routers for authentication.
In such a scenario, you can use the aaa strip-domain command to strip a part of the user
name of the subscriber. The resulting user name is then used as the new user name for
that subscriber for RADIUS authentication and accounting.
NOTE: The aaa strip-domain command can be configured on non-default
virtual routers only.
Subscriber User Name for RID, CoA Requests, and Lawful Intercepts When Strip Domain Is Enabled
When strip domain is enabled for a virtual router, the user name used to identify the
subscriber session for RADIUS Initiated Disconnect (RID), Change of Authorization (CoA),
and lawful intercepts requests is the same as the subscriber user name sent to RADIUS
server for authentication.
For example, if a subscriber with user name user1@123.com$test1 has a resulting user
name of user1@123.com due to the strip domain configuration, then the user name for
all the incoming RID and CoA requests and the lawful intercept requests is user1@123.com.
This new user name, which has been used for RADIUS server authentication, is used for
displaying subscriber information using show subscribers and logout subscribers
commands.
Using the Strip Domain Functionality Per Virtual Router When Strip Domain Is Enabled for an AAA Domain Map
When strip domain is enabled for an AAA domain map using the strip-domain enable
command in the Domain Map Configuration mode, the strip domain configured for a
virtual router may cause the user name stripping to happen twice depending on the
configuration.
For example, consider a subscriber with user name user1@test.com$test1$test2. Consider
the following configurations for a domain map:
host1(config)#aaa domain-map test2
host1(config-domain-map)#strip-domain enable
The following has also been configured on the non-default virtual router:
host1(config)#aaa strip-domain enable
host1(config)#aaa strip-domain delimiter domainname $
In this example, when the domain name is stripped for the subscriber with user name
user1@test.com$test1$test2, the resulting string that is sent for RADIUS authentication
is user1. Thus, when strip domain is configured for a domain map as well as a non-default
virtual router, depending on the configurations, the domain name may get stripped twice,
once at the virtual router level and then at the domain map level.
In order to prevent the domain name from being stripped twice for the same subscriber,
you must ensure that the strip domain functionality is configured appropriately for the
domain map and for the non-default virtual router.
Redirected Authentication When Strip Domain Is Enabled
Strip domain configured on a virtual router does not work in the case of a redirected
authentication. In an authentication redirection, the RADIUS server sends an
access-accept message for a subscriber from the virtual router on which the subscriber
is already authenticated.
For example, on a virtual router vr1, we have configured the aaa strip-domain. A subscriber
with user name user1@123.com is already authenticated on vr1 using the RADIUS server
authentication. Now, if you send an access request message trying to authenticate the
same subscriber on vr1, the access request message carries the original user name,
user1@123.com, and renders strip domain ineffective during authentication redirection.
Related Documentation
• Example: Domain Name and Realm Name on page 12
• Example: Stripping Domain Name Per Virtual Router for RADIUS Server Authentication on page 13
Example: Domain Name and Realm Name
This section provides examples of possible domain or realm name results that you might
obtain, depending on the commands and options you specify. This example uses the
following username:
username: usEast/userjohn@abc.com@xyz.com
The router is configured with the following commands:
host1(config)#aaa delimiter domainName @!
host1(config)#aaa delimiter realmName /
Table 3 on page 13 shows the username and domain name that result from the parsing
action of the various commands.
Table 3: Username and Domain Name Examples

Command                                       Resulting Username        Resulting Domain Name
--------------------------------------------  ------------------------  ---------------------
aaa parse-order realm-first                   userjohn@abc.com@xyz.com  usEast
aaa parse-order domain-first                  userjohn@abc.com          xyz.com
aaa parse-direction domainName right-to-left  userjohn@abc.com          xyz.com
aaa parse-direction domainName left-to-right  userjohn                  abc.com@xyz.com
aaa parse-direction realmName right-to-left   userjohn@abc.com@xyz.com  usEast
aaa parse-direction realmName left-to-right   userjohn@abc.com@xyz.com  usEast

Related Documentation
• Domain Name and Realm Name Overview on page 9
Example: Stripping Domain Name Per Virtual Router for RADIUS Server Authentication
This example illustrates the final user name for a subscriber, based on the virtual router
applied.
1. Configure the five virtual routers.
host(config)#profile VR1
host(config-profile)#ppp authentication virtual-router vr1 pap chap
host(config-profile)#exit
host(config)#profile VR2
host(config-profile)#ppp authentication virtual-router vr2 pap chap
host(config-profile)#exit
host(config)#profile VR3
host(config-profile)#ppp authentication virtual-router vr3 pap chap
host(config-profile)#exit
host(config)#profile VR4
host(config-profile)#ppp authentication virtual-router vr4 pap chap
host(config-profile)#exit
host(config)#profile VR5
host(config-profile)#ppp authentication virtual-router vr2 pap chap
host(config-profile)#exit
2. Access the context of a previously created virtual router and enable the strip domain
functionality for each virtual router.
host(config)#virtual-router vr1
host:vr1(config)#aaa strip-domain enable
host:vr1(config)#aaa strip-domain delimiter domainName $
host:vr1(config)#aaa strip-domain parse-direction domainName left-to-right
host:vr1(config)#radius authentication server 10.209.154.193
host:vr1(config-radius)#key bras
host:vr1(config-radius)#exit
host:vr1(config)#radius accounting server 10.209.154.193
host:vr1(config-radius)#key bras
host:vr1(config-radius)#exit
host:vr1(config)#virtual-router vr2
host:vr2(config)#aaa strip-domain enable
host:vr2(config)#aaa strip-domain parse-direction domainName left-to-right
host:vr2(config)#radius authentication server 10.209.154.194
host:vr2(config-radius)#key bras
host:vr2(config-radius)#exit
host:vr2(config)#radius accounting server 10.209.154.194
host:vr2(config-radius)#key bras
host:vr2(config-radius)#exit
host:vr2(config)#virtual-router vr3
host:vr3(config)#radius authentication server 10.209.154.193
host:vr3(config-radius)#key bras
host:vr3(config-radius)#exit
host:vr3(config)#radius accounting server 10.209.154.193
host:vr3(config-radius)#key bras
host:vr3(config-radius)#exit
host:vr3(config)#virtual-router vr4
host:vr4(config)#aaa strip-domain enable
host:vr4(config)#aaa strip-domain delimiter domainName %
host:vr4(config)#radius authentication server 10.209.154.194
host:vr4(config-radius)#key bras
host:vr4(config-radius)#exit
host:vr4(config)#radius accounting server 10.209.154.195
host:vr4(config-radius)#key bras
host:vr4(config-radius)#exit
host:vr4(config)#virtual-router vr5
host:vr5(config)#aaa strip-domain enable
host:vr5(config)#radius authentication server 10.209.154.193
host:vr5(config-radius)#key bras
host:vr5(config-radius)#exit
host:vr5(config)#radius accounting server 10.209.154.192
host:vr5(config-radius)#key bras
host:vr5(config-radius)#exit
Based on the virtual router configurations, Table 4 on page 15 lists the final
user name for each virtual router applied.
Table 4: aaa strip-domain Example

Subscribers              Virtual Router Applied  Final User Name
-----------------------  ----------------------  ------------------
user1@123.com$test       VR1                     user1@123.com
user2@123.com$test       VR2                     user2
user3@123.com$test       VR3                     user3@123.com$test
user4@123.com%test       VR4                     user4@123.com
user5@123.com@test$test  VR5                     user5@123.com
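The parsing rules from the Domain Name and Realm Name Overview and Table 3, together with the per-virtual-router stripping of Table 4 and the double-stripping case, as one Python model added here by the editor; it is not JunosE code. It assumes, from the tables, that the realm and its delimiter are always removed from the username sent to RADIUS, that aaa strip-domain delimiter replaces the default @ rather than adding to it, and that when stripping is enabled on both the virtual router and the domain map the virtual-router strip runs first.

```python
# Editor's model (not JunosE code) of how the router parses a login name into
# the username sent to RADIUS and the domain name used for the domain map
# (aaa delimiter / aaa parse-order / aaa parse-direction), and of per-virtual-
# router stripping (aaa strip-domain). Behaviour is inferred from Tables 3
# and 4 of this chapter; defaults follow the chapter text.
from dataclasses import dataclass
from typing import Optional, Tuple

LEFT_TO_RIGHT = "left-to-right"
RIGHT_TO_LEFT = "right-to-left"


def find_delimiter(name: str, delimiters: str, direction: str) -> int:
    """Index of the first character of `delimiters` met when scanning `name`
    in `direction`, or -1 if none (or if no delimiters are configured)."""
    if not delimiters:
        return -1
    indexes = range(len(name)) if direction == LEFT_TO_RIGHT else range(len(name) - 1, -1, -1)
    for i in indexes:
        if name[i] in delimiters:
            return i
    return -1


@dataclass
class ParseConfig:
    """Global parsing settings, with the chapter's defaults."""
    domain_delimiters: str = "@"            # aaa delimiter domainName (up to eight chars)
    realm_delimiters: str = ""              # aaa delimiter realmName (null: no realm search)
    parse_order: str = "realm-first"        # aaa parse-order
    domain_direction: str = RIGHT_TO_LEFT   # aaa parse-direction domainName
    realm_direction: str = LEFT_TO_RIGHT    # aaa parse-direction realmName


def split_realm(name: str, cfg: ParseConfig) -> Tuple[Optional[str], str]:
    """(realm, remainder): the realm is everything left of the realm delimiter."""
    i = find_delimiter(name, cfg.realm_delimiters, cfg.realm_direction)
    return (None, name) if i < 0 else (name[:i], name[i + 1:])


def split_domain(name: str, cfg: ParseConfig) -> Tuple[str, Optional[str]]:
    """(remainder, domain): the domain is everything right of the domain delimiter."""
    i = find_delimiter(name, cfg.domain_delimiters, cfg.domain_direction)
    return (name, None) if i < 0 else (name[:i], name[i + 1:])


def parse_username(login: str, cfg: ParseConfig) -> Tuple[str, Optional[str]]:
    """Return (username sent to RADIUS, domain name looked up in the domain map).

    Assumption drawn from Table 3: the realm and its delimiter are always removed
    from the username; with realm-first the realm becomes the domain name and the
    remainder (still carrying its @domain) is the username; with domain-first the
    domain and its delimiter are cut off as well."""
    realm, rest = split_realm(login, cfg)
    if cfg.parse_order == "realm-first" and realm is not None:
        return rest, realm
    user, domain = split_domain(rest, cfg)
    if domain is not None:
        return user, domain
    return rest, realm   # no domain delimiter found: fall back to the realm, if any


@dataclass
class StripDomainConfig:
    """Per-virtual-router settings (aaa strip-domain ...)."""
    enabled: bool = False
    delimiters: str = "@"           # aaa strip-domain delimiter domainName (assumed to replace @)
    direction: str = RIGHT_TO_LEFT  # aaa strip-domain parse-direction domainName


def strip_domain(login: str, cfg: StripDomainConfig) -> str:
    """Username after the virtual-router-level strip: the text before the delimiter found."""
    if not cfg.enabled:
        return login
    i = find_delimiter(login, cfg.delimiters, cfg.direction)
    return login if i < 0 else login[:i]


def radius_username(login: str, vr: StripDomainConfig, domain_map_strip: bool,
                    parse_cfg: Optional[ParseConfig] = None) -> str:
    """Username sent for authentication when stripping is enabled on the virtual
    router and, via strip-domain enable in Domain Map Configuration mode, on the
    domain map. Assumed order: the virtual-router strip runs first, then the
    domain-map strip using the global parsing settings, which is how a name can
    end up stripped twice."""
    name = strip_domain(login, vr)
    if domain_map_strip:
        name, _ = split_domain(name, parse_cfg or ParseConfig())
    return name
```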
Related Documentation
• Overview of Mapping a User Domain to a Virtual Router on page 6
• Domain Name and Realm Name Overview on page 9
Single Name Specification for Users from a Domain Overview
Assigning a single username and a single password for all users associated with a domain
provides better compatibility with some RADIUS servers. You can use this feature for
domains that require the router to tunnel, but not terminate, PPP sessions.
When users request a PPP session, they specify usernames and passwords. During the
negotiations for the PPP session, the router authenticates legitimate users.
NOTE: This feature works only for users authenticated by Password
Authentication Protocol (PAP) and not by Challenge Handshake
Authentication Protocol (CHAP).
If you configure this feature, the router substitutes the specified username and password
for all authenticated usernames and passwords associated with that domain.
There are two options for this feature. The router can:
• Substitute the domain name for each username and one new password for each existing password.
  For example, if the domain name is xyz.com and you specify the password xyz_domain, the router associates the username xyz.com and the password xyz_domain with all users from xyz.com.
• Substitute one new username for each username and one new password for each existing password.
  For example, if the domain name is xyz.com and you specify the username xyz_group and the password xyz_domain, the router associates these identifiers with all users from xyz.com.
To use a single username and a single password for all users from a domain:
1. Access Domain Map Configuration mode using the aaa domain-map command.
2. Specify the new username and password using the override-user command.
Related Documentation
• Example: Associating all Subscribers of a PPP Interface with a Specific Domain Name on page 82
RADIUS Authentication and Accounting Servers Configuration Overview
The number of RADIUS servers you can configure depends on available memory.
The order in which you configure servers determines the order in which the router contacts
those servers on behalf of clients.
Initially, a RADIUS client sends a request to a RADIUS authentication or accounting server.
The RADIUS server uses the configured IP address, the UDP port number, and the secret
key to make the connection. The RADIUS client waits for a response for a configurable
timeout period and then retransmits the request. The RADIUS client retransmits the
request for a user-configurable retry limit.
• If there is no response from the primary RADIUS server, the RADIUS client submits the request to the secondary RADIUS server using the timeout period and retry limit configured for the secondary RADIUS server.
• If the connection attempt fails for the secondary RADIUS server, the router submits the request to the tertiary server and so on until it either is granted access on behalf of the client or there are no more configured servers.
• If another authentication server is not configured, the router attempts the next method in the method list; for accounting server requests, the information is dropped.
For example, suppose that you have configured the following authentication servers:
Auth1, Auth2, Auth3, Auth4, and Auth5. Your router attempts to send an authentication
request to Auth1. If Auth1 is unavailable, the router submits the request to Auth2, then
Auth3, and so on until an available server is found. If Auth5, the last configured
authentication server, is not available, the router attempts the next method in the method
list. If the only method configured is RADIUS, then the router notifies the client that the
request has been denied.
The following sections explain how to configure RADIUS authentication and accounting servers:
• Server Access on page 17
• Server Request Processing Limit on page 17
• Authentication and Accounting Methods on page 18
• Supporting Exchange of Extensible Authentication Protocol Messages on page 18
• Immediate Accounting Updates on page 19
• Duplicate and Broadcast Accounting on page 19
Chapter 1: Remote Access Overview
Server Access
The router offers two options by which servers are accessed:
• Direct—The first authentication or accounting server that you configure is treated as the primary authentication or accounting server, the next server configured is the secondary, and so on.
• Round-robin—The first configured server is treated as a primary for the first request, the second server configured as primary for the second request, and so on. When the router reaches the end of the list of servers, it starts again at the top of the list until it comes full cycle through the list.
Use the radius algorithm command to specify the server access method.
When you configure the first RADIUS accounting server, a RADIUS Acct-On message is
sent. When you delete the last accounting server, a RADIUS Acct-Off message is sent.
Server Request Processing Limit
You can configure RADIUS authentication servers and accounting servers to use different
UDP ports on the router. This enables the same IP address to be used for both an
authentication server and an accounting server. However, you cannot use the same IP
address for multiple authentication servers or for multiple accounting servers.
NOTE: For information about the number of concurrent RADIUS requests
that the router supports for authentication and accounting servers, see JunosE
Release Notes, Appendix A, System Maximums.
The E Series router listens to a range of UDP source (or local) ports for RADIUS responses.
Each UDP source port supports a maximum of 255 RADIUS requests. When the 255
per-port limit is reached, the router opens the next source port. When the max-sessions
command limit is reached, the router submits the request to the next configured server.
Table 5 on page 17 lists the range of UDP ports the router uses for each type of RADIUS
request.
Table 5: Local UDP Port Ranges by RADIUS Request Type

RADIUS Request Type        ERX310, ERX710, ERX1410, and E120    ERX1440 and E320
                           Broadband Services Routers           Broadband Services Routers
RADIUS authentication      50000–50124                          50000–50124
RADIUS accounting          50125–50249                          50125–50499
RADIUS preauthentication   50250–50374                          50500–50624
RADIUS route-download      50375–50500                          50625–50749
Authentication and Accounting Methods
When you configure AAA authentication and accounting services for your B-RAS
environment, one important task is to specify the authentication and accounting method
used. The JunosE Software gives you the flexibility to configure authentication or
accounting methods based on the type of subscriber. This feature allows you to enable
RADIUS authentication for some subscribers, while disabling authentication completely
for other subscribers. Similarly, you can enable RADIUS accounting for some subscribers,
but no accounting for others. For example, you might use RADIUS authentication for ATM
1483 subscribers, while granting IP subscriber management interfaces access without
authentication (using the none keyword).
You can specify a single authentication or accounting method, or you can specify multiple
methods in the order in which you want them tried. For example, if you specify the radius
keyword followed by the none keyword when configuring authentication, AAA initially attempts
to use RADIUS authentication. If no RADIUS servers are available, AAA uses no authentication.
Be aware that such a method list fails open: once every RADIUS server is unreachable,
subscribers are admitted without any credential check, so configure none as a fallback only
where that outcome is acceptable. The next method is consulted only when no server responds;
a reject returned by a reachable server is not a reason to try the next method. The JunosE
Software currently supports radius and none as accounting methods and radius, none, and local
as authentication methods. See “Local Authentication Servers Configuration Overview” on
page 21 for information about local authentication.
You can configure authentication and accounting methods based on the following types of subscribers:
• ATM 1483
• Tunnels (for example, L2TP tunnels)
• PPP
• RADIUS relay server
• IP subscriber management interfaces
NOTE: IP subscriber management interfaces are static or dynamic
interfaces that are created or managed by the JunosE Software’s subscriber
management feature.
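The following Python model is an added illustration, not code from JunosE or from this guide. It traces the server-selection behaviour described in “RADIUS Authentication and Accounting Servers Configuration Overview”, “Server Access” and the method-list discussion above: servers are tried in direct or round-robin order, each for one attempt plus its retry limit; a server that never answers is marked dead for the deadtime (3 minutes when none is configured) and skipped until it expires; and the method list is consulted only when no server answers. The fake_transport function, the “accept”/“reject” strings, the addresses, and the assumption that the retry limit counts retransmissions after the first attempt are all constructed for the example. The last two calls in the usage note are the practitioner’s check: with a method list of radius none, an outage of every server admits everyone.

```python
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    address: str
    retries: int = 3         # retransmissions after the first attempt (assumed reading of "retry limit")
    timeout: float = 3.0     # seconds per attempt; only the transport would use it
    dead_until: float = 0.0  # simulation-clock time until which the server is skipped


@dataclass
class RadiusClient:
    servers: list                   # configured order = direct priority order
    algorithm: str = "direct"       # "direct" or "round-robin", as with the radius algorithm command
    methods: tuple = ("radius",)    # method list, for example ("radius", "none")
    deadtime: float = 180.0         # 3 minutes when no deadtime is configured
    vr: str = "default"
    log: list = field(default_factory=list)
    _next_primary: int = 0

    def _ordered_servers(self):
        if self.algorithm == "round-robin":
            start = self._next_primary % len(self.servers)
            self._next_primary += 1
            return self.servers[start:] + self.servers[:start]
        return list(self.servers)

    def _try_radius(self, username, now, transport):
        for server in self._ordered_servers():
            if server.dead_until > now:
                continue                     # still inside deadtime: skip without sending
            for _attempt in range(server.retries + 1):
                reply = transport(server, username)
                if reply is not None:
                    server.dead_until = 0.0  # a valid response restores the server
                    return reply             # Accept or Reject both end the search
            server.dead_until = now + self.deadtime
            self.log.append(f"RADIUS authentication server {server.address} unavailable in VR {self.vr}")
        self.log.append(f"RADIUS no authentication servers responding in VR {self.vr}")
        return None

    def authenticate(self, username, now, transport):
        """Walk the method list and return "accept" or "reject"."""
        for method in self.methods:
            if method == "radius":
                reply = self._try_radius(username, now, transport)
                if reply is not None:
                    return reply
            elif method == "none":
                self.log.append(f"{username}: admitted by method none with no credential check")
                return "accept"
            else:
                raise ValueError(f"method {method!r} is not modelled in this example")
        return "reject"                      # method list exhausted: the client is denied


def fake_transport(reachable, calls):
    """Constructed stand-in for the UDP exchange: reachable servers Accept, others never answer."""
    def send(server, username):
        calls.append(server.address)
        return "accept" if server.address in reachable else None
    return send
```

Usage: with RadiusClient([RadiusServer("192.0.2.10", retries=2), RadiusServer("192.0.2.11", retries=2)]) and only 192.0.2.11 reachable, the first authenticate call tries 192.0.2.10 three times, marks it dead, and succeeds on 192.0.2.11; a second call within 180 seconds goes straight to 192.0.2.11. RadiusClient([...], methods=("radius",)) returns "reject" when nothing answers, while methods=("radius", "none") returns "accept" in the same outage.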
Supporting Exchange of Extensible Authentication Protocol Messages
Extensible Authentication Protocol (EAP) is a protocol that supports multiple methods
for authenticating a peer before allowing network layer protocols to transmit over the
link. JunosE Software supports the exchange of EAP messages between JunosE
applications, such as PPP, and an external RADIUS authentication server.
The JunosE Software’s AAA service accepts and passes EAP messages between the
JunosE application and the router’s internal RADIUS authentication server. The internal
RADIUS authentication server, which is a RADIUS client, provides EAP pass-through—the
RADIUS client accepts the EAP messages from AAA, and sends the messages to the
external RADIUS server for authentication. The RADIUS client then passes the response
from the external RADIUS authentication server back to the AAA service, which then
sends a response to the JunosE application. The AAA service and the internal RADIUS
authentication service do not process EAP information—both simply act as pass-through
devices for the EAP message.
The router’s local authentication server and TACACS+ authentication servers do not
support the exchange of EAP messages. These types of servers deny access if they receive
an authentication request from AAA that includes an EAP message. EAP messages do
not affect the none authentication configuration, which always grants access.
The local RADIUS authentication server uses the following RADIUS attributes when exchanging EAP messages with the external RADIUS authentication server:
• Framed-MTU (attribute 12)—Used if AAA passes an MTU value to the internal RADIUS client
• State (attribute 24)—Used in Challenge-Response messages from the external server and returned to the external server on the subsequent Access-Request
• Session-Timeout (attribute 27)—Used in Challenge-Response messages from the external server
• EAP-Message (attribute 79)—Used to fragment EAP strings into 253-byte fragments (the RADIUS limit)
• Message-Authenticator (attribute 80)—Used to authenticate messages that include an EAP-Message attribute
For additional information on configuring PPP to use EAP authentication, see JunosE Link Layer Configuration Guide.
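The following Python is an added example, not part of this guide or of JunosE, showing the two attributes the pass-through relies on in practice: an EAP message is cut into EAP-Message (79) attributes of at most 253 value octets, and the Access-Request is sealed with a Message-Authenticator (80) computed as HMAC-MD5 over the whole packet with the attribute value zeroed, as RFC 3579 requires. The EAP payload, the shared secret and the Request Authenticator are constructed for the example; the verifier deliberately fails on a missing, duplicated or malformed Message-Authenticator rather than guessing, since an Access-Request carrying EAP without a valid one should be dropped.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE = 79             # RADIUS attribute 79
MESSAGE_AUTHENTICATOR = 80   # RADIUS attribute 80
MAX_VALUE_LEN = 253          # the length octet covers type+length+value, so a value is at most 253 octets
SECRET = b"example-shared-secret"   # constructed; never reuse a documentation secret in production

# Constructed EAP-Response (code 2, identifier 7, type 13) with 512 payload octets, long
# enough to need three EAP-Message fragments. AAA never looks inside; it is opaque here too.
_EAP_DATA = bytes(range(256)) * 2
SAMPLE_EAP = bytes([2, 7]) + struct.pack("!H", 5 + len(_EAP_DATA)) + bytes([13]) + _EAP_DATA


def tlv(attr_type, value):
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def fragment_eap(eap_payload):
    """Split an EAP message into ordered EAP-Message attributes of at most 253 value octets."""
    return [tlv(EAP_MESSAGE, eap_payload[i:i + MAX_VALUE_LEN])
            for i in range(0, len(eap_payload), MAX_VALUE_LEN)]


def build_access_request(identifier, request_authenticator, attributes, secret):
    """Assemble Code|Identifier|Length|Request Authenticator|attributes, then seal it.

    RFC 3579: the HMAC-MD5 is taken over the complete request with the Message-Authenticator
    value set to 16 zero octets; the zeros are then replaced by the digest.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    attrs = b"".join(attributes)
    placeholder = tlv(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs) + len(placeholder))
    header += request_authenticator
    digest = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + tlv(MESSAGE_AUTHENTICATOR, digest)


def parse_attributes(packet):
    """Yield (type, value, offset_of_value); reject malformed lengths instead of guessing."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + length], pos + 2
        pos += length


def verify_message_authenticator(packet, secret):
    """True only if exactly one well-formed Message-Authenticator is present and its HMAC matches."""
    try:
        found = [(v, off) for t, v, off in parse_attributes(packet) if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, off = found[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


def reassemble_eap(packet):
    """Concatenate EAP-Message values in order of appearance (RFC 3579 section 3.1)."""
    return b"".join(v for t, v, _ in parse_attributes(packet) if t == EAP_MESSAGE)
```

Usage: build_access_request(42, request_authenticator, fragment_eap(SAMPLE_EAP), SECRET) yields a request whose EAP-Message values are 253, 253 and 11 octets long; verify_message_authenticator accepts it with SECRET, and rejects it with a different secret or after any octet of an EAP fragment is altered.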
Immediate Accounting Updates
You can use the aaa accounting immediate-update command to configure immediate
accounting updates on a per-VR basis. If you enable this feature, the E Series router sends
an Acct-Update message to the accounting server immediately on receipt of a response
(ACK or timeout) to the Acct-Start message.
This feature is disabled by default. Use the enable keyword to enable immediate updates
and the disable keyword to halt them.
The accounting update contains 0 (zero) values for the input/output octets/packets
and 0 (zero) for uptime. If you have enabled duplicate or broadcast accounting, the
accounting update goes to both the primary virtual router context and the duplicate or
broadcast virtual router context.
Duplicate and Broadcast Accounting
Normally, the JunosE Software sends subscriber-related AAA accounting information to
the virtual router that authenticates the subscriber. If an operational virtual router is
configured that is different from the authentication router, it also receives the accounting
information. You can optionally configure duplicate or broadcast AAA accounting, which
sends the accounting information to additional virtual routers simultaneously. The
accounting information is always sent to the authenticating virtual router. The accounting
information is sent to the operational virtual router only if duplicate accounting is not
enabled and the authenticating virtual router is different from the operational virtual router.
Both the duplicate and broadcast accounting features are supported on a per-virtual
router context, and enable you to specify particular accounting servers that you want to
receive the accounting information.
For example, you might use broadcast accounting to send accounting information to a
group of your private accounting servers. Or you might use duplicate accounting to send
the accounting information to a customer’s accounting server.
• Duplicate accounting—Sends the accounting information to a particular virtual router
• Broadcast accounting—Sends the accounting information to a group of virtual routers. An accounting virtual router group can contain up to four virtual routers and the E Series router supports a maximum of 100 virtual router groups. The accounting information continues to be sent to the duplicate accounting virtual router, if one is configured.
UDP Checksums
Each virtual router on which you configure B-RAS is enabled to perform UDP checksums
by default. You can disable and reenable UDP checksums.
Related Documentation
• Remote Access Configuration Tasks on page 62
SNMP Traps and System Log Messages Overview
The router can send Simple Network Management Protocol (SNMP) traps to alert network
managers when:
• A RADIUS server fails to respond to a request.
• A RADIUS server that previously failed to respond to a request (and was consequently removed from the list of active servers) returns to active service. Returning to active service means that the E Series RADIUS client receives a valid response to an outstanding RADIUS request after the server is marked unavailable.
• All RADIUS servers within a VR context fail to respond to a request.
The router also generates system log messages when RADIUS servers fail to respond or
when they return to active service; no configuration is required for system log messages.
The following sections describe SNMP traps and system log messages:
• SNMP Traps on page 20
• System Log Messages on page 21
SNMP Traps
The router generates SNMP traps and system log messages as follows:
• If the first RADIUS server fails to respond to the RADIUS request, the E Series RADIUS client issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server timed out. The E Series RADIUS client will not issue another system log message or SNMP trap regarding this RADIUS server until the deadtime expires, if configured, or for 3 minutes if deadtime is not configured.
• The E Series RADIUS client then sends the RADIUS request to the second configured RADIUS server. If the second RADIUS server fails to respond to the RADIUS request, the E Series RADIUS client again issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server timed out.
• This process continues until either the E Series RADIUS client receives a valid response from a RADIUS server or the list of configured RADIUS servers is exhausted. If the list of RADIUS servers is exhausted, the E Series RADIUS client issues a system log message and, if configured, an SNMP trap indicating that all RADIUS servers have timed out.
If the E Series RADIUS client receives a RADIUS response from a “dead” RADIUS server
during the deadtime period, the RADIUS server is restored to active status.
If the router receives a valid RADIUS response to an outstanding RADIUS request, the
E Series client issues a system log message and, if configured, an SNMP trap indicating
that the RADIUS server is now available.
System Log Messages
You do not need to configure system log messages. The router automatically sends them
when individual servers do not respond to RADIUS requests and when all servers on a
VR fail to respond to requests. The following are the formats of the warning level system
log messages:
RADIUS [ authentication | accounting ] server serverAddress unavailable in VR virtualRouterName [; trying nextServerAddress]
RADIUS no [ authentication | accounting ] servers responding in VR virtualRouterName
RADIUS [ authentication | accounting ] server serverAddress available in VR virtualRouterName
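As an added detection example (not part of this guide or of JunosE), the following Python parses the three message formats above into structured events, keeps a per-VR picture of which servers are down, and records an alert each time a VR reports that no servers of one kind are responding. The sample lines are constructed; the “host1:” prefix stands in for whatever timestamp and hostname your syslog collector prepends, which is why the patterns search for the message text rather than anchoring at the start of the line.

```python
import re
from collections import defaultdict

# Message formats from this section. The VR name is read up to a ';' so the optional
# "; trying nextServer" suffix of the first format is captured separately.
_UNAVAILABLE = re.compile(
    r"RADIUS (?P<kind>authentication|accounting) server (?P<server>\S+) unavailable in VR "
    r"(?P<vr>[^\s;]+)(?:\s*;\s*trying (?P<next>\S+))?\s*$")
_ALL_DOWN = re.compile(
    r"RADIUS no (?P<kind>authentication|accounting) servers responding in VR (?P<vr>\S+)\s*$")
_AVAILABLE = re.compile(
    r"RADIUS (?P<kind>authentication|accounting) server (?P<server>\S+) available in VR (?P<vr>\S+)\s*$")

_PATTERNS = (("unavailable", _UNAVAILABLE), ("all_down", _ALL_DOWN), ("available", _AVAILABLE))

# Constructed sample log: one VR loses both authentication servers, one comes back,
# and an accounting server in another VR starts failing over.
SAMPLE_LOG = [
    "host1: RADIUS authentication server 192.0.2.10 unavailable in VR default; trying 192.0.2.11",
    "host1: RADIUS authentication server 192.0.2.11 unavailable in VR default",
    "host1: RADIUS no authentication servers responding in VR default",
    "host1: RADIUS authentication server 192.0.2.10 available in VR default",
    "host1: RADIUS accounting server 192.0.2.20 unavailable in VR cust1; trying 192.0.2.21",
    "host1: some unrelated log line",
]


def parse_line(line):
    """Return (event, fields) for a RADIUS server-state message, or None for anything else."""
    for event, pattern in _PATTERNS:
        match = pattern.search(line)
        if match:
            return event, match.groupdict()
    return None


def process(lines):
    """Track server state per (VR, kind) and collect "all servers down" alerts in order.

    Returns (state, alerts): state maps (vr, kind) -> {server: "up" | "down"}; alerts is
    the list of (vr, kind) pairs for which the router reported no responding servers.
    """
    state = defaultdict(dict)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, fields = parsed
        key = (fields["vr"], fields["kind"])
        if event == "unavailable":
            state[key][fields["server"]] = "down"
        elif event == "available":
            state[key][fields["server"]] = "up"
        else:
            alerts.append(key)
    return dict(state), alerts
```

Running process(SAMPLE_LOG) leaves 192.0.2.11 marked down and 192.0.2.10 back up in VR default, records one all-servers-down alert for (default, authentication), and ignores the unrelated line.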
Related Documentation
• Configuring SNMP Traps on page 67
Local Authentication Servers Configuration Overview
The AAA local authentication server enables the E Series router to provide local PAP and
CHAP user authentication for subscribers. The router also provides limited authorization,
using the IP address, IP address pool, and operational virtual router parameters. When
a subscriber logs on to the E Series router that is using local authentication, the subscriber
is authenticated against user entries in a local user database; the optional parameters
are assigned to subscribers after the subscriber is authenticated.
Related Documentation
• Creating the AAA Local Authentication Environment on page 68
• Creating AAA Local User Databases on page 69
Tunnel Subscriber Authentication Configuration Overview
When a AAA domain map includes any tunnel configuration, users in this domain are
considered to be tunnel subscribers. By default, any such subscriber is granted access
without being authenticated by the authentication server. Access is granted even when
the user provides an invalid username and password. The tunnel configuration for the
subscriber comes from the AAA domain map.
For example, if the authentication protocol for a AAA domain map is RADIUS, AAA grants
access to subscribers from this domain immediately without sending access requests
to the configured RADIUS server. Because of this behavior, these subscribers cannot get
any additional control attributes from the authentication server. This reduces your ability
to manage the tunnel subscribers.
In this default situation, if you want the domain subscribers to be managed by the
authentication server for any control attribute, then that domain map cannot have any
tunnel configuration. Typically, this means you must configure the subscriber individually.
You can use the tunnel-subscriber authentication command to get around this limitation.
When you enable authentication with this command, access requests for the tunnel
subscribers in the domain are sent to the configured authentication server. When the
access replies from authentication server are processed, various user attributes from the
server can be applied to the subscribers.
When the authentication server returns tunnel attributes, these returned values take
precedence over the corresponding local tunnel configuration values in the AAA domain
map. If the server does not return any tunnel attributes, then the tunnel subscriber’s
tunnel settings are configured according to the domain map’s tunnel settings.
If the authentication server returns a redirect VSA and the corresponding AAA domain
map has local tunnel configurations, the VSA is ignored. Access is denied to the user
when the authentication server rejects the access request.
The tunnel-subscriber authentication command has no effect on subscribers in a domain
with no tunnel configuration. When a AAA domain map has no tunnel configuration,
subscribers in the domain are authenticated by the authentication server. If the server
grants access, then the subscribers get their tunnel settings only from the authentication
server.
By default, tunnel subscribers in the domain are granted access with no external
authentication. Use the enable keyword to enable authentication. Use the disable keyword
to restore the default of no authentication.
To configure authentication of tunnel subscribers within a AAA domain by an external
authentication server, issue the tunnel-subscriber authentication command in Domain Map
Configuration mode. For example:
host1(config-domain-map)#tunnel-subscriber authentication enable
Related Documentation
• Overview of Mapping a User Domain to a Virtual Router on page 6
• tunnel-subscriber authentication
Name Server Addresses Configuration Overview
You can assign IP or IPv6 addresses for DNS and IP addresses for WINS name servers.
During setup negotiations between the router and remote PC clients using PPP (Internet
Protocol Control Protocol [IPCP] specifically), the remote client may request the DNS
and WINS server IP addresses. If the IP addresses passed to the router by the remote PC
client are different from the ones configured on your router, the router returns the values
that you configured as the correct values to the remote PC client. This behavior is
controlled by the ppp peer dns and ppp peer wins interface commands.
If a PPP client request contains address values of 0.0.0.0 for the name servers, the router
considers that the remote PC client is not configured and returns the configured values
as the correct values to the remote PC client.
The DNS and WINS addresses are considered as part of the PPP user information. These
addresses are provided to the PPP client as part of the IPCP negotiations between PPP
peers. For details, see RFC 1877—PPP Internet Protocol Control Protocol Extensions for
Name Server Addresses (December 1995).
NOTE: All name server address parameters are defined in the context of a
virtual router.
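The following Python is an added example, not part of this guide or of JunosE, of the IPCP exchange described above. It decodes the RFC 1877 name-server options (129 Primary-DNS, 130 Primary-NBNS, 131 Secondary-DNS, 132 Secondary-NBNS) in a peer’s Configure-Request and answers the way the page describes: a value of 0.0.0.0, or a value that differs from the router’s configured one, draws a Configure-Nak carrying the router’s value, and a request that already matches is Configure-Acked. Configure-Rejecting options for which the router has nothing configured is an assumption of this example (RFC 1661 gives Reject precedence over Nak); the page does not say what JunosE does in that case. The addresses are constructed.

```python
import ipaddress
import struct

CONF_REQ, CONF_ACK, CONF_NAK, CONF_REJ = 1, 2, 3, 4
# RFC 1877 IPCP option types
PRIMARY_DNS, PRIMARY_NBNS, SECONDARY_DNS, SECONDARY_NBNS = 129, 130, 131, 132
NAME_SERVER_OPTIONS = {PRIMARY_DNS, PRIMARY_NBNS, SECONDARY_DNS, SECONDARY_NBNS}


def packed(address):
    """Dotted IPv4 text to the 4-octet option value."""
    return ipaddress.IPv4Address(address).packed


def parse_options(data):
    """Decode type|length|value options; refuse bad lengths rather than reading past the end."""
    opts, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated option header")
        typ, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad option length")
        opts.append((typ, data[pos + 2:pos + length]))
        pos += length
    return opts


def build_ipcp(code, ident, opts):
    body = b"".join(bytes([typ, len(val) + 2]) + val for typ, val in opts)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def handle_configure_request(packet, configured):
    """Reply to an IPCP Configure-Request as the router side of the name-server negotiation.

    configured maps an RFC 1877 option type to the address the router hands out.
    """
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CONF_REQ:
        raise ValueError("not a Configure-Request")
    opts = parse_options(packet[4:length])
    naks, rejects = [], []
    for typ, val in opts:
        if typ not in NAME_SERVER_OPTIONS:
            continue                                  # other options are acked as-is here
        if typ not in configured or len(val) != 4:
            rejects.append((typ, val))                # assumed: nothing to offer, so Reject
            continue
        ours = packed(configured[typ])
        if val == bytes(4) or val != ours:            # 0.0.0.0 = "tell me"; anything else wrong = "use ours"
            naks.append((typ, ours))
    if rejects:                                       # RFC 1661: Reject takes precedence over Nak
        return build_ipcp(CONF_REJ, ident, rejects)
    if naks:
        return build_ipcp(CONF_NAK, ident, naks)
    return build_ipcp(CONF_ACK, ident, opts)


def option_addresses(packet):
    """Decode a reply's 4-octet options into {type: dotted address} for inspection."""
    return {typ: str(ipaddress.IPv4Address(val))
            for typ, val in parse_options(packet[4:]) if len(val) == 4}
```

With configured = {PRIMARY_DNS: "192.0.2.53", SECONDARY_DNS: "192.0.2.54"}, a request carrying 0.0.0.0 for the primary and 203.0.113.1 for the secondary is Naked with both configured values; resending those values is Acked.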
Related Documentation
• ppp peer
Local Address Servers Configuration Overview
The local address server allocates IP addresses from a pool of addresses stored locally
on the router. You can optionally configure shared local address pools to obtain addresses
from a DHCP local address pool that is in the same virtual router. Addresses are provided
automatically to client sessions requiring an IP address from a virtual router that is
configured to use a local address pool.
A local address server is defined in the context of a virtual router. You create a local
address server when you configure the first local pool. Local address servers exist as long
as the virtual router exists or until you remove them by deleting all configured pools.
Figure 1 on page 24 illustrates the local address pool hierarchy. Multiple local address
server instances, one per virtual router, can exist. Each local address server can have one
or more local address pools. Each pool can contain a number of IP addresses that are
available for allocation and used by clients, such as PPP sessions.
Figure 1: Local Address Pool Hierarchy
The following sections describe local address servers:
• Local Address Pool Ranges on page 24
• Local Address Pool Aliases on page 24
• Shared Local Address Pools on page 25
• SNMP Thresholds on page 26
Local Address Pool Ranges
As shown in Figure 1 on page 24, each local address pool is named and contains ranges
of sequentially ordered IP addresses. These addresses are allocated when the AAA server
makes a request for an IP address.
If a local address pool range is exhausted, the next range of addresses is used. If all pool
ranges are exhausted, you can configure a new range to extend or supplement the existing
range of addresses, or you can create a new pool. The newly created pool range is then
used for future address allocation. If addresses allocated from the first pool range are
released, then subsequent requests for addresses are taken from the first pool range.
Addresses are assigned sequentially from a range within a pool. If a range has no
addresses available, the next range within that pool is used. If a pool has no addresses
available, the next configured pool is used, unless a specific pool is indicated.
Local Address Pool Aliases
An alias is an alternate name for an existing local address pool. It comprises an alias
name and a pool name.
When the AAA server requests an IP address from a specific local address pool, the local
address server first verifies whether an alias exists for the requested pool. If an alias exists,
the IP address is allocated from the pool specified by the alias. If no alias exists, the IP
address is allocated from the pool originally specified in the request.
The use of aliases simplifies management of subscribers. For example, you can use an
alias to migrate subscribers from one local address pool to another. Instead of having to
modify countless subscriber records on the AAA server, you create an alias to make the
configuration change.
Shared Local Address Pools
Typically, the local address server allocates IP addresses from a pool of addresses that
is stored locally on the router. However, shared local address pools enable a local address
server to hand out addresses that are allocated from DHCP local server address pools
within the same virtual router. The addresses are configured and managed within DHCP.
Therefore, thresholds are not configured on the shared pool, but are instead managed
by the referenced DHCP local server pool.
A shared local address pool references one DHCP address pool. The shared local address
pool can then obtain addresses from the referenced DHCP address pool and from any
DHCP address pools that are linked to the referenced DHCP address pool.
Figure 2 on page 25 illustrates a shared local address pool environment that includes
four linked DHCP address pools. In the figure, both Shared_LAS_Pool_A and
Shared_LAS_Pool_B reference DHCP_Pool_1, and can therefore obtain addresses from
all four DHCP address pools. Shared_LAS_Pool_C references DHCP_Pool_3 and can get
addresses from DHCP_Pool_3 and DHCP_Pool_4.
Figure 2: Shared Local Address Pools
When the local address server requests an address from a shared address pool, the
address is returned from the referenced DHCP pool or a subsequent linked pool. If no
address is available, DHCP notifies the local address server and the search is ended.
Keep the following guidelines in mind when using shared local address pools:
• The DHCP attributes do not apply to shared local address pools; for example, the lease time for shared local address pools is infinite.
• When you delete the referenced DHCP address pool, DHCP notifies the local address server and logs out all subscribers that are using addresses from the deleted pool.
• When you delete a shared local address pool, the local address server logs out the subscribers that are using addresses from the deleted pool, then notifies DHCP and releases the addresses.
• If the chain of linked DHCP address pools is broken, no action is taken and the existing subscribers retain their address. However, the DHCP local address pools that are no longer part of the chain are now unable to provide any new addresses.
The following commands create the shared address pools in Figure 2 on page 25:
host1(config)#ip local shared-pool Shared_LAS_Pool_A DHCP_Pool_1
host1(config)#ip local shared-pool Shared_LAS_Pool_B DHCP_Pool_1
host1(config)#ip local shared-pool Shared_LAS_Pool_C DHCP_Pool_3
SNMP Thresholds
A local address pool has SNMP thresholds associated with it that enable the local address
server to signal SNMP traps when certain conditions exist. These thresholds include high
utilization threshold and abated utilization threshold. If the outstanding addresses of a
pool or a pool group exceed the high utilization threshold and the SNMP trap signaling
is enabled, SNMP is notified. Likewise, when a pool’s utilization drops below the abated
utilization threshold, SNMP is notified.
A local address pool can be linked to a second local address pool so that when the first
pool utilization reaches 100%, the DHCP local server uses the second pool. For generation
of SNMP traps, the utilization of addresses is calculated for all the pools that are in the
linked pools and they are collectively considered as an aggregated pool group.
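The following Python is an added model, not code from this guide or from JunosE, that ties together “Local Address Pool Ranges”, “Local Address Pool Aliases” and “SNMP Thresholds”: addresses are handed out sequentially from a pool’s ranges in configured order, a released address in the first range is reused before later ranges, a request naming an alias is redirected to the aliased pool, a request naming no pool walks the pools in order, and crossing the high or abated utilization threshold emits a trap. Firing each trap once per crossing (hysteresis between the two thresholds) and the percentages used are assumptions of the example; the pool names and addresses are constructed.

```python
import ipaddress


class LocalAddressServer:
    """One local address server, as exists per virtual router (illustration, not JunosE code)."""

    def __init__(self, high_threshold=80.0, abated_threshold=60.0):
        self.pools = {}        # pool name -> [(first, last), ...] integer ranges in configured order
        self.aliases = {}      # alias name -> pool name
        self.allocated = {}    # address (int) -> pool name that owns it
        self.high = high_threshold      # percent utilization that raises the "high" trap
        self.abated = abated_threshold  # percent utilization below which "abated" fires
        self.traps = []        # constructed stand-in for SNMP notifications
        self._above = {}       # pool name -> True while above the high threshold

    def add_range(self, pool, first, last):
        a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        if b < a:
            raise ValueError("range end precedes range start")
        self.pools.setdefault(pool, []).append((a, b))
        self._above.setdefault(pool, False)

    def add_alias(self, alias, pool):
        if pool not in self.pools:
            raise KeyError(f"unknown pool {pool}")
        self.aliases[alias] = pool

    def _allocate_from(self, pool):
        # Ranges in configured order, addresses in sequence: the lowest free address wins,
        # so a released address in the first range is reused before later ranges are touched.
        for first, last in self.pools[pool]:
            for addr in range(first, last + 1):
                if addr not in self.allocated:
                    self.allocated[addr] = pool
                    self._check_thresholds(pool)
                    return str(ipaddress.IPv4Address(addr))
        return None

    def allocate(self, pool=None):
        """AAA request for an address; pool is a pool name, an alias, or None for "any pool"."""
        if pool is not None:
            name = self.aliases.get(pool, pool)      # the alias lookup happens first
            if name not in self.pools:
                raise KeyError(f"unknown pool or alias {pool}")
            return self._allocate_from(name)
        for name in self.pools:                      # no pool indicated: pools in configured order
            addr = self._allocate_from(name)
            if addr is not None:
                return addr
        return None

    def release(self, address):
        pool = self.allocated.pop(int(ipaddress.IPv4Address(address)))
        self._check_thresholds(pool)

    def utilization(self, pool):
        size = sum(last - first + 1 for first, last in self.pools[pool])
        used = sum(1 for owner in self.allocated.values() if owner == pool)
        return 100.0 * used / size

    def _check_thresholds(self, pool):
        pct = self.utilization(pool)
        if pct > self.high and not self._above[pool]:
            self._above[pool] = True
            self.traps.append(("high", pool, round(pct, 1)))
        elif pct < self.abated and self._above[pool]:
            self._above[pool] = False
            self.traps.append(("abated", pool, round(pct, 1)))
```

Usage: a pool with ranges 192.0.2.1–192.0.2.4 and 192.0.2.10–192.0.2.11, an alias "legacy" pointing at it, and thresholds of 75/50 percent hands out .1 through .4 and then .10 for five requests via the alias, raises the "high" trap on the fifth, falls through to the next pool once both ranges are exhausted, reuses a released .2 before anything else, and raises "abated" once utilization drops below 50 percent.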
Related Documentation
• Configuring a Local Address Server on page 77
DHCP Features
DHCP provides a mechanism through which computers using Transmission Control
Protocol/IP (TCP/IP) can obtain an IP address and protocol configuration parameters
automatically from a DHCP server on the network.
The E Series router provides support for the following DHCP features:
• DHCP proxy client
• DHCP relay agent
• DHCP relay proxy
• DHCP local server
• DHCP external server
Related Documentation
• DHCP Overview Information on page 443
Domain Name Aliases Overview
You can translate an original domain name to a new domain name via the translate
command. The command allows you to create domain name aliases; that is, the grouping
of multiple domain names into a single domain name. You can partition PPP subscribers
with the same domain into separate domains, based on the PPP interface.
NOTE: Partitioning subscribers does not cause modification of a user’s name or domain.
When you use aliases, you greatly simplify the configuration process. When there is a
large number of domains, aliases reduce the configuration volume and therefore require
less NVS and memory.
AAA Profile Configuration Overview
An AAA profile is a set of characteristics that act as a pattern that you can assign to
domain names. Once you create an AAA profile, you can map it between a PPP client’s
domain name and certain AAA services on given interfaces. Using AAA profiles, you can:
• Allow or deny a domain name access to AAA authentication
• Map the original domain name to the mapped domain name for domain name lookup
• Use domain name aliases
• Force tunneling whenever a domain map contains tunnel attributes
• Manually set the NAS-Port-Type attribute (RADIUS attribute 61) for ATM and Ethernet interfaces
• Set the Service-Description attribute (RADIUS attribute 26-53)
An AAA profile contains a set of commands to control access for the incoming PPP
subscriber. If no AAA profile is used, AAA continues as normal. The user’s name and
domain name are not changed as a result of an AAA profile mapping.
NOTE: There are two domain names with special meaning. The domain name
none indicates that there is no domain name present in the subscriber’s name.
The domain name default indicates that no other match occurs.
Related Documentation
• Single Name Specification for Users from a Domain Overview on page 15
• Example: Configuring AAA Local Authentication on page 73
RADIUS Route-Download Server for Route Distribution Overview
The JunosE RADIUS route-download server provides periodic automatic distribution of
IPv4 and IPv6 access routes, which enables preconfiguration and preadvertising of access
routes before they are assigned to clients. Using the route-download server helps eliminate
routing protocol storms and other delays in client service activation that can be caused
by protocol convergence or a large number of simultaneous customer activations.
The RADIUS route-download server periodically sends a RADIUS Access-Request
message to the RADIUS server to request that routes be downloaded. The RADIUS server
then responds with an Access-Accept message and downloads the configured routes.
When the download operation is complete, the route-download server installs the access
routes in the routing table.
JunosE Software supports the creation of one RADIUS route-download server per chassis.
The following sections describe the route-download server:
• Format of Downloaded Routes on page 28
• How the Route-Download Server Downloads Routes on page 29
Format of Downloaded Routes
The RADIUS server sends the downloaded routes to the RADIUS route-download server
in the following format:
[ { vir | virtual-router } virtualRouterName ] [ vrf vrfName ] prefix-mask [ { null0 | null 0 } [
cost ] ] [ tag tagValue ]
For IPv4 routes, the route-download server accepts downloaded routes in either the
Framed-Route attribute (RADIUS attribute 22) or the Cisco AV-pair attribute (Cisco VSA
26-1).
For IPv6 routes, the route-download server accepts downloaded routes in either the
Framed-IPv6-Route attribute (RADIUS attribute 99) or the Cisco AV-pair attribute (Cisco
VSA 26-1).
Framed-Route (RADIUS attribute 22):

NAS-1 Password = "14raddlsvr" User-Service-Type = Outbound-User
Framed-Route = "192.168.3.0 255.255.255.0 null0"
Framed-Route = "vrf vrfboston 192.168.1.0/24 null 0 0 tag 6"
Framed-Route = "vir host1 vrf vrfsunny 192.168.0.0/16 null0 0 tag 8"

Framed-IPv6-Route (RADIUS attribute 99):

NAS-1 Password = "14raddlsvr" User-Service-Type = Outbound-User
Framed-IPv6-Route = "2001:DB8:cc00:1::/48 null0"
Framed-IPv6-Route = "vrf test 2001:DB8:cc00:1::/48 null 0 0 tag 6"
Framed-IPv6-Route = "vir zzz vrf test1 2001:DB8:cc00:1::/48 null0 0 tag 8"

Cisco AV-Pair (Cisco VSA 26-1), IPv4 routes:

NAS-1 Password = "14raddlsvr" User-Service-Type = Outbound-User
cisco-avpair = "ip:route = 192.168.3.0 255.255.255.0 null0"
cisco-avpair = "ip:route = vrf vrfboston 192.168.1.0/24 null 0 0 tag 6"
cisco-avpair = "ip:route = vir host1 vrf vrfsunny 192.168.0.0/16 null0 0 tag 8"

Cisco AV-Pair (Cisco VSA 26-1), IPv6 routes:

NAS-1 Password = "14raddlsvr" User-Service-Type = Outbound-User
cisco-avpair = "ipv6:route=2001:DB8:cc00:1::/48 null0"
cisco-avpair = "ipv6:route=vrf test 2001:DB8:cc00:1::/48 null 0 0 tag 6"
cisco-avpair = "ipv6:route=vir zzz vrf test1 2001:DB8:cc00:1::/48 null0 0 tag 8"
NOTE: The prefix-mask entry in downloaded routes can be in the form of
prefix length, prefix mask, or prefix. If prefix is used, the mask is determined
by the IP address class of the prefix.
How the Route-Download Server Downloads Routes
The route-download server starts the initial route-download operation (for example,
after a system reboot or the first time the route-download server is enabled) as soon as
IP is established in the virtual router in which the download is performed. After the initial
route-download process is established, the router repeats the route download operation
based on either the default download schedule or the schedule you specify. You can also
initiate an immediate route download at any time.
The RADIUS route-download server downloads routes in two stages. First, all routes are
downloaded from the RADIUS server to the router’s download database and examined
for errors. Next, the router updates the routing table with the new routes, using the
following guidelines:
• Adds all downloaded routes that are not already installed in the routing table
• Does not add downloaded routes that are already installed in the routing table
• Deletes routes from the routing table that do not appear in the newly downloaded group
Related Documentation
• Configuring RADIUS AAA Servers on page 65
• Configuring the Route-Download Server to Download Routes on page 86
AAA Logical Line Identifier for Subscriber Tracking Overview
You can configure the router to support the AAA logical line identification feature. This
feature enables service providers to track subscribers on the basis of a virtual port known
as the logical line ID (LLID).
The LLID is an alphanumeric string that logically identifies a subscriber line. The service
provider maps each subscriber to an LLID based on the user name and circuit ID from
which the customer’s calls originate. When a subscriber moves to a new physical line,
the service provider’s customer profile database is updated to map to the same LLID.
Because a subscriber’s LLID remains the same regardless of the subscriber’s physical
location, using the LLID gives service providers a more secure mechanism for tracking
subscribers and maintaining the customer database.
The following section explains how the router obtains and uses the LLID:
• How the Router Obtains and Uses the LLID on page 29
How the Router Obtains and Uses the LLID
To obtain an LLID for a subscriber, the router must issue two RADIUS access requests:
a preauthentication request to obtain the LLID, followed by an authentication request
encoded with the LLID returned in response to the preauthentication request.
To configure this feature, you:
1. Create an AAA profile that supports preauthentication (by using the pre-authenticate command in AAA Profile Configuration mode).
2. Specify the IP address of a RADIUS preauthentication server (by using the radius pre-authentication server command in Global Configuration mode) and of an authentication server (by using the radius authentication server command in Global Configuration mode).
The following steps describe how the router uses RADIUS to obtain and use the LLID. It
is assumed that you have already configured an AAA profile for preauthentication and
have defined both a RADIUS preauthentication server and a RADIUS authentication
server. Typically, the preauthentication server and the authentication server reside in the
same virtual router context in which the PPP subscriber is authenticated.
The router obtains and uses the LLID as follows:
1. A PPP subscriber requests authentication through RADIUS.
2. The router sends an Access-Request message to the RADIUS preauthentication server to obtain an LLID for the subscriber. This step is referred to as the preauthentication request because it occurs before user authentication and authorization.
3. The preauthentication server returns the LLID to the router in the Calling-Station-Id (RADIUS attribute 31) of an Access-Accept message. The router ignores any RADIUS attributes other than the Calling-Station-Id that are returned in the preauthentication Access-Accept message.
4. The router encodes the LLID in the RADIUS Calling-Station-Id and sends an Access-Request message to the RADIUS authentication server. This step is referred to as the authentication request.
5. The RADIUS authentication server returns an Access-Accept message to the router that includes the tunnel attributes for the subscriber session.
6. For tunneled PPP subscribers, the router, acting as an L2TP access concentrator (LAC), encodes the LLID into L2TP Calling Number AVP 22 and sends this to the L2TP network server (LNS) in an incoming-call request (ICRQ) packet.
After a successful preauthentication request, the router always encodes the LLID in Calling Number AVP 22. The use of aaa commands such as aaa tunnel calling-number-format to control or change the inclusion of the LLID in Calling Number AVP 22 has no effect.
Related Documentation
• Configuring RADIUS AAA Servers on page 65
• Configuring the Router to Obtain the LLID for a Subscriber on page 88
Chapter 1: Remote Access Overview
RADIUS Attributes in Preauthentication Request
Table 6 on page 31 describes the RADIUS IETF attributes that are always included in a
preauthentication request to obtain the LLID. The attributes are listed in ascending order
by standard number.
Table 6: RADIUS IETF Attributes in Preauthentication Request
Attribute Number | Attribute Name | Description
[1] | User-Name | Name of the user associated with the LLID, in the format NAS-Port:<NAS-IP-Address>:<Nas-Port-Id>; for example, nas-port:172.28.30.117:atm 4/1.104:2.104
[2] | User-Password | Password of the user to be authenticated; always set to “juniper”
[4] | NAS-IP-Address | IP address of the network access server (NAS) that is requesting authentication of the user; for example, 172.28.30.117
[5] | NAS-Port | Physical port number of the NAS that is authenticating the user; this is always interpreted as a bit field
[6] | Service-Type | Type of service the user has requested or the type of service to be provided; for example, framed
[61] | NAS-Port-Type | Type of physical port the NAS is using to authenticate the user
[77] | Connect-Info | Actual user name; for example, jdoe@xyzcorp.east.com
[87] | NAS-Port-Id | Text string that identifies the physical interface of the NAS that is authenticating the user; for example, atm 4/1.104:2.104
The use of radius commands such as radius calling-station-format or radius override
calling-station-id to control or change the inclusion of these attributes in the
preauthentication request has no effect.
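The two-stage exchange described in the preceding steps, with the Table 6 attribute set, as an added Python example that is not JunosE code: stage 1 builds the preauthentication Access-Request, the reply handler verifies the Response Authenticator and keeps only Calling-Station-Id (31), and stage 2 builds the authentication Access-Request that carries the LLID. The shared secret, the NAS-Port-Type value, the user password and the stand-in server reply are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# IETF attribute numbers from Table 6, plus Calling-Station-Id (31) for the LLID
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
CALLING_STATION_ID, NAS_PORT_TYPE, CONNECT_INFO, NAS_PORT_ID = 31, 61, 77, 87
SERVICE_TYPE_FRAMED = 2    # RFC 2865 "Framed"
NAS_PORT_TYPE_VIRTUAL = 5  # RFC 2865 "Virtual"; a demo choice, not taken from the page


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding; its strength rests on the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def avp(attr_type: int, value: bytes) -> bytes:
    """One IETF attribute: Type, Length (header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(data: bytes):
    """Yield (type, value) pairs; reject truncated or zero-length attributes."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute list")
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]

def build_preauth_request(nas_ip, nas_port, nas_port_id, real_user, secret, ident=1):
    """Stage 1: preauthentication Access-Request carrying exactly the Table 6 attributes."""
    authenticator = os.urandom(16)
    attrs = (avp(USER_NAME, f"nas-port:{nas_ip}:{nas_port_id}".encode())
             + avp(USER_PASSWORD, hide_password(b"juniper", secret, authenticator))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(NAS_PORT, struct.pack("!I", nas_port))
             + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + avp(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))
             + avp(CONNECT_INFO, real_user.encode())
             + avp(NAS_PORT_ID, nas_port_id.encode()))
    return packet(ACCESS_REQUEST, ident, authenticator, attrs), authenticator

def llid_from_reply(reply: bytes, request_authenticator: bytes, secret: bytes):
    """Return the LLID from the preauthentication reply, or None if it is unusable.
    The Response Authenticator is verified first so a corrupted or forged reply cannot
    inject an LLID; every attribute except Calling-Station-Id is ignored, as the router does."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]) or reply[0] != ACCESS_ACCEPT:
        return None
    llid = None
    for attr_type, value in parse_attrs(reply[20:]):
        if attr_type == CALLING_STATION_ID:
            llid = value.decode("ascii", "replace")
    return llid

def build_auth_request(real_user, user_password: bytes, llid: str, secret, ident=2):
    """Stage 2: authentication Access-Request with the LLID in Calling-Station-Id."""
    authenticator = os.urandom(16)
    attrs = (avp(USER_NAME, real_user.encode())
             + avp(USER_PASSWORD, hide_password(user_password, secret, authenticator))
             + avp(CALLING_STATION_ID, llid.encode()))
    return packet(ACCESS_REQUEST, ident, authenticator, attrs), authenticator

def constructed_preauth_reply(request: bytes, secret: bytes, llid: str, extra=b"") -> bytes:
    """Demo stand-in for the preauthentication server's Access-Accept (constructed)."""
    attrs = avp(CALLING_STATION_ID, llid.encode()) + extra
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def run_llid_exchange(secret=b"demo-secret", llid="LLID-0001"):
    """Both stages against the constructed reply; returns the LLID the stage-2 request carries."""
    req, auth = build_preauth_request("172.28.30.117", 2105, "atm 4/1.104:2.104",
                                      "jdoe@xyzcorp.east.com", secret)
    # The server also returns Framed-IP-Address (8), which must be ignored.
    reply = constructed_preauth_reply(req, secret, llid, extra=avp(8, bytes([10, 1, 2, 3])))
    got = llid_from_reply(reply, auth, secret)
    if got is None:
        return None  # preauthentication failed: authentication continues without an LLID
    auth_req, _ = build_auth_request("jdoe@xyzcorp.east.com", b"user-pw", got, secret)
    return dict(parse_attrs(auth_req[20:]))[CALLING_STATION_ID].decode()
```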
Related Documentation
• RADIUS IETF Attributes on page 231
• Troubleshooting Subscriber Preauthentication on page 89
Considerations for Using the LLID
The following considerations apply when you configure the router for subscriber
preauthentication:
• Only PPP subscribers authenticating through RADIUS can use the AAA LLID feature on the router. PPP subscribers tunneled through domain maps cannot take advantage of this feature.
• The Calling-Station-Id [31] attribute is typically sent in RADIUS Access-Request messages, not in Access-Accept messages as is the case for this feature. As a result, your RADIUS server might require special configuration procedures to enable the Calling-Station-Id attribute to be returned in Access-Accept messages. See the documentation that came with your RADIUS server for information.
• The router ignores any RADIUS attributes other than the Calling-Station-Id that are returned in the preauthentication Access-Accept message.
• If a preauthentication request fails due to misconfiguration of the preauthentication server, timeout of the preauthentication server, or rejection of the preauthentication request by the preauthentication server, the authentication process continues normally and the preauthentication request is ignored.
• The router preserves the LLID value for established subscribers after a stateful SRP switchover.
• The radius rollover-on-reject enable command has no effect for a RADIUS preauthentication server. That is, you cannot use the radius rollover-on-reject enable command to configure the router to roll over to the next RADIUS preauthentication server when the router receives an Access-Reject message for the user it is authenticating.
Related Documentation
• Configuring RADIUS AAA Servers on page 65
VSAs for Dynamic IP Interfaces Overview
Table 7 on page 32 describes the VSAs that apply to dynamic IP interfaces and are
supported on a per-user basis from RADIUS. For details, see JunosE Link Layer Configuration
Guide.
Table 7: VSAs That Apply to Dynamic IP Interfaces
VSA | Description | Type | Length | Subtype | Subtype Length | Value
Ingress-Policy-Name | Specifies the name of the input (ingress) policy | 26 | len | 10 | sublen | string: input-policy-name
Egress-Policy-Name | Specifies the name of the output (egress) policy | 26 | len | 11 | sublen | string: output-policy-name
Ingress-Statistics | Indicates whether statistics are collected on input | 26 | 12 | 12 | 6 | integer: 0 – disable, 1 – enable
Egress-Statistics | Indicates whether statistics are collected on output | 26 | 12 | 13 | 6 | integer: 0 – disable, 1 – enable
QoS-Profile-Name | Specifies the name of the QoS profile to attach to the interface | 26 | len | 26 | sublen | string: qos-profile-name
To use the VSAs shown in Table 7 on page 32:
• Specify the policy, or one or more QoS VSAs in the desired RADIUS user entries.
• Create the ingress or egress policy, or the QoS profile. Policies minimally consist of one or more policy commands and may include classifier control lists and rate limit profiles. See the JunosE Policy Management Configuration Guide for more information about policies and policy routing. See the JunosE Quality of Service Configuration Guide for information about creating QoS profiles.
When a dynamic interface is created according to a profile, the router checks with RADIUS
to determine whether an input or output policy or a QoS profile must be applied to the
interface. The VSA, if present, provides the name, enabling policy or QoS profile lookup.
If found, the policy or QoS profile is applied to the dynamic interface.
The router also determines whether the creation profile specifies any policies to be applied
to the interface. Policies specified by the RADIUS VSA supersede any specified by the
profile, as described in the following example:
The RADIUS user entry includes an Ingress-Policy-Name VSA that specifies the policy
input5. The profile specifies two policies, input7 and output1. In this case, the
RADIUS-specified input policy (input5) and the profile-specified output policy (output1)
are applied to the dynamic interface.
For information about assigning policies via profiles, see the JunosE Policy Management
Configuration Guide. Only attributes assigned by RADIUS appear in RADIUS Acct-Start
messages. RADIUS attributes specified by a profile for dynamic interfaces do not appear
in RADIUS Acct-Start messages because the profile is not active when the Acct-Start
message is generated. These attributes appear in RADIUS Acct-Stop messages for a
profile that is active when the session is terminated.
The following section explains traffic shaping for PPP over ATM interfaces:
• Traffic Shaping for PPP over ATM Interfaces on page 34
Traffic Shaping for PPP over ATM Interfaces
The router supports the configuration of traffic shaping parameters for PPP over ATM
(PPPoA) via domain-based profiles and RADIUS. In connection with this feature, Table
8 on page 34 describes VSAs that apply to dynamic IP interfaces and are supported on
a per-user basis from RADIUS.
Table 8: Traffic-Shaping VSAs That Apply to Dynamic IP Interfaces
VSA | Description | Type | Length | Subtype | Subtype Length | Value
Service-Category | Specifies the type of service | 26 | 12 | 14 | 6 | integer: 1 – UBR, 2 – UBR PCR, 3 – NRT VBR, 4 – CBR, 5 – RT VBR
PCR | Specifies the value for the peak cell rate (PCR) | 26 | 12 | 15 | 6 | integer
SCR | Specifies the value for the sustained cell rate (SCR) | 26 | 12 | 16 | 6 | integer
MBS | Specifies the maximum burst size (MBS) | 26 | 12 | 17 | 6 | integer
To configure traffic-shaping parameters for PPPoA via domain maps, use the atm
command in Domain Map Configuration mode.
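The VSA layouts of Table 7 and Table 8, and the rule that RADIUS-supplied policies supersede profile-supplied ones, as an added Python example that is not JunosE code: it encodes a Vendor-Specific (26) attribute with the subtype numbers from the tables, shows why integer VSAs always carry Length 12 and Subtype Length 6, decodes an Access-Accept attribute list into a per-user interface configuration while reporting malformed or foreign VSAs, and merges the result with a creation profile. The vendor ID 4874 (Unisphere/ERX) is assumed here and is not stated on this page; the attribute bytes are constructed for the demo.

```python
import struct

VENDOR_SPECIFIC = 26
VENDOR_ID = 4874  # Unisphere/ERX vendor ID; an assumption, not stated on this page

# Subtype numbers from Table 7 (dynamic IP interface VSAs) and Table 8 (traffic shaping)
STRING_VSAS = {10: "ingress_policy_name", 11: "egress_policy_name", 26: "qos_profile_name"}
INTEGER_VSAS = {12: "ingress_statistics", 13: "egress_statistics",
                14: "service_category", 15: "pcr", 16: "scr", 17: "mbs"}
SERVICE_CATEGORY = {1: "UBR", 2: "UBR PCR", 3: "NRT VBR", 4: "CBR", 5: "RT VBR"}
STATISTICS = {0: "disable", 1: "enable"}


def encode_vsa(subtype: int, value) -> bytes:
    """Type 26, Length, Vendor-Id, Subtype, Subtype-Length, Value.
    An integer VSA is 2 + 4 + 2 + 4 bytes, hence the fixed Length 12 / Subtype Length 6
    in the tables; a string VSA gets len and sublen from the string."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    if not 1 <= len(payload) <= 247:  # 253 minus the 6-byte vendor header
        raise ValueError("VSA value too long")
    sub = bytes([subtype, len(payload) + 2]) + payload
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", VENDOR_ID) + sub

def iter_attributes(data: bytes):
    """Yield (type, value) for each attribute; reject truncated or zero-length ones."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute list")
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]

def decode_vsas(attrs: bytes) -> dict:
    """Turn the VSAs of an Access-Accept into a per-user interface configuration.
    Foreign vendors, unknown subtypes and integer VSAs with the wrong length are
    listed under 'ignored' so an operator can see what a RADIUS entry supplied
    that will not be applied to the dynamic interface."""
    config, ignored = {}, []
    for attr_type, value in iter_attributes(attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        if vendor != VENDOR_ID:
            ignored.append(f"vendor {vendor}")
            continue
        subtype, sublen = value[4], value[5]
        payload = value[6:4 + sublen]
        if sublen < 2 or len(payload) != sublen - 2:
            ignored.append(f"subtype {subtype}: bad sublen")
        elif subtype in INTEGER_VSAS:
            if sublen != 6:
                ignored.append(f"subtype {subtype}: integer VSA must have sublen 6")
                continue
            number = struct.unpack("!I", payload)[0]
            name = INTEGER_VSAS[subtype]
            if name == "service_category":
                config[name] = SERVICE_CATEGORY.get(number, f"unknown({number})")
            elif name.endswith("_statistics"):
                config[name] = STATISTICS.get(number, f"unknown({number})")
            else:
                config[name] = number  # PCR, SCR, MBS are plain integers
        elif subtype in STRING_VSAS:
            config[STRING_VSAS[subtype]] = payload.decode("ascii", "replace")
        else:
            ignored.append(f"subtype {subtype}: unknown")
    config["ignored"] = ignored
    return config

def merge_with_profile(radius: dict, profile: dict) -> dict:
    """A policy or QoS profile named by RADIUS supersedes the one named by the
    creation profile for that direction; the other direction keeps the profile's value."""
    merged = dict(profile)
    for key in ("ingress_policy_name", "egress_policy_name", "qos_profile_name"):
        if key in radius:
            merged[key] = radius[key]
    return merged
```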
Related Documentation
• Creating an IP Interface on page 79
Overview of Mapping Application Terminate Reasons and RADIUS Terminate Codes
The JunosE Software uses a default configuration that maps terminate reasons to RADIUS
Acct-Terminate-Cause attributes. You can optionally create customized mappings
between a terminate reason and a RADIUS Acct-Terminate-Cause attribute—these
mappings enable you to provide different information about the cause of a termination.
When a subscriber’s L2TP or PPP session is terminated, the router logs a message for
the internal terminate reason and logs another message for the RADIUS
Acct-Terminate-Cause attribute (RADIUS attribute 49). RADIUS attribute 49 is also
included in RADIUS Acct-Off and Acct-Stop messages. You can use the logged
information to help monitor and troubleshoot terminated sessions.
Use the show terminate-code command to display information about the mappings
between application terminate reasons and RADIUS Acct-Terminate-Cause attributes.
Table 9 on page 35 lists the IETF RADIUS Acct-Terminate-Cause codes that you can use
to map application terminate reasons. In addition, you can also configure and use
proprietary codes for values beyond 22.
Table 9: Supported RADIUS Acct-Terminate-Cause Codes
Code | Name | Description
1 | User Request | User initiated the disconnect (log out)
2 | Lost Carrier | DCD was dropped on the port
3 | Lost Service | Service can no longer be provided; for example, the user’s connection to a host was interrupted
4 | Idle Timeout | Idle timer expired
5 | Session Timeout | Subscriber reached the maximum continuous time allowed for the service or session
6 | Admin Reset | System administrator reset the port or session
7 | Admin Reboot | System administrator terminated the session on the NAS; for example, prior to rebooting the NAS
8 | Port Error | NAS detected an error on the port that required ending the session
9 | NAS Error | NAS detected an error (other than on the port) that required ending the session
10 | NAS Request | NAS ended the session for a non-error reason
11 | NAS Reboot | NAS ended the session due to a non-administrative reboot
12 | Port Unneeded | NAS ended the session because the resource usage fell below the low threshold; for example, the bandwidth-on-demand algorithm determined that the port was no longer needed
13 | Port Preempted | NAS ended the session to allocate the port to a higher-priority use
14 | Port Suspended | NAS ended the session to suspend a virtual session
15 | Service Unavailable | NAS was unable to provide the requested service
16 | Callback | NAS is terminating the current session in order to perform callback for a new session
17 | User Error | An error in the user input caused the session to be terminated
18 | Host Request | The login host terminated the session normally
19 | Supplicant Restart | Supplicant state machine was reinitialized
20 | Reauthentication Failure | A previously authenticated supplicant failed to reauthenticate successfully following expiration of the reauthentication timer or explicit reauthentication request by management action
21 | Port Reinitialized | The port's MAC has been reinitialized
22 | Port Administratively Disabled | The port has been administratively disabled
Related Documentation
• Configuring Custom Mappings for PPP Terminate Reasons on page 90
Timeout Configuration Overview
You can configure an idle timeout or a session timeout. The values you set are the default
values for Point-to-Point Protocol Broadband Remote Access Server users. Attributes
returned by RADIUS override these default settings on a per-user basis.
When you set an idle timeout, the PPP application on the router monitors both ingress
(inbound) traffic and egress (outbound) traffic by default for the configured idle timeout
period to determine whether to disconnect an inactive PPP session. If there is no activity
in either direction on the interfaces for more than the configured idle timeout period, the
router terminates the PPP session.
You can optionally configure the router to monitor only ingress traffic for the configured
idle timeout period to determine session inactivity and subsequent disconnection of an
inactive PPP session. Monitoring only ingress traffic for the idle timeout is useful for
networks in which the PPP keepalive timer is disabled for wireless subscribers. Without
the keepalive timer, the router cannot detect whether a wireless subscriber has been
disconnected. Monitoring egress traffic does not indicate inactivity for wireless subscribers
because egress traffic is always flowing. Enabling the router to monitor only ingress traffic
enables you to selectively disconnect subscribers, including wireless subscribers, if no
traffic is received for the configured idle timeout period.
If you do not configure a session timeout, or you set its value to 0, the session remains
active for an infinite lifetime. You can use the show ppp session-To-Thirteen-Years
command along with show ppp interface full in Privileged Exec or User Exec mode to
verify whether the capability to preserve PPP sessions for a timeout duration of 13 years
is enabled. If the show ppp session-To-Thirteen-Years command is not executed, the
session timeout value is set to the maximum session timeout value of 366 days.
If the RADIUS server returns the value 0 for the Session-Timeout attribute, then the
session remains active for an infinite lifetime even if a value is configured through the
CLI.
The following sections describe timeout configuration:
• Limiting Active Subscribers on page 37
• AAA Failure Notification for RADIUS on page 37
• Configuring AAA Session Timeout on page 37
Limiting Active Subscribers
You can limit the number of active subscribers on a port or virtual router.
AAA Failure Notification for RADIUS
If a user passes RADIUS authentication, but fails AAA authentication, the RADIUS server
may still allocate an address for the user from its internal address pool. To indicate to
the RADIUS server to free the address, you can set up the router to send an Acct-Stop
message if a user fails AAA.
Configuring AAA Session Timeout
You can use the aaa timeout session sessionTimeout command to configure a session
timeout. Restoring the session timeout to the default value causes the PPP B-RAS session
to remain active for an infinite lifetime.
Related Documentation
• Configuring RADIUS AAA Servers on page 65
• Configuring Custom Mappings for PPP Terminate Reasons on page 90
Standard RADIUS IPv6 Attributes for IPv6 Neighbor Discovery Router Advertisements and DHCPv6 Prefix Delegation Configuration
When an E Series router is configured for IP version 6, it uses router advertisements to
announce its presence to other nodes connected to it. Hosts discover the addresses of
their neighboring routers by listening for these advertisements. When the routing protocol
process first starts on the server router, the server sends router advertisement packets
every few seconds. Then, the server sends these packets less frequently. The server
responds to route solicitation packets it receives from a client. The response is sent
unicast, unless a router advertisement packet is due to be sent out momentarily. IPv6
supports the following router advertisement mechanisms:
• ICMPv6 Neighbor Discovery router advertisements
• DHCPv6 Prefix Delegation
• ICMPv6 Neighbor Discovery router advertisements followed by DHCPv6 Prefix Delegation
The AAA service on the router stores the prefixes that it receives from the RADIUS server
during the PPPv6 authentication phase. After the PPPv6 link is established between the
subscriber and the B-RAS application running on the router, the router receives the ICMPv6
router solicitation message, the DHCPv6 Solicit message, or both of them based on the
prefix advertisement mechanism. In previous releases, you were not able to configure
the RADIUS attribute or VSA to be used for IPv6 Neighbor Discovery router advertisements
and DHCPv6 Prefix Delegation through the CLI. As a result, the IPv6-NdRa-Prefix attribute
returned in the Access-Accept message was used for IPv6 Neighbor Discovery router
advertisements and the Framed-IPv6-Prefix RADIUS attribute in the Access-Accept
message was used for DHCPv6 Prefix Delegation.
In this release, you can control the RADIUS IETF attribute or VSA to be used for IPv6
Neighbor Discovery router advertisements and DHCPv6 Prefix Delegation by using aaa
ipv6-nd-ra-prefix framed-ipv6-prefix and aaa dhcpv6-delegated-prefix
delegated-ipv6-prefix commands, respectively, in Global Configuration mode on each
virtual router.
Maximum Number of IPv6 Prefixes Assigned to Clients Using Only the DHCPv6 Local Server
IPv6 prefixes are delegated to subscribers using two mechanisms: ICMPv6 Neighbor
Discovery router advertisements and DHCPv6 Prefix Delegation. When the router receives
the ICMPv6 router solicitation message, the DHCPv6 Solicit message, or both the
messages based on the prefix advertisement mechanism, a prefix is assigned to the
requesting router, which is the customer premises equipment (CPE) at the edge of the
remote client site that acts as the DHCP client. Consider a scenario in which the CPE
device uses the Prefix Delegation feature alone to obtain IPv6 prefixes from the delegating
router, which is the DHCPv6 local server. Also, assume that IPv6 Neighbor Discovery is
not configured for allocation of prefixes to the client. In such an environment, each IPv6
subscriber uses only a single route entry and the maximum number of subscribers to
which IPv6 prefixes can be delegated from the DHCPv6 local server is 48,000.
Related Documentation
• Maximum Number of IPv6 Prefixes Assigned to Clients Using Both DHCPv6 Local Server and Neighbor Discovery Router Advertisements on page 38
Maximum Number of IPv6 Prefixes Assigned to Clients Using Both DHCPv6 Local Server and Neighbor Discovery Router Advertisements
When both IPv6 Neighbor Discovery router advertisements and DHCPv6 Prefix Delegation
methods are used to assign IPv6 prefixes to clients, either two or three host routes for
IPv6 might be consumed from the routing table depending on the way in which the router
advertisement prefix is determined. The following sections describe sample configuration
scenarios to illustrate how a maximum of 48,000 subscribers can be handled for
delegation of IPv6 prefixes, based on whether a unique IPv6 prefix is allocated to a client
or the same IPv6 prefix is allocated to multiple clients:
• Delegation of a Unique IPv6 Prefix per Subscriber Example on page 39
• Delegation of the Same IPv6 Prefix for Multiple Subscribers Example on page 39
Delegation of a Unique IPv6 Prefix per Subscriber Example
Consider a scenario in which the RADIUS server is configured to assign a unique router
advertisement prefix route to each IPv6 subscriber. In such a case, two routes are used
for Neighbor Discovery and one IPv6 route is consumed for Prefix Delegation, which
results in a total of three routes being utilized for each subscriber. If such a method for
allocating prefixes to subscribers is configured, approximately 33,333 IPv6 bindings can
be supported before the maximum IPv6 static route limit of 100,000 routes is reached.
Therefore, in such a deployment, it is not possible to handle 48,000 subscribers for
delegation of IPv6 prefixes using the DHCPv6 local server Prefix Delegation and Neighbor
Discovery methods.
The following output of the show ipv6 route command displays how three routes are
used by the same subscriber, as can be seen from the Interface field in the output. The
routes are assigned using Prefix Delegation, Neighbor Discovery, and the access-internal
route, such as the DHCP and AAA/PPP host route, which is a host route to directly
connected clients. Access routes, also known as AAA framed routes, are sourced by AAA.
host1#show ipv6 route
Prefix/Length                               Type       Dst/Met  Interface
------------------------------------------  ---------  -------  ----------------
1111:1111:1111:1111::/64                    Access     3/0      GigabitEthernet0/2.600.6
1111:1111:2222:2222::/64                    AccIntern  2/0      GigabitEthernet0/2.600.6
1111:1111:2222:2222:21b:c0ff:fe4b:9d00/128  AccIntern  2/0      GigabitEthernet0/2.600.6
Delegation of the Same IPv6 Prefix for Multiple Subscribers Example
Consider a scenario in which the same prefix with a length of /64 for ICMPv6 Neighbor
Discovery router advertisements is assigned to all subscribers by configuring the prefix
in the profile or by configuring the RADIUS server to send the same prefix in the
Framed-IPv6-Prefix attribute (RADIUS IETF attribute 97) of the RADIUS-Access-Accept
message. In such a topology, a unique /64 IPv6 route is not present per subscriber. Instead,
one /64 prefix with multiple next-hops is assigned for all the subscribers.
If you use this method for allocating IPv6 prefixes of /64 length to subscribers, Neighbor
Discovery consumes one IPv6 route and Prefix Delegation consumes one IPv6 route,
which results in a total of two IPv6 routes per subscriber being used. Therefore, it is
possible to scale up to a maximum of 48,000 subscribers for delegation of IPv6 prefixes.
The increased scaling limit of support for delegation of IPv6 prefixes using the DHCPv6
local server Prefix Delegation mechanism for 48,000 subscribers applies only to E120
and E320 routers and not to ERX14xx models, ERX7xx models, and the ERX310 router
because the binding information is stored in the SRP modules of E120 and E320 routers.
Also, a limitation exists on the number of IPv6 interfaces and the IPv6 routing table size
supported by ERX routers that prevents the support for 48,000 subscribers for Prefix
Delegation on DHCPv6 local servers running on those routers.
To enable support for 48,000 subscribers for IPv6 Prefix Delegation, about 5.5 MB of
memory on the SRP module is consumed additionally.
Related Documentation
• Maximum Number of IPv6 Prefixes Assigned to Clients Using Only the DHCPv6 Local Server on page 38
Duplicate IPv6 Prefix Check Overview
You can configure AAA service to detect duplicates of IPv6 Neighbor Discovery router
advertisement prefixes and DHCPv6 delegated prefixes. If a non-unique IPv6 prefix is
detected by AAA, the subscriber session corresponding to the duplicate prefix is
terminated.
In some network environments where the same customer logs in from multiple locations,
terminating sessions with duplicate IPv6 prefixes might result in breaking subscriber
setup. The duplicate IPv6 prefix-check capability is disabled by default.
If a duplicate prefix is detected by AAA before a subscriber is granted access, the
subscriber is denied access. However in some cases, when two subscribers having the
same IPv6 prefix log in simultaneously, the duplicate might be detected only after access
is granted to both subscribers. AAA terminates the duplicate subscriber session
immediately upon detecting the duplicate IPv6 prefix.
NOTE: AAA cannot detect duplicates of overlapping IPv6 prefixes.
Related Documentation
• Configuring Duplicate IPv6 Prefix Check on page 91
• Standard RADIUS IPv6 Attributes for IPv6 Neighbor Discovery Router Advertisements and DHCPv6 Prefix Delegation Configuration on page 37
Duplicate IPv6 Prefix Detection in the AAA User Profile Database Overview
You can configure AAA service to detect duplicates of both IP and IPv6 Neighbor Discovery
router advertisement prefixes, Framed-IPv6-Prefixes, and DHCPv6 delegated prefixes
by validating the prefixes against the AAA database instead of the IP route table. If AAA
detects a non-unique IP address or IPv6 prefix, the corresponding subscriber session is
terminated.
In some network environments where the same customer logs in from multiple locations,
terminating sessions with duplicate IP addresses and IPv6 prefixes might result in breaking
subscriber setup. The enhanced duplicate prefix detection capability is disabled by
default. Because the prefix is validated against the AAA table, enabling the enhanced
prefix detection capability may impact performance.
AAA maintains a new table for IPv6 prefixes and Framed-IP-Address information for
subscribers. The AAA service checks for duplication of IP addresses and prefixes in this
new table after PPP authorization. If a duplicate address or prefix is detected by AAA
before a subscriber is granted access, the subscriber is denied access. However, in some
cases, when two subscribers with the same IPv6 prefix log in simultaneously, the duplicate
might be detected only after access is granted to both subscribers. AAA terminates the
duplicate subscriber session immediately upon detecting the duplicate IPv6 prefix.
The following scenarios can occur during the establishment of subscriber sessions:
• When the RADIUS server assigns the same IPv6-NdRa-Prefix or Delegated-IPv6-Prefix to two subscribers, the second subscriber that contains the same prefix as the first subscriber is disconnected.
• When the RADIUS server assigns the same Framed-IPv6-Prefix to two dual-stack subscribers, the second subscriber session is rejected.
• When the RADIUS server assigns the same Framed-IP-Address and different IPv6 prefixes to two subscribers, the second subscriber session is terminated.
NOTE: AAA cannot detect duplicates of overlapping IPv6 prefixes. Also, the
aaa duplicate-prefix-check-extension command detects duplicate prefixes
globally for all VRs and is not limited to detecting duplicates on a per-VR
basis.
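The AAA-table duplicate check described above (pre-grant denial, post-grant termination for simultaneous logins, the global rather than per-VR index, and the NOTE that overlapping prefixes are not detected), as an added Python model that is not JunosE code. The Session field names, the table class and the sample addresses are constructed for the demo; the check is exact-match on normalised Framed-IP-Address, IPv6-NdRa-Prefix, Framed-IPv6-Prefix and Delegated-IPv6-Prefix values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    """The address material AAA learns for one subscriber (field names are the demo's own)."""
    subscriber: str
    vr: str
    framed_ip: Optional[str] = None            # Framed-IP-Address
    ndra_prefix: Optional[str] = None          # IPv6-NdRa-Prefix
    framed_ipv6_prefix: Optional[str] = None   # Framed-IPv6-Prefix (97)
    delegated_prefix: Optional[str] = None     # Delegated-IPv6-Prefix


def session_keys(s: Session) -> List[Tuple[str, str]]:
    """Exact-match keys, normalised so 2001:DB8::/64 and 2001:db8::/64 compare equal.
    Overlap is deliberately not modelled: a /48 and a /64 inside it yield different
    keys, which is the NOTE's limitation that overlapping prefixes go undetected."""
    keys = []
    for kind, value in (("ip", s.framed_ip), ("ndra", s.ndra_prefix),
                        ("framed-v6", s.framed_ipv6_prefix), ("pd", s.delegated_prefix)):
        if value is not None:
            keys.append((kind, str(ipaddress.ip_network(value, strict=False))))
    return keys


class AaaPrefixTable:
    """Model of the AAA user-profile-database check (aaa duplicate-prefix-check-extension).
    The index is global: the VR is kept on the session but does not partition the
    lookup, so a duplicate in another VR is still a duplicate."""

    def __init__(self, enabled: bool = False):   # disabled by default, as on the router
        self.enabled = enabled
        self.active: Dict[str, Session] = {}     # subscriber -> session, in login order
        self.index: Dict[Tuple[str, str], str] = {}

    def holder(self, s: Session) -> Optional[str]:
        """Subscriber already holding one of s's addresses or prefixes, if any."""
        if not self.enabled:
            return None
        for key in session_keys(s):
            owner = self.index.get(key)
            if owner is not None and owner != s.subscriber:
                return owner
        return None

    def _install(self, s: Session) -> None:
        self.active[s.subscriber] = s
        for key in session_keys(s):
            self.index.setdefault(key, s.subscriber)

    def admit(self, s: Session) -> str:
        """Normal login: the check runs before access is granted."""
        if self.holder(s) is not None:
            return "denied"
        self._install(s)
        return "accepted"

    def grant_unchecked(self, s: Session) -> None:
        """Simultaneous logins: access is granted before the table can be consulted."""
        self.active[s.subscriber] = s

    def reconcile(self) -> List[str]:
        """Post-grant sweep; returns the sessions terminated as duplicates.
        Sessions are visited in login order, so of two subscribers that came up with
        the same prefix at once, the one that logged in second is torn down."""
        terminated = []
        for name, s in list(self.active.items()):
            if self.holder(s) is not None:
                terminated.append(name)
                self.release(name)
            else:
                self._install(s)
        return terminated

    def release(self, subscriber: str) -> None:
        """Logout or termination: free the subscriber's keys so they can be reused."""
        s = self.active.pop(subscriber, None)
        if s is None:
            return
        for key in session_keys(s):
            if self.index.get(key) == subscriber:
                del self.index[key]
```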
Related Documentation
• Configuring Detection of Duplicate IPv6 Prefixes in the AAA User Profile Database on page 91
• Monitoring Duplicate IPv6 Prefixes in the AAA User Profile Database on page 145
• Standard RADIUS IPv6 Attributes for IPv6 Neighbor Discovery Router Advertisements and DHCPv6 Prefix Delegation Configuration on page 37
• aaa duplicate-prefix-check-extension
• show aaa duplicate-prefix-check-extension
Guidelines for Duplicate Address Verification
In dual-stack networks in which both IPv4 and IPv6 subscribers are available, the
subscribers might be granted the same IPv4 and IPv6 addresses if one user logs in quickly
after another user has logged in. To avoid the problem of two sessions containing the
same address, when you enable detection of duplicate addresses, the subscriber is
completely terminated when a duplicate IPv4 or IPv6 address is detected. The duplicate
check operation is performed for 32-bit IPv4 subnet masks and IPv6 addresses with a
prefix length of 128.
The value of the Framed-IPv6-Address attribute is determined using the
Framed-IPv6-Prefix and Framed-Interface-Id attributes, normally obtained from the
MAC addresses of clients in the PPP Network Control Protocol (NCP) phase in the PPP
link connection process. Because the Framed-IPv6-Address attribute is not available to
AAA during the authentication phase (before NCP negotiation occurs), the duplicate
address detection mechanism performed for IPv4 cannot be adopted for IPv6. To achieve
this functionality, if IPv6 detects a duplicate address while adding the route, it notifies
AAA about the duplicate and AAA terminates the subscriber.
To correctly enable duplicate address detection when subscribers log in simultaneously,
the IP and AAA applications examine the access-route table instead of the route table.
In certain scenarios, AAA cannot detect whether a subscriber requesting access uses the
same address as another subscriber. When the IP application detects a duplicate address
while adding the route, the IP application notifies AAA about the duplication to terminate
the connection for that subscriber.
In certain cases, when two subscribers with the same address attempt to log in, the
duplicate might be detected only after access is granted to both subscribers. AAA
terminates the duplicate subscriber session immediately upon detecting the duplicate
address.
If AAA cannot determine the virtual router (VR) context configured in the profile during
subscriber authentication, the subscriber that uses the same address as another subscriber
is terminated immediately after the IP application detects the duplicate address. Such
a disconnection of subscribers occurs even if the duplicate subscriber was granted access
previously when the VR context was not available to AAA for processing.
In a dual-stack environment in which both IPv4 and IPv6 subscribers are present, if a
subscriber that uses a duplicate IPv6 address is detected, the subscriber is denied access
even if the IPv4 interface address is unique. This method of terminating subscriber sessions
occurs to avoid duplicate sessions from being established in scenarios in which the IPv6
interface address is the same as another client, whereas the IPv4 interface address is
unique.
The following scenarios can occur during the establishment of subscriber sessions in a
dual-stack network in which clients using both IPv4 and IPv6 protocols are present, and
when detection of duplicate addresses is enabled on the router that delegates addresses
to requesting clients. These scenarios assume that the RADIUS server is configured on
a VR other than the default VR and that the AAA domain name is mapped to a non-default
VR.
• When the VR context for subscribers is configured in the AAA domain map or obtained from the RADIUS server, and the same IP address is returned for two dual-stack subscribers from the RADIUS server, only the first subscriber session is configured and the second client session is terminated.
• When the same IP address is returned from the RADIUS server or the domain map for two dual-stack subscribers that log in simultaneously, only the first subscriber session is established and the second subscriber that contains the same address or prefix as the first subscriber is disconnected. Termination of the second subscriber occurs even if detection of the duplicate address occurs only after access is granted.
• When the VR context for subscribers is configured in the AAA profile, and the same IP address is returned from the RADIUS server or the domain map for two dual-stack subscribers, only the first subscriber session is configured and the second client session is terminated.
• If you disable the routing table address lookup for duplicate addresses by using the no aaa duplicate-address-check command, define the VR context for subscribers in the profile, and the same address is returned for two dual-stack subscribers, both the subscriber sessions are brought up successfully. However, for the second subscriber, which contains the same address as the first client, only the IPv6 interface is enabled and the IPv4 interface is not brought up.
• If the same IPv6-NdRa-Prefix (VSA 26-129) and Framed-Interface-Id (VSA 26-96) attributes are returned in the Access-Accept message from the RADIUS server for two dual-stack subscribers, and the VR context for the subscribers is specified in the profile, only the first subscriber is brought up and the second subscriber session is rejected.
• If you set the Framed-IPv6-Prefix RADIUS attribute for IPv6 Neighbor Discovery router advertisements by using the aaa ipv6-nd-ra-prefix framed-ipv6-prefix command, the same Framed-IPv6-Prefix (VSA 26-129) and Framed-Interface-Id (VSA 26-96) attributes are returned in the Access-Accept message from the RADIUS server for two dual-stack subscribers, and the VR context for the subscribers is specified in the profile or the domain map, only the first subscriber is brought up and the second subscriber session is rejected.
• If you set the Framed-IPv6-Prefix RADIUS attribute for IPv6 Neighbor Discovery router advertisements by using the aaa ipv6-nd-ra-prefix framed-ipv6-prefix command, disable the routing table address lookup for duplicate addresses, specify the VR context for subscribers in the domain map, and the same Framed-IPv6-Prefix (VSA 26-129) and Framed-Interface-Id (VSA 26-96) attributes are returned in the Access-Accept message from the RADIUS server for two dual-stack subscribers, only the first subscriber is brought up and the second subscriber session is rejected.
Related Documentation
• Configuring Duplicate IPv6 Prefix Check on page 91
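The following Python model is added here as an illustration and is not JunosE code; it reproduces the documented outcomes for two dual-stack subscribers that are returned the same address, with the routing-table lookup enabled (the default) or disabled by no aaa duplicate-address-check. The per-VR access-route table, the two-phase login (AAA check, then route installation by the IP application) and the subscriber names are assumptions made for the example.

```python
"""Constructed model (not JunosE code) of dual-stack duplicate-address handling:
AAA examines the access-route table when a subscriber logs in, the IP application
re-checks when it installs routes, and a duplicate IPv6 address terminates the
subscriber even when its IPv4 address is unique."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Subscriber:
    name: str
    vr: str                  # VR context from the profile, domain map or RADIUS
    ipv4: Optional[str]      # IPv4 address returned for the subscriber, if any
    ipv6: Optional[str]      # IPv6 prefix/interface address returned, if any


@dataclass
class Session:
    ipv4_up: bool
    ipv6_up: bool


class Router:
    def __init__(self, duplicate_address_check: bool = True):
        # False models 'no aaa duplicate-address-check'
        self.duplicate_address_check = duplicate_address_check
        self.access_routes: Dict[Tuple[str, str], str] = {}   # (vr, address) -> owner
        self.sessions: Dict[str, Session] = {}

    def _owned_by_other(self, sub: Subscriber, addr: Optional[str]) -> bool:
        owner = self.access_routes.get((sub.vr, addr)) if addr else None
        return owner is not None and owner != sub.name

    def authenticate(self, sub: Subscriber) -> bool:
        """Phase 1: AAA examines the access-route table before granting access."""
        if not self.duplicate_address_check:
            return True
        return not any(self._owned_by_other(sub, a) for a in (sub.ipv4, sub.ipv6))

    def install_routes(self, sub: Subscriber) -> Optional[Session]:
        """Phase 2: the IP application adds the subscriber's routes."""
        ipv4_up = ipv6_up = False
        if sub.ipv6:
            if self._owned_by_other(sub, sub.ipv6) and self.duplicate_address_check:
                # IP notifies AAA of the duplicate; AAA terminates the subscriber
                # even though its IPv4 address may be unique.
                return self.terminate(sub.name)
            self.access_routes.setdefault((sub.vr, sub.ipv6), sub.name)
            ipv6_up = True
        if sub.ipv4:
            if self._owned_by_other(sub, sub.ipv4):
                if self.duplicate_address_check:
                    return self.terminate(sub.name)
                # Lookup disabled: the session stays up, but the IPv4 route already
                # exists, so the IPv4 interface is not brought up.
            else:
                self.access_routes[(sub.vr, sub.ipv4)] = sub.name
                ipv4_up = True
        self.sessions[sub.name] = Session(ipv4_up, ipv6_up)
        return self.sessions[sub.name]

    def terminate(self, name: str) -> None:
        """Drop the session and every access route it owns."""
        self.sessions.pop(name, None)
        self.access_routes = {k: v for k, v in self.access_routes.items() if v != name}
        return None

    def login(self, sub: Subscriber) -> Optional[Session]:
        """Sequential login: AAA catches the duplicate before access is granted."""
        return self.install_routes(sub) if self.authenticate(sub) else None

    def simultaneous_login(self, subs: List[Subscriber]) -> List[Optional[Session]]:
        """All subscribers pass authentication before any route is installed, so the
        duplicate is detected only after access was granted to both."""
        granted = [s for s in subs if self.authenticate(s)]
        return [self.install_routes(s) if s in granted else None for s in subs]
```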
Propagation of LAG Subscriber Information to AAA and RADIUS
The RADIUS application sends the link aggregation group (LAG) interface ID to the
RADIUS server when the subscriber is connected over LAG in DHCP standalone
authenticate mode. In DHCP standalone authenticate mode, the DHCP local server
enables you to configure AAA-based authentication of standalone mode DHCP clients.
In addition to providing increased security, AAA authentication also provides
RADIUS-based input to IP address pool selection for standalone mode clients. The
RADIUS applications use the LAG interface ID to create the Acct-Session-Id,
Nas-Port-Type, Nas-Port-Id, Nas-Port, and Calling-Station-Id attributes and send them
to the RADIUS server in the Access-Request, Acct-Start, and Acct-Stop messages.
The RADIUS client uses one of the following LAG interface ID formats:
lag lag-name [.subinterface [:vlan]]
or
lag lag-name [.subinterface [:svlan-vlan]]
where:
• lag-name—Name of the LAG bundle
• subinterface—Number of the LAG subinterface, in the range 1–2147483647
• vlan—VLAN ID number
• svlan-vlan—S-VLAN ID number in the range 0–4095
The RADIUS application sends the LAG interface ID to the RADIUS server only when the
subscribers in DHCP standalone authenticate mode are initialized. When other subscribers
such as PPP subscribers and DHCP equal-access mode subscribers initialize over a LAG
interface, the RADIUS application sends only the name of the first Ethernet interface in
the LAG bundle, and not the LAG interface ID. In this case, the Ethernet interface ID is
displayed in the output of the show subscribers interface command.
The RADIUS client application creates the following RADIUS attributes based on the
LAG interface ID:
[44] Acct-Session-Id—When you issue the radius acct-session-id-format description
command, the RADIUS client uses the generic format: erx <interface type> <interface
identifier>: <hex number> with the LAG interface ID as the interface identifier.
[61] Nas-Port-Type—When you issue the radius ethernet-port-type command from
Global Configuration mode or the nas-port-type ethernet command from AAA Profile
Configuration mode, RADIUS calculates the value of the Nas-Port-Type attribute. If you
use neither of these commands, RADIUS uses the default [15] Nas-Port-Ethernet value
for this attribute.
[5] Nas-Port—RADIUS derives a unique value from the subscriber’s profileHandle and
uses the value for the Nas-Port attribute. The radius nas-port-format, radius vlan
nas-port-format stacked, and radius pppoe nas-port-format commands do not affect
the value of the Nas-Port attribute.
[87] Nas-Port-Id—The radius override nas-port-id remote-circuit-id command
configures RADIUS to use the PPPoE remote circuit ID for the Nas-Port-Id attribute. By
default, RADIUS uses the LAG interface ID for the Nas-Port-Id attribute. Use the aaa
intf-desc-format include sub-intf disable command to exclude the subinterface and
S-VLAN ID in the LAG interface ID. By default, the subinterface and S-VLAN ID are included
in the LAG interface ID.
[31] Calling-Station-Id—The radius override calling-station-id remote-circuit-id
command enables RADIUS to use the PPPoE remote circuit ID for the Calling-Station-Id
attribute. By default, RADIUS uses a delimited format for the interface description. The
radius calling-station-format command does not affect the value of the
Calling-Station-Id attribute.
For example, a subscriber with the default AAA or RADIUS configuration who is connected
over a LAG interface lag1, with subinterface 1, VLAN ID 10, S-VLAN ID 1, and a router
named asterix uses the following values for RADIUS attributes in RADIUS authentication
and accounting messages:
Table 10: RADIUS Attributes Specifying LAG Interface

Field Name           Field Description
Acct-Session-Id      erx lag lag1.1:1-10:0001048620
Nas-Port-Type        15
Nas-Port             2148532268
Nas-Port-Id          lag lag1.1:1-10
Calling-Station-Id   #asterix#lag1#10
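The following Python example is added here and is not JunosE code; it builds a LAG interface ID from its parts in the two documented formats, parses one back out of a received Nas-Port-Id or Acct-Session-Id, and derives the Table 10 attribute values for router asterix. The session counter that forms the hex suffix of Acct-Session-Id is passed in as an argument, since its derivation is not documented, and the element order of Calling-Station-Id is taken from the Table 10 example.

```python
"""Constructed example (not JunosE code): LAG interface ID formats
'lag lag-name [.subinterface [:vlan]]' and 'lag lag-name [.subinterface [:svlan-vlan]]'."""
import re
from dataclasses import dataclass
from typing import Optional

_LAG_ID = re.compile(
    r"^lag (?P<name>\S+?)"
    r"(?:\.(?P<sub>\d+)(?::(?:(?P<svlan>\d+)-)?(?P<vlan>\d+))?)?$"
)


@dataclass(frozen=True)
class LagInterfaceId:
    name: str
    subinterface: Optional[int] = None
    svlan: Optional[int] = None
    vlan: Optional[int] = None

    def __post_init__(self) -> None:
        # Ranges as documented for subinterface and S-VLAN ID.
        if self.subinterface is not None and not 1 <= self.subinterface <= 2147483647:
            raise ValueError("subinterface must be in the range 1-2147483647")
        if self.svlan is not None and not 0 <= self.svlan <= 4095:
            raise ValueError("S-VLAN ID must be in the range 0-4095")
        if self.vlan is not None and self.subinterface is None:
            raise ValueError("a VLAN tag is only valid on a subinterface")
        if self.svlan is not None and self.vlan is None:
            raise ValueError("an S-VLAN ID requires a VLAN ID")

    def __str__(self) -> str:
        text = f"lag {self.name}"
        if self.subinterface is not None:
            text += f".{self.subinterface}"
            if self.vlan is not None:
                tag = f"{self.svlan}-{self.vlan}" if self.svlan is not None else str(self.vlan)
                text += f":{tag}"
        return text

    @classmethod
    def parse(cls, text: str) -> "LagInterfaceId":
        """Parse an ID as it appears in Nas-Port-Id (or inside Acct-Session-Id)."""
        m = _LAG_ID.match(text.strip())
        if not m:
            raise ValueError(f"not a LAG interface ID: {text!r}")
        ints = [int(v) if v is not None else None for v in (m["sub"], m["svlan"], m["vlan"])]
        return cls(m["name"], *ints)


def acct_session_id(lag_id: LagInterfaceId, session_counter: int) -> str:
    """Generic format 'erx <interface type> <interface identifier>:<hex number>'
    (radius acct-session-id-format description) with the LAG ID as the identifier.
    The counter is an input here; the router's own derivation is not documented."""
    return f"erx {lag_id}:{session_counter:010x}"


def nas_port_id(lag_id: LagInterfaceId) -> str:
    """Default Nas-Port-Id: the LAG interface ID itself."""
    return str(lag_id)


def calling_station_id(router_name: str, lag_id: LagInterfaceId) -> str:
    """Default delimited interface description; the element order
    (router name, LAG name, VLAN ID) follows the Table 10 example."""
    parts = [router_name, lag_id.name]
    if lag_id.vlan is not None:
        parts.append(str(lag_id.vlan))
    return "#" + "#".join(parts)


def lag_id_from_acct_session_id(value: str) -> LagInterfaceId:
    """Recover the LAG interface ID from an accounting record's Acct-Session-Id."""
    m = re.match(r"^erx (lag \S+):[0-9a-f]+$", value)
    if not m:
        raise ValueError(f"not a LAG Acct-Session-Id: {value!r}")
    return LagInterfaceId.parse(m.group(1))
```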
Related Documentation
• Monitoring and Troubleshooting Remote Access chapter
• CLI Commands Used to Configure RADIUS IETF Attributes on page 199
• Configuring AAA Authentication for DHCP Local Server Standalone Mode on page 479
• show subscribers
SRC Client Configuration Overview
The JunosE Software has an embedded client that interacts with the Juniper Networks
Session and Resource Control (SRC) software, enabling the SRC software to manage
the router’s policy and QoS configuration.
The connection between the router and the SRC software uses the Common Open Policy
Service (COPS) protocol and is fully compliant with the COPS usage for policy provisioning
(COPS-PR) specification. The router’s SRC client functions as the COPS client, or policy
enforcement point (PEP). The SRC software functions as the COPS server, or policy
decision point (PDP).
Rate limiters are aggregated for dual-stack subscribers (IPv4 and IPv6) managed by the
SRC software, using external parent groups and hierarchical policy parameters. The
external parent groups and policy parameters are pushed to lower interfaces from the
SRC software through the Siemens Selection Switch or Service Selection Center client.
NOTE: You cannot override aggregation node values while attaching policies
to the interface.
Related Documentation
• Configuring the SRC Client on page 92
SRC Client and COPS Terminology
Table 11 on page 46 provides common terms used in the COPS environment.
Table 11: SRC Client and COPS Terminology

Term      Description
COPS      Common Open Policy Service; query-and-response protocol used to exchange policy information between a policy server and its clients.
COPS-PR   COPS usage for policy provisioning; the PEP requests policy provisioning when the operational state of interface and DHCP addresses changes.
PDP       Policy decision point; the COPS server, which makes policy decisions for itself and for clients that request decisions. The SRC software is the PDP.
PEP       Policy enforcement point; the COPS client, which enforces policy decisions. The JunosE COPS interface is a PEP.
PIB       Policy Information Base; a collection of sets of attributes that represent configuration information for a device.
SRC       Session and Resource Control (SRC) software, formerly the Service Deployment System (SDX) software; functions as a COPS PDP.
The JunosE Software COPS-PR implementation uses the outsourcing model that is
described in RFC 3084. In this model, the PEP delegates responsibility to the PDP to
make provisioning decisions on the PEP’s behalf.
NOTE: When you upgrade from an earlier JunosE release, the software
removes the instance of SSCC that was configured with XDR.
If you are going to perform a unified ISSU from a JunosE release numbered
lower than Release 10.0.0 and you have an XDR configuration, note that unified
ISSU is not supported while an XDR configuration is present.
The provisioning is event-driven and is based on policy requests rather than on an action
taken by an administrator—the provisioning is initiated when the PDP receives external
requests and PEP events. Provisioning can be performed in bulk (for example, an entire
QoS configuration) or in smaller segments (for example, updating a marking filter). The
following list shows the interaction between the PEP and the PDP during the COPS-PR
operation.
1. Initial connection
   a. PEP starts the COPS-PR connection with the PDP.
   b. PDP requests synchronization.
   c. PEP sends all currently provisioned policies to PDP.
2. Change of interface state
   a. PEP requests provisioning of an interface from the PDP.
   b. PDP determines policies and sends provisioning data to the PEP.
   c. PEP provisions the policies.
3. PDP requests policy provisioning
   a. PDP determines new policies and sends provisioning data to the PEP.
   b. PEP provisions the policies.
The information exchange between the PDP and PEP consists of data that is modeled
in Policy Information Bases (PIBs) and is encoded using the standard ASN.1 basic encoding
rules (BERs).
JunosE Software uses the following PIBs:
Proprietary PIB
• JunosE-IP-PIB—This PIB defines the data model for manipulating IP service policies and addresses offered through DHCP in JunosE Software.
Non-proprietary PIBs
• COPS-PR-SPPI
• COPS-PR-SPPI-TC
• DIFFSERV-PIB
• FRAMEWORK-FEEDBACK-PIB
• FRAMEWORK-PIB
• FRAMEWORK-TC-PIB
The COPS-PR support in JunosE Software uses the proprietary PIB. This PIB consists of
a series of tables that are supported in previous JunosE Software releases, including the
proprietary accounting and address assignment mechanisms.
You can force the router to restart a COPS connection to, and resynchronize with, a PDP
without disabling the SRC client’s COPS support. The SRC software and the SRC client
maintain common state information in PIBs that both of them use. Previously, you had
to disable the SRC client and reenable it to start synchronization, which was undesirable
for applications that required resynchronization while maintaining COPS support. If the
state of the SRC software is not synchronized with the router, the SRC software may need
to initiate resynchronization from the router.
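The following Python simulation is added here and is neither JunosE nor SRC code; it walks through the three COPS-PR flows listed above and the forced resynchronization just described, showing that the PEP reports its already provisioned policies to a PDP that has lost its state instead of dropping them. The message names (OPN, CAT, SSQ, SSC, REQ, DEC, RPT) are the COPS operations defined in RFC 2748; the interface names and policy payloads are made up for the example.

```python
"""Constructed simulation (not JunosE or SRC code) of the COPS-PR outsourcing
model: the PEP asks, the PDP decides, and the PEP provisions and reports."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class CopsMsg:
    op: str                                  # COPS operation (RFC 2748 abbreviation)
    handle: str = ""                         # client handle, here the interface name
    payload: Dict[str, str] = field(default_factory=dict)   # PIB data, modelled as a dict


class Pdp:
    """Policy decision point: the SRC software."""

    def __init__(self, policy_for: Callable[[str], Dict[str, str]]):
        self.policy_for = policy_for
        self.known: Dict[str, Dict[str, str]] = {}   # PEP state as last reported or decided
        self.log: List[str] = []

    def handle(self, msg: CopsMsg) -> List[CopsMsg]:
        self.log.append(f"<- {msg.op} {msg.handle}".rstrip())
        if msg.op == "OPN":          # flow 1a/1b: accept the client, request synchronization
            return [CopsMsg("CAT"), CopsMsg("SSQ")]
        if msg.op == "RPT":          # flow 1c: PEP reports a provisioned policy
            self.known[msg.handle] = dict(msg.payload)
            return []
        if msg.op == "SSC":          # PEP has finished synchronizing
            return []
        if msg.op == "REQ":          # flow 2a/2b: outsourcing model, the PDP decides
            decision = self.policy_for(msg.handle)
            self.known[msg.handle] = decision
            return [CopsMsg("DEC", msg.handle, decision)]
        raise ValueError(f"unexpected COPS operation {msg.op}")

    def push(self, handle: str, policy: Dict[str, str]) -> CopsMsg:
        """Flow 3a: PDP-initiated provisioning (unsolicited decision)."""
        self.known[handle] = dict(policy)
        return CopsMsg("DEC", handle, policy)


class Pep:
    """Policy enforcement point: the JunosE SRC client."""

    def __init__(self, pdp: Pdp):
        self.pdp = pdp
        self.connected = False
        self.provisioned: Dict[str, Dict[str, str]] = {}

    def send(self, msg: CopsMsg) -> None:
        for reply in self.pdp.handle(msg):
            self.receive(reply)

    def receive(self, msg: CopsMsg) -> None:
        if msg.op == "CAT":
            self.connected = True
        elif msg.op == "SSQ":
            # Send every currently provisioned policy, then signal completion.
            for handle, policy in self.provisioned.items():
                self.send(CopsMsg("RPT", handle, policy))
            self.send(CopsMsg("SSC"))
        elif msg.op == "DEC":
            self.provisioned[msg.handle] = dict(msg.payload)   # flow 2c/3b: provision
            self.send(CopsMsg("RPT", msg.handle, msg.payload))
        else:
            raise ValueError(f"unexpected COPS operation {msg.op}")

    def connect(self) -> None:
        """Flow 1: initial connection."""
        self.send(CopsMsg("OPN"))

    def interface_up(self, interface: str) -> None:
        """Flow 2: interface state change, request provisioning from the PDP."""
        self.send(CopsMsg("REQ", interface))

    def resync(self, pdp: Pdp) -> None:
        """Restart the COPS connection and resynchronize without discarding the
        policies already provisioned (rather than disabling the SRC client)."""
        self.pdp = pdp
        self.connected = False
        self.connect()
```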
The proprietary PIB provides the Policy Manager and QoS Manager functionality shown
in the following lists.
• Policy Manager
  • Committed access rate
  • Packet filtering
  • Policy routing
  • QoS classification and marking
  • Rate limiting
  • Traffic class
• QoS Manager
  • Queues
  • Schedulers
  • Traffic classes
The JunosE-IP-PIB file is updated with each JunosE release. Since the PIB is implemented
by both Juniper Networks SRC and JunosE devices, distribution of the PIB file to customers
is not necessary. Customers can access the proprietary PIB file, on approval from Juniper
Networks, through Juniper support.
Retrieval of DSL Line Rate Information from Access Nodes Overview
You can retrieve updated DSL line rate information from the Access Node Control Protocol
(ANCP) and report this information to the SRC software with corresponding COPS
messages. ANCP is also known as Layer 2 Control (L2C). To enable the router that
functions as the SRC client to obtain updated line rate parameters from ANCP and
transmit them to the COPS server, use the sscc update-policy-request enable command
in Global Configuration mode. You can configure this setting on a per-virtual-router basis.
In networks with digital subscriber line access multiplexers (DSLAMs), after a connection
is established between a subscriber and a routing gateway, the access node or DSLAM
obtains the line rate information of the subscriber using a synchronization process. The
line rate parameters are transferred in the COPS interface request by using the ANCP
topology discovery message to the router that functions as the network access server
(NAS). Typically, a COPS interface request is sent from the access node to the SRC client
whenever an interface becomes operational.
You can configure the SRC client to obtain the line rate details from the access node
whenever any change in the values of the parameters occurs. The capability to receive
line rate data, when it changes on the access node, is disabled by default on the SRC
client.
The access node passes the DSL line rate parameters, whenever they change, to the SRC
client. The SRC client appends updated parameters to the COPS messages that it sends
to the COPS server or SRC server. A COPS server processes the following topology
parameters that it receives from the SRC client in the updated COPS messages:
• JunosEIpInterfaceMode
• JunosEIpInterfaceUpstreamRate
• JunosEIpInterfaceDownstreamRate
• JunosEIpInterfaceMinimumDataRateUpstream
• JunosEIpInterfaceMinimumDataRateDownstream
• JunosEIpInterfaceAttainableDataRateUpstream
• JunosEIpInterfaceAttainableDataRateDownstream
• JunosEIpInterfaceMaximumDataRateUpstream
• JunosEIpInterfaceMaximumDataRateDownstream
• JunosEIpInterfaceMinimumLowPowerDataRateUpstream
• JunosEIpInterfaceMinimumLowPowerDataRateDownstream
• JunosEIpInterfaceMaximumInterleavingDelayUpstream
• JunosEIpInterfaceActualInterleavingDelayUpstream
• JunosEIpInterfaceMaximumInterleavingDelayDownstream
• JunosEIpInterfaceActualInterleavingDelayDownstream
• JunosEIpInterfaceDSLlinestate
A COPS server that runs an SRC software release earlier than Release 3.0.0 does not
support the preceding topology parameters and does not process them when they are
appended to the COPS messages. Such a COPS server uses the other information that it
receives in the COPS messages for policy management and ignores the parameters that
describe the updated DSL line rate details. The COPS-PR operation therefore remains
backward compatible between SRC clients and COPS servers running SRC software
releases earlier than Release 3.0.0, because the received line rate details are ignored.
When you configure the sscc update-policy-request enable command, a warning
message is displayed, prompting you to confirm whether you want to enable the router
that functions as the SRC client to forcibly send line rate information parameters to the
COPS server, which is running a release of SRC software earlier than Release 3.0.0 that
is not compatible with the line rate message format.
Even if you confirm the prompt to enable the SRC client to forcibly send updated DSL
line rate parameters to the COPS server, the COPS server that is running a release of SRC
software earlier than Release 3.0.0 ignores the updated line rate details that it receives
and processes only the other information in the COPS messages.
The Policy Information Base (PIB) is modified to extend the JunosEIpInterfaceEntry
object. ANCP now notifies the SRC software about any change in the ANCP parameters.
If the rate changes by more than 10 percent, or the mode changes, the SRC software
reports the update to the service activation engine (SAE) in SRC Release 3.0.0 and later.
Related Documentation
• SRC Client Configuration Overview on page 45
• Monitoring SRC Client Connection Status on page 145
• sscc update-policy-request enable
DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview
In previous releases, you configured DHCPv6 local servers on a virtual router to delegate
IPv6 prefixes to DHCPv6 clients. In this release, you can configure IPv6 local address
pools to allocate IPv6 prefixes to clients in networks that use DHCPv6. These pools can
be used to assign prefixes from a delegating router, which is an E Series router configured
as a DHCPv6 local server, to the requesting router, which is the customer premises
equipment (CPE) at the edge of the remote client site that acts as the DHCP client.
The DHCPv6 prefix delegation feature is useful in scenarios in which the delegating router
does not have information about the topology of the networks in which the customer
edge device or requesting router is located. In such cases, the delegating router requires
only the identity of the requesting router to choose a prefix for delegation. An IPv6 local
pool is configured on the delegating router, which contains information about the prefixes,
their validity periods, and other parameters to control their assignment to the requesting
routers. The delegating router is configured with a set of prefixes that is used to assign
to a CPE or DHCPv6 client, when it first establishes a connection with an Internet service
provider (ISP).
When the delegating router receives a request from a DHCPv6 client, it selects an available
prefix and delegates it to the client. The DHCPv6 client subnets the delegated prefix and
assigns the prefixes to links at the customer edge.
Keep the following points in mind when you configure IPv6 local address pools to assign
prefixes to requesting routers:
• You must enable the IPv6 local address pool feature to be able to configure IPv6 local address pools.
• You can configure IPv6 local address pools for DHCP to allocate prefixes to client requests that are received over PPP or non-PPP links, such as VLAN, S-VLAN, or Ethernet.
• You can configure multiple local address pools on a single virtual router, up to a maximum of 500 pools per virtual router.
• You can also configure multiple address pools on multiple virtual routers. Each IPv6 local address pool must have a unique name.
• You can configure a valid and preferred lifetime for each IPv6 prefix, which determines the length of time the requesting router can use the prefix.
• You can configure multiple prefix ranges in an IPv6 local pool. The ranges can have the same or different assigned prefix lengths.
• You cannot configure overlapping prefix ranges in an IPv6 local pool. If you try to configure a prefix range that overlaps with an existing prefix range in the IPv6 local pool, an error message is displayed stating that the prefix range could not be configured. Similarly, an error message is displayed if you try to configure a prefix range in an IPv6 local pool that overlaps with a prefix range in another IPv6 local pool on the same virtual router.
• You can configure certain prefix ranges to be excluded from being used for delegation to the requesting router.
• You can configure the IPv6 addresses of a primary and secondary DNS server in an IPv6 local pool. The DNS server addresses are returned to the client in DHCPv6 responses as part of the DNS Recursive Name Server option.
• You can configure a list of up to four domain names in an IPv6 local pool to be used during the resolution of hostnames to IP addresses. These domain names are returned to clients in the DHCPv6 responses as part of the Domain Search List option.
• You can configure an IPv6 local address pool in an AAA domain map to assign prefixes to requesting DHCPv6 clients using the ipv6 prefix-pool-name command in Domain Map Configuration mode. If the authentication server returns the IPv6 local address pool name in the Framed-IPv6-Pool attribute of the RADIUS Access-Accept message, this pool overrides the IPv6 local address pool configured in the domain map.
• You cannot delete a pool or a prefix range from which prefixes have been allocated to requesting routers or DHCPv6 clients. However, you can forcibly delete such a pool or prefix range by using the force keyword in the ipv6 local pool poolName and prefix commands. If a pool is deleted or the prefix range associated with the pool is deleted, and prefixes have been assigned to DHCPv6 clients or requesting routers, the corresponding DHCPv6 bindings are also deleted.
• When multiple prefix ranges are configured in a pool, the DHCPv6 prefix delegation feature allocates prefixes from the configured ranges in the order of the assigned prefix length. The delegating router or the DHCPv6 server attempts to allocate a prefix from the range with the lowest assigned prefix length. If this attempt fails because the pool has been fully allocated, the server tries to allocate a prefix from the subsequent prefix ranges. These ranges could have the same prefix length as the first one or a higher length.
NOTE: Although you can configure an IPv6 local pool with the assigned prefix length as /128, which implies a full IPv6 address, this assignment is not useful for the DHCPv6 prefix delegation feature because it assigns a prefix with a length of only /64 or less. A pool with an assigned prefix length of /128 is useful when complete IPv6 addresses are assigned to the DHCPv6 clients.
• When an IPv6 client that is connected to the requesting router using a PPP link is delegated a prefix by the DHCPv6 server, the client binding is removed when the PPP interface goes down and is not retained until the lease time expires. A new client binding is created for the PPP subscriber in response to a renew or rebind request sent to the DHCP server. This method of re-creating the client binding ensures that the client receives a new authentication configuration and is assigned a prefix when it sends a rebind or renew request after the PPP interface flaps (constantly goes up and down).
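The following Python model is added here and is not JunosE code; it implements the pool rules listed above: prefix ranges that may overlap neither within a pool nor across pools on the same virtual router, excluded ranges, allocation in order of assigned prefix length with fallback to the next range once one is exhausted, and forced deletion of a range that still has bindings. Pool names, client identifiers and prefixes in the test are constructed.

```python
"""Constructed model (not JunosE code) of IPv6 local address pools used for
DHCPv6 prefix delegation."""
from ipaddress import IPv6Network
from typing import Dict, List, Optional


class PrefixRange:
    """One prefix range of a pool: a network carved into prefixes of the assigned length."""

    def __init__(self, network: str, assigned_length: int):
        self.network = IPv6Network(network)
        if not self.network.prefixlen <= assigned_length <= 128:
            raise ValueError("assigned prefix length must lie between the range length and /128")
        self.assigned_length = assigned_length
        self.bindings: Dict[str, IPv6Network] = {}   # client DUID -> delegated prefix
        self._next = 0                                # cursor over never-used prefixes
        self._free: List[IPv6Network] = []            # prefixes released by clients

    def _subnet(self, index: int) -> IPv6Network:
        base = int(self.network.network_address) + (index << (128 - self.assigned_length))
        return IPv6Network((base, self.assigned_length))

    def allocate(self, client: str, excluded: List[IPv6Network]) -> Optional[IPv6Network]:
        count = 1 << (self.assigned_length - self.network.prefixlen)
        while True:
            if self._free:
                prefix = self._free.pop()
            elif self._next < count:
                prefix = self._subnet(self._next)
                self._next += 1
            else:
                return None                           # range fully allocated
            if not any(prefix.overlaps(ex) for ex in excluded):
                self.bindings[client] = prefix
                return prefix

    def release(self, client: str) -> None:
        prefix = self.bindings.pop(client, None)
        if prefix is not None:
            self._free.append(prefix)


class Ipv6LocalPool:
    def __init__(self, name: str, vr: "VirtualRouter"):
        self.name, self.vr = name, vr
        self.ranges: List[PrefixRange] = []
        self.excluded: List[IPv6Network] = []

    def add_range(self, network: str, assigned_length: int) -> None:
        new = PrefixRange(network, assigned_length)
        # A range may overlap neither this pool nor any other pool on the same VR.
        for pool in self.vr.pools.values():
            if any(new.network.overlaps(r.network) for r in pool.ranges):
                raise ValueError(f"{network} overlaps a prefix range in pool {pool.name}")
        self.ranges.append(new)
        self.ranges.sort(key=lambda r: r.assigned_length)   # lowest assigned length first

    def exclude(self, network: str) -> None:
        self.excluded.append(IPv6Network(network))

    def delegate(self, client: str) -> Optional[IPv6Network]:
        for rng in self.ranges:                       # in order of assigned prefix length
            prefix = rng.allocate(client, self.excluded)
            if prefix is not None:
                return prefix
        return None                                   # every range is fully allocated

    def release(self, client: str) -> None:
        for rng in self.ranges:
            rng.release(client)

    def remove_range(self, network: str, force: bool = False) -> List[str]:
        """Delete a range; with force, the bindings it still holds are dropped and returned."""
        target = IPv6Network(network)
        rng = next((r for r in self.ranges if r.network == target), None)
        if rng is None:
            raise KeyError(network)
        if rng.bindings and not force:
            raise ValueError("prefixes from this range are still allocated; use force to delete it")
        self.ranges.remove(rng)
        return sorted(rng.bindings)


class VirtualRouter:
    MAX_POOLS = 500

    def __init__(self) -> None:
        self.pools: Dict[str, Ipv6LocalPool] = {}

    def pool(self, name: str) -> Ipv6LocalPool:
        """Return the named pool, creating it if needed (pool names are unique per VR)."""
        if name not in self.pools:
            if len(self.pools) >= self.MAX_POOLS:
                raise ValueError(f"at most {self.MAX_POOLS} pools per virtual router")
            self.pools[name] = Ipv6LocalPool(name, self)
        return self.pools[name]
```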
When a PPP user establishes a PPP connection with the E Series router functioning as
a remote access server, the subscriber is first authenticated using the RADIUS protocol.
The Access-Accept message returned from the RADIUS server can contain different IPv6
attributes, including the Framed-IPv6-Pool attribute, which contains the name of the
IPv6 pool from which a prefix needs to be assigned to the subscriber. The prefix is assigned
to the subscriber using the DHCPv6 prefix delegation feature, which is covered in the
next section.
Related Documentation
• Example: Delegating the DHCPv6 Prefix on page 52
Example: Delegating the DHCPv6 Prefix
Consider a scenario in which a number of devices on a home network are connected to
a customer premises equipment (CPE) device, CPE1, which is the requesting router. CPE1
is connected using a PPP link to the provider edge device, PE1, which is an E Series router
operating as the DHCPv6 server or delegating router. After the IPv6 link is formed between
CPE1 and PE1 and the IPv6 link-local address is created, CPE1 requests and obtains
prefixes that are shorter than /64 (usually /48) from PE1.
CPE1 is connected to the home network. CPE1 divides the single delegated prefix that it
received from PE1 into multiple /64 prefixes and assigns one /64 prefix to each of the
links in the home network. The address allocation mechanism in the subscriber network
can be performed using ICMPv6 Neighbor Discovery in router advertisements, DHCPv6,
or a combination of these two methods.
When PE1 receives a request for prefix delegation from CPE1, PE1 assigns prefixes from
the list of unallocated prefixes in the IPv6 local pool.
The following sections of this example show how to delegate the DHCPv6 prefix:
• Order of Preference in Determining the Local Address Pool for Allocating Prefixes on page 52
• Order of Preference in Allocating Prefixes and Assigning DNS Addresses to Requesting Routers on page 53
Order of Preference in Determining the Local Address Pool for Allocating Prefixes
You can configure multiple local address pools on a virtual router. When multiple pools
are configured, the pool that is used to allocate the prefix to the requesting router is
selected using the following order of preference:
• If a pool name is returned by the RADIUS server in the Framed-IPv6-Pool attribute or in the Delegated-Ipv6-Pool attribute (VSA 26-161), that pool is used to delegate the prefix to the client.
• If the aaa dhcpv6-ndra-pool override command is not configured, and if the RADIUS server returns a pool name in the Framed-IPv6-Pool attribute, that pool name is used to delegate the prefix to the client.
• If the aaa dhcpv6-ndra-pool override command is configured, and if the RADIUS server returns a pool name in the Delegated-Ipv6-Pool attribute (VSA 26-161), that pool name is used to delegate the prefix to the client.
• If the RADIUS server does not return the pool name, the pool name configured in the AAA domain map (Ipv6-Prefix-Pool-Name) is used to delegate the prefix to the client.
• If no local address pool name is configured in the AAA domain map, the IPv6 address of the interface on which the request was received is used to determine the pool.
• If the interface address matches with any of the prefix ranges configured in the IPv6 local address pool on the router, that pool is used to delegate the prefix to the client.
Order of Preference in Allocating Prefixes and Assigning DNS Addresses to Requesting Routers
Prefix delegation can be configured at the interface level and at the router level. Also,
certain VSA attributes returned in the RADIUS Access-Accept message from the
authentication server can impact the selection of the prefix to be assigned to the
requesting router. The level of preference attached to each of these prefix delegation
configurations is crucial. The delegating router uses the following order of preference to
determine the source from which the DHCPv6 prefix is delegated to the requesting router
from the DHCPv6 server:
1. An interface that is configured for prefix delegation is given priority over the RADIUS attributes returned in the Access-Accept message or the prefixes configured in the IPv6 local address pool on the delegating router.
2. The RADIUS server might return one or more of the following attributes in the Access-Accept message in response to the client authentication request:
   • Ipv6-NdRa-Prefix (VSA 26-129)
   • Framed-IPv6-Prefix (RADIUS IETF attribute 97)
   • Delegated-IPv6-Prefix (RADIUS IETF attribute 123)
   • Framed-IPv6-Pool (RADIUS IETF attribute 100)
   • Delegated-Ipv6-Pool (VSA 26-161)
   If any of the first three attributes are returned, then the prefix contained in those attributes is used and the pool name in the Framed-IPv6-Pool/Delegated-Ipv6-Pool attribute is ignored. For example, if both the Delegated-IPv6-Prefix or Framed-IPv6-Prefix, and Framed-IPv6-Pool/Delegated-Ipv6-Pool attributes are returned from the RADIUS server, the DHCPv6 prefix delegation mechanism uses the Delegated-IPv6-Prefix attribute to advertise the prefix to clients.
3. If prefix delegation is not configured at the interface level and if no prefix is returned
from the attribute in the RADIUS Access-Accept message, the prefix configured in
the IPv6 local pool is delegated to the requesting router.
If you configured a list of IPv6 DNS servers and a string of domain names in the IPv6 local
address pool, the order of preference in returning the DNS server address or domain name
to the requesting client in the DHCPv6 response is as follows:
• Information returned from the RADIUS server for DNS servers only
• Information from the pool
• Locally configured DNS attributes
Related Documentation
• Example: Limiting the Number of Prefixes Used by DHCPv6 Clients on page 97
• DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview on page 50
IPv6 Prefix Allocation Using Neighbor Discovery Router Advertisements from IPv6 Address Pools Overview
You can configure IPv6 local address pools for Neighbor Discovery router advertisements
on a virtual router in order to allocate prefixes to Neighbor Discovery clients. These pools
can be used to assign prefixes from the E Series router.
An IPv6 local address pool for Neighbor Discovery router advertisements is configured
on the router running the B-RAS application, which contains information about the
prefixes. When the B-RAS application running on the E Series router receives a request
from a PPP IPv6 client, it selects an available prefix and allocates it to the client.
Allocation of Neighbor Discovery Prefixes for IPv6 Subscribers over PPP Links
When a PPP user establishes a PPP connection with the E Series router functioning as
a remote access server, the subscriber is first authenticated using the RADIUS protocol.
The Access-Accept message returned from the RADIUS server can contain different IPv6
attributes, including the IPv6-NdRa-Pool attribute, which contains the name of the IPv6
pool from which a prefix needs to be assigned to the subscriber. The prefix is assigned
to the subscriber using the Neighbor Discovery router advertisements feature.
Order of Preference in Determining the Local Address Pool for Allocating Prefixes for Neighbor
Discovery Router Advertisements
You can configure multiple local address pools for Neighbor Discovery router
advertisements on a virtual router. When multiple pools are configured, the pool that is
used to allocate the prefix to the requesting PPPv6 subscriber is selected using the
following order of preference:
1. If the aaa dhcpv6-ndra-pool override command is not configured and a pool name is returned by the RADIUS server in the IPv6-Ndra-Pool attribute, that pool is used to allocate the prefix to the client.
2. If the aaa dhcpv6-ndra-pool override command is configured and a pool name is returned by the RADIUS server in the Framed-Ipv6-Pool attribute, that pool is used to allocate the prefix to the client.
3. If the RADIUS server does not return a pool name in either of the above-mentioned points, based on the aaa dhcpv6-ndra-pool override command, the pool name configured in the AAA domain map is used.
Order of Preference in Assigning Prefixes when Neighbor Discovery Router Advertisements are Configured on an Interface
The router running the B-RAS application uses the following order of preference to determine the source from which the Neighbor Discovery router advertisements prefix is allocated to the requesting PPPv6 subscriber from the Neighbor Discovery Router Advertisements server:
1. An interface that is configured for the Neighbor Discovery router advertisements prefix is given priority over the RADIUS attributes returned in the Access-Accept message or the prefixes configured in the IPv6 local address pool for Neighbor Discovery router advertisements on the router running the B-RAS application.
2. The RADIUS server might return one or more of the following attributes in the Access-Accept message in response to the client authentication request:
• Ipv6-NdRa-Prefix (VSA 26-129)
• Framed-IPv6-Prefix (RADIUS IETF attribute 97)
• Framed-IPv6-Pool (RADIUS IETF attribute 100)
• IPv6-Ndra-Pool (VSA 26-157)
If either of the first two attributes is returned, the prefix contained in that attribute is used, and the pool name in the Framed-IPv6-Pool or Ipv6-Ndra-Pool attribute is ignored.
3. If the RADIUS server does not return any of the above-mentioned attributes, the IPv6 prefix pool name of the Neighbor Discovery router advertisements mentioned in the AAA domain map is used to allocate the prefix to the requesting PPPv6 subscriber.
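The two orders of preference above (pool selection, then prefix source), combined into one decision function. This is an added example written for this page, not JunosE code; the dict keys, the NdraConfig fields and the in-memory pool lists are constructed assumptions standing in for the router's RADIUS attribute set and local pools.

```python
"""Model of how the B-RAS picks the NDRA prefix for a PPPv6 subscriber.
Added example; not JunosE code. Attribute names follow this guide."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# RADIUS attribute names as written in the guide (constructed dict keys).
IPV6_NDRA_PREFIX = "Ipv6-NdRa-Prefix"       # VSA 26-129
FRAMED_IPV6_PREFIX = "Framed-IPv6-Prefix"   # IETF attribute 97
FRAMED_IPV6_POOL = "Framed-IPv6-Pool"       # IETF attribute 100
IPV6_NDRA_POOL = "IPv6-Ndra-Pool"           # VSA 26-157


@dataclass
class NdraConfig:
    """Hypothetical view of the router-side configuration the decision uses."""
    interface_prefix: Optional[str] = None   # NDRA prefix configured on the interface
    ndra_pool_override: bool = False         # 'aaa dhcpv6-ndra-pool override' configured?
    domain_map_pool: Optional[str] = None    # 'ipv6-ndra-pool-name' in the AAA domain map
    # pool name -> list of free /64 prefixes (stands in for 'ipv6 local ndra-pool')
    local_pools: dict = field(default_factory=dict)


def select_ndra_pool(radius: dict, cfg: NdraConfig) -> Optional[str]:
    """Order of preference for the pool name (first list above)."""
    # 1. Override not configured: honour IPv6-Ndra-Pool from RADIUS.
    if not cfg.ndra_pool_override and IPV6_NDRA_POOL in radius:
        return radius[IPV6_NDRA_POOL]
    # 2. Override configured: honour Framed-IPv6-Pool from RADIUS instead.
    if cfg.ndra_pool_override and FRAMED_IPV6_POOL in radius:
        return radius[FRAMED_IPV6_POOL]
    # 3. Otherwise fall back to the pool named in the AAA domain map (may be None).
    return cfg.domain_map_pool


def select_ndra_prefix(radius: dict, cfg: NdraConfig) -> Tuple[str, Optional[str]]:
    """Order of preference for the prefix itself (second list above).

    Returns (source, prefix) where source is 'interface', 'radius-prefix',
    'pool' or 'none'. Allocating from a pool consumes its first free prefix."""
    # 1. A prefix configured on the interface beats everything RADIUS returns.
    if cfg.interface_prefix:
        return ("interface", cfg.interface_prefix)
    # 2. A prefix attribute beats any pool-name attribute, which is then ignored.
    for attr in (IPV6_NDRA_PREFIX, FRAMED_IPV6_PREFIX):
        if attr in radius:
            return ("radius-prefix", radius[attr])
    # 3. Otherwise allocate from the selected pool (RADIUS pool name or domain map).
    pool = select_ndra_pool(radius, cfg)
    free = cfg.local_pools.get(pool) if pool else None
    if free:
        return ("pool", free.pop(0))
    return ("none", None)
```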
Guidelines for Allocating Neighbor Discovery Prefixes Using IPv6 Address Pools
The following are guidelines for allocating prefixes using IPv6 address pools for Neighbor
Discovery router advertisements:
• You must enable the IPv6 local address pool for the Neighbor Discovery router advertisements feature to be able to configure IPv6 local address pools for Neighbor Discovery router advertisements.
• You can configure IPv6 local address pools for Neighbor Discovery router advertisements to allocate prefixes to client requests that are received over PPP.
• You can configure multiple local address pools on a single virtual router up to a maximum of 500 pools per virtual router.
• You can also configure multiple address pools on multiple virtual routers. Each IPv6 local address pool must have a unique name.
• You can configure up to ten prefix ranges in an IPv6 local address pool. The ranges can have only /64 prefix length.
• You can configure a maximum of 1,048,576 prefixes per prefix range to be used for allocation of prefixes to clients using Neighbor Discovery router advertisements. If you attempt to configure prefixes after the maximum limit of prefixes per prefix range is exceeded, a warning message stating that automatic truncation will be performed is displayed.
• You can configure a maximum of 400,000,000 prefixes throughout the system for allocation of prefixes using Neighbor Discovery router advertisements. An error message is displayed if you attempt to configure a prefix for a pool when this maximum system-wide limit is exceeded.
• If you configure the maximum number of IPv6 prefixes, which is 1,048,576 per prefix range, for the first 383 local address pools for Neighbor Discovery router advertisements by using the ipv6 local ndra-pool poolName command, the system-wide maximum limitation of 400,000,000 is reached. In such a case, if you attempt to configure the IPv6 prefix ranges to be allocated for the 384th pool, an error message is displayed stating that the prefix cannot be configured. Although all of the 500 IPv6 local address pools are configured correctly, you cannot configure prefixes for Neighbor Discovery from the 384th pool through the 500th pool because the maximum number of prefixes supported for the entire system is reached with the 383rd pool.
• You cannot configure overlapping prefix ranges in an IPv6 local pool. If you try to configure a prefix range that overlaps with an existing prefix range in the IPv6 local pool, an error message is displayed stating that the prefix range could not be configured. Similarly, an error message is displayed if you try to configure a prefix range in an IPv6 local pool that overlaps with a prefix range in another IPv6 local pool on the same virtual router.
• You can configure certain prefix ranges to be excluded from being used for allocation to the requesting subscriber.
• You can configure the name of an IPv6 local address pool in an AAA domain map using the ipv6-ndra-pool-name command in Domain Map Configuration mode. If the authentication server returns the IPv6 local address pool name in the Framed-IPv6-Pool attribute or Ipv6-NdRa-Pool attribute of the RADIUS-Access-Accept message, this pool overrides the IPv6 local address pool configured in the domain map.
• You cannot delete a pool or a prefix range from which prefixes have been allocated to requesting routers or Neighbor Discovery router advertisements clients. However, you can forcibly delete such a pool or prefix range by using the force keyword in the ipv6 local ndra-pool poolName and ndraprefix commands. If a pool is deleted or the prefix range associated with the pool is deleted forcibly, corresponding subscribers will be logged out forcibly.
• Two new RADIUS attributes are added: Ipv6-Ndra-Pool and Delegated-Ipv6-Pool. For more information on these attributes see “Juniper Networks VSAs” on page 238.
• You can issue the aaa dhcpv6-ndra-pool override command to use the Framed-Ipv6-Pool attribute for IPv6 Neighbor Discovery router advertisements and the Delegated-Ipv6-Pool attribute for DHCPv6 Prefix Delegation. The no version of this command causes the Ipv6-NdRa-Pool attribute to be used for IPv6 Neighbor Discovery router advertisements and the Framed-Ipv6-Pool attribute to be used for DHCPv6 Prefix Delegation.
• If you want the IPv6-NdRa-Prefix attribute to be included in the Acct-Start messages that the router sends to the RADIUS server, you can use the radius include ipv6-ndra-prefix acct-start enable command. In such a case, the prefix allocated to the subscriber from the IPv6 local address pool for Neighbor Discovery is included in the Ipv6-NdRa-Prefix attribute or the Framed-Ipv6-Prefix attribute. Similarly, to cause the Ipv6-NdRa-Prefix attribute to be included in the Acct-Stop messages sent to the RADIUS server, you can use the radius include ipv6-ndra-prefix acct-stop enable command. You can use the disable keyword with the radius include ipv6-ndra-prefix acct-start and radius include ipv6-ndra-prefix acct-stop commands to prevent the Ipv6-NdRa-Prefix attribute from being sent in the Acct-Start or Acct-Stop messages.
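The capacity and overlap rules in these guidelines (500 pools per virtual router, ten /64 ranges per pool, 1,048,576 prefixes per range with truncation, a 400,000,000 system-wide limit, unique pool names, and no overlapping ranges on the same virtual router) as an added validator. This is example code written for this page, not JunosE code; the class and method names are assumptions, and the limits are the numbers stated above.

```python
"""Validator modelling the NDRA local address pool limits in this guide.
Added example; not JunosE code."""
import ipaddress

# Limits stated in the guidelines above.
MAX_POOLS_PER_VR = 500
MAX_RANGES_PER_POOL = 10
MAX_PREFIXES_PER_RANGE = 1_048_576
MAX_PREFIXES_SYSTEM = 400_000_000
PREFIX_STEP = 1 << 64   # address distance between consecutive /64 prefixes


class PoolConfigError(ValueError):
    """Raised where the router would print an error message."""


class NdraPoolSystem:
    """Tracks NDRA pools per virtual router and the system-wide prefix count."""

    def __init__(self):
        self.vrs = {}              # vr name -> {pool name -> [(lo, hi), ...]}
        self.pool_names = set()    # pool names must be unique across all VRs
        self.system_prefixes = 0

    def add_pool(self, vr, name):
        """Equivalent of 'ipv6 local ndra-pool poolName' on virtual router vr."""
        pools = self.vrs.setdefault(vr, {})
        if name in self.pool_names:
            raise PoolConfigError(f"pool name {name!r} is already in use")
        if len(pools) >= MAX_POOLS_PER_VR:
            raise PoolConfigError(f"{vr}: limit of {MAX_POOLS_PER_VR} pools reached")
        pools[name] = []
        self.pool_names.add(name)

    def add_range(self, vr, name, start, end):
        """Add the inclusive range of /64 prefixes start..end to a pool.

        Returns (configured_count, truncated). A range longer than
        MAX_PREFIXES_PER_RANGE is truncated with a warning, as the guide
        describes; every other violation is an error."""
        try:
            ranges = self.vrs[vr][name]
        except KeyError:
            raise PoolConfigError(f"pool {name!r} does not exist on {vr}") from None
        first, last = ipaddress.IPv6Network(start), ipaddress.IPv6Network(end)
        if first.prefixlen != 64 or last.prefixlen != 64:
            raise PoolConfigError("ranges can have only /64 prefix length")
        if len(ranges) >= MAX_RANGES_PER_POOL:
            raise PoolConfigError(f"{name}: limit of {MAX_RANGES_PER_POOL} ranges reached")
        lo, hi = int(first.network_address), int(last.network_address)
        if hi < lo:
            raise PoolConfigError("range end precedes range start")
        count = (hi - lo) // PREFIX_STEP + 1
        truncated = count > MAX_PREFIXES_PER_RANGE
        if truncated:
            count = MAX_PREFIXES_PER_RANGE
            hi = lo + (count - 1) * PREFIX_STEP
        # No overlap with any range of any pool on the same virtual router
        # (pools on other virtual routers are not checked, per the guideline).
        for other, other_ranges in self.vrs[vr].items():
            for olo, ohi in other_ranges:
                if lo <= ohi and olo <= hi:
                    raise PoolConfigError(f"range overlaps a range in pool {other!r}")
        if self.system_prefixes + count > MAX_PREFIXES_SYSTEM:
            raise PoolConfigError("system-wide prefix limit would be exceeded")
        ranges.append((lo, hi))
        self.system_prefixes += count
        return count, truncated
```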
Related Documentation
• Configuring the DHCPv6 Local Address Pools on page 95
• Configuring IPv6 Neighbor Discovery Local Address Pools on page 99
• aaa dhcpv6-ndra-pool override
• ipv6 address-pool ndra
• ipv6 local ndra-pool
Understanding IPCP and IPv6CP Negotiations for IPv4 and IPv6 Clients Based on RADIUS-Returned Attributes
Point-to-Point Protocol (PPP) uses Internet Protocol Control Protocol (IPCP) and Internet
Protocol version 6 Control Protocol (IPv6CP) negotiations for assigning IP version 4
(IPv4) and IP version 6 (IPv6) addresses to authenticated PPP Broadband Remote
Access Server (B-RAS) subscribers by using RADIUS-returned attributes or the local
address pool configured on the router.
You can now enable IPCP and IPv6CP negotiations for IPv4 and IPv6 clients based only
on the RADIUS attributes present in the Access-Accept message returned from the
RADIUS server.
IPCP negotiation is initiated for IPv4 clients only when the Framed-Ip-Address [8] attribute
or Framed-Pool [88] attribute is returned from the RADIUS server. IPv6CP negotiation
is initiated for IPv6 clients only when the Framed-Interface-Id [96] attribute, IPv6 prefix
attributes, or IPv6 pool name attributes are returned from the RADIUS server.
You can issue the aaa radius-override-ncp-negotiation command with the enable
keyword to enable IPCP and IPv6CP negotiations based on RADIUS-returned attributes.
NOTE: You can enable IPCP and IPv6CP negotiations based on
RADIUS-returned attributes only for Point-to-Point Protocol (PPP) Broadband
Remote Access Server (B-RAS) subscribers.
When you enable IPCP and IPv6CP negotiations based on RADIUS-returned attributes,
IPCP negotiation is initiated for IPv4 clients only if one of the following conditions is
satisfied:
• Framed-Ip-Address [8] attribute is returned from the RADIUS server in the Access-Accept message.
• Framed-Pool [88] attribute is returned from the RADIUS server in the Access-Accept message and the B-RAS successfully allocates an IP address to a PPP B-RAS subscriber from the received pool.
When you enable IPCP and IPv6CP negotiations based on RADIUS-returned attributes,
IPv6CP negotiation is initiated for IPv6 clients only if one of the following conditions is
satisfied:
• Framed-Ipv6-Prefix [97] attribute is returned from the RADIUS server in the Access-Accept message and the aaa ipv6-nd-ra-prefix framed-ipv6-prefix command is configured.
• Ipv6-NdRa-Prefix [26-129] VSA is returned from the RADIUS server in the Access-Accept message and the aaa ipv6-nd-ra-prefix framed-ipv6-prefix command is not configured or the no aaa ipv6-nd-ra-prefix framed-ipv6-prefix command is configured.
• Framed-Ipv6-Pool [100] attribute is returned from the RADIUS server in the Access-Accept message, the aaa dhcpv6-ndra-pool override command is configured, and the B-RAS successfully allocates a prefix to a PPP B-RAS subscriber from the IPv6 Neighbor Discovery router advertisement pool.
• Ipv6-Ndra-Pool [26-157] VSA is returned from the RADIUS server in the Access-Accept message, the aaa dhcpv6-ndra-pool override command is not configured or the no aaa dhcpv6-ndra-pool override command is configured, and the B-RAS successfully allocates a prefix to a PPP B-RAS subscriber from the IPv6 Neighbor Discovery router advertisement pool.
• Framed-Interface-Id [96] attribute is returned from the RADIUS server in the Access-Accept message.
• Delegated-Ipv6-Prefix [123] attribute is returned from the RADIUS server in the Access-Accept message.
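The IPCP and IPv6CP conditions listed above for the RADIUS-only mode, together with the default-mode conditions (domain map and local pool fallbacks) described later in this section, as an added decision model. This is example code written for this page, not JunosE code; the NcpConfig fields and the allocate callbacks are hypothetical stand-ins for the router configuration and the B-RAS address allocator.

```python
"""Model of when IPCP / IPv6CP negotiation is initiated for a PPP B-RAS
subscriber, in both modes of aaa radius-override-ncp-negotiation.
Added example; not JunosE code. Attribute names follow this guide."""
from dataclasses import dataclass
from typing import Callable, Optional

# IPv6 attributes any one of which starts IPv6CP in the default mode.
IPV6_ATTRS = ("Framed-Ipv6-Prefix", "Ipv6-NdRa-Prefix", "Framed-Ipv6-Pool",
              "Ipv6-Ndra-Pool", "Delegated-Ipv6-Pool", "Delegated-Ipv6-Prefix")


@dataclass
class NcpConfig:
    """Hypothetical view of the configuration the decision depends on."""
    radius_override_ncp: bool = False            # aaa radius-override-ncp-negotiation enable
    ndra_pool_override: bool = False             # aaa dhcpv6-ndra-pool override
    ndra_prefix_framed: bool = False             # aaa ipv6-nd-ra-prefix framed-ipv6-prefix
    domain_map_ipv4_pool: Optional[str] = None   # address-pool-name in the domain map
    vr_local_pool: Optional[str] = None          # ip local pool on the subscriber VR
    domain_map_ipv6_prefix_pool: Optional[str] = None  # ipv6-prefix-pool-name
    domain_map_ndra_pool: Optional[str] = None   # ipv6-ndra-pool-name


def ipcp_initiated(radius: dict, cfg: NcpConfig,
                   allocate_ipv4: Callable[[str], bool]) -> bool:
    """allocate_ipv4(pool) is a hypothetical callback that returns True when
    the B-RAS can allocate an address for the subscriber from that pool."""
    if "Framed-Ip-Address" in radius:
        return True
    if "Framed-Pool" in radius and allocate_ipv4(radius["Framed-Pool"]):
        return True
    if cfg.radius_override_ncp:
        return False   # RADIUS-only mode: no fallback to local configuration
    # Default mode: the domain map pool, then a local pool on the subscriber VR.
    if cfg.domain_map_ipv4_pool and allocate_ipv4(cfg.domain_map_ipv4_pool):
        return True
    return bool(cfg.vr_local_pool) and allocate_ipv4(cfg.vr_local_pool)


def ipv6cp_initiated(radius: dict, cfg: NcpConfig,
                     allocate_ndra: Callable[[str], bool]) -> bool:
    """allocate_ndra(pool) is the hypothetical NDRA prefix allocator."""
    if cfg.radius_override_ncp:
        # Which prefix attribute counts depends on aaa ipv6-nd-ra-prefix framed-ipv6-prefix.
        if "Framed-Ipv6-Prefix" in radius and cfg.ndra_prefix_framed:
            return True
        if "Ipv6-NdRa-Prefix" in radius and not cfg.ndra_prefix_framed:
            return True
        # Which pool attribute counts depends on aaa dhcpv6-ndra-pool override,
        # and the allocation from that pool must succeed.
        if ("Framed-Ipv6-Pool" in radius and cfg.ndra_pool_override
                and allocate_ndra(radius["Framed-Ipv6-Pool"])):
            return True
        if ("Ipv6-Ndra-Pool" in radius and not cfg.ndra_pool_override
                and allocate_ndra(radius["Ipv6-Ndra-Pool"])):
            return True
        return "Framed-Interface-Id" in radius or "Delegated-Ipv6-Prefix" in radius
    # Default mode: any IPv6 attribute, or a pool configured on the domain map.
    if any(attr in radius for attr in IPV6_ATTRS):
        return True
    if cfg.domain_map_ipv6_prefix_pool:
        return True
    return bool(cfg.domain_map_ndra_pool) and allocate_ndra(cfg.domain_map_ndra_pool)
```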
You can issue the aaa radius-override-ncp-negotiation command with the disable
keyword or the no aaa radius-override-ncp-negotiation command to enable IPCP and
IPv6CP negotiations based on RADIUS-returned attributes and configurations done on
the subscriber domain map, which is the default behavior of the router.
When IPCP and IPv6CP negotiations are based on RADIUS-returned attributes and
configurations done on the subscriber domain map, IPCP negotiation is initiated for IPv4
clients only if one of the following conditions is satisfied:
• Framed-Ip-Address [8] attribute is returned from the RADIUS server in the Access-Accept message.
• Framed-Pool [88] attribute is returned from the RADIUS server in the Access-Accept message and the B-RAS successfully allocates an IP address to a PPP B-RAS subscriber from the received pool.
• You have issued the address-pool-name command to configure an address pool name on the subscriber domain map and the B-RAS successfully allocates an IP address to a PPP B-RAS subscriber from the configured pool name.
• You have configured an IP local pool for the subscriber virtual router and the B-RAS allocates an IP address to a PPP B-RAS subscriber from the configured pool.
When IPCP and IPv6CP negotiations are based on RADIUS-returned attributes and
configurations done on the subscriber domain map, IPv6CP negotiation is initiated for
IPv6 clients only if one of the following conditions is satisfied:
• Framed-Ipv6-Prefix [97] attribute is returned from the RADIUS server in the Access-Accept message.
• Ipv6-NdRa-Prefix [26-129] VSA is returned from the RADIUS server in the Access-Accept message.
• Framed-Ipv6-Pool [100] attribute is returned from the RADIUS server in the Access-Accept message.
• Ipv6-Ndra-Pool [26-157] VSA is returned from the RADIUS server in the Access-Accept message.
• Delegated-Ipv6-Pool [26-161] VSA is returned from the RADIUS server in the Access-Accept message.
• Delegated-Ipv6-Prefix [123] attribute is returned from the RADIUS server in the Access-Accept message.
• You have issued the ipv6-prefix-pool-name command to configure an IPv6 local prefix pool on the subscriber domain map.
• You have issued the ipv6-ndra-pool-name command to configure an IPv6 neighbor discovery router advertisement pool on the subscriber domain map and the B-RAS allocates a neighbor discovery router advertisement prefix to a PPP B-RAS subscriber from the configured pool.
Related Documentation
• Understanding PPP
• Overriding AAA to Perform IPCP and IPv6CP Negotiations Based on RADIUS-Returned Attributes on page 101
• aaa dhcpv6-ndra-pool override
• aaa ipv6-nd-ra-prefix framed-ipv6-prefix
• aaa radius-override-ncp-negotiation
• address-pool-name
• ipv6-ndra-pool-name
• ipv6-prefix-pool-name
CHAPTER 2
Configuring Remote Access
• Remote Access Configuration Tasks on page 62
• Configuring a B-RAS License on page 63
• Configuring AAA Duplicate Accounting on page 63
• Configuring AAA Broadcast Accounting on page 64
• Overriding AAA Accounting NAS Information on page 64
• Collecting Accounting Statistics on page 65
• Configuring RADIUS AAA Servers on page 65
• Configuring SNMP Traps on page 67
• Creating the AAA Local Authentication Environment on page 68
• Creating AAA Local User Databases on page 69
• Adding AAA User Entries to Local User Databases on page 70
• Adding AAA User Entries to Default Local User Databases on page 70
• Configuring AAA User Entries in Local User Databases on page 71
• Assigning a Local User Database to a Virtual Router on page 72
• Enabling Local Authentication on the Virtual Router on page 73
• Example: Configuring AAA Local Authentication on page 73
• Configuring DNS Primary and Secondary NMS on page 77
• Configuring WINS Primary and Secondary NMS on page 77
• Configuring a Local Address Server on page 77
• Creating an IP Interface on page 79
• Controlling Access to Domain Names on page 81
• Example: Associating all Subscribers of a PPP Interface with a Specific Domain Name on page 82
• Example: Associating Multiple Domain Names with a Specific Domain Name on page 83
• Configuring an AAA Per-Profile Attribute List on page 84
• Configuring the NAS-Port-Type Attribute Manually on page 85
• Configuring a Service Description for the AAA Profile on page 86
• Configuring the Route-Download Server to Download Routes on page 86
• Configuring the Router to Obtain the LLID for a Subscriber on page 88
• Troubleshooting Subscriber Preauthentication on page 89
• Configuring Custom Mappings for PPP Terminate Reasons on page 90
• Configuring Duplicate IPv6 Prefix Check on page 91
• Configuring Detection of Duplicate IPv6 Prefixes in the AAA User Profile Database on page 91
• Configuring the SRC Client on page 92
• Configuring the Forwarding of COPS Requests to the SRC Server Based on DCM Profiles on page 94
• Configuring the DHCPv6 Local Address Pools on page 95
• Example: Limiting the Number of Prefixes Used by DHCPv6 Clients on page 97
• Example: Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links on page 98
• Configuring IPv6 Neighbor Discovery Local Address Pools on page 99
• Overriding AAA to Perform IPCP and IPv6CP Negotiations Based on RADIUS-Returned Attributes on page 101
Remote Access Configuration Tasks
Before you begin to configure B-RAS, you need to collect the following information for
the RADIUS authentication and accounting servers:
• IP addresses
• User Datagram Protocol (UDP) port numbers
• Secret keys
Each configuration task is presented in a separate section in this chapter. Most of the
B-RAS configuration tasks are optional.
To configure B-RAS, perform the following tasks:
1. Configure a B-RAS license.
2. (Optional) Map a user domain name to a virtual router. By default, all requests go
through a default router.
3. (Optional) Set up domain name and realm name usage.
4. (Optional) Specify a single name for users from a domain.
5. Configure an authentication server on the router.
6. (Optional) Configure UDP checksums.
7. (Optional) Configure an accounting server on the router.
8. (Optional) Configure Domain Name System (DNS) and Windows Internet Name
Service (WINS) name server addresses.
9. (Optional) Configure a local address pool for remote clients.
10. (Optional) Configure one or more DHCP servers.
11. Create a PPP interface on which the router can dynamically create an IP interface.
12. (Optional) Configure AAA profiles.
13. (Optional) Use vendor-specific attributes (VSAs) for Dynamic Interfaces.
14. (Optional) Set idle or session timeout.
15. (Optional) Limit the number of active subscribers on a virtual router (VR) or port.
16. (Optional) Set up the router to notify RADIUS when a user fails AAA.
17. (Optional) Configure a RADIUS download server on the router.
18. (Optional) Configure the Session and Resource Control (SRC) client (formerly the
SDX client).
19. (Optional) Set baselines for AAA statistics or RADIUS authentication and accounting
statistics.
Related Documentation
• Remote Access Overview on page 4
Configuring a B-RAS License
From Global Configuration mode, configure a B-RAS license:
host1(config)#license b-ras k3n91s6gvtj
B-RAS licenses are available in various sizes to enable subscriber access for up to one
of the following maximum number of simultaneous active IP, LAC, and bridged Ethernet
interfaces:
• 4000
• 8000
• 16,000
• 32,000
• 48,000
NOTE: To use a B-RAS license for 16,000 or more interfaces, each of your
SRP modules must have 1 gigabyte (GB) of memory.
Related Documentation
• license b-ras
Configuring AAA Duplicate Accounting
To configure and enable duplicate accounting on a virtual router, you use the aaa accounting duplication command with the name of the accounting server that will receive the information. For example, to enable duplicate accounting for the default virtual router:
host1(config)#aaa accounting duplication xyzCompanyServer
Related Documentation
• aaa accounting duplication
Configuring AAA Broadcast Accounting
To configure and enable broadcast accounting on a virtual router:
1. Create the virtual router group and enter VR Group Configuration mode:
host1(config)#aaa accounting vr-group groupXyzCompany
host1(vr-group-config)#
2. Add up to four virtual routers to the group. The accounting information will be sent to
all virtual routers in the group.
host1(vr-group-config)#aaa virtual-router 1 vrXyz1
host1(vr-group-config)#aaa virtual-router 2 vrXyz2
host1(vr-group-config)#aaa virtual-router 3 vrXyz3
host1(vr-group-config)#exit
host1(config)#
3. Enable broadcast accounting. Enter the correct virtual router context, and specify the
virtual router group whose virtual routers will receive the accounting information.
host1(config)#virtual-router opVr100
host1:opVr100(config)#aaa accounting broadcast groupXyzCompany
Related Documentation
• aaa accounting broadcast
• aaa accounting vr-group
• virtual-router
Overriding AAA Accounting NAS Information
AAA accounting packets normally include two RADIUS attributes—NAS-IP-Address [4]
and NAS-Identifier [32]—of the virtual router that generates the accounting information.
You can override the default configuration and specify that accounting packets from
particular broadcast virtual routers instead include the NAS-IP-Address and NAS-Identifier
attributes of the authenticating virtual router.
To override the normal AAA accounting NAS information, access the correct virtual router
context, and use the radius override nas-info command. For example:
host1(config)#virtual-router vrXyz1
host1:vrXyz1(config)#radius override nas-info
host1:vrXyz1(config)#virtual-router vrXyz2
host1:vrXyz2(config)#radius override nas-info
host1:vrXyz2(config)#exit
host1(config)#
Related Documentation
• radius override nas-info
• virtual-router
Collecting Accounting Statistics
You can use the aaa accounting statistics command to specify how the AAA server
collects statistics on the sessions it manages. Use the volume-time keyword to specify
that AAA notifies applications to collect a full set of statistics from each of their
connections. Use the time keyword to specify that only the uptime status is collected
for each connection. Collecting only uptime information reduces the amount of data sent
to AAA and is a more efficient use of system resources for customers that do not need
a full set of statistics. The router collects a full set of statistics by default.
Related Documentation
• aaa accounting statistics
Configuring RADIUS AAA Servers
The number of RADIUS servers you can configure depends on available memory. The
router has an embedded RADIUS client for authentication and accounting.
NOTE: You can configure B-RAS with RADIUS accounting, but without
RADIUS authentication. In this configuration, the username and password
on the remote end are not authenticated and can be set to any value.
You must assign an IP address to a RADIUS authentication or accounting server to
configure it.
If you do not configure a primary authentication or accounting server, all authentication
and accounting requests will fail. You can configure other servers as backup in the event
that the primary server cannot be reached. Configure each server individually.
To configure an authentication or accounting RADIUS server:
1. Specify the authentication or accounting server address.
host1(config)#radius authentication server 10.10.10.1
host1(config-radius)#
or
host1(config)#radius accounting server 10.10.10.6
host1(config-radius)#
2. (Optional) Specify a UDP port for RADIUS authentication or accounting server requests.
host1(config-radius)#udp-port 1645
3. Specify an authentication or accounting server secret.
host1(config-radius)#key gismo
4. (Optional) Specify the number of retries the router makes to an authentication or
accounting server before it attempts to contact another server.
host1(config-radius)#retransmit 2
5. (Optional) Specify the number of seconds between retries.
host1(config-radius)#timeout 5
6. (Optional) Specify the maximum number of outstanding requests.
host1(config-radius)#max-sessions 100
7. (Optional) Specify the amount of time to remove a server from the available list when
a timeout occurs.
host1(config-radius)#deadtime 10
8. (Optional) In Global Configuration mode, specify whether the E Series router should
move on to the next RADIUS server when the router receives an Access-Reject message
for the user it is authenticating.
host1(config)#radius rollover-on-reject enable
9. (Optional) Enable duplicate address checking.
host1(config)#aaa duplicate-address-check enable
10. (Optional) Specify that duplicate accounting records be sent to the accounting server
for a virtual router.
host1(config)#aaa accounting duplication routerBoston
11. (Optional) Enter the correct virtual router context, and specify the virtual router group
to which broadcast accounting records are sent.
host1(config)#virtual-router vrSouth25
host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38
host1:vrSouth25(config)#exit
12. (Optional) Specify that immediate accounting updates be sent to the accounting
server when a response is received to an Acct-Start message.
host1(config)#aaa accounting immediate-update
13. (Optional) Specify whether the router collects all statistics or only the uptime status.
host1(config)#aaa accounting time
14. (Optional) Specify that tunnel accounting be enabled or disabled.
host1(config)#radius tunnel-accounting enable
15. (Optional) Specify the default authentication and accounting methods for the
subscribers.
host1(config)#aaa authentication ppp default radius none
16. (Optional) Disable UDP checksums on virtual routers you configure for B-RAS.
host1(config)#virtual-router boston
host1:boston(config)#radius udp-checksum disable
Related Documentation
• aaa accounting broadcast
• aaa accounting duplication
• aaa accounting immediate-update
• aaa authentication default
• aaa duplicate-address-check
• key
• max-sessions
• radius accounting server
• radius authentication server
• radius rollover-on-reject
• radius tunnel-accounting
• radius udp-checksum
• retransmit
• timeout
• udp-port
• virtual-router
Configuring SNMP Traps
This section describes how to configure the router to send traps to SNMP when RADIUS
servers fail to respond to messages, and how to configure SNMP to receive the traps.
To set up the router to send traps:
1. (Optional) Enable SNMP traps when a particular RADIUS authentication server fails
to respond to Access-Request messages.
host1(config)#radius trap auth-server-not-responding enable
2. (Optional) Enable SNMP traps when all of the configured RADIUS authentication
servers on a VR fail to respond to Access-Request messages.
host1(config)#radius trap no-auth-server-responding enable
3. (Optional) Enable SNMP traps when a RADIUS authentication server returns to active
service.
host1(config)#radius trap auth-server-responding enable
4. (Optional) Enable SNMP traps when a RADIUS accounting server fails to respond to
a RADIUS accounting request.
host1(config)#radius trap acct-server-not-responding enable
5. (Optional) Enable SNMP traps when all of the RADIUS accounting servers on a VR
fail to respond to a RADIUS accounting request.
host1(config)#radius trap no-acct-server-responding enable
6. (Optional) Enable SNMP traps when a RADIUS accounting server returns to active
service.
host1(config)#radius trap acct-server-responding enable
To set up SNMP to receive RADIUS traps:
1. Set up the appropriate SNMP community strings.
host1(config)#snmp-server community admin view everything rw
host1(config)#snmp-server community private view user rw
host1(config)#snmp-server community public view everything ro
2. Specify the interface whose IP address is the source address for SNMP traps.
host1(config)#snmp-server trap-source fastEthernet 0/0
3. Configure the host that should receive the SNMP traps.
host1(config)#snmp-server host 10.10.132.93 version 2c 3 udp-port 162 radius
4. Enable the SNMP router agent to receive and forward RADIUS traps.
host1(config)#snmp-server enable traps radius
5. Enable the SNMP on the router.
host1(config)#snmp-server
NOTE: For more information about these SNMP commands, see JunosE
System Basics Configuration Guide.
Related Documentation
• radius trap acct-server-responding
• radius trap acct-server-not-responding
• radius trap no-acct-server-responding
• radius trap auth-server-responding
• radius trap auth-server-not-responding
• radius trap no-auth-server-responding
• snmp-server
• snmp-server community
• snmp-server enable traps
• snmp-server host
• snmp-server trap-source
Creating the AAA Local Authentication Environment
To create your local authentication environment:
1. Create local user databases—Create the default database or a named database.
2. Add entries to local user databases—Add user entries to the database. A database
can contain information for multiple users.
3. Assign a local user database to the virtual router—Specify the database that the virtual
router will use to authenticate subscribers.
4. Enable local authentication on the virtual router—Specify the local method as an AAA
authentication method used by the virtual router.
Related Documentation
• Creating AAA Local User Databases on page 69
• Adding AAA User Entries to Local User Databases on page 70
• Adding AAA User Entries to Default Local User Databases on page 70
• Configuring AAA User Entries in Local User Databases on page 71
• Assigning a Local User Database to a Virtual Router on page 72
• Enabling Local Authentication on the Virtual Router on page 73
Creating AAA Local User Databases
When a subscriber connects to an E Series router that is using local authentication, the
local authentication server uses the entries in the local user database selected by the
virtual router to authenticate the subscriber.
A local authentication server can have multiple local user databases, and each database
can have entries for multiple subscribers. The default local user database, if it exists, is
used for local authentication by default. The E Series router supports a maximum of 100
user entries. A maximum of 100 databases can be configured.
To create a local user database, use the aaa local database command and the name
of the database; use the name default to create the default local user database:
host1(config)#aaa local database westLocal40
Related Documentation
• Adding AAA User Entries to Local User Databases on page 70
• Adding AAA User Entries to Default Local User Databases on page 70
• Configuring AAA User Entries in Local User Databases on page 71
• Assigning a Local User Database to a Virtual Router on page 72
• Enabling Local Authentication on the Virtual Router on page 73
• aaa local database
Adding AAA User Entries to Local User Databases
The local authentication server uses the information in a local user database to
authenticate a subscriber. A local user database can contain information for multiple
users.
The E Series router provides two commands for adding entries to local user databases:
the username command and the aaa local username command. You can specify the
following parameters:
• Username—Name associated with the subscriber.
• Passwords and secrets—Single words that can be encrypted or unencrypted. Passwords
use two-way encryption, and secrets use one-way encryption. Both passwords and
secrets can be used with PAP authentication; however, only passwords can be used
with CHAP authentication.
• IP address—The IP address to assign to the subscriber (aaa local username command
only).
• IP address pool—The IP address pool used to assign the subscriber’s IP address (aaa
local username command only).
• Operational virtual router—The virtual router to which the subscriber is assigned. This
parameter is applicable only if the subscriber is authenticated by the default virtual
router (aaa local username command only).
Related Documentation
• Creating AAA Local User Databases on page 69
• Adding AAA User Entries to Default Local User Databases on page 70
• Configuring AAA User Entries in Local User Databases on page 71
• Assigning a Local User Database to a Virtual Router on page 72
• Enabling Local Authentication on the Virtual Router on page 73
• aaa local username
• username
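The distinction drawn above between two-way passwords and one-way secrets, and why only a password can serve CHAP, is easiest to see by running both verifications against both kinds of entry. The following Python is an added example, not JunosE code: the entry layout, the PBKDF2 one-way function standing in for the router's unnamed algorithm, and the sample challenge are assumptions; the usernames and credentials reuse the guide's Example 1 below.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LocalUserEntry:
    """One local-user entry: a recoverable password OR a one-way secret, never
    both, mirroring the guide's rule for `password` versus `secret`. The
    one-way algorithm (PBKDF2-HMAC-SHA256) is an assumption; the guide does not
    name the router's own."""
    username: str
    password: Optional[str] = None      # two-way: cleartext is recoverable
    secret_salt: Optional[bytes] = None
    secret_hash: Optional[bytes] = None # one-way: cleartext is not recoverable

    def __post_init__(self) -> None:
        if (self.password is None) == (self.secret_hash is None):
            raise ValueError("assign exactly one of password or secret")


def _one_way(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def password_entry(username: str, password: str) -> LocalUserEntry:
    return LocalUserEntry(username, password=password)


def secret_entry(username: str, secret: str) -> LocalUserEntry:
    salt = os.urandom(16)
    return LocalUserEntry(username, secret_salt=salt, secret_hash=_one_way(secret, salt))


def pap_verify(entry: LocalUserEntry, presented: str) -> bool:
    """PAP (RFC 1334) delivers the cleartext password, so the server can compare
    it with a recoverable password or hash it and compare with a one-way secret."""
    if entry.password is not None:
        return hmac.compare_digest(entry.password.encode(), presented.encode())
    return hmac.compare_digest(entry.secret_hash, _one_way(presented, entry.secret_salt))


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || password || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password.encode() + challenge).digest()


def chap_verify(entry: LocalUserEntry, ident: int, challenge: bytes, response: bytes) -> bool:
    """The server must recompute the MD5 over the cleartext password. A one-way
    secret cannot supply it, which is why the guide limits CHAP to passwords."""
    if entry.password is None:
        return False
    return hmac.compare_digest(chap_response(ident, entry.password, challenge), response)


def demo() -> Dict[str, bool]:
    """Exercise both methods against both entry kinds (credentials from Example 1)."""
    pw_user = password_entry("cksmith", "yourPassword1")
    sec_user = secret_entry("btjones", "38schillCy")
    ident, challenge = 7, b"\x01\x02\x03\x04\x05\x06\x07\x08"   # constructed challenge
    good_pw = chap_response(ident, "yourPassword1", challenge)
    good_sec = chap_response(ident, "38schillCy", challenge)
    return {
        "pap_password": pap_verify(pw_user, "yourPassword1"),
        "pap_secret": pap_verify(sec_user, "38schillCy"),
        "pap_wrong": pap_verify(sec_user, "38schillcy"),
        "chap_password": chap_verify(pw_user, ident, challenge, good_pw),
        "chap_secret": chap_verify(sec_user, ident, challenge, good_sec),  # no cleartext
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The trade-off the model makes visible: a secret protects the credential if the configuration is disclosed (Example 4 below shows secrets always rendered encrypted, while a password appears in cleartext unless service password-encryption is enabled), but only a password lets the router answer a CHAP challenge.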
Adding AAA User Entries to Default Local User Databases
The username command is similar to the command used by some third-party vendors.
The command can be used to add entries in the default local user database; it is not
supported for named local user databases. The IP address, IP address pool, and
operational virtual router parameters are not supported in the username command.
However, after the user is added to the default local user database, you can use the aaa
local username command with a database name default to enter Local User
Configuration mode and add the additional parameters.
NOTE: If the default local user database does not exist, the username
command creates this database and adds the user entry to the database.
To add a subscriber and password or secret to the default local user database, complete
the following step:
host1(config)#username rockyB password rockyPassword
Related Documentation
• Creating AAA Local User Databases on page 69
• Adding AAA User Entries to Local User Databases on page 70
• Configuring AAA User Entries in Local User Databases on page 71
• Assigning a Local User Database to a Virtual Router on page 72
• Enabling Local Authentication on the Virtual Router on page 73
• username
Configuring AAA User Entries in Local User Databases
To enter Local User Configuration mode and add user entries to a local user database,
use the following commands:
1. Specify the subscriber’s username and the database you want to use. Use the database
name default to specify the default local user database. This command also puts the
router into Local User Configuration mode.
host1(config)# aaa local username cksmith database westLocal40
host1(config-local-user)#
NOTE: You can use the aaa local username command to add or modify
user entries to a default database that was created by the username
command.
2. (Optional) Specify the type of encryption algorithm and the password or secret that
the subscriber must use to connect to the router. A subscriber can be assigned either
a password or a secret, but not both. For example:
host1(config-local-user)#password 8 iTtakes2%
3. (Optional) Specify the IP address to assign to the subscriber.
host1(config-local-user)#ip-address 192.168.101.19
4. (Optional) Specify the IP address pool used to assign the subscriber’s IP address.
host1(config-local-user)#ip-address-pool svPool2
5. (Optional) Assign the subscriber to an operational virtual router. This parameter is
applicable only if the subscriber is authenticated in the default virtual router.
host1(config-local-user)#operational-virtual-router boston2
Related Documentation
• Creating AAA Local User Databases on page 69
• Adding AAA User Entries to Local User Databases on page 70
• Adding AAA User Entries to Default Local User Databases on page 70
• Assigning a Local User Database to a Virtual Router on page 72
• Enabling Local Authentication on the Virtual Router on page 73
• aaa local username
• ip-address
• ip-address-pool
• operational-virtual-router
• password
Assigning a Local User Database to a Virtual Router
Use the procedure in this section to assign a local user database to a virtual router. The
virtual router uses the database for local authentication when the subscriber connects
to the E Series router. Use the following commands in Global Configuration mode:
NOTE: If you do not specify a local user database, the virtual router selects
the default database by default. This applies to all virtual routers.
1. Specify the virtual router name.
host1(config)# virtual-router cleveland
2. Specify the database to use for authentication on this virtual router.
host1:cleveland(config)# aaa local select database westLocal40
Related Documentation
• Creating AAA Local User Databases on page 69
• Adding AAA User Entries to Local User Databases on page 70
• Adding AAA User Entries to Default Local User Databases on page 70
• Configuring AAA User Entries in Local User Databases on page 71
• Enabling Local Authentication on the Virtual Router on page 73
• aaa local select database
• virtual-router
Enabling Local Authentication on the Virtual Router
On the E Series router, RADIUS is the default AAA authentication method for PPP
subscribers. Use the commands in this section to specify that the local authentication
method is used.
To enable local authentication on the default router, use the following command:
host1(config)# aaa authentication ppp default local
To enable local authentication on a specific virtual router, first select the virtual router:
host1(config)# virtual-router cleveland
host1:cleveland(config)# aaa authentication ppp default local
Related Documentation
• Creating AAA Local User Databases on page 69
• Adding AAA User Entries to Local User Databases on page 70
• Adding AAA User Entries to Default Local User Databases on page 70
• Configuring AAA User Entries in Local User Databases on page 71
• Assigning a Local User Database to a Virtual Router on page 72
• aaa authentication default
• virtual-router
Example: Configuring AAA Local Authentication
This example creates a sample local authentication environment. The steps in this
example:
1. Create a named local user database (westfordLocal40).
2. Configure the database westfordLocal40.
  • Add users btjones and maryrdavis and their attributes to the database.
3. Create the default local database using the optional username command.
  • Add optional subscriber parameters for user cksmith to the default database.
4. Assign the default local user database to virtual router cleveland; assign database
westfordLocal40 to the default virtual router and to virtual router chicago.
5. Enable AAA authentication methods local and none on all virtual routers.
6. Use the show commands to display information for the local authentication
environment (various show command displays are listed after the example).
Example 1
This example shows the commands you use to create the AAA local authentication
environment.
host1(config)#aaa local database westfordLocal40
host1(config)#aaa local username btjones database westfordLocal40
host1(config-local-user)#secret 38schillCy
host1(config-local-user)#ip-address-pool addressPoolA
host1(config-local-user)#operational-virtual-router boston2
host1(config-local-user)#exit
host1(config)#aaa local username maryrdavis database westfordLocal40
host1(config-local-user)#secret 0 dav1sSecret99
host1(config-local-user)#ip-address 192.168.20.106
host1(config-local-user)#operational-virtual-router boston1
host1(config-local-user)#exit
host1(config)#username cksmith password 0 yourPassword1
host1(config)#aaa local username cksmith database default
host1(config-local-user)#ip-address-pool addressPoolA
host1(config-local-user)#operational-virtual-router boston2
host1(config-local-user)#exit
host1(config)#virtual-router cleveland
host1(config)#aaa local select database default
host1(config)#virtual-router default
host1(config)#aaa local select database westfordLocal40
host1(config)#virtual-router chicago
host1(config)#aaa local select database westfordLocal40
host1(config)#virtual-router default
host1(config)#aaa authentication ppp default local none
Example 2
This example verifies that local authentication is configured on the router.
host1#show aaa authentication ppp default
local none
Example 3
This example uses the show configuration category aaa local-authentication command
with the databases keyword to show the local user databases that are configured on
the router.
host1# show configuration category aaa local-authentication databases
! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication databases
!
hostname host1
aaa new-model
aaa local database default
aaa local database westfordLocal40
Example 4
This example uses the local-authentication users keywords to show the configured
users and their parameters. The password for username cksmith is displayed unencrypted
because the default setting of disabled or no for the service password-encryption
command is used for the example. Secrets are always displayed encrypted.
host1# show configuration category aaa local-authentication users
! Configuration script being generated on THU NOV 11 2004 13:40:41 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 10, 2004 21:15)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication users
!
hostname host1
aaa new-model
aaa local username cksmith database default
password yourPassword1
operational-virtual-router boston2
ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
secret 5 }9s7-4N<WK2)2=)^!6~#
operational-virtual-router boston2
ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
secret 5 E@A:nDXJJ<irb\`mF#[j
operational-virtual-router boston1
ip-address 192.168.20.106
Example 5
This example uses the users include-defaults keywords to show the configured users
and their parameters, including the default parameters no-ip-address and no
ip-address-pool.
host1# show configuration category aaa local-authentication users include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:03 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication users
!
hostname host1
aaa new-model
aaa local username cksmith database default
password yourPassword1
operational-virtual-router boston2
no ip-address
ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
secret 5 }9s7-4N<WK2)2=)^!6~#
operational-virtual-router boston2
no ip-address
ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
secret 5 E@A:nDXJJ<irb\`mF#[j
operational-virtual-router boston1
ip-address 192.168.20.106
no ip-address-pool
Example 6
This example uses the virtual-router keyword with the default specification to show the
local user database that is used by the default virtual router.
host1# show configuration category aaa local-authentication virtual-router default
! Configuration script being generated on TUE NOV 09 2004 13:09:45 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router default
aaa local select database westfordLocal40
Example 7
This example uses the virtual-router keyword with a named virtual router. The
include-defaults keyword shows the default configuration, including the line showing
that there is no named local user database selected.
host1# show configuration category aaa local-authentication virtual-router cleveland include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router cleveland
no aaa local select
Related Documentation
• aaa authentication default
• aaa local database
• aaa local select database
• aaa local username
• ip-address
• ip-address-pool
• operational-virtual-router
• password
• secret
• show aaa authentication default
• show configuration
• virtual-router
Configuring DNS Primary and Secondary NMS
To configure the DNS primary and secondary name server addresses:
1. Specify the IP address of the DNS primary name server.
host1(config)#aaa dns primary 10.10.10.5
or, for IPv6,
host1(config)#aaa ipv6-dns primary 2001:db8::8001
2. Specify the IP address of the DNS secondary name server.
host1(config)#aaa dns secondary 10.10.10.6
or, for IPv6,
host1(config)#aaa ipv6-dns secondary 2001:db8::8002
NOTE: The router uses name server addresses exclusively for PPP clients
and not for domain name server resolution.
Related Documentation
• aaa dns
• aaa ipv6-dns
Configuring WINS Primary and Secondary NMS
To configure the WINS primary and secondary name server addresses:
1. Specify the IP address of the WINS primary name server.
host1(config)#aaa wins primary 192.168.10.05
2. Specify the IP address of the WINS secondary name server.
host1(config)#aaa wins secondary 192.168.10.40
NOTE: The router uses name server addresses exclusively for PPP clients
and not for domain name server resolution.
Related Documentation
• aaa wins
Configuring a Local Address Server
You can create, modify, and delete address pools. You can display address pool
information or status with the show ip local pool command. The following are examples
of tasks you can configure:
• Specify an addressing scheme.
host1(config)#ip address-pool local
• Map an address pool name to a range of local addresses. You can also use this
command to add additional ranges to a pool.
host1(config)#ip local pool addrpool_10 192.168.56.10 192.168.56.15
• Map a primary local address pool name to a domain name.
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#address-pool-name poolA
• (Optional) Map a backup address pool to a domain name, which is used for address
allocation if the primary local address pool is fully allocated.
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#backup-address-pool-name backup_poolB
• (Optional) Map the domain name to the IPv6 local address pool, which is used for
prefix delegation. If the authentication server returns the prefix pool name in the
Framed-Ipv6-Pool attribute of the RADIUS-Accept-Request message, this value
overrides the IPv6 local pool configured using the ipv6-prefix-pool-name command.
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#ipv6-prefix-pool-name local_addr_pool
• Delete an address pool.
host1(config)#no ip local pool addrpool_10
NOTE: If a pool or range is deleted and addresses are outstanding, the
AAA server logs out the clients using the addresses.
• Create a shared local address pool.
host1(config)#ip local shared-pool Shared_LAS_Pool_A DHCP_Pool_1
• Delete a shared local address pool.
host1(config)#no ip local shared-pool Shared_LAS_Pool_C
• Set SNMP variables by specifying an existing pool name and values.
host1(config)#ip local pool addrpool_10 warning 90 80
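The tasks listed above interact: a pool may hold several ranges, a domain map names a primary pool and a backup that is used only once the primary is fully allocated, a pool can carry warning thresholds, and deleting a pool with outstanding addresses logs those clients out. The following Python model is an added example, not router code. The pool and domain names follow the commands above; reading the two warning values as the utilisation percentages at which an SNMP warning is raised and cleared is an assumption (the guide only says they set SNMP variables), and the subscribers are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class LocalPool:
    """`ip local pool <name> <first> <last>` (repeatable to add ranges) plus the
    `warning <high> <low>` thresholds (raise/clear semantics assumed)."""
    name: str
    ranges: List[Tuple[IPv4, IPv4]] = field(default_factory=list)
    warn_high: Optional[int] = None
    warn_low: Optional[int] = None
    leases: Dict[IPv4, str] = field(default_factory=dict)   # address -> subscriber
    warning_active: bool = False

    def add_range(self, first: str, last: str) -> None:
        a, b = IPv4(first), IPv4(last)
        if b < a:
            raise ValueError(f"{self.name}: range end {last} precedes start {first}")
        self.ranges.append((a, b))

    def size(self) -> int:
        return sum(int(b) - int(a) + 1 for a, b in self.ranges)

    def utilisation(self) -> float:
        return 100.0 * len(self.leases) / self.size() if self.size() else 0.0

    def allocate(self, subscriber: str) -> Optional[IPv4]:
        for a, b in self.ranges:
            for n in range(int(a), int(b) + 1):
                addr = IPv4(n)
                if addr not in self.leases:
                    self.leases[addr] = subscriber
                    return addr
        return None                      # fully allocated: caller may try the backup

    def release(self, addr: IPv4) -> None:
        self.leases.pop(addr, None)

    def warning_event(self) -> Optional[str]:
        """Hysteresis: 'raise' once utilisation reaches warn_high, 'clear' once it
        drops below warn_low, otherwise None (no repeated traps)."""
        if self.warn_high is None or self.warn_low is None:
            return None
        u = self.utilisation()
        if not self.warning_active and u >= self.warn_high:
            self.warning_active = True
            return "raise"
        if self.warning_active and u < self.warn_low:
            self.warning_active = False
            return "clear"
        return None


class LocalAddressServer:
    """Pools plus the `aaa domain-map` primary/backup pool selection."""

    def __init__(self) -> None:
        self.pools: Dict[str, LocalPool] = {}
        self.domain_map: Dict[str, Tuple[str, Optional[str]]] = {}
        self.events: List[Tuple[str, str]] = []      # (pool, 'raise' | 'clear')

    def ip_local_pool(self, name: str, first: str, last: str) -> None:
        self.pools.setdefault(name, LocalPool(name)).add_range(first, last)

    def warning(self, name: str, high: int, low: int) -> None:
        self.pools[name].warn_high, self.pools[name].warn_low = high, low

    def domain_map_pools(self, domain: str, primary: str, backup: Optional[str] = None) -> None:
        self.domain_map[domain] = (primary, backup)

    def _note(self, pool: LocalPool) -> None:
        ev = pool.warning_event()
        if ev:
            self.events.append((pool.name, ev))

    def allocate(self, domain: str, subscriber: str) -> Optional[Tuple[str, IPv4]]:
        """Primary pool first; the backup only once the primary is fully allocated."""
        primary, backup = self.domain_map[domain]
        for pool_name in (primary, backup):
            if pool_name is None:
                continue
            pool = self.pools[pool_name]
            addr = pool.allocate(subscriber)
            if addr is not None:
                self._note(pool)
                return pool_name, addr
        return None                                  # both pools exhausted

    def release(self, pool_name: str, addr: IPv4) -> None:
        pool = self.pools[pool_name]
        pool.release(addr)
        self._note(pool)

    def delete_pool(self, name: str) -> List[str]:
        """`no ip local pool <name>`: subscribers still holding addresses are logged out."""
        pool = self.pools.pop(name)
        return sorted(set(pool.leases.values()))
```

The hysteresis in warning_event is the reason a high and a low value are both useful: a single threshold would flap a trap on every allocation and release near the boundary.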
Related Documentation
• aaa domain-map
• address-pool-name
• backup-address-pool-name
• ip address-pool
• ip local pool
• ip local shared-pool
• ipv6-prefix-pool-name
Creating an IP Interface
You can configure IP interfaces that support the following configurations:
• Configuring Single PPP Clients per ATM Subinterface on page 79
• Configuring Multiple PPP Clients per ATM Subinterface on page 80
Configuring Single PPP Clients per ATM Subinterface
Figure 3 on page 79 shows a conceptual view of the configuration of a single PPP client
per ATM subinterface.
Figure 3: Single PPP Clients per ATM Subinterface
Configure an ATM interface by entering Configuration mode and performing the following
tasks. For more information about configuring ATM interfaces, see JunosE Link Layer
Configuration Guide.
1. Configure a physical interface.
host1(config)#interface atm 0/1
2. Configure the subinterface.
host1(config-if)#interface atm 0/1.20
3. Configure a permanent virtual circuit (PVC) by specifying the vcd (virtual circuit
descriptor), the vci (virtual channel identifier), the vpi (virtual path identifier), and the
encapsulation type.
host1(config-if)#atm pvc 10 22 100 aal5snap
4. Configure PPP encapsulation.
host1(config-if)#encapsulation ppp
5. Configure PAP or CHAP authentication.
host1(config-if)#ppp authentication chap
6. Assign a profile to the PPP interface.
host1(config-subif)#profile foo
Configuring Multiple PPP Clients per ATM Subinterface
Figure 4 on page 80 shows how PPPoE supports multiplexing of multiple PPP sessions
per ATM subinterface.
Figure 4: Multiple PPP Clients per ATM Subinterface
Configure an ATM interface by entering Configuration mode and performing the following
tasks. For more information about configuring ATM interfaces, see JunosE Link Layer
Configuration Guide.
1. Configure a physical interface.
host1(config)#interface atm 0/1
2. Configure the subinterface.
host1(config-if)#interface atm 0/1.20
3. Configure a PVC by specifying the vcd (virtual circuit descriptor), the vci (virtual channel
identifier), the vpi (virtual path identifier), and the encapsulation type.
host1(config-if)#atm pvc 10 22 100 aal5snap
4. Configure PPPoE encapsulation.
host1(config-if)#encapsulation pppoe
5. Configure the subinterface for one PPP client.
host1(config-if)#interface atm 0/1.20.1
6. Configure PPP encapsulation.
host1(config-if)#encapsulation ppp
7. Configure PAP or CHAP authentication.
host1(config-if)#ppp authentication chap
8. Apply the profile to the PPP interface.
host1(config-subif)#profile foo2
9. Configure the subinterface for a second PPP client.
host1(config-if)#interface atm 0/1.20.2
10. Configure PPP encapsulation.
host1(config-if)#encapsulation ppp
11. Configure PAP or CHAP authentication.
host1(config-if)#ppp authentication chap
12. Apply the profile to the PPP interface.
host1(config-subif)#profile foo2
Related Documentation
• atm pvc
• encapsulation ppp
• interface
• ppp authentication
• profile
Controlling Access to Domain Names
You can control a PPP subscriber’s access to certain domains on given interfaces. As the
administrator, you can use the deny command to prevent PPP subscribers from using
unauthorized domain names. Using the allow command, you can allow PPP subscribers
to use authorized domain names.
In this example, the administrator wants to restrict access of a PPP interface to the
specific domain abc.com.
1. Create an AAA profile.
host1(config)#aaa profile restrictToABC
2. Specify the domain name you want to allow.
host1(config-aaa-profile)#allow abc.com
3. Specify the domain name you want to restrict.
host1(config-aaa-profile)#deny default
4. Associate the AAA profile to the designated PPP interface.
host1(config-if)#ppp aaa-profile restrictToABC
When configured as such, the following is a likely scenario:
• PPP passes the AAA profile restrictToABC to AAA in the authentication request.
• AAA performs the following:
  • Receives the authentication request from PPP with the subscriber’s name
  will@xyz.com.
  • Parses the domain name xyz.com and examines the specified AAA profile
  restrictToABC.
  • Determines that the AAA profile restrictToABC is valid.
  • Searches restrictToABC for a match on the PPP subscriber’s domain name and
  finds no match.
  • Searches restrictToABC for a match on the domain name default.
  • Finds a match and denies the user access.
Related Documentation
• aaa profile
• allow
• deny
• ppp aaa-profile
Example: Associating all Subscribers of a PPP Interface with a Specific Domain Name
In this example, an administrator wants to associate all subscribers of a PPP interface
with a specific domain name.
1. Create an AAA profile.
host1(config)#aaa profile forwardToXyz
2. Map the original domain name to the mapped domain name for domain map lookup.
host1(config-aaa-profile)#translate default xyz.com
3. Associate the AAA profile with the designated PPP interface.
host1(config-if)#ppp aaa-profile forwardToXyz
When configured as such, the following scenario is typical:
• PPP passes the AAA profile forwardToXyz to AAA in the authentication request.
• AAA performs the following tasks:
  • Receives the authentication request from PPP with the subscriber’s name
  morris@abc.com.
  • Parses the domain name abc.com and examines the specified AAA profile
  forwardToXyz.
  • Determines that the AAA profile forwardToXyz is valid.
  • Searches forwardToXyz for a match on the PPP subscriber’s domain name and
  finds no match.
  • Searches forwardToXyz for a match on the domain name default.
  • Finds a match and continues as normal using the domain name xyz.com.
NOTE: If there is no matching entry in the AAA profile for the user’s
domain name or for the domain name default, then AAA continues
processing as if there were no AAA profile.
If the user’s name does not contain a domain name, then AAA attempts
to match to the domain name none in the AAA profile. If there is no entry
for none, then AAA attempts to match for the domain name default in
the AAA profile. If there is no entry for either none or default, then AAA
continues processing as if there were no AAA profile.
Related Documentation
• aaa profile
• allow
• deny
• ppp aaa-profile
• translate
Example: Associating Multiple Domain Names with a Specific Domain Name
In this example, an administrator wants to use aliases; that is, to associate multiple
domain names with a specific domain name and not allow other domain names.
1. Create an AAA profile.
host1(config)#aaa profile toAbc
2. Map the original domain name to the mapped domain name for domain map lookup.
host1(config-aaa-profile)#translate abc1.com abc.com
host1(config-aaa-profile)#translate abc2.com abc.com
host1(config-aaa-profile)#translate abc3.com abc.com
3. Specify the domain name you want to restrict.
host1(config-aaa-profile)#deny default
4. Associate the AAA profile with the designated PPP interface.
host1(config-if)#ppp aaa-profile toAbc
When configured as such, the following scenario is typical:
• PPP passes the AAA profile toAbc to AAA in the authentication request.
• AAA:
  • Receives the authentication request from PPP with the subscriber’s name
  jane@abc1.com
  • Parses the domain name abc1.com and examines the specified AAA profile toAbc
  • Determines that the AAA profile toAbc is valid
  • Searches toAbc for a match on the PPP subscriber’s domain name and finds a match
  • Continues as normal using the domain name abc.com
NOTE: If there is no matching entry in the AAA profile for the user’s
domain name or for the domain name default, then AAA continues
processing as if there were no AAA profile.
If the user’s name does not contain a domain name, then AAA attempts
to match to the domain name none in the AAA profile. If there is no entry
for none, then AAA attempts to match for the domain name default in
the AAA profile. If there is no entry for either none or default, then AAA
continues processing as if there were no AAA profile.
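The lookup order that the three scenarios and the note above describe (the subscriber's own domain, then none for a name that carries no domain, then default, with no matching entry meaning AAA proceeds as if no profile were applied) is shown here as an added Python model, not JunosE code. It builds the profiles restrictToABC, forwardToXyz, and toAbc exactly as the examples configure them; the rule that one domain key holds one action (a later command for the same key replaces the earlier one) and the extra subscribers ann@abc.com, jane@other.com, and bob are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AaaProfile:
    """An AAA profile as a map from domain-name key to one action, mirroring the
    allow, deny, and translate commands. One key holds one action (assumption)."""
    name: str
    entries: Dict[str, Tuple[str, Optional[str]]] = field(default_factory=dict)

    def allow(self, domain: str) -> "AaaProfile":
        self.entries[domain] = ("allow", None)
        return self

    def deny(self, domain: str) -> "AaaProfile":
        self.entries[domain] = ("deny", None)
        return self

    def translate(self, original: str, mapped: str) -> "AaaProfile":
        self.entries[original] = ("translate", mapped)
        return self


def split_username(user: str) -> Tuple[str, Optional[str]]:
    """'morris@abc.com' -> ('morris', 'abc.com'); a name with no '@' has no domain.
    Splitting on the last '@' keeps an '@' inside the user part out of the domain."""
    if "@" not in user:
        return user, None
    name, domain = user.rsplit("@", 1)
    return name, domain or None


def resolve(profile: Optional[AaaProfile], user: str) -> Tuple[str, Optional[str]]:
    """Return (decision, domain passed on to the domain-map lookup).

    Decisions: 'allow' and 'deny' keep the parsed domain; 'translate' carries the
    mapped domain; 'no-profile' means AAA continues as if no profile were applied."""
    _, domain = split_username(user)
    if profile is None:
        return "no-profile", domain
    # The guide's order: the subscriber's domain (or 'none' when absent), then 'default'.
    keys = [domain if domain is not None else "none", "default"]
    for key in keys:
        hit = profile.entries.get(key)
        if hit is None:
            continue
        action, mapped = hit
        if action == "translate":
            return "translate", mapped
        return action, domain
    return "no-profile", domain


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """The guide's three profiles applied to its subscribers plus constructed ones."""
    restrict = AaaProfile("restrictToABC").allow("abc.com").deny("default")
    forward = AaaProfile("forwardToXyz").translate("default", "xyz.com")
    to_abc = (AaaProfile("toAbc")
              .translate("abc1.com", "abc.com")
              .translate("abc2.com", "abc.com")
              .translate("abc3.com", "abc.com")
              .deny("default"))
    return {
        "will@xyz.com/restrictToABC": resolve(restrict, "will@xyz.com"),
        "ann@abc.com/restrictToABC": resolve(restrict, "ann@abc.com"),
        "morris@abc.com/forwardToXyz": resolve(forward, "morris@abc.com"),
        "jane@abc1.com/toAbc": resolve(to_abc, "jane@abc1.com"),
        "jane@other.com/toAbc": resolve(to_abc, "jane@other.com"),
        "bob/forwardToXyz": resolve(forward, "bob"),   # no domain: 'none', then 'default'
        "bob/allowOnly": resolve(AaaProfile("allowOnly").allow("abc.com"), "bob"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32} -> {outcome}")
```

The last two cases are the ones worth checking on a real profile: a subscriber with no domain falls through to default, so a deny default entry also rejects domainless names, while a profile with neither none nor default lets them through untouched.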
Related Documentation
• aaa profile
• allow
• deny
• ppp aaa-profile
• translate
Configuring an AAA Per-Profile Attribute List
JunosE Software enables you to configure AAA-specific attributes for subscribers attached
to a specific PPP profile. If a per-profile list is configured, then only the attributes specified
in the per-profile list are processed. If no per-profile list is configured, then the standard
AAA attribute configuration applies.
NOTE: The attributes supported by the per-profile list take precedence over
the standard AAA attribute configuration. By default, the inclusion of all
attributes is disabled in the per-profile list.
This feature enables you to configure the following AAA attributes:
• tunnel ignore nas-port
• tunnel ignore nas-port-type
In this example, AAA-specific attributes are configured for subscribers attached to a
specific PPP profile. You can configure this as follows:
1. Create an AAA per-profile attribute list, and configure the required AAA attributes in
the list.
host1(config)#aaa per-profile-attr-list abc
host1 (config-perprofile-list)#action-type enable
host1 (config-perprofile-list)#attributes tunnel-ignore-nasport tunnel-ignore-nasport-type
2. Create an AAA profile.
host1(config)#aaa profile aaaprofile1
3. Specify the AAA attribute list in the AAA profile.
host1(config-aaa-profile)#aaa-perprofilelist-name abc
4. Create a PPP profile.
host1(config)#profile pppprofile1
5. Attach the AAA profile name to the PPP profile.
host1(config-profile)#ppp aaa-profile aaaprofile1
6. To view the attributes configured in the AAA per-profile attribute list, issue the show
aaa per-profile-attr-list command.
host1#show aaa per-profile-attr-list abc
Profile name: abc
Attribute Name              Status
––––––––––––––––––––––––––  ––––––––
tunnel-ignore-nasport       enabled
tunnel-ignore-nasport-type  enabled
Related Documentation
• aaa profile
• aaa-perprofilelist-name
• aaa per-profile-attr-list (For Global Configuration)
• action-type
• attributes (AAA)
• ppp aaa-profile
• profile
• show aaa per-profile-attr-list
Configuring the NAS-Port-Type Attribute Manually
You can manually configure the NAS-Port-Type RADIUS attribute (attribute 61) in AAA
profiles for ATM and Ethernet interfaces. Doing so allows AAA profiles to determine the
NAS port type for a given connection.
To set the NAS-Port-Type attribute for ATM or Ethernet interfaces:
1. Create an AAA profile.
host1(config)#aaa profile nasPortType
2. (Optional) Set the NAS-Port-Type attribute for ATM interfaces.
host1(config-aaa-profile)#nas-port-type atm wireless-80211
3. (Optional) Set the NAS-Port-Type attribute for Ethernet interfaces.
host1(config-aaa-profile)#nas-port-type ethernet wireless-cable
Related Documentation
• aaa profile
• nas-port-type atm
• nas-port-type ethernet
Configuring a Service Description for the AAA Profile
You can specify a service description that will be associated with an AAA profile. The
description can then be exported through RADIUS by the Service-Description attribute
(RADIUS attribute 26-53) in AAA profiles.
To set the Service-Description attribute:
1. Create the AAA profile.
host1(config)#aaa profile xyzCorpPro2
2. Set the Service-Description attribute.
host1(config-aaa-profile)#service-description bos-xyzcorp
Related Documentation
• aaa profile
• service-description
Configuring the Route-Download Server to Download Routes
When you configure the E Series router as a route-download server, you specify the
RADIUS server from which you want to download routes to your router. You can also modify
the route-download server’s default configuration parameters, such as when to start the
download process each day, how often to download routes, and how long to wait
after a download error before retrying the process.
To configure a RADIUS route-download server to download IPv4 routes:
1. Specify the IP address and the key of the RADIUS server from which you want to
download routes.
host1(config)#radius route-download server 192.168.1.17
host1(config-radius)#key 35radsrv92
2. (Optional) Specify the UDP port used for RADIUS route-download server requests.
host1(config-radius)#udp-port 1812
host1(config-radius)#exit
host1(config)#
3. Enable the route-download feature and optionally modify default parameters as
needed.
host1(config)#aaa route-download 1200 retry-interval 25 password Configured synchronization 03:45:00
4. (Optional) Verify your route-download configuration:
host1(config)#exit
host1#show aaa route-download
AAA Route Downloader:      configured in virtual router default
Download Interval:         1200 minutes
Retry Interval:            25 minutes
Default Cost:              2
Default Tag:               0
Base User Name:            <HOSTNAME>
Password:                  Configured
Synchronization:           03:45:00
Status:                    downloading
Last Download Attempt:     TUE FEB 9 22:07:30 2007
Last Download Success:     <NEVER>
Last Regular Download:     not complete
Next Download Scheduled:   <DOWNLOAD ACTIVE>
Next Regular Download:     WED FEB 9 22:27:00 2007
To configure a RADIUS route-download server to download IPv6 routes:
1. Specify the IPv6 address and the key of the RADIUS server from which you want to
download routes.
host1(config)#radius route-download server 192.168.1.17
host1(config-radius)#key 35radsrv92
2. (Optional) Specify the UDP port used for RADIUS route-download server requests.
host1(config-radius)#udp-port 1812
host1(config-radius)#exit
host1(config)#exit
3. Enable the route-download feature and optionally modify default parameters as
needed.
host1(config)#aaa route-download ipv6
4. (Optional) Verify your route-download configuration:
host1(config)#exit
host1#show aaa route-download ipv6
AAA Route Downloader:      configured in virtual router default
Download Interval:         720 minutes
Retry Interval:            10 minutes
Default Cost:              2
Default Tag:               0
Base User Name:            <HOSTNAME>
Password:                  <DEFAULT>
Synchronization:           <NOT SET>
Status:                    idle
Last Download Attempt:     TUE DEC 13 2011 00:05:43 UTC
Last Download Success:     TUE DEC 13 2011 00:05:43 UTC
Last Regular Download:     complete
Next Download Scheduled:   TUE DEC 13 2011 12:05:42 UTC
Next Regular Download:     TUE DEC 13 2011 12:05:42 UTC
NOTE: If optional parameters such as retry-interval, synchronization, tag,
cost, and download interval are configured for either IPv4 or IPv6 route
downloads, they are applied to both IPv4 and IPv6 route downloads.
However, the username and password are configured separately for IPv4
and IPv6 routes.
Related Documentation
• aaa route-download
• aaa route-download ipv6
• key
• radius route-download server
• show aaa route-download
• udp-port
Configuring the Router to Obtain the LLID for a Subscriber
To configure the router to obtain the LLID for a subscriber:
1. Create an AAA profile that supports subscriber preauthentication.
host1(config)#aaa profile preAuthLlid
host1(config-aaa-profile)#pre-authenticate
host1(config-aaa-profile)#exit
2. Define a RADIUS preauthentication server.
host1(config)#radius pre-authentication server 10.10.10.1
host1(config-radius)#key abc123
host1(config-radius)#exit
3. Associate the AAA profile with the designated PPP interface.
host1(config)#interface atm 4/3.101
host1(config-subif)#ppp aaa-profile preAuthLlid
4. (Optional) Verify that preauthentication support is configured for the AAA profile.
host1(config-subif)#run show aaa profile name PreAuthLlid
preAuthLlid:
atm nas-port-type: ADLSL-CAP
ethernet nas-port-type: Cable
profile-service-description: xyzService
pre-authenticate
allow xyz.com
deny default
translate xyz1.com abc.com
For information, see “Setting Baselines for Remote Access” on page 105.
5. (Optional) Verify configuration of the RADIUS preauthentication server.
Chapter 2: Configuring Remote Access
host1(config-subif)#run show radius pre-authentication servers
                RADIUS Pre-Authentication Configuration
IP Address  Udp Port  Retry Count  Timeout  Maximum Sessions  Dead Time  Secret
----------  --------  -----------  -------  ----------------  ---------  ------
10.10.10.1  1812      3            3        255               0          radius
You can also display configuration information for preauthentication servers by using
the show radius servers command. For information, see “Setting Baselines for Remote
Access” on page 105.
6. (Optional) Display statistics for the RADIUS preauthentication server.
To display preauthentication statistics, use the show radius pre-authentication
statistics command. For information, see “Setting Baselines for Remote Access” on
page 105.
To display a count of preauthentication requests and responses, use the show aaa
statistics command. For information, see “Setting Baselines for Remote Access” on
page 105.
Related Documentation
• aaa profile
• interface
• key
• ppp aaa-profile
• pre-authenticate
• radius pre-authentication server
• show aaa profile
• show radius servers
Troubleshooting Subscriber Preauthentication
Problem
You can configure the router to send traps to SNMP when a RADIUS preauthentication
server fails to respond to messages. To do so, you use the same procedure and commands
as you do to configure SNMP traps for a RADIUS authentication server.
Solution
For example, to enable SNMP traps when a particular RADIUS preauthentication server
fails to respond to Access-Request messages, use the radius trap
auth-server-not-responding enable command.
Related Documentation
• Configuring SNMP Traps on page 67
• radius trap auth-server-not-responding
Configuring Custom Mappings for PPP Terminate Reasons
This example describes a sample configuration procedure that creates custom mappings
for PPP terminate reasons.
1. Configure the router to include the Acct-Terminate-Cause attribute in RADIUS Acct-Off
messages.
host1(config)#radius include acct-terminate-cause acct-off enable
2. (Optional) Display the current PPP terminate-cause mappings.
host1(config)# run show terminate-code ppp
Apps  Terminate Reason                              Description                                   Radius Code
----  --------------------------------------------  --------------------------------------------  -----------
ppp   authenticate-authenticator-timeout            authenticate authenticator timeout            17
ppp   authenticate-challenge-timeout                authenticate challenge timeout                10
ppp   authenticate-chap-no-resources                authenticate chap no resources                10
ppp   authenticate-chap-peer-authenticator-timeout  authenticate chap peer authenticator timeout  17
ppp   authenticate-deny-by-peer                     authenticate deny by peer                     17
ppp   authenticate-inactivity-timeout               authenticate inactivity timeout               4
--More--
3. (Optional) Display all PPP terminate reasons.
host1(config)# terminate-code ppp ?
  authenticate-authenticator-timeout           Configure authenticate authenticator timeout translation
  authenticate-challenge-timeout               Configure authenticate challenge timeout translation
  authenticate-chap-no-resources               Configure authenticate chap no resources translation
  authenticate-chap-peerauthenticator-timeout  Configure authenticate chap peer authenticator timeout translation
  authenticate-deny-by-peer                    Configure authenticate deny by peer translation
--More--
4. Configure your customized PPP terminate-cause to RADIUS Acct-Terminate-Cause
code mappings.
host1(config)#terminate-code ppp authenticate-authenticator-timeout radius 3
host1(config)#terminate-code ppp authenticate-challenge-timeout radius 4
5. Verify the new terminate-cause mappings.
host1(config)#run show terminate-code ppp
Apps  Terminate Reason                              Description                                   Radius Code
----  --------------------------------------------  --------------------------------------------  -----------
ppp   authenticate-authenticator-timeout            authenticate authenticator timeout            3
ppp   authenticate-challenge-timeout                authenticate challenge timeout                4
ppp   authenticate-chap-no-resources                authenticate chap no resources                10
ppp   authenticate-chap-peer-authenticator-timeout  authenticate chap peer authenticator timeout  17
ppp   authenticate-deny-by-peer                     authenticate deny by peer                     17
ppp   authenticate-inactivity-timeout               authenticate inactivity timeout               4
ppp   authenticate-max-requests                     authenticate max requests                     10
--More--
Related Documentation
• radius include
• show terminate-code
• terminate-code
Configuring Duplicate IPv6 Prefix Check
You can enable detection of duplicates of IPv6 Neighbor Discovery router advertisement
prefixes and DHCPv6 delegated prefixes.
To enable detection of duplicate IPv6 prefixes:
From Global Configuration mode, enable the prefix-checking capability.
host1(config)#aaa duplicate-prefix-check enable
Related Documentation
• Duplicate IPv6 Prefix Check Overview on page 40
• aaa duplicate-prefix-check
Configuring Detection of Duplicate IPv6 Prefixes in the AAA User Profile Database
You can enable detection of duplicates of IPv6 Neighbor Discovery router advertisement
prefixes and DHCPv6 delegated prefixes in the AAA user profile database.
To enable enhanced detection of duplicate IPv6 prefixes:
• From Global Configuration mode, enable the enhanced duplicate IPv6 prefix-checking
capability.
host1(config)#aaa duplicate-prefix-check-extension enable
Related Documentation
• Duplicate IPv6 Prefix Detection in the AAA User Profile Database Overview on page 40
• Monitoring Duplicate IPv6 Prefixes in the AAA User Profile Database on page 145
• aaa duplicate-prefix-check-extension
Configuring the SRC Client
You can configure SRC clients on a per-virtual-router basis. To configure the SRC client:
1. Enable the SRC client. With the CLI sscc enable command you can specify
BER-encoded information exchange for COPS-PR.
host1(config)#sscc enable cops-pr
2. Specify the IP addresses of up to three service activation engines (SAEs) (primary,
secondary, and tertiary). You can optionally specify the port on which the SAEs listen
for activity.
host1(config)#sscc primary address
host1(config)#sscc secondary address 192.168.12.1 port 3288
3. (Optional) Enable policy and QoS configuration support for IPv6 interfaces.
host1(config)#sscc protocol ipv6
4. (Optional) Enable policy and QoS configuration support for L2TP interfaces on an
L2TP access concentrator (LAC).
host1(config)#sscc protocol lac
5. (Optional) Specify on which router the TCP/COPS connection is to be established.
host1(config)#sscc transportRouter chicago
NOTE: If a COPS connection is already in the open state (shown in the “The
Connection State is” field of the show sscc info command output), a router
that you subsequently configure with the sscc transportRouter name command
as the router on which the COPS connection is to be established does not
take effect.
6. (Optional) Specify a fixed source address for the TCP/COPS connection created for
an SRC client session.
host1(config)#sscc sourceAddress 10.9.123.8
7. (Optional) Specify a fixed source interface for the TCP/COPS connection.
host1(config)#sscc sourceInterface atm 3/0
8. (Optional) Specify the delay period during which the SRC client waits for a response
from the SAE.
host1(config)#sscc retryTimer 120
9. (Optional) Enable the user IP address mask to be sent to a Policy Decision Point (PDP)
in place of the interface IP address mask for a virtual router.
host1(config)#sscc option user-ip-mask-override
10. (Optional) Enable the calling station ID to be sent to a PDP for a virtual router.
host1(config)#sscc option send-calling-station-id
You can configure a virtual router to send the default calling station ID or the overridden
calling station ID to the SRC Server irrespective of the RADIUS settings. If you want
to enable the SRC client to send the Calling-Station-Id [31] RADIUS attribute to the
COPS server only if this attribute is included in the RADIUS Access-Request, Acct-Start,
or Acct-Stop messages, you can use the radius-default-value attribute with the sscc
option send-calling-station-id command.
host1(config)#sscc option send-calling-station-id radius-default-value
If you want to enable the SRC client to send the Calling-Station-Id [31] RADIUS
attribute to the COPS server, regardless of whether this attribute is included in the
RADIUS Access-Request, Acct-Start, or Acct-Stop messages, you can use the
radius-overridden-value attribute with the sscc option send-calling-station-id
command.
host1(config)#sscc option send-calling-station-id radius-overridden-value
You must configure either the radius calling-station-format command or the radius
override calling-station-id remote-circuit-id before you enable the functionality to
cause the calling station ID to be always sent to the PDP for a virtual router, regardless
of whether the ID is included or excluded from the Access-Request and Acct-Start
messages.
NOTE: If you did not configure the Calling-Station-Id attribute format using
the radius calling-station-format command, or did not configure the PPPoE
remote circuit ID to be used in RADIUS messages instead of
Calling-Station-Id using the radius override calling-station-id command,
the Calling-Station-Id attribute is sent to the COPS server from the SRC
client only if this attribute is contained in the RADIUS messages. In such
a scenario, the attribute is not sent from the SRC client to the COPS server
even if you configured the sscc option send-calling-station-id
radius-overridden-value command.
11. (Optional) Enable the local QoS profile attachment information to be sent to a PDP
for a virtual router.
host1(config)#sscc option send-local-qos-profile-config
12. (Optional) Enable the LAC side NAS-IP address information to be sent to a PDP for
a virtual router.
host1(config)#sscc option send-lac-nas-ip
13. (Optional) Enable the LAC side NAS-Port information to be sent to a PDP for a virtual
router.
host1(config)#sscc option send-lac-nas-port
14. (Optional) Enable the SRC client to obtain updated line rate parameters from ANCP
and transmit them to the COPS server.
host1(config)#sscc update-policy-request enable
15. (Optional) Restart a COPS connection to, and resynchronize with, a PDP.
host1#sscc restart
Related Documentation
• sscc address
• sscc enable
• sscc option
• sscc protocol ipv6
• sscc protocol lac
• sscc restart
• sscc retryTimer
• sscc sourceAddress
• sscc sourceInterface
• sscc transportRouter
• sscc update-policy-request enable
Configuring the Forwarding of COPS Requests to the SRC Server Based on DCM Profiles
You can configure the SRC client on an E Series router, which functions as the Common
Open Policy Service (COPS) client, to send COPS messages to the SRC server or the
COPS server based on the dynamic configuration manager (DCM) profile. For subscribers
that use PPP links to establish sessions with the router or the SRC client and for which
subscriber policies are managed by the SRC software, you can configure the setting in
the PPP profiles to enable the SRC client to send COPS messages to the SRC server.
This method of transmission of COPS request messages to the SRC server facilitates
effective, optimal control of subscriber login events in the SRC software.
To configure a PPP profile with the setting to send COPS requests to the SRC server:
1. Create a PPP profile.
host1(config)#profile pppprofile1
2. Configure the transmission of COPS request messages to the SRC server for all
subscribers that are assigned this PPP profile.
host1(config)#ip send-cops-request
By default, COPS messages are sent to the SRC server. You must configure at least
one IP configuration parameter in the PPP profile to enable the default behavior of
the command to be effective. This functionality is applicable in environments where
PPP links between the customer premises equipment (CPE) and the provider edge
(PE) device or the router are configured for IPv4 or IPv6 subscriber sessions, either as
independent or combined sessions. Also, this capability is effective only for dynamic
PPP subscribers and not for DHCP and static subscriber sessions.
Use the no version to disable the transmission of COPS messages from the SRC client
to the SRC server for PPP subscribers.
Related Documentation
• ip send-cops-request
Configuring the DHCPv6 Local Address Pools
The IPv6 local address pool for DHCP is an object that contains information about prefix
configuration parameters and guidelines that govern the assignment of these prefixes
to requesting routers. If you configured an interface for prefix delegation, the prefix
assigned to that interface takes precedence over the prefix or range of prefixes configured
at the router level in an IPv6 local pool.
To configure an IPv6 local address pool to be used for DHCPv6 prefix delegation:
1. Enable the IPv6 local address pool to assign prefixes to the requesting router.
host1(config)#ipv6 address-pool local
2. Configure the name of the IPv6 local address pool from which the delegating router
assigns prefixes to the DHCPv6 client or requesting router.
host1(config)#ipv6 local pool dhcpv6pd_pool
NOTE: You must enable the IPv6 local address pool feature to be able to
configure IPv6 local address pools.
3. Specify the IPv6 prefix range from which prefixes can be delegated to the DHCPv6
client. You can specify the prefix range in one of the following ways:
• Configure the prefix range by specifying an IPv6 prefix and the length of the prefix
to be delegated. This prefix length is also called the assigned prefix length.
host1(config-v6-local)#prefix 2002:2002::/32 48
In this case, the starting and ending prefixes of the range are implicitly specified. In
this example, the start of the range is 2002:2002::/48 and the end of the range is
2002:2002:ffff::/48. All prefixes assigned from this range have 48 as the prefix
length.
• Alternatively, configure the prefix range by specifying the starting and ending IPv6
prefixes of the range.
host1(config-v6-local)#prefix 3003:3003::/56 3003:3003:0:1000::/56
In this case, the starting and ending prefixes of the range are explicitly specified. In
the preceding example, a prefix range is configured with 16 prefixes that can be
allocated to clients. All prefixes assigned from this range have 56 as the prefix
length. When you specify the prefix range in this way, you must ensure that the
starting and ending prefixes are of the same length.
4. Specify the time period when the requesting router can use the prefix. You can configure
a preferred lifetime or a valid lifetime for the requesting router to use when you
configure the prefix range. If no lifetime is specified when you configure the prefix
range, the default lifetime of 1 day is assigned.
NOTE: The preferred lifetime must be less than or equal to the valid
lifetime.
• Specify the number of days and, optionally, the number of hours, minutes, and
seconds. You cannot specify a lifetime of zero (that is, you cannot set the days,
hours, minutes, and seconds fields all to zero).
host1(config-v6-local)#prefix 5005:5005::/32 48 preferred 1 2 3 4
In this example, the preferred lifetime is set to 1 day, 2 hours, 3 minutes, and 4
seconds. Because the valid lifetime is not configured, the default value of 1 day is
assigned.
• Use the infinite keyword to specify a lifetime that does not expire.
host1(config-v6-local)#prefix 5005:5005::/32 48 valid infinite
In this example, the prefix remains valid indefinitely for the requesting router to use
after it has been delegated by the DHCPv6 server. Because the preferred lifetime is
not configured, it is set to 1 day by default.
5. Specify the IPv6 address of the DNS servers to be returned to the client. You can
configure a primary and secondary DNS server. The DNS server addresses are returned
to the client in DHCPv6 responses as part of the DNS Recursive Name Server option.
host1(config-v6-local)#dns-server 3001::1 3001::2
If the DNS server is not configured in the IPv6 local address pool, the DNS server
configured on the DHCPv6 local server is used to delegate prefixes. However, if DNS
servers are configured both in the IPv6 local pool and on the DHCPv6 local server, the
values configured in the IPv6 local pool take precedence.
6. Specify the name of a DNS domain in the IPv6 local pool to be returned to clients in
the DHCPv6 responses as part of the Domain Search List option. The client uses this
domain name for DNS resolution. You can specify a maximum of four DNS domains
for an IPv6 local pool’s search list.
host1(config-v6-local)#dns-domain-search test1.com
host1(config-v6-local)#dns-domain-search test2.com
You can configure one domain name per line. Enter the command on separate lines
to configure additional domain names.
7. Set certain prefixes to be excluded from being allocated to the requesting router. You
can exclude those addresses that are assigned to local interfaces. You can exclude
specific prefixes or a range of prefixes from delegation to clients.
host1(config-v6-local)#exclude-prefix 5005:5005:2::/48 5005:5005:a::/48
In this example, all prefixes between the starting prefix of the range, 5005:5005:2::/48,
and the ending prefix of the range, 5005:5005:a::/48 are excluded from allocation
to clients.
8. Map the domain name to the IPv6 local address pool, which is used for prefix
delegation. If the authentication server returns the prefix pool name in the
Framed-Ipv6-Pool attribute of the RADIUS-Accept-Request message, this value
overrides the IPv6 local pool configured using the ipv6-prefix-pool-name command.
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#ipv6-prefix-pool-name local_addr_pool
For more information about mapping domain names to the IPv6 local address pool,
see ipv6-prefix-pool-name.
Related Documentation
• aaa domain-map
• dns-domain-search
• dns-server
• exclude-prefix
• prefix
• ipv6 address-pool local
• ipv6 local pool
• ipv6-prefix-pool-name
Example: Limiting the Number of Prefixes Used by DHCPv6 Clients
If you configure a very large prefix range in an IPv6 local address pool, the number of
prefixes that can be used from that range by DHCPv6 clients is limited to 1048576.
Consider the following example in which an IPv6 local address pool, largePrefixRange,
is configured. The prefix range is specified by the starting prefix, 3003:3003::/32, and
the assigned prefix length, 64.
host1(config)#ipv6 local pool largePrefixRange
host1(config-v6-local)#prefix 3003:3003::/32 64
host1(config-v6-local)#end
The Total field in the output of the following show ipv6 local pool largePrefixRange
and show ipv6 local pool commands indicates the number of prefixes that can be
allocated to DHCPv6 clients: 1048576.
host1#show ipv6 local pool largePrefixRange
Pool : largePrefixRange
-----------------------
Utilization : 0
Start           End                       Total    In Use
--------------  ------------------------  -------  ------
3003:3003::/64  3003:3003:ffff:ffff::/64  1048576  0

Start           Preferred Lifetime  Valid Lifetime  Exclude  Util
--------------  ------------------  --------------  -------  ----
3003:3003::/64  1 day               1 day           0        0
host1#show ipv6 local pool
                    IPv6 Local Address Pools
Pool              Start           End                       Total    In Use
----------------  --------------  ------------------------  -------  ------
largePrefixRange  3003:3003::/64  3003:3003:ffff:ffff::/64  1048576  0
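The pool semantics from “Configuring the DHCPv6 Local Address Pools” (the two prefix-range forms in step 3 and exclude-prefix in step 7) together with the per-range ceiling shown in this example, modeled as an added Python example; this is not JunosE code, and the IPv6LocalPool class and its method names are invented here. It assumes that the start and end prefixes of a range are both inclusive, that an exclusion affects only prefixes of the same length as the range, and that ranges in one pool do not overlap.

```python
"""Model of an IPv6 local address pool used for DHCPv6 prefix delegation.

Added example, not JunosE code. It mirrors the pool behaviour the guide
describes: an implicit range ("prefix <parent-prefix> <assigned-length>"),
an explicit range ("prefix <start> <end>"), "exclude-prefix" ranges, and the
1048576 ceiling on prefixes usable from one range. Assumptions: range start
and end prefixes are inclusive, exclusions apply only to prefixes of the same
length as the range, and ranges do not overlap.
"""
import ipaddress

MAX_PREFIXES_PER_RANGE = 1048576  # ceiling stated in the guide


def _index(net: ipaddress.IPv6Network) -> int:
    """Ordinal of a prefix among all prefixes of its length."""
    return int(net.network_address) >> (128 - net.prefixlen)


def _prefix_at(index: int, length: int) -> ipaddress.IPv6Network:
    """Inverse of _index: rebuild the prefix from its ordinal and length."""
    return ipaddress.IPv6Network((index << (128 - length), length))


class IPv6LocalPool:
    """Hypothetical pool object; names here are this example's own."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.ranges = []    # (first_index, last_index, prefixlen), inclusive
        self.excluded = []  # same shape
        self.in_use = set()

    def prefix_implicit(self, parent: str, assigned_len: int) -> None:
        """'prefix 2002:2002::/32 48': every /48 inside 2002:2002::/32."""
        p = ipaddress.IPv6Network(parent)
        if not p.prefixlen <= assigned_len <= 128:
            raise ValueError("assigned length must lie between the parent length and 128")
        first = int(p.network_address) >> (128 - assigned_len)
        last = first + (1 << (assigned_len - p.prefixlen)) - 1
        self.ranges.append((first, last, assigned_len))

    def prefix_explicit(self, start: str, end: str) -> None:
        """'prefix 3003:3003::/56 3003:3003:0:1000::/56': explicit start and end."""
        self.ranges.append(self._interval(start, end))

    def exclude_prefix(self, start: str, end: str = None) -> None:
        """'exclude-prefix <start> [<end>]': withhold one prefix or a range."""
        self.excluded.append(self._interval(start, end or start))

    @staticmethod
    def _interval(start: str, end: str):
        s, e = ipaddress.IPv6Network(start), ipaddress.IPv6Network(end)
        if s.prefixlen != e.prefixlen:
            raise ValueError("start and end prefixes must have the same length")
        if _index(s) > _index(e):
            raise ValueError("start prefix must not come after end prefix")
        return (_index(s), _index(e), s.prefixlen)

    def _exclusions(self, length: int):
        """Merged, sorted exclusion intervals for prefixes of this length."""
        merged = []
        for a, b in sorted((a, b) for a, b, l in self.excluded if l == length):
            if merged and a <= merged[-1][1] + 1:
                merged[-1] = (merged[-1][0], max(merged[-1][1], b))
            else:
                merged.append((a, b))
        return merged

    def ranges_display(self):
        """(Start, End) pairs as the show ipv6 local pool output prints them."""
        return [(str(_prefix_at(a, l)), str(_prefix_at(b, l))) for a, b, l in self.ranges]

    def total(self) -> int:
        """Delegable prefixes: range size minus exclusions, capped per range."""
        n = 0
        for a, b, l in self.ranges:
            size = b - a + 1
            for ea, eb in self._exclusions(l):
                size -= max(0, min(b, eb) - max(a, ea) + 1)
            n += min(size, MAX_PREFIXES_PER_RANGE)
        return n

    def allocate(self):
        """Hand out the lowest free, non-excluded prefix, or None when exhausted."""
        for a, b, l in self.ranges:
            i, stop = a, min(b, a + MAX_PREFIXES_PER_RANGE - 1)
            while i <= stop:
                skip = next((eb for ea, eb in self._exclusions(l) if ea <= i <= eb), None)
                if skip is not None:
                    i = skip + 1  # jump past the whole excluded interval
                    continue
                net = _prefix_at(i, l)
                if net not in self.in_use:
                    self.in_use.add(net)
                    return net
                i += 1
        return None


if __name__ == "__main__":
    # Constructed walk-through using the guide's 5005:5005::/32 48 pool and exclusion.
    pool = IPv6LocalPool("dhcpv6pd_pool")
    pool.prefix_implicit("5005:5005::/32", 48)
    pool.exclude_prefix("5005:5005:2::/48", "5005:5005:a::/48")
    print(pool.ranges_display(), pool.total())
    print([str(pool.allocate()) for _ in range(3)])
```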
Related Documentation
• show ipv6 local pool
Example: Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links
When a customer premises equipment (CPE) or requesting router and the provider edge
(PE) router are connected using a PPP link, one of the following pool names is used to
determine the IPv6 local address pool to be used for DHCPv6 Prefix Delegation to the
CPE:
• The pool name returned by the RADIUS server in the Framed-IPv6-Pool attribute
• The pool name configured in the AAA domain map
However, for a CPE that is connected to the PE router using a non-PPP link, such as
Ethernet, VLAN, or S-VLAN, the method for authentication of clients for DHCPv6 Prefix
Delegation is not available in JunosE Release 10.1.x. In such cases, you can select the pool
to be used for delegation of prefixes to the CPE by ensuring that the address of the
interface over which the DHCPv6 request is received corresponds to any one of the prefix
ranges in the configured local address pool.
The following example shows how you can configure an interface with an IPv6 address
that matches a prefix configured in an IPv6 local address pool to enable allocation of
prefixes from the configured pool for client requests over non-PPP links.
! Configure an IPv6 local address pool named example. Specify the IPv6 prefix
! range from which prefixes can be delegated to DHCPv6 clients by specifying an
! IPv6 prefix and the assigned prefix length. Configure the prefix 4004:4004::/48
! to be excluded from being allocated to the requesting client. Exit the IPv6 Local
! Pool Configuration mode.
host1(config)#ipv6 local pool example
host1(config-v6-local)#prefix 4004:4004::/32 48
host1(config-v6-local)#exclude-prefix 4004:4004::/48
host1(config-v6-local)#exit
!
! Create a loopback interface with the IPv6 address matching that of a prefix range
! configured in the example local pool. Exit the Interface Configuration mode.
host1(config)#interface loopback 1
host1(config-if)#ipv6 address 4004:4004::1/48
host1(config-if)#exit
!
! Create a Gigabit Ethernet interface and assign VLAN as the encapsulation
! method. Exit the Interface Configuration mode.
host1(config)#interface gigabitEthernet 2/1/4
host1(config-if)#encapsulation vlan
host1(config-if)#exit
!
! Create a VLAN subinterface, assign a loopback address to it, and enable
! IPv6 Neighbor Discovery. Exit the Interface Configuration mode.
host1(config)#interface gigabitEthernet 2/1/4.100
host1(config-if)#vlan id 100
host1(config-if)#ipv6 unnumbered loopback 1
host1(config-if)#ipv6 nd
host1(config-if)#exit
When the PE router receives a request for DHCPv6 Prefix Delegation over the gigabit
Ethernet interface 2/1/4.100, prefixes are allocated to the client from the example local
pool. In this example, the local pool to use for allocation of prefixes is selected based on
the IPv6 address of the interface over which the request is received.
Related Documentation
• dns-domain-search
• dns-server
• exclude-prefix
• interface
• interface loopback
• ipv6 address
• ipv6 nd
• ipv6 unnumbered
• prefix
• ipv6 address-pool local
• ipv6 local pool
• ipv6-prefix-pool-name
• vlan id
Configuring IPv6 Neighbor Discovery Local Address Pools
The IPv6 local address pool for Neighbor Discovery router advertisements is an object
that contains information about prefix configuration parameters and guidelines that
govern the assignment of these prefixes to requesting PPPv6 subscribers. If you configured
an interface for the Neighbor Discovery router advertisements prefix, the prefix assigned
to that interface takes precedence over the prefix or range of prefixes configured at the
router level in an IPv6 local address pool.
To configure an IPv6 local address pool to be used for Neighbor Discovery router
advertisements:
1. Enable the IPv6 local address pool for Neighbor Discovery router advertisements to
assign prefixes to the requesting PPPv6 subscribers.
host1(config)#ipv6 address-pool ndra
2. Configure the name of the IPv6 local address pool for Neighbor Discovery router
advertisements from which the delegating router assigns prefixes to the Neighbor
Discovery router advertisements client or requesting router.
host1(config)#ipv6 local ndra-pool ndra-pool1
NOTE: You must enable the IPv6 local address for Neighbor Discovery
router advertisements feature to be able to configure IPv6 local address
pools.
3. Specify the IPv6 Neighbor Discovery router advertisements prefix range from which
prefixes can be allocated to the Neighbor Discovery router advertisements client.
Configure the prefix range by specifying the starting and ending IPv6 prefixes of the
range. The prefix length should be /64. Any attempt to configure a prefix length other
than /64 will show an error message.
host1(config-v6-NdRa)#ndraprefix 3003:3003::/64 3003:3003:0:1000::/64
4. Set certain prefixes for Neighbor Discovery router advertisements to be excluded from
being allocated to the requesting PPPv6 subscribers. You can exclude addresses that
are assigned to local interfaces. You can exclude specific prefixes or a range of prefixes
from allocation to clients.
host1(config-v6-NdRa)#exclude-ndraprefix 5005:5005:2::/64 5005:5005:a::/64
In this example, all prefixes between the starting prefix of the range 5005:5005:2::/64,
and the ending prefix of the range 5005:5005:a::/64, are excluded from allocation
to clients.
5. Map the domain name to the IPv6 local address pool, which is used for Neighbor
Discovery router advertisements. If the authentication server returns the prefix pool
name in the Framed-Ipv6-Pool attribute of the RADIUS-Accept-Request message,
this value overrides the IPv6 local pool configured using the ipv6-ndra-pool-name
command.
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#ipv6-ndra-pool-name local_addr_pool
For more information about mapping domain names to the IPv6 local address pool,
see ipv6-ndra-pool-name.
Related Documentation
• IPv6 Prefix Allocation Using Neighbor Discovery Router Advertisements from IPv6
Address Pools Overview on page 54
• aaa dhcpv6-ndra-pool override
• exclude-ndraprefix
• ipv6 address-pool ndra
• ipv6 local ndra-pool
• ndraprefix
Overriding AAA to Perform IPCP and IPv6CP Negotiations Based on RADIUS-Returned Attributes
Normally, AAA performs IPCP and IPv6CP negotiations based on the RADIUS attributes
returned from the RADIUS server and the subscriber domain map configurations. You
can override the standard IPCP and IPv6CP negotiations by using the aaa
radius-override-ncp-negotiation command, which allows you to enable or disable IPCP
and IPv6CP negotiations only when one of the following RADIUS attributes is returned
in the Access-Accept message:
• Framed-Ip-Address [8]
• Framed-Pool [88]
• Framed-Ipv6-Prefix [97]
• Ipv6-NdRa-Prefix [26-129]
• Framed-Ipv6-Pool [100]
• Ipv6-Ndra-Pool [26-157]
• Framed-Interface-Id [96]
• Delegated-Ipv6-Prefix [123]
To enable IPCP and IPv6CP negotiations for IP and IPv6 clients based on RADIUS-returned
attributes:
• Issue the aaa radius-override-ncp-negotiation command with the enable keyword
in Global Configuration mode.
host1(config)#aaa radius-override-ncp-negotiation enable
To disable IPCP and IPv6CP negotiations for IP and IPv6 clients based on
RADIUS-returned attributes:
• Issue the aaa radius-override-ncp-negotiation command with the disable keyword
in Global Configuration mode.
host1(config)#aaa radius-override-ncp-negotiation disable
Use the no version to disable IPCP and IPv6CP negotiations based on RADIUS-returned
attributes, which is the default behavior. IPCP and IPv6CP negotiations are initiated on
the basis of RADIUS-returned attributes and configurations done on the subscriber
domain map.
Related Documentation
• Understanding IPCP and IPv6CP Negotiations for IPv4 and IPv6 Clients Based on
RADIUS-Returned Attributes on page 57
• Monitoring the Status of the Override Feature to Initiate IPCP and IPv6CP Negotiations
Based on RADIUS-Returned Attributes on page 164
• aaa radius-override-ncp-negotiation
CHAPTER 3
Monitoring and Troubleshooting Remote Access
Use the commands in this chapter to set baselines for and to monitor remote access.
•
Setting Baselines for Remote Access on page 105
•
How to Monitor PPP Interfaces on page 106
•
Monitoring the AAA Accounting Configuration on page 107
•
Monitoring AAA Accounting Default on page 108
•
Monitoring the AAA Accounting Interval on page 108
•
Monitoring AAA Specific Virtual Router Groups on page 108
•
Monitoring the Default AAA Authentication Method List on page 109
•
Monitoring AAA Domain Name Stripping for a Domain Per Virtual Router on page 109
•
Monitoring Mapping Between User Domains and Virtual Routers on page 110
•
Monitoring Tunnel Subscriber Authentication on page 112
•
Monitoring Routing Table Address Lookup on page 113
•
Monitoring the AAA Model on page 113
•
Monitoring IP Addresses of Primary and Secondary DNS and WINS Name
Servers on page 113
•
Monitoring AAA Profile Configuration on page 114
•
Monitoring Statistics about the RADIUS Route-Download Server on page 115
•
Monitoring Routes Downloaded by the RADIUS Route-Download Server on page 117
•
• Monitoring Chassis-Wide Routes Downloaded by the RADIUS Route-Download Server on page 119
• Monitoring AAA Statistics on page 121
• Monitoring the Number of Active Subscribers Per Port on page 123
• Monitoring the Maximum Number of Active Subscribers Per Virtual Router on page 123
• Monitoring Session Timeouts on page 124
• Monitoring Interim Accounting for Users on the Virtual Router on page 124
• Monitoring Virtual Router Groups Configured for AAA Broadcast Accounting on page 124
• Monitoring Configuration Information for AAA Local Authentication on page 125
• Monitoring AAA Server Attributes on page 126
• Monitoring the COPS Layer Over SRC Connection on page 128
• Monitoring Statistics About the COPS Layer on page 130
• Monitoring Local Address Pool Aliases on page 132
• Monitoring Local Address Pools on page 133
• Monitoring Local Address Pool Statistics on page 134
• Monitoring Shared Local Address Pools on page 135
• Monitoring the Routing Table on page 135
• Monitoring the B-RAS License on page 136
• Monitoring the RADIUS Server Algorithm on page 136
• Monitoring RADIUS Override Settings on page 136
• Monitoring the RADIUS Rollover Configuration on page 137
• Monitoring RADIUS Server Information on page 137
• Monitoring RADIUS Services Statistics on page 139
• Monitoring RADIUS SNMP Traps on page 143
• Monitoring RADIUS Accounting for L2TP Tunnels on page 143
• Monitoring RADIUS UDP Checksums on page 143
• Monitoring RADIUS Server IP Addresses on page 144
• Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router Advertisements on page 144
• Monitoring the RADIUS Attribute Used for DHCPv6 Prefix Delegation on page 144
• Monitoring Duplicate IPv6 Prefixes on page 144
• Monitoring Duplicate IPv6 Prefixes in the AAA User Profile Database on page 145
• Monitoring SRC Client Connection Status on page 145
• Monitoring SRC Client Connection Statistics on page 147
• Monitoring the SRC Client Version Number on page 149
• Monitoring the SRC Option on page 149
• Monitoring Subscriber Information on page 150
• Monitoring Application Terminate Reason Mappings on page 157
• Monitoring IPv6 Local Pools for DHCP Prefix Delegation By All Configured Pools on page 158
• Monitoring IPv6 Local Pools for DHCP Prefix Delegation By Pool Name on page 159
• Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation on page 160
• Monitoring IPv6 Local Pools for Neighbor Discovery Router Advertisements for all Configured Pools on page 161
• Monitoring IPv6 Local Pools for Neighbor Discovery Router Advertisements by Pool Name on page 162
Chapter 3: Monitoring and Troubleshooting Remote Access
• Monitoring IPv6 Local Pool Statistics for Neighbor Discovery Router Advertisements Allocation of Prefixes on page 163
• Monitoring the Status of the Override Feature to Initiate IPCP and IPv6CP Negotiations Based on RADIUS-Returned Attributes on page 164
Setting Baselines for Remote Access
You can set baseline statistics using the baseline commands. The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline when you retrieve baseline-relative statistics.
Issue the delta keyword with the show aaa statistics command to show baselined statistics.
1. Setting a Baseline for AAA Statistics on page 105
2. Setting a Baseline for AAA Route Downloads on page 105
3. Setting a Baseline for COPS Statistics on page 105
4. Setting a Baseline for Local Address Pool Statistics on page 106
5. Setting a Baseline for RADIUS Statistics on page 106
6. Setting the Baseline for SRC Statistics on page 106
Setting a Baseline for AAA Statistics
Purpose
Set a baseline for all AAA statistics.
Action
Issue the baseline aaa command:
host1#baseline aaa
There is no no version.
Setting a Baseline for AAA Route Downloads
Purpose
Set a baseline for route downloads.
Action
• Issue the baseline aaa route-download command for IPv4 routes:
host1#baseline aaa route-download
• Issue the baseline aaa route-download ipv6 command for IPv6 routes:
host1#baseline aaa route-download ipv6
There is no no version.
Setting a Baseline for COPS Statistics
Purpose
Set a baseline for COPS statistics.
Action
Issue the show cops statistics command:
host1#show cops statistics
There is no no version.
Setting a Baseline for Local Address Pool Statistics
Purpose
Set a baseline for local address pool statistics.
Action
Issue the show local pool statistics command:
host1#show local pool statistics
There is no no version.
Setting a Baseline for RADIUS Statistics
Purpose
Set a baseline for RADIUS statistics.
Action
Issue the show radius statistics command:
host1#show radius statistics
There is no no version.
Setting the Baseline for SRC Statistics
Purpose
Set a baseline for SRC statistics.
Action
Issue the show sscc statistics command:
host1#show sscc statistics
There is no no version.
Related Documentation
• baseline aaa
• baseline aaa route-download
• baseline cops
• baseline local pool
• baseline radius
• baseline sscc
How to Monitor PPP Interfaces
Purpose
Monitor PPP interfaces.
Action
Use the following commands:
• show ppp interface summary
• show ppp interface <selective control>
For details on the show ppp commands, see JunosE Link Layer Configuration Guide.
You can use the output filtering feature of the show command to include or exclude lines of output based on a text string you specify. For details, see JunosE System Basics Configuration Guide.
NOTE: AAA and RADIUS statistics are not preserved across a warm restart when stateful SRP Switchover is enabled.
Related Documentation
• Monitoring PPP Interfaces
• Monitoring Multilinked and Nonmultilinked PPP Interfaces
Monitoring the AAA Accounting Configuration
Purpose
Display the AAA accounting configuration.
Action
To display the AAA accounting configuration, issue the show aaa accounting command:
host1:vrXyz7#show aaa accounting
Accounting duplication set to router vrXyz25
Broadcast accounting uses group groupXyzCompany20
send acct-stop on AAA access deny is enabled
send acct-stop on authentication server access deny is disabled
acct-interval (for PPP Clients) 0
service-acct-interval 0
send immediate-update is enabled
Meaning
Table 12 on page 107 lists the show aaa accounting command output fields.
Table 12: show aaa accounting Output Fields
Field Name | Field Description
Accounting duplication | Name of the virtual router through which duplicate accounting records are sent to the accounting server
Broadcast accounting | Name of the virtual router group through which broadcast accounting records are sent to the accounting server
send acct-stop on AAA access deny | Enabled, disabled
send acct-stop on authentication server access deny | Enabled, disabled
acct-interval (for PPP Clients) | Number of minutes between accounting update operations
service-acct-interval | Number of minutes between interim accounting updates for services created by the Service Manager feature
send immediate-update | On receipt of response to Acct-Start message; enabled, disabled
Related Documentation
• show aaa accounting
Monitoring AAA Accounting Default
Purpose
Display the AAA accounting default method for a subscriber type.
You can view the method used for ATM 1483, IPSec, PPP, RADIUS relay server, and tunnel subscribers, and IP subscriber management interfaces.
Action
To display the default AAA accounting method:
host1#show aaa accounting tunnel default
radius
Related Documentation
• show aaa accounting default
Monitoring the AAA Accounting Interval
Purpose
Display the accounting interval.
Action
To display the accounting interval:
host1#show aaa accounting interval
acct-interval (for PPP Clients) 10
Related Documentation
• show aaa accounting interval
Monitoring AAA Specific Virtual Router Groups
Purpose
Display the names of a specific virtual router group or of all virtual router groups configured on the router, and of the virtual routers making up the groups.
Action
To display the names of a specific virtual router group or of all virtual router groups configured on the router, together with the virtual routers making up the groups:
host1#show aaa accounting vr-group
vr-group groupXyzCompany10:
virtual-router 1 vrXyzA
virtual-router 2 vrXyzB
virtual-router 3 vrXyzC
virtual-router 4 vrXyzD
vr-group groupXyzCompany20:
virtual-router 1 vrXyzP
virtual-router 2 vrXyzQ
virtual-router 3 vrXyzR
virtual-router 4 vrXyzS
Meaning
Table 13 on page 109 lists the show aaa accounting vr-group command output fields.
Table 13: show aaa accounting vr-group Output Fields
Field Name | Field Description
vr-group | Name of the virtual router group
Related Documentation
• Configuring AAA Broadcast Accounting on page 64
• show aaa accounting vr-group
Monitoring the Default AAA Authentication Method List
Purpose
Display the default AAA authentication method list for a subscriber type. You can view
the method list used for ATM 1483 subscribers, IPSec subscribers, IP subscriber
management interfaces, PPP subscribers, RADIUS relay subscribers, and tunnel
subscribers.
For example, you can verify that the local authentication method is configured for PPP
subscribers.
Action
To display the default AAA authentication method list for a subscriber type:
host1#show aaa authentication ppp default
local none
Related
Documentation
•
show aaa authentication default
Monitoring AAA Domain Name Stripping for a Domain Per Virtual Router
Purpose
Display information about the aaa domain-name stripping functionality per virtual router.
Action
To display information about the aaa domain-name stripping functionality per virtual router:
host1:vr1(config)#show aaa strip-domain
strip-domain is disable
strip-domain domainName delimiter is “@”
strip-domain domainName parse direction is right-to-left
Meaning
Table 14 on page 110 lists the show aaa strip-domain command output fields.
Table 14: show aaa strip-domain Output Fields
Field Name | Field Description
delimiter | Delimiter value configured for the subscriber’s domain
domainName | The domain name characteristics configured for the broadband remote access subscriber per virtual router
disable | The domain name stripping functionality is disabled for the virtual router
enable | The domain name stripping functionality is enabled for the virtual router
left-to-right | The parsing direction configured for stripping the domain name at the virtual router is left-to-right
right-to-left | The parsing direction configured for stripping the domain name at the virtual router is right-to-left
Related Documentation
• aaa domain-map
• ppp authentication
• show aaa delimiters
• show aaa strip-domain
Monitoring Mapping Between User Domains and Virtual Routers
Purpose
Display the mapping between user domains and virtual routers.
The following keywords have significance when used as user domains:
• none—All client requests with no user domain name are associated with the virtual router mapped to the none entry
• default—All client requests with a domain present that have no map are associated with the virtual router mapped to the default entry
Action
To display the mapping between user domains and virtual routers:
host1#show aaa domain-map
Domain: lac-tunnel; auth-router-name: lac;
ip-router-name: default; ipv6-router-name: default
Tunnel  Tunnel       Tunnel  Tunnel  Tunnel  Tunnel
Tag     Peer         Source  Type    Medium  Password
------  -----------  ------  ------  ------  --------
5       192.168.1.1  <null>  l2tp    ipv4    welcome
[The remaining columns of this output (Tunnel Tag, Tunnel Client Name, Tunnel Server Name, Tunnel Preference, Tunnel Max Sessions, Tunnel Id, Tunnel RWS, Tunnel Virtual Router, Tunnel Failover Resync, Tunnel Switch Profile, Tunnel Tx Speed Method) cannot be recovered in column order from this copy; the values shown in them were 5, lac-tunnel, lac, 5, <null>, boston, 5, silent failover, 0, denver, 4, and qos.]
Meaning
Table 15 on page 111 lists the show aaa domain-map command output fields.
Table 15: show aaa domain-map Output Fields
Field Name | Field Description
Domain | Name of the domain
auth-router-name | Access virtual router to which user domain name is mapped
ip-router-name | IPv4 virtual router to which user domain name is mapped
router-mask | IP mask of the local interface
tunnel-group | Name of the tunnel group assigned to the domain map
ipv6-router-name | IPv6 virtual router to which user domain name is mapped
local-interface | Interface information to use on the local (E Series) side of the subscriber’s interface
ipv6-local-interface | IPv6 interface information to use on the local (E Series) side of the subscriber’s interface
poolname | Local address pool from which the router allocates addresses for this domain
IP hint | IP hint is enabled
strip-domain | Strip domain is enabled
override-username | Single username used for all users from a domain in place of the values received from the remote client
override-password | Single password used for all users from a domain in place of the values received from the remote client
Tunnel Tag | Tag that identifies the tunnel
Tunnel Peer | Destination address of the tunnel
Tunnel Source | Source address of the tunnel
Tunnel Type | L2TP
Tunnel Medium | Type of medium for the tunnel; only IPv4 is supported
Tunnel Password | Password for the tunnel
Tunnel Id | ID of the tunnel
Tunnel Client Name | Host name that the LAC sends to the LNS when communicating to the LNS about the tunnel
Tunnel Server Name | Host name expected from the peer (the LNS) during tunnel startup
Tunnel Preference | Preference level for the tunnel
Tunnel Max Sessions | Maximum number of sessions allowed on a tunnel
Tunnel RWS | L2TP receive window size (RWS) for a tunnel on the LAC; displays either the configured value or the default behavior, which is indicated by system chooses
Tunnel Virtual Router | Name of the virtual router to map to the user domain name
Tunnel Failover Resync | L2TP peer resynchronization method
Tunnel Switch Profile | Name of the L2TP tunnel switch profile
Tunnel Tx Speed Method | Method that the router uses to calculate the transmit connect speed of the subscriber’s access interface: static layer2, dynamic layer2, qos, actual, not set
Related Documentation
• show aaa domain-map
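The two sections above describe how a subscriber name is split into user and domain (by the configured delimiter and parse direction shown by show aaa strip-domain) and how the resulting domain is then resolved through the domain map, with the none and default entries as the fallbacks. The following Python is an added example written for this guide, not JunosE code: it models both steps so the behaviour can be checked against a name. The domain map contents (lac-tunnel, none, default), the virtual router names, and the user names are constructed; the interpretation that parsing splits at the first delimiter found when scanning from the configured side is the author's assumption.

```python
"""Added example (not JunosE code): split a subscriber name into user and
domain by delimiter and parse direction, then resolve the domain against a
domain map with the special "none" and "default" entries. Map contents and
user names are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class DomainMapEntry:
    auth_router: str   # auth-router-name
    ip_router: str     # ip-router-name
    ipv6_router: str   # ipv6-router-name


def split_domain(username: str, delimiter: str = "@",
                 direction: str = "right-to-left") -> Tuple[str, Optional[str]]:
    """Return (user, domain). Assumption: the split happens at the first
    delimiter found when scanning from the configured side, so with
    right-to-left parsing 'a@b@c' yields domain 'c' and with left-to-right
    it yields 'b@c'. A name without the delimiter has no domain (None)."""
    if delimiter not in username:
        return username, None
    if direction == "right-to-left":
        user, _, domain = username.rpartition(delimiter)
    elif direction == "left-to-right":
        user, _, domain = username.partition(delimiter)
    else:
        raise ValueError(f"unknown parse direction: {direction}")
    return user, domain


def resolve_domain(domain_map: Dict[str, DomainMapEntry],
                   domain: Optional[str]) -> Optional[DomainMapEntry]:
    """Apply the two special keys: a request with no domain uses the 'none'
    entry, and a domain with no explicit map falls back to the 'default'
    entry. None is returned when neither applies."""
    if domain is None:
        return domain_map.get("none")
    return domain_map.get(domain, domain_map.get("default"))


def name_sent_to_auth(username: str, strip_domain: bool, delimiter: str = "@",
                      direction: str = "right-to-left") -> str:
    """Name forwarded to the authentication server: only the user part when
    strip-domain is enabled, otherwise the full name as received."""
    if not strip_domain:
        return username
    user, _ = split_domain(username, delimiter, direction)
    return user


# Constructed domain map; the virtual router names are placeholders.
EXAMPLE_MAP: Dict[str, DomainMapEntry] = {
    "lac-tunnel": DomainMapEntry("lac", "default", "default"),
    "none": DomainMapEntry("default", "default", "default"),
    "default": DomainMapEntry("vr-unmapped", "vr-unmapped", "vr-unmapped"),
}


def classify_login(username: str, domain_map: Dict[str, DomainMapEntry] = EXAMPLE_MAP,
                   strip: bool = False, delimiter: str = "@",
                   direction: str = "right-to-left") -> dict:
    """Run the whole chain for one login: split, map lookup, auth name."""
    user, domain = split_domain(username, delimiter, direction)
    entry = resolve_domain(domain_map, domain)
    return {
        "user": user,
        "domain": domain,
        "auth_router": entry.auth_router if entry else None,
        "auth_name": name_sent_to_auth(username, strip, delimiter, direction),
    }


if __name__ == "__main__":
    for name in ("alice@lac-tunnel", "bob", "carol@unknown.example", "dave@host@lac-tunnel"):
        print(name, classify_login(name, strip=True))
```

The none and default entries are worth keeping distinct in your own map: a login with no domain at all and a login with an unrecognised domain are different cases, and the output of show aaa domain-map tells you which virtual router each of them will land on.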
Monitoring Tunnel Subscriber Authentication
Purpose
Verify configuration of tunnel subscriber authentication. When authentication is enabled, the output indicates this configuration. When authentication is disabled, the output presents no information about the configuration.
Action
To display tunnel subscriber authentication configuration:
host1#show aaa domain-map
Domain: tunnel.com; auth-router-name: default; ip-router-name: default
ipv6-router-name: default; tunnel-subscriber authentication: enable
Meaning
Authentication is enabled.
Related Documentation
• show aaa domain-map
Monitoring Routing Table Address Lookup
Purpose
Display whether the routing table address lookup or duplicate address check is enabled
or disabled.
Action
To display whether the routing table address lookup or duplicate address check is enabled
or disabled:
host1#show aaa duplicate-address-check
enabled
Related
Documentation
•
show aaa duplicate-address-check
Monitoring the AAA Model
Purpose
Display the AAA model.
Action
To display the AAA model:
host1#show aaa model
aaa model: old model
Related
Documentation
•
show aaa model
Monitoring IP Addresses of Primary and Secondary DNS and WINS Name Servers
Purpose
Display the IP addresses of the primary and secondary DNS and WINS name servers.
Action
To display the IP addresses of the primary and secondary DNS and WINS name servers:
host1#show aaa name-servers
Name Server Addresses (for PPP Clients):
primary DNS Addr            10.2.3.4
secondary DNS Addr          10.6.7.8
primary NBNS (WINS) Addr    10.22.33.44
secondary NBNS (WINS) Addr  10.66.77.88
Meaning
The IP addresses of DNS and WINS name servers are displayed.
Related Documentation
• show aaa name-servers
Monitoring AAA Profile Configuration
Purpose
Display the configuration of all AAA profiles or of a specific profile.
Action
To display the configuration of all AAA profiles or of a specific profile:
host1#show aaa profile name PreAuth1
preAuth1:
atm nas-port-type: ADLSL-CAP
ethernet nas-port-type: Cable
profile-service-description: xyzService
pre-authenticate
allow xyz.com
deny default
translate xyz1.com abc.com
aaaPerProfileName:aaaProfile1
radiusPerProfileName:radiusProfile1
Meaning
Table 16 on page 114 lists the show aaa profile command output fields.
Table 16: show aaa profile Output Fields
Field Name | Field Description
atm nas-port-type | Configuration of NAS-Port-Type attribute for ATM interfaces
ethernet nas-port-type | Configuration of NAS-Port-Type attribute for Ethernet interfaces
profile-service-description | Description configured in the Service-Description attribute
pre-authenticate | Indicates that subscriber preauthentication is configured for the profile
allow | One or more domain names that are allowed access to AAA authentication
deny | One or more domain names that are denied access to AAA authentication
translate | Original domain name and the name to which it is mapped for domain map lookup
aaaPerProfileName | Name of the AAA per-profile
radiusPerProfileName | Name of the RADIUS per-profile
Related Documentation
• show aaa profile
Monitoring Statistics about the RADIUS Route-Download Server
Purpose
Display statistics about the RADIUS route-download server configuration.
• Use the optional statistics keyword to display information about the RADIUS route download server operation.
• Use the optional delta keyword to show baselined statistics.
Action
To display information about the RADIUS route-download server operation for IPv4 routes:
host1#show aaa route-download
AAA Route Downloader:     configured in virtual router default
Download Interval:        720 minutes
Retry Interval:           10 minutes
Default Cost:             2
Default Tag:              0
Base User Name:           <HOSTNAME>
Password:                 <DEFAULT>
Synchronization:          <NOT SET>
Status:                   idle
Last Download Attempt:    TUE DEC 19 22:46:47 2006
Last Download Success:    TUE DEC 19 22:46:47 2006
Last Regular Download:    complete
Next Download Scheduled:  WED DEC 20 10:46:47 2006
Next Regular Download:    WED DEC 20 10:46:47 2006
To display statistics about the RADIUS route-download server configuration for IPv4 routes:
host1#show aaa route-download statistics
Total Download Attempts:  2
Successful Downloads:     2
Downloaded Fragments:     3756
Downloaded Routes:        192000
IP Updates:               1
Updated Routes:           96000
Cleared Route Intervals:  0
To display information about the RADIUS route-download server operation for IPv6 routes:
host1#show aaa route-download ipv6
AAA Route Downloader:     configured in virtual router default
Download Interval:        720 minutes
Retry Interval:           10 minutes
Default Cost:             2
Default Tag:              0
Base User Name:           <HOSTNAME>
Password:                 <DEFAULT>
Synchronization:          <NOT SET>
Status:                   idle
Last Download Attempt:    TUE DEC 13 2011 00:05:43 UTC
Last Download Success:    TUE DEC 13 2011 00:05:43 UTC
Last Regular Download:    complete
Next Download Scheduled:  TUE DEC 13 2011 12:05:42 UTC
Next Regular Download:    TUE DEC 13 2011 12:05:42 UTC
To display statistics about the RADIUS route-download server configuration for IPv6 routes:
host1#show aaa route-download ipv6 statistics
Total Download Attempts:  3
Successful Downloads:     3
Downloaded Fragments:     30
Downloaded Routes:        240
IP Updates:               2
Updated Routes:           16
Cleared Route Intervals:  0
Meaning
Table 17 on page 116 lists the show aaa route-download command and show aaa route-download ipv6 command output fields.
Table 17: show aaa route-download Output Fields
Field Name | Field Description
AAA Route Downloader | Virtual router where the RADIUS route-download server is configured
Download Interval | Number of minutes between route downloads
Retry Interval | Number of minutes before retry after a download failure
Default Cost | Default cost of downloaded routes
Default Tag | Default tag for downloaded routes
Base User Name | Virtual router used for route-download requests; either <HOSTNAME> or the configured name
Password | Password for route-download requests or <DEFAULT>
Synchronization | Either <NOT SET> or the time that the server starts the route download operation each day
Status | Current status of route-download server; waiting for base router, waiting for IP warmstart, idle, downloading, updating ip, downloading and updating ip, or suspended
Last Download Attempt | Either <NEVER> or the day, date, and time of attempt
Last Download Success | Either <NEVER> or the day, date, and time of success
Last Regular Download | Status of last regular download; either complete or not complete
Next Download Scheduled | <DOWNLOAD ACTIVE>, <NOT SCHEDULED>, or the day, date, and time of next download
Next Regular Download | Day, date, and time
Total Download Attempts | Number of downloads attempted
Successful Downloads | Number of successful download operations
Downloaded Fragments | Number of downloaded fragments
Downloaded Routes | Number of downloaded routes
IP Updates | Number of IP updates
Updated Routes | Number of updated routes
Cleared Route Intervals | Number of cleared route intervals
Related Documentation
• show aaa route-download
Monitoring Routes Downloaded by the RADIUS Route-Download Server
Purpose
Display information about the routes that are downloaded by the RADIUS route-download server.
Use the optional detail keyword to display more detailed information about the downloaded routes.
Action
To display information about the IPv4 static routes that are downloaded by the RADIUS route-download server:
host1#show aaa route-download routes
96000 downloaded routes
To display detailed information about the IPv4 static routes that are downloaded by the RADIUS route-download server:
host1#show aaa route-download routes detail
Prefix/Length    Type      NextHop          Dst/Met  Intf   Tag
---------------  --------  ---------------  -------  -----  ---
192.168.1.1/32   Access-P  255.255.255.255  254/2    null0  0
192.168.1.5/32   Access-P  255.255.255.255  254/2    null0  0
192.168.1.9/32   Access-P  255.255.255.255  254/2    null0  0
192.168.1.13/32  Access-P  255.255.255.255  254/2    null0  0
192.168.1.17/32  Access-P  255.255.255.255  254/2    null0  0
192.168.1.21/32  Access-P  255.255.255.255  254/2    null0  0
To display information about the IPv6 routes that are downloaded by the RADIUS route-download server:
host1#show aaa route-download ipv6 routes
13 downloaded routes
To display detailed information about the IPv6 routes that are downloaded by the RADIUS route-download server:
host1#show aaa route-download ipv6 routes detail
Prefix/Length  Type      Dst/Met  Intf   Tag
-------------  --------  -------  -----  ---
f001::1/128    Access-P  0/2      null0  0
f002::1/128    Access-P  0/2      null0  0
f002::2/128    Access-P  0/2      null0  0
f002::3/128    Access-P  0/2      null0  0
f002::4/128    Access-P  0/2      null0  0
f003::2/128    Access-P  0/2      null0  0
f004::2/128    Access-P  0/2      null0  0
f005::2/128    Access-P  0/2      null0  0
f006::2/128    Access-P  0/2      null0  0
f007::2/128    Access-P  0/2      null0  0
f008::2/128    Access-P  0/2      null0  0
f009::2/128    Access-P  0/2      null0  0
f00a::2/128    Access-P  0/2      null0  0
Meaning
Table 18 on page 118 lists the show aaa route-download routes command and show aaa route-download ipv6 routes command output fields.
Table 18: show aaa route-download routes Output Fields
Field Name | Field Description
downloaded routes | Number of current downloaded routes
Prefix/Length | IP address prefix and mask information for downloaded routes
Type | Type of downloaded routes; Access-P indicates routes downloaded from the RADIUS route-download server
NextHop | IP address of the next hop
Dst/Met | Administrative distance and number of hops for the route
Tag | Tag assigned to downloaded routes
Intf | Interface type and specifier
Related Documentation
• show aaa route-download routes
• show aaa route-download ipv6 routes
Monitoring Chassis-Wide Routes Downloaded by the RADIUS Route-Download Server
Purpose
Display chassis-wide information about routes that are downloaded by RADIUS route-download servers.
Use the optional detail keyword to display more detailed information about the downloaded routes.
Use the optional start keyword to specify the first router context that you want to display in the output. For example, aaa:a2 specifies that the display shows a list of router contexts starting with VRF a2 in virtual router aaa.
Action
To display chassis-wide information about IPv4 routes that are downloaded by RADIUS route-download servers:
host1#show aaa route-download routes global
                                           Number
                                           of
Virtual Router   VRF              Present  Routes
---------------  ---------------  -------  ------
aaa                               n        4
aaa              a1               n        4
default                           y        4
default          d1               n        4
To display more detailed information about the downloaded IPv4 routes:
host1# show aaa route-download routes global detail
Virtual Router   VRF   Present  Prefix/Length    Type      NextHop          Dst/Met  Intf   Tag
---------------  ----  -------  ---------------  --------  ---------------  -------  -----  ---
aaa                    n        192.168.1.1/32   Access-P  255.255.255.255  0/2      null0  0
aaa                    n        192.168.1.2/32   Access-P  255.255.255.255  0/2      null0  0
aaa                    n        192.168.3.1/32   Access-P  255.255.255.255  0/2      null0  0
aaa                    n        192.168.4.1/32   Access-P  255.255.255.255  0/2      null0  0
aaa              a1    n        192.168.5.3/32   Access-P  255.255.255.255  0/2      null0  0
aaa              a1    n        192.168.7.1/32   Access-P  255.255.255.255  0/2      null0  0
aaa              a1    n        192.168.7.5/32   Access-P  255.255.255.255  0/2      null0  0
aaa              a1    n        192.168.9.1/32   Access-P  255.255.255.255  0/2      null0  0
default                y        192.168.22.1/32  Access-P  255.255.255.255  0/2      null0  0
default                y        192.168.23.1/32  Access-P  255.255.255.255  0/2      null0  0
default                y        192.168.24.1/32  Access-P  255.255.255.255  0/2      null0  0
default                y        192.168.25.1/32  Access-P  255.255.255.255  0/2      null0  0
default          d1    n        192.168.40.6/32  Access-P  255.255.255.255  0/2      null0  0
default          d1    n        192.168.40.7/32  Access-P  255.255.255.255  0/2      null0  0
default          d1    n        192.168.40.8/32  Access-P  255.255.255.255  0/2      null0  0
default          d1    n        192.168.40.9/32  Access-P  255.255.255.255  0/2      null0  0
To specify the first router context that you want to display in the output:
host1#show aaa route-download routes global start aaa:a2
                                           Number
                                           of
Virtual Router   VRF              Present  Routes
---------------  ---------------  -------  ------
default                           y        4
default          d1               n        4
To display chassis-wide information about IPv6 routes that are downloaded by RADIUS route-download servers:
host1#show aaa route-download ipv6 routes global
                                           Number
                                           of
Virtual Router   VRF              Present  Routes
---------------  ---------------  -------  ------
def                               y        3
def              temp             y        1
default                           y        13
Context1                          n        27
test                              n        36
To display more detailed information about the downloaded IPv6 routes:
host1# show aaa route-download ipv6 routes global detail
Virtual
Router   VRF   Present  Prefix/Length  Type      Dst/Met  Intf   Tag
-------  ----  -------  -------------  --------  -------  -----  ---
def            y        f00b::2/128    Access-P  0/2      null0  0
def            y        f00b::3/128    Access-P  0/2      null0  0
def            y        f00b::4/128    Access-P  0/2      null0  0
def      temp  y        f00b::1/128    Access-P  0/2      null0  0
default        y        f001::1/128    Access-P  0/2      null0  0
default        y        f002::1/128    Access-P  0/2      null0  0
default        y        f002::2/128    Access-P  0/2      null0  0
default        y        f002::3/128    Access-P  0/2      null0  0
default        y        f002::4/128    Access-P  0/2      null0  0
default        y        f003::2/128    Access-P  0/2      null0  0
default        y        f004::2/128    Access-P  0/2      null0  0
default        y        f005::2/128    Access-P  0/2      null0  0
default        y        f006::2/128    Access-P  0/2      null0  0
default        y        f007::2/128    Access-P  0/2      null0  0
To specify the router context that you want to display in the output:
host1#show aaa route-download ipv6 routes global start Context1
                                           Number
                                           of
Virtual Router   VRF              Present  Routes
---------------  ---------------  -------  ------
Context1                          n        27
test                              n        36
Meaning
Table 19 on page 120 lists the show aaa route-download routes global command and show aaa route-download ipv6 routes global command output fields.
Table 19: show aaa route-download routes global Output Fields
Field Name | Field Description
Virtual Router | Name of the virtual router used to download the routes
VRF | Name of the VRF used to download the routes
Present | Routes have been downloaded; y (yes) or n (no) indicates if the router context has been created.
Number of Routes | Number of current downloaded routes
Prefix/Length | IP address prefix and mask information for downloaded routes
Type | Type of downloaded routes; Access-P indicates routes downloaded from the RADIUS route-download server
NextHop | IP address of the next hop
Dst/Met | Administrative distance and number of hops for the route
Tag | Tag assigned to downloaded routes
Intf | Interface type and specifier
Related Documentation
• show aaa route-download routes global
• show aaa route-download ipv6 routes global
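The summary and detail forms of show aaa route-download routes global describe the same set of downloaded routes at two levels, and Table 19 notes that Present tells you whether the router context for a row has actually been created. The following Python is an added example written for this guide, not JunosE code: it parses both forms from the IPv4 output shown above (re-laid out in columns and embedded as sample text), lists router contexts that hold downloaded routes without being present, and reports any context whose per-context count disagrees between the two views. The parsing approach and the two checks are the author's additions.

```python
"""Added example (not JunosE code): cross-check the summary and detail forms
of show aaa route-download routes global. Sample text is the IPv4 output
from this section, re-laid out in columns."""
from typing import Dict, List, Tuple

Context = Tuple[str, str]   # (virtual router, VRF); VRF is "" for the base router

SUMMARY = """\
                                           Number
                                           of
Virtual Router   VRF              Present  Routes
---------------  ---------------  -------  ------
aaa                               n        4
aaa              a1               n        4
default                           y        4
default          d1               n        4
"""

DETAIL = """\
Virtual Router   VRF   Present  Prefix/Length    Type      NextHop          Dst/Met  Intf   Tag
---------------  ----  -------  ---------------  --------  ---------------  -------  -----  ---
aaa                    n        192.168.1.1/32   Access-P  255.255.255.255  0/2      null0  0
aaa                    n        192.168.1.2/32   Access-P  255.255.255.255  0/2      null0  0
aaa                    n        192.168.3.1/32   Access-P  255.255.255.255  0/2      null0  0
aaa                    n        192.168.4.1/32   Access-P  255.255.255.255  0/2      null0  0
aaa              a1    n        192.168.5.3/32   Access-P  255.255.255.255  0/2      null0  0
aaa              a1    n        192.168.7.1/32   Access-P  255.255.255.255  0/2      null0  0
aaa              a1    n        192.168.7.5/32   Access-P  255.255.255.255  0/2      null0  0
aaa              a1    n        192.168.9.1/32   Access-P  255.255.255.255  0/2      null0  0
default                y        192.168.22.1/32  Access-P  255.255.255.255  0/2      null0  0
default                y        192.168.23.1/32  Access-P  255.255.255.255  0/2      null0  0
default                y        192.168.24.1/32  Access-P  255.255.255.255  0/2      null0  0
default                y        192.168.25.1/32  Access-P  255.255.255.255  0/2      null0  0
default          d1    n        192.168.40.6/32  Access-P  255.255.255.255  0/2      null0  0
default          d1    n        192.168.40.7/32  Access-P  255.255.255.255  0/2      null0  0
default          d1    n        192.168.40.8/32  Access-P  255.255.255.255  0/2      null0  0
default          d1    n        192.168.40.9/32  Access-P  255.255.255.255  0/2      null0  0
"""


def _data_rows(text: str):
    """Yield whitespace-split data rows, skipping header and rule lines."""
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("-") or toks[0] in ("Virtual", "Number", "of"):
            continue
        yield toks


def parse_summary(text: str) -> Dict[Context, Tuple[bool, int]]:
    """Map each router context to (present, number of routes). The VRF
    column is blank for the base router, so a row has 3 or 4 tokens."""
    out: Dict[Context, Tuple[bool, int]] = {}
    for toks in _data_rows(text):
        if len(toks) == 4:
            vr, vrf, present, count = toks
        elif len(toks) == 3:
            (vr, present, count), vrf = toks, ""
        else:
            raise ValueError(f"unexpected summary row: {toks}")
        out[(vr, vrf)] = (present == "y", int(count))
    return out


def parse_detail(text: str) -> Dict[Context, List[str]]:
    """Map each router context to the list of downloaded prefixes."""
    out: Dict[Context, List[str]] = {}
    for toks in _data_rows(text):
        if len(toks) == 9:
            vr, vrf, rest = toks[0], toks[1], toks[2:]
        elif len(toks) == 8:
            vr, vrf, rest = toks[0], "", toks[1:]
        else:
            raise ValueError(f"unexpected detail row: {toks}")
        prefix, rtype = rest[1], rest[2]
        if rtype != "Access-P":   # only route-download routes belong here
            raise ValueError(f"unexpected route type {rtype} for {prefix}")
        out.setdefault((vr, vrf), []).append(prefix)
    return out


def contexts_not_present(summary: Dict[Context, Tuple[bool, int]]) -> List[Context]:
    """Contexts that hold downloaded routes but are not created (Present = n)."""
    return [ctx for ctx, (present, count) in summary.items() if count and not present]


def count_mismatches(summary: Dict[Context, Tuple[bool, int]],
                     detail: Dict[Context, List[str]]) -> List[Tuple[Context, int, int]]:
    """Contexts whose summary count differs from the number of detail rows."""
    bad = []
    for ctx, (_, count) in summary.items():
        seen = len(detail.get(ctx, []))
        if seen != count:
            bad.append((ctx, count, seen))
    return bad


if __name__ == "__main__":
    summary = parse_summary(SUMMARY)
    detail = parse_detail(DETAIL)
    print("not present:", contexts_not_present(summary))
    print("mismatches:", count_mismatches(summary, detail))
```

Run against live output, the first list is the set of contexts whose downloaded routes cannot yet be in a routing table; the second list should be empty, and a non-empty result is a reason to re-check the download with show aaa route-download statistics.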
Monitoring AAA Statistics
Purpose
Display authentication, authorization, and accounting statistics.
Use the optional delta keyword to specify that baselined statistics are to be shown.
Action
To display authentication, authorization, and accounting statistics:
host1#show aaa statistics
AAA Statistics
--------------
Statistic                              Count
-------------------------------------  -----
incoming initiate requests             109
incoming disconnect requests           7
outgoing grant (tunnel) responses      3
outgoing grant responses               6
outgoing deny responses                0
outgoing error responses               0
outgoing Authentication requests       9
incoming Authentication responses      9
outgoing Re-Authentication requests    0
incoming Re-Authentication responses   0
outgoing Pre-Authentication requests   1
incoming Pre-Authentication responses  1
outgoing Accounting requests           120
incoming Accounting responses          120
outgoing Duplicate Acct requests       18
incoming Duplicate Acct responses      18
outgoing Broadcast Acct requests       32
incoming Broadcast Acct responses      32
outgoing Address requests              0
incoming Address responses             0
Meaning
Table 20 on page 122 lists the show aaa statistics command output fields.
Table 20: show aaa statistics Output Fields
Field Name | Field Description
incoming initiate requests | Number of incoming AAA requests (from other E Series applications) for user connect services
incoming disconnect requests | Number of incoming AAA requests (from other E Series applications) for user disconnect services
outgoing grant (tunnel) responses | Number of outgoing tunnel grant responses to AAA requests
outgoing grant responses | Number of outgoing grant responses to AAA requests
outgoing deny responses | Number of outgoing deny responses to AAA requests
outgoing error responses | Number of outgoing error responses to AAA requests
outgoing Authentication requests | Number of authentication requests from AAA to the authentication task
incoming Authentication responses | Number of authentication responses from the authentication task to AAA
outgoing Re-Authentication requests | Number of reauthentication requests from AAA to the authentication task
incoming Re-Authentication responses | Number of reauthentication responses from the authentication task to AAA
outgoing Pre-Authentication requests | Number of preauthentication requests from AAA to the preauthentication task
incoming Pre-Authentication responses | Number of preauthentication responses from the preauthentication task to AAA
outgoing Accounting requests | Number of accounting requests (starts, updates, stops) from AAA to the accounting task
incoming Accounting responses | Number of accounting responses (starts, updates, stops) from the accounting task to AAA
outgoing Duplicate Acct requests | Number of duplicate accounting requests (starts, updates, stops) from AAA to the accounting task
incoming Duplicate Acct responses | Number of duplicate accounting responses (starts, updates, stops) from the accounting task to AAA
outgoing Broadcast Acct requests | Number of broadcast accounting requests (starts, updates, stops) from AAA to the accounting task
incoming Broadcast Acct responses | Number of broadcast accounting responses (starts, updates, stops) from the accounting task to AAA
outgoing Address requests | Number of address allocation/release requests from AAA to address allocation task
incoming Address responses | Number of address allocation/release responses from the address allocation task to AAA
Related Documentation
• show aaa statistics
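Setting Baselines for Remote Access explains that the router stores the counters when baseline aaa is issued and subtracts that stored copy when show aaa statistics delta is run, and Table 20 pairs every outgoing request counter with the incoming response counter it should keep pace with. The following Python is an added example written for this guide, not JunosE code: it parses the show aaa statistics output above, reproduces the baseline/delta view, and flags request/response pairs that are out of balance. The baseline snapshot is the output from this section; the later snapshot is constructed by adding increments to it, and the pairing list is the author's reading of Table 20.

```python
"""Added example (not JunosE code): parse show aaa statistics output,
reproduce the baseline/delta view, and flag request/response pairs that do
not balance. SAMPLE_T0 is the output from this section; the later snapshot
is constructed by adding increments to it."""
import re
from typing import Dict, List, Tuple

# One counter per line: "<direction> <name> <count>".
STAT_LINE = re.compile(r"^\s*((?:incoming|outgoing) .+?)\s+(\d+)\s*$")

SAMPLE_T0 = """\
AAA Statistics
--------------
Statistic                              Count
-------------------------------------  -----
incoming initiate requests             109
incoming disconnect requests           7
outgoing grant (tunnel) responses      3
outgoing grant responses               6
outgoing deny responses                0
outgoing error responses               0
outgoing Authentication requests       9
incoming Authentication responses      9
outgoing Re-Authentication requests    0
incoming Re-Authentication responses   0
outgoing Pre-Authentication requests   1
incoming Pre-Authentication responses  1
outgoing Accounting requests           120
incoming Accounting responses          120
outgoing Duplicate Acct requests       18
incoming Duplicate Acct responses      18
outgoing Broadcast Acct requests       32
incoming Broadcast Acct responses      32
outgoing Address requests              0
incoming Address responses             0
"""

# Each request counter and the response counter it should keep pace with.
PAIRS: List[Tuple[str, str]] = [
    ("outgoing Authentication requests", "incoming Authentication responses"),
    ("outgoing Re-Authentication requests", "incoming Re-Authentication responses"),
    ("outgoing Pre-Authentication requests", "incoming Pre-Authentication responses"),
    ("outgoing Accounting requests", "incoming Accounting responses"),
    ("outgoing Duplicate Acct requests", "incoming Duplicate Acct responses"),
    ("outgoing Broadcast Acct requests", "incoming Broadcast Acct responses"),
    ("outgoing Address requests", "incoming Address responses"),
]


def parse_aaa_statistics(text: str) -> Dict[str, int]:
    """Return {statistic name: count} for every counter line in the output."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def delta(current: Dict[str, int], baseline: Dict[str, int]) -> Dict[str, int]:
    """Baseline-relative view: current minus the stored baseline, which is
    what the delta keyword shows. Counters missing from the baseline are
    treated as starting from zero."""
    return {name: value - baseline.get(name, 0) for name, value in current.items()}


def unbalanced(stats: Dict[str, int]) -> List[Tuple[str, int]]:
    """Request counters that exceed their response counters, with the gap.
    A gap that keeps growing between snapshots means requests to that task
    are going unanswered."""
    gaps = []
    for req, resp in PAIRS:
        gap = stats.get(req, 0) - stats.get(resp, 0)
        if gap:
            gaps.append((req, gap))
    return gaps


# Constructed later snapshot: more sessions came up and three accounting
# requests have not yet been answered.
LATER_INCREMENTS = {
    "incoming initiate requests": 15,
    "outgoing Accounting requests": 10,
    "incoming Accounting responses": 7,
}


def later_snapshot() -> Dict[str, int]:
    stats = parse_aaa_statistics(SAMPLE_T0)
    for name, inc in LATER_INCREMENTS.items():
        stats[name] += inc
    return stats


if __name__ == "__main__":
    baseline = parse_aaa_statistics(SAMPLE_T0)
    now = later_snapshot()
    for name, change in delta(now, baseline).items():
        if change:
            print(f"{name:40} +{change}")
    print("unbalanced:", unbalanced(now))
```

Taking the baseline on the router with baseline aaa and reading delta output is equivalent to storing the first parse and calling delta with the second; the unbalanced check is the part the router does not do for you, and a persistent gap in the Accounting pair is the usual first sign that the accounting server or task is not responding.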
Monitoring the Number of Active Subscribers Per Port
Purpose
Display the maximum number of active subscribers configured per port.
Action
To display the maximum number of active subscribers configured per port:
host1#show aaa subscriber per-port-limit
Subscriber Port Limits
----------------------
Port   Limit
-----  -----
0/2    5
0/3    2
3/2    2
Related Documentation
• show aaa subscriber per-port-limit
Monitoring the Maximum Number of Active Subscribers Per Virtual Router
Purpose
Display the maximum number of active subscribers configured per virtual router.
Action
To display the maximum number of active subscribers configured per virtual router:
host1#show aaa subscriber per-vr-limit
subscriber limit is 0
Related Documentation
• show aaa subscriber per-vr-limit
Monitoring Session Timeouts
Purpose
Display idle and session timeouts.
Action
To display idle and session timeouts:
host1#show aaa timeout
idle timeout 1200 seconds monitor ingress only
session timeout 3600 seconds
Related Documentation
• show aaa timeout
Monitoring Interim Accounting for Users on the Virtual Router
Purpose
Display the default interval used for interim accounting for users on the virtual router. An
entry of 0 indicates that the feature is disabled.
Action
To display the default interval used for interim accounting for users on the virtual router:
host1:vrXyz7#show aaa user accounting interval
user-acct-interval 20
Related Documentation
• show aaa user accounting interval
Monitoring Virtual Router Groups Configured for AAA Broadcast Accounting
Purpose
Display the virtual router groups that are configured for AAA broadcast accounting.
For additional information about the show configuration command, see JunosE System
Basics Configuration Guide.
Action
To display the virtual router groups that are configured for AAA broadcast accounting:
host1#show configuration category aaa global-attributes
! Configuration script being generated on MON JAN 10 2005 15:19:19 UTC
! Juniper Edge Routing Switch ERX1440
! Version: 9.9.9 development-4.0 (January 7, 2005 17:26)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa global-attributes
!
aaa accounting vr-group groupXyzCompany10
aaa virtual-router 1 vrXyzA
aaa virtual-router 2 vrXyzB
aaa virtual-router 3 vrXyzC
aaa virtual-router 4 vrXyzD
aaa accounting vr-group groupXyzCompany20
aaa virtual-router 1 vrXyzP
aaa virtual-router 2 vrXyzQ
aaa virtual-router 3 vrXyzR
aaa virtual-router 4 vrXyzS
!
hostname "host1"
Meaning
Table 21 on page 125 lists the show configuration category aaa global-attributes command output fields.
Table 21: show configuration category aaa global-attributes Output Fields
Field Name
Field Description
aaa accounting vr-group
Name of the virtual router group
aaa virtual-router
Index number and name of each virtual router that is a member of the virtual router group
Related Documentation
• show configuration
Monitoring Configuration Information for AAA Local Authentication
Purpose
Display the configuration information for AAA local authentication. You can display information for the following keywords:
• databases—Local user databases configured on the router
• users—Users configured in the local user databases
• virtual-router—Local user database selected by the specified virtual router for local authentication
For additional information about the show configuration command, see JunosE System Basics Configuration Guide.
Action
To display the configuration information for AAA local authentication:
host1#show configuration category aaa local-authentication databases
! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC
! Juniper Edge Routing Switch ERX1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication databases
!
hostname host1
aaa new-model
aaa local database default
aaa local database svaleLdb10
Meaning
Table 22 on page 126 lists the show configuration category aaa local-authentication command output fields.
Table 22: show configuration category aaa local-authentication Output Fields
Field Name
Field Description
aaa local database
Name of the local user database; the name default specifies the default local user database
aaa local select database
Local user database that the virtual router uses for local authentication
aaa local username
Unique user entry in the local user database
database
Name of the local user database for the specified username
hostname
Name of the host router
ip-address
IP address parameter for the user entry
ip-address-pool
IP address pool parameter for the user entry
operational virtual-router
Virtual router parameter for the user entry
password
Password used to authenticate the subscriber
secret
Secret used to authenticate the subscriber
virtual-router
Name of virtual router
Related Documentation
• show configuration category aaa local-authentication
Monitoring AAA Server Attributes
Purpose
Display status of the attributes on the AAA server, including AAA accounting duplication
and broadcast.
For additional information about the show configuration command, see JunosE System
Basics Configuration Guide.
Action
To display status of the attributes on the AAA server, including AAA accounting duplication
and broadcast:
host1#show configuration category aaa server-attributes include-defaults
! Configuration script being generated on FRI MAY 21 2010 07:52:13 UTC
! Juniper Edge Routing Switch ERX1440
! Version: 11.2.0 beta-1.1 [BuildId 12073] (April 22, 2010 11:46)
! Copyright (c) 1999-2010 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa server-attributes
!
virtual-router default
aaa accounting duplication lac
aaa accounting broadcast group1
aaa duplicate-address-check enable
aaa accounting acct-stop on-aaa-failure enable
aaa accounting acct-stop on-access-deny disable
aaa subscriber limit per-vr 0
aaa intf-desc-format include sub-intf enable
aaa intf-desc-format include adapter enable
aaa accounting immediate-update disable
no aaa ipv6-nd-ra-prefix framed-ipv6-prefix
no aaa dhcpv6-delegated-prefix delegated-ipv6-prefix
aaa duplicate-prefix-check disable
!
! ==============================================================================
!
virtual-router lac
no aaa accounting duplication
no aaa accounting broadcast
aaa duplicate-address-check enable
aaa accounting acct-stop on-aaa-failure enable
aaa accounting acct-stop on-access-deny disable
aaa subscriber limit per-vr 0
aaa intf-desc-format include sub-intf enable
aaa intf-desc-format include adapter enable
aaa accounting immediate-update disable
no aaa ipv6-nd-ra-prefix framed-ipv6-prefix
no aaa dhcpv6-delegated-prefix delegated-ipv6-prefix
aaa duplicate-prefix-check disable
!
! ==============================================================================
!
virtual-router isp
no aaa accounting duplication
no aaa accounting broadcast
aaa duplicate-address-check enable
aaa accounting acct-stop on-aaa-failure enable
aaa accounting acct-stop on-access-deny disable
aaa subscriber limit per-vr 0
aaa intf-desc-format include sub-intf enable
aaa intf-desc-format include adapter enable
aaa accounting immediate-update disable
no aaa ipv6-nd-ra-prefix framed-ipv6-prefix
no aaa dhcpv6-delegated-prefix delegated-ipv6-prefix
aaa duplicate-prefix-check disable
Meaning
Table 23 on page 127 lists the show configuration category aaa server-attributes include-defaults command output fields.
Table 23: show configuration category aaa server-attributes include-defaults Output Fields
Field Name
Field Description
virtual-router
Name of the virtual router
aaa accounting duplication
Virtual router used for duplicate accounting
aaa accounting broadcast
Virtual router group used for broadcast accounting
aaa duplicate-address-check
Enabled, disabled
aaa accounting acct-stop on-aaa-failure
Enabled, disabled
aaa accounting acct-stop on-access-deny
Enabled, disabled
aaa subscriber limit per-vr
Maximum number of active subscribers configured for the virtual router (0 in the sample output)
aaa intf-desc-format include sub-intf
Enabled, disabled
aaa intf-desc-format include adapter
Enabled, disabled
aaa accounting immediate-update
Enabled, disabled
aaa ipv6-nd-ra-prefix framed-ipv6-prefix
Framed-IPv6-Prefix RADIUS attribute used for IPv6 Neighbor Discovery router advertisements
aaa dhcpv6-delegated-prefix delegated-ipv6-prefix
Delegated-IPv6-Prefix RADIUS attribute used for DHCPv6 prefix delegation
aaa duplicate-prefix-check
Enabled, disabled
Related Documentation
• show configuration
Monitoring the COPS Layer Over SRC Connection
Purpose
Display information about the COPS layer over which the SRC connection is made.
Action
To display information about the COPS layer over which the SRC connection is made:
host1#show cops info
General Cops Information:
Sessions Created: 1
Sessions Deleted: 0
Current Sessions: 1
Bytes Received: 680
Packets Received: 17
Bytes Sent: 692
Packets Sent: 21
Keep Alive Received: 12
Keep Alive Sent: 12
Session Information
Remote Ip Address: 10.10.0.223
Remote TCP Port: 4001
Client Type: 16384
Bytes Received: 2224
Packets Received: 5
Bytes Sent: 596
Packets Sent: 9
REQ Sent: 4
DEC Rcv: 4
RPT Sent: 4
DRQ Sent: 0
SSQ Rcv: 0
OPN Sent: 1
CAT Rcv: 1
CC Sent: 0
CC Rcv: 0
SSC Sent: 0
Meaning
Table 24 on page 129 lists the show cops info command output fields.
Table 24: show cops info Output Fields
Field Name
Field Description
Sessions Created
Number of COPS sessions created
Sessions Deleted
Number of COPS sessions deleted
Current Sessions
Number of current COPS sessions
Bytes Received
Number of bytes received on all COPS sessions
Packets Received
Number of packets received on all COPS sessions
Bytes Sent
Number of bytes transmitted on all COPS sessions
Packets Sent
Number of packets transmitted on all COPS sessions
Keep Alive Received
Number of COPS keepalive messages received
Keep Alive Sent
Number of COPS keepalive messages sent
Remote IP Address
IP address of the remote peer
Remote TCP Port
TCP port number of the remote peer
Client Type
Type of client for the session. For this release the client type must be 16640 (SRC client).
Bytes Received
Number of bytes received for this COPS session
Packets Received
Number of packets received for this COPS session
Bytes Sent
Number of bytes sent on this COPS session
Packets Sent
Number of packets sent on this COPS session
REQ Sent
Number of Request packets sent on this COPS session
DEC Rcv
Number of Decision packets received on this COPS session
RPT Sent
Number of Report packets sent on this COPS session
DRQ Sent
Number of Delete Request packets sent on this COPS session
SSQ Rcv
Number of Synchronize State Request packets received on this COPS session
OPN Sent
Number of Client-Open messages sent on this COPS session
CAT Rcv
Number of Client-Accept packets received on this COPS session
CC Sent
Number of Client-Close packets sent on this COPS session
CC Rcv
Number of Client-Close packets received on this COPS session
SSC Sent
Number of Synchronize State Complete packets sent on this COPS session
Related Documentation
• show cops info
Monitoring Statistics About the COPS Layer
Purpose
Display statistics about the COPS layer over which the SRC connection is made.
Action
To display statistics about the COPS layer:
host1#show cops statistics
General Cops Information:
Sessions Created: 0
Sessions Deleted: 0
Current Sessions: 0
Bytes Received: 1108
Packets Received: 12
Bytes Sent: 1572
Packets Sent: 18
Keep Alive Received: 2
Keep Alive Sent: 2
Session Information:
Client Type: 24754
Bytes Received: 2539032
Packets Received: 20388
Bytes Sent: 4386648
Packets Sent: 51337
REQ Sent: 21203
DEC Rcv: 20388
RPT Sent: 20391
DRQ Sent: 9743
SSQ Rcv: 0
OPN Sent: 0
CAT Rcv: 0
CC Sent: 0
CC Rcv: 0
SSC Sent: 0
Meaning
Table 25 on page 131 lists the show cops statistics command output fields.
Table 25: show cops statistics Output Fields
Field Name
Field Description
Sessions Created
Number of COPS sessions created
Sessions Deleted
Number of COPS sessions deleted
Current Sessions
Number of current COPS sessions
Bytes Received
Number of bytes received on all COPS sessions
Packets Received
Number of packets received on all COPS sessions
Bytes Sent
Number of bytes transmitted on all COPS sessions
Packets Sent
Number of packets transmitted on all COPS sessions
Keep Alive Received
Number of COPS keepalive messages received
Keep Alive Sent
Number of COPS keepalive messages sent
Client Type
Type of client for the session
Bytes Received
Number of bytes received for this COPS session
Packets Received
Number of packets received for this COPS session
Bytes Sent
Number of bytes sent on this COPS session
Packets Sent
Number of packets sent on this COPS session
REQ Sent
Number of Request packets sent on this COPS session
DEC Rcv
Number of Decision packets received on this COPS session
RPT Sent
Number of Report packets sent on this COPS session
DRQ Sent
Number of Delete Request packets sent on this COPS session
SSQ Rcv
Number of Synchronize State Request packets received on this COPS session
OPN Sent
Number of Client-Open messages sent on this COPS session
CAT Rcv
Number of Client-Accept packets received on this COPS session
CC Sent
Number of Client-Close packets sent on this COPS session
CC Rcv
Number of Client-Close packets received on this COPS session
SSC Sent
Number of Synchronize State Complete packets sent on this COPS session
Related Documentation
• show cops statistics
Monitoring Local Address Pool Aliases
Purpose
Display information about aliases for the local address pools configured on your router. If you do not specify a particular alias, the router displays all aliases.
Action
To display information about local address pool aliases:
host1#show ip local alias
Alias   Pool
------  -----
alias1  poolA
alias2  poolB
alias3  poolC
poolA   poolD
poolB   poolD
poolC   poolD
Meaning
Table 26 on page 133 lists the show ip local alias command output fields.
Table 26: show ip local alias Output Fields
Field Name
Field Description
Alias
Name of alias for the local address pool
Pool
Name of the local address pool
Related Documentation
• show ip local alias
Monitoring Local Address Pools
Purpose
Display information about the local address pools configured on your router. If you do not specify the name of a local address pool, the router displays all local address pools.
Action
To display information about local address pools:
host1#show ip local pool
       High    Abated
Pool   Thresh  Thresh  Trap  Group  Aliases  Begin     End         Free  In Use
-----  ------  ------  ----  -----  -------  --------  ----------  ----  ------
poolA  85      75      N            alias1   10.1.1.1  10.1.1.10   10    0
                                             10.1.2.1  10.1.2.10   10    0
                                             10.1.3.1  10.1.3.10   10    0
poolB  85      75      N            alias2   10.2.1.1  10.2.1.10   10    0
                                             10.2.2.1  10.2.2.10   10    0
poolC  85      75      N            alias3   10.3.1.1  10.3.1.10   10    0
poolD  85      75      N            poolA    10.4.1.1  10.4.1.255  255   0
                                    poolB
                                    poolC
Meaning
Table 27 on page 134 lists the show ip local pool command output fields.
Table 27: show ip local pool Output Fields
Field Name
Field Description
Pool
User-specified name of the address pool
High Thresh
High utilization threshold value
Abated Thresh
Abated utilization threshold value
Trap
Whether SNMP pool utilization traps are enabled: Y (yes) or N (no)
Aliases
Aliases for the local address pool
Begin
Starting IP address
End
Ending IP address
Free
Number of addresses available for use
In Use
Number of addresses currently in use
Related Documentation
• show ip local pool
Monitoring Local Address Pool Statistics
Purpose
Display local address pool statistics. Use the optional delta keyword to specify that baselined statistics are to be shown.
Action
To display local address pool statistics:
host1#show ip local pool statistics
Local Address Pool Statistics
Statistic                          Values
---------------------------------  ------
Requests denied (pool exhaustion)  0
Related Documentation
• show ip local pool
Monitoring Shared Local Address Pools
Purpose
Display the shared local address pool configurations.
Action
To display shared local address pool configuration information:
host1#show ip local shared-pool
Shared Pool   In Use  Dhcp Pool
------------  ------  ------------
shared_poolA  253     dhcp_pool_25
shared_poolB  83      dhcp_pool_25
shared_poolC  99      dhcp_pool_17
Meaning
Table 28 on page 135 lists the show ip local shared-pool command output fields.
Table 28: show ip local shared-pool Output Fields
Field Name
Field Description
Shared Pool
Name of the shared local address pool
In Use
Number of addresses allocated
Dhcp Pool
Name of the DHCP address pool
Related Documentation
• show ip local shared-pool
Monitoring the Routing Table
Purpose
Display the current state of the routing table, including routes not used for forwarding. An Access-P entry in the Type column of the output indicates routes that are downloaded by the RADIUS route-download server.
Action
To display information in the routing table:
host1#show ip route
Protocol/Route type codes:
I1- ISIS level 1, I2- ISIS level2,
I- route type intra, IA- route type inter, E- route type external,
i- metric type internal, e- metric type external,
P- periodic download, O- OSPF, E1- external type 1, E2- external type2,
N1- NSSA external type1, N2- NSSA external type2
L- MPLS label, V- VRF, *- via indirect next-hop
Prefix/Length       Type       Next Hop         Dst/Met    Interface
------------------  ---------  ---------------  ---------  -----------------
0.0.0.0/0           Static     10.13.10.1       1/0        FastEthernet6/0/0
192.168.10.0/23     Connect    10.13.10.187     0/0        FastEthernet6/0/0
192.168.21.21/32    Access-P   255.255.255.255  254/2      null0
192.168.22.22/32    Access-P   255.255.255.255  254/2      null0
192.168.23.23/32    Access-P   255.255.255.255  254/2      null0
192.168.24.24/32    Access-P   255.255.255.255  254/2      null0
Meaning
Refer to the description of the show ip route command in JunosE IP, IPv6, and IGP Configuration Guide for additional information about the show ip route command.
Related Documentation
• show ip route
Monitoring the B-RAS License
Purpose
Display the B-RAS license.
Action
To display the B-RAS license:
host1#show license b-ras
K4bZ16Lr
Related Documentation
• show license b-ras
Monitoring the RADIUS Server Algorithm
Purpose
Display information about the currently configured RADIUS server algorithm.
Action
To display the RADIUS server algorithm:
host1#show radius algorithm
direct
Related Documentation
• show radius algorithm
Monitoring RADIUS Override Settings
Purpose
Display the current RADIUS override settings.
Action
To display the RADIUS override settings:
host1:vrXyz7#show radius override
nas-ip-addr: nas-ip-addr
nas-info:    from authentication virtual router
Meaning
Table 29 on page 137 lists the show radius override command output fields.
Table 29: show radius override Output Fields
Field Name
Field Description
nas-ip-addr
Either the NAS-IP-Address [4] attribute is used, or it is overridden with the Tunnel-Client-Endpoint [66] attribute.
nas-info
Either the NAS-IP-Address [4] and NAS-Identifier [32] attributes of the virtual router generating the accounting information are used, or they are overridden with the respective attributes of the authentication virtual router.
Related Documentation
• show radius override
Monitoring the RADIUS Rollover Configuration
Purpose
Display the configuration of the RADIUS rollover-on-reject feature.
Action
To display the RADIUS rollover configuration:
host1#show radius rollover-on-reject
rollover-on-reject enabled
Meaning
RADIUS rollover-on-reject is enabled.
Related Documentation
• show radius rollover-on-reject
Monitoring RADIUS Server Information
Purpose
Display RADIUS server information.
Use with the optional accounting, authentication, dynamic-request, route-download, or pre-authentication keywords to limit output to the specific type of server.
Action
To display RADIUS server configuration information:
host1#show radius servers
RADIUS Authentication Configuration
-----------------------------------
               Udp   Retry           Maximum   Dead
IP Address     Port  Count  Timeout  Sessions  Time  Secret  Status
-------------  ----  -----  -------  --------  ----  ------  ------
172.28.30.117  1812  3      3        255       30    radius  dead
172.28.30.118  1812  3      3        255       30    radius  active
172.28.30.119  1812  3      3        255       30    radius  alive

RADIUS Accounting Configuration
-------------------------------
               Udp   Retry           Maximum   Dead
IP Address     Port  Count  Timeout  Sessions  Time  Secret  Status
-------------  ----  -----  -------  --------  ----  ------  ------
172.28.30.117  1813  3      3        255       30    radius  dead
172.28.30.118  1813  3      3        255       30    radius  active
172.28.30.119  1813  3      3        255       30    radius  alive

RADIUS Pre-Authentication Configuration
---------------------------------------
               Udp   Retry           Maximum   Dead
IP Address     Port  Count  Timeout  Sessions  Time  Secret  Status
-------------  ----  -----  -------  --------  ----  ------  ------
172.28.30.117  1812  3      3        255       30    radius  dead
172.28.30.118  1812  3      3        255       30    radius  active
172.28.30.119  1812  3      3        255       30    radius  alive

RADIUS Route-Download Configuration
-----------------------------------
               Udp   Retry           Maximum   Dead
IP Address     Port  Count  Timeout  Sessions  Time  Secret  Status
-------------  ----  -----  -------  --------  ----  ------  ------
192.168.30.16  1812  3      3        255       30    radius  dead
192.168.30.17  1812  3      3        255       30    radius  active
192.168.30.18  1812  3      3        255       30    radius  alive

If a RADIUS server was never configured on the virtual router, the command displays the following message:
host1#show radius servers
no radius servers configured
If a RADIUS server was configured previously and then removed on the virtual router, the command displays only the column headings:
host1#show radius servers
RADIUS Authentication Configuration
-----------------------------------
               Udp   Retry           Maximum   Dead
IP Address     Port  Count  Timeout  Sessions  Time  Secret  Status
-------------  ----  -----  -------  --------  ----  ------  ------

RADIUS Accounting Configuration
-------------------------------
               Udp   Retry           Maximum   Dead
IP Address     Port  Count  Timeout  Sessions  Time  Secret  Status
-------------  ----  -----  -------  --------  ----  ------  ------

RADIUS Pre-Authentication Configuration
---------------------------------------
               Udp   Retry           Maximum   Dead
IP Address     Port  Count  Timeout  Sessions  Time  Secret  Status
-------------  ----  -----  -------  --------  ----  ------  ------

RADIUS Route-Download Configuration
-----------------------------------
               Udp   Retry           Maximum   Dead
IP Address     Port  Count  Timeout  Sessions  Time  Secret  Status
-------------  ----  -----  -------  --------  ----  ------  ------
Meaning
Table 30 on page 138 lists the show radius servers command output fields. Note that the Secret column displays the configured shared secret in cleartext, so treat the output of this command, and any log or ticket it is pasted into, as sensitive.
Table 30: show radius servers Output Fields
Field Name
Field Description
IP Address
IP address of the RADIUS server
Udp Port
Number of the UDP port of the RADIUS server
Retry Count
Maximum number of times that the router retransmits a RADIUS packet to the RADIUS server
Timeout
Interval (in seconds) before the router retransmits a RADIUS packet to the RADIUS server
Maximum Sessions
Maximum number of outstanding requests to the RADIUS server
Dead Time
Amount of time for which the authentication server or accounting server is removed from the available list when a timeout occurs
Secret
Configured authentication server or accounting server shared secret
Status
Status of the configured RADIUS server:
• dead: displayed if the server does not respond within the configured number of retransmissions and Dead Time is configured to a non-zero value.
• active: with the direct algorithm, displayed for the earliest configured non-dead server; with the round-robin algorithm, displayed for all non-dead servers.
• alive: with the direct algorithm, displayed for all non-dead servers except the earliest configured non-dead server; with the round-robin algorithm, displayed for no server.
Related Documentation
• show radius servers
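The dead, active and alive labels in the Status column follow from the dead-time and server-selection rules just described. The block below is an added example written for this page, not JunosE software; it models those rules in Python so that the sample output (.117 dead, .118 active, .119 alive under the direct algorithm) can be reproduced and the effect of dead time 0 and of round-robin selection can be seen. The class and function names are this example's own, and it assumes, as Table 30 states, that a server is marked dead for its dead time once one request exhausts its retry count, and that a dead time of 0 never removes a server from the list.

```python
"""Model of the Status column of `show radius servers` (added example, not JunosE code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    ip: str
    port: int = 1812
    retry_count: int = 3      # retransmissions before the request is abandoned
    timeout: int = 3          # seconds between retransmissions (unused by the model)
    dead_time: int = 30       # seconds a failed server is held out; 0 = never mark dead
    dead_until: float = 0.0   # timestamp until which the server is dead
    failures: int = 0         # consecutive unanswered transmissions

    def is_dead(self, now: float) -> bool:
        return now < self.dead_until


class ServerList:
    """Ordered RADIUS server list of one virtual router (assumed model)."""

    def __init__(self, servers: List[RadiusServer], algorithm: str = "direct"):
        if algorithm not in ("direct", "round-robin"):
            raise ValueError("unknown algorithm: " + algorithm)
        self.servers = servers
        self.algorithm = algorithm
        self._rr_index = 0

    def live(self, now: float) -> List[RadiusServer]:
        return [s for s in self.servers if not s.is_dead(now)]

    def select(self, now: float) -> Optional[RadiusServer]:
        """Server the next request goes to, or None when every server is dead."""
        live = self.live(now)
        if not live:
            return None
        if self.algorithm == "direct":          # always the earliest live server
            return live[0]
        chosen = live[self._rr_index % len(live)]
        self._rr_index += 1                     # rotate through the live servers
        return chosen

    def record_timeout(self, server: RadiusServer, now: float) -> None:
        """One transmission went unanswered. Once the initial send plus
        retry_count retransmissions all fail, the server is removed from the
        available list for dead_time seconds (only if dead_time is non-zero)."""
        server.failures += 1
        if server.failures > server.retry_count and server.dead_time > 0:
            server.dead_until = now + server.dead_time
            server.failures = 0

    def record_response(self, server: RadiusServer) -> None:
        server.failures = 0

    def status(self, now: float) -> List[Tuple[str, str]]:
        """(ip, status) pairs as the Status column of Table 30 would show them."""
        out = []
        first_live_seen = False
        for s in self.servers:
            if s.is_dead(now):
                out.append((s.ip, "dead"))
            elif self.algorithm == "round-robin" or not first_live_seen:
                out.append((s.ip, "active"))
                first_live_seen = True
            else:
                out.append((s.ip, "alive"))
        return out


def demo_direct(now: float = 1000.0) -> List[Tuple[str, str]]:
    """Reproduce the sample output: the first server never answers."""
    sl = ServerList([RadiusServer("172.28.30.117"),
                     RadiusServer("172.28.30.118"),
                     RadiusServer("172.28.30.119")], "direct")
    first = sl.select(now)
    for _ in range(first.retry_count + 1):   # initial send + 3 retries, no reply
        sl.record_timeout(first, now)
    return sl.status(now)


if __name__ == "__main__":
    for ip, state in demo_direct():
        print(ip, state)
```

With the direct algorithm, traffic only moves to .118 because .117 has been marked dead; once its dead time expires it becomes the active server again, which is why a flapping first server shows up as alternating dead/active entries rather than as round-robin behaviour.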
Monitoring RADIUS Services Statistics
Purpose
Display statistics for RADIUS services.
Use with the optional accounting, authentication, dynamic-request, route-download, or pre-authentication keywords to limit output to the specific type of statistics. Use the optional delta keyword to specify that baselined statistics are to be shown.
Action
To display RADIUS authentication and accounting statistics:
host1#show radius statistics
RADIUS Authentication Statistics
--------------------------------
Statistic            10.10.121.128
-------------------  -------------
UDP Port             1812
Round Trip Time      0
Access Requests      0
Rollover Requests    0
Retransmissions      0
Access Accepts       0
Access Rejects       0
Access Challenges    0
Malformed Responses  0
Bad Authenticators   0
Requests Pending     0
Request Timeouts     0
Unknown Responses    0
Packets Dropped      0

RADIUS Accounting Statistics
----------------------------
Statistic            10.10.121.128
-------------------  -------------
UDP Port             1646
Round Trip Time      2
Requests             1
Start Requests       1
Interim Requests     0
Stop Requests        0
Reject Requests      0
Rollover Requests    0
Retransmissions      3
Responses            1
Start Responses      1
Interim Responses    0
Stop Responses       0
Reject Responses     0
Malformed Responses  0
Bad Authenticators   0
Requests Pending     0
Request Timeouts     3
Unknown Responses    0
Packets Dropped      0
To display RADIUS pre-authentication statistics:
host1#show radius pre-authentication statistics
RADIUS Pre-Authentication Statistics
------------------------------------
Statistic            172.28.30.117
-------------------  -------------
UDP Port             1812
Round Trip Time      0
Access Requests      2809
Rollover Requests    0
Retransmissions      56
Access Accepts       2809
Access Rejects       0
Access Challenges    0
Malformed Responses  0
Bad Authenticators   0
Requests Pending     0
Request Timeouts     72
Unknown Responses    0
Packets Dropped      2
To display RADIUS route-download statistics:
host1#show radius route-download statistics
RADIUS Route-Download Statistics
--------------------------------
Statistic            192.168.30.16
-------------------  -------------
UDP Port             1812
Round Trip Time      0
Access Requests      1613
Rollover Requests    0
Retransmissions      6
Access Accepts       1612
Access Rejects       1
Access Challenges    0
Malformed Responses  0
Bad Authenticators   0
Requests Pending     0
Request Timeouts     6
Unknown Responses    0
Packets Dropped      5
Meaning
Table 31 on page 141 lists the show radius statistics command output fields.
NOTE: All descriptions apply to the primary, secondary, and tertiary RADIUS authentication and accounting servers.
Table 31: show radius statistics Output Fields
Field Name
Field Description
UDP Port
Number of the UDP port of a RADIUS server
Round Trip Time
Time from request to response, in hundredths of a second
Access Requests
Number of access requests sent to the server
Rollover Requests
Number of requests coming into the server as a result of the previous server timing out
Retransmissions
Number of retransmissions
Access Accepts
Number of Access-Accepts received from the server
Access Rejects
Number of Access-Rejects received from the server
Access Challenges
Number of Access-Challenges received from the server
Malformed Responses
Number of responses with attributes having an invalid length or unexpected attributes (such as two attributes when the response is required to have at most one)
Bad Authenticators
Number of responses in which the Response Authenticator is incorrect for the matching request. This occurs if the RADIUS shared secret configured on the router and on the server do not match; because the authenticator is keyed with the shared secret, a response that was not produced by a holder of the secret also fails this check.
Requests Pending
Number of requests waiting for a response
Request Timeouts
Number of requests that timed out
Unknown Responses
Number of unknown responses; the RADIUS response type (code) in the header is invalid or unsupported.
Packets Dropped
Number of packets dropped either because they are too short or because the E Series router receives a response for which there is no corresponding request. For example, if the router sends a request and the request times out, the router removes the request from the list and sends a new request. If the server is slow and sends a response to the first request after the router removes the request, the packet is dropped.
Requests
Total number of accounting requests sent, which is the combined total of Start Requests, Interim Requests, Stop Requests, and Reject Requests
Start Requests
Number of accounting start requests sent; includes Acct-On, Acct-Start, Acct-Link-Start, and Acct-Tunnel-Start requests
Interim Requests
Number of interim accounting requests
Stop Requests
Number of accounting stop requests sent; includes Acct-Off, Acct-Stop, Acct-Link-Stop, and Acct-Tunnel-Stop requests
Reject Requests
Number of accounting reject requests sent; includes Acct-Link-Reject and Acct-Tunnel-Reject requests
Responses
Number of accounting responses received from the server
Start Responses
Number of accounting start responses received; includes Acct-On, Acct-Start, Acct-Link-Start, and Acct-Tunnel-Start responses
Interim Responses
Number of interim accounting responses
Stop Responses
Number of accounting stop responses received; includes Acct-Off, Acct-Stop, Acct-Link-Stop, and Acct-Tunnel-Stop responses
Reject Responses
Number of accounting reject responses received; includes Acct-Link-Reject and Acct-Tunnel-Reject responses
Related Documentation
• show radius statistics
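The Packets Dropped, Unknown Responses, Bad Authenticators and Malformed Responses counters in Table 31 describe the checks a RADIUS client applies to every reply before it counts an Access-Accept or Access-Reject. The block below is an added example written for this page, not JunosE code: it implements the RFC 2865 Response Authenticator check (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret) and classifies received datagrams into the same counter names, so that the effect of a shared-secret mismatch or of a late reply to an already-timed-out request can be seen. The packets it processes are constructed in the file; the class and function names are the example's own, and the RADIUS codes and attribute layout are the standard RFC 2865 values.

```python
"""RADIUS reply validation as reflected in `show radius statistics` (added example, not JunosE code)."""
import hashlib
import os
import struct
from collections import Counter
from typing import Dict, List, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
KNOWN_RESPONSE_CODES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator (RFC 2865 s.3)


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    length = HEADER.size + len(attrs)
    head = struct.pack("!BBH", code, ident, length)
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_attrs(attrs: bytes) -> Optional[Dict[int, List[bytes]]]:
    """Walk the Type/Length/Value list; None if any Length is invalid (Malformed Response)."""
    out: Dict[int, List[bytes]] = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            return None
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            return None
        out.setdefault(t, []).append(attrs[i + 2:i + length])
        i += length
    return out


class RadiusClient:
    """Outstanding-request table plus the counters named in Table 31 (assumed model)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending: Dict[int, bytes] = {}   # Identifier -> Request Authenticator
        self.stats = Counter()

    def send_access_request(self, ident: int) -> bytes:
        request_auth = os.urandom(16)          # fresh, unpredictable per request
        self.pending[ident] = request_auth
        self.stats["Access Requests"] += 1
        return request_auth

    def time_out(self, ident: int) -> None:
        """Abandon a request; a late reply to it is then dropped (no matching request)."""
        self.pending.pop(ident, None)
        self.stats["Request Timeouts"] += 1

    def receive(self, pkt: bytes) -> str:
        """Classify one received datagram and update the counters."""
        if len(pkt) < HEADER.size:
            self.stats["Packets Dropped"] += 1            # too short
            return "dropped"
        code, ident, length, resp_auth = HEADER.unpack_from(pkt)
        if length < HEADER.size or length > len(pkt):
            self.stats["Packets Dropped"] += 1            # inconsistent Length
            return "dropped"
        pkt = pkt[:length]                                # trailing bytes are ignored
        if code not in KNOWN_RESPONSE_CODES:
            self.stats["Unknown Responses"] += 1
            return "unknown"
        request_auth = self.pending.get(ident)
        if request_auth is None:
            self.stats["Packets Dropped"] += 1            # no corresponding request
            return "dropped"
        attrs = pkt[HEADER.size:]
        expected = hashlib.md5(pkt[:4] + request_auth + attrs + self.secret).digest()
        if expected != resp_auth:                         # wrong secret or not from the server
            self.stats["Bad Authenticators"] += 1
            return "bad-authenticator"                    # request stays pending
        if parse_attrs(attrs) is None:
            self.stats["Malformed Responses"] += 1
            return "malformed"
        del self.pending[ident]
        name = {ACCESS_ACCEPT: "Access Accepts", ACCESS_REJECT: "Access Rejects",
                ACCESS_CHALLENGE: "Access Challenges"}[code]
        self.stats[name] += 1
        return name


if __name__ == "__main__":
    client = RadiusClient(b"radius")
    ra = client.send_access_request(7)
    svc = bytes([6, 6, 0, 0, 0, 2])                       # Service-Type = Framed-User
    print(client.receive(build_response(ACCESS_ACCEPT, 7, ra, svc, b"radius")))
    print(client.receive(build_response(ACCESS_ACCEPT, 7, ra, svc, b"wrong")))
    print(dict(client.stats))
```

The authenticator is checked before the attributes are parsed and the request is left outstanding when the check fails, so a reply from a host that does not hold the shared secret cannot complete or cancel a pending authentication; it only raises Bad Authenticators, which is why that counter deserves an alert threshold of zero.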
Monitoring RADIUS SNMP Traps
Purpose
Display the configuration of RADIUS SNMP traps.
Action
To display RADIUS SNMP traps configuration information:
host1#show radius trap
trap for auth-server-not-responding enabled
trap for no-auth-server-responding disabled
trap for auth-server-responding enabled
trap for acct-server-not-responding enabled
trap for no-acct-server-responding disabled
trap for acct-server-responding disabled
Meaning
A list of the configured RADIUS-related SNMP traps is displayed.
Related Documentation
• show radius trap
Monitoring RADIUS Accounting for L2TP Tunnels
Purpose
Display the status of RADIUS accounting for L2TP tunnels.
Action
To display the status of RADIUS accounting for L2TP tunnels:
host1#show radius tunnel-accounting
disabled
Meaning
RADIUS tunnel accounting is either enabled or disabled.
Related Documentation
• show radius tunnel-accounting
Monitoring RADIUS UDP Checksums
Purpose
Display the status of RADIUS UDP checksums.
Action
To display the status of RADIUS UDP checksums:
host1#show radius udp-checksum
enabled
Meaning
RADIUS UDP checksum processing is either enabled or disabled.
Related Documentation
• show radius udp-checksum
Monitoring RADIUS Server IP Addresses
Purpose
Display the IP address of the RADIUS servers.
Action
To display the RADIUS server IP address:
host1#show radius update-source-address
192.168.1.228
Related Documentation
• show radius update-source-addr
Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router Advertisements
Purpose
Display the RADIUS attribute used for IPv6 Neighbor Discovery router advertisements.
Action
To display the RADIUS attribute used for IPv6 Neighbor Discovery router advertisements:
host1#show aaa ipv6-nd-ra-prefix
IPv6 ND RA Prefix : IPv6-NdRa-Prefix (Juniper VSA)
Related Documentation
• show aaa ipv6-nd-ra-prefix
Monitoring the RADIUS Attribute Used for DHCPv6 Prefix Delegation
Purpose
Display the RADIUS attribute used for DHCPv6 Prefix Delegation.
Action
To display the RADIUS attribute used for DHCPv6 Prefix Delegation:
host1#show aaa dhcpv6-delegated-prefix
DHCPv6 Delegated Prefix : Framed-IPv6-Prefix
Related Documentation
• show aaa dhcpv6-delegated-prefix
Monitoring Duplicate IPv6 Prefixes
Purpose
Display whether detection of duplicate IPv6 Neighbor Discovery router advertisement prefixes and DHCPv6 delegated prefixes is enabled.
Action
To check whether duplicate IPv6 prefix detection is enabled:
host1#show aaa duplicate-prefix-check
enabled
Related Documentation
• show aaa duplicate-prefix-check
Monitoring Duplicate IPv6 Prefixes in the AAA User Profile Database
Purpose
Display whether detection of duplicate IPv6 Neighbor Discovery router advertisement prefixes and DHCPv6 delegated prefixes in the AAA user profile database is enabled.
Action
To check whether enhanced duplicate IPv6 prefix detection is enabled:
host1#show aaa duplicate-prefix-check-extension
enabled
Related Documentation
• Duplicate IPv6 Prefix Detection in the AAA User Profile Database Overview on page 40
• Configuring Detection of Duplicate IPv6 Prefixes in the AAA User Profile Database on page 91
• show aaa duplicate-prefix-check-extension
Monitoring SRC Client Connection Status
Purpose
Display the current status of the SRC client connection to the SAEs. The command output refers to the SRC client by its former name, SSC client.
Action
To display the status of the SRC client connection:
host1#show sscc info
The SSC Client configured protocols : IP(v4), DHCP(v4), L2TP(LAC)
The SSC Client is currently unconnected
The SSC Client configured servers are:
  Primary: 10.10.2.2:3
  Secondary: 0.0.0.0:0
  Tertiary: 0.0.0.0:0
Local Source: FastEthernet 0/0, Local Source Address: 10.13.5.61
The configured transport router is: default
The configured retry timer is (seconds): 90
The configured update-policy-request is: Enabled
The connection state is: NoConnection
SSC Client Statistics:
  Policy Commands received     0
  Policy Commands(List)        0
  Policy Commands(Acct)        0
  Bad Policy Cmds received     0
  Error Policy Cmds received   0
  Policy Reports sent          0
  Connection Open requests     0
  Connection Open completed    0
  Connection Closed sent       0
  Connection Closed remotely   0
  Create Interfaces sent       0
  Delete Interfaces sent       0
  Active IP Interfaces         2
  IP Interface Transitions     0
  Synchronizes received        0
  Synchronize Complete sent    0
  Internal Errors              0
  Communication Errors         0
  Tokens Seen                  0
  Active Tokens                0
  Token Transitions            0
  Token Creates Sent           0
  Token Deletes Sent           0
  Active Addresses             0
  Address Transitions          0
  Create Addresses Sent        0
  Delete Addresses Sent        0
  Authentication Successes     0
  Authentication Failures      0
Meaning
Table 32 on page 146 lists the show sscc info command output fields.
Table 32: show sscc info Output Fields
Field Name | Field Description
The SSC client configured protocols | Protocols that are enabled on the virtual router for policy and QoS management by the SRC software
The SSC client configured servers | IP addresses of the primary, secondary, and tertiary SAEs
Local Source | Fixed source interface for the TCP/COPS connection
Local Source Address | Fixed source address for the TCP/COPS connection
The configured transport router is | Router on which the TCP/COPS connection is established
The configured retry timer is (seconds) | Delay period the client waits for a response from the SAE before submitting the request again
The configured update-policy-request is | Whether the SRC client retrieves DSL line rate parameters from ANCP whenever the values change after connection establishment and transfers them to the COPS server along with other COPS messages; enabled or disabled
The connection state is | Current state of the TCP/COPS connection
SSC Client Statistics | Statistics about the connection between the SRC client and SAE:
  • Policy Commands received—Number of policy commands received on the SRC client connection
  • Policy Commands(List)—Number of Policy Commands with subtype List
  • Policy Commands(Acct)—Number of Policy Commands with subtype Accounting
  • Bad Policy Cmds received—Number of Policy Commands received with bad policies
  • Error Policy Cmds received—Number of Policy Commands received with errors
  • Policy Reports sent—Number of Policy Reports sent
  • Connection Open requests—Number of connections the SRC client has tried to open with a remote SAE
  • Connection Open completed—Number of connections successfully opened to the SAE
  • Connection Closed sent—Number of connections the SRC client has closed
  • Connection Closed remotely—Number of connections that were closed by the remote SAE
  • Create Interfaces sent—Number of create interface indications sent to the SAE
  • Delete Interfaces sent—Number of delete interface indications sent to the SAE
  • Active IP Interfaces—Current number of active IP interfaces the SRC client is aware of
  • IP Interface Transitions—Number of IP interface transitions logged by the SRC client
  • Synchronizes received—Number of synchronization requests the SRC client received from the SAE
  • Synchronize Complete sent—Number of synchronization complete indications sent
  • Internal Errors—Number of internal errors
  • Communication Errors—Number of errors with lower-layer communications (such as socket errors)
Related Documentation
• show sscc info
Monitoring SRC Client Connection Statistics
Purpose
Display statistics about the connection between the SRC client and SAE. The command output refers to the SRC client by its former name, SSC client.
Action
To display statistics for the SRC client connection:
host1#show sscc statistics
SSC Client Statistics:
  Policy Commands received     0
  Policy Commands(List)        0
  Policy Commands(Acct)        0
  Bad Policy Cmds received     0
  Error Policy Cmds received   0
  Policy Reports sent          3
  Connection attempts          7
  Connection Open requests     7
  Connection Open completed    0
  Connection Closed sent       0
  Connection Closed remotely   5
  Create Interfaces sent       0
  Delete Interfaces sent       3
  Active IP Interfaces         3282
  IP Interface Transitions     3281
  Synchronizes received        0
  Synchronizes rcvd & dropped  0
  Synchronize Complete sent    2
  Internal Errors              0
  Communication Errors         0
  Discovers Seen               15263
  Active Discovers             4911
  Discover Transitions         20704
  Discover Creates Sent        15263
  Discover Deletes Sent        10352
  Active Addresses             3274
  Address Transitions          3280
  Create Addresses Sent        3277
  Delete Addresses Sent        3
Meaning
Table 33 on page 148 lists the show sscc statistics command output fields.
Table 33: show sscc statistics Output Fields
Field Name | Field Description
Policy Commands received | Number of policy commands received on the SRC client connection
Policy Commands(List) | Number of Policy Commands with subtype List
Policy Commands(Acct) | Number of Policy Commands with subtype Accounting
Bad Policy Cmds received | Number of Policy Commands received with bad policies
Error Policy Cmds received | Number of Policy Commands received with errors
Policy Reports sent | Number of Policy Reports sent
Connection Open requests | Number of connections the SRC client has tried to open with a remote SAE
Connection Open completed | Number of connections successfully opened to the SAE
Connection Closed sent | Number of connections the SRC client has closed
Connection Closed remotely | Number of connections that were closed by the remote SAE
Create Interfaces sent | Number of create interface indications sent to the SAE
Delete Interfaces sent | Number of delete interface indications sent to the SAE
Active IP Interfaces | Current number of active IP interfaces the SRC client is aware of
IP Interface Transitions | Number of IP interface transitions logged by the SRC client
Synchronizes received | Number of synchronization requests the SRC client received from the SAE
Synchronize Complete sent | Number of synchronization complete indications sent
Internal Errors | Number of internal errors
Communication Errors | Number of errors with lower-layer communications (such as socket errors)
Related Documentation
• show sscc statistics
Monitoring the SRC Client Version Number
Purpose
Display the SRC client (formerly SDX client) version number.
Action
To display the SRC client version number:
host1#show sscc version
The SSC Client version is: 4.0
Related Documentation
• show sscc version
Monitoring the SRC Option
Purpose
Display information about SRC client options for the virtual router.
Action
To display the SRC options:
host1#show sscc options
The SSC Client options for vr default:
generate-nas-port-id: disabled
Send-Calling-Station-Id with radius-default-value: enabled
Send-Calling-Station-Id with radius-overridden-value: disabled
send-lac-nas-ip: enabled
send-lac-nas-port: enabled
send-local-qos-profile-config: disabled
user-ip-mask-override: disabled
Meaning
Table 34 on page 150 lists the show sscc options command output fields.
Table 34: show sscc options Output Fields
Field Name | Field Description
generate-nas-port-id | If enabled, the LNS side NAS-Port information is sent to the PDP for a virtual router
Send-Calling-Station-Id with radius-default-value | If enabled, the default calling station ID is sent to the PDP for a virtual router, irrespective of whether the ID is included in or excluded from the Access-Request and Acct-Start messages sent from the RADIUS client to the server
Send-Calling-Station-Id with radius-overridden-value | If enabled, the overridden calling station ID is sent to the PDP for a virtual router, irrespective of whether the ID is included in or excluded from the Access-Request and Acct-Start messages sent from the RADIUS client to the server
send-calling-station-id | If enabled, the calling station ID is sent to the PDP for a virtual router
send-lac-nas-ip | If enabled, the LAC side NAS-IP address information is sent to the PDP for a virtual router
send-lac-nas-port | If enabled, the LAC side NAS-Port information is sent to the PDP for a virtual router
send-local-qos-profile-config | If enabled, the local QoS profile attachment information is sent to the PDP for a virtual router
user-ip-mask-override | If enabled, the user IP address mask is sent to the PDP for a virtual router
Related Documentation
• show sscc options
• sscc option
Monitoring Subscriber Information
Purpose
Display active subscribers on the router. If you specify a username, the router displays only the users that match the username. When you issue the show subscribers command in the default VR, all users are displayed. When you issue the show subscribers command in a nondefault VR, only those users attached to that VR are displayed. The following list describes keywords that you can issue with the show subscribers command:
• You can specify the domain, interface, port, profile, slot, username, or virtual-router keyword on all routers to filter the results. If you do not specify a keyword, all active users are displayed.
• When you use the interface keyword to display detailed subscriber information by interface, you must also specify the atm, ethernet, or lag keyword, an interface specifier, and, optionally, a subinterface specifier.
• If you specify the lag keyword, the output displays active subscribers for the specified LAG interface. By default, the aaa intf-desc-format include sub-intf enable command includes the subinterface and S-VLAN ID in the LAG interface ID. Use the aaa intf-desc-format include sub-intf disable command to exclude the subinterface and S-VLAN ID from the LAG interface ID.
• The output displayed in the Interface field depends on the configuration of two commands at the time the subscriber logs in: aaa intf-desc-format include sub-intf and aaa intf-desc-format include adapter (for the E120 and E320 Broadband Services Routers).
  • When you issue the aaa intf-desc-format include sub-intf disable command, the subinterface is stripped from the subscriber’s interface field at login and is not displayed in the output. In the default state, or when you issue the aaa intf-desc-format include sub-intf enable command, the subinterface is included in the subscriber’s interface field at login and is displayed in the output.
  • When you issue the aaa intf-desc-format include adapter disable command, the adapter is stripped from the subscriber’s interface field at login and is not displayed in the output. In the default state, or when you issue the aaa intf-desc-format include adapter enable command, the adapter is included in the subscriber’s interface field at login and is displayed in the output.
  • Even when the subinterface has been stripped from the subscriber’s interface field, you can still include the subinterface specifier in the show subscribers interface command. Even though the subinterface itself is not displayed, only subscribers on the specified subinterface are displayed.
  • These considerations do not apply when you issue the summary keyword. The Interface field in the summary output is not affected by the state of either the aaa intf-desc-format include sub-intf command or the aaa intf-desc-format include adapter command when the subscriber logs in.
• You can issue the ipv6 keyword to display all IPv6 subscribers, or include an IPv6 prefix to limit the display to IPv6 subscribers on a specific network.
• You can issue the icr-partition keyword to display active subscribers for a particular ICR partition configured on a chassis.
NOTE: If you attempt to bring up tunneled subscribers on ACI-based VLAN subinterfaces on LAC devices with subscriber groups that are based on S-VLAN IDs (using the ip vrrp vrid icr-partition group svlan command on S-VLAN subinterfaces), the VLAN subinterface does not come up and no log message denoting its down state is generated. If you attempt to bring up tunneled subscribers on ACI-based VLAN subinterfaces on LAC devices with subscriber groups that are based on VLAN IDs (using the ip vrrp vrid icr-partition group vlan command on VLAN subinterfaces), the subscribers over tunnels are brought up; however, on the LAC device, the subscribers are logged in outside of the ICR partition. This behavior is expected when attempts are made to log in tunneled subscribers over ACI-based VLAN subinterfaces configured with ICR partitions with VLAN-based grouping or S-VLAN-based grouping.
• You can use the profile keyword to list subscribers who share the same profile.
• You can specify the summary keyword to display only summary information about active subscribers.
• In the Interface field in the output of the show subscribers command, for subscribers that are logged in to the router over VLAN interfaces configured on a LAG bundle using protocols such as DHCP or PPPoE, the logged-in subscriber name is displayed against the LAG bundle rather than against the member interface where the user session is established. The subscriber sessions are displayed for the corresponding major interfaces, such as Ethernet, only if the subscribers are logged in over VLAN subinterfaces configured over major interfaces.
Action
To display general subscriber information:
host1# show subscribers
Subscriber List
---------------
User Name                 Type  Addr|Endpt            Virtual Router
------------------------  ----  --------------------  --------------
fred                      tst   10.10.65.86/radius    default
bert                      tst   192.168.10.3/user     default

User Name                 Interface
------------------------  --------------------------------
fred                      atm 2/1.42:100.104
bert                      FastEthernet 5/2.4

User Name                 Login Time
------------------------  -----------------
fred                      06/05/12 10:58:42
bert                      06/05/12 10:59:08

User Name                 Circuit Id            Remote Id
------------------------  --------------------  ---------------
fred                      atm 5/1.3
bert                                            (800) 555-1212
To display detailed information about subscribers on the specified interface:
host1# show subscribers interface ethernet 5/2
Subscriber List
---------------
User Name                 Type  Addr|Endpt            Virtual Router
------------------------  ----  --------------------  --------------
bert                      tst   192.168.10.3/user     default

User Name                 Interface
------------------------  --------------------------------
bert                      FastEthernet 5/2.4

User Name                 Login Time
------------------------  -----------------
bert                      06/05/12 10:59:08

User Name                 Circuit Id            Remote Id
------------------------  --------------------  ---------------
bert                                            (800) 555-0000
To display detailed information about subscribers on the specified LAG interface:
host1# show subscribers interface lag lag2.1:1-1
Subscriber List
---------------
User Name                 Type  Addr|Endpt
------------------------  ----  ------------
4101DHCPCLIENT@CT.NET     ip    2.0.0.3/user

User Name                 Interface
------------------------  --------------
4101DHCPCLIENT@CT.NET     lag lag2.1:1-1

User Name                 Login Time
------------------------  ------------------
4101DHCPCLIENT@CT.NET     09/10/29 02:07:51

User Name                 Router    Circuit Id        Remote Id
------------------------  --------  ----------------  ----------------
4101DHCPCLIENT@CT.NET     default
To display detailed information about subscribers on the specified slot:
host1# show subscribers slot 5
Subscriber List
---------------
User Name                 Type  Addr|Endpt            Virtual Router
------------------------  ----  --------------------  --------------
fred                      tst   10.10.65.86/radius    default

User Name                 Interface
------------------------  --------------------------------
fred                      atm 5/1.42:100.104

User Name                 Login Time
------------------------  -----------------
fred                      06/05/12 10:58:42

User Name                 Circuit Id            Remote Id
------------------------  --------------------  ---------------
fred                      atm 5/1.3
To display detailed information about subscribers who share the same profile:
host1# show subscribers profile aaa
Subscriber List
---------------
User Name                 Type  Addr|Endpt            Virtual Router
------------------------  ----  --------------------  --------------
user                      ppp   20.10.10.3/local      default
user                      ppp   20.10.10.8/local      default

User Name                 Interface
------------------------  --------------------------------
user                      FastEthernet 1/5
user                      FastEthernet 1/5

User Name                 Login Time
------------------------  -----------------
user                      12/08/21 11:36:05
user                      12/08/22 16:34:53

User Name                 Circuit Id            Remote Id        Profile Name
------------------------  --------------------  ---------------  ------------
user                                                             aaa
user                                                             aaa
To display the number of subscribers who share the same profile:
host1# show subscribers summary profile
Profile Name                          Count
------------------------------------  -----
aa                                    2
aaa                                   2
aab                                   2
Total Subscribers : 6 (chassis-wide total)
Peak Subscribers : 6 (chassis-wide total)
To display the number of subscribers on each virtual router, as well as the total and peak subscribers for the chassis:
host1#show subscribers summary
Virtual Router    Subscribers  Ppp   Ip    Tnl   Total
----------------  -----------  ----  ----  ----  -----
default           1            1     0     0     1
Total Subscribers : 10 (chassis-wide total)
Peak Subscribers : 15 (chassis-wide total)
To display the number of subscribers on each port:
host1#show subscribers summary port
Interface         Count
----------------  -----
3/1               5
2/1               5
Total Subscribers : 10 (chassis-wide total)
Peak Subscribers : 15 (chassis-wide total)
To display the number of subscribers by domain name:
host1#show subscribers summary domain
Domain Name                           Count
------------------------------------  -----
abc.com                               5
iii.com                               5
Total Subscribers : 10 (chassis-wide total)
Peak Subscribers : 15 (chassis-wide total)
To display the number of subscribers by interface:
host1#show subscribers summary interface
Interface                 Count
------------------------  -----
ATM 3/2.1                 1
ETHERNET 5/2.1            2
LAG lag1.100              1
Total Subscribers: 4 (chassis-wide total)
Peak Subscribers: 8 (chassis-wide total)
To display the number of subscribers by slot:
host1#show subscribers summary slot
Slot         Count
-----------  -----
3            1
5            4
Total Subscribers : 5 (chassis-wide total)
Peak Subscribers : 8 (chassis-wide total)
To display the number of subscribers by ICR partition:
host1#show subscribers summary icr-partition
ICR-Partition (location-id)                  Count
-------------------------------------------  -------
3/0.1.4                                      5
3/0.2.5                                      5
Total Subscribers: 10 (chassis-wide total)
Peak Subscribers: 15 (chassis-wide total)
To display the number of subscribers that are logged in on top of a LAG bundle:
host1#show subscribers summary lag
Interface                 Count
------------------------  -----
LAG OLT                   6
Total Subscribers : 6 (chassis-wide total)
Peak Subscribers : 6 (chassis-wide total)
Meaning
Table 35 on page 155 lists the show subscribers command output fields.
Table 35: show subscribers Output Fields
Field Name | Field Description
User Name | Name of the subscriber
Type | Type of subscriber: atm, ip, ipsec, ppp, tnl (tunnel), or tst (test)
Addr|Endpt | IP or IPv6 address and source of the address: l2tp, local, dhcp, radius, or user. For local, dhcp, radius, and user endpoints, the address is that of the user. When the endpoint is l2tp, the address is that of the LNS
Virtual Router | Name of the virtual router context
Interface | Interface specifier over which the subscriber is connected
Login Time | Date, in YY/MM/DD format, and time the subscriber logged in
Circuit Id | User circuit ID value specified by PPPoE
Remote Id | User remote ID value specified by PPPoE
Total Subscribers | Number of active subscribers, chassis-wide
Peak Subscribers | Maximum value that has been displayed in the Total Subscribers field during the time the router has been active, chassis-wide
Subscribers | Number of subscribers; the sum of the Ppp and Ip fields
Ppp | Number of PPPoA and PPPoE users, combined
Ip | Number of DHCP and IP subscriber manager users, combined
Tnl | Number of users tunneled to an LNS
Total | Total number of users per virtual router; the sum of the Ppp, Ip, and Tnl fields
Domain Name | Domain name used by the subscriber
ICR-Partition (location-id) | A unique identifier for each ICR partition on a chassis. Note that this ID is different from the partition name, which is configured using the ip vrrp vrid icr-partition partitionName command
Count | Number of subscribers
Slot | Slot number in the chassis
Related Documentation
• show subscribers
Monitoring Application Terminate Reason Mappings
Purpose
Display information about the mappings for application terminate reasons.
Action
To display the current terminate reasons mapped to RADIUS Acct-Terminate-Cause codes:
This example uses the radius keyword to display all current terminate reasons mapped to RADIUS Acct-Terminate-Cause codes. The output lists all PPP mappings, followed by L2TP mappings, and then AAA mappings.
host1(config)#run show terminate-code radius
Apps  Terminate Reason                              Description                                   Radius Code
----  --------------------------------------------  --------------------------------------------  -----------
ppp   authenticate-authenticator-timeout            authenticate authenticator timeout            17
ppp   authenticate-challenge-timeout                authenticate challenge timeout                10
ppp   authenticate-chap-no-resources                authenticate chap no resources                10
ppp   authenticate-chap-peer-authenticator-timeout  authenticate chap peer authenticator timeout  17
ppp   authenticate-deny-by-peer                     authenticate deny by peer                     17
ppp   authenticate-inactivity-timeout               authenticate inactivity timeout               4
ppp   authenticate-max-requests                     authenticate max requests                     10
--More--
To display all terminate reasons that are mapped to a specific terminate code:
This example uses the radius keyword and a RADIUS Acct-Terminate-Cause code (radius 4) to display all terminate reasons mapped to the specified terminate code.
host1(config)#run show terminate-code radius 4
Apps  Terminate Reason                  Description                       Radius Code
----  --------------------------------  --------------------------------  -----------
ppp   authenticate-inactivity-timeout   authenticate inactivity timeout   4
l2tp  session-timeout-inactivity        session timeout inactivity        4
To display all current mappings for a particular application’s terminate reasons:
This example uses aaa as the application.
host1(config)#run show terminate-code aaa
Apps  Terminate Reason                      Description                                       Radius Code
----  ------------------------------------  ------------------------------------------------  -----------
aaa   deny-server-not-available             deny server not available                         17
aaa   deny-server-request-timeout           deny server request timed out                     17
aaa   deny-authentication-failure           deny authentication failure from server           17
aaa   deny-address-assignment-failure       deny address assignment failure                   17
aaa   deny-address-allocation-failure       deny address allocation failure                   17
aaa   deny-no-address-allocation-resources  deny insufficient resources for address allocation 17
aaa   deny-unknown-subscriber               deny no such server entry                         17
aaa   deny-no-resources                     deny no resources available                       10
--More--
To display the mapping for a specific terminate reason for an application:
This example uses l2tp as the application and session-access-interface-down as the terminate reason.
host1#show terminate-code l2tp session-access-interface-down
Terminate Reason Description                                   Radius Code
------------------------------------------------------------  -----------
session access interface down                                 8
Meaning
Table 36 on page 158 lists the show terminate-code command output fields.
Table 36: show terminate-code Output Fields
Field Name | Field Description
Apps | The application generating the terminate reason: AAA, L2TP, PPP, or RADIUS client
Terminate Reason | The application’s terminate reason
Description | Descriptive text for the terminate reason
Radius Code | The RADIUS Acct-Terminate-Cause code to which the application’s terminate reason is mapped
Related Documentation
• show terminate-code
Monitoring IPv6 Local Pools for DHCP Prefix Delegation By All Configured Pools
Purpose
Display a summary of all the IPv6 local address pools configured on a virtual router, along with the prefix ranges in each of those pools, the total number of prefixes that can be allocated to clients, and the number of prefixes that are in use by clients.
Action
To display information about all the IPv6 local address pools configured on a virtual router:
host1#show ipv6 local pool
IPv6 Local Address Pools
------------------------
Pool             Start                     End                       Total   In Use
---------------  ------------------------  ------------------------  ------  ------
ipv6Pool-pppoa   2002:2002::/48            2002:2002:ffff::/48       65536   0
ipv6Pool-pppoe   3003:3003::/48            3003:3003:ffff::/48       65536   0
example          4004:4004::/48            4004:4004:ffff::/48       65536   16000
Meaning
Table 37 on page 159 lists the show ipv6 local pool command output fields.
Table 37: show ipv6 local pool Output Fields
Field Name | Field Description
Pool | Names of IPv6 local address pools configured on the virtual router
Start | Starting prefix of the range of prefixes configured in a particular pool
End | Ending prefix of the range of prefixes configured in a particular pool
Total | Number of prefixes available for allocation to clients from a particular pool
In Use | Number of prefixes in a pool that are currently used by DHCPv6 clients
Related Documentation
• show ipv6 local pool
Monitoring IPv6 Local Pools for DHCP Prefix Delegation By Pool Name

Purpose
Display prefix delegation details for an IPv6 local address pool configured on a virtual router.

Action
To display prefix delegation information for a specific IPv6 local address pool:

host1#show ipv6 local pool example
Pool : example
Utilization : 24
Start           End                  Total  In Use  Exclude  Util  Preferred Lifetime  Valid Lifetime
--------------  -------------------  -----  ------  -------  ----  ------------------  --------------
4004:4004::/48  4004:4004:ffff::/48  65536  16000   1        24    30 minutes          1 day
Exclude : 4004:4004::/48
Dns Servers : 5:5:5:5:5:5:5:5
              6:6:6:6:6:6:6:6
Domain Search List : example-1.com
                     example-2.com
                     example-3.com
                     example-4.com

Meaning
Table 38 on page 160 lists the show ipv6 local pool poolName command output fields.

Table 38: show ipv6 local pool poolName Output Fields

Field Name          Field Description
Pool                Name of the IPv6 local address pool for which prefix delegation details are displayed
Utilization         Percentage of IPv6 prefixes currently allocated to clients from the local address pool
Start               Starting prefix of the range of prefixes configured in a particular pool
End                 Ending prefix of the range of prefixes configured in a particular pool
Total               Number of prefixes available for allocation to clients from a particular pool
In Use              Number of prefixes in a pool that are currently used by DHCPv6 clients
Preferred Lifetime  Amount of time for which the prefix remains preferred for the requesting router to use
Valid Lifetime      Amount of time for which the prefix remains valid for the requesting router to use
Exclude             Prefix length or prefix range excluded from allocation to the requesting router
Util                Percentage of prefixes currently allocated to clients from a particular prefix range in the pool
Dns Servers         List of IPv6 addresses of DNS servers to be sent to clients in the DHCPv6 responses
Domain Search List  List of domain names configured in the IPv6 local pool for DNS resolution

Related Documentation
• show ipv6 local pool
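The per-pool output above is what an operator scrapes to catch a pool before it runs out of prefixes, at which point new subscribers stop receiving delegations. The following Python parser is an added example, not part of the JunosE guide or the router software. It reads the Start/End/Total/In Use/Exclude/Util row and the Exclude, Dns Servers and Domain Search List lists, recomputes the pool-wide utilization from the ranges, and flags pools at or above a threshold. Because `show ipv6 local ndra-pool poolName` (described later in this chapter) shares the same row columns without the lifetime columns, the same parser handles that output too. Both sample outputs are constructed from the values in the guide's examples; real output may differ in column alignment, so rows are split on whitespace rather than read at fixed offsets.

```python
"""Parse `show ipv6 local pool <name>` / `show ipv6 local ndra-pool <name>` output
and flag pools nearing exhaustion. Added example; not from the JunosE guide."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample outputs, modelled on the values in the guide's examples.
SAMPLE_PD_POOL = """\
Pool : example
Utilization : 24
Start           End                  Total  In Use  Exclude  Util  Preferred Lifetime  Valid Lifetime
--------------  -------------------  -----  ------  -------  ----  ------------------  --------------
4004:4004::/48  4004:4004:ffff::/48  65536  16000   1        24    30 minutes          1 day
Exclude : 4004:4004::/48
Dns Servers : 5:5:5:5:5:5:5:5
              6:6:6:6:6:6:6:6
Domain Search List : example-1.com
                     example-2.com
"""
SAMPLE_NDRA_POOL = """\
Pool : example
Utilization : 24
Start                  End                    Total  In Use  Exclude  Util
---------------------  ---------------------  -----  ------  -------  ----
2002:2002::/64         2002:2002:ffff::/64    65536  0       0        0
3003:3003::/64         3003:3003:0:1000::/64  17     0       0        0
4004:4004:0:ff00::/64  4004:4004:0:ffff::/64  256    0       0        0
"""


@dataclass
class PrefixRange:
    start: str
    end: str
    total: int
    in_use: int
    exclude: int
    util: int                                  # percentage as reported by the router
    preferred_lifetime: Optional[str] = None   # absent in ndra-pool output
    valid_lifetime: Optional[str] = None


@dataclass
class Pool:
    name: str = ""
    utilization: int = 0                       # pool-wide percentage as reported
    ranges: List[PrefixRange] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)
    domain_search: List[str] = field(default_factory=list)

    def computed_utilization(self) -> int:
        """Recompute the pool-wide percentage from the ranges (truncated, like the router)."""
        total = sum(r.total for r in self.ranges)
        return sum(r.in_use for r in self.ranges) * 100 // total if total else 0


# start  end  total  in_use  exclude  util  [lifetimes...]
_ROW = re.compile(r"^([0-9A-Fa-f:]+/\d+)\s+([0-9A-Fa-f:]+/\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*(.*)$")
_LISTS = ("Exclude", "Dns Servers", "Domain Search List")


def parse_pool(text: str) -> Pool:
    pool, current = Pool(), None           # `current` receives continuation lines of a list
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Start", "---")):
            continue
        m = _ROW.match(line)
        if m:
            words = m.group(7).split()     # e.g. ["30", "minutes", "1", "day"]
            lifetimes = [" ".join(words[i:i + 2]) for i in range(0, len(words), 2)]
            pool.ranges.append(PrefixRange(
                m.group(1), m.group(2), int(m.group(3)), int(m.group(4)),
                int(m.group(5)), int(m.group(6)),
                lifetimes[0] if len(lifetimes) > 0 else None,
                lifetimes[1] if len(lifetimes) > 1 else None))
            current = None
            continue
        label, _, rest = line.partition(":")
        label = label.strip()
        if label == "Pool":
            pool.name, current = rest.strip(), None
        elif label == "Utilization":
            pool.utilization, current = int(rest), None
        elif label in _LISTS:
            current = {"Exclude": pool.excluded, "Dns Servers": pool.dns_servers,
                       "Domain Search List": pool.domain_search}[label]
            current.extend(rest.split())
        elif current is not None:          # indented continuation of the current list
            current.extend(line.split())
    return pool


def pools_over_threshold(pools: List[Pool], threshold_pct: int = 80) -> List[str]:
    """Names of pools whose recomputed utilization is at or above the threshold."""
    return [p.name for p in pools if p.computed_utilization() >= threshold_pct]
```

For the guide's example pool, 16000 of 65536 prefixes in use recomputes to 24 percent, matching the Utilization line the router prints; a mismatch between the reported and recomputed figures is itself worth alerting on, since it means a range was not parsed.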
Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation

Purpose
Display IPv6 local address pool statistics used for DHCP prefix delegation to requesting routers.

Action
To display all IPv6 local address pool statistics for prefix delegation to clients:

host1#show ipv6 local pool statistics
IPv6 Local Address Pool Statistics
----------------------------------
Statistic          Value
-----------------  -----
Allocations        0
Allocation Errors  0
Releases           0
Release Errors     0

Meaning
Table 39 on page 161 lists the show ipv6 local pool statistics command output fields.

Table 39: show ipv6 local pool statistics Output Fields

Field Name         Field Description
Allocations        Number of prefixes allocated to DHCPv6 clients from the local address pool
Allocation Errors  Number of errors encountered during the allocation of prefixes
Releases           Number of prefixes released back to the pool
Release Errors     Number of errors encountered during the process of release of previously assigned prefixes by the requesting router

Related Documentation
• show ipv6 local pool
Monitoring IPv6 Local Pools for Neighbor Discovery Router Advertisements for all Configured Pools

Purpose
Display a summary of all the IPv6 local address pools configured on a virtual router, along with the prefix ranges in each of those pools, the total number of prefixes that can be allocated to clients, and the number of prefixes that are in use by clients for Neighbor Discovery router advertisements.

Action
To display information about all the IPv6 local address pools configured on a virtual router for Neighbor Discovery router advertisements:

host1#show ipv6 local ndra-pool
IPv6 Local Address ND-RA Pools
Pool             Start                  End                  Total  In Use
---------------  ---------------------  -------------------  -----  ------
ipv6Pool-expm1   2002:2002::/64         2002:2002:ffff::/64  65536  0
ipv6Pool-expm2   3003:3003::/48         3003:3003:ffff::/48  65536  0
example          4004:4004:0:ff00::/64  4004:4004:ffff::/48  65536  16000

Meaning
Table 40 on page 162 lists the show ipv6 local ndra-pool command output fields.

Table 40: show ipv6 local ndra-pool Output Fields

Field Name  Field Description
Pool        Names of IPv6 Neighbor Discovery router advertisement local address pools configured on the virtual router
Start       Starting prefix of the range of prefixes configured in a particular Neighbor Discovery router advertisements pool
End         Ending prefix of the range of prefixes configured in a particular Neighbor Discovery router advertisements pool
Total       Number of prefixes available for allocation to clients from a particular Neighbor Discovery router advertisements pool
In Use      Number of prefixes in a pool that are currently used by Neighbor Discovery clients

Related Documentation
• IPv6 Prefix Allocation Using Neighbor Discovery Router Advertisements from IPv6 Address Pools Overview on page 54
• Monitoring IPv6 Local Pools for Neighbor Discovery Router Advertisements by Pool Name on page 162
• Monitoring IPv6 Local Pool Statistics for Neighbor Discovery Router Advertisements Allocation of Prefixes on page 163
• show ipv6 local ndra-pool
Monitoring IPv6 Local Pools for Neighbor Discovery Router Advertisements by Pool Name

Purpose
Display information about an IPv6 local address pool for Neighbor Discovery router advertisements configured on a virtual router.

Action
To display information about an IPv6 local address pool for Neighbor Discovery router advertisements configured on a virtual router:

host1#show ipv6 local ndra-pool example
Pool : example
Utilization : 24
Start                  End                    Total  In Use  Exclude  Util
---------------------  ---------------------  -----  ------  -------  ----
2002:2002::/64         2002:2002:ffff::/64    65536  0       0        0
3003:3003::/64         3003:3003:0:1000::/64  17     0       0        0
4004:4004:0:ff00::/64  4004:4004:0:ffff::/64  256    0       0        0

Meaning
Table 41 on page 163 lists the show ipv6 local ndra-pool poolName command output fields.

Table 41: show ipv6 local ndra-pool poolName Output Fields

Field Name  Field Description
Pool        Names of IPv6 Neighbor Discovery router advertisements local address pools configured on the virtual router
Start       Starting prefix of the range of prefixes configured in a particular Neighbor Discovery router advertisements pool
End         Ending prefix of the range of prefixes configured in a particular Neighbor Discovery router advertisements pool
Total       Number of prefixes available for allocation to clients from a particular Neighbor Discovery router advertisements pool
In Use      Number of prefixes in a pool that are currently used by Neighbor Discovery clients
Exclude     Prefix length or prefix range excluded
Util        Percentage of prefixes currently allocated to clients from a particular prefix range in the Neighbor Discovery router advertisements pool

Related Documentation
• IPv6 Prefix Allocation Using Neighbor Discovery Router Advertisements from IPv6 Address Pools Overview on page 54
• Monitoring IPv6 Local Pools for Neighbor Discovery Router Advertisements for all Configured Pools on page 161
• Monitoring IPv6 Local Pool Statistics for Neighbor Discovery Router Advertisements Allocation of Prefixes on page 163
• show ipv6 local ndra-pool
Monitoring IPv6 Local Pool Statistics for Neighbor Discovery Router Advertisements Allocation of Prefixes

Purpose
Display IPv6 local address pool statistics used for Neighbor Discovery router advertisements to requesting routers.

Action
To display all IPv6 local address pool statistics for Neighbor Discovery router advertisements to requesting routers:

host1#show ipv6 local ndra-pool statistics
IPv6 Local Address Pool Statistics
----------------------------------
Statistic          Value
-----------------  -----
Allocations        0
Allocation Errors  0
Releases           0
Release Errors     0

Meaning
Table 42 on page 164 lists the show ipv6 local ndra-pool statistics command output fields.

Table 42: show ipv6 local ndra-pool statistics Output Fields

Field Name         Field Description
Allocations        Number of prefixes allocated to Neighbor Discovery router advertisements clients from the local address pool
Allocation Errors  Number of errors encountered during the allocation of prefixes
Releases           Number of prefixes released back to the pool
Release Errors     Number of errors encountered during the process of release of previously assigned prefixes by the requesting router

Related Documentation
• IPv6 Prefix Allocation Using Neighbor Discovery Router Advertisements from IPv6 Address Pools Overview on page 54
• Monitoring IPv6 Local Pools for Neighbor Discovery Router Advertisements for all Configured Pools on page 161
• Monitoring IPv6 Local Pools for Neighbor Discovery Router Advertisements by Pool Name on page 162
• show ipv6 local ndra-pool
Monitoring the Status of the Override Feature to Initiate IPCP and IPv6CP Negotiations Based on RADIUS-Returned Attributes

Purpose
Displays the status of the override feature to initiate IPCP and IPv6CP negotiations for IPv4 and IPv6 clients based on RADIUS-returned attributes.

Action
To display the status of the override feature to initiate IPCP and IPv6CP negotiations for IPv4 and IPv6 clients based on RADIUS-returned attributes:

host1#show aaa radius-override-ncp-negotiation
enabled

Related Documentation
• Overriding AAA to Perform IPCP and IPv6CP Negotiations Based on RADIUS-Returned Attributes on page 101
• show aaa radius-override-ncp-negotiation
PART 2
Managing RADIUS and TACACS+

• Configuring RADIUS Attributes on page 169
• Configuring RADIUS Dynamic-Request Server on page 217
• Configuring RADIUS Relay Server on page 225
• RADIUS Attribute Descriptions on page 231
• Application Terminate Reasons on page 255
• Monitoring RADIUS on page 281
• Configuring TACACS+ on page 295
• Monitoring TACACS+ on page 305
CHAPTER 4
Configuring RADIUS Attributes

This chapter identifies the Remote Authentication Dial-In User Service (RADIUS) attributes that JunosE Software supports and describes the RADIUS attributes you can configure with the command-line interface (CLI). RADIUS attributes are discussed in the following sections:

• RADIUS Overview on page 170
• RADIUS Platform Considerations on page 171
• RADIUS References on page 171
• Subscriber AAA Access Messages Overview on page 172
• RADIUS IETF Attributes Supported for Subscriber AAA Access Messages on page 173
• Juniper Networks VSAs Supported for Subscriber AAA Access Messages on page 176
• Processing DNS Addresses from Microsoft RADIUS VSAs for PPP Clients During IPCP on page 181
• Subscriber AAA Accounting Messages Overview on page 182
• RADIUS IETF Attributes Supported for Subscriber AAA Accounting Messages on page 183
• Juniper Networks VSAs Supported for Subscriber AAA Accounting Messages on page 186
• RADIUS IETF Attributes Supported for AAA Tunnel Accounting Messages on page 190
• AAA Access Messages During IPCP Negotiations for Dual-Stack Subscribers on page 191
• AAA Accounting Messages During IPCP Negotiations for Dual-Stack Subscribers on page 193
• DSL Forum VSAs in AAA Access and Accounting Messages Overview on page 196
• DSL Forum VSAs Supported for AAA Access and Accounting Messages on page 196
• RADIUS Attributes Supported for CLI AAA Messages on page 198
• CLI Commands Used to Modify RADIUS Attributes on page 199
• CLI Commands Used to Configure RADIUS IETF Attributes on page 199
• CLI Commands Used to Configure Juniper Networks VSAs on page 203
• CLI Commands Used to Include ANCP-Related Juniper Networks VSAs in Access and Accounting Messages on page 205
• CLI Commands Used to Include DSL Forum VSAs in Access and Accounting Messages on page 207
• CLI Commands Used to Include or Exclude Attributes in RADIUS Messages on page 208
• CLI Commands Used to Ignore Attributes when Receiving Access-Accept Messages on page 213
• RADIUS Per-Profile Attribute List Configuration Overview on page 213
• Example: Configuring RADIUS-Specific Attributes on page 214
RADIUS Overview

RADIUS is a distributed client/server protocol that protects networks against unauthorized access. RADIUS clients running on a Juniper Networks E Series Broadband Services Router send authentication requests to a central RADIUS server.

You can access the RADIUS server through either a subscriber line or the CLI.

NOTE: For CLI/telnet users only—For CLI security, the router supports the RADIUS Access-Challenge message. The RADIUS server uses this message to send the user a challenge requiring a response. The router then displays the single reply message and attempts to authenticate the user with the new response as the password.

The central RADIUS server stores all the required user authentication and network access information. RADIUS informs the router of the privilege levels for which RADIUS-authenticated users have enable access. The router permits or denies enable access accordingly.

The RADIUS server is configured and managed by a RADIUS administrator. See your RADIUS server documentation for information about configuring and managing a RADIUS server.

The E Series RADIUS client uses the IP address in the router ID as its source address unless you explicitly set an IP address by using the radius update-source-addr command.

To explicitly set the source address, perform the following tasks:
• Configure the RADIUS update-source address.
• Set this address on the RADIUS server if required.

NOTE: For additional RADIUS information about topics such as restricting user access, vty line authentication, or SSH, see the Passwords and Security chapter in JunosE System Basics Configuration Guide.
RADIUS Services

RADIUS provides three distinct services:
• Authentication—Determines whether or not a user is allowed to access a specific service or resource.
• Authorization—Associates connection attributes or characteristics with a specific user.
• Accounting—Tracks service use by subscribers.

RADIUS Attributes

JunosE Software supports the RADIUS attributes and vendor-specific attributes (VSAs) listed in this chapter. These attributes define specific authentication, authorization, and accounting elements in a user’s profile. The profile is stored on the RADIUS server. RADIUS messages contain RADIUS attributes to communicate information between an E Series Broadband Services Router and the RADIUS server.

Note these guidelines about RADIUS attribute numbers:
• The number, such as [1], that appears in brackets before each attribute is the attribute’s standard number.
• Any attribute number beginning with 26, such as [26-1], identifies a vendor-specific attribute.

Related Documentation
• RADIUS Authentication and Accounting Servers Configuration Overview on page 16
• RADIUS Platform Considerations on page 171
• RADIUS IETF Attributes on page 231
RADIUS Platform Considerations

RADIUS is supported on all E Series routers.

For information about the modules supported on E Series routers:
• See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router.
• See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.

Related Documentation
• RADIUS Overview on page 170
RADIUS References

For more information about RADIUS, consult the following resources:
• RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000)
• RFC 2866—RADIUS Accounting (June 2000)
• RFC 2867—RADIUS Accounting Modifications for Tunnel Protocol Support (June 2000)
• RFC 2868—RADIUS Attributes for Tunnel Protocol Support (June 2000)
• RFC 2869—RADIUS Extensions (June 2000)
• RFC 4679—DSL Forum Vendor-Specific RADIUS Attributes (September 2006)
• GSMP extensions for layer2 control (L2C) Topology Discovery and Line Configuration—draft-wadhwa-gsmp-l2control-configuration-00.txt (July 2006 expiration)

Related Documentation
• RADIUS Overview on page 170
• Subscriber AAA Access Messages Overview on page 172
• Subscriber AAA Accounting Messages Overview on page 182
• DSL Forum VSAs in AAA Access and Accounting Messages Overview on page 196
Subscriber AAA Access Messages Overview

Authorization and authentication access messages identify subscribers before the RADIUS server grants or denies them access to the network or network services. When an application requests user authentication, the request must have certain authenticating attributes, such as a user’s name, password, and the particular type of service the user is requesting. This information is sent in the authentication request via the RADIUS protocol to the RADIUS server. In response, the RADIUS server grants or denies the request.

The router supports the following types of authentication and authorization messages:
• Access-Request—Requests client authentication. RADIUS responds to a client authentication request with either an Access-Accept, an Access-Reject, or an Access-Challenge message. An Access-Request message can contain a number of RADIUS attributes.
• Access-Accept—Grants the client’s access request and can provide specific configuration information necessary to begin delivery of service to the user.
• Access-Reject—Sent if any value of the received attributes is not acceptable.
• Access-Challenge—Sent to the client, requesting additional authentication information.
• Change-of-Authorization-Request (CoA-Request)—Dynamically modifies session attributes, such as data filters.
• Disconnect-Request—Immediately terminates a user session.

Related Documentation
• RADIUS IETF Attributes Supported for Subscriber AAA Access Messages on page 173
• Juniper Networks VSAs Supported for Subscriber AAA Access Messages on page 176
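The attribute-number conventions described under RADIUS Attributes ([1] is a standard attribute, [26-1] a vendor-specific one) and the Access-Request message described above come together on the wire as a 20-byte header followed by Type-Length-Value attributes. The following Python is an added example, not part of the JunosE guide or the router software. It builds an Access-Request carrying User-Name [1], User-Password [2] hidden with the shared secret as RFC 2865 specifies, NAS-IP-Address [4] and the Juniper Networks [26-1] Virtual-Router VSA under Vendor-ID 4874; appends the Message-Authenticator [80] attribute from Table 43 (an HMAC-MD5 over the packet, RFC 2869); verifies that attribute on receipt; and parses the packet back into IETF and vendor attributes while rejecting length fields that do not match the data. The shared secret, user name, addresses and virtual router name are constructed test values.

```python
"""Build, sign and parse a RADIUS Access-Request with IETF attributes and a
Juniper Networks (Vendor-ID 4874) VSA. Added example; not from the JunosE guide."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
JUNIPER_VENDOR_ID = 4874


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific [26] attribute in the RFC 2865 recommended sub-format."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(26, struct.pack("!I", vendor_id) + inner)


def build_access_request(ident: int, secret: bytes, user: str, password: str,
                         nas_ip: bytes, vrouter: str) -> bytes:
    authenticator = os.urandom(16)  # Request Authenticator: 16 random octets
    body = b"".join([
        attr(1, user.encode()),                                        # [1] User-Name
        attr(2, hide_password(password.encode(), secret, authenticator)),  # [2] User-Password
        attr(4, nas_ip),                                               # [4] NAS-IP-Address, 4 octets
        vsa(JUNIPER_VENDOR_ID, 1, vrouter.encode()),                   # [26-1] Virtual-Router
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def add_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """Append [80] = HMAC-MD5(secret, packet with a zeroed [80]) to an Access-Request."""
    tmp = packet + attr(80, b"\x00" * 16)
    tmp = tmp[:2] + struct.pack("!H", len(tmp)) + tmp[4:]    # Length must cover [80]
    return tmp[:-16] + hmac.new(secret, tmp, hashlib.md5).digest()


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute [80] over the packet with its value zeroed; constant-time compare."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return False
        if atype == 80 and alen == 18 and pos + 18 <= len(packet):
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator present


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, attrs). attrs maps an IETF attribute
    number, or a (vendor_id, vendor_type) pair for VSAs, to its raw value."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos < len(value):
                if vpos + 2 > len(value):
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                attrs[(vendor, vtype)] = value[vpos + 2:vpos + vlen]
                vpos += vlen
        else:
            attrs[atype] = value
        pos += alen
    return code, ident, data[4:20], attrs


def is_well_formed(data: bytes) -> bool:
    try:
        parse_packet(data)
        return True
    except ValueError:
        return False
```

Two design points: User-Password hiding is an MD5-based obfuscation keyed by the shared secret, not authenticated encryption, so the secret's strength and the transport are what protect it; and a receiver that supports [80] should verify it before acting on the attributes, since the parser alone only checks structure, not origin.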
RADIUS IETF Attributes Supported for Subscriber AAA Access Messages

Table 43 on page 173 lists the RADIUS IETF attributes supported by JunosE Software for Access-Request, Access-Accept, Access-Reject, Access-Challenge, CoA-Request, and Disconnect-Request messages. The following notes are referenced in Table 43 on page 173:
1. Attribute is used by Access-Request messages when terminating a PPP connection at the LNS or the initiating LAC.
2. Attribute is used to support pass-through exchange of EAP messages.
3. Attribute is used by Access-Challenge messages to set the PPP retransmission timeout used for EAP request packets.

Table 43: AAA Access Message RADIUS IETF Attributes Supported

Columns: Req = Access-Request, Acc = Access-Accept, Rej = Access-Reject, Chal = Access-Challenge, CoA = CoA-Request, Disc = Disconnect-Request

Attribute Number  Attribute Name                        Req  Acc  Rej  Chal  CoA  Disc
[1]               User-Name                             ✓    ✓    –    –     ✓    ✓
[2]               User-Password                         ✓    –    –    –     –    –
[3]               CHAP-Password                         ✓    –    –    –     –    –
[4]               NAS-IP-Address                        ✓    –    –    –     –    –
[5]               NAS-Port                              ✓    –    –    –     –    –
[6]               Service-Type                          ✓    ✓    –    –     –    –
[7]               Framed-Protocol                       ✓    ✓    –    –     –    –
[8]               Framed-IP-Address                     ✓    ✓    –    –     ✓    –
[9]               Framed-IP-Netmask                     –    ✓    –    –     –    –
[11]              Filter-Id                             –    ✓    –    –     –    –
[12]              Framed-MTU (See Note 2.)              ✓    ✓    –    –     –    –
[18]              Reply-Message (See Note 2.)           –    ✓    ✓    ✓     –    –
[22]              Framed-Route                          –    ✓    –    –     –    –
[24]              State (See Note 2.)                   –    –    ✓    ✓     –    –
[25]              Class                                 –    ✓    –    –     –    –
[27]              Session-Timeout (See Notes 2 and 3.)  –    ✓    ✓    ✓     –    –
[28]              Idle-Timeout                          –    ✓    –    –     –    –
[30]              Called-Station-Id                     ✓    –    –    –     –    –
[31]              Calling-Station-Id                    ✓    –    –    –     ✓    –
[32]              NAS-Identifier                        ✓    –    –    –     –    –
[33]              Proxy-State                           ✓    –    –    –     –    –
[44]              Acct-Session-Id                       ✓    –    –    –     ✓    ✓
[50]              Acct-Multi-Session-Id                 ✓    –    –    –     –    ✓
[60]              CHAP-Challenge                        ✓    –    –    –     –    –
[61]              NAS-Port-Type                         ✓    –    –    –     –    –
[62]              Port-Limit                            –    ✓    –    –     –    –
[64]              Tunnel-Type (See Note 1.)             ✓    ✓    –    –     –    –
[65]              Tunnel-Medium-Type (See Note 1.)      ✓    ✓    –    –     –    –
[66]              Tunnel-Client-Endpoint (See Note 1.)  ✓    ✓    –    –     –    –
[67]              Tunnel-Server-Endpoint (See Note 1.)  ✓    ✓    –    –     –    –
[68]              Acct-Tunnel-Connection (See Note 1.)  ✓    –    –    –     –    –
[69]              Tunnel-Password                       –    ✓    –    –     –    –
[77]              Connect-Info                          ✓    –    –    –     –    –
[79]              EAP-Message (See Note 2.)             ✓    ✓    ✓    ✓     –    –
[80]              Message-Authenticator (See Note 2.)   ✓    ✓    ✓    ✓     –    –
[82]              Tunnel-Assignment-Id                  –    ✓    –    –     –    –
[83]              Tunnel-Preference                     –    ✓    –    –     –    –
[85]              Acct-Interim-Interval                 –    ✓    –    –     –    –
[87]              NAS-Port-Id                           ✓    –    –    –     ✓    –
[88]              Framed-Pool                           –    ✓    –    –     –    –
[90]              Tunnel-Client-Auth-Id (See Note 1.)   ✓    ✓    –    –     –    –
[91]              Tunnel-Server-Auth-Id (See Note 1.)   ✓    ✓    –    –     –    –
[96]              Framed-Interface-Id                   –    ✓    –    –     –    –
[97]              Framed-Ipv6-Prefix                    –    ✓    –    –     –    –
[99]              Framed-Ipv6-Route                     –    ✓    –    –     –    –
[100]             Framed-IPv6-Pool                      –    ✓    –    –     –    –
[101]             Error-Cause                           –    –    –    –     ✓    ✓
[123]             Delegated-IPv6-Prefix                 –    ✓    –    –     –    –
[135]             Ascend-Primary-Dns                    –    ✓    –    –     –    –
[136]             Ascend-Secondary-Dns                  –    ✓    –    –     –    –
[144]             DS-Lite-Tunnel-Name                   –    ✓    –    –     –    –
[188]             Ascend-Num-In-Multilink               ✓    –    –    –     –    –
[242]             Ascend-Data-Filter                    –    ✓    –    –     –    –

Related Documentation
• Subscriber AAA Access Messages Overview on page 172
• CLI Commands Used to Configure RADIUS IETF Attributes on page 199
• CLI Commands Used to Include or Exclude Attributes in RADIUS Messages on page 208
• CLI Commands Used to Ignore Attributes when Receiving Access-Accept Messages on page 213
• RADIUS IETF Attributes on page 231
Juniper Networks VSAs Supported for Subscriber AAA Access Messages

Table 44 on page 176 lists the Juniper Networks (Vendor ID 4874) VSAs supported for Access-Request, Access-Accept, Access-Reject, CoA-Request, and Disconnect-Request messages.

Table 44: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs Supported

Columns: Req = Access-Request, Acc = Access-Accept, Rej = Access-Reject, CoA = CoA-Request, Disc = Disconnect-Request

Attribute Number  Attribute Name                  Req  Acc  Rej  CoA  Disc
[26-1]            Virtual-Router                  –    ✓    –    ✓    –
[26-2]            Local-Address-Pool              –    ✓    –    –    –
[26-3]            Local-Loopback-Interface        –    ✓    –    –    –
[26-4]            Primary-DNS                     –    ✓    –    –    –
[26-5]            Secondary-DNS                   –    ✓    –    –    –
[26-6]            Primary-WINS (NBNS)             –    ✓    –    –    –
[26-7]            Secondary-WINS (NBNS)           –    ✓    –    –    –
[26-8]            Tunnel-Virtual-Router           –    ✓    –    –    –
[26-9]            Tunnel-Password                 –    ✓    –    –    –
[26-10]           Ingress-Policy-Name             –    ✓    –    –    –
[26-11]           Egress-Policy-Name              –    ✓    –    –    –
[26-12]           Ingress-Statistics              –    ✓    –    –    –
[26-13]           Egress-Statistics               –    ✓    –    –    –
[26-14]           Service-Category                –    ✓    –    –    –
[26-15]           PCR                             –    ✓    –    –    –
[26-16]           SCR                             –    ✓    –    –    –
[26-17]           Mbs                             –    ✓    –    –    –
[26-22]           Sa-Validate                     –    ✓    –    –    –
[26-23]           IGMP-Enable                     –    ✓    –    –    –
[26-24]           Pppoe-Description               ✓    –    –    –    –
[26-25]           Redirect-Vrouter-Name           –    ✓    –    –    –
[26-26]           Qos-Profile-Name                –    ✓    –    –    –
[26-30]           Tunnel-Nas-Port-Method          –    ✓    –    –    –
[26-31]           SSC-Service-Bundle-Name         –    ✓    –    –    –
[26-33]           Tunnel-Max-Sessions             –    ✓    –    –    –
[26-34]           Framed-IP-Route-Tag             –    ✓    –    –    –
[26-44]           Tunnel-Interface-ID             ✓    –    –    –    –
[26-45]           Ipv6-Virtual-Router             –    ✓    –    –    –
[26-46]           Ipv6-Local-Interface            –    ✓    –    –    –
[26-47]           Ipv6-Primary-DNS                –    ✓    –    –    –
[26-48]           Ipv6-Secondary-DNS              –    ✓    –    –    –
[26-52]           RADIUS-Client-Address           ✓    –    –    –    –
[26-53]           Service-Description             ✓    –    –    –    –
[26-54]           L2tp-Recv-Window-Size           –    ✓    –    –    –
[26-55]           DHCP-Options                    ✓    –    –    –    –
[26-56]           DHCP-MAC-Address                ✓    –    –    –    –
[26-57]           DHCP-GI-Address                 ✓    –    –    –    –
[26-58]           LI-Action                       –    ✓    –    ✓    –
[26-59]           Med-Dev-Handle                  –    ✓    –    ✓    –
[26-60]           Med-Ip-Address                  –    ✓    –    ✓    –
[26-61]           Med-Port-Number                 –    ✓    –    ✓    –
[26-62]           MLPPP-Bundle-Name               ✓    –    –    –    –
[26-63]           Interface-Desc                  ✓    –    –    –    –
[26-64]           Tunnel-Group                    –    ✓    –    –    –
[26-65]           Activate-Service                –    ✓    –    ✓    –
[26-66]           Deactivate-Service              –    ✓    –    ✓    –
[26-67]           Service-Volume                  –    ✓    –    ✓    –
[26-68]           Service-Timeout                 –    ✓    –    ✓    –
[26-69]           Service-Statistics              –    ✓    –    ✓    –
[26-70]           Ignore-DF-Bit                   –    ✓    –    –    –
[26-71]           IGMP-Access-Name                –    ✓    –    –    –
[26-72]           IGMP-Access-Src-Name            –    ✓    –    –    –
[26-73]           IGMP-OIF-Map-Name               –    ✓    –    –    –
[26-74]           MLD-Access-Name                 –    ✓    –    –    –
[26-75]           MLD-Access-Src-Name             –    ✓    –    –    –
[26-76]           MLD-OIF-Map-Name                –    ✓    –    –    –
[26-77]           MLD-Version                     –    ✓    –    –    –
[26-78]           IGMP-Version                    –    ✓    –    –    –
[26-79]           IP-Mcast-Adm-Bw-Limit           –    ✓    –    –    –
[26-80]           IPv6-Mcast-Adm-Bw-Limit         –    ✓    –    –    –
[26-81]           L2c-Information                 ✓    –    –    –    –
[26-82]           QoS-Parameters                  –    ✓    –    –    –
[26-84]           Mobile-IP-Algorithm             –    ✓    –    –    –
[26-85]           Mobile-IP-SPI                   –    ✓    –    –    –
[26-86]           Mobile-IP-Key                   –    ✓    –    –    –
[26-87]           Mobile-IP-Replay                –    ✓    –    –    –
[26-88]           Mobile-IP-Access-Control-List   –    ✓    –    –    –
[26-89]           Mobile-IP-Lifetime              –    ✓    –    –    –
[26-90]           L2TP-Resynch-Method             –    ✓    –    –    –
[26-91]           Tunnel-Switch-Profile           –    ✓    –    –    –
[26-92]           L2C-Up-Stream-Data              ✓    –    –    –    –
[26-93]           L2C-Down-Stream-Data            ✓    –    –    –    –
[26-94]           Tunnel-Tx-Speed-Method          –    ✓    –    –    –
[26-95]           IGMP-Query-Interval             –    ✓    –    –    –
[26-96]           IGMP-Max-Resp-Time              –    ✓    –    –    –
[26-97]           IGMP-Immediate-Leave            –    ✓    –    –    –
[26-98]           MLD-Query-Interval              –    ✓    –    –    –
[26-99]           MLD-Max-Resp-Time               –    ✓    –    –    –
[26-100]          MLD-Immediate-Leave             –    ✓    –    –    –
[26-106]          Ipv6-Ingress-Policy-Name        –    ✓    –    –    –
[26-107]          Ipv6-Egress-Policy-Name         –    ✓    –    –    –
[26-110]          Acc-Loop-Cir-Id                 ✓    –    –    –    –
[26-111]          Acc-Aggr-Cir-Id-Bin             ✓    –    –    –    –
[26-112]          Acc-Aggr-Cir-Id-Asc             ✓    –    –    –    –
[26-113]          Act-Data-Rate-Up                ✓    –    –    –    –
[26-114]          Act-Data-Rate-Dn                ✓    –    –    –    –
[26-115]          Min-Data-Rate-Up                ✓    –    –    –    –
[26-116]          Min-Data-Rate-Dn                ✓    –    –    –    –
[26-117]          Att-Data-Rate-Up                ✓    –    –    –    –
[26-118]          Att-Data-Rate-Dn                ✓    –    –    –    –
[26-119]          Max-Data-Rate-Up                ✓    –    –    –    –
[26-120]          Max-Data-Rate-Dn                ✓    –    –    –    –
[26-121]          Min-LP-Data-Rate-Up             ✓    –    –    –    –
[26-122]          Min-LP-Data-Rate-Dn             ✓    –    –    –    –
[26-123]          Max-Interlv-Delay-Up            ✓    –    –    –    –
[26-124]          Act-Interlv-Delay-Up            ✓    –    –    –    –
[26-125]          Max-Interlv-Delay-Dn            ✓    –    –    –    –
[26-126]          Act-Interlv-Delay-Dn            ✓    –    –    –    –
[26-127]          DSL-Line-State                  ✓    –    –    –    –
[26-128]          DSL-Type                        ✓    –    –    –    –
[26-129]          Ipv6-NdRa-Prefix                –    ✓    –    –    –
[26-130]          QoS-Interfaceset-Name           –    ✓    –    –    –
[26-140]          Service-Interim-Acct-Interval   –    ✓    –    ✓    –
[26-141]          Downstream-Calculated-QosRate   ✓    ✓    –    ✓    –
[26-142]          Upstream-Calculated-Qos-Rate    ✓    ✓    –    ✓    –
[26-143]          Max-Clients-Per-Interface       –    ✓    –    –    –
[26-144]          PPP-Monitor-Ingress-Only        –    ✓    –    –    –
[26-147]          Backup-Address-Pool             –    ✓    –    –    –
[26-150]          ICR-Partition-Id                ✓    –    –    –    –
[26-157]          Ipv6-Ndra-Pool                  –    ✓    –    –    –
[26-159]          DHCP-Option 82                  ✓    –    –    ✓    –
[26-161]          Delegated-Ipv6-Pool             –    ✓    –    –    –
[26-164]          Ipv4-release-control            ✓    –    –    –    –
[26-165]          PCP-Server-Name                 –    ✓    –    –    –

Related Documentation
• Subscriber AAA Access Messages Overview on page 172
• CLI Commands Used to Configure Juniper Networks VSAs on page 203
• CLI Commands Used to Include ANCP-Related Juniper Networks VSAs in Access and Accounting Messages on page 205
• CLI Commands Used to Include or Exclude Attributes in RADIUS Messages on page 208
• CLI Commands Used to Ignore Attributes when Receiving Access-Accept Messages on page 213
• Juniper Networks VSAs on page 238
Processing DNS Addresses from Microsoft RADIUS VSAs for PPP Clients During IPCP

The RADIUS client, which is a B-RAS router, supports the processing and parsing of Microsoft RADIUS VSAs for the primary and secondary DNS addresses that are returned in Access-Accept messages from the RADIUS server in an environment that contains PPP clients. The AAA application running on the router, which is the RADIUS client, transmits the DNS addresses to the PPP application in the authentication response message. PPP includes these DNS addresses in the Internet Protocol Control Protocol (IPCP) packets that are negotiated between the PPP client and the router.

The RADIUS client services the Microsoft vendor ID, 311, and does not discard the DNS server addresses that the Microsoft VSAs contain in the Access-Accept messages.

The PPP application uses Link Control Protocol (LCP) negotiations to establish the connection with the subscriber, and then sends Network Control Protocol (NCP) packets to establish and configure the session with the client. After a link has been established and optional facilities have been negotiated as needed by LCP between the customer premises equipment (CPE) and the provider edge (PE) device, PPP running on the PE device or the B-RAS server sends NCP packets. When the CPE sends an IPCP negotiation, it negotiates IPv4 addresses, IPv6 addresses, or both.

After the PE device or the router receives an IPCP configuration request from the CPE, which starts the IPCP negotiation process, the B-RAS application running on the router requests a new IPv4 address from the RADIUS server. After successful authentication, the RADIUS server sends the Access-Accept message with all of the supported attributes for all established sessions.

If the Access-Accept message contains the MS-Primary-DNS-Server [311-28] and MS-Secondary-DNS-Server [311-29] RADIUS VSA attributes, which denote the primary and secondary DNS server addresses that PPP clients can request from the B-RAS server during IPCP negotiations, the RADIUS client or the B-RAS server sends the values of the VSAs to the CPE in the IPCP packet that is negotiated.

During IPCPv4 negotiations, if the Access-Accept message contains both the Juniper Networks DNS VSAs (Primary-DNS [26-4] and Secondary-DNS [26-5]) and the Microsoft DNS VSAs (MS-Primary-DNS-Server [311-28] and MS-Secondary-DNS-Server [311-29]), the Juniper Networks VSAs take precedence over the Microsoft VSAs.

During IPCPv6 negotiations, if the Access-Accept message contains both the Juniper Networks DNS VSAs (Ipv6-Primary-DNS [26-47] and Ipv6-Secondary-DNS [26-48]) and the Microsoft DNS VSAs (MS-Primary-DNS-Server [311-28] and MS-Secondary-DNS-Server [311-29]), the Juniper Networks VSAs take precedence over the Microsoft VSAs.

With the capability to validate the Microsoft VSAs for primary and secondary DNS addresses enabled, the order of precedence of the RADIUS attributes in the Access-Accept messages to be used for IPCP negotiations is as follows:
1. Juniper Networks VSAs
2. RADIUS IETF attributes
3. Microsoft VSAs

Related Documentation
• Processing NCP Negotiations in a Dual-Stack Environment Overview
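The precedence rule above decides which DNS addresses the router hands to the PPP client when an Access-Accept carries more than one source. The following Python is an added example, not part of the JunosE guide or the router software, that applies that rule to an already-decoded attribute list. Two points are assumptions of the example rather than statements of the guide: the IETF tier for IPv4 is taken to be Ascend-Primary-Dns [135] and Ascend-Secondary-Dns [136] from Table 43, since the guide names no IETF DNS attribute and lists none for IPv6; and primary and secondary are resolved independently, each from the highest-precedence source that carries a well-formed address, so a malformed value never reaches IPCP. The attribute lists are constructed test data.

```python
"""Select PPP client DNS servers from Access-Accept attributes by precedence:
Juniper Networks VSAs, then RADIUS IETF attributes, then Microsoft VSAs.
Added example; not from the JunosE guide."""
import ipaddress
from typing import Dict, List, Optional, Tuple

JUNIPER, MICROSOFT = 4874, 311

# (tier, primary key, secondary key), highest precedence first. A key is an IETF
# attribute number or a (vendor_id, vendor_type) pair.
PRECEDENCE = {
    "ipv4": [
        ("juniper", (JUNIPER, 4), (JUNIPER, 5)),          # Primary-DNS [26-4], Secondary-DNS [26-5]
        ("ietf", 135, 136),                               # assumed: Ascend-Primary/Secondary-Dns
        ("microsoft", (MICROSOFT, 28), (MICROSOFT, 29)),  # MS-Primary/Secondary-DNS-Server
    ],
    "ipv6": [
        ("juniper", (JUNIPER, 47), (JUNIPER, 48)),        # Ipv6-Primary-DNS, Ipv6-Secondary-DNS
        ("ietf", None, None),                             # no IETF DNS attribute listed for IPv6
        ("microsoft", (MICROSOFT, 28), (MICROSOFT, 29)),  # guide: also consulted in IPCPv6
    ],
}


def _valid(value: str) -> bool:
    """Accept only well-formed IP literals (an assumption of this example)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def select_dns(attrs: List[Tuple[object, str]], family: str) -> Dict[str, Optional[str]]:
    """Return the primary and secondary address to hand to IPCP, and which tier
    each came from (None where no tier supplied a valid address)."""
    present: Dict[object, str] = {}
    for key, value in attrs:
        present.setdefault(key, value)     # first occurrence of a repeated attribute wins
    chosen: Dict[str, Optional[str]] = {"primary": None, "primary_source": None,
                                        "secondary": None, "secondary_source": None}
    for tier, pkey, skey in PRECEDENCE[family]:
        for slot, key in (("primary", pkey), ("secondary", skey)):
            if chosen[slot] is None and key in present and _valid(present[key]):
                chosen[slot] = present[key]
                chosen[slot + "_source"] = tier
    return chosen


# Constructed, already-decoded Access-Accept contents (not taken from the guide).
ACCEPT_JUNIPER_AND_MS = [
    (1, "alice@example.net"),            # [1] User-Name, irrelevant to DNS selection
    ((JUNIPER, 4), "192.0.2.53"),        # Primary-DNS [26-4]
    ((MICROSOFT, 28), "198.51.100.53"),  # MS-Primary-DNS-Server, overridden by [26-4]
    ((MICROSOFT, 29), "198.51.100.54"),  # MS-Secondary-DNS-Server, used: no higher tier has one
]
ACCEPT_IETF_BEATS_MS = [
    (136, "203.0.113.53"),               # Ascend-Secondary-Dns [136]
    ((MICROSOFT, 28), "not-an-address"), # malformed value, skipped
    ((MICROSOFT, 29), "198.51.100.54"),  # outranked by [136]
]
ACCEPT_V6 = [
    ((JUNIPER, 47), "2001:db8::53"),     # Ipv6-Primary-DNS [26-47]
    ((MICROSOFT, 29), "198.51.100.54"),
]
```

Keeping the tiers in a table rather than in nested conditionals makes the precedence auditable at a glance and is the natural place to record the [135]/[136] assumption if the deployment's IETF tier turns out to differ.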
Subscriber AAA Accounting Messages Overview

Accounting messages identify service provisions and use on a per-user or per-tunnel basis. These messages keep track of when a particular service is initiated and terminated for a specific user.

JunosE Software supports the Acct-On message on startup or configuration of the first accounting server. Acct-Off messages are supported when the last RADIUS accounting server in a virtual router is removed, when the router is shut down, and when a virtual router that has configured RADIUS accounting servers is deleted.

Beginning with JunosE Release 11.0.0, you can configure the router to send the Partition-Accounting-On and Partition-Accounting-Off messages to the RADIUS server whenever an ICR partition toggles between the backup and master states.

The router supports the following types of accounting messages:
• Acct-Start
• Acct-Stop
• Interim-Acct
• Acct-On
• Acct-Off
• Partition-Accounting-On
• Partition-Accounting-Off

Related Documentation
• RADIUS IETF Attributes Supported for Subscriber AAA Accounting Messages on page 183
• Juniper Networks VSAs Supported for Subscriber AAA Accounting Messages on page 186
RADIUS IETF Attributes Supported for Subscriber AAA Accounting Messages
Table 45 on page 184 lists the RADIUS IETF attributes supported for Acct-Start, Acct-Stop,
Interim-Acct, Acct-On, and Acct-Off messages.
The following notes are referred to in Table 45 on page 184:
1. The attribute is used when terminating a PPP connection at the LNS or the initiating
LAC.
2. For this attribute to be included, an IP address must be assigned to the subscriber.
3. The attribute is not included in Acct-Stop messages that are sent when a user session
does not get established in one of the following situations:
• The aaa accounting acct-stop on-access-deny command is enabled and the
authentication server sends an Access-Reject (deny) message.
• The aaa accounting acct-stop on-aaa-failure command is enabled and the
authentication server issues an Access-Accept message (grant), but the AAA
configuration denies access for the user. The aaa accounting acct-stop
on-aaa-failure command is enabled by default.
• The aaa accounting acct-stop on-aaa-failure command is enabled and the user
terminates before AAA receives the authentication response from the authentication
server.
4. For this attribute to be included, an IPv6 interface ID must be assigned to the subscriber.
5. For this attribute to be included, at least one IPv6 prefix must be assigned to the
subscriber.
JunosE 13.3.x Broadband Access Configuration Guide
Table 45: AAA Accounting Message RADIUS IETF Attributes Supported
Attribute Number | Attribute Name | Acct-Start | Acct-Stop | Interim-Acct | Acct-On | Acct-Off
[1] | User-Name | ✓ | ✓ | ✓ | – | –
[4] | NAS-IP-Address | ✓ | ✓ | ✓ | ✓ | ✓
[5] | NAS-Port | ✓ | ✓ | ✓ | – | –
[6] | Service-Type | ✓ | ✓ | ✓ | – | –
[7] | Framed-Protocol (See Note 3.) | ✓ | ✓ | ✓ | – | –
[8] | Framed-IP-Address (See Note 2.) | ✓ | ✓ | ✓ | – | –
[9] | Framed-IP-Netmask | ✓ | ✓ | ✓ | – | –
[13] | Framed-Compression (See Note 3.) | ✓ | ✓ | ✓ | – | –
[22] | Framed-Route | ✓ | ✓ | ✓ | – | –
[25] | Class | ✓ | ✓ | ✓ | – | –
[30] | Called-Station-Id | ✓ | ✓ | ✓ | – | –
[31] | Calling-Station-Id | ✓ | ✓ | ✓ | – | –
[32] | NAS-Identifier | ✓ | ✓ | ✓ | ✓ | ✓
[40] | Acct-Status-Type | ✓ | ✓ | ✓ | ✓ | ✓
[41] | Acct-Delay-Time | ✓ | ✓ | ✓ | ✓ | ✓
[42] | Acct-Input-Octets | – | ✓ | ✓ | – | –
[43] | Acct-Output-Octets | – | ✓ | ✓ | – | –
[44] | Acct-Session-Id | ✓ | ✓ | ✓ | ✓ | ✓
[45] | Acct-Authentic | ✓ | ✓ | ✓ | ✓ | ✓
[46] | Acct-Session-Time | – | ✓ | ✓ | – | –
[47] | Acct-Input-Packets | – | ✓ | ✓ | – | –
[48] | Acct-Output-Packets | – | ✓ | ✓ | – | –
[49] | Acct-Terminate-Cause | – | ✓ | – | – | ✓
[50] | Acct-Multi-Session-Id (See Note 3.) | ✓ | ✓ | ✓ | – | –
[51] | Acct-Link-Count (See Note 3.) | ✓ | ✓ | ✓ | – | –
[52] | Acct-Input-Gigawords | – | ✓ | ✓ | – | –
[53] | Acct-Output-Gigawords | – | ✓ | ✓ | – | –
[55] | Event-Timestamp | ✓ | ✓ | ✓ | ✓ | ✓
[61] | NAS-Port-Type | ✓ | ✓ | ✓ | – | –
[64] | Tunnel-Type (See Note 1.) | ✓ | ✓ | ✓ | – | –
[65] | Tunnel-Medium-Type (See Note 1.) | ✓ | ✓ | ✓ | – | –
[66] | Tunnel-Client-Endpoint (See Note 1.) | ✓ | ✓ | ✓ | – | –
[67] | Tunnel-Server-Endpoint (See Note 1.) | ✓ | ✓ | ✓ | – | –
[68] | Acct-Tunnel-Connection (See Note 1.) | ✓ | ✓ | ✓ | – | –
[77] | Connect-Info | ✓ | ✓ | ✓ | – | –
[82] | Tunnel-Assignment-Id (LAC only) (See Note 1.) | ✓ | ✓ | ✓ | – | –
[83] | Tunnel-Preference (LAC only) | ✓ | ✓ | ✓ | – | –
[87] | NAS-Port-Id | ✓ | ✓ | ✓ | – | –
[90] | Tunnel-Client-Auth-Id (See Note 1.) | ✓ | ✓ | ✓ | – | –
[91] | Tunnel-Server-Auth-Id (See Note 1.) | ✓ | ✓ | ✓ | – | –
[96] | Framed-Interface-Id (See Note 1.) | ✓ | ✓ | ✓ | – | –
[97] | Framed-Ipv6-Prefix (See Note 5.) | ✓ | ✓ | ✓ | – | –
[99] | Framed-IPv6-Route | ✓ | ✓ | ✓ | – | –
[100] | Framed-IPv6-Pool | ✓ | ✓ | ✓ | – | –
[123] | Delegated-Ipv6-Prefix | ✓ | ✓ | ✓ | – | –
[144] | DS-Lite-Tunnel-Name | ✓ | ✓ | ✓ | – | –
[188] | Ascend-Num-In-Multilink (See Note 3.) | ✓ | ✓ | ✓ | – | –
Related Documentation
• Subscriber AAA Accounting Messages Overview on page 182
• CLI Commands Used to Configure RADIUS IETF Attributes on page 199
• CLI Commands Used to Include or Exclude Attributes in RADIUS Messages on page 208
• RADIUS IETF Attributes on page 231
Juniper Networks VSAs Supported for Subscriber AAA Accounting Messages
Table 46 on page 187 lists the Juniper Networks (Vendor ID 4874) VSAs supported for
Acct-Start, Acct-Stop, Interim-Acct, Acct-On, Acct-Off, Partition-Accounting-On, and
Partition-Accounting-Off messages.
The following notes are referred to in Table 46 on page 187:
1. The attribute is not included in Acct-Stop messages that are sent when a user session
does not get established in one of the following situations:
• The aaa accounting acct-stop on-access-deny command is enabled and the
authentication server sends an Access-Reject (deny) message.
• The aaa accounting acct-stop on-aaa-failure command is enabled and the
authentication server issues an Access-Accept message (grant), but the AAA
configuration denies access for the user. The aaa accounting acct-stop
on-aaa-failure command is enabled by default.
• The aaa accounting acct-stop on-aaa-failure command is enabled and the user
terminates before AAA receives the authentication response from the authentication
server.
2. ERX routers send IPv6 accounting attributes in the Acct-Stop and Interim-Acct
messages (stop, interim) when they are configured to return these attributes and
when the subscriber is either an IPv6 subscriber or a combined IPv4/IPv6 subscriber
in a dual stack. For an IPv4 subscriber, IPv6 accounting attributes are not included in
the accounting messages even if IPv6 accounting is enabled.
In JunosE Release 10.1.x and lower-numbered releases, the combined accounting
statistics were retrieved at Layer 2, so packets in error or discarded at Layer 2 itself
were excluded from these statistics. Because Layer 2 cannot detect packets in error or
discarded at Layer 3, the combined statistics do include the Layer 3 error or discarded
packets. In this release, with the support for RADIUS VSAs for IPv6 accounting, the IPv6
statistics are retrieved at Layer 3. To be consistent with the combined statistics, the
Layer 3 error or discarded packets are also included in these IPv6 statistics.
3. The ICR partition accounting messages comprise the following:
• Partition-Accounting-On—Sent to the RADIUS server whenever an ICR partition
changes to the master state from the backup state. The Partition-Accounting-On
message has the same Acct-Status-Type attribute value as the Accounting-On
message, but also contains the ICR-Partition-Id VSA, which specifies the ICR partition
to which this message corresponds.
• Partition-Accounting-Off—Sent to the RADIUS server when the partition changes
from the master state to the backup state. However, in the event of a complete
chassis failure, the Partition-Accounting-Off message is not sent. The
Partition-Accounting-Off message has the same Acct-Status-Type attribute value
as the Accounting-Off message and contains the ICR-Partition-Id VSA to denote
the ICR partition with which the message is associated.
For more information about how to configure and use ICR partitions, see the Managing
Interchassis Redundancy chapter in the JunosE Services Availability Configuration Guide.
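The notes above matter to whoever receives these messages: a collector that keys only on Acct-Status-Type will file a Partition-Accounting-On as an ordinary Accounting-On and miss the partition failover, and one that reads only Acct-Input-Octets [42] undercounts any session that moved more than 4 GB. The block below is an added example (not JunosE software or any Juniper code) that encodes and decodes RADIUS attributes in the RFC 2865/2866 wire format, keeps Vendor-Specific [26] attributes separated by vendor ID so the Juniper Networks VSAs (vendor ID 4874) are not confused with another vendor's, classifies a message as Partition-Accounting-On/Off by the presence of ICR-Partition-Id [26-150], and combines the octet counter with its Gigawords attribute [52]/[53] into a 64-bit count. The Acct-Status-Type numbers are the RFC 2866 values; the partition name, NAS address, byte counts and the DSL Forum (vendor ID 3561) circuit ID in the sample packets are constructed for the demo, and rejecting malformed attribute lengths is the parser's own hardening rather than something the guide describes.

```python
"""Decode RADIUS accounting attributes and name the accounting message.

Added example, not JunosE code. Wire formats follow RFC 2865/2866: each
attribute is Type, Length, Value; Vendor-Specific [26] carries a 4-byte
Vendor-Id followed by Vendor-Type, Vendor-Length and the vendor value.
"""
import struct
from typing import Dict, List, Optional, Tuple

VENDOR_SPECIFIC = 26
JUNIPER_VENDOR_ID = 4874       # Juniper Networks VSAs ([26-N] in Table 46)
DSL_FORUM_VENDOR_ID = 3561     # DSL Forum VSAs (Table 48), decoded by the same code
NAS_IP_ADDRESS = 4
ACCT_STATUS_TYPE = 40
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 42, 43
ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS = 52, 53
ICR_PARTITION_ID = 150         # Juniper VSA [26-150]

# Acct-Status-Type values (RFC 2866), named as this chapter names the messages.
STATUS_NAMES = {1: "Acct-Start", 2: "Acct-Stop", 3: "Interim-Acct",
                7: "Acct-On", 8: "Acct-Off"}

# Attribute key: (type, vendor id, vendor type); vendor fields are 0 for IETF attributes.
Key = Tuple[int, int, int]


def encode_attr(atype: int, value: bytes) -> bytes:
    """Type/Length/Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific [26] in the RFC 2865 recommended sub-attribute layout."""
    sub = struct.pack("!BB", vtype, len(value) + 2) + value
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attrs(data: bytes) -> Dict[Key, List[bytes]]:
    """Parse an attribute list; a bad length raises instead of being misread."""
    attrs: Dict[Key, List[bytes]] = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC:
            attrs.setdefault((atype, 0, 0), []).append(value)
            continue
        if len(value) < 6:
            raise ValueError("vendor-specific attribute too short")
        vendor_id = struct.unpack("!I", value[:4])[0]
        vpos = 4
        while vpos < len(value):        # one [26] may carry several sub-attributes
            if vpos + 2 > len(value):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError(f"bad vendor length {vlen} for [26-{vtype}]")
            key = (VENDOR_SPECIFIC, vendor_id, vtype)
            attrs.setdefault(key, []).append(value[vpos + 2:vpos + vlen])
            vpos += vlen
    return attrs


def _u32(attrs: Dict[Key, List[bytes]], key: Key) -> Optional[int]:
    vals = attrs.get(key)
    return struct.unpack("!I", vals[0])[0] if vals else None


def classify(attrs: Dict[Key, List[bytes]]) -> str:
    """Partition-Accounting-On/Off share Acct-Status-Type with Acct-On/Off and
    differ only by carrying ICR-Partition-Id, so the VSA decides the name."""
    status = _u32(attrs, (ACCT_STATUS_TYPE, 0, 0))
    if status is None:
        raise ValueError("Acct-Status-Type missing")
    name = STATUS_NAMES.get(status, f"unknown({status})")
    partition = (VENDOR_SPECIFIC, JUNIPER_VENDOR_ID, ICR_PARTITION_ID) in attrs
    if partition and name in ("Acct-On", "Acct-Off"):
        return "Partition-Accounting-" + name[5:]
    return name


def octets(attrs: Dict[Key, List[bytes]], direction: str) -> Optional[int]:
    """64-bit byte count: Gigawords (RFC 2869) * 2**32 + the 32-bit octet counter."""
    low_t, high_t = {"in": (ACCT_INPUT_OCTETS, ACCT_INPUT_GIGAWORDS),
                     "out": (ACCT_OUTPUT_OCTETS, ACCT_OUTPUT_GIGAWORDS)}[direction]
    low = _u32(attrs, (low_t, 0, 0))
    if low is None:
        return None
    return ((_u32(attrs, (high_t, 0, 0)) or 0) << 32) | low


# Constructed sample attribute lists (not captured from a router).
SAMPLE_PARTITION_ON = (
    encode_attr(ACCT_STATUS_TYPE, struct.pack("!I", 7))
    + encode_attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))
    + encode_vsa(JUNIPER_VENDOR_ID, ICR_PARTITION_ID, b"partition-1")
)
SAMPLE_STOP = (
    encode_attr(ACCT_STATUS_TYPE, struct.pack("!I", 2))
    + encode_attr(ACCT_INPUT_OCTETS, struct.pack("!I", 1000))
    + encode_attr(ACCT_INPUT_GIGAWORDS, struct.pack("!I", 2))
    + encode_attr(ACCT_OUTPUT_OCTETS, struct.pack("!I", 500))
    + encode_vsa(DSL_FORUM_VENDOR_ID, 1, b"dslam-a eth 1/2")   # Agent-Circuit-Id, constructed
)

if __name__ == "__main__":
    for label, pkt in (("partition-on", SAMPLE_PARTITION_ON), ("stop", SAMPLE_STOP)):
        a = parse_attrs(pkt)
        print(label, classify(a), octets(a, "in"), octets(a, "out"))
```

Keying the parsed attributes by (type, vendor ID, vendor type) is what lets the collector treat [26-150] from vendor 4874 and [26-1] from vendor 3561 as different attributes even though both arrive inside the same RADIUS type 26; a parser that drops the vendor ID is easy to confuse with a VSA whose vendor type happens to collide.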
Table 46: AAA Accounting Message Juniper Networks (Vendor ID 4874) VSAs Supported
Attribute Number | Attribute Name | Acct-Start | Acct-Stop | Interim-Acct | Acct-On | Acct-Off | Partition-Accounting-On | Partition-Accounting-Off
[26-10] | Ingress-Policy-Name | ✓ | ✓ | ✓ | – | – | – | –
[26-11] | Egress-Policy-Name | ✓ | ✓ | ✓ | – | – | – | –
[26-24] | Pppoe-Description (See Note 1.) | ✓ | ✓ | ✓ | – | – | – | –
[26-26] | QoS-Profile-Name | ✓ | ✓ | ✓ | – | – | – | –
[26-42] | Acct-Input-Gigapackets | – | ✓ | ✓ | – | – | – | –
[26-43] | Acct-Output-Gigapackets | – | ✓ | ✓ | – | – | – | –
[26-44] | Tunnel-Interface-Id | ✓ | ✓ | ✓ | – | – | – | –
[26-45] | Ipv6-Virtual-Router | ✓ | ✓ | ✓ | – | – | – | –
[26-46] | Ipv6-Local-Interface | ✓ | ✓ | ✓ | – | – | – | –
[26-47] | Ipv6-Primary-DNS | ✓ | ✓ | ✓ | – | – | – | –
[26-48] | Ipv6-Secondary-DNS | ✓ | ✓ | ✓ | – | – | – | –
[26-51] | Disconnect-Cause | – | ✓ | – | – | – | – | –
[26-53] | Service-Description | ✓ | ✓ | ✓ | – | – | – | –
[26-55] | DHCP-Options (See Note 1.) | ✓ | ✓ | ✓ | – | – | – | –
[26-56] | DHCP-MAC-Address (See Note 1.) | ✓ | ✓ | ✓ | – | – | – | –
[26-57] | DHCP-GI-Address (See Note 1.) | ✓ | ✓ | ✓ | – | – | – | –
[26-62] | MLPPP-Bundle-Name | ✓ | ✓ | ✓ | – | – | – | –
[26-63] | Interface-Description | ✓ | ✓ | ✓ | – | – | – | –
[26-92] | L2C-Up-Stream-Data | ✓ | ✓ | ✓ | – | – | – | –
[26-93] | L2C-Down-Stream-Data | ✓ | ✓ | ✓ | – | – | – | –
[26-106] | Ipv6-Ingress-Policy-Name | ✓ | ✓ | ✓ | – | – | – | –
[26-107] | Ipv6-Egress-Policy-Name | ✓ | ✓ | ✓ | – | – | – | –
[26-110] | Acc-Loop-Cir-Id | ✓ | ✓ | ✓ | – | – | – | –
[26-111] | Acc-Aggr-Cir-Id-Bin | ✓ | ✓ | ✓ | – | – | – | –
[26-112] | Acc-Aggr-Cir-Id-Asc | ✓ | ✓ | ✓ | – | – | – | –
[26-113] | Act-Data-Rate-Up | ✓ | ✓ | ✓ | – | – | – | –
[26-114] | Act-Data-Rate-Dn | ✓ | ✓ | ✓ | – | – | – | –
[26-115] | Min-Data-Rate-Up | ✓ | ✓ | ✓ | – | – | – | –
[26-116] | Min-Data-Rate-Dn | ✓ | ✓ | ✓ | – | – | – | –
[26-117] | Att-Data-Rate-Up | ✓ | ✓ | ✓ | – | – | – | –
[26-118] | Att-Data-Rate-Dn | ✓ | ✓ | ✓ | – | – | – | –
[26-119] | Max-Data-Rate-Up | ✓ | ✓ | ✓ | – | – | – | –
[26-120] | Max-Data-Rate-Dn | ✓ | ✓ | ✓ | – | – | – | –
[26-121] | Min-LP-Data-Rate-Up | ✓ | ✓ | ✓ | – | – | – | –
[26-122] | Min-LP-Data-Rate-Dn | ✓ | ✓ | ✓ | – | – | – | –
[26-123] | Max-Interlv-Delay-Up | ✓ | ✓ | ✓ | – | – | – | –
[26-124] | Act-Interlv-Delay-Up | ✓ | ✓ | ✓ | – | – | – | –
[26-125] | Max-Interlv-Delay-Dn | ✓ | ✓ | ✓ | – | – | – | –
[26-126] | Act-Interlv-Delay-Dn | ✓ | ✓ | ✓ | – | – | – | –
[26-127] | DSL-Line-State | ✓ | ✓ | ✓ | – | – | – | –
[26-128] | DSL-Type | ✓ | ✓ | ✓ | – | – | – | –
[26-129] | Ipv6-NdRa-Prefix | ✓ | ✓ | ✓ | – | – | – | –
[26-150] | ICR-Partition-Id (See Note 3.) | ✓ | ✓ | ✓ | – | – | ✓ | ✓
[26-151] | Ipv6-Acct-Input-Octets (See Note 2.) | – | ✓ | ✓ | – | – | – | –
[26-152] | Ipv6-Acct-Output-Octets (See Note 2.) | – | ✓ | ✓ | – | – | – | –
[26-153] | Ipv6-Acct-Input-Packets (See Note 2.) | – | ✓ | ✓ | – | – | – | –
[26-154] | Ipv6-Acct-Output-Packets (See Note 2.) | – | ✓ | ✓ | – | – | – | –
[26-155] | Ipv6-Acct-Input-Gigawords (See Note 2.) | – | ✓ | ✓ | – | – | – | –
[26-156] | Ipv6-Acct-Output-Gigawords (See Note 2.) | – | ✓ | ✓ | – | – | – | –
[26-159] | DHCP-Option 82 (See Note 1.) | ✓ | ✓ | ✓ | – | – | – | –
[26-164] | Ipv4-release-control | – | – | ✓ | – | – | – | –
[26-165] | PCP-Server-Name | ✓ | ✓ | ✓ | – | – | – | –
Related Documentation
• Subscriber AAA Accounting Messages Overview on page 182
• CLI Commands Used to Configure Juniper Networks VSAs on page 203
• CLI Commands Used to Include ANCP-Related Juniper Networks VSAs in Access and
Accounting Messages on page 205
• CLI Commands Used to Include or Exclude Attributes in RADIUS Messages on page 208
• Juniper Networks VSAs on page 238
RADIUS IETF Attributes Supported for AAA Tunnel Accounting Messages
Table 47 on page 190 lists RADIUS attributes supported by the following tunnel-related
accounting messages:
• Acct-Tunnel-Start
• Acct-Tunnel-Stop
• Acct-Tunnel-Reject
• Acct-Tunnel-Link-Start
• Acct-Tunnel-Link-Stop
• Acct-Tunnel-Link-Reject
Table 47: AAA Accounting Tunnel Message RADIUS Attributes Supported
Attribute Number | Attribute Name | Acct-Tunnel-Start | Acct-Tunnel-Stop | Acct-Tunnel-Reject | Acct-Tunnel-Link-Start | Acct-Tunnel-Link-Stop | Acct-Tunnel-Link-Reject
[1] | User-Name | – | – | – | ✓ | ✓ | –
[4] | NAS-IP-Address | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[26-51] | Disconnect-Cause | – | – | – | – | ✓ | –
[32] | NAS-Identifier | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[40] | Acct-Status-Type | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[41] | Acct-Delay-Time | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[44] | Acct-Session-Id | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[46] | Acct-Session-Time | – | ✓ | – | – | ✓ | –
[49] | Acct-Terminate-Cause | – | ✓ | ✓ | – | ✓ | ✓
[55] | Event-Timestamp | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[64] | Tunnel-Type | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[65] | Tunnel-Medium-Type | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[66] | Tunnel-Client-Endpoint | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[67] | Tunnel-Server-Endpoint | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[68] | Acct-Tunnel-Connection | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[82] | Tunnel-Assignment-Id (LAC only) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[83] | Tunnel-Preference (LAC only) | – | – | – | ✓ | ✓ | ✓
[86] | Acct-Tunnel-Packets-Lost | – | – | – | – | ✓ | ✓
[90] | Tunnel-Client-Auth-Id | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
[91] | Tunnel-Server-Auth-Id | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Related Documentation
• Subscriber AAA Accounting Messages Overview on page 182
• RADIUS IETF Attributes on page 231
• Juniper Networks VSAs on page 238
AAA Access Messages During IPCP Negotiations for Dual-Stack Subscribers
The Ipv4-release-control RADIUS VSA attribute [26-164] can be configured to be sent
in the Access-Request and Interim-Acct messages. You can use the aaa ipv4 addr-saving
command to configure this attribute to be sent in the access and accounting messages
and enable the PPP application to inform the RADIUS server about the released IPv4
address for dual-stack subscribers, immediately after the address is released. The
following sections describe the different scenarios during the negotiation of IPCP packets
for IPv4 addresses, and the transmission of access messages between the router and
the AAA server.
Access-Request Messages When an IPv4 Address is Renegotiated
During IPCP renegotiation of IPv4 addresses, the router always includes the following
RADIUS attributes in the Access-Request messages sent to the RADIUS server:
• [1] User-Name
• [2] User-Password
• [4] NAS-Ip-Address
• [5] NAS-Port
• [25] Class
• [44] Acct-Session-Id
• [87] NAS-Port-Id
• [32] NAS-Identifier
• [26-164] Ipv4-release-control
The other attributes that are supported for this message are optional during
renegotiations.
Access-Accept Messages When an IPv4 Address is Assigned
When the Access-Accept message is sent from the RADIUS server after the subscriber
is successfully authenticated, during the initial session establishment, this message might
or might not contain the Framed-Ip-Address [8] attribute.
When an IPv4 address is delegated to the CPE during an IPCP negotiation, the following
RADIUS attributes are always included in the Access-Accept messages:
• [8] Framed-Ip-Address
• [9] Framed-Ip-Netmask
• [25] Class
The following RADIUS attributes can be optionally included in the Access-Accept
messages based on the user topology settings:
• [242] Ascend-Data-Filter (always included if the policy is defined using this attribute
for clients)
• [26-4] Primary-DNS
• [26-5] Secondary-DNS (included if the B-RAS user's DNS server is different from the
previously stored entry during IPCP negotiation)
The following RADIUS attributes are never included in the Access-Accept messages
when this functionality to optimally utilize IPv4 addresses is configured:
• [26-65] Activate-Service
• [242] Ascend-Data-Filter
• [26-66] Deactivate-Service
• [26-58] LI-Action
• [27] Session-Timeout
• [28] Idle-Timeout
• [97] Framed-Ipv6-Prefix
• [123] Delegated-Ipv6-Prefix
Related Documentation
• AAA Accounting Messages During IPCP Negotiations for Dual-Stack Subscribers on
page 193
• Juniper Networks VSAs on page 238
• Juniper Networks VSAs Supported for Subscriber AAA Access Messages on page 176
• IPCP Renegotiation of IPv4 Addresses for Dual-Stack Subscribers
AAA Accounting Messages During IPCP Negotiations for Dual-Stack Subscribers
The Ipv4-release-control RADIUS VSA attribute [26-164] is supported only in Interim-Acct
messages. The following sections describe the different scenarios during the negotiation
of IPCP packets for IPv4 addresses and release of addresses for terminated user sessions
in a dual-stack network, and the transmission of interim accounting messages between
the router and the AAA server.
Interim-Acct Messages When an IPv4 Address is Assigned
The following RADIUS attributes are always included in Interim-Acct messages when
an IPv4 address is assigned to a dual-stack subscriber during an IPCP negotiation:
• [55] Event-Timestamp
• [25] Class
• [97] Framed-Ipv6-Prefix
• [8] Framed-Ip-Address
• [9] Framed-Ip-Netmask
The other attributes supported in Interim-Acct messages are included, based on the user
configuration settings.
Interim-Acct Messages When an IPv4 Address is Not Assigned
The following RADIUS attributes are always included in Interim-Acct messages when
an IPv4 address is not assigned to a dual-stack subscriber during an IPCP negotiation:
• [55] Event-Timestamp
• [25] Class
• [97] Framed-Ipv6-Prefix
The other attributes supported in Interim-Acct messages are included, based on the user
configuration settings.
The following RADIUS attributes are never included in Interim-Acct messages when IPv4
address assignment fails:
• [8] Framed-Ip-Address
• [9] Framed-Ip-Netmask
Interim-Acct Messages During a Successful IPCP Renegotiation for IPv4 Addresses
The following RADIUS attributes are always included in Interim-Acct messages upon
the receipt of IPCP configuration requests for IPv4 addresses from CPE and a successful
IPCP renegotiation:
• [26-164] Ipv4-release-control
• [55] Event-Timestamp
• [25] Class
• [97] Framed-Ipv6-Prefix
• [8] Framed-Ip-Address
• [9] Framed-Ip-Netmask
• [123] Delegated-Ipv6-Prefix
• [44] Acct-Session-Id
The other attributes supported in Interim-Acct messages are included, based on the user
configuration settings.
Interim-Acct Messages During a Failed IPCP Renegotiation for IPv4 Addresses
The following RADIUS attributes are always included in Interim-Acct messages after the
receipt of IPCP configuration requests for IPv4 addresses from CPE and a failed IPCP
renegotiation:
• [26-164] Ipv4-release-control
• [55] Event-Timestamp
• [25] Class
• [97] Framed-Ipv6-Prefix
• [123] Delegated-Ipv6-Prefix
• [44] Acct-Session-Id
The other attributes supported in Interim-Acct messages are included, based on the user
configuration settings.
The following RADIUS attributes are never included in Interim-Acct messages when IPv4
address assignment fails after an IPCP renegotiation:
• [8] Framed-Ip-Address
• [9] Framed-Ip-Netmask
Interim-Acct Messages When an IPv4 Address is Released
The following RADIUS attributes are always included in Interim-Acct messages when
an IPv4 address is released upon the termination of a subscriber session:
• [26-164] Ipv4-release-control
• [55] Event-Timestamp
• [25] Class
• [97] Framed-Ipv6-Prefix
• [123] Delegated-Ipv6-Prefix
• [44] Acct-Session-Id
The other attributes supported in Interim-Acct messages are included, based on the user
configuration settings.
The following RADIUS attributes are never included in Interim-Acct messages when an
IPv4 address is released to the AAA server:
• [8] Framed-Ip-Address
• [9] Framed-Ip-Netmask
For both these attributes, even if the IP address assigned to the user is 0.0.0.0, it is
discarded and not included in the accounting messages.
Related Documentation
• AAA Access Messages During IPCP Negotiations for Dual-Stack Subscribers on page 191
• Juniper Networks VSAs on page 238
• Juniper Networks VSAs Supported for Subscriber AAA Accounting Messages on page 186
• IPCP Renegotiation of IPv4 Addresses for Dual-Stack Subscribers
DSL Forum VSAs in AAA Access and Accounting Messages Overview
JunosE Software supports the inclusion of a set of DSL Forum vendor-specific attributes
(VSAs) in the following AAA access and accounting messages:
• Access-Request
• Acct-Start
• Acct-Stop
• Interim-Acct (if Acct-Stop messages are specified)
• CoA-Request
The DSL Forum VSAs convey information about the subscriber associated with the digital
subscriber line (DSL) and the data rate of the DSL. When you use the radius include
dsl-forum-attributes command to enable inclusion of the DSL Forum VSAs in these
AAA messages, the router includes all of the attributes listed in Table 48 on page 196 in
the specified message, provided that the VSA is available in the information that the
router receives from the digital subscriber line access multiplexer (DSLAM).
NOTE: JunosE Software also supports several Juniper Networks VSAs that
you can use to include DSL-related information. See “Juniper Networks VSAs”
on page 238.
Related Documentation
• Subscriber AAA Access Messages Overview on page 172
• Subscriber AAA Accounting Messages Overview on page 182
• DSL Forum VSAs Supported for AAA Access and Accounting Messages on page 196
• CLI Commands Used to Include DSL Forum VSAs in Access and Accounting Messages
on page 207
• DSL Forum VSAs on page 250
DSL Forum VSAs Supported for AAA Access and Accounting Messages
Table 48 on page 196 lists the DSL Forum VSAs supported by JunosE Software in
Access-Request, Acct-Start, Acct-Stop, Interim-Acct (if Acct-Stop is specified), and
CoA-Request messages. JunosE Software uses the vendor ID that the IANA assigned to
the DSL Forum (3561, or DE9 in hexadecimal format).
Table 48: DSL Forum (Vendor ID 3561) VSAs Supported in AAA Access and Accounting Messages
Attribute Number | Attribute Name | Access-Request | Acct-Start | Acct-Stop | Interim-Acct | CoA-Request
[26-1] | Agent-Circuit-Id | ✓ | ✓ | ✓ | ✓ | ✓
[26-2] | Agent-Remote-Id | ✓ | ✓ | ✓ | ✓ | ✓
[26-129] | Actual-Data-Rate-Upstream | ✓ | ✓ | ✓ | ✓ | –
[26-130] | Actual-Data-Rate-Downstream | ✓ | ✓ | ✓ | ✓ | –
[26-131] | Minimum-Data-Rate-Upstream | ✓ | ✓ | ✓ | ✓ | –
[26-132] | Minimum-Data-Rate-Downstream | ✓ | ✓ | ✓ | ✓ | –
[26-133] | Attainable-Data-Rate-Upstream | ✓ | ✓ | ✓ | ✓ | –
[26-134] | Attainable-Data-Rate-Downstream | ✓ | ✓ | ✓ | ✓ | –
[26-135] | Maximum-Data-Rate-Upstream | ✓ | ✓ | ✓ | ✓ | –
[26-136] | Maximum-Data-Rate-Downstream | ✓ | ✓ | ✓ | ✓ | –
[26-137] | Minimum-Data-Rate-Upstream-Low-Power | ✓ | ✓ | ✓ | ✓ | –
[26-138] | Minimum-Data-Rate-Downstream-Low-Power | ✓ | ✓ | ✓ | ✓ | –
[26-139] | Maximum-Interleaving-Delay-Upstream | ✓ | ✓ | ✓ | ✓ | –
[26-140] | Actual-Interleaving-Delay-Upstream | ✓ | ✓ | ✓ | ✓ | –
[26-141] | Maximum-Interleaving-Delay-Downstream | ✓ | ✓ | ✓ | ✓ | –
[26-142] | Actual-Interleaving-Delay-Downstream | ✓ | ✓ | ✓ | ✓ | –
[26-144] | Access-Loop-Encapsulation | ✓ | ✓ | ✓ | ✓ | –
[26-254] | IWF-Session | ✓ | ✓ | ✓ | ✓ | –
Related Documentation
• Subscriber AAA Access Messages Overview on page 172
• Subscriber AAA Accounting Messages Overview on page 182
• DSL Forum VSAs in AAA Access and Accounting Messages Overview on page 196
• CLI Commands Used to Include DSL Forum VSAs in Access and Accounting Messages
on page 207
• DSL Forum VSAs on page 250
RADIUS Attributes Supported for CLI AAA Messages
There are four types of AAA messages used by CLI users to gain administrative access
to the router. Access-Challenge attributes pertain only to CLI/telnet users.
• Access-Request
• Access-Accept
• Access-Challenge
• Access-Reject
Table 49 on page 198 lists the RADIUS attributes supported for CLI AAA messages.
Table 49: CLI AAA Access Message RADIUS Attributes Supported
Attribute Number | Attribute Name | Access-Request | Access-Accept | Access-Challenge | Access-Reject
[1] | User-Name | ✓ | – | – | –
[2] | User-Password | ✓ | – | – | –
[4] | NAS-IP-Address | ✓ | – | – | –
[6] | Service-Type | ✓ | ✓ | – | –
[18] | Reply-Message | – | – | ✓ | ✓
[24] | State (Access-Request is only in response to an Access-Challenge) | ✓ | – | ✓ | –
[25] | Class | – | ✓ | – | –
[26-1] | Virtual-Router | – | ✓ | – | –
[26-18] | Init-CLI-Access-Level | – | ✓ | – | –
[26-19] | Allow-All-VR-Access | – | ✓ | – | –
[26-20] | Alt-CLI-Access-Level | – | ✓ | – | –
[26-21] | Alt-CLI-Virtual-Router-Name | – | ✓ | – | –
[26-25] | Redirect-Vrouter-Name | – | ✓ | – | –
Related Documentation
• Subscriber AAA Access Messages Overview on page 172
• Subscriber AAA Accounting Messages Overview on page 182
• CLI Commands Used to Configure RADIUS IETF Attributes on page 199
• CLI Commands Used to Configure Juniper Networks VSAs on page 203
• CLI Commands Used to Include or Exclude Attributes in RADIUS Messages on page 208
• CLI Commands Used to Ignore Attributes when Receiving Access-Accept Messages
on page 213
• DSL Forum VSAs on page 250
• Juniper Networks VSAs on page 238
CLI Commands Used to Modify RADIUS Attributes
You can configure the RADIUS Internet Engineering Task Force (IETF) attributes and the
Juniper Networks vendor-specific attributes using CLI commands.
For many attributes, you can configure the router to include the attribute in RADIUS
messages.
You can also configure the router to ignore many attributes that it receives in
Access-Accept messages.
For a complete list of RADIUS attributes supported by JunosE Software, see “RADIUS
IETF Attributes” on page 231.
Related Documentation
• CLI Commands Used to Configure RADIUS IETF Attributes on page 199
• CLI Commands Used to Configure Juniper Networks VSAs on page 203
• CLI Commands Used to Include ANCP-Related Juniper Networks VSAs in Access and
Accounting Messages on page 205
• CLI Commands Used to Include DSL Forum VSAs in Access and Accounting Messages
on page 207
• CLI Commands Used to Include or Exclude Attributes in RADIUS Messages on page 208
• CLI Commands Used to Ignore Attributes when Receiving Access-Accept Messages
on page 213
CLI Commands Used to Configure RADIUS IETF Attributes
Table 50 on page 200 lists the RADIUS IETF attributes and the corresponding CLI
commands used to configure them. The attributes are listed numerically—each attribute
is followed by a list of the commands that you can use to manage the attribute.
Table 50: CLI Commands Used to Configure RADIUS IETF Attributes
Attribute Number | Attribute Name | CLI Command
[4] | NAS-IP-Address
• radius override nas-ip-addr tunnel-client-endpoint
• radius override nas-info
[5] | NAS-Port
• radius include nas-port
• radius nas-port-format
• radius nas-port-format extended atm
• radius nas-port-format extended ethernet
• radius pppoe nas-port-format unique
• radius vlan nas-port-format stacked
[8] | Framed-IP-Address
• radius include framed-ip-addr
[9] | Framed-Ip-Netmask
• radius include framed-ip-netmask
• radius ignore framed-ip-netmask
[13] | Framed-Compression
• radius include framed-compression
[22] | Framed-Route
• radius include framed-route
[25] | Class
• radius include class
[30] | Called-Station-Id
• radius include called-station-id
[31] | Calling-Station-Id
• radius calling-station-format
• radius calling-station-delimiter
• radius include calling-station-id
• radius override calling-station-id remote-circuit-id
• radius remote-circuit-id-format
• radius remote-circuit-id-delimiter
[32] | NAS-Identifier
• radius nas-identifier
• radius include nas-identifier
• radius override nas-info
[41] | Acct-Delay-Time
• radius include acct-delay-time
[44] | Acct-Session-Id
• radius include acct-session-id
• radius acct-session-id-format
[45] | Acct-Authentic
• radius include acct-authentic
[49] | Acct-Terminate-Cause
• radius include acct-terminate-cause
[50] | Acct-Multi-Session-Id
• radius include acct-multi-session-id
[51] | Acct-Link-Count
• radius include acct-link-count
[52] | Acct-Input-Gigawords
• radius include input-gigawords
[53] | Output-Gigawords
• radius include output-gigawords
[55] | Event-Timestamp
• radius include event-timestamp
[61] | NAS-Port-Type
• radius dsl-port-type
• radius ethernet-port-type
• radius include nas-port-type
[64] | Tunnel-Type
• radius include tunnel-type
[65] | Tunnel-Medium-Type
• radius include tunnel-medium-type
[66] | Tunnel-Client-Endpoint
• radius include tunnel-client-endpoint
[67] | Tunnel-Server-Endpoint
• radius include tunnel-server-endpoint
[68] | Acct-Tunnel-Connection
• radius include acct-tunnel-connection
[77] | Connect-Info
• radius connect-info-format l2tp-connect-speed
• radius include connect-info
[82] | Tunnel-Assignment-Id
• radius include tunnel-assignment-id
[83] | Tunnel-Preference
• radius include tunnel-preference
[87] | NAS-Port-Id
• aaa intf-desc-format include
• radius include nas-port-id
• radius override nas-port-id remote-circuit-id
[90] | Tunnel-Client-Auth-Id
• radius include tunnel-client-auth-id
[91] | Tunnel-Server-Auth-Id
• radius include tunnel-server-auth-id
[96] | Framed-Interface-Id
• radius include framed-interface-id
[97] | Framed-Ipv6-Prefix
• radius include framed-ipv6-prefix
[99] | Framed-Ipv6-Route
• radius include framed-ipv6-route
[100] | Framed-Ipv6-Pool
• radius include framed-ipv6-pool
[123] | Delegated-Ipv6-Prefix
• radius include delegated-ipv6-prefix
[144] | DS-Lite-Tunnel-Name
• radius include ds-lite-tunnel-name
[188] | Ascend-Num-In-Multilink
• radius include ascend-num-in-multilink
– | All Tunnel Server Attributes
• radius include tunnel-server-attributes
Related Documentation
• Propagation of LAG Subscriber Information to AAA and RADIUS on page 43
• RADIUS IETF Attributes Supported for Subscriber AAA Access Messages on page 173
• RADIUS IETF Attributes Supported for Subscriber AAA Accounting Messages on page 183
• RADIUS IETF Attributes Supported for AAA Tunnel Accounting Messages on page 190
• RADIUS IETF Attributes on page 231
• aaa intf-desc-format include
• radius acct-session-id-format
• radius calling-station-delimiter
• radius calling-station-format
• radius connect-info-format
• radius dsl-port-type
• radius ethernet-port-type
• radius ignore
• radius include
• radius nas-identifier
• radius nas-port-format
• radius nas-port-format extended
• radius override calling-station-id remote-circuit-id
• radius override nas-info
• radius override nas-ip-addr tunnel-client-endpoint
• radius override nas-port-id remote-circuit-id
• radius pppoe nas-port-format unique
• radius remote-circuit-id-delimiter
• radius remote-circuit-id-format
• radius vlan nas-port-format stacked
CLI Commands Used to Configure Juniper Networks VSAs
Table 51 on page 203 lists the Juniper Networks VSAs and the corresponding CLI commands
used to modify them. The attributes are listed numerically.
Table 51: CLI Commands Used to Configure Juniper Networks VSAs
Attribute Number | Attribute Name | CLI Command
[26-1] | Virtual-Router
• radius ignore virtual-router
[26-10] | Ingress-Policy-Name
• radius include ingress-policy-name
• radius ignore ingress-policy-name
[26-11] | Egress-Policy-Name
• radius include egress-policy-name
• radius ignore egress-policy-name
[26-14] | Service-Category
• radius ignore atm-service-category
[26-15] | PCR
• radius ignore atm-pcr
[26-16] | SCR
• radius ignore atm-scr
[26-17] | MBS
• radius ignore atm-mbs
[26-24] | Pppoe-Description
• radius include pppoe-description
[26-26] | QoS-Profile-Name
• radius include qos-profile-name
[26-35] | Acct-Input-Gigapackets
• radius include input-gigapkts
[26-36] | Acct-Output-Gigapackets
• radius include output-gigapkts
[26-44] | Tunnel-Interface-Id
• radius include tunnel-interface-id
[26-45] | Ipv6-Virtual-Router
• radius include ipv6-virtual-router
[26-46] | Ipv6-Local-Interface
• radius include ipv6-local-interface
[26-47] | Ipv6-Primary-DNS
• radius include ipv6-primary-dns
[26-48] | Ipv6-Secondary-DNS
• radius include ipv6-secondary-dns
[26-51] | Disconnect-Cause
• radius include l2tp-ppp-disconnect-cause
[26-53] | Service-Description
• radius include profile-service-description
[26-55] | DHCP-Options
• radius include dhcp-options
[26-56] | DHCP-MAC-Address
• radius include dhcp-mac-address
[26-57] | DHCP-GI-Address
• radius include dhcp-gi-address
[26-62] | MLPPP-Bundle-Name
• radius include mlppp-bundle-name
[26-63] | Interface-Desc
• radius include interface-description
[26-81] | L2C-Information
• radius include access-loop-parameters
[26-92] | L2C-Up-Stream-Data
• radius include l2c-upstream-data
[26-93] | L2C-Down-Stream-Data
• radius include l2c-downstream-data
[26-106] | Ipv6-Ingress-Policy-Name
• radius include ipv6-ingress-policy-name
• radius ignore ipv6-ingress-policy-name
[26-107] | Ipv6-Egress-Policy-Name
• radius include ipv6-egress-policy-name
• radius ignore ipv6-egress-policy-name
[26-129] | Ipv6-NdRa-Prefix
• radius include ipv6-nd-ra-prefix
[26-141] | Downstream-Calculated-Qos-Rate
• radius include downstream-calculated-qos-rate access-request
• radius include downstream-calculated-qos-rate acct-start
• radius include downstream-calculated-qos-rate acct-stop
[26-142] | Upstream-Calculated-Qos-Rate
• radius include upstream-calculated-qos-rate access-request
• radius include upstream-calculated-qos-rate acct-start
• radius include upstream-calculated-qos-rate acct-stop
[26-143] | Max-Clients-Per-Interface
• radius ignore pppoe-max-session
[26-150] | ICR-Partition-Id
• radius include icr-partition-id
• radius icr-partition-accounting
[26-151] | IPv6-Acct-Input-Octets
•
radius include ipv6-accounting
[26-152]
IPv6-Acct-Output-Octets
•
radius include ipv6-accounting
[26-153]
IPv6-Acct-Input-Packets
•
radius include ipv6-accounting
[26-154]
IPv6-Acct-Output-Packets
•
radius include ipv6-accounting
[26-155]
IPv6-Acct-Input-Gigawords
•
radius include ipv6-accounting
[26-156]
IPv6-Acct-Output-Gigawords
•
radius include ipv6-accounting
[26-159]
DHCP-Option 82
•
radius include dhcp-option-82
[26-165]
PCP-Server-Name
•
radius include pcp-server-name
Related
Documentation
•
Juniper Networks VSAs Supported for Subscriber AAA Access Messages on page 176
•
Juniper Networks VSAs Supported for Subscriber AAA Accounting Messages on page 186
•
RADIUS Attributes Supported for CLI AAA Messages on page 198
•
Juniper Networks VSAs on page 238
•
Monitoring Included RADIUS Attributes on page 285
•
Monitoring Ignored RADIUS Attributes on page 288
•
radius icr-partition-accounting
•
radius ignore
•
radius include
CLI Commands Used to Include ANCP-Related Juniper Networks VSAs in Access and Accounting Messages
You use the radius include command to specify information about ANCP, also known
as L2C, that you want to include in the RADIUS Access-Request, Acct-Start, and Acct-Stop
messages. Also, if you specify Acct-Stop messages, the router includes ANCP information
in Interim-Acct messages that the router sends to RADIUS. By default, the router does
not include the ANCP-related information provided by the Juniper Networks VSAs in
RADIUS messages.
These Juniper Networks ANCP-related VSAs are based on definitions in GSMP extensions
for layer2 control (L2C) Topology Discovery and Line
Configuration—draft-wadhwa-gsmp-l2control-configuration-00.txt (July 2006
expiration).
NOTE:
• You must enable ANCP discovery with the discovery-mode command prior
to configuring the radius include command with the ANCP-related VSAs.
Configuring discovery mode enables the RADIUS authentication server to
retrieve ANCP information.
• JunosE Software continues to support DSL Forum VSAs (vendor ID 3561)
that you can use to include DSL-related information in RADIUS messages.
See “DSL Forum VSAs” on page 250.
Table 52 on page 206 lists the ANCP (L2C)-related keywords that you can use in the radius
include command and the associated Juniper Networks VSAs. The table also indicates
the mappings between ANCP parameters and the VSAs.
Table 52: ANCP (L2C)-Related Keywords for radius include Command

Command Keyword            Juniper Networks  Juniper Networks      ANCP  ANCP
                           VSA Number        VSA Name              Type  Subtype
l2cd-acc-loop-cir-id       [26-110]          Acc-Loop-Cir-Id       1     –
l2cd-acc-aggr-cir-id-bin   [26-111]          Acc-Aggr-Cir-Id-Bin   2     –
l2cd-acc-aggr-cir-id-asc   [26-112]          Acc-Aggr-Cir-Id-Asc   3     –
l2cd-act-data-rate-up      [26-113]          Act-Data-Rate-Up      4     129
l2cd-act-data-rate-dn      [26-114]          Act-Data-Rate-Dn      4     130
l2cd-min-data-rate-up      [26-115]          Min-Data-Rate-Up      4     131
l2cd-min-data-rate-dn      [26-116]          Min-Data-Rate-Dn      4     132
l2cd-att-data-rate-up      [26-117]          Att-Data-Rate-Up      4     133
l2cd-att-data-rate-dn      [26-118]          Att-Data-Rate-Dn      4     134
l2cd-max-data-rate-up      [26-119]          Max-Data-Rate-Up      4     135
l2cd-max-data-rate-dn      [26-120]          Max-Data-Rate-Dn      4     136
l2cd-min-lp-data-rate-up   [26-121]          Min-LP-Data-Rate-Up   4     137
l2cd-min-lp-data-rate-dn   [26-122]          Min-LP-Data-Rate-Dn   4     138
l2cd-max-interlv-delay-up  [26-123]          Max-Interlv-Delay-Up  4     139
l2cd-act-interlv-delay-up  [26-124]          Act-Interlv-Delay-Up  4     140
l2cd-max-interlv-delay-dn  [26-125]          Max-Interlv-Delay-Dn  4     141
l2cd-act-interlv-delay-dn  [26-126]          Act-Interlv-Delay-Dn  4     142
l2cd-dsl-line-state        [26-127]          DSL-Line-State        4     143
l2cd-dsl-type              [26-128]          DSL-Type              4     144

Related Documentation
• Subscriber AAA Access Messages Overview on page 172
• Subscriber AAA Accounting Messages Overview on page 182
• Juniper Networks VSAs Supported for Subscriber AAA Access Messages on page 176
• Juniper Networks VSAs Supported for Subscriber AAA Accounting Messages on page 186
• CLI Commands Used to Include or Exclude Attributes in RADIUS Messages on page 208
• Juniper Networks VSAs on page 238
• Monitoring Included RADIUS Attributes on page 285
• radius include
CLI Commands Used to Include DSL Forum VSAs in Access and Accounting Messages
You can use the radius include dsl-forum-attributes command to control the inclusion
of a set of DSL Forum VSAs in Access-Request, Acct-Start, Acct-Stop, and (if Acct-Stop
messages are specified) Interim-Acct messages that the router sends to RADIUS.
The DSL Forum VSAs, as defined in RFC 4679—DSL Forum Vendor-Specific RADIUS
Attributes (September 2006), convey information about the associated subscriber and
the data rate of the DSL connection. A service provider might find it useful to enable
inclusion of the DSL Forum VSAs in RADIUS messages in order to bill subscribers for
different classes of service based on the data rate of their DSL connection.
NOTE: JunosE Software also supports several Juniper Networks VSAs that
you can use to include DSL-related information. See “Juniper Networks VSAs”
on page 238.
The router receives data containing one or more of the DSL Forum VSAs from a DSLAM
connected to the router via a PPPoE interface. When you enable the inclusion of the DSL
Forum VSAs in these RADIUS messages, the router includes all of the following attributes
in the specified message type, provided that the VSA is available in the information that
the router receives from the DSLAM.
NOTE: The router uses the vendor ID assigned to the DSL Forum (3561, or
DE9 in hexadecimal format) by the IANA for the DSL Forum VSAs.
• Agent-Circuit-Id [26-1]
• Agent-Remote-Id [26-2]
• Actual-Data-Rate-Upstream [26-129]
• Actual-Data-Rate-Downstream [26-130]
• Minimum-Data-Rate-Upstream [26-131]
• Minimum-Data-Rate-Downstream [26-132]
• Attainable-Data-Rate-Upstream [26-133]
• Attainable-Data-Rate-Downstream [26-134]
• Maximum-Data-Rate-Upstream [26-135]
• Maximum-Data-Rate-Downstream [26-136]
• Minimum-Data-Rate-Upstream-Low-Power [26-137]
• Minimum-Data-Rate-Downstream-Low-Power [26-138]
• Maximum-Interleaving-Delay-Upstream [26-139]
• Actual-Interleaving-Delay-Upstream [26-140]
• Maximum-Interleaving-Delay-Downstream [26-141]
• Actual-Interleaving-Delay-Downstream [26-142]
• Access-Loop-Encapsulation [26-144]
• IWF-Session [26-254]
For information about enabling the QoS downstream rate application to obtain
downstream rates from the Actual-Data-Rate-Downstream [26-130] DSL Forum VSA,
see the Configuring the Downstream Rate Using QoS Parameters chapter in JunosE Quality
of Service Configuration Guide.
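On the wire, each DSL Forum VSA is a RADIUS Vendor-Specific attribute (type 26) whose value starts with the 4-octet vendor ID 3561 and then carries the sub-attributes listed above as vendor-type, vendor-length, value triples. The following Python decoder is an added illustration of that layout and is not part of the guide or of JunosE; the sample attribute bytes, the circuit ID string and the rate values are constructed, and only the sub-attribute numbers come from the list above. It validates every length field before slicing, so a length that overruns the data is reported as a malformed attribute instead of being read past, and it returns only the sub-attributes actually present, mirroring the "provided that the VSA is available" rule.

```python
"""Decode DSL Forum (vendor ID 3561) VSAs from a RADIUS attribute list.

Added example, not part of JunosE or this guide. Sample input is constructed.
"""
import struct

DSL_FORUM_VENDOR_ID = 3561          # 0xDE9, the IANA enterprise number used for these VSAs
VENDOR_SPECIFIC = 26

# Sub-attribute numbers from the list above. Agent-Circuit-Id and Agent-Remote-Id
# carry octet strings; the rate and delay attributes carry a 32-bit unsigned integer.
STRING_SUBTYPES = {1: "Agent-Circuit-Id", 2: "Agent-Remote-Id"}
INTEGER_SUBTYPES = {
    129: "Actual-Data-Rate-Upstream", 130: "Actual-Data-Rate-Downstream",
    131: "Minimum-Data-Rate-Upstream", 132: "Minimum-Data-Rate-Downstream",
    133: "Attainable-Data-Rate-Upstream", 134: "Attainable-Data-Rate-Downstream",
    135: "Maximum-Data-Rate-Upstream", 136: "Maximum-Data-Rate-Downstream",
    137: "Minimum-Data-Rate-Upstream-Low-Power", 138: "Minimum-Data-Rate-Downstream-Low-Power",
    139: "Maximum-Interleaving-Delay-Upstream", 140: "Actual-Interleaving-Delay-Upstream",
    141: "Maximum-Interleaving-Delay-Downstream", 142: "Actual-Interleaving-Delay-Downstream",
}
# Access-Loop-Encapsulation [144] and IWF-Session [254] are returned as raw bytes.


class MalformedAttribute(ValueError):
    """Raised when a length field does not fit the data; the packet must not be trusted."""


def iter_attributes(blob):
    """Yield (type, value) from a Type/Length/Value list, validating every length."""
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise MalformedAttribute("truncated attribute header at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise MalformedAttribute("attribute length %d at offset %d overruns data" % (alen, pos))
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def decode_dsl_forum_vsas(blob):
    """Return {name: value} for every DSL Forum sub-attribute present in blob.

    Sub-attributes the DSLAM did not supply are simply absent. VSAs carrying
    another vendor ID (for example Juniper's 4874) are skipped.
    """
    found = {}
    for atype, value in iter_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != DSL_FORUM_VENDOR_ID:
            continue
        for subtype, data in iter_attributes(value[4:]):
            if subtype in STRING_SUBTYPES:
                found[STRING_SUBTYPES[subtype]] = data.decode("ascii", "replace")
            elif subtype in INTEGER_SUBTYPES:
                if len(data) != 4:
                    raise MalformedAttribute("sub-attribute %d must be 4 octets" % subtype)
                found[INTEGER_SUBTYPES[subtype]] = struct.unpack("!I", data)[0]
            else:
                found["DSL-Forum-%d" % subtype] = data
    return found


# Encoder used only to build the constructed sample below.
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def vsa(vendor_id, sub_attrs):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + b"".join(sub_attrs))


# Constructed Access-Request attribute list: User-Name, a DSL Forum VSA with four
# sub-attributes, and a Juniper VSA (vendor ID 4874) that the decoder ignores.
SAMPLE_ATTRIBUTES = (
    attr(1, b"alice@example.net")
    + vsa(DSL_FORUM_VENDOR_ID, [
        attr(1, b"dslam1 eth 1/2:3.4"),              # Agent-Circuit-Id (constructed)
        attr(130, struct.pack("!I", 20000)),          # Actual-Data-Rate-Downstream, kbit/s
        attr(129, struct.pack("!I", 1024)),           # Actual-Data-Rate-Upstream, kbit/s
        attr(254, b""),                               # IWF-Session, zero-length flag
    ])
    + vsa(4874, [attr(1, b"default")])
)

if __name__ == "__main__":
    for name, value in sorted(decode_dsl_forum_vsas(SAMPLE_ATTRIBUTES).items()):
        print("%-40s %r" % (name, value))
```

Running the block prints the two rates, the circuit ID and the empty IWF-Session flag; the Maximum-Data-Rate-* attributes do not appear because the constructed DSLAM data does not carry them.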
Related Documentation
• Subscriber AAA Access Messages Overview on page 172
• Subscriber AAA Accounting Messages Overview on page 182
• DSL Forum VSAs in AAA Access and Accounting Messages Overview on page 196
• DSL Forum VSAs Supported for AAA Access and Accounting Messages on page 196
• DSL Forum VSAs on page 250
• radius include dsl-forum-attributes
CLI Commands Used to Include or Exclude Attributes in RADIUS Messages
You can use the radius include command to enable or disable the inclusion of RADIUS
attributes in Acct-on, Acct-off, Access-Request, Acct-Start, and Acct-Stop messages.
Table 53 on page 209 lists the RADIUS attributes that can be included or excluded in
RADIUS messages using the radius include command and the RADIUS messages in
which the attributes are supported.

Table 53: RADIUS Attributes Included in Corresponding RADIUS Messages

Attribute  Attribute Name                  Access-Request  Acct-on  Acct-off  Acct-Start  Acct-Stop
Number
[5]        NAS-Port                        ✓               –        –         ✓           ✓
[8]        Framed-IP-Address               ✓               –        –         ✓           ✓
[9]        Framed-IP-Netmask               –               –        –         ✓           ✓
[13]       Framed-Compression              –               –        –         ✓           ✓
[22]       Framed-Route                    –               –        –         ✓           ✓
[25]       Class                           –               –        –         ✓           ✓
[26-10]    Ingress-Policy-Name             –               –        –         ✓           ✓
[26-11]    Egress-Policy-Name              –               –        –         ✓           ✓
[26-24]    Pppoe-Description               ✓               –        –         ✓           ✓
[26-26]    QoS-Profile-Name                –               –        –         ✓           ✓
[26-35]    Acct-Input-Gigapackets          –               –        –         –           ✓
[26-43]    Acct-Output-Gigapackets         –               –        –         –           ✓
[26-44]    Tunnel-Interface-ID             ✓               –        –         ✓           ✓
[26-45]    Ipv6-Virtual-Router             –               –        –         –           ✓
[26-46]    Ipv6-Local-Interface            –               –        –         –           ✓
[26-47]    Ipv6-Primary-DNS                –               –        –         –           ✓
[26-48]    Ipv6-Secondary-DNS              –               –        –         –           ✓
[26-51]    Disconnect-Cause                –               –        –         –           ✓
[26-53]    Service-Description             ✓               –        –         ✓           ✓
[26-55]    DHCP-Options                    ✓               –        –         ✓           ✓
[26-56]    DHCP-MAC-Address                ✓               –        –         ✓           ✓
[26-57]    DHCP-GI-Address                 ✓               –        –         ✓           ✓
[26-62]    MLPPP-Bundle-Name               ✓               –        –         ✓           ✓
[26-63]    Interface-Description           ✓               –        –         ✓           ✓
[26-81]    L2c-Information                 ✓               –        –         –           –
[26-92]    L2C-Up-Stream-Data              ✓               –        –         ✓           ✓
[26-93]    L2C-Down-Stream-Data            ✓               –        –         ✓           ✓
[26-106]   Ipv6-Ingress-Policy-Name        –               –        –         ✓           ✓
[26-107]   Ipv6-Egress-Policy-Name         –               –        –         ✓           ✓
[26-110]   Acc-Loop-Cir-Id                 ✓               –        –         ✓           ✓
[26-111]   Acc-Aggr-Cir-Id-Bin             ✓               –        –         ✓           ✓
[26-112]   Acc-Aggr-Cir-Id-Asc             ✓               –        –         ✓           ✓
[26-113]   Act-Data-Rate-Up                ✓               –        –         ✓           ✓
[26-114]   Act-Data-Rate-Dn                ✓               –        –         ✓           ✓
[26-115]   Min-Data-Rate-Up                ✓               –        –         ✓           ✓
[26-116]   Min-Data-Rate-Dn                ✓               –        –         ✓           ✓
[26-117]   Att-Data-Rate-Up                ✓               –        –         ✓           ✓
[26-118]   Att-Data-Rate-Dn                ✓               –        –         ✓           ✓
[26-119]   Max-Data-Rate-Up                ✓               –        –         ✓           ✓
[26-120]   Max-Data-Rate-Dn                ✓               –        –         ✓           ✓
[26-121]   Min-LP-Data-Rate-Up             ✓               –        –         ✓           ✓
[26-122]   Min-LP-Data-Rate-Dn             ✓               –        –         ✓           ✓
[26-123]   Max-Interlv-Delay-Up            ✓               –        –         ✓           ✓
[26-124]   Act-Interlv-Delay-Up            ✓               –        –         ✓           ✓
[26-125]   Max-Interlv-Delay-Dn            ✓               –        –         ✓           ✓
[26-126]   Act-Interlv-Delay-Dn            ✓               –        –         ✓           ✓
[26-127]   DSL-Line-State                  ✓               –        –         ✓           ✓
[26-128]   DSL-Type                        ✓               –        –         ✓           ✓
[26-129]   Ipv6-NdRa-Prefix                –               –        –         –           ✓
[26-141]   Downstream-Calculated-Qos-Rate  ✓               –        –         ✓           ✓
[26-142]   Upstream-Calculated-Qos-Rate    ✓               –        –         ✓           ✓
[26-150]   ICR-Partition-Id                ✓               –        –         ✓           ✓
[26-159]   DHCP-Option 82                  ✓               –        –         ✓           ✓
[26-165]   PCP-Server-Name                 –               –        –         ✓           ✓
[30]       Called-Station-Id               ✓               –        –         ✓           ✓
[31]       Calling-Station-Id              ✓               –        –         ✓           ✓
[32]       NAS-Identifier                  ✓               ✓        ✓         ✓           ✓
[41]       Acct-Delay-Time                 –               ✓        ✓         –           –
[44]       Acct-Session-Id                 ✓               ✓        ✓         –           –
[45]       Acct-Authentic                  –               ✓        ✓         –           –
[49]       Acct-Terminate-Cause            –               –        ✓         –           –
[50]       Acct-Multi-Session-Id           ✓               –        –         ✓           ✓
[51]       Acct-Link-Count                 –               –        –         ✓           ✓
[52]       Acct-Input-Gigawords            –               –        –         –           ✓
[53]       Acct-Output-Gigawords           –               –        –         –           ✓
[55]       Event-Timestamp                 –               ✓        ✓         ✓           ✓
[61]       NAS-Port-Type                   ✓               –        –         ✓           ✓
[64]       Tunnel-Type                     ✓               –        –         ✓           ✓
[65]       Tunnel-Medium-Type              ✓               –        –         ✓           ✓
[66]       Tunnel-Client-Endpoint          ✓               –        –         ✓           ✓
[67]       Tunnel-Server-Endpoint          ✓               –        –         ✓           ✓
[68]       Acct-Tunnel-Connection          ✓               –        –         ✓           ✓
[77]       Connect-Info                    ✓               –        –         ✓           ✓
[82]       Tunnel-Assignment-Id            –               –        –         ✓           ✓
[83]       Tunnel-Preference               –               –        –         ✓           ✓
[87]       NAS-Port-Id                     ✓               –        –         ✓           ✓
[90]       Tunnel-Client-Auth-Id           ✓               –        –         ✓           ✓
[91]       Tunnel-Server-Auth-Id           ✓               –        –         ✓           ✓
[96]       Framed-Interface-Id             ✓               –        –         ✓           ✓
[97]       Framed-Ipv6-Prefix              ✓               –        –         ✓           ✓
[99]       Framed-Ipv6-Route               –               –        –         –           ✓
[100]      Framed-IPv6-Pool                –               –        –         –           ✓
[123]      Delegated-IPv6-Prefix           –               –        –         –           ✓
[144]      DS-Lite-Tunnel-Name             –               –        –         ✓           ✓
[188]      Ascend-Num-In-Multilink         ✓               –        –         ✓           ✓
           All Tunnel-Server-Attributes    ✓               –        –         ✓           ✓
           All Ipv6-Accounting Attributes  –               –        –         –           ✓

Related Documentation
• Subscriber AAA Access Messages Overview on page 172
• Subscriber AAA Accounting Messages Overview on page 182
• RADIUS IETF Attributes on page 231
• Juniper Networks VSAs on page 238
• Monitoring Included RADIUS Attributes on page 285
• radius include
CLI Commands Used to Ignore Attributes when Receiving Access-Accept Messages
You can use the radius ignore command to configure the router to ignore or accept a
RADIUS attribute from the received Access-Accept messages.
The following attributes can be ignored or accepted using the radius ignore command:
• atm-mbs
• atm-pcr
• atm-scr
• atm-service-category
• egress-policy-name
• framed-ip-netmask
• ingress-policy-name
• ipv6-egress-policy-name
• ipv6-ingress-policy-name
• pppoe-max-session
• virtual-router
Related Documentation
• Subscriber AAA Access Messages Overview on page 172
• Monitoring Ignored RADIUS Attributes on page 288
• radius ignore
RADIUS Per-Profile Attribute List Configuration Overview
JunosE Software enables you to configure RADIUS-specific attributes for subscribers
attached to a specific PPP profile. If a per-profile list is configured, then only the attributes
specified in the per-profile list are processed. If no per-profile list is configured, then
the standard RADIUS attribute configuration applies.
NOTE: The attributes supported by the per-profile list take precedence over
the standard RADIUS attribute configuration. By default, the inclusion of all
attributes is disabled in the per-profile list.
This feature enables you to configure the following RADIUS attributes:
• override nas-ip-addr
• calling-station-id
Related Documentation
• RADIUS Overview on page 170
• attributes (RADIUS)
Example: Configuring RADIUS-Specific Attributes
In this example, RADIUS-specific attributes are configured for subscribers attached to a
specific PPP profile. You can configure this as follows:
1. Create a RADIUS per-profile attribute list, and configure the required RADIUS attributes
in the list.
host1(config)#radius per-profile-attr-list abc
host1(config-perprofile-list)#request-type acct-start
host1(config-perprofile-list)#action-type enable
host1(config-perprofile-list)#attributes calling-station-id override-nas-ip-addr
2. Create an AAA profile.
host1(config)#aaa profile aaaprofile1
3. Specify the RADIUS attribute list in the AAA profile.
host1(config-aaa-profile)#radius-perprofilelist-name abc
4. Create a PPP profile.
host1(config)#profile pppprofile1
5. Attach the AAA profile name to the PPP profile.
host1(config-profile)#ppp aaa-profile aaaprofile1
6. To view the attributes configured in the RADIUS per-profile attribute list, issue the
show radius per-profile-attr-list command.
host1#show radius per-profile-attr-list abc
Attribute Name        AccessRequest  AccountStart  AccountStop
––––––––––––––        –––––––––––––  ––––––––––––  –––––––––––
calling-station-id    enabled        disabled      enabled
override-nas-ip-addr  enabled        enabled       enabled
Related Documentation
• RADIUS Per-Profile Attribute List Configuration Overview on page 213
• aaa profile
• action-type
• attributes (RADIUS)
• ppp aaa-profile
• profile
• radius per-profile-attr-list
• radius-perprofilelist-name
• request-type
• show radius per-profile-attr-list
CHAPTER 5
Configuring RADIUS Dynamic-Request Server
This chapter describes the RADIUS dynamic-request server feature on E Series routers.
The following topics describe this feature:
• RADIUS Dynamic-Request Server Overview on page 217
• RADIUS Dynamic-Request Server Platform Considerations on page 218
• RADIUS Dynamic-Request Server References on page 219
• Understanding RADIUS-Initiated Disconnect on page 219
• Configuring RADIUS-Initiated Disconnect on page 221
• Understanding RADIUS-Initiated Change of Authorization on page 222
• Configuring RADIUS-Initiated Change of Authorization on page 224
RADIUS Dynamic-Request Server Overview
The E Series router’s RADIUS dynamic-request server feature provides an efficient way
for you to use RADIUS servers to centrally manage user sessions. The RADIUS
dynamic-request server enables the router to receive the following types of messages
from RADIUS servers:
• Disconnect messages—Immediately terminate specific user sessions.
• Change-of-Authorization (CoA) messages—Dynamically modify session authorization
attributes, such as data filters.
NOTE: The RADIUS dynamic-request server’s support for CoA messages
is used by the Service Manager and by the E Series router’s packet mirroring
feature. For information about using the Service Manager, see the
Configuring Service Manager chapter in this guide. For specific information
about using the dynamic-request server with packet mirroring, see the
Configuring RADIUS-Based Packet Mirroring chapter in JunosE Policy
Management Configuration Guide.
For example, you might use the RADIUS dynamic-request server to terminate specific
user sessions. Without the RADIUS dynamic-request server, the only way to disconnect
a RADIUS user is from the E Series router. This disconnect method is cumbersome when
a network has many systems. The RADIUS dynamic-request server allows RADIUS servers
to initiate user-related operations, such as a termination operation, by sending unsolicited
request messages to an E Series router.
Figure 5 on page 218 shows a network that would benefit from the RADIUS
dynamic-request server functionality. In Figure 5 on page 218, instead of disconnecting
users on each E Series router, the RADIUS servers can initiate the disconnection. Although
the network has multiple RADIUS servers, the servers share a common database that
contains authorization and accounting information. Having a common database allows
any server to view who is currently valid and connected, and allows service providers to
manage the disconnection of users.
Figure 5: Sample Remote Access Network Using RADIUS
Related Documentation
• Monitoring the Configuration of the RADIUS Dynamic-Request Server on page 290
• Setting the Baseline for RADIUS Dynamic-Request Server Statistics on page 288
RADIUS Dynamic-Request Server Platform Considerations
RADIUS dynamic-request server is supported on all E Series routers. For information
about the modules supported on E Series routers:
• See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models,
and the ERX310 Broadband Services Router.
• See the E120 and E320 Module Guide for modules supported on the E120 and E320
Broadband Services Routers.
Related Documentation
• RADIUS Dynamic-Request Server Overview on page 217
RADIUS Dynamic-Request Server References
For more information about the RADIUS dynamic-request server feature, see the following
references:
• RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000)
• RFC 2866—RADIUS Accounting (June 2000)
• RFC 5176—Dynamic Authorization Extensions to Remote Authentication Dial In User
Service (RADIUS) (January 2008)
Related Documentation
• RADIUS Dynamic-Request Server Overview on page 217
• RADIUS Dynamic-Request Server Platform Considerations on page 218
Understanding RADIUS-Initiated Disconnect
In a typical client-server RADIUS environment, the E Series router functions as the client
and the RADIUS server functions as the server. However, when using the RADIUS
dynamic-request server feature, the roles are reversed. For example, during a
RADIUS-initiated disconnect operation, the E Series router’s RADIUS dynamic-request
server functions as the server, and the RADIUS server functions as the disconnect client.
This section describes the RADIUS dynamic-request server’s RADIUS-initiated disconnect
feature.
Disconnect Messages
To centrally control the disconnection of remote access users, the RADIUS
dynamic-request server on the router must receive and process unsolicited messages
from RADIUS servers.
The RADIUS-initiated disconnect feature uses the existing format of RADIUS disconnect
request and response messages. The RADIUS-initiated disconnect feature uses the
following codes in its RADIUS request and response messages:
• Disconnect-Request (40)
• Disconnect-ACK (41)
• Disconnect-NAK (42)
Message Exchange
The RADIUS server and the router’s RADIUS dynamic-request server exchange messages
using User Datagram Protocol (UDP). The Disconnect-Request message sent by the
RADIUS server has the same format as the CoA-Request packet that is sent for a change
of authorization operation.
The disconnect response is either a Disconnect-ACK or a Disconnect-NAK message:
• If AAA successfully disconnects the user, the response is a RADIUS-formatted packet
with a Disconnect-ACK message.
• If AAA cannot disconnect the user, the request is malformed, or attributes are missing
from the request, the response is a RADIUS-formatted packet with a Disconnect-NAK
message.
Supported Error-Cause Codes (RADIUS Attribute 101)
When a disconnect request fails, the RADIUS dynamic-request server includes an
error-cause attribute (RADIUS attribute 101) in the Disconnect-NAK message that it
sends back to the RADIUS server. If the detected error does not map to one of the
supported error-cause attributes, the router sends the Disconnect-NAK without an
error-cause attribute. Table 54 on page 220 lists the supported error-cause codes.

Table 54: Error-Cause Codes (RADIUS Attribute 101)

Code  Value                          Description
401   Unsupported attribute          The request contains an attribute that is not supported (for
                                     example, a third-party attribute).
402   Missing attribute              A critical attribute (for example, the session identification
                                     attribute) is missing from a request.
404   Invalid request                Some other aspect of the request is invalid, such as if one or
                                     more attributes (for example, the packet mirroring Mirror
                                     Identifier value) are not formatted properly.
503   Session context not found      The session context identified in the request does not exist on
                                     the NAS.
504   Session context not removable  The subscriber identified by attributes in the disconnect request
                                     is owned by a component that does not support RADIUS-initiated
                                     disconnect (for example, IP LAC subscribers cannot be
                                     disconnected).
506   Resources unavailable          A request could not be honored due to lack of available NAS
                                     resources (such as memory).

Qualifications for Disconnect
For the server to disconnect a user, the Disconnect-Request message must contain an
attribute with a session ID. The Disconnect-Request message can contain an
Acct-Session-Id (44) attribute or an Acct-Multi-Session-Id (50) attribute for the session
ID, or both. If both the Acct-Session-Id and Acct-Multi-Session-Id attributes are present
in the request, the router uses both attributes. If the User-Name (1) attribute is also
present in the request, the username and session ID are used to perform the disconnection.
Authentication, authorization, and accounting (AAA) services handle the actual request.
NOTE: The inclusion of the Acct-Multi-Session-Id (50) attribute in RADIUS
Disconnect-Request messages for LAC L2TP sessions causes the
disconnection of L2TP LAC user sessions to occur properly. The value of this
attribute is constructed from the Acct-Session-ID (44) attribute of the first
PPP link established for MLPPP bundles. If the Acct-Multi-Session-Id (50)
attribute is contained in the Disconnect-Request message for MLPPP links,
which are on the LAC side of an L2TP tunnel, the subscriber session is
disconnected.
Security/Authentication
The RADIUS server (the disconnect client) must calculate the authenticator as specified
for an Accounting-Request message in RFC 2866. The router’s RADIUS dynamic-request
server verifies the request using authenticator calculation as specified for an
Accounting-Request message in RFC 2866. A key (secret), as specified in RFC 2865,
must be configured and used in the calculation of the authenticator. The response
authenticator is calculated as specified for an Accounting-Response message in RFC
2866.
Related Documentation
• Configuring RADIUS-Initiated Disconnect on page 221
• Understanding RADIUS-Initiated Change of Authorization on page 222
• Configuring RADIUS-Initiated Change of Authorization on page 224
Configuring RADIUS-Initiated Disconnect
To configure the RADIUS-initiated disconnect feature, perform the following steps to set up
the RADIUS dynamic-request server that will perform the disconnect operation:
1. Configure the RADIUS dynamic-request server, and enter RADIUS Configuration mode.
host1(config)#radius dynamic-request server 10.10.5.10
host1(config-radius)#
2. Enable the RADIUS-initiated disconnect capability on the RADIUS dynamic-request
server.
host1(config-radius)#subscriber disconnect
3. Define the secret used in the RADIUS Authenticator field during exchanges between
the RADIUS dynamic-request server and the RADIUS server.
host1(config-radius)#key Secret3Clientkey
4. (Optional) Specify the UDP port on which the RADIUS dynamic-request server listens
for messages from the RADIUS server. The default is 1700.
host1(config-radius)#udp-port 1770
Related Documentation
• Setting the Baseline for RADIUS Dynamic-Request Server Statistics on page 288
• Monitoring RADIUS Dynamic-Request Server Statistics on page 288
• Monitoring the Configuration of the RADIUS Dynamic-Request Server on page 290
• key
• radius disconnect client
• subscriber disconnect
• udp-port
Understanding RADIUS-Initiated Change of Authorization
This section describes the RADIUS dynamic-request server’s support for CoA messages.
CoA messages are used by the E Series router’s RADIUS-initiated packet mirroring feature,
which is described in the Configuring RADIUS-Based Packet Mirroring chapter in JunosE
Policy Management Configuration Guide, and by Service Manager, which is described in
the Configuring Service Manager chapter of this guide.
Change-of-Authorization Messages
The RADIUS dynamic-request server receives and processes the unsolicited CoA messages
from RADIUS servers. The RADIUS-initiated CoA feature uses the following codes in its
RADIUS request and response messages:
• CoA-Request (43)
• CoA-ACK (44)
• CoA-NAK (45)
Message Exchange
The RADIUS server and the router’s RADIUS dynamic-request server exchange messages
using UDP. The CoA-Request message sent by the RADIUS server has the same format
as the Disconnect-Request packet that is sent for a disconnect operation.
The response is either a CoA-ACK or a CoA-NAK message:
• If AAA successfully changes the authorization, the response is a RADIUS-formatted
packet with a CoA-ACK message, and the data filter is applied to the session.
• If AAA is unsuccessful, the request is malformed, or attributes are missing, the response
is a RADIUS-formatted packet with a CoA-NAK message.
Supported Error-Cause Codes (RADIUS Attribute 101)
When AAA is unsuccessful, the RADIUS dynamic-request server includes an error-cause
attribute (RADIUS attribute 101) in the CoA-NAK message that it sends back to the
RADIUS server. If the detected error does not map to one of the supported error-cause
attributes, the router sends the CoA-NAK without an error-cause attribute. Table 55 on
page 223 lists the supported error-cause codes.

Table 55: Error-Cause Codes (RADIUS Attribute 101)

Code  Value                          Description
401   Unsupported attribute          The request contains an attribute that is not supported (for
                                     example, a third-party attribute).
402   Missing attribute              A critical attribute (for example, the session identification
                                     attribute) is missing from a request.
404   Invalid request                Some other aspect of the request is invalid, such as if one or
                                     more attributes (for example, the packet mirroring Mirror
                                     Identifier value) are not formatted properly.
503   Session context not found      The session context identified in the request does not exist on
                                     the NAS.
504   Session context not removable  The subscriber identified by attributes in the disconnect request
                                     is owned by a component that does not support RADIUS-initiated
                                     disconnect (for example, IP LAC subscribers cannot be
                                     disconnected).
506   Resources unavailable          A request could not be honored due to lack of available NAS
                                     resources (such as memory).
Qualifications for Change of Authorization
To complete the change of authorization for a user, the CoA-Request must contain one
of the following RADIUS attributes or pairs of attributes. AAA services handle the actual
request.
• User-Name [attribute 1] with Virtual-Router [attribute 26–1] to identify the user per
virtual router context
• Framed-IP-Address [attribute 8] with Virtual-Router [attribute 26–1] to identify the
address per virtual router context
• Calling-Station-ID [attribute 31]
• Acct-Session-ID [attribute 44] (mandatory for all CoA requests, except when the
request is for packet mirroring)
• Nas-Port-ID [attribute 5]
• DHCP-Option-82 [attribute 26–159], Vendor ID 4874
• Agent-Circuit-ID [attribute 26–1], Vendor ID 3561
• Agent-Remote-ID [attribute 26–2], Vendor ID 3561
NOTE: The Calling-Station-ID attribute is valid only for the tunneled
subscribers and on the LNS. Additionally, the Calling-Station-ID and
Nas-Port-ID attributes are valid only if there is no RADIUS override setting.
Security/Authentication
For change-of-authorization operations, the RADIUS server calculates the authenticator
as specified for an Accounting-Request message in RFC 2866. The RADIUS
dynamic-request server verifies the request using authenticator calculation as specified
for an Accounting-Request in RFC 2866. A key (secret), as specified in RFC 2865, must
be configured and used in the calculation of the authenticator. The response authenticator
is calculated as specified for an Accounting-Response message in RFC 2866.
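The authenticator rules just described, worked through in code. This is an added example written for this page, not code from the guide or from JunosE. It uses the CoA-Request/CoA-ACK/CoA-NAK packet codes from RFC 5176 (43, 44, 45; the guide does not list them), the key from the configuration steps that follow, and constructed attribute values; the Request Authenticator is the Accounting-Request MD5 of RFC 2866 and the Response Authenticator the Accounting-Response MD5, both keyed with the shared secret.

```python
"""Request/Response Authenticator handling for RADIUS dynamic-request packets, following the
Accounting-Request/Accounting-Response rules of RFC 2866. Added example; not JunosE code."""
import hashlib
import hmac
import struct

# Packet codes for dynamic authorization, from RFC 5176 (the guide does not list them).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# RADIUS header: Code (1), Identifier (1), Length (2), Authenticator (16).
HEADER = struct.Struct("!BBH16s")


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attribute TLVs; str values are UTF-8 encoded."""
    out = bytearray()
    for attr_type, value in attrs:
        if isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def build_request(code, ident, attrs, secret):
    """Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    digest = hashlib.md5(HEADER.pack(code, ident, length, b"\x00" * 16) + body + secret).digest()
    return HEADER.pack(code, ident, length, digest) + body


def verify_request(packet, secret):
    """The receiving dynamic-request server recomputes the MD5 over the packet with a zeroed
    Authenticator field and compares in constant time; False means drop (wrong key or tampered)."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, received = HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    body = packet[HEADER.size:]
    expected = hashlib.md5(HEADER.pack(code, ident, length, b"\x00" * 16) + body + secret).digest()
    return hmac.compare_digest(expected, received)


def build_response(request, code, attrs, secret):
    """Response Authenticator = MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret).
    Binding the reply to the request's Authenticator is what stops a replayed ACK from matching a new request."""
    _, ident, _, request_auth = HEADER.unpack_from(request)
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    digest = hashlib.md5(HEADER.pack(code, ident, length, request_auth) + body + secret).digest()
    return HEADER.pack(code, ident, length, digest) + body


def verify_response(request, response, secret):
    """The RADIUS server checks a CoA-ACK/NAK against the request it sent: same Identifier, and an
    Authenticator computed over its own Request Authenticator with the shared key."""
    if len(response) < HEADER.size:
        return False
    _, req_ident, _, request_auth = HEADER.unpack_from(request)
    code, ident, length, received = HEADER.unpack_from(response)
    if ident != req_ident or length != len(response):
        return False
    body = response[HEADER.size:]
    expected = hashlib.md5(HEADER.pack(code, ident, length, request_auth) + body + secret).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    # Constructed sample: the key from the configuration steps, an Acct-Session-Id [44] and a User-Name [1].
    key = b"Secret21Clientkey"
    coa = build_request(COA_REQUEST, 7, [(44, "0000000000000001"), (1, "user@example.net")], key)
    print("request verifies with configured key:", verify_request(coa, key))
    print("request verifies with wrong key:", verify_request(coa, b"wrongkey"))
    ack = build_response(coa, COA_ACK, [], key)
    print("ack verifies:", verify_response(coa, ack, key))
```

The verification functions reject a packet whose Length field disagrees with the datagram size before hashing anything, and compare digests with `hmac.compare_digest`; a mismatch on either side of the exchange is the signal that the key configured with `key` on the router and the one on the RADIUS server do not agree.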
Related Documentation
• Configuring RADIUS-Initiated Change of Authorization on page 224
• Understanding RADIUS-Initiated Disconnect on page 219
• Configuring RADIUS-Initiated Disconnect on page 221
Configuring RADIUS-Initiated Change of Authorization
To configure the RADIUS dynamic-request change of authorization (CoA) feature, perform
the following steps to set up the RADIUS dynamic-request server that will perform the
CoA operation:
1. Configure the RADIUS dynamic-request server, and enter RADIUS Configuration mode.
   host1(config)#radius dynamic-request server 10.10.5.10
2. Enable the CoA capability on the RADIUS dynamic-request server.
   host1(config-radius)#authorization change
3. Define the key (secret) used in the RADIUS Authenticator field during exchanges
   between the RADIUS dynamic-request server and the RADIUS server.
   host1(config-radius)#key Secret21Clientkey
4. (Optional) Specify the UDP port on which the router listens for messages from the
   RADIUS server. The default is 1700.
   host1(config-radius)#udp-port 1770
Related Documentation
• Setting the Baseline for RADIUS Dynamic-Request Server Statistics on page 288
• Monitoring RADIUS Dynamic-Request Server Statistics on page 288
• Monitoring the Configuration of the RADIUS Dynamic-Request Server on page 290
• authorization change
• key
• udp-port
CHAPTER 6
Configuring RADIUS Relay Server
This chapter describes the E Series router’s RADIUS relay server feature. The RADIUS
relay server provides authentication, authorization, accounting, and addressing services
to wireless subscribers in public areas, such as airports and coffee shops. This chapter
has the following sections:
• Understanding the RADIUS Relay Server on page 225
• RADIUS Relay Server Platform Considerations on page 228
• RADIUS Relay Server References on page 228
• RADIUS Relay Server and the SRC Software on page 228
• Configuring RADIUS Relay Server Support on page 229
Understanding the RADIUS Relay Server
The JunosE RADIUS relay server provides authentication, authorization, accounting, and
addressing services in an 802.1x-based wireless environment.
The IEEE 802.1x standard is an authentication standard for wireless LANs; it enables a
wireless subscriber to be authenticated by a central authority. The standard uses the
Extensible Authentication Protocol (EAP) for message exchange during the authentication
process. The E Series router’s RADIUS relay server enhances the 802.1x environment by
including authorization, accounting, and addressing support for wireless subscribers.
Figure 6 on page 226 illustrates a typical 802.1x-based wireless environment. In the figure,
wireless subscribers connect to wireless access points (WAPs) for authentication. The
WAPs in turn connect to the E Series router’s RADIUS relay server. The RADIUS relay
server passes the request on to the authentication server, which might be a RADIUS or
TACACS+ server. The RADIUS server authenticates the subscriber, who is then granted
access. After authentication, the RADIUS relay server obtains an IP address for the
subscriber from the Dynamic Host Configuration Protocol (DHCP) local or external server.
The RADIUS relay server can also use the RADIUS server or the optional Session and
Resource Control (SRC) software (formerly the SDX software), to provide the accounting
support.
Figure 6: RADIUS Relay Server (diagram not reproduced; the only recoverable label is "E Series router")
How RADIUS Relay Server Works
When a wireless subscriber starts a session, the WAP encapsulates EAP attributes into
a RADIUS Access-Request message and sends the request to the E Series router, which
the WAP views as the RADIUS server. The encapsulated message uses the RADIUS
EAP-Message (79) attribute. The RADIUS relay server does not process any of the EAP
attributes in the RADIUS Access-Request message; the encrypted message is simply
passed through the router to the actual RADIUS server. The RADIUS server must be EAP
aware.
You can also use an optional RADIUS proxy server to provide additional enhancements
to the 802.1x-based environment. For example, the RADIUS proxy server enables
subscribers to be multiplexed to multiple Internet service providers (ISPs) that are
customers of the same carrier. The server performs one of the following actions:
• If the ISP’s RADIUS server supports EAP, the RADIUS proxy server extends the EAP
  session to the RADIUS server.
• If the ISP’s RADIUS server does not support EAP, the RADIUS proxy server translates
  the EAP session into a legacy RADIUS session for the RADIUS server.
Authentication and Addressing
The WAP initiates the authentication and authorization request by sending a standard
RADIUS Access-Request to the RADIUS relay server. The Access-Request must include
the attributes listed in Table 56 on page 226. The attributes uniquely identify the wireless
subscriber.
Table 56: Required RADIUS Access-Request Attributes

Attribute Name             Description
Called-Station-id [30]     Subscriber’s WAP
Calling-Station-id [31]    Subscriber’s media access control (MAC) address
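The checks a relay would apply to an Access-Request before forwarding it, as an added example written for this page (not code from the guide or from JunosE): the two identifiers Table 56 requires must be present, and because the WAP carries EAP inside EAP-Message [79], the Message-Authenticator [80] that RFC 2869 makes mandatory alongside it must be present and verify under the key configured for that client. The EAP payload itself is not inspected, matching the pass-through behaviour described above. The sample packets are constructed, not captured; the key `mysecret` is the one from the configuration example later in this chapter.

```python
"""Relay-side checks on an Access-Request received from a WAP, before it is forwarded to the
RADIUS server. Added example; not JunosE code. Sample packets are constructed, not captured."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31      # required by Table 56
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80          # attribute 80 is mandatory alongside 79
HEADER = struct.Struct("!BBH16s")                    # Code, Identifier, Length, Request Authenticator


def parse_attrs(packet):
    """Walk the attribute TLVs after the header. Returns [(type, value, value_offset)].
    Raises ValueError on a truncated or zero-length attribute so a malformed packet is never relayed."""
    attrs, pos = [], HEADER.size
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError(f"bad length for attribute {attr_type}")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len], pos + 2))
        pos += attr_len
    return attrs


def message_authenticator_ok(packet, attrs, secret):
    """RFC 2869 Message-Authenticator: HMAC-MD5(secret) over the whole packet with the 16 octets
    of attribute 80 set to zero. Exactly one instance of the attribute is expected."""
    found = [(value, off) for attr_type, value, off in attrs if attr_type == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, off = found[0]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)


def check_access_request(packet, secret):
    """Return the list of reasons to drop the request; an empty list means it may be relayed."""
    if len(packet) < HEADER.size:
        return ["packet shorter than RADIUS header"]
    code, _, length, _ = HEADER.unpack_from(packet)
    problems = []
    if code != ACCESS_REQUEST:
        problems.append(f"unexpected code {code}")
    if length != len(packet):
        return problems + ["Length field does not match packet size"]
    try:
        attrs = parse_attrs(packet)
    except ValueError as err:
        return problems + [str(err)]
    present = {attr_type for attr_type, _, _ in attrs}
    for attr_type, name in ((CALLED_STATION_ID, "Called-Station-Id"), (CALLING_STATION_ID, "Calling-Station-Id")):
        if attr_type not in present:
            problems.append(f"missing required attribute {name} [{attr_type}]")
    if EAP_MESSAGE in present:
        if MESSAGE_AUTHENTICATOR not in present:
            problems.append("EAP-Message present without Message-Authenticator [80]")
        elif not message_authenticator_ok(packet, attrs, secret):
            problems.append("Message-Authenticator [80] does not verify with the configured key")
    return problems


def make_access_request(attrs, secret, sign=True):
    """Constructed test input shaped like a WAP's Access-Request. With sign=True a Message-Authenticator
    is appended as the last attribute and filled in over the finished packet."""
    def tlv(attr_type, value):
        return bytes([attr_type, len(value) + 2]) + value

    body = b"".join(tlv(attr_type, value) for attr_type, value in attrs)
    if sign:
        body += tlv(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    packet = HEADER.pack(ACCESS_REQUEST, 1, HEADER.size + len(body), os.urandom(16)) + body
    if sign:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet
```

`check_access_request` reports every problem it finds rather than stopping at the first, which is what you want when the result feeds a log line: a request that is both unsigned and missing Calling-Station-Id shows up as exactly that.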
When the RADIUS server authenticates the subscriber, the router’s RADIUS relay server
creates a RADIUS Access-Accept message and sends the message back to the subscriber.
The router’s DHCP server (either the router’s DHCP local server or an external DHCP
server) assigns an IP address to the subscriber and creates the subscriber interface.
For information about using the optional SRC software with the RADIUS relay server to
assign IP addresses, see the Using the SRC Software for Addressing section in “RADIUS
Relay Server and the SRC Software” on page 228.
The WAP might periodically reauthenticate a subscriber. For example, reauthentication
is necessary to renegotiate a new Wired Equivalent Privacy (WEP) key. The RADIUS relay
server ignores any new RADIUS attributes that are sent during a renegotiation operation.
Accounting
The RADIUS relay server’s clients (the WAPs) send standard accounting request messages
to the RADIUS relay server. The accounting server processes the request and sends the
results back to the RADIUS relay server, which then creates a RADIUS accounting response
message and forwards the information to the client WAP.
For tracking purposes, the forwarding RADIUS relay server adds the Radius-Client-Address
vendor-specific attribute (VSA 26-52) to the forwarded accounting request messages.
The VSA indicates the RADIUS relay server’s IP address.
For information about using the SRC software with the RADIUS relay server to provide
accounting, see the Using the SRC Software for Addressing section in “RADIUS Relay
Server and the SRC Software” on page 228.
Table 57 on page 227 shows the RADIUS attributes that must be included in accounting
requests. The attributes uniquely identify subscribers.
Table 57: Required RADIUS Accounting Attributes

For RADIUS Acct-Start and Acct-Stop Messages    Description
Called-Station-id [30]                          Subscriber’s WAP
Calling-Station-id [31]                         Subscriber’s MAC address

For RADIUS Acct-On and Acct-Off Messages        Description
Called-Station-id [30]                          Subscriber’s WAP
Terminating the Wireless Subscriber’s Connection
The RADIUS relay server terminates the wireless subscriber’s session when one of the
following events occurs. When a subscriber session is terminated, the subscriber’s IP
address is released back into the available address pool.
• The RADIUS relay server receives a RADIUS accounting stop request.
• No RADIUS accounting messages are received for this subscriber for more than 24 hours.
Related Documentation
• RADIUS Relay Server and the SRC Software on page 228
• Configuring RADIUS Relay Server Support on page 229
RADIUS Relay Server Platform Considerations
RADIUS relay is supported on all E Series routers.
For information about the modules supported on E Series routers:
• See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models,
  and the ERX310 Broadband Services Router.
• See the E120 and E320 Module Guide for modules supported on the E120 and E320
  Broadband Services Routers.
Related Documentation
• Understanding the RADIUS Relay Server on page 225
• RADIUS Relay Server References on page 228
RADIUS Relay Server References
For more information about RADIUS relay server, see the following resources:
• IEEE 802.1x-2001—Port-Based Network Access Control
• RFC 2869—RADIUS Extensions (June 2000)
• RFC 2284—PPP Extensible Authentication Protocol (EAP) (March 1998)
• RFC 3539—Authentication, Authorization and Accounting (AAA) Transport Profile (June 2003)
Related Documentation
• Understanding the RADIUS Relay Server on page 225
• RADIUS Relay Server Platform Considerations on page 228
RADIUS Relay Server and the SRC Software
The SRC software is an advanced subscriber configuration and management service.
The RADIUS relay server can optionally use the SRC software to perform addressing and
accounting services for the subscriber and WAP.
The RADIUS relay server uses the E Series router’s DHCP local server or DHCP external
server and SRC client process to communicate with the SRC software.
Using the SRC Software for Addressing
If you integrate the SAE software into the RADIUS relay server configuration, the
application can contribute to the address pool selection used to lease an address to the
subscriber. The SRC software only contributes to address pool selection when the DHCP
local server is used; it is not supported when a DHCP external server is used.
Using the SRC Software for Accounting
If you use the SRC software with the RADIUS relay server feature, two accounting domains
might actually be created. The first domain is established by the WAP, when the subscriber
is authenticated. The second domain is created for the connection between the E Series
router and the SRC software.
If you want to continue to use the SRC software’s user session and problem-tracking
features, you should not configure the SRC software to generate RADIUS accounting
records. Also, the following attributes must be configured on the RADIUS server used by
the WAP:
• Service-Bundle [26-31]
• Class [25]
• User-Name [1]
Related Documentation
• Understanding the RADIUS Relay Server on page 225
Configuring RADIUS Relay Server Support
To configure the RADIUS relay server feature, you enable support for the feature on the
E Series router and identify the key (secret) used for the connection between the WAP
and the RADIUS relay server. The following example configures a RADIUS relay
authentication server. Use similar steps to configure a RADIUS relay accounting server.
NOTE: The E Series router supports one instance of the RADIUS relay server
per virtual router. The instance can provide authentication, authorization,
and accounting support.
1. Enable RADIUS relay server support on the E Series router, and enter RADIUS Relay
   Configuration mode.
   host1(config)#radius relay authentication server
   host1(config-radius-relay)#
2. Specify the IP address and mask of the network that will use the relay authentication
   server, and the secret used during exchanges between the relay authentication server
   and clients (the WAPs).
   host1(config-radius-relay)#key 192.168.25.9 255.255.255.255 mysecret
3. Specify the router’s User Datagram Protocol (UDP) port on which the RADIUS relay
   server listens.
   host1(config-radius-relay)#udp-port 1812
4. (Optional) Verify the configuration.
   host1(config-radius-relay)#exit
   host1(config)#exit
   host1#show radius relay servers
   RADIUS Relay Authentication Server Configuration
   -----------------------------------------------
   IP Address       IP Mask            Secret
   ----------------------------------
   10.10.15.0       255.255.255.0      secret
   10.10.8.15       255.255.255.255    newsecret
   192.168.25.9     255.255.255.255    mysecret
   192.168.102.5    255.255.255.255    999Y2K
   Udp Port: 1812
   RADIUS Relay Accounting Server Configuration
   -------------------------------------------
   IP Address       IP Mask            Secret
   --------------------------------
   10.10.1.0        255.255.255.0      NO8pxq
   192.168.102.5    255.255.255.255    12BE$56
   Udp Port: 1813
Related Documentation
• Setting a Baseline for RADIUS Relay Statistics on page 290
• Monitoring RADIUS Relay Server Statistics on page 291
• Monitoring the Configuration of the RADIUS Relay Server on page 292
• Monitoring the Status of RADIUS Relay UDP Checksums on page 293
CHAPTER 7
RADIUS Attribute Descriptions
This chapter lists the RADIUS attributes that are supported by JunosE Software. Table
58 on page 231 describes the supported RADIUS IETF attributes. Table 59 on page 238
describes the supported Juniper Networks vendor-specific attributes (VSAs). Table 60
on page 251 describes the DSL Forum VSA formats supported by JunosE Software. Table
61 on page 252 describes RADIUS attributes that are simply passed to their destination
by the router.
RADIUS attributes are discussed in the following sections:
• RADIUS IETF Attributes on page 231
• Juniper Networks VSAs on page 238
• DSL Forum VSAs on page 250
• Pass Through RADIUS Attributes on page 252
• RADIUS Attributes References on page 252
RADIUS IETF Attributes
Table 58 on page 231 describes the RADIUS IETF attributes supported by JunosE Software.
The attributes are sorted by standard number.
Table 58: RADIUS IETF Attributes Supported by JunosE Software

Attribute Number   Attribute Name   Description

[1]    User-Name
       • Name of user to be authenticated
       • Configurable username override
[2]    User-Password
       • Password of user to be authenticated
       • Configurable password override
       • Password Authentication Protocol (PAP)
[3]    CHAP-Password
       Response value provided by a Point-to-Point Protocol (PPP) Challenge Handshake Authorization
       Protocol (CHAP) user in the response to an access challenge
[4]    NAS-IP-Address
       • IP address of the network access server (NAS) that is requesting authentication of the user
       • You can use the radius update-source-addr command to override this behavior.
[5]    NAS-Port
       • Physical port number of the NAS that is authenticating the user
       • See the radius nas-port-format, radius pppoe nas-port-format unique, and radius vlan
         nas-port-format stacked commands.
[6]    Service-Type
       • Type of service the user has requested or the type of service to be provided
       • Admin, Login, NAS Prompt, or Framed only
[7]    Framed-Protocol
       • Framing protocol used for framed access
       • Standard value of 1 set for PPP
       • Nonstandard value of 1008 set for dynamic ATM
[8]    Framed-IP-Address
       • IP address to be configured for the user
       • 0.0.0.0 or absence is interpreted as 255.255.255.254
       • See the framed-ip-add acct-start attribute name in the radius include command.
[9]    Framed-IP-Netmask
       • IP network to be configured for the user when the user is a router to a network
       • Absence implies 255.255.255.255
[11]   Filter-Id
       • Name of the filter list for the user
       • Interpreted as input policy name
[12]   Framed-MTU
       • The maximum transmission unit to be configured for the user, when it is not negotiated by
         some other means (such as PPP).
       • When sent in an Access-Request with an EAP-Message, indicates the maximum size of the
         EAP-Message string that the external server supports.
[13]   Framed-Compression
       Always set to none.
[18]   Reply-Message
       • Text that may be displayed to the user
       • Only the first instance of this attribute is used
[22]   Framed-Route
       String that provides routing information to be configured for the user on the NAS; in the format:
       <addr>[/<maskLen>] <nexthop> [<cost>] [tag <tagValue>] [distance <distValue>]
[24]   State
       • An arbitrary value that the router includes in new Access-Request packets from the previous
         Accept-Challenge
       • Applicable for CLI, telnet, or EAP message exchange
[25]   Class
       An arbitrary value that the NAS includes in all accounting packets for the user if supplied by
       the RADIUS server
[26]   Vendor-Specific
       Juniper Networks Enterprise number 0x0000130A
[27]   Session-Timeout
       Maximum number of consecutive seconds of service to be provided to the user before termination
       of the session
[28]   Idle-Timeout
       Maximum number of consecutive seconds of idle connection provided to the user before termination
       of the session
[30]   Called-Station-Id
       • Allows the NAS to send the phone number that the user called
       • Not supported for nontunneled or LAC session side
       • For the LNS, the format is the string passed in the Called Number AVP
       • For RADIUS relay server, indicates the subscriber’s wireless access point
[31]   Calling-Station-Id
       • Allows the NAS to send the phone number from which the call originated
       • See the radius calling-station-format and the radius calling-station-delimiter commands.
       • For RADIUS relay server, indicates the subscriber’s MAC address
[32]   NAS-Identifier
       • Identifies the NAS originating the request
       • System-wide configurable hostname or VR-sensitive configurable NAS-identifier name
[33]   Proxy-State
       E Series router’s port ID and IP address
[40]   Acct-Status-Type
       Indicates whether this Accounting-Request marks the beginning of the user service (Start), the
       end (Stop), or the interim (Interim-Update)
[41]   Acct-Delay-Time
       Indicates how many seconds the client has been trying to send a particular record
[42]   Acct-Input-Octets
       • Indicates how many octets have been received from the port during the time this service has
         been provided
       • IP subscriber manager—Statistics are reported
       • PPP—Statistics are counted according to the rules of the generic interface MIB
[43]   Acct-Output-Octets
       • Indicates how many octets have been sent to the port during the time this service has been
         provided
       • IP subscriber manager—Statistics are reported
       • PPP—Statistics are counted according to the rules of the generic interface MIB
[44]   Acct-Session-Id
       • Unique accounting identifier that makes it easy to match start and stop records in a log file
       • See the radius acct-session-id-format and the radius include acct-session-id access-request
         commands.
[45]   Acct-Authentic
       • Indicates how the user was authenticated: whether by RADIUS, the NAS itself, or another remote
         authentication protocol
       • Always 1
[46]   Acct-Session-Time
       Indicates how long in seconds that the user has received service
[47]   Acct-Input-Packets
       • Indicates how many packets have been received from the port during the time this service has
         been provided to a framed user
       • IP subscriber manager—Statistics are reported
       • PPP—Statistics are counted according to the rules of the generic interface MIB
[48]   Acct-Output-Packets
       • Indicates how many packets have been sent to the port in the course of delivering this service
         to a framed user
       • IP subscriber manager—Statistics are reported
       • PPP—Statistics are counted according to the rules of the generic interface MIB
[49]   Acct-Terminate-Cause
       Contains the reason the service (a PPP session) was terminated. The service can be terminated
       for the following reasons:
       • User Request (1)—User initiated the disconnect (log out)
       • Idle Timeout (4)—Idle timer has expired
       • Session Timeout (5)—Client reached the maximum continuous time allowed on the service or session
       • Admin Reset (6)—System administrator terminated the session
       • Port Error (8)—PVC failed; no hardware or no interface
       • NAS Error (9)—Negotiation failures, connection failures, or address lease expiration
       • NAS Request (10)—PPP challenge timeout, PPP request timeout, tunnel establishment failure, PPP
         bundle failure, IP address lease expiration, PPP keep-alive failure, Tunnel disconnect, or an
         unaccounted-for error
[50]   Acct-Multi-Session-Id
       • String constructed from the Acct-Session-ID of the first PPP link established for the Multilink
         PPP bundle and the internal Multilink PPP bundle ID.
       • This string is the hexadecimal ASCII characters for two 4-octet unsigned integers. Example:
         0a34331200001249.
[51]   Acct-Link-Count
       A value that increments with each link that joins the MLPPP bundle. This attribute does not
       indicate the number of active links. For more details, see RFC 2866—RADIUS Accounting (June 2000).
[52]   Acct-Input-Gigawords
       • Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 during the time
         this service has been provided, and can be present in Accounting-Request records only where the
         Acct-Status-Type is set to Stop or Interim-Update
       • IP subscriber manager—Statistics are reported
       • PPP—Statistics are counted according to the rules of the generic interface MIB
[53]   Acct-Output-Gigawords
       • Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course
         of delivering this service, and can be present in Accounting-Request records only where the
         Acct-Status-Type is set to Stop or Interim-Update
       • IP subscriber manager—Statistics are reported
       • PPP—Statistics are counted according to the rules of the generic interface MIB
[55]   Event-Timestamp
       Records the time that this event occurred on the NAS, in seconds, since January 1, 1970 00:00 UTC
[60]   CHAP-Challenge
       Contains the CHAP challenge sent by the NAS to a PPP CHAP user
[61]   NAS-Port-Type
       • Indicates the type of physical port the NAS is using to authenticate the user
       • See the radius dsl-port-type and the radius ethernet-port-type commands.
[62]   Port-Limit
       Specifies the maximum number of MLPPP member links allowed for the subscriber
[64]   Tunnel-Type
       • Which tunneling protocol to use (in the case of a tunnel initiator) or the tunneling protocol
         in use (in the case of a tunnel terminator)
       • Only L2TP tunnels supported at this time
[65]   Tunnel-Medium-Type
       • Transport medium to use when creating a tunnel for those protocols (such as L2TP) that can
         operate over multiple transports
       • Only IPv4 supported at this time
[66]   Tunnel-Client-Endpoint
       Address of the initiator end of the tunnel
[67]   Tunnel-Server-Endpoint
       Address of the server end of the tunnel
[68]   Acct-Tunnel-Connection
       • Indicates the identifier assigned to the tunnel session
       • Value is L2TP call-serial number
[69]   Tunnel-Password
       Password to be used to authenticate to a remote server
[77]   Connect-Info
       Sent from the NAS to indicate the nature of the user’s connection
[79]   EAP-Message
       Encapsulates EAP packets, which allows the NAS to authenticate users through EAP without having
       to understand the EAP protocol
[80]   Message-Authenticator
       Must be used in any Access-Request, Access-Accept, Access-Reject or Access-Challenge messages
       that include EAP-Message attributes
[82]   Tunnel-Assignment-Id
       Indicates to the tunnel initiator the particular tunnel to which a session is to be assigned
[83]   Tunnel-Preference
       • If more than one set of tunneling attributes is returned by the RADIUS server to the tunnel
         initiator, this attribute is included in each set to indicate the relative preference assigned
         to each tunnel.
       • Included in the Tunnel-Link-Start, the Tunnel-Link-Reject, and the Tunnel-Link-Stop packets
         (LAC only)
[85]   Acct-Interim-Interval
       Number of seconds between each interim accounting update for this session
[86]   Acct-Tunnel-Packets-Lost
       Number of packets lost on a given link
[87]   NAS-Port-Id
       • Text string that identifies the physical interface of the NAS that is authenticating the user
       • If the PPP user connects via ATM slot 12, port 2, subinterface 3, vpi 100, vci 101, then the
         NAS-Port-Id value in the RADIUS packets will be atm 12/2.3:100.101
       • If the user is a PPP user that started as a result of the E Series LNS feature (that is, no
         physical port), then the NAS-Port-Id value is as follows:
         media:local address:peer address:local tunnel id:peer tunnel id:local session id:peer session
         id:call serial number
         • For example: ip:172.81.1.98:172.81.1.99:18d:cb8:ce6:9f4:6
         • In this case, the local information refers to the LNS, and the peer information refers to
           the LAC
       NAS-Port-Id usually contains one of the following:
       • atm <slot>/<port><.subinterface>:<vpi>.<vci>
       • FastEthernet <slot>/<port><.subinterface> [:<vlan>]
       • GigabitEthernet <slot>/<port><.subinterface> [:<vlan>]
       • serial <slot>/<port> [:<sonetPath> [/<sonetTributary (x/x/x)> [/<fractionalInterface>] ] ]
       • from LNS—ip:local ip:peer ip:local tid:peer tid:local sid:peer sid:call serial number
         (tid—tunnel id, sid—session id)
       NOTE: Releases before 4.0.0 did not pass the subinterface number to RADIUS for inclusion in the
       NAS-Port-Id. If you do not want the subinterface number to be included, you must enter the aaa
       intf-desc-format include sub-intf disable command to omit the subinterface.
[88]   Framed-Pool
       Name of an assigned address pool that should be used to assign an address for the user
[90]   Tunnel-Client-Auth-Id
       Name used by the tunnel initiator during the authentication phase of tunnel establishment
[91]   Tunnel-Server-Auth-Id
       Name used by the tunnel terminator during the authentication phase of tunnel establishment
[96]   Framed-Interface-Id
       IPv6 interface identifier configured by the user
[97]   Framed-Ipv6-Prefix
       Provides the IPv6 prefix that is delegated to a downstream CPE
[99]   Framed-Ipv6-Route
       Provides routing information to be configured for the user on the NAS
[100]  Framed-Ipv6-Pool
       Name of the local address pool from which an IPv6 prefix is assigned to the requesting router
[101]  Error-Cause
       4-octet field that contains an integer that specifies the cause of the error
[123]  Delegated-Ipv6-Prefix
       IPv6 prefix to be delegated to clients using the DHCPv6 Prefix Delegation mechanism
[135]  Ascend-Primary-DNS
       • Indicates the IP address of the primary DNS
       • The format is 1 byte of type (135), 1 byte of length (length=6), 4 bytes of value (IPv4 address)
[136]  Ascend-Secondary-DNS
       • Indicates the IP address of the secondary DNS
       • The format is 1 byte of type (136), 1 byte of length (length=6), 4 bytes of value (IPv4 address)
[144]  DS-Lite-Tunnel-Name
       Specifies the fully qualified domain name (FQDN) of the Address Family Transition Router (AFTR)
       to which the DHCPv6 client can establish an IPv4-over-IPv6 tunnel (an IPv4-over-IPv6 tunnel is
       commonly referred to as a Softwire)
[188]  Ascend-Num-In-Multilink
       Current number of links in a multilink bundle
[242]  Ascend-Data-Filter
       RADIUS policy definitions used to configure a policy to classify packet flows and perform filter,
       forward, packet marking, rate-limit profile, and traffic class actions
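A parser for the Framed-Route [22] string format given in Table 58, as an added example written for this page (not code from the guide or from JunosE). The grammar is the one the table states; treating a bare <addr> with no /<maskLen> as a /32 host route is an assumption of this example, and the sample strings are constructed. Rejecting anything outside the grammar matters because a Framed-Route arriving in an Access-Accept becomes a route on the NAS.

```python
"""Parser for the Framed-Route [22] string format shown in Table 58. Added example; not JunosE code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FramedRoute:
    network: ipaddress.IPv4Network
    nexthop: ipaddress.IPv4Address
    cost: Optional[int] = None
    tag: Optional[int] = None
    distance: Optional[int] = None


def parse_framed_route(text):
    """Parse '<addr>[/<maskLen>] <nexthop> [<cost>] [tag <tagValue>] [distance <distValue>]'.
    Anything outside that grammar raises ValueError, so a malformed attribute in an Access-Accept is
    rejected rather than partially installed. Treating a bare <addr> as a /32 host route is an
    assumption of this example; the guide only gives the grammar."""
    tokens = text.split()
    if len(tokens) < 2:
        raise ValueError("Framed-Route needs at least <addr> and <nexthop>")
    addr, nexthop_text = tokens[0], tokens[1]
    if "/" not in addr:
        addr += "/32"
    try:
        # strict=True rejects a prefix whose host bits are set (for example 192.168.10.5/24)
        network = ipaddress.IPv4Network(addr, strict=True)
        nexthop = ipaddress.IPv4Address(nexthop_text)
    except ValueError as err:
        raise ValueError(f"bad address in Framed-Route: {err}") from err

    rest = tokens[2:]
    cost = tag = distance = None
    if rest and rest[0].isdigit():          # optional positional <cost> comes before the keyword pairs
        cost = int(rest.pop(0))
    while rest:
        keyword = rest.pop(0)
        if keyword not in ("tag", "distance") or not rest or not rest[0].isdigit():
            raise ValueError(f"unexpected token {keyword!r} in Framed-Route")
        value = int(rest.pop(0))
        if keyword == "tag":
            if tag is not None:
                raise ValueError("duplicate tag")
            tag = value
        else:
            if distance is not None:
                raise ValueError("duplicate distance")
            distance = value
    return FramedRoute(network, nexthop, cost, tag, distance)


if __name__ == "__main__":
    # Constructed sample values, one per shape the grammar allows.
    for sample in ("192.168.10.0/24 10.0.0.1 5 tag 100 distance 20",
                   "10.1.2.3 10.0.0.1",
                   "172.16.0.0/16 10.0.0.1 distance 30"):
        print(sample, "->", parse_framed_route(sample))
```

The parser returns a frozen dataclass so the parsed route can be compared or logged as a unit; a RADIUS reply carrying several Framed-Route attributes is handled by calling it once per attribute value.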
Related Documentation
• RADIUS IETF Attributes Supported for Subscriber AAA Access Messages on page 173
• RADIUS IETF Attributes Supported for Subscriber AAA Accounting Messages on page 183
• RADIUS IETF Attributes Supported for AAA Tunnel Accounting Messages on page 190
• CLI Commands Used to Configure RADIUS IETF Attributes on page 199
Juniper Networks VSAs
Table 59 on page 238 lists Juniper Networks VSA formats for RADIUS. JunosE Software
uses the vendor ID assigned to Juniper Networks (vendor ID 4874) by the Internet Assigned
Numbers Authority (IANA).
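The wire layout behind the Length and Subtype Length columns of Table 59, as an added example written for this page (not code from the guide or from JunosE): RADIUS attribute 26 carries the 4-octet vendor ID 4874 followed by one subtype, sub-length and value. The subset of subtypes in `VSA_TABLE` is taken from the table; the sample values are constructed. The decoder refuses another vendor's VSA and any length that does not add up, which is the check a receiver wants before acting on an attribute that selects a virtual router, a policy or a DNS server.

```python
"""Encoder/decoder for Juniper Networks VSAs in the layout of Table 59: RADIUS attribute 26 carrying the
IANA vendor ID 4874 followed by one subtype/sublength/value triple. Added example; not JunosE code."""
import ipaddress
import struct

VENDOR_SPECIFIC = 26
JUNIPER_VENDOR_ID = 4874        # 0x130A, the enterprise number the guide gives for attribute 26

# Subset of Table 59, keyed by subtype, used for the example: name and value kind.
VSA_TABLE = {
    1: ("Virtual-Router", "string"),
    2: ("Local-Address-Pool", "string"),
    4: ("Primary-DNS", "ipaddr"),
    5: ("Secondary-DNS", "ipaddr"),
    12: ("Ingress-Statistics", "integer"),
    13: ("Egress-Statistics", "integer"),
    26: ("QoS-Profile-Name", "string"),
}


def encode_vsa(subtype, value):
    """Build Type(26) Length VendorId(4) Subtype Sublen Payload. A 4-octet payload yields Length 12 and
    Subtype Length 6, the fixed sizes Table 59 lists for the integer and address VSAs."""
    name, kind = VSA_TABLE[subtype]
    if kind == "string":
        payload = value.encode()
    elif kind == "ipaddr":
        payload = ipaddress.IPv4Address(value).packed
    else:
        payload = struct.pack("!I", value)
    sub = bytes([subtype, len(payload) + 2]) + payload
    if 6 + len(sub) > 255:
        raise ValueError(f"{name} value too long for one attribute")
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", JUNIPER_VENDOR_ID) + sub


def decode_vsa(data):
    """Decode one attribute-26 TLV into (name, value). Rejects other vendors' VSAs and inconsistent
    lengths instead of guessing, which is the behaviour a receiver wants for attributes that set
    policy names, DNS servers or virtual-router context."""
    if len(data) < 8 or data[0] != VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor = struct.unpack("!I", data[2:6])[0]
    if vendor != JUNIPER_VENDOR_ID:
        raise ValueError(f"vendor {vendor} is not Juniper Networks (4874)")
    subtype, sublen = data[6], data[7]
    if sublen < 2 or 6 + sublen != len(data):      # exactly one sub-attribute, filling the attribute
        raise ValueError("subtype length does not fit the attribute")
    payload = data[8:]
    name, kind = VSA_TABLE.get(subtype, (f"Unknown-{subtype}", "raw"))
    if kind == "string":
        return name, payload.decode("utf-8", "replace")
    if kind in ("ipaddr", "integer") and len(payload) != 4:
        raise ValueError(f"{name} must carry exactly 4 octets")
    if kind == "ipaddr":
        return name, str(ipaddress.IPv4Address(payload))
    if kind == "integer":
        return name, struct.unpack("!I", payload)[0]
    return name, payload


if __name__ == "__main__":
    # Constructed samples: a Virtual-Router name and a Primary-DNS address.
    for vsa in (encode_vsa(1, "default"), encode_vsa(4, "10.1.1.1")):
        print(vsa.hex(), "->", decode_vsa(vsa))
```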
Table 59: Juniper Networks (Vendor ID 4874) VSA Formats
Attribute
Number
Attribute Name
Description
Length
Subtype
Length
[26-1]
Virtual-Router
•
Virtual router name for the Broadband
Remote Access Server (B-RAS) user’s
IP interface.
len
sublen
string:
virtual-router-name
•
Allowed only from RADIUS server in
default virtual router context.
•
For restricted users, specifies the only
virtual router that the user can access.
•
For nonrestricted users, specifies the
initial virtual router that the user
accesses.
•
For tunneled connections, specifies the
tunnel source parameter where the
source address for the tunneled
connection is resolved.
•
See the enable command in the
Passwords and Security chapter in JunosE
System Basics Configuration Guide.
•
Name of an assigned address pool that
should be used to assign an address for
the user
len
sublen
string:
address-pool-name
•
Same as RADIUS attribute 88,
Framed-Pool
len
sublen
string: local-interface
12
6
integer: 4-byte
primary-dns-address
12
6
integer: 4-byte
secondary-dns-address
[26-2]
[26-3]
Local-Address-Pool
Local-Interface
Interface to apply to the E Series side of the
connection
Value
The interface value can be one of the
following:
[26-4]
[26-5]
238
Primary-DNS
Secondary-DNS
•
The IP address (with subnet mask)
•
The loopback interface
•
B-RAS user’s DNS address negotiated
during IPCP
•
4-octet IP address
•
B-RAS user’s DNS address negotiated
during IPCP
•
4-octet IP address
Copyright © 2012, Juniper Networks, Inc.
Chapter 7: RADIUS Attribute Descriptions
Table 59: Juniper Networks (Vendor ID 4874) VSA Formats (continued)
Attribute Number | Attribute Name | Description | Length | Subtype Length | Value
[26-6] | Primary-WINS (NBNS) | B-RAS user’s WINS (NBNS) address negotiated during IPCP; 4-octet IP address | 12 | 6 | integer: 4-byte primary-wins-address
[26-7] | Secondary-WINS (NBNS) | B-RAS user’s WINS (NBNS) address negotiated during IPCP; 4-octet IP address | 12 | 6 | integer: 4-byte secondary-wins-address
[26-8] | Tunnel-Virtual-Router | For tunneled connections, specifies the virtual router associated with the tunnel connection | len | sublen | string: tunnel-virtual-router
[26-9] | Tunnel-Password | Tunnel password in cleartext | len | sublen | string: tunnel-password
[26-10] | Ingress-Policy-Name | IPv4 input policy name to apply to B-RAS user’s interface | len | sublen | string: input-policy-name
[26-11] | Egress-Policy-Name | IPv4 output policy name to apply to B-RAS user’s interface | len | sublen | string: output-policy-name
[26-12] | Ingress-Statistics | Enable or disable input statistics on B-RAS user’s interface | 12 | 6 | integer: 0 = disable, 1 = enable
[26-13] | Egress-Statistics | Enable or disable output statistics on B-RAS user’s interface | 12 | 6 | integer: 0 = disable, 1 = enable
[26-14] | Service-Category | ATM service category to apply to B-RAS user’s interface | 12 | 6 | integer: 1 = UBR, 2 = UBR PCR, 3 = NRT VBR, 4 = CBR, 5 = RT VBR
[26-15] | PCR | Peak cell rate; 4-octet integer | 12 | 6 | integer: 4-octet
[26-16] | SCR | Sustained cell rate; 4-octet integer | 12 | 6 | integer: 4-octet
[26-17] | Mbs | Maximum burst rate; 4-octet integer | 12 | 6 | integer: 4-octet
[26-18] | Init-CLI-Access-Level | Specifies the initial level of access to CLI commands; see the enable command in the Passwords and Security chapter in JunosE System Basics Configuration Guide | len | sublen | single attribute: enter 0, 1, 5, 10, or 15
JunosE 13.3.x Broadband Access Configuration Guide
[26-19] | Allow-All-VR-Access | Specifies user access to all virtual routers; see the enable command in the Passwords and Security chapter in JunosE System Basics Configuration Guide | len | sublen | integer: 0 = disable, 1 = enable
[26-20] | Alt-CLI-Access-Level | Specifies other levels of access to CLI commands; see the enable command in the Passwords and Security chapter in JunosE System Basics Configuration Guide | len | sublen | single attribute; enter 0, 1, 5, 10, or 15
[26-21] | Alt-CLI-Vrouter-Name | For restricted users, specifies other VRs that the user may access; see the enable command in the Passwords and Security chapter in JunosE System Basics Configuration Guide | len | sublen | string: virtual-router-name
[26-22] | Sa-Validate | Enable or disable source address validation on a user’s interface; 4-octet integer | len | sublen | integer: 0 = disable, 1 = enable
[26-23] | Igmp-Enable | Enable or disable IGMP on a user’s interface; allows the end user to register for the reception of multicast services; 4-octet integer | len | sublen | integer: 0 = disable, 1 = enable
[26-24] | Pppoe-Description | The string pppoe <mac addr> sent to the RADIUS server supplied by PPPoE | len | sublen | string: pppoe <mac addr>
[26-25] | Redirect-Vrouter-Name | Virtual router name indicating the VR context in which to authenticate the user; behavior is similar to that of a remote domain-map lookup | len | sublen | authentication redirection
[26-26] | QoS-Profile-Name | Name of the QoS profile to attach to the user’s interface | len | sublen | string: qos-profile-name
[26-28] | PppoE-Url | PPPoE URL that is passed to PPPoE subscribers | len | sublen | string: URL
[26-30] | Tunnel-Nas-Port-Method | Conveys nasPort and nasPort type in tunnel | 12 | 6 | 4-octet integer: 0 = none, 1 = Cisco CLID
[26-31] | Service-Bundle | Specifies the SRC service bundle | len | sublen | string
[26-33] | Tunnel-Max-Sessions | Maximum number of sessions allowed in a tunnel | 12 | 6 | integer: 4-octet
[26-34] | Framed-Ip-Route-Tag | Route tag to apply to returned framed-ip-address | 12 | 6 | integer: 4-octet
[26-35] | Tunnel-Dialout-Number | Dial number in L2TP dial-out | len | sublen | string: dial-out-number
[26-36] | PPP-Username | Username used in PPP L2TP dial-out sessions at the LNS for L2TP dial-out | len | sublen | string: ppp-username
[26-37] | PPP-Password | Password used in PPP L2TP dial-out sessions at the LNS for L2TP dial-out | len | sublen | string: ppp-password
[26-38] | PPP-Protocol | PPP authentication protocol used for L2TP dial-out sessions at the LNS | 12 | 6 | integer: 0 = none; 1 = PAP; 2 = CHAP; 3 = PAP-CHAP; 4 = CHAP-PAP
[26-39] | Tunnel-Min-Bps | Minimum line speed for L2TP dial-out | 12 | 6 | integer
[26-40] | Tunnel-Max-Bps | Maximum line speed for L2TP dial-out | 12 | 6 | integer
[26-41] | Tunnel-Bearer-Type | Bearer capability required for L2TP dial-out | 12 | 6 | integer: 0 = none; 1 = analog; 2 = digital
[26-42] | Input-GigaPkts | Number of times input-packets attribute rolls over its 4-octet field | 12 | 6 | integer
[26-43] | Output-GigaPkts | Number of times output-packets attribute rolls over its 4-octet field | 12 | 6 | integer
[26-44] | Tunnel-Interface-Id | Tunnel interface selector that AAA caches as part of the tunnel-session profile and the user’s profile. This attribute is available to the RADIUS authentication and accounting servers. | len | sublen | string: tunnel selector
[26-45] | Ipv6-Virtual-Router | Virtual router name for B-RAS user’s IPv6 interface | len | sublen | string: virtual-router-name
[26-46] | Ipv6-Local-Interface | Local IPv6 interface to apply to the E Series side of the connection | len | sublen | string: ipv6-local-interface
[26-47] | Ipv6-Primary-DNS | B-RAS user’s primary IPv6 DNS address negotiated by DHCP | len | sublen | hexadecimal string: ipv6-primary-dns-address
[26-48] | Ipv6-Secondary-DNS | B-RAS user’s secondary IPv6 DNS address negotiated by DHCP | len | sublen | hexadecimal string: ipv6-secondary-dns-address
[26-51] | Disconnect-Cause | L2TP PPP disconnect cause information received by the LAC | len | sublen | string: l2tp-ppp-disconnect-cause
[26-52] | Radius-Client-Address | RADIUS relay server’s IP address | 12 | 6 | integer: 4-octet
[26-53] | Service-Description | AAA profile service description string | len | sublen | string: profile-service-description
[26-54] | L2tp-Recv-Window-Size | L2TP receive window size (RWS) for a tunnel on the LAC; number of packets that the peer can transmit without receiving an acknowledgment from the router; 4-octet integer | 12 | 6 | integer: 4-octet
[26-55] | DHCP-Options | Client’s DHCP options | len | sublen | string: dhcp-options
[26-56] | DHCP-MAC-Address | Client’s MAC address | len | sublen | string: mac-address
[26-57] | DHCP-GI-Address | DHCP relay agent’s IP address | 12 | 6 | integer: 4-octet
[26-58] | LI-Action | Packet mirroring action | len | sublen | Salt encrypted integer: 0 = stop monitoring; 1 = start monitoring; 2 = no action
[26-59] | Med-Dev-Handle | Hexadecimal string used to determine mirror header attributes, prepended to each mirrored packet that is sent to the analyzer device | len | sublen | Salt encrypted string; hexadecimal string of 4 bytes or 8 bytes
[26-60] | Med-Ip-Address | IP address of analyzer device to which mirrored packets are forwarded | len | sublen | Salt encrypted IP address
[26-61] | Med-Port-Number | UDP port in the analyzer device to which mirrored packets are forwarded | len | sublen | Salt encrypted integer
[26-62] | MLPPP-Bundle-Name | Text string that identifies the Multilink PPP bundle name | len | sublen | string: mlppp-bundle-name
[26-63] | Interface-Desc | Text string that identifies the subscriber’s access interface | len | sublen | string: interface-description
[26-64] | Tunnel-Group | Name of the tunnel group assigned to a domain map | len | sublen | string: tunnel-group-name
[26-65] | Activate-Service | Service to activate for the subscriber | len | sublen | string: service-name
[26-66] | Deactivate-Service | Service to deactivate for the subscriber | len | sublen | string: service-name
[26-67] | Service-Volume-tagX | Amount of traffic, in MB, that can use the service; service is deactivated when the volume is exceeded | 12 | 6 | integer: volume in MB; 0 = infinite volume
[26-68] | Service-Timeout-tagX | Number of seconds that the service can be active; service is deactivated when the timeout expires | 12 | 6 | integer: time in seconds; 0 = no timeout
[26-69] | Service-Statistics-tagX | Enable or disable statistics for the service | 12 | 6 | integer: 0 = disable; 1 = enable time statistics; 2 = enable time and volume statistics
[26-70] | Ignore-DF-Bit | Enable or disable the ignore don’t fragment (DF) bit feature on a B-RAS user’s interface | 12 | 6 | integer: 0 = disable; 1 = enable
[26-71] | IGMP-Access-Name | Access list to use for the group (G) filter | len | sublen | string: 32-octet
[26-72] | IGMP-Access-Src-Name | Access list to use for the source-group (S,G) filter | len | sublen | string: 32-octet
[26-73] | IGMP-OIF-Map-Name | Multicast OIF (outgoing interface) mapping | len | sublen | string: 32-octet
[26-74] | MLD-Access-Name | Access list to use for the group (G) filter | len | sublen | string: 32-octet
[26-75] | MLD-Access-Src-Name | Access list to use for the source-group (S,G) filter | len | sublen | string: 32-octet
[26-76] | MLD-OIF-Map-Name | Multicast OIF (outgoing interface) mapping | len | sublen | string: 32-octet
[26-77] | MLD-Version | MLD protocol version (MLD Version 1 = 1; MLD Version 2 = 2) | 12 | 6 | integer: 1-octet
[26-78] | IGMP-Version | IGMP protocol version (IGMP Version 1 = 1; IGMP Version 2 = 2; IGMP Version 3 = 3) | 12 | 6 | integer: 1-octet
[26-79] | IP-Mcast-Adm-Bw-Limit | The maximum multicast bandwidth that will be admitted on an IP interface, in Kbps | 12 | 6 | integer: 4-octet
[26-80] | IPv6-Mcast-Adm-Bw-Limit | The maximum multicast bandwidth that will be admitted on an IPv6 interface, in Kbps | 12 | 6 | integer: 4-octet
[26-81] | L2c-Information | Series of type length value (tlv) fields (binary) representing the access loop parameters as defined in GSMP extensions for layer2 control (L2C) Topology Discovery and Line Configuration, draft-wadhwa-gsmpl2control-configuration-00.txt (July 2006 expiration) | len | sublen | string: format is a series of type length value (tlv) fields (binary) representing the access loop parameters
[26-82] | Qos-Parameters | Name of the QoS parameter instance to create on the user’s interface, followed by the value of the parameter. For example, the max-bandwidth 4000000 parameter instance represents the parameter name that was defined using the qos-parameter-define command (max-bandwidth) and the value to assign to the parameter (4000000). Multiple instances of this VSA can be returned from RADIUS using this format. | len | sublen | string: format is parameter-name parameter-value, where parameter-name is the ASCII name of a parameter found in the QoS parameter definition and parameter-value is the ASCII representation of 0–21474836470; multiple instances of this VSA can be returned from RADIUS using this format
[26-83] | Service-Session | Name of the service (including parameter values) that is associated with service manager statistics | len | sublen | string: service-name
[26-84] | Mobile-IP-Algorithm | Authentication algorithm used for Mobile IP registration | 12 | 6 | integer: 4-octet
[26-85] | Mobile-IP-SPI | Security parameter index for Mobile IP registration | 12 | 6 | integer: 4-octet
[26-86] | Mobile-IP-Key | Security association MD-5 key for Mobile IP registration | len | sublen | string: 32-octet
[26-87] | Mobile-IP-Replay | Replay time stamp for Mobile IP registration | 12 | 6 | integer: 4-octet
[26-88] | Mobile-IP-Access-Control-List | Access control list to filter on basis of care-of address | len | sublen | string: 32-octet
[26-89] | Mobile-IP-Lifetime | Registration lifetime for Mobile IP registration | 12 | 6 | integer: 4-octet
[26-90] | L2TP-Resynch-Method | L2TP peer resynchronization method | 12 | 6 | integer: 0 = disabled; 1 = failover protocol; 2 = silent failover; 3 = failover protocol with silent failover as backup
[26-91] | Tunnel-Switch-Profile | Name of the L2TP tunnel switch profile; the L2TP tunnel switch profile defines the L2TP tunnel switching behavior for the interfaces to which this profile is assigned | len | sublen | string: tunnel-switch-profile
[26-92] | L2C-Up-Stream-Data | Actual upstream rate access loop parameter (ASCII encoded) as defined in GSMP extensions for layer2 control (L2C) Topology Discovery and Line Configuration, draft-wadhwa-gsmpl2control-configuration-00.txt (July 2006 expiration) | len | sublen | string: actual upstream rate access loop parameter (ASCII encoded)
[26-93] | L2C-Down-Stream-Data | Actual downstream rate access loop parameter (ASCII encoded) as defined in GSMP extensions for layer2 control (L2C) Topology Discovery and Line Configuration, draft-wadhwa-gsmpl2control-configuration-00.txt (July 2006 expiration) | len | sublen | string: actual downstream rate access loop parameter (ASCII encoded)
[26-94] | Tunnel-Tx-Speed-Method | The method that the router uses to calculate the transmit connect speed of the subscriber’s access interface. This speed is reported in L2TP Transmit (TX) Speed AVP 24. During the establishment of an L2TP tunnel session, the LAC sends AVP 24 to the LNS to convey the transmit speed of the subscriber’s access interface. | 12 | 6 | integer: 1 = static-layer2, TX speed based on static layer 2 settings; 2 = dynamic-layer2, TX speed based on dynamic layer 2 settings; 3 = qos, TX speed based on QoS settings; 4 = actual, TX speed that is the lesser of the dynamic-layer2 value or the qos value
[26-95] | IGMP-Query-Interval | IGMP query interval | 12 | 6 | integer: 4-octet
[26-96] | IGMP-Max-Resp-Time | IGMP maximum response time | 12 | 6 | integer: 4-octet
[26-97] | IGMP-Immediate-Leave | IGMP immediate leave | 12 | 6 | 4-octet integer: 0 = disabled; 1 = enabled
[26-98] | MLD-Query-Interval | MLD query interval | 12 | 6 | integer: 4-octet
[26-99] | MLD-Max-Resp-Time | MLD maximum response time | 12 | 6 | integer: 4-octet
[26-100] | MLD-Immediate-Leave | MLD immediate leave | 12 | 6 | integer: 4-octet; 0 = disabled; 1 = enabled
[26-101] | IP-Block-Multicast | Block all multicast traffic with a scope larger than link-local (for example, global) and prevent mroute creation under these conditions. This attribute does not affect reception of link-local multicast packets. | 12 | 6 | integer: 4-octet; 0 = disabled; 1 = enabled
[26-102] | IGMP-Explicit-Tracking | Enable or disable explicit host tracking for IPv4 IGMP interfaces. This option enables the router to explicitly track each individual host that is joined to a group or channel on a particular multi-access network. | 12 | 6 | integer: 4-octet; 0 = disabled; 1 = enabled
[26-103] | IGMP-No-Tracking-V2-Grps | Disable IGMP explicit host tracking for groups that contain IGMP V2 hosts. This attribute is valid only if IGMP V3 is enabled on the interface. | 12 | 6 | integer: 4-octet; 0 = disabled; 1 = enabled
[26-104] | MLD-Explicit-Tracking | Enable or disable explicit host tracking for IPv6 MLD interfaces. This option enables the router to explicitly track each individual host that is joined to a group or channel on a particular multi-access network. | 12 | 6 | integer: 4-octet; 0 = disabled; 1 = enabled
[26-105] | MLD-No-Tracking-V1-Grps | Disable MLD explicit host tracking for groups that contain MLD V1 hosts. This attribute is valid only if MLD V2 is enabled on the interface. | 12 | 6 | integer: 4-octet; 0 = disabled; 1 = enabled
[26-106] | Ipv6-Ingress-Policy-Name | IPv6 ingress policy that is applied to the subscriber interface | len | sublen | string: Ipv6-Ingress-Policy-Name
[26-107] | Ipv6-Egress-Policy-Name | IPv6 egress policy that is applied to the subscriber interface | len | sublen | string: Ipv6-Egress-Policy-Name
[26-110] | Acc-Loop-Cir-Id | Identification of the subscriber node connection to the access node | len | sublen | string: up to 63 ASCII characters
[26-111] | Acc-Aggr-Cir-Id-Bin | Unique identification of the DSL line | len | sublen | integer: 8-octet
[26-112] | Acc-Aggr-Cir-Id-Asc | Identification of the uplink on the access node. For example: for Ethernet access aggregation, ethernet slot/port [:inner-vlan-id] [:outer-vlan-id]; for ATM aggregation, atm slot/port:vpi.vci | len | sublen | string: up to 63 ASCII characters
[26-113] | Act-Data-Rate-Up | Actual upstream data rate of the subscriber’s synchronized DSL link | 12 | 6 | integer: 4-octet
[26-114] | Act-Data-Rate-Dn | Actual downstream data rate of the subscriber’s synchronized DSL link | 12 | 6 | integer: 4-octet
[26-115] | Min-Data-Rate-Up | Minimum upstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet
[26-116] | Min-Data-Rate-Dn | Minimum downstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet
[26-117] | Att-Data-Rate-Up | Upstream data rate that the subscriber can attain | 12 | 6 | integer: 4-octet
[26-118] | Att-Data-Rate-Dn | Downstream data rate that the subscriber can attain | 12 | 6 | integer: 4-octet
[26-119] | Max-Data-Rate-Up | Maximum upstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet
[26-120] | Max-Data-Rate-Dn | Maximum downstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet
[26-121] | Min-LP-Data-Rate-Up | Minimum upstream data rate in low power state configured for the subscriber | 12 | 6 | integer: 4-octet
[26-122] | Min-LP-Data-Rate-Dn | Minimum downstream data rate in low power state configured for the subscriber | 12 | 6 | integer: 4-octet
[26-123] | Max-Interlv-Delay-Up | Maximum one-way upstream interleaving delay configured for the subscriber | 12 | 6 | integer: 4-octet
[26-124] | Act-Interlv-Delay-Up | Subscriber’s actual one-way upstream interleaving delay | 12 | 6 | integer: 4-octet
[26-125] | Max-Interlv-Delay-Dn | Maximum one-way downstream interleaving delay configured for the subscriber | 12 | 6 | integer: 4-octet
[26-126] | Act-Interlv-Delay-Dn | Subscriber’s actual one-way downstream interleaving delay | 12 | 6 | integer: 4-octet
[26-127] | DSL-Line-State | State of the DSL line | 12 | 6 | 4-octet integer: 1 = Show uptime; 2 = Idle; 3 = Silent
[26-128] | DSL-Type | Encapsulation used by the subscriber associated with the DSLAM interface from which requests are initiated | 11 | 5 | string: 3-byte
[26-129] | Ipv6-NdRa-Prefix | Prefix value in IPv6 Neighbor Discovery route advertisements | len | sublen | hexadecimal string
[26-130] | QoS-Interfaceset-Name | Name of the QoS interface set to attach to the subscriber interface | len | sublen | string: qos-interfaceset-name
[26-140] | Service-Interim-Acct-Interval | Amount of time between interim accounting updates for this service | 12 | 6 | integer: time in the range 600–86400 seconds; 0 = disabled
[26-141] | Downstream-Calculated-Qos-Rate | Calculated downstream QoS rate in Kbps as set by the ANCP configuration | 12 | 6 | integer: 4-octet
[26-142] | Upstream-Calculated-Qos-Rate | Calculated downstream QoS rate in Kbps as set by the ANCP configuration | 12 | 6 | integer: 4-octet
[26-143] | Max-Clients-Per-Interface | Maximum number of PPPoE client sessions supported per interface. For DHCP clients, this value is the maximum number of PPPoE sessions per logical interface. For PPPoE, this value is the maximum number of PPPoE subinterfaces per a PPPoE major interface. See JunosE Release Notes, Appendix A, System Maximums corresponding to your software release for information about the maximum number of PPPoE subinterfaces supported for each line module. | 12 | 6 | integer: 4-octet
[26-144] | PPP-Monitor-Ingress-Only | Enable or disable monitoring of only ingress traffic to determine inactivity of a PPP session and subsequent disconnection of an inactive session. If this option is disabled or not configured, the router monitors both ingress traffic and egress traffic to determine session inactivity. | 12 | 6 | integer: 0 = disable, 1 = enable
[26-147] | Backup-Address-Pool | Name of the backup local address pool that can be used to assign addresses to users being authenticated by a RADIUS server, when the existing addresses in the primary local address pool are fully exhausted. The authentication server overrides the backup local address pool name configured using this attribute with the backup local address pool name received in the RADIUS-Access-Accept message. | len | sublen | string: backup-address-pool-name
[26-150] | ICR-Partition-Id | Used in all the RADIUS authentication and accounting (Acct-Start, Acct-Stop, and Interim-Acct messages for both user and service accounting) messages corresponding to a subscriber to determine the partition in which the subscriber has logged in | len | sublen | string: icr-partition-id
[26-151] | Ipv6-Acct-Input-Octets | Number of IPv6 octets that have been received from the port during the time this service has been provided | 12 | 6 | 4-octet integer
[26-152] | Ipv6-Acct-Output-Octets | Number of IPv6 octets that have been sent to the port during the time this service has been provided | 12 | 6 | 4-octet integer
[26-153] | Ipv6-Acct-Input-Packets | Number of IPv6 packets that have been received from the port during the time this service has been provided to a framed user | 12 | 6 | 4-octet integer
[26-154] | Ipv6-Acct-Output-Packets | Number of IPv6 packets that have been sent to the port in the course of delivering this service to a framed user | 12 | 6 | 4-octet integer
[26-155] | Ipv6-Acct-Input-Gigawords | Number of times that the Ipv6-Acct-Input-Octets counter has wrapped around 2^32 during the time this service has been provided; can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update | 12 | 6 | 4-octet integer
[26-156] | Ipv6-Acct-Output-Gigawords | Number of times that the Ipv6-Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service; can be present in Accounting-Request records only where the Acct-Status-Type is set to Stop or Interim-Update | 12 | 6 | 4-octet integer
[26-157] | Ipv6-Ndra-Pool | Used in RADIUS Access-Accept message to inform the E Series router to allocate IPv6 Neighbor Discovery router advertisement prefix from this pool for the subscriber. If the CLI knob aaa dhcpv6-ndra-pool override is disabled, JunosE interprets this attribute as the Neighbor Discovery router advertisement local address pool name. | len | sublen | string: 16 alphanumeric characters
[26-161] | Delegated-Ipv6-Pool | Used in RADIUS Access-Accept message to inform the E Series router to allocate IPv6 Neighbor Discovery router advertisement prefix from this pool for the subscriber. If the CLI knob aaa dhcpv6-ndra-pool override is enabled, JunosE interprets this attribute as the DHCPv6 PD pool name. | len | sublen | string: 16 alphanumeric characters
[26-164] | Ipv4-release-control | Causes the PPP application to notify the RADIUS server regarding IPv4 addresses released by a subscriber in a dual-stack network, when an IPCP negotiation for IPv4 sessions is terminated or if the IPv4 session becomes inactive. This attribute is added to RADIUS messages only if the subscriber session is of a dual-stack type and if the IPv4 address is allocated from the RADIUS server and not from local address pools. | len | sublen | string: 32 alphanumeric characters
[26-165] | PCP-Server-Name | Specifies the PCP server name to which DHCP clients send PCP requests. A PCP client must know the fully qualified domain name (FQDN) of a PCP server before it can communicate with the latter in order to perform the relevant PCP functions. | len | sublen | string: 245 octets (alphanumeric characters, dashes, periods)
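As an added example (not code from this guide or from Juniper), the following Python builds and parses Juniper Networks (Vendor ID 4874) VSAs in the wire layout Table 59 describes: Length 12 with Subtype Length 6 for 4-octet integers, len/sublen for strings, and a 64-bit IPv6 byte count reassembled from [26-151] together with its [26-155] wrap counter. The attribute subset, the sample values and the function names are constructed for this example; the parser rejects attributes whose lengths disagree with the table so that a malformed or truncated VSA is detected rather than silently accepted.

```python
"""Encode/decode Juniper Networks (Vendor ID 4874) RADIUS VSAs.

Wire layout of one Vendor-Specific attribute (RFC 2865 section 5.26):
  Type=26 (1) | Length (1) | Vendor-Id (4) | Vendor-Type (1) | Vendor-Length (1) | value
Table 59 gives Length 12 / Subtype Length 6 for 4-octet integers and
len/sublen for strings; a RADIUS attribute is at most 255 octets, so the
vendor value may be at most 255 - 8 = 247 octets.
"""
import struct

JUNIPER_VENDOR_ID = 4874        # 0x130A

# Constructed subset of Table 59 for this example: subtype -> (name, kind)
JUNIPER_VSA = {
    12: ("Ingress-Statistics", "integer"),
    26: ("QoS-Profile-Name", "string"),
    33: ("Tunnel-Max-Sessions", "integer"),
    151: ("Ipv6-Acct-Input-Octets", "integer"),
    155: ("Ipv6-Acct-Input-Gigawords", "integer"),
}
NAME_TO_SUBTYPE = {name: st for st, (name, _) in JUNIPER_VSA.items()}


def encode_vsa(name, value):
    """Return the bytes of one Juniper VSA carrying `value` for attribute `name`."""
    subtype = NAME_TO_SUBTYPE[name]
    kind = JUNIPER_VSA[subtype][1]
    if kind == "integer":
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("%s takes a 4-octet integer" % name)
        payload = struct.pack("!I", value)
    else:
        payload = value.encode("ascii")
        if not 1 <= len(payload) <= 247:
            raise ValueError("%s string length out of range" % name)
    sublen = 2 + len(payload)          # Vendor-Type + Vendor-Length + value
    length = 6 + sublen                # Type + Length + Vendor-Id + sub-attribute
    return struct.pack("!BBIBB", 26, length, JUNIPER_VENDOR_ID, subtype, sublen) + payload


def decode_vsa(data):
    """Parse exactly one Juniper VSA; raise ValueError on any mismatch with Table 59."""
    if len(data) < 8:
        raise ValueError("VSA shorter than its fixed 8-octet header")
    attr_type, length, vendor_id, subtype, sublen = struct.unpack("!BBIBB", data[:8])
    if attr_type != 26:
        raise ValueError("not a Vendor-Specific attribute (type %d)" % attr_type)
    if length != len(data) or sublen != length - 6:
        raise ValueError("Length/Subtype Length inconsistent with the data")
    if vendor_id != JUNIPER_VENDOR_ID:
        raise ValueError("unexpected vendor ID %d" % vendor_id)
    if subtype not in JUNIPER_VSA:
        raise ValueError("unknown Juniper subtype %d" % subtype)
    name, kind = JUNIPER_VSA[subtype]
    payload = data[8:]
    if kind == "integer":
        if sublen != 6:                # Table 59: Length 12, Subtype Length 6
            raise ValueError("%s must carry a 4-octet integer" % name)
        return name, struct.unpack("!I", payload)[0]
    return name, payload.decode("ascii")


def decode_vsa_list(data):
    """Walk a buffer of concatenated type-26 attributes and decode each one."""
    out = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute header")
        length = data[1]
        if length < 8 or length > len(data):
            raise ValueError("attribute length %d runs past the buffer" % length)
        out.append(decode_vsa(data[:length]))
        data = data[length:]
    return out


def ipv6_input_octets(attrs):
    """Combine [26-151] with its [26-155] wrap count into one 64-bit byte total."""
    values = dict(attrs)
    return (values.get("Ipv6-Acct-Input-Gigawords", 0) << 32) | \
        values.get("Ipv6-Acct-Input-Octets", 0)


if __name__ == "__main__":
    # Constructed accounting fragment: 2 wraps of the 32-bit counter plus 5 octets
    blob = encode_vsa("Ipv6-Acct-Input-Octets", 5) + \
        encode_vsa("Ipv6-Acct-Input-Gigawords", 2)
    decoded = decode_vsa_list(blob)
    print(decoded, ipv6_input_octets(decoded))
```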
Related Documentation
• Juniper Networks VSAs Supported for Subscriber AAA Access Messages on page 176
• Juniper Networks VSAs Supported for Subscriber AAA Accounting Messages on page 186
• CLI Commands Used to Configure Juniper Networks VSAs on page 203
• CLI Commands Used to Include ANCP-Related Juniper Networks VSAs in Access and Accounting Messages on page 205
DSL Forum VSAs
Table 60 on page 251 describes the DSL Forum VSAs supported by JunosE Software for RADIUS. JunosE Software uses the vendor ID assigned to the DSL Forum (3561, or DE9 in hexadecimal format) by the Internet Assigned Numbers Authority (IANA).
Table 60: JunosE Software DSL Forum (Vendor ID 3561) VSA Formats
Attribute Number | Attribute Name | Description | Length | Subtype Length | Value
[26-1] | Agent-Circuit-Id | Identifier for the subscriber agent circuit ID that corresponds to the DSLAM interface from which subscriber requests are initiated | len | sublen | string: agent-circuit-id
[26-2] | Agent-Remote-Id | Unique identifier for the subscriber associated with the DSLAM interface from which requests are initiated | len | sublen | string: agent-remote-id
[26-129] | Actual-Data-Rate-Upstream | Actual upstream data rate of the subscriber’s synchronized DSL link | 12 | 6 | integer: 4-octet
[26-130] | Actual-Data-Rate-Downstream | Actual downstream data rate of the subscriber’s synchronized DSL link | 12 | 6 | integer: 4-octet
[26-131] | Minimum-Data-Rate-Upstream | Minimum upstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet
[26-132] | Minimum-Data-Rate-Downstream | Minimum downstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet
[26-133] | Attainable-Data-Rate-Upstream | Upstream data rate that the subscriber can attain | 12 | 6 | integer: 4-octet
[26-134] | Attainable-Data-Rate-Downstream | Downstream data rate that the subscriber can attain | 12 | 6 | integer: 4-octet
[26-135] | Maximum-Data-Rate-Upstream | Maximum upstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet
[26-136] | Maximum-Data-Rate-Downstream | Maximum downstream data rate configured for the subscriber | 12 | 6 | integer: 4-octet
[26-137] | Minimum-Data-Rate-Upstream-Low-Power | Minimum upstream data rate in low power state configured for the subscriber | 12 | 6 | integer: 4-octet
[26-138] | Minimum-Data-Rate-Downstream-Low-Power | Minimum downstream data rate in low power state configured for the subscriber | 12 | 6 | integer: 4-octet
[26-139] | Maximum-Interleaving-Delay-Upstream | Maximum one-way upstream interleaving delay configured for the subscriber | 12 | 6 | integer: 4-octet
[26-140] | Actual-Interleaving-Delay-Upstream | Subscriber’s actual one-way upstream interleaving delay | 12 | 6 | integer: 4-octet
[26-141] | Maximum-Interleaving-Delay-Downstream | Maximum one-way downstream interleaving delay configured for the subscriber | 12 | 6 | integer: 4-octet
[26-142] | Actual-Interleaving-Delay-Downstream | Subscriber’s actual one-way downstream interleaving delay | 12 | 6 | integer: 4-octet
[26-144] | Access-Loop-Encapsulation | Encapsulation used by the subscriber associated with the DSLAM interface from which requests are initiated | 11 | 5 | string: 3-byte
[26-254] | IWF-Session | Indication that the interworking function (IWF) has been performed for the subscriber’s session to enable the transport of PPP over ATM traffic on a PPPoE interface | 8 | 2 | No data field required
Related Documentation
• DSL Forum VSAs Supported for AAA Access and Accounting Messages on page 196
• DSL Forum VSAs in AAA Access and Accounting Messages Overview on page 196
• CLI Commands Used to Include DSL Forum VSAs in Access and Accounting Messages on page 207
Pass Through RADIUS Attributes
Table 61 on page 252 describes the RADIUS attribute that is not processed by JunosE Software. The router simply passes this attribute to its destination.
Table 61: RADIUS Attribute Passed Through by JunosE Software
Standard Number | Attribute Name | Description
[79] | EAP-Message | Used by RADIUS relay servers; passed through to the RADIUS server
Related Documentation
• RADIUS IETF Attributes Supported for Subscriber AAA Access Messages on page 173
RADIUS Attributes References
For more information about RADIUS attributes, see the following RFCs:
• RFC 2661—Layer Two Tunneling Protocol “L2TP” (August 1999)
• RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000)
• RFC 2866—RADIUS Accounting (June 2000)
• RFC 2867—RADIUS Accounting Modifications for Tunnel Protocol Support (June 2000)
• RFC 2868—RADIUS Attributes for Tunnel Protocol Support (June 2000)
• RFC 2869—RADIUS Extensions (June 2000)
• RFC 3748—Extensible Authentication Protocol (EAP) (June 2004)
• RFC 4679—DSL Forum Vendor-Specific RADIUS Attributes (September 2006)
NOTE: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.
Related Documentation
• RADIUS References on page 171
• RADIUS IETF Attributes on page 231
• Juniper Networks VSAs on page 238
• DSL Forum VSAs on page 250
CHAPTER 8
Application Terminate Reasons
This chapter lists the default mappings for application terminate reasons to RADIUS Acct-Terminate-Cause attributes. Table 62 on page 255 lists the default mappings for AAA, Table 63 on page 257 lists default mappings for L2TP, Table 64 on page 273 lists the default mappings for PPP, and Table 65 on page 280 lists default mappings for RADIUS client. See “Overview of Mapping Application Terminate Reasons and RADIUS Terminate Codes” on page 34 in the Configuring Remote Access chapter for information about configuring custom mappings for application terminate reasons to RADIUS Acct-Terminate-Cause attributes.
• AAA Terminate Reasons on page 255
• L2TP Terminate Reasons on page 256
• PPP Terminate Reasons on page 273
• RADIUS Client Terminate Reasons on page 280
AAA Terminate Reasons
Table 62 on page 255 lists the default AAA terminate mappings. The table indicates the supported AAA terminate and deny reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default.
Table 62: Default AAA Mappings
AAA Shutdown or Deny Reason | RADIUS Acct-Terminate-Cause Code | Description
deny address allocation failure | 17 | user error
deny address assignment failure | 17 | user error
deny application error | 17 | user error
deny authentication denied | 17 | user error
deny authentication failure | 17 | user error
deny authorization failure | 17 | user error
deny incompatible request | 17 | user error
deny invalid tunnel configuration | 17 | user error
deny limit exceeded | 17 | user error
deny mixed user types | 10 | nas request
deny no access challenge support | 17 | user error
deny no address allocation resources | 17 | user error
deny no resources | 10 | nas request
deny redirected authentication failure | 17 | user error
deny server not available | 17 | user error
deny server request timeout | 17 | user error
deny terminating user | 10 | nas request
deny unknown subscriber | 17 | user error
deny user termination | 17 | user error
shutdown address lease expiration | 10 | nas request
shutdown administrative reset | 6 | admin reset
Related Documentation
• Overview of Mapping Application Terminate Reasons and RADIUS Terminate Codes on page 34
• Monitoring Application Terminate Reason Mappings on page 157
L2TP Terminate Reasons

Table 63 on page 257 lists the default L2TP terminate mappings. The table indicates the supported L2TP terminate reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default.

Table 63: Default L2TP Mappings

| L2TP Terminate Reason | RADIUS Acct-Terminate-Cause Code | Description |
| --- | --- | --- |
| session access interface down | 8 | port error |
| session admin close | 6 | admin reset |
| session admin drain | 6 | admin reset |
| session call down | 10 | nas request |
| session call failed | 15 | service unavailable |
| session create failed limit reached | 9 | nas error |
| session create failed no resources | 9 | nas error |
| session create failed single shot tunnel already fired | 9 | nas error |
| session create failed too busy | 9 | nas error |
| session failover protocol resync disconnect | 6 | admin reset |
| session hardware unavailable | 8 | port error |
| session no resources server port | 9 | nas error |
| session not ready | 9 | nas error |
| session rx cdn | 10 | nas request |
| session rx cdn avp bad hidden | 10 | nas request |
| session rx cdn avp bad value assigned session id | 10 | nas request |
| session rx cdn avp duplicate value assigned session id | 10 | nas request |
| session rx cdn avp malformed bad length | 10 | nas request |
| session rx cdn avp malformed truncated | 10 | nas request |
| session rx cdn avp missing mandatory assigned session id | 10 | nas request |
| session rx cdn avp missing mandatory result code | 10 | nas request |
| session rx cdn avp missing random vector | 10 | nas request |
| session rx cdn avp missing secret | 10 | nas request |
| session rx cdn avp unknown | 10 | nas request |
| session rx cdn no resources | 10 | nas request |
| session rx iccn avp bad hidden | 10 | nas request |
| session rx iccn avp bad value framing type | 10 | nas request |
| session rx iccn avp bad value proxy authen type | 10 | nas request |
| session rx iccn avp bad value unsupported proxy authen type | 10 | nas request |
| session rx iccn avp malformed bad length | 10 | nas request |
| session rx iccn avp malformed truncated | 10 | nas request |
| session rx iccn avp missing mandatory connect speed | 10 | nas request |
| session rx iccn avp missing mandatory framing type | 10 | nas request |
| session rx iccn avp missing mandatory proxy authen challenge | 10 | nas request |
| session rx iccn avp missing mandatory proxy authen id | 10 | nas request |
| session rx iccn avp missing mandatory proxy authen name | 10 | nas request |
| session rx iccn avp missing mandatory proxy authen response | 10 | nas request |
| session rx iccn avp missing random vector | 10 | nas request |
| session rx iccn avp missing secret | 10 | nas request |
| session rx iccn avp unknown | 10 | nas request |
| session rx iccn no resources | 10 | nas request |
| session rx iccn unexpected | 10 | nas request |
| session rx icrp avp bad hidden | 10 | nas request |
| session rx icrp avp bad value assigned session id | 10 | nas request |
| session rx icrp avp duplicate value assigned session id | 10 | nas request |
| session rx icrp avp malformed bad length | 10 | nas request |
| session rx icrp avp malformed truncated | 10 | nas request |
| session rx icrp avp missing mandatory assigned session id | 10 | nas request |
| session rx icrp avp missing random vector | 10 | nas request |
| session rx icrp avp missing secret | 10 | nas request |
| session rx icrp avp unknown | 10 | nas request |
| session rx icrp no resources | 10 | nas request |
| session rx icrp unexpected | 10 | nas request |
| session rx icrq admin close | 6 | admin reset |
| session rx icrq authenticate failed host | 10 | nas request |
| session rx icrq avp bad hidden | 10 | nas request |
| session rx icrq avp bad value assigned session id | 10 | nas request |
| session rx icrq avp bad value bearer type | 10 | nas request |
| session rx icrq avp bad value cisco nas port | 10 | nas request |
| session rx icrq avp duplicate value assigned session id | 10 | nas request |
| session rx icrq avp malformed bad length | 10 | nas request |
| session rx icrq avp malformed truncated | 10 | nas request |
| session rx icrq avp missing mandatory assigned session id | 10 | nas request |
| session rx icrq avp missing mandatory call serial number | 10 | nas request |
| session rx icrq avp missing random vector | 10 | nas request |
| session rx icrq avp missing secret | 10 | nas request |
| session rx icrq avp unknown | 10 | nas request |
| session rx icrq no resources | 10 | nas request |
| session rx icrq unexpected | 10 | nas request |
| session rx occn avp bad hidden | 10 | nas request |
| session rx occn avp bad value framing type | 10 | nas request |
| session rx occn avp malformed bad length | 10 | nas request |
| session rx occn avp malformed truncated | 10 | nas request |
| session rx occn avp missing mandatory connect speed | 10 | nas request |
| session rx occn avp missing mandatory framing type | 10 | nas request |
| session rx occn avp missing random vector | 10 | nas request |
| session rx occn avp missing secret | 10 | nas request |
| session rx occn avp unknown | 10 | nas request |
| session rx occn no resources | 10 | nas request |
| session rx occn unexpected | 10 | nas request |
| session rx ocrp avp bad hidden | 10 | nas request |
| session rx ocrp avp bad value assigned session id | 10 | nas request |
| session rx ocrp avp duplicate value assigned session id | 10 | nas request |
| session rx ocrp avp malformed bad length | 10 | nas request |
| session rx ocrp avp malformed truncated | 10 | nas request |
| session rx ocrp avp missing mandatory assigned session id | 10 | nas request |
| session rx ocrp avp missing random vector | 10 | nas request |
| session rx ocrp avp missing secret | 10 | nas request |
| session rx ocrp avp unknown | 10 | nas request |
| session rx ocrp no resources | 10 | nas request |
| session rx ocrp unexpected | 10 | nas request |
| session rx ocrq admin close | 10 | admin reset |
| session rx ocrq authenticate failed host | 10 | nas request |
| session rx ocrq avp bad hidden | 10 | nas request |
| session rx ocrq avp bad value assigned session id | 10 | nas request |
| session rx ocrq avp bad value bearer type | 10 | nas request |
| session rx ocrq avp bad value framing type | 10 | nas request |
| session rx ocrq avp duplicate value assigned session id | 10 | nas request |
| session rx ocrq avp malformed bad length | 10 | nas request |
| session rx ocrq avp malformed truncated | 10 | nas request |
| session rx ocrq avp missing mandatory assigned session id | 10 | nas request |
| session rx ocrq avp missing mandatory bearer type | 10 | nas request |
| session rx ocrq avp missing mandatory call serial number | 10 | nas request |
| session rx ocrq avp missing mandatory called number | 10 | nas request |
| session rx ocrq avp missing mandatory framing type | 10 | nas request |
| session rx ocrq avp missing mandatory maximum bps | 10 | nas request |
| session rx ocrq avp missing mandatory minimum bps | 10 | nas request |
| session rx ocrq avp missing random vector | 10 | nas request |
| session rx ocrq avp missing secret | 10 | nas request |
| session rx ocrq avp unknown | 10 | nas request |
| session rx ocrq no resources | 10 | nas request |
| session rx ocrq unexpected | 10 | nas request |
| session rx ocrq unsupported | 9 | nas error |
| session rx sli avp bad hidden | 10 | nas request |
| session rx sli avp bad value accm | 10 | nas request |
| session rx sli avp malformed bad length | 10 | nas request |
| session rx sli avp malformed truncated | 10 | nas request |
| session rx sli avp missing mandatory accm | 10 | nas request |
| session rx sli avp missing random vector | 10 | nas request |
| session rx sli avp missing secret | 10 | nas request |
| session rx sli avp unknown | 10 | nas request |
| session rx sli no resources | 10 | nas request |
| session rx unexpected packet lac incoming | 10 | nas request |
| session rx unexpected packet lac outgoing | 10 | nas request |
| session rx unexpected packet lns incoming | 10 | nas request |
| session rx unexpected packet lns outgoing | 10 | nas request |
| session rx unknown session id | 10 | nas request |
| session rx wen avp bad hidden | 10 | nas request |
| session rx wen avp malformed bad length | 10 | nas request |
| session rx wen avp malformed truncated | 10 | nas request |
| session rx wen avp missing mandatory call errors | 10 | nas request |
| session rx wen avp missing random vector | 10 | nas request |
| session rx wen avp missing secret | 10 | nas request |
| session rx wen avp unknown | 10 | nas request |
| session rx wen no resources | 10 | nas request |
| session timeout connection | 10 | nas request |
| session timeout inactivity | 4 | idle timeout |
| session timeout session | 5 | session timeout |
| session timeout upper create | 9 | nas error |
| session transmit speed unavailable | 9 | nas error |
| session tunnel down | 15 | service unavailable |
| session tunnel failed | 15 | service unavailable |
| session tunnel switch profile deleted | 6 | admin reset |
| session tunneled interface down | 8 | port error |
| session unknown cause | 9 | nas error |
| session upper create failed | 9 | nas error |
| session upper removed | 15 | service unavailable |
| session warmstart not operational | 15 | service unavailable |
| session warmstart recovery error | 15 | service unavailable |
| session warmstart upper not restacked | 10 | nas request |
| tunnel admin close | 6 | admin reset |
| tunnel admin drain | 6 | admin reset |
| tunnel control channel failed | 15 | service unavailable |
| tunnel created no sessions | 1 | user request |
| tunnel destination address changed | 6 | admin reset |
| tunnel destination down | 10 | nas request |
| tunnel failover protocol no resources for recovery tunnel | 15 | service unavailable |
| tunnel failover protocol no resources for session resync | 15 | service unavailable |
| tunnel failover protocol not supported | 15 | service unavailable |
| tunnel failover protocol not supported by peer | 15 | service unavailable |
| tunnel failover protocol recovery control channel failed | 15 | service unavailable |
| tunnel failover protocol recovery tunnel failed | 15 | service unavailable |
| tunnel failover protocol recovery tunnel finished | 1 | user request |
| tunnel failover protocol recovery tunnel primary down | 1 | user request |
| tunnel failover protocol session resync failed | 15 | service unavailable |
| tunnel host profile changed | 6 | admin reset |
| tunnel host profile deleted | 6 | admin reset |
| tunnel rx scccn authenticate failed challenge | 17 | user error |
| tunnel rx scccn avp bad hidden | 15 | service unavailable |
| tunnel rx scccn avp bad value challenge response | 15 | service unavailable |
| tunnel rx scccn avp malformed bad length | 15 | service unavailable |
| tunnel rx scccn avp malformed truncated | 15 | service unavailable |
| tunnel rx scccn avp missing challenge response | 17 | user error |
| tunnel rx scccn avp missing random vector | 15 | service unavailable |
| tunnel rx scccn avp missing secret | 15 | service unavailable |
| tunnel rx scccn avp unexpected challenge response | 15 | service unavailable |
| tunnel rx scccn avp unknown | 15 | service unavailable |
| tunnel rx scccn no resources | 15 | service unavailable |
| tunnel rx scccn session id not null | 15 | service unavailable |
| tunnel rx scccn unexpected | 15 | service unavailable |
| tunnel rx sccrp authenticate failed challenge | 17 | user error |
| tunnel rx sccrp authenticate failed host | 17 | user error |
| tunnel rx sccrp avp bad hidden | 15 | service unavailable |
| tunnel rx sccrp avp bad value assigned tunnel id | 15 | service unavailable |
| tunnel rx sccrp avp bad value bearer capabilities | 15 | service unavailable |
| tunnel rx sccrp avp bad value challenge | 15 | service unavailable |
| tunnel rx sccrp avp bad value challenge response | 15 | service unavailable |
| tunnel rx sccrp avp bad value failover capability | 15 | service unavailable |
| tunnel rx sccrp avp bad value framing capabilities | 15 | service unavailable |
| tunnel rx sccrp avp bad value protocol version | 15 | service unavailable |
| tunnel rx sccrp avp bad value receive window size | 15 | service unavailable |
| tunnel rx sccrp avp duplicate value assigned tunnel id | 15 | service unavailable |
| tunnel rx sccrp avp malformed bad length | 15 | service unavailable |
| tunnel rx sccrp avp malformed truncated | 15 | service unavailable |
| tunnel rx sccrp avp missing challenge response | 17 | user error |
| tunnel rx sccrp avp missing mandatory assigned tunnel id | 15 | service unavailable |
| tunnel rx sccrp avp missing mandatory framing capabilities | 15 | service unavailable |
| tunnel rx sccrp avp missing mandatory host name | 15 | service unavailable |
| tunnel rx sccrp avp missing mandatory protocol version | 15 | service unavailable |
| tunnel rx sccrp avp missing random vector | 15 | service unavailable |
| tunnel rx sccrp avp missing secret | 15 | service unavailable |
| tunnel rx sccrp avp unexpected challenge response | 15 | service unavailable |
| tunnel rx sccrp avp unexpected challenge without secret | 15 | service unavailable |
| tunnel rx sccrp avp unknown | 15 | service unavailable |
| tunnel rx sccrp no resources | 15 | service unavailable |
| tunnel rx sccrp session id not null | 15 | service unavailable |
| tunnel rx sccrp unexpected | 15 | service unavailable |
| tunnel rx sccrq admin close | 6 | admin reset |
| tunnel rx sccrq authenticate failed host | 17 | user error |
| tunnel rx sccrq avp bad hidden | 15 | service unavailable |
| tunnel rx sccrq avp bad value assigned tunnel id | 15 | service unavailable |
| tunnel rx sccrq avp bad value bearer capabilities | 15 | service unavailable |
| tunnel rx sccrq avp bad value challenge | 15 | service unavailable |
| tunnel rx sccrq avp bad value failover capability | 15 | service unavailable |
| tunnel rx sccrq avp bad value framing capabilities | 15 | service unavailable |
| tunnel rx sccrq avp bad value protocol version | 15 | service unavailable |
| tunnel rx sccrq avp bad value receive window size | 15 | service unavailable |
| tunnel rx sccrq avp duplicate value assigned tunnel id | 15 | service unavailable |
| tunnel rx sccrq avp malformed bad length | 15 | service unavailable |
| tunnel rx sccrq avp malformed truncated | 15 | service unavailable |
| tunnel rx sccrq avp missing mandatory assigned tunnel id | 15 | service unavailable |
| tunnel rx sccrq avp missing mandatory framing capabilities | 15 | service unavailable |
| tunnel rx sccrq avp missing mandatory host name | 15 | service unavailable |
| tunnel rx sccrq avp missing mandatory protocol version | 15 | service unavailable |
| tunnel rx sccrq avp missing random vector | 15 | service unavailable |
| tunnel rx sccrq avp missing secret | 15 | service unavailable |
| tunnel rx sccrq avp unexpected challenge without secret | 15 | service unavailable |
| tunnel rx sccrq avp unknown | 15 | service unavailable |
| tunnel rx sccrq bad address | 15 | service unavailable |
| tunnel rx sccrq no resources | 15 | service unavailable |
| tunnel rx sccrq no resources max tunnels | 15 | service unavailable |
| tunnel rx sccrq session id not null | 15 | service unavailable |
| tunnel rx sccrq unexpected | 15 | service unavailable |
| tunnel rx stopccn | 1 | user request |
| tunnel rx stopccn avp bad hidden | 15 | service unavailable |
| tunnel rx stopccn avp bad value assigned tunnel id | 15 | service unavailable |
| tunnel rx stopccn avp duplicate value assigned tunnel id | 15 | service unavailable |
| tunnel rx stopccn avp malformed bad length | 15 | service unavailable |
| tunnel rx stopccn avp malformed truncated | 15 | service unavailable |
| tunnel rx stopccn avp missing mandatory assigned tunnel id | 15 | service unavailable |
| tunnel rx stopccn avp missing mandatory result code | 15 | service unavailable |
| tunnel rx stopccn avp missing random vector | 15 | service unavailable |
| tunnel rx stopccn avp missing secret | 15 | service unavailable |
| tunnel rx stopccn avp unknown | 15 | service unavailable |
| tunnel rx stopccn no resources | 15 | service unavailable |
| tunnel rx stopccn session id not null | 15 | service unavailable |
| tunnel rx frs avp malformed truncated | 15 | service unavailable |
| tunnel rx frs avp missing mandatory failover session state | 15 | service unavailable |
| tunnel rx frs avp missing random vector | 15 | service unavailable |
| tunnel rx frs avp missing secret | 15 | service unavailable |
| tunnel rx frs avp unknown | 15 | service unavailable |
| tunnel rx frs no resources | 15 | service unavailable |
| tunnel rx frs session id not null | 15 | service unavailable |
| tunnel rx fsq avp bad hidden | 15 | service unavailable |
| tunnel rx fsq avp malformed bad length | 15 | service unavailable |
| tunnel rx fsq avp malformed truncated | 15 | service unavailable |
| tunnel rx fsq avp missing mandatory failover session state | 15 | service unavailable |
| tunnel rx fsq avp missing random vector | 15 | service unavailable |
| tunnel rx fsq avp missing secret | 15 | service unavailable |
| tunnel rx fsq avp unknown | 15 | service unavailable |
| tunnel rx fsq no resources | 15 | service unavailable |
| tunnel rx fsq session id not null | 15 | service unavailable |
| tunnel rx fsr avp bad hidden | 15 | service unavailable |
| tunnel rx fsr avp malformed bad length | 15 | service unavailable |
| tunnel rx unexpected packet | 15 | service unavailable |
| tunnel rx unexpected packet for session | 15 | service unavailable |
| tunnel rx unknown packet message type indecipherable | 15 | service unavailable |
| tunnel rx unknown packet message type unrecognized | 15 | service unavailable |
| tunnel rx recovery scccn authenticate failed challenge | 17 | user error |
| tunnel rx recovery scccn avp bad hidden | 15 | service unavailable |
| tunnel rx recovery scccn avp bad value challenge response | 15 | service unavailable |
| tunnel rx recovery scccn avp malformed bad length | 15 | service unavailable |
| tunnel rx recovery scccn avp malformed truncated | 15 | service unavailable |
| tunnel rx recovery scccn avp missing challenge response | 17 | user error |
| tunnel rx recovery scccn avp missing random vector | 15 | service unavailable |
| tunnel rx recovery scccn avp missing secret | 15 | service unavailable |
| tunnel rx recovery scccn avp unexpected challenge response | 15 | service unavailable |
| tunnel rx recovery scccn avp unknown | 15 | service unavailable |
| tunnel rx recovery scccn no resources | 15 | service unavailable |
| tunnel rx recovery scccn session id not null | 15 | service unavailable |
| tunnel rx recovery sccrp authenticate failed challenge | 17 | user error |
| tunnel rx recovery sccrp avp bad hidden | 15 | service unavailable |
| tunnel rx recovery sccrp avp bad value assigned tunnel id | 15 | service unavailable |
| tunnel rx recovery sccrp avp bad value bearer capabilities | 15 | service unavailable |
| tunnel rx recovery sccrp avp bad value challenge | 15 | service unavailable |
| tunnel rx recovery sccrp avp bad value challenge response | 15 | service unavailable |
| tunnel rx recovery sccrp avp bad value framing capabilities | 15 | service unavailable |
| tunnel rx recovery sccrp avp bad value protocol version | 15 | service unavailable |
| tunnel rx recovery sccrp avp bad value receive window size | 15 | service unavailable |
| tunnel rx recovery sccrp avp bad value suggested control sequence | 15 | service unavailable |
| tunnel rx recovery sccrp avp duplicate value assigned tunnel id | 15 | service unavailable |
| tunnel rx recovery sccrp avp malformed bad length | 15 | service unavailable |
| tunnel rx recovery sccrp avp malformed truncated | 15 | service unavailable |
| tunnel rx recovery sccrp avp mismatched host name | 15 | service unavailable |
| tunnel rx recovery sccrp avp mismatched vendor name | 15 | service unavailable |
| tunnel rx recovery sccrp avp missing challenge response | 17 | user error |
| tunnel rx recovery sccrp avp missing mandatory assigned tunnel id | 15 | service unavailable |
| tunnel rx recovery sccrp avp missing mandatory framing capabilities | 15 | service unavailable |
| tunnel rx recovery sccrp avp missing mandatory host name | 15 | service unavailable |
| tunnel rx recovery sccrp avp missing mandatory protocol version | 15 | service unavailable |
| tunnel rx recovery sccrp avp missing random vector | 15 | service unavailable |
| tunnel rx recovery sccrp avp missing secret | 15 | service unavailable |
| tunnel rx recovery sccrp avp unexpected challenge response | 15 | service unavailable |
| tunnel rx recovery sccrp avp unexpected challenge without secret | 15 | service unavailable |
| tunnel rx recovery sccrp avp unknown | 15 | service unavailable |
| tunnel rx recovery sccrp no resources | 15 | service unavailable |
| tunnel rx recovery sccrp session id not null | 15 | service unavailable |
| tunnel rx recovery sccrq admin close | 6 | admin reset |
| tunnel rx recovery sccrq avp bad hidden | 15 | service unavailable |
| tunnel rx recovery sccrq avp bad value assigned tunnel id | 15 | service unavailable |
| tunnel rx recovery sccrq avp bad value bearer capabilities | 15 | service unavailable |
| tunnel rx recovery sccrq avp bad value challenge | 15 | service unavailable |
| tunnel rx recovery sccrq avp bad value framing capabilities | 15 | service unavailable |
| tunnel rx recovery sccrq avp bad value protocol version | 15 | service unavailable |
| tunnel rx recovery sccrq avp bad value receive window size | 15 | service unavailable |
| tunnel rx recovery sccrq avp bad value tunnel recovery | 15 | service unavailable |
| tunnel rx recovery sccrq avp duplicate value assigned tunnel id | 15 | service unavailable |
| tunnel rx recovery sccrq avp duplicate value tie breaker | 15 | service unavailable |
| tunnel rx recovery sccrq avp malformed bad length | 15 | service unavailable |
| tunnel rx recovery sccrq avp malformed truncated | 15 | service unavailable |
| tunnel rx recovery sccrq avp mismatched host name | 15 | service unavailable |
| tunnel rx recovery sccrq avp mismatched vendor name | 15 | service unavailable |
| tunnel rx recovery sccrq avp missing mandatory assigned tunnel id | 15 | service unavailable |
| tunnel rx recovery sccrq avp missing mandatory framing capabilities | 15 | service unavailable |
| tunnel rx recovery sccrq avp missing mandatory host name | 15 | service unavailable |
| tunnel rx recovery sccrq avp missing mandatory protocol version | 15 | service unavailable |
| tunnel rx recovery sccrq avp missing mandatory tunnel recovery | 15 | service unavailable |
| tunnel rx recovery sccrq avp missing random vector | 15 | service unavailable |
| tunnel rx recovery sccrq avp missing secret | 15 | service unavailable |
| tunnel rx recovery sccrq avp missing tie breaker | 15 | service unavailable |
| tunnel rx recovery sccrq avp unexpected challenge without secret | 15 | service unavailable |
| tunnel rx recovery sccrq avp unknown | 15 | service unavailable |
| tunnel rx recovery sccrq no resources | 15 | service unavailable |
| tunnel rx recovery sccrq session id not null | 15 | service unavailable |
| tunnel rx recovery sccrq tunnel id not null | 15 | service unavailable |
| tunnel rx recovery stopccn avp bad hidden | 15 | service unavailable |
| tunnel rx recovery stopccn avp bad value assigned tunnel id | 15 | service unavailable |
| tunnel rx recovery stopccn avp duplicate value assigned tunnel id | 15 | service unavailable |
| tunnel rx recovery stopccn avp malformed bad length | 15 | service unavailable |
| tunnel rx recovery stopccn avp malformed truncated | 15 | service unavailable |
| tunnel rx recovery stopccn avp missing mandatory assigned tunnel id | 15 | service unavailable |
| tunnel rx recovery stopccn avp missing mandatory result code | 15 | service unavailable |
| tunnel rx recovery stopccn avp missing random vector | 15 | service unavailable |
| tunnel rx recovery stopccn avp missing secret | 15 | service unavailable |
| tunnel rx recovery stopccn avp unknown | 15 | service unavailable |
| tunnel rx recovery stopccn no resources | 15 | service unavailable |
| tunnel rx recovery stopccn session id not null | 15 | service unavailable |
| tunnel rx recovery unexpected packet | 15 | service unavailable |
| tunnel rx recovery unknown packet message type indecipherable | 15 | service unavailable |
| tunnel rx recovery unknown packet message type unrecognized | 15 | service unavailable |
| tunnel rx session packet null sid invalid | 15 | service unavailable |
| tunnel rx session packet null sid without assigned session id | 15 | service unavailable |
| tunnel timeout connection | 15 | service unavailable |
| tunnel timeout connection recovery tunnel | 15 | service unavailable |
| tunnel timeout idle | 1 | user request |
| tunnel unknown cause | 9 | nas error |
| tunnel warmstart not operational | 15 | service unavailable |
| tunnel warmstart recovery error | 15 | service unavailable |

Related Documentation
• Overview of Mapping Application Terminate Reasons and RADIUS Terminate Codes on page 34
• Configuring Custom Mappings for PPP Terminate Reasons on page 90
• Monitoring Application Terminate Reason Mappings on page 157
PPP Terminate Reasons

Table 64 on page 273 lists the default PPP terminate mappings. The table indicates the supported PPP terminate reasons and the RADIUS Acct-Terminate-Cause attributes they are mapped to by default.

Table 64: Default PPP Mappings

| PPP Terminate Reason | RADIUS Acct-Terminate-Cause Code | Description |
| --- | --- | --- |
| authenticate authenticator timeout | 17 | user error |
| authenticate challenge timeout | 10 | nas request |
| authenticate chap no resources | 10 | nas request |
| authenticate chap peer authenticator timeout | 17 | user error |
| authenticate deny by peer | 17 | user error |
| authenticate inactivity timeout | 4 | idle timeout |
| authenticate max requests | 10 | nas request |
| authenticate no authenticator | 10 | nas request |
| authenticate pap peer authenticator timeout | 17 | user error |
| authenticate pap request timeout | 10 | nas request |
| authenticate session timeout | 5 | session timeout |
| authenticate too many requests | 10 | nas request |
| authenticate tunnel fail immediate | 10 | nas request |
| authenticate tunnel unsupported tunnel type | 10 | nas request |
| bundle fail create | 10 | nas request |
| bundle fail engine add | 10 | nas request |
| bundle fail fragment size mismatch | 10 | nas request |
| bundle fail fragmentation location | 10 | nas request |
| bundle fail fragmentation mismatch | 10 | nas request |
| bundle fail join | 10 | nas request |
| bundle fail link selection mismatch | 10 | nas request |
| bundle fail local mped not set yet | 10 | nas request |
| bundle fail local mrru mismatch | 10 | nas request |
| bundle fail local mru mismatch | 10 | nas request |
| bundle fail peer mrru mismatch | 10 | nas request |
| bundle fail reassembly location | 10 | nas request |
| bundle fail reassembly mismatch | 10 | nas request |
| bundle fail record network | 10 | nas request |
| bundle fail server location mismatch | 10 | nas request |
| bundle fail static link | 10 | nas request |
| failover during authentication | 6 | admin reset |
| interface admin disable | 6 | admin reset |
| interface down | 2 | lost carrier |
| interface no hardware | 8 | port error |
| ip admin disable | 10 | nas request |
| ip inhibited by authentication | 10 | nas request |
| ip link down | 10 | nas request |
| ip max configure exceeded | 10 | nas request |
| ip no local ip address | 10 | nas request |
| ip no local ip address mask | 10 | nas request |
| ip no local primary dns address | 10 | nas request |
| ip no local primary nbns address | 10 | nas request |
| ip no local secondary dns address | 10 | nas request |
| ip no local secondary nbns address | 10 | nas request |
| ip no peer ip address | 10 | nas request |
| ip no peer ip address mask | 10 | nas request |
| ip no peer primary dns address | 10 | nas request |
| ip no peer primary nbns address | 10 | nas request |
| ip no peer secondary dns address | 10 | nas request |
| ip no peer secondary nbns address | 10 | nas request |
| ip no service | 10 | nas request |
| ip peer renegotiate rx conf ack | 10 | nas request |
| ip peer renegotiate rx conf nak | 10 | nas request |
| ip peer renegotiate rx conf rej | 10 | nas request |
| ip peer renegotiate rx conf req | 10 | nas request |
| ip peer terminate term ack | 10 | nas request |
| ip peer terminate code rej | 10 | nas request |
| ip peer terminate term req | 10 | nas request |
| ip service disable | 10 | nas request |
| ip stale stacking | 10 | nas request |
| ipv6 admin disable | 10 | nas request |
| ipv6 inhibited by authentication | 10 | nas request |
| ipv6 link down | 10 | nas request |
| ipv6 local and peer interface ids identical | 10 | nas request |
| ipv6 max configure exceeded | 10 | nas request |
| ipv6 no local ipv6 interface id | 10 | nas request |
| ipv6 no peer ipv6 interface id | 10 | nas request |
| ipv6 no service | 10 | nas request |
| ipv6 peer renegotiate rx conf ack | 10 | nas request |
| ipv6 peer renegotiate rx conf nak | 10 | nas request |
| ipv6 peer renegotiate rx conf rej | 10 | nas request |
| ipv6 peer renegotiate rx conf req | 10 | nas request |
| ipv6 peer terminate code rej | 10 | nas request |
| ipv6 peer terminate term ack | 10 | nas request |
| ipv6 peer terminate term req | 10 | nas request |
| ipv6 service disable | 10 | nas request |
| ipv6 stale stacking | 10 | nas request |
| lcp authenticate terminate hold | 10 | nas request |
| lcp configured mrru too small | 10 | nas request |
| lcp configured mru invalid | 10 | nas request |
| lcp configured mru too small | 10 | nas request |
| lcp dynamic interface hold | 10 | nas request |
| lcp keepalive failure | 10 | nas request |
| lcp loopback rx conf req | 10 | nas request |
| lcp loopback rx echo reply | 10 | nas request |
| lcp loopback rx echo req | 10 | nas request |
| lcp max configure exceeded | 10 | nas request |
| lcp mru changed | 10 | nas request |
| lcp negotiation timeout | 10 | nas request |
| lcp no localaccm | 10 | nas request |
| lcp no localacfc | 10 | nas request |
| lcp no local authentication | 10 | nas request |
| lcp no local endpoint discriminator | 10 | nas request |
| lcp no local magic number | 10 | nas request |
| lcp no local mrru | 10 | nas request |
| lcp no local mru | 10 | nas request |
| lcp no localpfc | 10 | nas request |
| lcp no peer accm | 10 | nas request |
| lcp no peer authentication | 10 | nas request |
| lcp no peer endpoint discriminator | 10 | nas request |
| lcp no peer magicnumber | 10 | nas request |
| lcp no peer mrru | 10 | nas request |
| lcp no peer mru | 10 | nas request |
| lcp no peer pfc | 10 | nas request |
| lcp peer terminate code rej | 1 | user request |
| lcp peer terminate term ack | 1 | user request |
| lcp peer terminate term req | 1 | user request |
| lcp peer terminate protocol reject | 1 | user request |
| lcp peer renegotiate rx conf ack | 1 | user request |
| lcp peer renegotiate rx conf nak | 1 | user request |
| lcp peer renegotiate rx conf rej | 1 | user request |
| lcp peer renegotiate rx conf req | 1 | user request |
| lcp tunnel disconnected | 10 | nas request |
| lcp tunnel failed | 10 | nas request |
| link interface no hardware | 8 | port error |
| lower interface attach failed | 2 | lost carrier |
| lower interface teardown | 2 | lost carrier |
| mpls admin disable | 10 | nas request |
| mpls link down | 10 | nas request |
| mpls max configure exceeded | 10 | nas request |
| mpls no service | 10 | nas request |
| mpls peer renegotiate rx conf ack | 10 | nas request |
| mpls peer renegotiate rx conf nak | 10 | nas request |
| mpls peer renegotiate rx conf rej | 10 | nas request |
| mpls peer renegotiate rx conf req | 10 | nas request |
| mpls peer terminate code rej | 10 | nas request |
| mpls peer terminate term ack | 10 | nas request |
| mpls peer terminate term req | 10 | nas request |
| mpls service disable | 10 | nas request |
| mpls stale stacking | 10 | nas request |
| network interface admin disable | 6 | admin reset |
| no bundle | 10 | nas request |
| no interface | 8 | port error |
| no link interface | 8 | port error |
| no ncps available | 10 | nas request |
| no network interface | 10 | nas request |
| no upper interface | 9 | nas error |
| osi admin disable | 10 | nas request |
| osi link down | 10 | nas request |
| osi max configure exceeded | 10 | nas request |
| osi no local align npdu | 10 | nas request |
| osi no peer align npdu | 10 | nas request |
| osi no service | 10 | nas request |
| osi peer renegotiate rx conf ack | 10 | nas request |
| osi peer renegotiate rx conf nak | 10 | nas request |
| osi peer renegotiate rx conf rej | 10 | nas request |
| osi peer renegotiate rx conf req | 10 | nas request |
| osi peer terminate code rej | 10 | nas request |
| osi peer terminate term ack | 10 | nas request |
| osi peer terminate term req | 10 | nas request |
| osi service disable | 10 | nas request |
| osi stale stacking | 10 | nas request |

Related Documentation
• Overview of Mapping Application Terminate Reasons and RADIUS Terminate Codes on page 34
• Configuring Custom Mappings for PPP Terminate Reasons on page 90
• L2TP Terminate Reasons on page 256
• Monitoring Application Terminate Reason Mappings on page 157
RADIUS Client Terminate Reasons
Table 65 on page 280 lists the default RADIUS client terminate mappings. The table
indicates the supported RADIUS client terminate reasons and the RADIUS
Acct-Terminate-Cause attributes they are mapped to by default.
Table 65: Default RADIUS Client Mappings
RADIUS Client Terminate Reason    RADIUS Acct-Terminate-Cause Code   Description
no-acct-server                    10                                 nas request
system-reboot                     10                                 nas request
virtual-router-deletion           10                                 nas request
Related Documentation
• Overview of Mapping Application Terminate Reasons and RADIUS Terminate Codes on page 34
• Monitoring Application Terminate Reason Mappings on page 157
CHAPTER 9
Monitoring RADIUS
This chapter describes how to monitor the RADIUS attributes, RADIUS dynamic-request
server, and RADIUS relay.
RADIUS topics are described in the following sections:
• Monitoring Override Settings of RADIUS IETF Attributes on page 281
• Monitoring the NAS-Port-Format RADIUS Attribute on page 282
• Monitoring the Calling-Station-Id RADIUS Attribute on page 283
• Monitoring the NAS-Identifier RADIUS Attribute on page 283
• Monitoring the Format of the Remote-Circuit-ID for RADIUS on page 283
• Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS on page 284
• Monitoring the Acct-Session-Id RADIUS Attribute on page 284
• Monitoring the DSL-Port-Type RADIUS Attribute on page 284
• Monitoring the Connect-Info RADIUS Attribute on page 285
• Monitoring the NAS-Port-ID RADIUS Attribute on page 285
• Monitoring Included RADIUS Attributes on page 285
• Monitoring Ignored RADIUS Attributes on page 288
• Setting the Baseline for RADIUS Dynamic-Request Server Statistics on page 288
• Monitoring RADIUS Dynamic-Request Server Statistics on page 288
• Monitoring the Configuration of the RADIUS Dynamic-Request Server on page 290
• Setting a Baseline for RADIUS Relay Statistics on page 290
• Monitoring RADIUS Relay Server Statistics on page 291
• Monitoring the Configuration of the RADIUS Relay Server on page 292
• Monitoring the Status of RADIUS Relay UDP Checksums on page 293
• Monitoring the Status of ICR Partition Accounting on page 293
Monitoring Override Settings of RADIUS IETF Attributes
Purpose
Display the current override setting for RADIUS IETF attributes. You can monitor the
NAS-IP-Address [4], NAS-Port-Id [87], Calling-Station-Id [31], and NAS-Identifier [32]
attributes.
Action
To display the current setting for all configured RADIUS attributes:
host1#show radius override
nas-ip-addr:        nas-ip-addr
nas-port-id:        nas-port-id
calling-station-id: calling-station-id
nas-info:           from current virtual router
host1#show radius override
nas-ip-addr: nas-ip-addr
nas-info:    from authentication virtual router
Meaning
Table 66 on page 282 lists the show radius override command output fields.
Table 66: show radius override Output Fields
nas-ip-addr
    Displays the current setting for the NAS-IP-Address [4] attribute. These settings can be changed with the radius override nas-ip-addr tunnel-client-endpoint and radius override nas-info commands.
nas-port-id
    Displays the current setting for the NAS-Port-Id [87] attribute. Use the radius override nas-port-id remote-circuit-id command to override the standard NAS-Port-Id attribute with the PPPoE remote circuit ID transmitted from the DSLAM.
calling-station-id
    Displays the current setting for the Calling-Station-Id [31] attribute. Use the radius override calling-station-id remote-circuit-id command to override the standard Calling-Station-Id attribute with the PPPoE remote circuit ID transmitted from the DSLAM.
nas-info
    Displays the current setting for the NAS-Identifier [32] attribute. This setting can be changed with the radius override nas-info command, which is used for AAA broadcast accounting.
Related Documentation
• show radius override
Monitoring the NAS-Port-Format RADIUS Attribute
Purpose
Display information for the NAS-Port attribute.
Action
To display the setting for the NAS-Port attribute:
host1#show radius nas-port-format
0ssssppp
To display information about the NAS-Port attribute on an ATM interface on an E320 Broadband Services Router:
host1#show radius nas-port-format extended atm
extended atm field-width slot 5 adapter 0 port 4 vpi 4 vci 12
To display the status of NAS-Port attribute settings for PPPoE interfaces:
host1#show radius pppoe nas-port-format
unique
To display the status of the S-VLAN ID setting for the NAS-Port attribute for VLAN interfaces:
host1#show radius vlan nas-port-format
vlan stacked
Related Documentation
• show radius nas-port-format
• show radius nas-port-format extended
• show radius pppoe nas-port-format
• show radius vlan nas-port-format
Monitoring the Calling-Station-Id RADIUS Attribute
Purpose
Display the format and delimiter used for the Calling-Station-Id [31] attribute.
Action
To display the format configured for the Calling-Station-Id [31] attribute:
host1#show radius calling-station-format
fixed-format-adapter-new-field (includes SVLAN ID)
To display the delimiter used in the Calling-Station-Id for authenticated ATM PPP users:
host1#show radius calling-station-delimiter
&
Related Documentation
• show radius calling-station-format
• show radius calling-station-delimiter
Monitoring the NAS-Identifier RADIUS Attribute
Purpose
Display information about the NAS-Identifier value.
Action
To display information about the NAS-Identifier value:
host1#show radius nas-identifier
fox
Related Documentation
• show radius nas-identifier
Monitoring the Format of the Remote-Circuit-ID for RADIUS
Purpose
Display the format configured for the PPPoE remote circuit ID value captured from a DSLAM.
The default format is agent-circuit-ID. If the PPPoE remote circuit ID value is configured to include any or all of the agent-circuit-id, agent-remote-id, and nas-identifier components, the display lists the components included and the order in which they appear.
If the PPPoE remote circuit ID value is configured to use the format for the dsl-forum-1 keyword of radius remote-circuit-id-format, the display indicates that this format is in effect.
Action
To display the format configured for the PPPoE remote circuit ID value captured from a DSLAM:
host1#show radius remote-circuit-id-format
nas-identifier agent-circuit-id agent-remote-id
Related Documentation
• show radius remote-circuit-id-format
Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS
Purpose
Display the delimiter character configured to set off components in the PPPoE remote circuit ID value captured from a DSLAM. The default delimiter character is #.
Action
To display the delimiter character:
host1#show radius remote-circuit-id-delimiter
!
Related Documentation
• show radius remote-circuit-id-delimiter
Monitoring the Acct-Session-Id RADIUS Attribute
Purpose
Display the format used for the Acct-Session-Id attribute.
Action
To display the format used for the Acct-Session-Id attribute:
host1#show radius acct-session-id-format
decimal
Related Documentation
• show radius acct-session-id-format
Monitoring the DSL-Port-Type RADIUS Attribute
Purpose
Display the DSL port type for the NAS-Port-Type attribute for ATM and Ethernet users.
Action
To display the DSL port type for the NAS-Port-Type attribute for ATM users:
host1#show radius dsl-port-type
xdsl
To display the NAS-Port-Type attribute for Ethernet interfaces:
host1#show radius ethernet-port-type
virtual
Related Documentation
• show radius dsl-port-type
• show radius ethernet-port-type
Monitoring the Connect-Info RADIUS Attribute
Purpose
Display the format for the Connect-Info attribute.
Action
To display the format for the Connect-Info attribute:
host1(config)#show radius connect-info-format
l2tp-connect-speed-rx-when-equal
Related Documentation
• show radius connect-info-format
Monitoring the NAS-Port-ID RADIUS Attribute
Purpose
Display whether the router includes or excludes the subinterface number or adapter in the interface description that the router passes to RADIUS for inclusion in the NAS-Port-Id attribute.
Action
To display information about the interface description for the NAS-Port-ID:
host1#show aaa intf-desc-format
exclude sub-interface
include adapter
Related Documentation
• show aaa intf-desc-format
Monitoring Included RADIUS Attributes
Purpose
Display the RADIUS attributes that are included in and excluded from Acct-On, Acct-Off, Access-Request, Acct-Start, and Acct-Stop messages.
Action
To display the list of included RADIUS attributes:
host1# show radius attributes-included
                                  Account   Account   Access    Account   Account
Attribute Name                    On        Off       Request   Start     Stop
--------------------------------  --------  --------  --------  --------  --------
access-loop-parameters            n/c       n/c       disabled  n/c       n/c
acct-authentic                    enabled   enabled   n/c       n/c       n/c
acct-delay-time                   enabled   enabled   n/c       n/c       n/c
acct-link-count                   n/c       n/c       n/c       enabled   enabled
acct-multi-session-id             n/c       n/c       disabled  enabled   enabled
acct-session-id                   enabled   enabled   enabled   n/c       n/c
acct-terminate-cause              n/c       enabled   n/c       n/c       n/c
acct-tunnel-connection            n/c       n/c       enabled   enabled   enabled
ascend-num-in-multilink           n/c       n/c       disabled  disabled  disabled
called-station-id                 n/c       n/c       enabled   enabled   enabled
downstream-calculated-qos-rate    n/c       n/c       disabled  disabled  disabled
upstream-calculated-qos-rate      n/c       n/c       disabled  disabled  disabled
calling-station-id                n/c       n/c       enabled   enabled   enabled
class                             n/c       n/c       n/c       enabled   enabled
connect-info                      n/c       n/c       enabled   enabled   enabled
delegated-ipv6-prefix             n/c       n/c       n/c       disabled  disabled
dhcp-options                      n/c       n/c       disabled  disabled  disabled
dhcp-option-82                    n/c       n/c       disabled  disabled  disabled
dhcp-option82-circuitid           n/c       n/c       enabled   disabled  disabled
dhcp-option82-remoteid            n/c       n/c       enabled   disabled  disabled
dhcp-mac-address                  n/c       n/c       disabled  disabled  disabled
dhcp-gi-address                   n/c       n/c       disabled  disabled  disabled
dsl-forum-attributes(vsa)         n/c       n/c       disabled  disabled  disabled
ds-lite-tunnel-name               n/c       n/c       n/c       disabled  disabled
egress-policy-name(vsa)           n/c       n/c       n/c       enabled   enabled
ipv6-egress-policy-name(vsa)      n/c       n/c       n/c       enabled   enabled
event-timestamp                   enabled   enabled   n/c       enabled   enabled
framed-compression                n/c       n/c       n/c       enabled   enabled
framed-interface-id               n/c       n/c       n/c       disabled  disabled
framed-ip-address                 n/c       n/c       n/c       enabled   enabled
framed-ip-netmask                 n/c       n/c       n/c       enabled   enabled
framed-ipv6-pool                  n/c       n/c       n/c       disabled  disabled
framed-ipv6-prefix                n/c       n/c       n/c       disabled  disabled
framed-ipv6-route                 n/c       n/c       n/c       disabled  disabled
framed-route                      n/c       n/c       n/c       disabled  disabled
icr-partition-id(vsa)             n/c       n/c       disabled  disabled  disabled
ingress-policy-name(vsa)          n/c       n/c       n/c       enabled   enabled
ipv6-ingress-policy-name(vsa)     n/c       n/c       n/c       enabled   enabled
input-gigapkts(vsa)               n/c       n/c       n/c       n/c       enabled
input-gigawords                   n/c       n/c       n/c       n/c       enabled
interface-description(vsa)        n/c       n/c       enabled   enabled   enabled
ipv6-input-octets(vsa)            n/c       n/c       n/c       n/c       enabled
ipv6-output-octets(vsa)           n/c       n/c       n/c       n/c       enabled
ipv6-input-packets(vsa)           n/c       n/c       n/c       n/c       enabled
ipv6-output-packets(vsa)          n/c       n/c       n/c       n/c       enabled
ipv6-input-gigawords(vsa)         n/c       n/c       n/c       n/c       enabled
ipv6-output-gigawords(vsa)        n/c       n/c       n/c       n/c       enabled
ipv6-local-interface(vsa)         n/c       n/c       n/c       disabled  disabled
ipv6-nd-ra-prefix(vsa)            n/c       n/c       n/c       disabled  disabled
ipv6-primary-dns(vsa)             n/c       n/c       n/c       disabled  disabled
ipv6-secondary-dns(vsa)           n/c       n/c       n/c       disabled  disabled
ipv6-virtual-router(vsa)          n/c       n/c       n/c       disabled  disabled
l2c-downstream-data(vsa)          n/c       n/c       disabled  disabled  disabled
l2c-upstream-data(vsa)            n/c       n/c       disabled  disabled  disabled
l2cd-acc-loop-cir-id(vsa)         n/c       n/c       disabled  disabled  disabled
l2cd-acc-aggr-cir-id-bin(vsa)     n/c       n/c       disabled  disabled  disabled
l2cd-acc-aggr-cir-id-asc(vsa)     n/c       n/c       disabled  disabled  disabled
l2cd-act-data-rate-up(vsa)        n/c       n/c       disabled  disabled  disabled
l2cd-act-data-rate-dn(vsa)        n/c       n/c       disabled  disabled  disabled
l2cd-min-data-rate-up(vsa)        n/c       n/c       disabled  disabled  disabled
l2cd-min-data-rate-dn(vsa)        n/c       n/c       disabled  disabled  disabled
l2cd-att-data-rate-up(vsa)        n/c       n/c       disabled  disabled  disabled
l2cd-att-data-rate-dn(vsa)        n/c       n/c       disabled  disabled  disabled
l2cd-max-data-rate-up(vsa)        n/c       n/c       disabled  disabled  disabled
l2cd-max-data-rate-dn(vsa)        n/c       n/c       disabled  disabled  disabled
l2cd-min-lp-data-rate-up(vsa)     n/c       n/c       disabled  disabled  disabled
l2cd-min-lp-data-rate-dn(vsa)     n/c       n/c       disabled  disabled  disabled
l2cd-max-interlv-delay-up(vsa)    n/c       n/c       disabled  disabled  disabled
l2cd-act-interlv-delay-up(vsa)    n/c       n/c       disabled  disabled  disabled
l2cd-max-interlv-delay-dn(vsa)    n/c       n/c       disabled  disabled  disabled
l2cd-act-interlv-delay-dn(vsa)    n/c       n/c       disabled  disabled  disabled
l2cd-dsl-line-state(vsa)          n/c       n/c       disabled  disabled  disabled
l2cd-dsl-type(vsa)                n/c       n/c       disabled  disabled  disabled
l2tp-ppp-disconnect-cause         n/c       n/c       n/c       n/c       disabled
mlppp-bundle-name                 n/c       n/c       enabled   enabled   enabled
nas-identifier                    enabled   enabled   enabled   enabled   enabled
nas-port                          n/c       n/c       enabled   enabled   enabled
nas-port-id                       n/c       n/c       enabled   enabled   enabled
nas-port-type                     n/c       n/c       enabled   enabled   enabled
output-gigapkts(vsa)              n/c       n/c       n/c       n/c       enabled
output-gigawords                  n/c       n/c       n/c       n/c       enabled
pcp-server-name(vsa)              n/c       n/c       n/c       disabled  disabled
pppoe-description(vsa)            n/c       n/c       enabled   enabled   enabled
profile-service-descr(vsa)        n/c       n/c       disabled  disabled  disabled
qos-profile-name (vsa)            n/c       n/c       n/c       disabled  disabled
tunnel-assignment-id              n/c       n/c       n/c       enabled   enabled
tunnel-client-auth-id             n/c       n/c       enabled   enabled   enabled
tunnel-client-endpoint            n/c       n/c       enabled   enabled   enabled
tunnel-interface-id               n/c       n/c       disabled  disabled  disabled
tunnel-medium-type                n/c       n/c       enabled   enabled   enabled
tunnel-preference                 n/c       n/c       n/c       enabled   enabled
tunnel-server-attributes          n/c       n/c       disabled  disabled  disabled
tunnel-server-auth-id             n/c       n/c       enabled   enabled   enabled
tunnel-server-endpoint            n/c       n/c       enabled   enabled   enabled
tunnel-type                       n/c       n/c       enabled   enabled   enabled
Meaning
Table 67 on page 287 lists the show radius attributes-included command output fields.
Table 67: show radius attributes-included Output Fields
Attribute Name
    Name of the RADIUS attribute
Account On
    Include status of the attribute in Acct-On messages: enabled, disabled, not configurable (n/c)
Account Off
    Include status of the attribute in Acct-Off messages: enabled, disabled, n/c
Access Request
    Include status of the attribute in Access Request messages: enabled, disabled, n/c
Account Start
    Include status of the attribute in Acct-Start messages: enabled, disabled, n/c
Account Stop
    Include status of the attribute in Acct-Stop messages: enabled, disabled, n/c
Related Documentation
• CLI Commands Used to Configure Juniper Networks VSAs on page 203
• CLI Commands Used to Include ANCP-Related Juniper Networks VSAs in Access and Accounting Messages on page 205
• CLI Commands Used to Include or Exclude Attributes in RADIUS Messages on page 208
• show radius attributes-included
Monitoring Ignored RADIUS Attributes
Purpose
Display the RADIUS attributes that are ignored in Access-Accept messages.
Action
To display the RADIUS attributes that are ignored:
host1#show radius attributes-ignored
attribute framed-ip-netmask ignored from RADIUS server
attribute atm-service-category (vsa) accepted from RADIUS server
attribute atm-mbs (vsa) accepted from RADIUS server
attribute atm-pcr (vsa) accepted from RADIUS server
attribute atm-scr (vsa) accepted from RADIUS server
attribute egress-policy-name (vsa) accepted from RADIUS server
attribute ingress-policy-name (vsa) accepted from RADIUS server
attribute ipv6-egress-policy-name (vsa) accepted from RADIUS server
attribute ipv6-ingress-policy-name (vsa) accepted from RADIUS server
attribute virtual-router (vsa) accepted from RADIUS server
attribute pppoe-max-session (vsa) ignored from RADIUS server
Related Documentation
• CLI Commands Used to Configure Juniper Networks VSAs on page 203
• CLI Commands Used to Ignore Attributes when Receiving Access-Accept Messages on page 213
• show radius attributes-ignored
Setting the Baseline for RADIUS Dynamic-Request Server Statistics
You can set a statistics baseline for packet mirroring-related RADIUS statistics. To show
baseline statistics, use the delta keyword with the show radius dynamic-request
statistics command.
To set a baseline for RADIUS statistics for packet mirroring:
• Issue the baseline radius dynamic-request command:
host1#baseline radius dynamic-request
There is no no version.
Related Documentation
• Monitoring RADIUS Dynamic-Request Server Statistics on page 288
• baseline radius dynamic-request
Monitoring RADIUS Dynamic-Request Server Statistics
Purpose
Display RADIUS dynamic-request server statistics.
Action
To display RADIUS dynamic-request statistics:
host1#show radius dynamic-request statistics
RADIUS Request Statistics
-------------------------
Statistic                       10.10.3.4
------------------------------  ---------
UDP Port                             1700
Disconnect Requests                     0
Disconnect Accepts                      0
Disconnect Rejects                      0
Disconnect No Session ID                0
Disconnect Bad Authenticators           0
Disconnect Packets Dropped              0
CoA Requests                            0
CoA Accepts                             0
CoA Rejects                             0
CoA No Session ID                       0
CoA Bad Authenticators                  0
CoA Packets Dropped                     0
No Secret                               0
Unknown Request                         0
Invalid Addresses Received              0
Meaning
Table 68 on page 289 lists the show radius dynamic-request statistics command output fields.
Table 68: show radius dynamic-request statistics Output Fields
Udp Port
    Port on which the router listens for RADIUS server
Disconnect or CoA Requests
    RADIUS-initiated disconnect or CoA requests received
Disconnect or CoA Accepts
    RADIUS-initiated disconnect or CoA requests accepted
Disconnect or CoA Rejects
    RADIUS-initiated disconnect or CoA requests rejected
Disconnect or CoA No Session ID
    RADIUS-initiated disconnect or CoA messages rejected because the request did not include a session ID attribute
Disconnect or CoA Bad Authenticators
    RADIUS-initiated disconnect or CoA messages rejected because the calculated authenticator in the authenticator field of the request did not match
Disconnect or CoA Packets Dropped
    RADIUS-initiated disconnect or CoA packets dropped because of queue overflow
No Secret
    Messages rejected because a secret was not present in the authenticator field
Unknown Requests
    Packets received with an invalid RADIUS code for RADIUS disconnect or change of authorization
Invalid Addresses Received
    Number of invalid addresses received
Related Documentation
• Setting the Baseline for RADIUS Dynamic-Request Server Statistics on page 288
• show radius statistics
Monitoring the Configuration of the RADIUS Dynamic-Request Server
Purpose
Display the configuration of the RADIUS dynamic-request server.
Action
To display the configuration of the RADIUS dynamic-request server:
host1#show radius dynamic-request servers
RADIUS Request Configuration
----------------------------
               Udp                  Change Of
IP Address     Port  Disconnect  Authorization  Secret
-------------  ----  ----------  -------------  --------
192.168.2.3    1700  disabled    disabled       <NULL>
10.10.120.104  1700  disabled    disabled       mysecret
Meaning
Table 69 on page 290 lists the show radius dynamic-request servers command output fields.
Table 69: show radius dynamic-request servers Output Fields
IP address
    IP address of the RADIUS server
Udp Port
    Port on which the router listens for RADIUS server
Disconnect
    Status of RADIUS-initiated disconnect feature
Change of Authorization
    Status of change of authorization feature
Secret
    Secret used to connect to RADIUS server
Related Documentation
• show radius servers
Setting a Baseline for RADIUS Relay Statistics
You can set a baseline for RADIUS relay statistics. To show baseline statistics, use the
delta keyword with the show radius relay command.
To set a baseline for RADIUS relay statistics:
• Issue the baseline radius relay command:
host1#baseline radius relay
There is no no version.
Related Documentation
• Monitoring RADIUS Relay Server Statistics on page 291
• baseline radius relay
Monitoring RADIUS Relay Server Statistics
Purpose
Display RADIUS relay server statistics.
Action
To show RADIUS relay server statistics that were baselined:
host1#show radius relay statistics delta
RADIUS Relay Authentication Server Statistics
---------------------------------------------
Statistic                Total
---------------------  -------
Access Requests           1000
Access Accepts            1000
Access Challenges            0
Access Rejects               0
Pending Requests             0
Duplicate Requests           0
Malformed Requests           0
Bad Authenticators           0
Unknown Requests             0
Dropped Packets              0
Invalid Requests             0
Statistics baseline set FRI APR 02 2004 19:01:52 UTC
RADIUS Relay Accounting Server Statistics
----------------------------------------
Statistic                Total
---------------------  -------
Accounting Requests       1000
  Start                   1000
  Stop                       0
  Interim                    0
Accounting Responses      1000
  Start                   1000
  Stop                       0
  Interim                    0
Pending Requests             0
Duplicate Requests           0
Malformed Requests           0
Bad Authenticators           0
Unknown Requests             0
Dropped Packets              0
Invalid Requests             0
Statistics baseline set FRI APR 02 2004 19:01:52 UTC
Meaning
Table 70 on page 291 lists the show radius relay statistics command output fields.
Table 70: show radius relay statistics Output Fields
Access Requests
    Number of access requests received
Access Accepts
    Number of access accepts received
Access Challenges
    Number of access challenges received
Access Rejects
    Number of access rejects received
Pending Requests
    Number of access requests waiting for a response
Duplicate Requests
    Number of duplicate requests received while the previous request is pending
Malformed Requests
    Requests with attributes having an invalid length or unexpected attributes
Bad Authenticators
    Authenticator in the response is incorrect for the matching request; can occur if the secret for the RADIUS relay server and the WAP does not match
Unknown Requests
    Packets received from nonconfigured clients
Dropped Packets
    Packets dropped because of queue overflow
Invalid Requests
    Number of invalid requests received
Accounting Requests
    Number of accounting requests received, broken down by type of request
Accounting Responses
    Number of accounting responses, broken down by type of request
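The Bad Authenticators counters in Table 68 (dynamic-request server) and Table 70 (RADIUS relay) both come from the same check on the 16-byte Authenticator field. As an added example that is not JunosE code, the Python below models that check for both cases: RFC 5176 Disconnect/CoA requests, whose Authenticator is an MD5 over the packet with 16 zero octets and the shared secret, and RFC 2865 responses, whose Authenticator is the same MD5 computed with the matching request's Authenticator in place of the zeros. The secret, session id, addresses and packets are constructed; the counter names follow the show output above.

```python
"""Added example (not JunosE code): the Authenticator checks behind the
Bad Authenticators and No Session ID counters. RFC 5176 Disconnect/CoA
requests carry MD5(Code|ID|Length|16 zero octets|Attributes|Secret); RFC 2865
responses carry the same hash with the matching request's Authenticator in
place of the zeros. Secret, session id and packets below are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2       # RFC 2865 codes
DISCONNECT_REQUEST, COA_REQUEST = 40, 43   # RFC 5176 codes
ACCT_SESSION_ID = 44                       # attribute type (RFC 2866)

def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS attribute TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def authenticator(code, ident, attrs_bytes, secret, auth_input):
    """MD5 over the header, the 16-byte auth_input, the attributes and the secret."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(hdr + auth_input + attrs_bytes + secret).digest()

def build_packet(code, ident, attrs, auth):
    ab = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(ab)) + auth + ab

def sign_packet(code, ident, attrs, secret, auth_input):
    """auth_input: 16 zero bytes for a Disconnect/CoA request, the request's Authenticator for a response."""
    auth = authenticator(code, ident, encode_attrs(attrs), secret, auth_input)
    return build_packet(code, ident, attrs, auth)

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:])

class DynamicRequestServer:
    """Tallies the counters of show radius dynamic-request statistics."""
    def __init__(self, secret, active_sessions):
        self.secret = secret
        self.sessions = active_sessions   # Acct-Session-Id values of live sessions
        self.stats = dict.fromkeys(("Requests", "Accepts", "Rejects", "No Session ID",
                                    "Bad Authenticators", "Unknown Request"), 0)

    def handle(self, pkt):
        code, ident, auth, attrs = parse_packet(pkt)
        if code not in (DISCONNECT_REQUEST, COA_REQUEST):
            self.stats["Unknown Request"] += 1
            return "unknown"
        self.stats["Requests"] += 1
        expected = authenticator(code, ident, pkt[20:], self.secret, bytes(16))
        if not hmac.compare_digest(expected, auth):
            self.stats["Bad Authenticators"] += 1   # RFC 5176: silently discarded
            return "bad-authenticator"
        sid = [v for t, v in attrs if t == ACCT_SESSION_ID]
        if not sid:
            self.stats["No Session ID"] += 1
            self.stats["Rejects"] += 1
            return "no-session-id"
        if sid[0] in self.sessions:
            self.stats["Accepts"] += 1   # session found: answered with an ACK
            return "accept"
        self.stats["Rejects"] += 1       # session unknown: answered with a NAK
        return "reject"

def relay_check_response(request_pkt, response_pkt, secret):
    """Relay side: the response Authenticator must equal the MD5 computed with the
    matching request's Authenticator; a secret mismatch between the peers fails here."""
    _, _, req_auth, _ = parse_packet(request_pkt)
    code, ident, resp_auth, _ = parse_packet(response_pkt)
    expected = authenticator(code, ident, response_pkt[20:], secret, req_auth)
    return hmac.compare_digest(expected, resp_auth)

def demo():
    """Constructed traffic against a server configured with secret b'mysecret'."""
    secret, sid = b"mysecret", (ACCT_SESSION_ID, b"123456")
    srv = DynamicRequestServer(secret, {b"123456"})
    good = sign_packet(DISCONNECT_REQUEST, 7, [sid], secret, bytes(16))
    wrong_secret = sign_packet(DISCONNECT_REQUEST, 8, [sid], b"wrong", bytes(16))
    no_sid = sign_packet(COA_REQUEST, 9, [], secret, bytes(16))
    results = [srv.handle(p) for p in (good, wrong_secret, no_sid)]
    req_auth = bytes(range(16))   # constructed; a real client uses random bytes
    req = build_packet(ACCESS_REQUEST, 1, [], req_auth)
    resp = sign_packet(ACCESS_ACCEPT, 1, [], secret, req_auth)
    results.append(relay_check_response(req, resp, secret))
    results.append(relay_check_response(req, resp, b"othersecret"))
    return results, srv.stats
```

Calling demo() processes one valid Disconnect-Request, one signed with the wrong secret and one CoA-Request without Acct-Session-Id, then checks an Access-Accept against its request with the right and a wrong secret.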
Related Documentation
• Setting a Baseline for RADIUS Relay Statistics on page 290
• show radius relay statistics
Monitoring the Configuration of the RADIUS Relay Server
Purpose
Display information about the RADIUS relay server configuration.
Action
To display the RADIUS relay server configuration:
host1#show radius relay servers
RADIUS Relay Authentication Server Configuration
------------------------------------------------
IP Address       IP Mask          Secret
---------------  ---------------  ---------
10.10.8.15       255.255.255.255  newsecret
192.168.102.5    255.255.255.255  999Y2K
Udp Port: 1812
RADIUS Relay Accounting Server Configuration
--------------------------------------------
IP Address       IP Mask          Secret
---------------  ---------------  ---------
10.10.1.0        255.255.255.0    NO8pxq
192.168.102.5    255.255.255.255  12BE$56
Udp Port: 1813
Meaning
Table 71 on page 293 lists the show radius relay servers command output fields.
Table 71: show radius relay servers Output Fields
IP Address
    Address of the RADIUS relay server
IP Mask
    Mask of the RADIUS relay server
Secret
    Secret used for exchanges between the RADIUS relay server and client
Udp Port
    Router’s port on which the RADIUS relay server listens
Related Documentation
• show radius relay servers
Monitoring the Status of RADIUS Relay UDP Checksums
Purpose
Display status of RADIUS relay UDP checksums.
Action
To display the status of UDP checksums:
host1(config)#show radius relay udp-checksum
udp-checksums enabled
Meaning
Table 72 on page 293 lists the show radius relay udp-checksum command output fields.
Table 72: show radius relay udp-checksum Output Fields
udp-checksums
    Status of UDP checksums: enabled or disabled
Related Documentation
• show radius relay udp-checksum
Monitoring the Status of ICR Partition Accounting
Purpose
Display the status of ICR partition accounting.
Action
To display the status of ICR partition accounting:
host1#show radius icr-partition-accounting
enabled
Meaning
ICR partition accounting status is either enabled or disabled.
Related Documentation
• show radius icr-partition-accounting
CHAPTER 10
Configuring TACACS+
This chapter explains how to enable and configure TACACS+ in your E Series router. It
has the following sections:
• Understanding TACACS+ on page 295
• TACACS+ Platform Considerations on page 299
• TACACS+ References on page 299
• Retry Attempts for Successful TCP Connection Overview on page 300
• Configuring TACACS+ on page 300
Understanding TACACS+
With the increased use of remote access, the need to manage more network access
servers (NAS) has increased. Additionally, the need to control access on a per-user basis
has escalated, as has the need for central administration of users and passwords.
Terminal Access Controller Access Control System (TACACS) is a security protocol that
provides centralized validation of users who are attempting to gain access to a router or
NAS. TACACS+, a more recent version of the original TACACS protocol, provides separate
authentication, authorization, and accounting (AAA) services.
NOTE: TACACS+ is a completely new protocol and is not compatible with
TACACS or XTACACS.
The TACACS+ protocol provides detailed accounting information and flexible
administrative control over the authentication, authorization, and accounting process.
The protocol allows a TACACS+ client to request detailed access control and allows the
TACACS+ process to respond to each component of that request. TACACS+ uses
Transmission Control Protocol (TCP) for its transport.
TACACS+ provides security by encrypting all traffic between the NAS and the process.
Encryption relies on a secret key that is known to both the client and the TACACS+
process.
Table 73 on page 296 describes terms that are frequently used in this chapter.
Table 73: TACACS-Related Terms
NAS
    Network access server. A device that provides connections to a single user, to a network or subnetwork, and to interconnected networks. In reference to TACACS+, the NAS is the E Series router.
TACACS+ process
    A program or software running on a security server that provides AAA services using the TACACS+ protocol. The program processes authentication, authorization, and accounting requests from an NAS. When processing authentication requests, the process might respond to the NAS with a request for additional information, such as a password.
TACACS+ host
    The security server on which the TACACS+ process is running. Also referred to as a TACACS+ server.
AAA Overview
TACACS+ allows effective communication of AAA information between NASs and a
central server. The separation of the AAA functions is a fundamental feature of the
TACACS+ design:
• Authentication—Determines who a user is, then determines whether that user should be granted access to the network. The primary purpose is to prevent intruders from entering your networks. Authentication uses a database of users and passwords.
• Authorization—Determines what an authenticated user is allowed to do. Authorization gives the network manager the ability to limit network services to different users. Also, the network manager can limit the use of certain commands to various users. Authorization cannot occur without authentication.
• Accounting—Tracks what a user did and when it was done. Accounting can be used for an audit trail or for billing for connection time or resources used. Accounting can occur independent of authentication and authorization.
Central management of AAA means that the information is in a single, centralized, secure
database, which is much easier to administer than information distributed across
numerous devices. Both RADIUS and TACACS+ protocols are client-server systems that
allow effective communication of AAA information.
For information about RADIUS, see “RADIUS Overview” on page 170.
Administrative Login Authentication
Fundamentally, TACACS+ provides the same services as RADIUS. Every authentication
login attempt on an NAS is verified by a remote TACACS+ process.
TACACS+ authentication uses three packet types. Start packets and Continue packets
are always sent by the user. Reply packets are always sent by the TACACS+ process.
TACACS+ sets up a TCP connection to the TACACS+ host and sends a Start packet. The
TACACS+ host responds with a Reply packet, which either grants or denies access, reports
an error, or challenges the user.
TACACS+ might challenge the user to provide username, password, passcode, or other
information. Once the requested information is entered, TACACS+ sends a Continue
packet over the existing connection. The TACACS+ host sends a Reply packet. Once the
authentication is complete, the connection is closed. Only three login retries are allowed.
To enable login authentication through both TACACS+ and RADIUS servers, use the aaa
new-model command to specify AAA authentication for Telnet sessions.
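The Start/Continue/Reply exchange just described, together with the shared-secret protection of the TACACS+ body mentioned under Understanding TACACS+, as an added Python example that is not JunosE code: it packs the 12-byte TACACS+ header, applies the MD5 pseudo-pad that RFC 8907 (sections 4.1 and 4.5) specifies for the body (the RFC calls this obfuscation rather than encryption, since the shared key is its only secret input), and runs one ASCII login between a NAS and a TACACS+ process. The key, user database, port, remote address and session id are constructed.

```python
"""Added example (not JunosE code): TACACS+ header, body obfuscation and one
ASCII login exchanged between the NAS (START, CONTINUE) and the TACACS+
process (REPLY), per RFC 8907 sections 4.1, 4.5, 5.1 and 5.2. The key, user
database, port, remote address and session id below are constructed."""
import hashlib
import hmac
import struct

VERSION, TYPE_AUTHEN = 0xC0, 0x01   # major version 0xc, minor 0; authentication packet
FLAG_UNENCRYPTED = 0x01             # body sent in the clear (no shared key configured)
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
PASS, FAIL, GETUSER, GETPASS, ERROR = 0x01, 0x02, 0x04, 0x05, 0x07  # REPLY status

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n appends MD5_(n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def pack(ptype, seq_no, session_id, body, key):
    flags = 0 if key else FLAG_UNENCRYPTED
    if key:
        body = obfuscate(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + body

def unpack(pkt, key):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:12])
    body = pkt[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body

def start_body(user, port, rem_addr, priv_lvl=1):
    # action LOGIN=1, authen_type ASCII=1, authen_service LOGIN=1, no data
    hdr = struct.pack("!8B", 1, priv_lvl, 1, 1, len(user), len(port), len(rem_addr), 0)
    return hdr + user + port + rem_addr

def parse_start(body):
    action, priv, _atype, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("bad START body")   # the usual symptom of a key mismatch
    return {"action": action, "priv_lvl": priv, "user": body[8:8 + ul],
            "port": body[8 + ul:8 + ul + pl], "rem_addr": body[8 + ul + pl:8 + ul + pl + rl]}

def reply_body(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]

def continue_body(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def login_exchange(nas_key, server_key, user, password, users):
    """START -> REPLY(GETPASS) -> CONTINUE -> REPLY(PASS|FAIL) in one session.
    users: the TACACS+ host's user database (constructed). Returns the final status."""
    sid = 0x1A2B3C4D        # constructed; a real NAS picks a random session id
    p1 = pack(TYPE_AUTHEN, 1, sid, start_body(user, b"vty0", b"10.0.0.5"), nas_key)
    try:
        start = parse_start(unpack(p1, server_key)[3])
    except (ValueError, struct.error):
        return ERROR        # the process could not decode the START (e.g. wrong key)
    p2 = pack(TYPE_AUTHEN, 2, sid, reply_body(GETPASS, b"Password: "), server_key)
    status, _ = parse_reply(unpack(p2, nas_key)[3])
    if status != GETPASS:
        return status
    p3 = pack(TYPE_AUTHEN, 3, sid, continue_body(password), nas_key)
    body3 = unpack(p3, server_key)[3]
    msg_len = struct.unpack("!H", body3[:2])[0]
    stored = users.get(start["user"])
    ok = stored is not None and hmac.compare_digest(stored, body3[5:5 + msg_len])
    p4 = pack(TYPE_AUTHEN, 4, sid, reply_body(PASS if ok else FAIL), server_key)
    return parse_reply(unpack(p4, nas_key)[3])[0]

if __name__ == "__main__":
    db = {b"admin": b"correct-horse"}
    print(login_exchange(b"tacsecret", b"tacsecret", b"admin", b"correct-horse", db))
```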
Privilege Authentication
The privilege authentication process determines whether a user is allowed to use
commands at a particular privilege level. This authentication process is handled similarly
to login authentication, except that the user is limited to one authentication attempt. An
empty reply to the challenge forces an immediate access denial. The aaa authentication
enable default command allows you to set privilege authentication for users.
Login Authorization
To allow login authorization through the TACACS+ server, you can use the following
commands: aaa authorization, aaa authorization config-commands, and authorization.
For information about using these commands, see the Passwords and Security chapter
in JunosE System Basics Configuration Guide.
Accounting
The TACACS+ accounting service enables you to create an audit trail of User Exec sessions
and command-line interface (CLI) commands that have been executed within these
sessions. For example, you can track user CLI connects and disconnects, when
configuration modes have been entered and exited, and which configuration and
operational commands have been executed.
You configure TACACS+ accounting in the JunosE Software by defining accounting
method lists and then associating consoles and lines with the method lists. You define
an accounting method list with a service type, name, accounting mode, and method:
• service type—Specifies the type of information being recorded
• name—Uniquely identifies an accounting method list within a service type
• accounting mode—Specifies what type of accounting records will be generated
• method—Specifies the protocol for sending the accounting records to a security server
You can then configure consoles and lines with an accounting method list name for each
service type:
• Method list—A specified configuration that defines how the NAS performs the AAA accounting service. A service type can be configured with multiple method lists with different names, and a method list name can be used for different service types. Initially, no accounting method list is defined; therefore TACACS+ accounting is disabled.
• Default method list—Configuration used by consoles and lines when no named method list is assigned. You enable TACACS+ accounting by defining default accounting method lists for each service type.
• Named method list—Assigned to a console, specific line, or group of lines; overrides the default method list.
• Service type—Specifies the type of information provided by the TACACS+ accounting service:
  • Exec—Provides information about User Exec terminal sessions, such as telnet, Local Area Transport (LAT), and rlogin, on the NAS.
  • Commands <0-15>—Provides information about User Exec mode CLI commands for a specified privilege level that are being executed on the NAS. Each of the sixteen command privilege levels is a separate service type. Accounting records are generated for commands executed by users, CLI scripts, and macros.
• Accounting mode—Specifies the type of accounting records that are recorded on the TACACS+ server. Accounting records track user actions and resource usage. You can analyze and use the records for network management, billing, and auditing purposes.
  • start-stop—A start accounting record is generated just before a process begins, and a stop accounting record is generated after a process successfully completes. This mode is supported only for the Exec service type.
  • stop-only—A stop accounting record is generated after a process successfully completes. This mode is supported only for the Commands service types.
The NAS sends TACACS+ accounting packets to the TACACS+ host. The accounting
packets contain data in the packet header, packet body, and attribute-value pairs (AVPs).
Table 74 on page 298 provides descriptions of the TACACS+ accounting data.
Table 74: TACACS+ Accounting Information

Field/Attribute   Location        Description
major_version     Packet header   Major TACACS+ version number
minor_version     Packet header   Minor TACACS+ version number
type              Packet header   Type of the AAA service: Accounting
flags             Packet body     Bitmapped flags representing the record type: start accounting record or stop accounting record
priv-level        Packet body     Privilege level of the user executing the Exec session or CLI command: 0 - 15
user              Packet body     Name of user running the Exec session or CLI command
port              Packet body     NAS port used by the Exec session or CLI command
rem-addr          Packet body     User’s remote location; either an IP address or the caller ID
service           AVP             User’s primary service: Shell
cmd               AVP             CLI command that is to be executed: specified for Command-level accounting only
task_id           AVP             Unique sequential identifier used to match start and stop records for a task
elapsed_time      AVP             Elapsed time in seconds for the task execution: specified for Exec-level accounting stop records only
timezone          AVP             Time zone abbreviation used for all timestamps

Related Documentation
• Configuring TACACS+ on page 300
• Monitoring TACACS+ Statistics on page 305
• Monitoring TACACS+ Information on page 307
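The following example, added here and not part of the JunosE guide or of Juniper's own code, shows what the accounting packet described in Table 74 looks like on the wire. It builds a TACACS+ accounting REQUEST with the header fields (major/minor version, type), the body fields (flags, priv-level, user, port, rem-addr) and the AVPs (service, cmd, task_id, elapsed_time, timezone) laid out as in draft-grant-tacacs-02, applies the MD5-based body obfuscation that depends on the shared secret configured with tacacs-server key, and decodes the packet again. The session id, user name, command, addresses and the key "your_secret" are constructed sample values; the fixed authen_method, authen_type and authen_service bytes are assumptions for the example.

```python
import hashlib
import struct

# Header constants from draft-grant-tacacs-02 (unchanged in RFC 8907).
MAJOR_VERSION = 0xC       # TAC_PLUS_MAJOR_VER
MINOR_VERSION = 0x0       # TAC_PLUS_MINOR_VER_DEFAULT
TYPE_ACCT = 0x03          # TAC_PLUS_ACCT: the header "type" field of Table 74
FLAG_UNENCRYPTED = 0x01   # header flag: body sent in the clear

# Accounting body "flags" (Table 74): record type.
ACCT_FLAG_START = 0x02
ACCT_FLAG_STOP = 0x04

# Body fields this example keeps constant (assumed values for the sample).
AUTHEN_METHOD_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream that obfuscates the body: pad_1 = MD5(session_id, key, version, seq_no),
    pad_n = MD5(session_id, key, version, seq_no, pad_n-1). The shared key is the only
    thing that keeps the body (user, command, ...) from being read off the wire."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_body(acct_flags, priv_lvl, user, port, rem_addr, avps):
    """Serialize an accounting REQUEST body. avps is a list of 'attr=value' strings
    such as 'service=shell' or 'cmd=show version' (the AVP rows of Table 74)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    avp_b = [a.encode() for a in avps]
    body = bytes([acct_flags, AUTHEN_METHOD_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                  AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), len(avp_b)])
    body += bytes(len(a) for a in avp_b)            # one length byte per AVP
    return body + user_b + port_b + rem_b + b"".join(avp_b)


def build_packet(session_id, seq_no, key, acct_flags, priv_lvl, user, port, rem_addr, avps):
    """Complete packet as the NAS sends it: clear 12-byte header + obfuscated body."""
    version = (MAJOR_VERSION << 4) | MINOR_VERSION
    body = build_acct_body(acct_flags, priv_lvl, user, port, rem_addr, avps)
    header = HEADER.pack(version, TYPE_ACCT, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet, key):
    """Decode a packet into the Table 74 fields. With the wrong key the recovered
    length bytes do not add up and a ValueError is raised."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    acct_flags, _, priv_lvl, _, _, user_len, port_len, rem_len, arg_cnt = body[:9]
    arg_lens = list(body[9:9 + arg_cnt])
    pos = 9 + arg_cnt
    if pos + user_len + port_len + rem_len + sum(arg_lens) != length:
        raise ValueError("body lengths do not add up: wrong key or corrupt packet")
    fields = {}
    for name, n in (("user", user_len), ("port", port_len), ("rem_addr", rem_len)):
        fields[name] = body[pos:pos + n].decode()
        pos += n
    avps = {}
    for n in arg_lens:
        attr, _, value = body[pos:pos + n].decode().partition("=")
        avps[attr] = value
        pos += n
    return {"major_version": version >> 4, "minor_version": version & 0x0F, "type": ptype,
            "record": "start" if acct_flags & ACCT_FLAG_START else "stop",
            "priv_lvl": priv_lvl, "avps": avps, **fields}


# Constructed sample: a stop record for a privilege-15 command (Commands <0-15> accounting).
SAMPLE_KEY = b"your_secret"
SAMPLE_AVPS = ["service=shell", "cmd=show running-config", "task_id=42",
               "elapsed_time=0", "timezone=UTC"]


def sample_packet():
    return build_packet(0x1A2B3C4D, 1, SAMPLE_KEY, ACCT_FLAG_STOP, 15,
                        "admin", "vty0", "192.0.2.10", SAMPLE_AVPS)


if __name__ == "__main__":
    pkt = sample_packet()
    print(parse_packet(pkt, SAMPLE_KEY))
    try:
        parse_packet(pkt, b"wrong-key")
    except ValueError as err:
        print("decode with wrong key failed:", err)
```

The header travels in the clear, so session ids, sequence numbers and lengths are visible to anyone on the path; the body is only XOR-masked with an MD5 keystream derived from the key, which is why the key in tacacs-server key must be treated as a credential and why the draft recommends a transport that is protected in other ways.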
TACACS+ Platform Considerations
TACACS+ is supported on all E Series routers. For information about the modules
supported on E Series routers:
• See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router.
• See the E120 and E320 Module Guide for modules supported on the E120 and E320 Broadband Services Routers.
Related Documentation
• Understanding TACACS+ on page 295
TACACS+ References
For additional information about the TACACS+ protocol, see the following resources:
• The TACACS+ Protocol, Version 1.78—draft-grant-tacacs-02.txt (January 1997 expiration)
• RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000)
NOTE: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.
Related Documentation
• Understanding TACACS+ on page 295
Retry Attempts for Successful TCP Connection Overview
The TACACS+ client uses Transmission Control Protocol (TCP) to establish a connection
with the TACACS+ server. TCP provides a timeout value of 75 seconds. Within the
stipulated time, the TCP connection between the TACACS+ client and the TACACS+
server may not be established due to certain conditions, such as network congestion or
connectivity failure. If the TACACS+ client fails to establish a TCP connection, the
TACACS+ commands are not executed.
For robust TACACS+ operations, the TACACS+ client can reattempt connection upon
connection failure. You can configure the TACACS+ client retry value to establish the
TCP connection with the TACACS+ server. The retry is initiated in either of the following
two cases:
• User configuration timeout occurs
• TCP connection timeout occurs
NOTE: The same TACACS+ server is reattempted if TCP connection is not
established or the user-configured timer expires.
The maximum retry attempt for a request is five. By default, the maximum retry value is
two.
Related Documentation
• Configuring TACACS+ on page 300
• tacacs-server retransmit-retries
Configuring TACACS+
Terminal Access Controller Access Control System (TACACS) is a security protocol that
provides centralized validation of users who are attempting to gain access to a router or
NAS. TACACS+, a more recent version of the original TACACS protocol, provides separate
authentication, authorization, and accounting (AAA) services. This topic includes the
following tasks:
1. Configuring TACACS+ Support on page 300
2. Configuring Authentication on page 301
3. Configuring Accounting on page 302
Configuring TACACS+ Support
Before you begin to configure TACACS+, you must determine the following for the
TACACS+ authentication and accounting servers:
• IP addresses
• TCP port numbers
• Secret keys
To use TACACS+, you must enable AAA. To configure your router to support TACACS+,
perform the following tasks. Some of the tasks are optional. Once you configure TACACS+
support on the router, you can configure TACACS+ authentication, authorization, and
accounting independent of each other.
You can configure the TACACS+ server only on default virtual routers. If you attempt to
configure TACACS+ server settings on VRs other than the default VR or in a VRF, an error
message is displayed.
1. Specify the names of the IP host or hosts maintaining a TACACS+ server. Optionally,
you can specify other parameters, such as port number, timeout interval, and key.
host1(config)#tacacs-server host 192.168.1.27 port 10 timeout 3 key your_secret primary
2. (Optional) Set the authentication and encryption key value shared by all TACACS+
servers that do not have a server-specific key set up by the tacacs-server host
command.
host1(config)#tacacs-server key “ &#889P^”
3. (Optional) Set alternative source address(es) to be used for TACACS+ server
communications.
host1(config)#tacacs-server source-address 192.168.134.63
4. (Optional) Set the timeout value for all TACACS+ servers that do not have a
server-specific timeout set up by the tacacs-server host command.
host1(config)#tacacs-server timeout 15
5. (Optional) Set the retry value for a TACACS+ client. The maximum retry attempt for
a request is five. By default, the retry value is two.
host1(config)#tacacs-server retransmit-retries 4
Configuring Authentication
Once TACACS+ support is enabled on the router, you can configure TACACS+
authentication. Perform the following steps:
1. Specify AAA new model as the authentication method for the vty lines on your router.
host1(config)#aaa new-model
2. Specify AAA login authentication by defining an authentication method list (named tac in this example).
host1(config)#aaa authentication login tac tacacs+ radius enable
3. Specify the privilege level by defining a methods list that uses TACACS+ for
authentication.
host1(config)#aaa authentication enable default tacacs+ radius enable
4. Configure vty lines.
host1(config)#line vty 0 4
5. Apply an authentication list to the vty lines you specified on your router.
host1(config-line)#login authentication tac
Configuring Accounting
Once TACACS+ support is enabled on the router, you can configure TACACS+ accounting.
Perform the following steps:
1. Specify AAA new model as the accounting method for your router.
host1(config)#aaa new-model
2. Enable TACACS+ accounting on the router, and configure accounting method lists.
For example:
host1(config)#aaa accounting exec default start-stop tacacs+
host1(config)#aaa accounting commands 0 listX stop-only tacacs+
host1(config)#aaa accounting commands 1 listX stop-only tacacs+
host1(config)#aaa accounting commands 13 listY stop-only tacacs+
host1(config)#aaa accounting commands 14 default stop-only tacacs+
host1(config)#aaa accounting commands 15 default stop-only tacacs+
3. (Optional) Specify that accounting records are not generated for users without explicit
user names.
host1(config)#aaa accounting suppress null-username
4. Apply accounting method lists to a console or lines. For example:
host1(config)#line console 0
host1(config-line)#accounting commands 0 listX
host1(config-line)#accounting commands 1 listX
host1(config-line)#accounting commands 13 listY
host1(config-line)#exit
host1(config)#line vty 0 4
host1(config-line)#accounting commands 13 listY
Note that Exec accounting and User Exec mode commands accounting for privilege
levels 14 and 15 are now enabled for all lines and consoles with the creation of their
default method list, as shown in Step 2.
Related Documentation
• aaa accounting commands
• aaa accounting exec
• aaa accounting suppress null-username
• aaa authentication enable default
• aaa authentication login
• aaa new-model
• line
• login authentication
• tacacs-server host
• tacacs-server key
• tacacs-server source-address
• tacacs-server timeout
CHAPTER 11
Monitoring TACACS+
This chapter describes how to monitor the current TACACS+ configurations.
TACACS+ topics are described in the following sections:
• Setting Baseline TACACS+ Statistics on page 305
• Monitoring TACACS+ Statistics on page 305
• Monitoring TACACS+ Information on page 307
Setting Baseline TACACS+ Statistics
You can set a baseline for TACACS+ statistics.
To set the baseline:
• Issue the baseline tacacs command:
host1#baseline tacacs
There is no no version.
Related Documentation
• baseline tacacs
Monitoring TACACS+ Statistics
Purpose: Display TACACS+ statistics.
Action: To display TACACS+ statistics:
host1#show statistics tacacs
TACACSPLUS Statistics
---------------------
Statistic          10.5.0.174   10.5.1.199
------------------------------------------
Search Order                1            2
TCP Port                 3049         4049
Auth Requests             140            0
Auth Replies               85            0
Auth Pending               43            0
Auth Timeouts              12            0
Author Requests          6399           97
Author Replies           6301            0
Author Pending              0            0
Author Timeouts            98           97
Acct Requests            6321           37
Acct Replies             6280            0
Acct Pending                4            0
Acct Timeouts              37           37
Meaning: Table 75 on page 306 lists the show statistics tacacs command output fields.
Table 75: show statistics tacacs Output Fields

Field Name        Field Description
Statistic         IP address of the host
Search Order      The order in which requests are sent to hosts until a response is received
TCP Port          TCP port of the host
Auth Requests     Number of authentication requests sent to the host
Auth Replies      Number of authentication replies received from the host
Auth Pending      Number of expected but not received authentication replies from the host
Auth Timeouts     Number of authentication timeouts for the host
Author Requests   Number of authorization requests sent to the host
Author Replies    Number of authorization replies received from the host
Author Pending    Number of expected but not received authorization replies from the host
Author Timeouts   Number of authorization timeouts for the host
Acct Requests     Number of accounting requests sent to the host
Acct Replies      Number of accounting replies received from the host
Acct Pending      Number of expected but not received accounting replies from the host
Acct Timeouts     Number of accounting timeouts for the host

Related Documentation
• show statistics tacacs
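The following health check, an example added here rather than code from the guide or from Juniper, parses the show statistics tacacs output into per-host counters and applies two checks a practitioner would want on a schedule: for each service, Requests must equal Replies + Pending + Timeouts (the identity the counters in Table 75 satisfy), and the share of requests that timed out must stay below a threshold. SAMPLE_OUTPUT is a constructed copy of the output shown above; the 10% threshold is an assumption for the example.

```python
import re

# Constructed copy of the show statistics tacacs output shown above.
SAMPLE_OUTPUT = """\
TACACSPLUS Statistics
---------------------
Statistic          10.5.0.174   10.5.1.199
------------------------------------------
Search Order                1            2
TCP Port                 3049         4049
Auth Requests             140            0
Auth Replies               85            0
Auth Pending               43            0
Auth Timeouts              12            0
Author Requests          6399           97
Author Replies           6301            0
Author Pending              0            0
Author Timeouts            98           97
Acct Requests            6321           37
Acct Replies             6280            0
Acct Pending                4            0
Acct Timeouts              37           37
"""

IP_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")
SERVICES = ("Auth", "Author", "Acct")   # authentication, authorization, accounting


def parse_statistics(text):
    """Return {host_ip: {statistic_name: int}} from the CLI output. The header
    row starting with 'Statistic' names one column per configured host."""
    hosts, stats = [], {}
    for line in text.splitlines():
        if line.startswith("Statistic"):
            hosts = IP_RE.findall(line)
            stats = {h: {} for h in hosts}
            continue
        if not hosts or not line.strip() or line.startswith("-"):
            continue
        parts = line.split()
        name, values = " ".join(parts[:-len(hosts)]), parts[-len(hosts):]
        if len(parts) > len(hosts) and all(v.isdigit() for v in values):
            for host, v in zip(hosts, values):
                stats[host][name] = int(v)
    return stats


def counter_mismatches(host_stats):
    """Services for which Requests != Replies + Pending + Timeouts."""
    bad = []
    for svc in SERVICES:
        sent = host_stats.get(f"{svc} Requests", 0)
        accounted = sum(host_stats.get(f"{svc} {k}", 0)
                        for k in ("Replies", "Pending", "Timeouts"))
        if sent != accounted:
            bad.append(svc)
    return bad


def timeout_ratio(host_stats, svc):
    """Fraction of requests for a service that timed out (0.0 if none were sent)."""
    sent = host_stats.get(f"{svc} Requests", 0)
    return host_stats.get(f"{svc} Timeouts", 0) / sent if sent else 0.0


def assess(text, max_timeout_ratio=0.10):
    """Return {host: [findings]}; an empty list means the host looks healthy.
    The 10% threshold is an assumption for this example."""
    report = {}
    for host, s in parse_statistics(text).items():
        findings = [f"{svc} counters do not add up" for svc in counter_mismatches(s)]
        for svc in SERVICES:
            ratio = timeout_ratio(s, svc)
            if ratio > max_timeout_ratio:
                findings.append(f"{svc}: {ratio:.0%} of requests timed out")
        report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in assess(SAMPLE_OUTPUT).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

In the sample the second host answers nothing: every authorization and accounting request sent to it timed out. With a login method list such as tacacs+ radius enable, a TACACS+ host that cannot be reached means the router falls back to the later methods, so a report like this is also a sign that logins may be authenticated by RADIUS or the enable password rather than by TACACS+. Because the counters are cumulative, run baseline tacacs first and compare show tacacs delta output if you want the ratio for a recent window.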
Monitoring TACACS+ Information
Purpose: Display TACACS+ information.
Action: To display TACACS+ information:
host1#show tacacs
Key = hippo
Timeout = <NOTSET>, built-in timeout of 5 will be used
Source-address = <NOTSET>
Retry-attempts = 3
TACACS+ Configuration, (*) denotes inherited
--------------------------------------------
             Tcp                                    Search
IP Address   Port   Timeout   Primary   Key         Order
---------------------------------------------------------
10.5.0.174   3049   5 (*)     y         hippo (*)   1
10.5.1.199   1049   5 (*)     n         hippo (*)   2
To display overall statistics:
host1#show tacacs statistics
To display statistics since they were baselined; deltas are not calculated for the pending statistics:
host1#show tacacs delta
Meaning: Table 76 on page 307 lists the show tacacs command output fields.
Table 76: show tacacs Output Fields

Field Name                 Field Description
Key                        Authentication and encryption key
Timeout                    TACACS+ host response timeout in seconds
Source-address             Alternative source IP address configured
Retry-attempts             Number of retry attempts that will be made to establish a TCP connection between a TACACS+ client and the TACACS+ server
TACACSPLUS Configuration   Table contains statistics for each host
IP Address                 IP address of the host
TCP Port                   TCP port of the host for each IP address
Timeout                    Timeout interval in seconds for each IP address
Primary                    This IP address’s primary host; options: y = yes, n = no
Key                        Authentication and encryption key for this IP address
Search Order               The order in which requests are sent to hosts until a response is received

Related Documentation
• show tacacs
PART 3
Managing L2TP
• L2TP Overview on page 311
• Configuring an L2TP LAC on page 319
• Configuring an L2TP LNS on page 353
• Configuring L2TP Dial-Out on page 391
• L2TP Disconnect Cause Codes on page 405
• Monitoring L2TP and L2TP Dial-Out on page 411
CHAPTER 12
L2TP Overview
Layer 2 Tunneling Protocol (L2TP) is a client-server protocol that allows Point-to-Point
Protocol (PPP) to be tunneled across a network. This chapter includes the following
topics that provide information for configuring L2TP on the Juniper Networks E Series
Broadband Services Routers.
• L2TP Overview on page 311
• L2TP Terminology on page 312
• Implementing L2TP on page 313
• Packet Fragmentation on page 315
• L2TP Platform Considerations on page 315
• L2TP Module Requirements on page 316
• Sessions and Tunnels Supported on page 317
• L2TP References on page 318
L2TP Overview
L2TP encapsulates layer 2 packets, such as PPP, for transmission across a network. An
L2TP access concentrator (LAC), configured on an access device, such as an E Series
router, receives packets from a remote client and forwards them to an L2TP network
server (LNS), on a remote network.
You can configure your router to act as an LAC in pass-through mode in which the LAC
receives packets from a remote client and then forwards them at layer 2 directly to the
LNS.
The E Series router creates tunnels dynamically by using authentication, authorization,
and accounting (AAA) authentication parameters and transmits L2TP packets to the
LNS via IP/User Datagram Protocol (UDP). Traffic travels in an L2TP session. A tunnel is
an aggregation of one or more sessions. Figure 7 on page 312 and Figure 8 on page 312
show the E Series router in typical LAC and LNS arrangements.
Figure 7: Using the E Series Router as an LAC
Figure 8: Using the E Series Router as an LNS
NOTE: The E Series router does not support terminating both ends of a tunnel
or session in the same router.
L2TP Terminology
Table 77 on page 312 describes the basic terms for L2TP.
Table 77: L2TP Terms

Term                         Description
Attribute value pair (AVP)   Combination of a unique attribute—represented by an integer—and a value containing the actual value identified by the attribute.
LAC                          L2TP access concentrator (LAC)—a node that acts as one side of an L2TP tunnel endpoint and is a peer to the LNS. An LAC sits between an LNS and a remote system and forwards packets to and from each.
Call                         A connection (or attempted connection) between a remote system and an LAC.
LNS                          L2TP network server (LNS)—a node that acts as one side of an L2TP tunnel endpoint and is a peer to the LAC. An LNS is the logical termination point of a PPP connection that is being tunneled from the remote system by the LAC.
Peer                         In the L2TP context, refers to either the LAC or LNS. An LAC’s peer is an LNS, and vice versa.
Proxy authentication         Authentication data from the PPP client that is sent from the LNS as part of a proxy LCP. Data might include attributes such as authentication type, authentication name, and authentication challenge.
Proxy LCP                    LCP (Link Control Protocol) negotiation that is performed by the LAC on behalf of the LNS. Proxy sent by the LAC to the LNS containing attributes such as the last configuration attributes sent and received from the client.
Remote system                An end-system or router attached to a remote access network, which is either the initiator or recipient of a call.
Session                      A logical connection created between the LAC and the LNS when an end-to-end PPP connection is established between a remote system and the LNS. NOTE: There is a one-to-one relationship between established L2TP sessions and their associated PPP connections.
Tunnel                       A connection between an LAC-LNS pair consisting of a control connection and 0 or more L2TP sessions.
Implementing L2TP
The implementation of L2TP for the E Series router uses four levels:
• System—The router
• Destination—The remote L2TP system
• Tunnel—A direct path between the LAC and the LNS
• Session—A PPP connection in a tunnel
When the router has established destinations, tunnels, and sessions, you can control the
L2TP traffic. Making a change to a destination affects all tunnels and sessions to that
destination; making a change to a tunnel affects all sessions in that tunnel. For example,
closing a destination closes all tunnels and sessions to that destination.
Sequence of Events on the LAC
The E Series router creates destinations, tunnels, and sessions dynamically, as follows:
1. The client initiates a PPP connection with the router.
2. The router and the client exchange Link Control Protocol (LCP) packets. For details
about negotiating PPP connections, see the Configuring Point-to-Point Protocol chapter
in JunosE Link Layer Configuration Guide.
3. By using either a local database related to the domain name or RADIUS authentication,
the router determines either to terminate or to tunnel the PPP connection.
4. If the router discovers that it should tunnel the session, it does the following:
a. Sets up a new destination or selects an existing destination.
b. Sets up a new tunnel or selects an existing tunnel.
c. Opens a new session.
5. The router forwards the results of the LCP negotiations and authentication to the
LNS.
A PPP connection now exists between the client and the LNS.
NOTE: The router discards received packets if the size of the variable-length,
optional offset pad field in the L2TP header is too large. The router always
supports packets that have an offset pad field of up to 16 bytes, and may
support larger offset pad fields, depending on other information in the header.
This restriction is a possible, although unlikely, cause of excessive discarding
of L2TP packets.
Sequence of Events on the LNS
The E Series router sets up an LNS as follows:
1. An LAC initiates a tunnel with the router.
2. The router verifies that a tunnel with this LAC is valid—destination configured,
hostname and tunnel password correct.
3. The router completes the tunnel setup with the LAC.
4. The LAC sets up a session with the router.
5. The router creates a dynamic PPP interface on top of the session.
6. If they are enabled and present, the router takes the proxy LCP and the proxy
authentication data and passes them to PPP.
7. The E Series PPP processes the proxy LCP, if it is present, and, if acceptable, places
LCP on the router in opened state without renegotiation of LCP.
NOTE: If proxy LCP is not present or not acceptable, the router negotiates
LCP with the remote system.
8. The E Series PPP processes the proxy authentication data, if it is present, and passes
the data to AAA for verification. (If the data is not present, E Series PPP requests the
data from the remote system.)
9. The router passes the authentication results to the remote system.
Packet Fragmentation
The E Series router supports the reassembly of IP-fragmented L2TP packets. (For more
information, see the IP Reassembly for Tunnels chapter in JunosE IP Services Configuration
Guide.) However, it is preferable to prevent fragmentation within L2TP tunnels because
of the effects of fragmentation and reassembly on performance.
To prevent fragmentation, PPP LCP negotiation of the maximum receive unit (MRU)
may be used to determine a proper maximum transmission unit (MTU). However, the
normal automatic method of determining the proper MRU to negotiate (by evaluating
the MRU of all lower layers in the interface stack) is not adequate for L2TP. The initial
LCP negotiation between PPP in the client and the LAC is inadequate because it does
not cover the entire extent of the eventual PPP session that travels all the way from the
client to the LNS. Furthermore, even if PPP in the LNS chooses to renegotiate the MRU,
it has no way to determine the proper MRU, since it does not know the minimum MRU
on all of the intervening links between it and the LAC.
To overcome the inadequacy of normal determination of the MRU under such
circumstances, you can configure the PPP MRU size by using the ppp mru command in
Profile Configuration mode, Interface Configuration mode, or Subinterface Configuration
mode. Use Profile Configuration mode for dynamic PPP interfaces, and Interface
Configuration mode or Subinterface Configuration mode for static PPP interfaces.
When you specify the size, you need to take into account the MRU for all possible links
between the LAC and the LNS. You must also take into account the L2TP encapsulation
that is added to all packets entering the tunnel.
For example, if the link between the LAC and LNS with the lowest MRU were an Ethernet
link, the following calculation applies:
Minimum link MRU                                                    1500
L2TP encapsulating IP header                                         -20
L2TP encapsulating UDP header                                         -8
Maximum L2TP header (assumes a maximum of 16 bytes of Offset Pad)    -30
MRU size to specify                                                 1442
If the smallest intervening link is an Ethernet link, specifying ppp mru 1442 at either the
LAC or LNS guarantees that no fragmentation will occur within the L2TP tunnel.
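The calculation above, carried through in code as an added example (not from the guide or from Juniper's software): the L2TP header size is derived from which optional RFC 2661 header fields are present instead of being assumed, and the result is checked against the link MRU. It goes a little beyond the table by also allowing an IPv6 transport header (40 bytes); the IP and UDP sizes assume no IP options or extension headers, and, as in the guide's table, the PPP header carried inside the tunnel is not subtracted.

```python
# IP and UDP header sizes with no options or extension headers (assumption).
IP_HEADER = {"ipv4": 20, "ipv6": 40}
UDP_HEADER = 8


def l2tp_header_size(length_field=True, sequence=True, offset=True, offset_pad=16):
    """Size of the RFC 2661 L2TP data header. Flags/Version, Tunnel ID and Session ID
    are always present; Length (L bit), Ns/Nr (S bit) and Offset Size plus the
    offset pad (O bit) are optional. All optional fields present with a 16-byte
    pad gives the 30 bytes the guide's table uses."""
    size = 2 + 2 + 2
    if length_field:
        size += 2
    if sequence:
        size += 2 + 2
    if offset:
        size += 2 + offset_pad
    return size


def tunnel_overhead(ip_version="ipv4", **l2tp_opts):
    """Bytes added to every packet entering the tunnel: IP + UDP + L2TP header."""
    return IP_HEADER[ip_version] + UDP_HEADER + l2tp_header_size(**l2tp_opts)


def ppp_mru_for_tunnel(min_link_mru, ip_version="ipv4", **l2tp_opts):
    """Largest PPP MRU to configure (ppp mru <n>) so that no packet needs IP
    fragmentation on the smallest link between LAC and LNS."""
    overhead = tunnel_overhead(ip_version, **l2tp_opts)
    if min_link_mru <= overhead:
        raise ValueError("link MRU %d cannot carry L2TP overhead of %d" % (min_link_mru, overhead))
    return min_link_mru - overhead


def fragments_on_link(ppp_mru, min_link_mru, ip_version="ipv4", **l2tp_opts):
    """True if a full-size PPP frame at this MRU exceeds the link MRU after
    encapsulation, i.e. the configured MRU is too large for the tunnel."""
    return ppp_mru + tunnel_overhead(ip_version, **l2tp_opts) > min_link_mru


if __name__ == "__main__":
    print("Ethernet link, IPv4 transport:", ppp_mru_for_tunnel(1500))        # 1442, as in the guide
    print("Ethernet link, IPv6 transport:", ppp_mru_for_tunnel(1500, "ipv6"))
    print("ppp mru 1500 would fragment:", fragments_on_link(1500, 1500))
```

The value to configure is the one for the worst case the tunnel can see: a 1442-byte MRU leaves room for the largest header the router accepts (including the 16-byte offset pad), so a peer that sends the optional fields does not push packets over the Ethernet MRU.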
L2TP Platform Considerations
For information about modules that support LNS and LAC on the ERX7xx models, ERX14xx
models, and the ERX310 Broadband Services Router:
• See ERX Module Guide, Table 1, ERX Module Combinations for detailed module specifications.
• See ERX Module Guide, Appendix A, Module Protocol Support for information about the modules that support LNS and LAC.
For information about modules that support LNS and LAC on the E120 and E320 Broadband Services Routers:
• See E120 and E320 Module Guide, Table 1, Modules and IOAs for detailed module specifications.
• See E120 and E320 Module Guide, Appendix A, IOA Protocol Support for information about the modules that support LNS and LAC.
L2TP Module Requirements
The modules supported for LNS depend on the type of E Series router that you have.
ERX7xx Models, ERX14xx Models, and the ERX310 Router
To use an LNS on ERX7xx models, ERX14xx models, and the ERX310 router, at least one
Service line module (SM) or a module that supports the use of shared tunnel-server ports
must be installed in the ERX router. For information about installing modules in the ERX
router, see the ERX Hardware Guide.
SMs provide dedicated tunnel-server ports that are always configured on the module.
Unlike other line modules, SMs do not pair with corresponding I/O modules that contain
ingress and egress ports. Instead, they receive data from and transmit data to other line
modules with access to ingress and egress ports on their own associated I/O modules.
You can also create tunnels on E Series modules that support shared tunnel-server ports.
You can configure (provision) a shared tunnel-server port to use a portion of the module’s
bandwidth to provide tunnel services. For a list of the modules that support shared
tunnel-server ports, see the ERX Module Guide.
When you configure the GE-2 line module or the GE-HDE line module with a shared
tunnel-server port, the available bandwidth for tunnel services is limited to 0.5 Gbps per
module. When you configure the ES2 4G line module with a shared tunnel-server port,
the available bandwidth for tunnel services is limited to 0.8 Gbps per module.
For information about configuring tunnel services on dedicated and shared tunnel-server
ports, see the Managing Tunnel-Service and IPSec-Service Interfaces chapter in JunosE
Physical Layer Configuration Guide.
For information about line modules supported by the LAC and LNS and the type of support
each module type receives, see ERX Module Guide, Appendix A, Module Protocol Support.
E120 Router and E320 Router
To use an LNS on an E120 router or an E320 router, you must install an ES2 4G line module
(LM) or an ES2 10G ADV LM with an ES2-S1 Service I/O adapter (IOA). With the ES2 4G
LM, it is also possible to use an LNS with an IOA that supports the use of shared
tunnel-server ports. For information about installing modules in these routers, see the
E120 and E320 Hardware Guide.
The combination of an ES2 4G LM or an ES2 10G ADV LM with an ES2-S1 Service IOA
provides a dedicated tunnel-server port that is always configured on the IOA. Unlike SMs,
the ES2 4G LM and the ES2 10G ADV LM require the ES2-S1 Service IOA to receive data
from and transmit data to other line modules. The ES2-S1 Service IOA also does not have
ingress or egress ports. The ES2 10G ADV LM with the ES2-S1 Service IOA supports L2TP
LNS functionality, which supports IPv4 as well as IPv6 encapsulated within PPP and L2TP
over IPv4.
You can also create tunnels on IOAs that support shared tunnel-server ports. You can
configure (provision) a shared tunnel-server port to use a portion of the bandwidth of
the IOA to provide tunnel services. For a list of the IOAs that support shared tunnel-server
ports, see the E120 and E320 Module Guide.
For information about IOAs that are supported by the LAC and LNS and the type of
support each module type receives, see E120 and E320 Module Guide, Appendix A, IOA
Protocol Support.
Sessions and Tunnels Supported
The E120 and E320 routers support 60,000 L2TP sessions, the ERX1440 router supports
32,000 L2TP sessions, and all other E Series routers support a maximum of 16,000 L2TP
sessions. The following guidelines apply:
• On all E Series routers
  The SM and the ES2-S1 Service IOA both support the termination of 16,000 LNS sessions per module. Therefore, if you want to apply input or output policies to all of the available LNS sessions, you can only terminate a maximum of 8000 sessions per module.
• On the E120 router, E320 router, and the ERX1440 router
  You can create a systemwide maximum of 60,000 sessions per E120 or E320 router or 32,000 sessions per ERX1440 router. The maximum session limit is spread in any combination across a maximum of 8000 tunnels. For a router that is operating as an LAC for some tunnels and as an LNS for others, the 8000 tunnels and the router’s applicable maximum sessions limits apply to the combined total of LAC and LNS tunnels and sessions.
• On all E Series routers except the ERX1440 router, E120 router, and the E320 router
  You can create a systemwide maximum of 16,000 sessions spread in any combination across a maximum of 8000 tunnels shared between an LAC and an LNS. For a router that is operating as an LAC for some tunnels and as an LNS for others, the 8000 tunnels and 16,000 sessions limits apply to the combined total of LAC and LNS tunnels and sessions.
  NOTE: In previous releases, the JunosE Software required that you use the license l2tp-session command to configure a license to enable support for the maximum allowable L2TP sessions on ERX1440 routers, E120 routers, and E320 routers. The license l2tp-session command still appears in the CLI, but it has no effect on the actual enforced limit. The reported license limit is 60,000. The show license l2tp-session command also still appears in the CLI.
• To obtain the maximum number of ingress and egress policy attachments supported for L2TP sessions, see JunosE Release Notes, Appendix A, System Maximums.
L2TP References
For more information about L2TP, see the following resources:
•
RFC 2661—Layer Two Tunneling Protocol “ L2TP” (August 1999)
•
RFC 3145—L2TP Disconnect Cause Information (July 2001)
•
Fail Over extensions for L2TP “ failover” —draft-ietf-l2tpext-failover-06.txt (April 2006
expiration)
•
RFC 4951—Fail Over Extensions for Layer 2 Tunneling Protocol (L2TP) "failover" (August
2007)
For information about L2TP high availability support, see the Managing High Availability
chapter in JunosE System Basics Configuration Guide.
For information about setting up policy-based routing features for L2TP, such as rate
limit profiles, classifier control lists, and policy lists, see the JunosE Policy Management
Configuration Guide.
For information about creating and attaching QoS profiles to L2TP sessions, see the
JunosE Quality of Service Configuration Guide.
For information about how to secure Layer 2 Tunneling Protocol (L2TP) tunnels with IP
Security (IPSec) on your E Series router, see the Securing L2TP and IP Tunnels with IPSec
chapter in JunosE IP Services Configuration Guide.
CHAPTER 13
Configuring an L2TP LAC
An L2TP access concentrator (LAC) receives packets from a remote client and forwards
them to an L2TP network server (LNS), on a remote network. You can configure your
E Series router to function as an LAC.
This chapter includes the following topics that provide information for configuring an
L2TP LAC on the E Series router:
• LAC Configuration Prerequisites on page 319
• Modifying L2TP LAC Default Settings for Managing Destinations, Tunnels, and
Sessions on page 320
• Generating UDP Checksums in Packets to L2TP Peers on page 321
• Specifying a Destruct Timeout for L2TP Tunnels and Sessions on page 322
• Preventing Creation of New Destinations, Tunnels, and Sessions on page 322
• Shutting Down Destinations, Tunnels, and Sessions on page 324
• Specifying the Number of Retransmission Attempts on page 325
• Configuring Calling Number AVP Formats on page 325
• Mapping a User Domain Name to an L2TP Tunnel Overview on page 334
• Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel
Mode on page 335
• Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel
Mode on page 339
• Transmission of the Subscriber Access Interface Speed to LNS Using the RX
Connect-Speed AVP on page 341
• Configuring the RX Speed on the LAC on page 343
• Managing the L2TP Destination Lockout Process on page 344
• Managing Address Changes Received from Remote Endpoints on page 347
• Configuring LAC Tunnel Selection Parameters on page 348
LAC Configuration Prerequisites
Before you begin configuring the router as a LAC, perform the following steps:
1. Create a virtual router.
host1(config)#virtual-router west
2. Assign a router ID IP address, such as that for a loopback interface, to the virtual router.
This address must be reachable by the L2TP peer.
host1:west(config)#ip router-id 10.10.45.3
CAUTION: You must explicitly assign a router ID to a virtual router rather
than using a dynamically assigned router ID. A fixed ID is required because
every time the ID changes, L2TP must disconnect all existing tunnels and
sessions that use the old ID. If you use a dynamically assigned router ID,
the value can change without warning, leading to failure of all L2TP tunnels
and sessions. Also, the router could dynamically assign a router ID that is
not reachable by the L2TP peer, causing a complete failure of L2TP. You
must set the router ID even if you specified a source address in the domain
map or a local address in the host profile.
3. When configuring the router as a LAC, configure the router or virtual router for
Broadband Remote Access Server (B-RAS).
NOTE: If you are using shared tunnel-server ports, you must configure
the shared tunnel-server ports before you configure Layer 2 Tunneling
Protocol (L2TP) network server (LNS) support. You use the tunnel-server
command in Global Configuration mode to specify the physical location
of the shared tunnel-server port that you want to configure.
See JunosE Physical Layer Configuration Guide for additional information
about the tunnel-server command and shared tunnel-server ports.
Related Documentation
• virtual-router
• ip router-id
Modifying L2TP LAC Default Settings for Managing Destinations, Tunnels, and Sessions
Configuring an E Series router for B-RAS enables the router to operate as an LAC with
default settings. You can modify the default settings as follows:
• Enable the verification of data integrity via UDP.
• Specify the time period for which the router maintains dynamic destinations, tunnels,
or sessions after termination.
NOTE: The previous two operations also apply to an LNS, however there
is no default configuration that enables the LNS.
When the router is established as an LAC or LNS and is creating destinations, tunnels,
and sessions, you can manage them as follows:
• Prevent the creation of new sessions, tunnels, and destinations.
• Close and reopen all or selected destinations, tunnels, and sessions.
• Configure drain timeout operations, which control the amount of time a disconnected
LAC tunnel waits before restarting after receiving a restart request.
• Configure how many times the router retries a transmission if the initial attempt is
unsuccessful.
NOTE: All the commands in this section apply to both the LAC and the
LNS.
Related Documentation
• Generating UDP Checksums in Packets to L2TP Peers on page 321
• Specifying a Destruct Timeout for L2TP Tunnels and Sessions on page 322
• Preventing Creation of New Destinations, Tunnels, and Sessions on page 322
• Shutting Down Destinations, Tunnels, and Sessions on page 324
• Specifying the Number of Retransmission Attempts on page 325
Generating UDP Checksums in Packets to L2TP Peers
You can configure the router to generate a UDP data integrity checksum in data packets
sent to an L2TP peer. The router always uses UDP checksums during transmission and
reception of L2TP control packets. Generation of checksums is disabled by default.
• To enable generation of UDP checksums:
host1(config)#l2tp checksum
NOTE: This command does not affect the way the router checks the UDP
data integrity checksum in L2TP data packets that are received from an
L2TP peer. The router checks all non-zero received checksums and discards
the packet if a data integrity problem is detected.
L2TP checksum generation support is available on an ES2 10G Uplink LM
and an ES2 4G LM only. It is not supported on an ES2 10G LM and an ES2
10G ADV LM. If an ES2 10G LM or an ES2 10G ADV LM is present when L2TP
checksum is enabled, the checksum is not calculated and its value is set
to zero.
Related Documentation
• l2tp checksum
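To make the receive rule in the note above concrete, here is an added example (Python, not JunosE code) that builds a minimal L2TPv2 data packet inside a UDP datagram, generates the RFC 768 checksum on request (the behaviour that l2tp checksum turns on), and applies the documented check on receipt: a zero checksum is left unchecked, and a non-zero checksum that fails verification means the packet is discarded. The addresses, ports, tunnel ID, session ID and payload are constructed sample values.

```python
"""UDP checksum generation and verification for L2TP data packets.

Added example, not JunosE code. Constructed sample values throughout.
"""
import struct

UDP_PROTO = 17
L2TP_PORT = 1701
L2TPV2_DATA_FLAGS = 0x0002  # T=0 (data message), L/S/O bits clear, Ver=2


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd-length input is padded with one zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_length: int) -> bytes:
    """IPv4 pseudo-header that RFC 768 prepends to the datagram for the checksum."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, udp_length)


def udp_checksum(src_ip: bytes, dst_ip: bytes, datagram: bytes) -> int:
    """Checksum of a datagram whose checksum field is still zero."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(datagram)) + datagram)
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones


def build_l2tp_data_packet(src_ip, dst_ip, tunnel_id, session_id, payload, generate_checksum):
    """Return UDP header + L2TPv2 data header + payload; checksum only if requested."""
    l2tp = struct.pack("!HHH", L2TPV2_DATA_FLAGS, tunnel_id, session_id) + payload
    length = 8 + len(l2tp)
    datagram = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, length, 0) + l2tp
    if generate_checksum:
        csum = udp_checksum(src_ip, dst_ip, datagram)
        datagram = datagram[:6] + struct.pack("!H", csum) + datagram[8:]
    return datagram


def receive_check(src_ip, dst_ip, datagram):
    """Documented receive rule: zero checksum is not checked; a non-zero one
    that does not verify causes the packet to be discarded."""
    received = struct.unpack("!H", datagram[6:8])[0]
    if received == 0:
        return "unchecked"
    # With the checksum field included, a correct datagram sums to all ones.
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(datagram)) + datagram)
    return "accepted" if total == 0xFFFF else "discarded"


if __name__ == "__main__":
    src, dst = bytes([10, 10, 45, 3]), bytes([172, 31, 1, 98])  # constructed
    pkt = build_l2tp_data_packet(src, dst, 7, 3, b"PPP payload", True)
    print(receive_check(src, dst, pkt))
    corrupted = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print(receive_check(src, dst, corrupted))
```

The sample payload has odd length, so the padding step of the one's complement sum is exercised; flipping any bit of a checksummed packet changes the sum and the receiver reports it as discarded, while a packet sent without a checksum is accepted without any integrity check at all.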
Specifying a Destruct Timeout for L2TP Tunnels and Sessions
You can specify the maximum time period, in the range 10–3600 seconds
(1 hour), for which the router attempts to maintain dynamic destinations, tunnels, and
sessions after they have been destroyed. The router uses a timeout of 600 seconds by
default.
This command facilitates debugging and other analysis by saving underlying memory
structures after the destination, tunnel, or session is terminated.
Any specific dynamic destination, tunnel, or session may not be maintained for this entire
time period if the resources must be reclaimed early to allow new tunnels to be
established.
When a subscriber is terminated, the server port that hosted the subscriber session is
released after the dynamic interface destruct timeout is exceeded. The server port that
is released is available for a new incoming-call request (ICRQ) packet that the LAC sends
to the LNS. Until the time any server port is available to be used for a new incoming call,
new ICRQ packets are denied because of a lack of system resources.
TIP: If you use the l2tp destination lockout timeout command to configure
an optional lockout timeout, always configure the destruct timeout to be
longer than the lockout timeout. The destruct timeout overrides the lockout
timeout—when the destruct timeout expires, all information about the locked
out destination is deleted, including the lockout timeout and lockout test
settings. See “Managing the L2TP Destination Lockout Process” on page 344.
• To specify a destruct timeout:
host1(config)#l2tp destruct-timeout 1200
Related Documentation
• l2tp destruct-timeout
Preventing Creation of New Destinations, Tunnels, and Sessions
You can configure several L2TP drain operations, which determine how the router creates
new L2TP destinations, tunnels, and sessions. You can manage the following features:
1. Preventing Creation of New Destinations, Tunnels, and Sessions on the
Router on page 323
2. Preventing Creation of New Tunnels and Sessions at a Destination on page 323
3. Preventing Creation of New Sessions for a Tunnel on page 323
4. Specifying a Drain Timeout for a Disconnected Tunnel on page 323
Preventing Creation of New Destinations, Tunnels, and Sessions on the Router
You use the l2tp drain command to prevent the creation of new destinations, tunnels,
and sessions on the router.
The l2tp drain command and the l2tp shutdown command both affect the administrative
state of L2TP on the router. Although each command has a different effect, the no version
of each command is equivalent. Each command’s no version leaves L2TP in the enabled
state.
• To prevent the creation of new destinations, tunnels, and sessions:
host1(config)#l2tp drain
Preventing Creation of New Tunnels and Sessions at a Destination
You use the l2tp drain destination command to prevent the creation of new tunnels and
sessions at a specific destination.
The l2tp drain destination command and the l2tp shutdown destination command
both affect the administrative state of L2TP for the destination. Although each command
has a different effect, the no version of each command is equivalent. Each command’s
no version leaves L2TP in the enabled state.
• To prevent the creation of new tunnels and sessions at the specified destination:
host1(config)#l2tp drain destination ip 172.31.1.98
Preventing Creation of New Sessions for a Tunnel
Use the l2tp drain tunnel command to prevent the creation of new sessions for a tunnel.
The l2tp drain tunnel command and the l2tp shutdown tunnel command both affect
the administrative state of L2TP for the tunnel. Although each command has a different
effect, the no version of each command is equivalent. Each command’s no version leaves
L2TP in the enabled state.
• To prevent the creation of new sessions for a specific tunnel:
host1(config)#l2tp drain tunnel virtual-router default ip 172.31.1.98 isp.com
Specifying a Drain Timeout for a Disconnected Tunnel
Use the l2tp tunnel short-drain-timeout command to specify the amount of time a
disconnected LAC L2TP tunnel waits before restarting after it receives a restart request.
You can specify a drain timeout in the range 0–31 seconds. This feature enables the
router to restart tunnels more quickly than the standard 31-second drain time specified
by RFC-2661. By default, the router uses a short-drain timeout of 2 seconds.
• To specify the short-drain timeout:
host1(config)#l2tp tunnel short-drain-timeout 12
Shutting Down Destinations, Tunnels, and Sessions
You can configure how the router shuts down L2TP destinations, tunnels, and sessions.
You can specify the following shut down methods, which also prevent the creation of
new tunnels:
1. Closing Existing and Preventing New Destinations, Tunnels, and Sessions on the
Router on page 324
2. Closing Existing and Preventing New Tunnels and Sessions for a Destination on page 324
3. Closing Existing and Preventing New Sessions in a Specific Tunnel on page 324
4. Closing a Specific Session on page 325
Closing Existing and Preventing New Destinations, Tunnels, and Sessions on the Router
You use the l2tp shutdown command to close all existing destinations, tunnels, and
sessions, and to prevent the creation of new destinations, tunnels, and sessions on the
router.
The l2tp shutdown command and the l2tp drain command both affect the administrative
state of L2TP on the router. Although each command has a different effect, the no version
of each command is equivalent. Each command’s no version leaves L2TP in the enabled
state.
• To close all destinations, tunnels, and sessions on the router:
host1(config)#l2tp shutdown
Closing Existing and Preventing New Tunnels and Sessions for a Destination
You use the l2tp shutdown destination command to close all existing tunnels and
sessions for a destination and to prevent the creation of tunnels and sessions for that
destination.
The l2tp shutdown destination command and the l2tp drain destination command
both affect the administrative state of L2TP for the destination. Although each command
has a different effect, the no version of each command is equivalent. Each command’s
no version leaves L2TP in the enabled state.
• To close tunnels and sessions, and prevent creation of new tunnels and sessions for
the specified destination:
host1(config)#l2tp shutdown destination 1
Closing Existing and Preventing New Sessions in a Specific Tunnel
You use the l2tp shutdown tunnel command to close all sessions in a tunnel and to
prevent the creation of sessions in a tunnel.
The l2tp shutdown tunnel command and the l2tp drain tunnel command both affect
the administrative state of L2TP for the tunnel. Although each command has a different
effect, the no version of each command is equivalent. Each command’s no version leaves
L2TP in the enabled state.
• To close all existing sessions in a specific tunnel and prevent creation of new sessions:
host1(config)#l2tp shutdown tunnel 1/isp.com
Closing a Specific Session
You use the l2tp shutdown session command to close the specified session.
• To close a specific session:
host1(config)#l2tp shutdown session 1/1/1
Specifying the Number of Retransmission Attempts
You can specify the number of retransmission attempts the router uses for tunnels, in
the range 2–30. By default, the router uses a retry count of 5.
Use the established keyword to apply the retry count only to established tunnels. Use
the not-established keyword to apply the retry count only to tunnels that are not
established. If you do not include a keyword, the router applies the retry count to both
established and nonestablished tunnels.
• To configure the number of retransmission attempts:
host1(config)#l2tp retransmission 4 established
If you perform a stateful SRP switchover on an LNS device, we recommend that you
configure the maximum number of retransmission attempts as 10, although the default
number of attempts is 5. This recommendation applies for all types of L2TP peer
resynchronization methods configured for LNS devices.
Related Documentation
• l2tp retransmission
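The settings in this section and the preceding ones (destruct timeout, drain and shutdown state, short-drain timeout, retransmission count) have documented ranges and one documented relationship: the destruct timeout must be longer than the lockout timeout. The following added example, not JunosE code, audits a constructed configuration fragment against those rules, applying the established / not-established keyword semantics and the equivalence of no l2tp drain and no l2tp shutdown. The line form l2tp destination lockout timeout <seconds> is an assumption; this chapter names the command but does not show its syntax.

```python
"""Audit L2TP LAC/LNS management settings against the documented rules.

Added example, not JunosE code. SAMPLE_CONFIG is a constructed fragment.
Assumption: lockout timeout is written 'l2tp destination lockout timeout N'.
"""

RANGES = {
    "destruct-timeout": (10, 3600),   # seconds, default 600
    "short-drain-timeout": (0, 31),   # seconds, default 2
    "retransmission": (2, 30),        # attempts, default 5
}


def _checked(name, value, findings):
    """Record a finding when a value is outside its documented range."""
    lo, hi = RANGES[name]
    if not lo <= value <= hi:
        findings.append(f"{name} {value} is outside the documented range {lo}-{hi}")
    return value


def parse_l2tp_config(text):
    """Return the effective L2TP settings (documented defaults unless overridden)."""
    cfg = {
        "destruct-timeout": 600,
        "short-drain-timeout": 2,
        "retransmission": {"established": 5, "not-established": 5},
        "lockout-timeout": None,
        "checksum": False,          # generation is disabled by default
        "admin-state": "enabled",   # enabled | drain | shutdown
        "range-findings": [],
    }
    for raw in text.splitlines():
        words = raw.split()
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if len(words) < 2 or words[0] != "l2tp":
            continue
        args = words[1:]
        if args[0] == "destruct-timeout" and not negate:
            cfg["destruct-timeout"] = _checked("destruct-timeout", int(args[1]), cfg["range-findings"])
        elif args[:2] == ["tunnel", "short-drain-timeout"] and not negate:
            cfg["short-drain-timeout"] = _checked("short-drain-timeout", int(args[2]), cfg["range-findings"])
        elif args[0] == "retransmission" and not negate:
            count = _checked("retransmission", int(args[1]), cfg["range-findings"])
            # Without a keyword the count applies to both tunnel classes.
            for scope in args[2:3] or ["established", "not-established"]:
                cfg["retransmission"][scope] = count
        elif args[:3] == ["destination", "lockout", "timeout"] and not negate:
            cfg["lockout-timeout"] = int(args[3])  # assumed syntax
        elif args == ["checksum"]:
            cfg["checksum"] = not negate
        elif args in (["drain"], ["shutdown"]):
            # 'no l2tp drain' and 'no l2tp shutdown' are equivalent: both re-enable L2TP.
            cfg["admin-state"] = "enabled" if negate else args[0]
    return cfg


def audit(cfg, lns_stateful_srp=False):
    """Return a list of findings; empty means no documented rule is violated."""
    findings = list(cfg["range-findings"])
    lock = cfg["lockout-timeout"]
    if lock is not None and cfg["destruct-timeout"] <= lock:
        findings.append(
            f"destruct-timeout {cfg['destruct-timeout']} does not exceed lockout timeout "
            f"{lock}: lockout state is deleted when the destruct timeout expires")
    if lns_stateful_srp:
        for scope, count in cfg["retransmission"].items():
            if count < 10:
                findings.append(f"retransmission {count} for {scope} tunnels; "
                                "10 is recommended with stateful SRP switchover")
    if cfg["admin-state"] != "enabled":
        findings.append(f"L2TP is in {cfg['admin-state']} state; "
                        f"'no l2tp {cfg['admin-state']}' re-enables it")
    return findings


SAMPLE_CONFIG = """\
l2tp checksum
l2tp destruct-timeout 1200
l2tp destination lockout timeout 1800
l2tp retransmission 4 established
l2tp tunnel short-drain-timeout 12
l2tp drain
no l2tp shutdown
"""

if __name__ == "__main__":
    for finding in audit(parse_l2tp_config(SAMPLE_CONFIG), lns_stateful_srp=True):
        print(finding)
```

On the sample fragment the only finding without the LNS flag is the destruct timeout of 1200 seconds being shorter than the 1800-second lockout timeout; with the flag set, the retry counts of 4 (established) and 5 (not-established, still the default) are also reported against the recommended 10.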
Configuring Calling Number AVP Formats
The E Series LAC generates L2TP Calling Number AVP 22 for incoming-call request
(ICRQ) packets that the LAC sends to the LNS. By default, the E Series LAC generates
the Calling Number AVP 22 in descriptive format.
You can also prevent the E Series LAC from sending the Calling Number AVP in ICRQ
packets.
NOTE: You cannot change the L2TP Calling Number AVP on tunnel switched
interfaces.
You use the aaa tunnel calling-number-format command to configure the router to
generate AVP 22 in any of the following formats. Agent-circuit-id is suboption 1 of the
tags supplied by the PPPoE intermediate agent from the DSLAM. Agent-remote-id is
suboption 2.
• descriptive—This is the default format, and includes the following elements:
<interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect
info> <delimit> <PPPoE description>
• descriptive include-agent-circuit-id—This format includes the following elements:
<interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect
info> <delimit> <PPPoE description> <delimit> <agent-circuit-id>
• descriptive include-agent-circuit-id include-agent-remote-id—This format includes
the following elements:
<interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect
info> <delimit> <PPPoE description> <delimit> <agent-circuit-id> <delimit>
<agent-remote-id>
• descriptive include-agent-remote-id—This format includes the following elements:
<interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect
info> <delimit> <PPPoE description> <delimit> <agent-remote-id>
• fixed—This format is similar to the fixed format of RADIUS attribute 31
(Calling-Station-Id). If you set up the router to generate the Calling Number AVP in
fixed format, the router formats the AVP to use a fixed format of up to 15 characters
consisting of all ASCII fields, as follows (the maximum number of characters for each
field is shown in brackets):
• For ATM interfaces:
<system name [4]> <slot [2]> <port [1]> <VPI [3]> <VCI [5]>
• For Ethernet interfaces:
<system name [4]> <slot [2]> <port [1]> <VLAN [8]>
• Format for serial interfaces:
<system name [4]> <slot [2]> <port [1]> <0 [8]>
• Example—The following command configures the L2TP Calling Number AVP in fixed
format:
host1(config)#aaa tunnel calling-number-format fixed
For example, when you configure this L2TP Calling Number AVP format on an E320
Broadband Services Router for an ATM interface on system name eastern, slot 14,
adapter 1, port 2, VCI 3, and VPI 4, the virtual router displays the format in ASCII as
‘14’ ‘2’ ‘003’ ‘00004’. The adapter number does not appear in this format.
• fixed-adapter-embedded—If you set up the router to generate the L2TP Calling Number
AVP in fixed–adapter-embedded format, the router formats the AVP to use a fixed
format of up to 15 characters consisting of all ASCII fields with a 1-byte slot field, 1-byte
adapter field, and 1-byte port field:
• Format for ATM interfaces:
systemName (up to 4 bytes) slot (1 byte) adapter (1 byte)
port (1 byte) VPI (3 bytes) VCI (5 bytes)
• Format for Ethernet interfaces:
systemName (up to 4 bytes) slot (1 byte) adapter (1 byte)
port (1 byte) VLAN (8 bytes)
• Format for serial interfaces:
systemName (up to 4 bytes) slot (1 byte) adapter (1 byte)
port (1 byte) 0 (8 bytes)
• For E120 and E320 Broadband Services Routers, adapter is the number of the bay in
which the I/O adapter (IOA) resides, either 0 (representing the right IOA bay on the
E120 router and the upper IOA bay on the E320 router) or 1 (representing the left IOA
bay on the E120 router or the lower IOA bay on the E320 router). For ERX7xx models,
ERX14xx models, and ERX310 Broadband Services Routers, which do not use IOAs,
adapter is always shown as 0.
• Slot numbers 0 through 16 are shown as ASCII characters in the 1-byte slot field
according to the following translation:
Slot Number    ASCII Character
0              0
1              1
2              2
3              3
4              4
5              5
6              6
7              7
8              8
9              9
10             A
11             B
12             C
13             D
14             E
15             F
16             G
For example, slot 16 is shown as the ASCII character uppercase G.
• Example—The following command configures the L2TP Calling Number AVP in
fixed-adapter-embedded format:
host1(config)#aaa tunnel calling-number-format fixed-adapter-embedded
For example, when you configure this L2TP Calling Number AVP format on an E320
router for an ATM interface on system name eastern, slot 14, adapter 1, port 2, VCI 3,
and VPI 4, the virtual router displays the format in ASCII as ‘E’ ‘1’ ‘2’ ‘003’ ‘00004’.
• fixed-adapter-new-field—If you set up the router to generate the L2TP Calling Number
AVP in fixed-adapter-new-field format, the router formats the AVP to use
a fixed format of up to 17 characters consisting of all ASCII fields with a 2-byte slot
field, 1-byte adapter field, and 2-byte port field:
• Format for ATM interfaces:
systemName (up to 4 bytes) slot (2 bytes) adapter (1 byte)
port (2 bytes) VPI (3 bytes) VCI (5 bytes)
• Format for Ethernet interfaces:
systemName (up to 4 bytes) slot (2 bytes) adapter (1 byte)
port (2 bytes) VLAN (8 bytes)
• Format for serial interfaces:
systemName (up to 4 bytes) slot (2 bytes) adapter (1 byte)
port (2 bytes) 0 (8 bytes)
• Slot numbers 0 through 16 are shown as integers in the 2-byte slot field.
• Example—The following command configures the L2TP Calling Number AVP in
fixed-adapter-new-field format:
host1(config)#aaa tunnel calling-number-format fixed-adapter-new-field
For example, when you configure this L2TP Calling Number AVP format on an E320
router for an ATM interface on system name eastern, slot 14, adapter 1, port 2, VCI 3,
and VPI 4, the virtual router displays the format in ASCII as ‘14’ ‘1’ ‘02’ ‘003’ ‘00004’.
• include-agent-circuit-id format—This format includes the following element:
<agent-circuit-id>
• include-agent-circuit-id include-agent-remote-id format—This format includes the
following elements:
<agent-circuit-id> <delimit> <agent-remote-id>
• include-agent-remote-id format—This format includes the following element:
<agent-remote-id>
• stacked—This format includes a 4-byte stacked VLAN (S-VLAN) ID in the fixed,
fixed-adapter-embedded, and fixed-adapter-new-field Calling Number AVP formats
for Ethernet interfaces. The S-VLAN ID is displayed in decimal format in the range
0–4095. By default, these formats do not include the S-VLAN ID unless you specify
the optional stacked keyword.
NOTE: The use of the stacked keyword is not supported for VLAN
subinterfaces based on agent-circuit-identifier information, otherwise
known as ACI VLANs. When you issue the aaa tunnel
calling-number-format fixed stacked, aaa tunnel calling-number-format
fixed-adapter-embedded stacked, or aaa tunnel calling-number-format
fixed-adapter-new-field stacked command for an ACI VLAN, the values
that appear in the 4-byte S-VLAN ID and 4-byte VLAN ID fields are incorrect.
• Format for Ethernet interfaces that use fixed:
systemName (up to 4 bytes) slot (2 bytes) port (1 byte) S-VLAN (4 bytes) VLAN (4
bytes)
• Format for Ethernet interfaces that use fixed-adapter-embedded:
systemName (up to 4 bytes) slot (1 byte) adapter (1 byte) port (1 byte) S-VLAN (4
bytes) VLAN (4 bytes)
• Format for Ethernet interfaces that use fixed-adapter-new-field:
systemName (up to 4 bytes) slot (2 bytes) adapter (1 byte) port (2 bytes) S-VLAN
(4 bytes) VLAN (4 bytes)
• The S-VLAN ID field in the Calling Number AVP is set to 0 (zero) if you do not specify
the optional stacked keyword, or if you specify the optional stacked keyword but
the Ethernet interface does not have an S-VLAN ID.
• Example—The following command configures the L2TP Calling Number AVP in
fixed-adapter-new-field format for an Ethernet interface with an S-VLAN ID:
host1(config)#aaa tunnel calling-number-format fixed-adapter-new-field stacked
For example, when you configure this Calling-Station-Id format on an E320 router
for an Ethernet interface on system name western, slot 4, adapter 1, port 3, S-VLAN
ID 8, and VLAN ID 12, the virtual router displays the format in ASCII as ‘west’ ‘04’ ‘1’
‘03’ ‘0008’ ‘0012’.
Tasks for configuring the L2TP Calling Number AVP 22 include:
• Calling Number AVP 22 Configuration Tasks on page 329
• Configuring the Fallback Format on page 330
• Disabling the Calling Number AVP on page 333
Calling Number AVP 22 Configuration Tasks
To set up the router to generate Calling Number AVP 22 for an Ethernet interface in fixed
format that includes both an S-VLAN ID and a VLAN ID:
1. Set the calling number format of the tunnel to fixed, and specify the optional stacked
keyword to include the S-VLAN ID.
host1(config)#aaa tunnel calling-number-format fixed stacked
2. Set the format of the RADIUS Calling-Station-Id to fixed-format, and specify the
optional stacked keyword to include the S-VLAN ID.
host1(config)#radius calling-station-format fixed-format stacked
If you use a RADIUS server to authenticate the L2TP tunnel parameters, you must
configure the format for both the L2TP Calling Number AVP 22 (by using the aaa tunnel
calling-number-format command) and the RADIUS Calling-Station-ID [31] attribute
(by using the radius calling-station-format command).
However, if you use an AAA domain map to authenticate the L2TP tunnel parameters,
you need to configure only the L2TP Calling Number AVP 22 format by using the aaa tunnel
calling-number-format command. You need not configure the format of the RADIUS
Calling-Station-ID [31] attribute in this case.
Configuring the Fallback Format
You can configure a fallback AVP 22 format. The E Series LAC uses the fallback format
to generate the L2TP Calling Number AVP 22 in the event that the PPPoE agent ID is null
or unavailable. The LAC uses the fallback format only when the configured calling number
format includes either or both of the agent-circuit-id and agent-remote-id suboptions.
The calling number format determines what element triggers use of the fallback format,
as shown in the following table:
Calling Number Format                                          Fallback Trigger
agent-circuit-id                                               agent-circuit-id is empty
agent-circuit-id include-agent-remote-id                       Both agent-circuit-id and agent-remote-id are empty
agent-remote-id                                                agent-remote-id is empty
descriptive include-agent-circuit-id                           agent-circuit-id is empty
descriptive include-agent-circuit-id include-agent-remote-id   Both agent-circuit-id and agent-remote-id are empty
descriptive include-agent-remote-id                            agent-remote-id is empty
You use the aaa tunnel calling-number-format-fallback command to configure the
router to generate any of the following fallback AVP 22 formats:
• descriptive—This is the default fallback AVP 22 format, and includes the following
elements:
<interface ID> <delimit> <UID> <delimit> <interface description> <delimit> <connect
info> <delimit> <PPPoE description>
• fixed—This format is similar to the fixed format of RADIUS attribute 31
(Calling-Station-Id). If you set up the router to generate the fallback AVP 22 in fixed
format, the router formats the AVP to use a fixed format of up to 15 characters consisting
of all ASCII fields, as follows (the maximum number of characters for each field is
shown in brackets):
• Fallback format for ATM interfaces:
<system name [4]> <slot [2]> <port [1]> <VPI [3]> <VCI [5]>
• Fallback format for Ethernet interfaces:
<system name [4]> <slot [2]> <port [1]> <VLAN [8]>
• Fallback format for serial interfaces:
<system name [4]> <slot [2]> <port [1]> <0 [8]>
• Example—The following command configures the fallback AVP 22 in fixed format:
host1(config)#aaa tunnel calling-number-format-fallback fixed
For example, when you configure this fallback format on an E320 router for an ATM
interface on system name eastern, slot 14, adapter 1, port 2, VCI 3, and VPI 4, the
virtual router displays the format in ASCII as ‘14’ ‘2’ ‘003’ ‘00004’. The adapter number
does not appear in this format.
• fixed-adapter-embedded—If you set up the router to generate the fallback AVP 22 in
fixed-adapter-embedded format, the router formats the AVP to use a fixed format of
up to 15 characters consisting of all ASCII fields with a 1-byte slot field, 1-byte adapter
field, and 1-byte port field:
• Fallback format for ATM interfaces:
systemName (up to 4 bytes) slot (1 byte) adapter (1 byte)
port (1 byte) VPI (3 bytes) VCI (5 bytes)
• Fallback format for Ethernet interfaces:
systemName (up to 4 bytes) slot (1 byte) adapter (1 byte)
port (1 byte) VLAN (8 bytes)
• Fallback format for serial interfaces:
systemName (up to 4 bytes) slot (1 byte) adapter (1 byte)
port (1 byte) 0 (8 bytes)
• For E120 routers and E320 routers, adapter is the number of the bay in which the I/O
adapter (IOA) resides, either 0 (representing the right IOA bay on the E120 router
and the upper IOA bay on the E320 router) or 1 (representing the left IOA bay on the
E120 router or the lower IOA bay on the E320 router). For ERX7xx models, ERX14xx
models, and ERX310 routers, which do not use IOAs, adapter is always shown as 0.
• Slot numbers 0 through 16 are shown as ASCII characters in the 1-byte slot field
according to the following translation:
Slot Number    ASCII Character
0              0
1              1
2              2
3              3
4              4
5              5
6              6
7              7
8              8
9              9
10             A
11             B
12             C
13             D
14             E
15             F
16             G
For example, slot 16 is shown as the ASCII character uppercase G.
• Example—The following command configures the fallback AVP 22 in
fixed-adapter-embedded format:
host1(config)#aaa tunnel calling-number-format-fallback fixed-adapter-embedded
For example, when you configure this fallback format on an E320 router for an ATM
interface on system name eastern, slot 14, adapter 1, port 2, VCI 3, and VPI 4, the
virtual router displays the format in ASCII as ‘E’ ‘1’ ‘2’ ‘003’ ‘00004’.
• fixed-adapter-new-field—If you set up the router to generate the fallback AVP 22 in
fixed-adapter-new-field format, the router formats the AVP to use a fixed
format of up to 17 characters consisting of all ASCII fields with a 2-byte slot field, 1-byte
adapter field, and 2-byte port field:
• Fallback format for ATM interfaces:
systemName (up to 4 bytes) slot (2 bytes) adapter (1 byte)
port (2 bytes) VPI (3 bytes) VCI (5 bytes)
• Fallback format for Ethernet interfaces:
systemName (up to 4 bytes) slot (2 bytes) adapter (1 byte)
port (2 bytes) VLAN (8 bytes)
• Fallback format for serial interfaces:
systemName (up to 4 bytes) slot (2 bytes) adapter (1 byte)
port (2 bytes) 0 (8 bytes)
• Slot numbers 0 through 16 are shown as integers in the 2-byte slot field.
• Example—The following command configures the fallback AVP 22 in
fixed-adapter-new-field format:
host1(config)#aaa tunnel calling-number-format-fallback fixed-adapter-new-field
For example, when you configure this fallback format on an E320 router for an ATM
interface on system name eastern, slot 14, adapter 1, port 2, VCI 3, and VPI 4, the
virtual router displays the format in ASCII as ‘14’ ‘1’ ‘02’ ‘003’ ‘00004’.
• stacked—This format includes a 4-byte stacked VLAN (S-VLAN) ID in the fixed,
fixed-adapter-embedded, and fixed-adapter-new-field fallback AVP 22 formats for
Ethernet interfaces. The S-VLAN ID is displayed in decimal format in the range 0–4095.
By default, these formats do not include the S-VLAN ID unless you specify the optional
stacked keyword.
NOTE: The use of the stacked keyword is not supported for VLAN
subinterfaces based on agent-circuit-identifier information, otherwise
known as ACI VLANs. When you issue the aaa tunnel
calling-number-format-fallback fixed stacked, aaa tunnel
calling-number-format-fallback fixed-adapter-embedded stacked, or
aaa tunnel calling-number-format-fallback fixed-adapter-new-field
stacked command for an ACI VLAN, the values that appear in the 4-byte
S-VLAN ID and 4-byte VLAN ID fields are incorrect.
•
Fallback format for Ethernet interfaces that use fixed:
systemName (up to 4 bytes) slot (2 bytes) port (1 byte) S-VLAN (4 bytes) VLAN (4
bytes)
•
Fallback format for Ethernet interfaces that use fixed-adapter-embedded:
systemName (up to 4 bytes) slot (1 byte) adapter (1 byte) port (1 byte) S-VLAN (4
bytes) VLAN (4 bytes)
•
Fallback format for Ethernet interfaces that use fixed-adapter-new-field:
systemName (up to 4 bytes) slot (2 bytes) adapter (1 byte) port (2 bytes) S-VLAN
(4 bytes) VLAN (4 bytes)
•
The S-VLAN ID field in the fallback AVP 22 is set to 0 (zero) if you do not specify the
optional stacked keyword, or if you specify the optional stacked keyword but the
Ethernet interface does not have an S-VLAN ID.
•
Example—The following command configures the fallback AVP 22 in
fixed-adapter-new-field format for an Ethernet interface with an S-VLAN ID:
host1(config)#aaa tunnel calling-number-format-fallback fixed-adapter-new-field
stacked
For example, when you configure this fallback format on an E320 router for an
Ethernet interface on system name western, slot 4, adapter 1, port 3, S-VLAN ID 8,
and VLAN ID 12, the virtual router displays the format in ASCII as ‘west’ ‘04’ ‘1’ ‘03’
‘0008’ ‘0012’.
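The fixed-adapter-new-field layouts above are fixed-width, zero-padded decimal fields concatenated after a system name of at most 4 bytes. The following Python is an added example, not JunosE code, that builds that string and parses it back. It assumes the fields are concatenated with no delimiter, that a longer system name is truncated to its first 4 characters (as western becomes ‘west’ above), and that without the stacked keyword the Ethernet layout carries a single 8-byte VLAN field. One caveat worth seeing in code: every layout ends in the same 13-byte fixed tail, so an LNS or log parser cannot tell an ATM PVC from an Ethernet VLAN from the string alone; the parser therefore takes the interface kind from the caller and range-checks the result so that a wrong guess is caught rather than silently yielding a bogus circuit.

```python
"""Build and parse the fallback Calling-Number AVP 22 value in
fixed-adapter-new-field format.  Added example; not JunosE code.
Assumptions: the fields are concatenated with no delimiter, a system name
longer than 4 bytes is truncated to its first 4 characters, and without
the stacked keyword the Ethernet layout carries a single 8-byte VLAN field."""
from dataclasses import dataclass
from typing import Optional

MAX_VLAN = 4095   # VLAN and S-VLAN IDs are decimal, 0-4095
TAIL_LEN = 13     # slot(2) + adapter(1) + port(2) + 8 bytes of circuit fields, in every layout


@dataclass
class FallbackCircuit:
    system_name: str
    slot: int
    adapter: int
    port: int
    kind: str                    # "atm", "ethernet" or "serial"
    vpi: int = 0
    vci: int = 0
    vlan: int = 0
    svlan: Optional[int] = None  # None: the Ethernet interface has no S-VLAN ID


def _field(value: int, width: int, name: str) -> str:
    """Zero-pad a non-negative integer to a fixed-width decimal field."""
    text = str(value)
    if value < 0 or len(text) > width:
        raise ValueError(f"{name}={value} does not fit in a {width}-byte field")
    return text.zfill(width)


def build_fallback_avp22(c: FallbackCircuit, stacked: bool = False) -> str:
    """Return the value the LAC sends when no agent-circuit-id is available."""
    parts = [c.system_name[:4], _field(c.slot, 2, "slot"),
             _field(c.adapter, 1, "adapter"), _field(c.port, 2, "port")]
    if c.kind == "atm":
        parts += [_field(c.vpi, 3, "VPI"), _field(c.vci, 5, "VCI")]
    elif c.kind == "ethernet":
        if c.vlan > MAX_VLAN or (c.svlan is not None and c.svlan > MAX_VLAN):
            raise ValueError("VLAN and S-VLAN IDs must be in the range 0-4095")
        if stacked:
            # The S-VLAN field is 0 when the interface has no S-VLAN ID.
            parts += [_field(c.svlan or 0, 4, "S-VLAN"), _field(c.vlan, 4, "VLAN")]
        else:
            parts.append(_field(c.vlan, 8, "VLAN"))
    elif c.kind == "serial":
        parts.append("0" * 8)
    else:
        raise ValueError(f"unknown interface kind {c.kind!r}")
    return "".join(parts)


def parse_fallback_avp22(value: str, kind: str, stacked: bool = False) -> dict:
    """Split a fallback AVP 22 value back into its fields.

    The system name is variable length, so the value is split from the right:
    the last 13 bytes are always slot, adapter, port and the circuit fields.
    Every layout has the same tail length, so the interface kind cannot be
    recovered from the string; the caller must know it (for example from the
    LAC configuration) and the result is range-checked to catch a wrong guess.
    """
    if len(value) < TAIL_LEN:
        raise ValueError("value is shorter than the fixed 13-byte tail")
    name, tail = value[:-TAIL_LEN], value[-TAIL_LEN:]
    if not tail.isdigit() or len(name) > 4:
        raise ValueError("malformed fallback AVP 22 value")
    fields = {"system_name": name, "slot": int(tail[0:2]),
              "adapter": int(tail[2]), "port": int(tail[3:5])}
    circuit = tail[5:]
    if kind == "atm":
        fields["vpi"], fields["vci"] = int(circuit[:3]), int(circuit[3:])
    elif kind == "ethernet":
        if stacked:
            fields["svlan"], fields["vlan"] = int(circuit[:4]), int(circuit[4:])
        else:
            fields["vlan"] = int(circuit)
        for key in ("svlan", "vlan"):
            if key in fields and fields[key] > MAX_VLAN:
                raise ValueError(f"{key}={fields[key]} is out of range; wrong interface kind?")
    elif kind == "serial":
        if circuit != "0" * 8:
            raise ValueError("the serial layout must carry an all-zero circuit field")
    else:
        raise ValueError(f"unknown interface kind {kind!r}")
    return fields
```

Feeding the two router examples above through build_fallback_avp22 reproduces ‘east’ ‘14’ ‘1’ ‘02’ ‘003’ ‘00004’ and ‘west’ ‘04’ ‘1’ ‘03’ ‘0008’ ‘0012’; parsing the ATM value as if it were a non-stacked Ethernet VLAN yields VLAN 300004 and is rejected by the range check.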
Disabling the Calling Number AVP
You can use the l2tp disable calling-number-avp command to prevent the E Series LAC
from sending the Calling Number AVP in ICRQ packets. You use this command in special
situations where you do not want the LAC to send this AVP.
•
To prevent the LAC from sending the Calling Number AVP:
host1(config)#l2tp disable calling-number-avp
For more information about setting up the router to generate Calling Number AVP 22 in
a format that includes either or both of the agent-circuit-id and agent-remote-id
suboptions of the tags supplied by the PPPoE intermediate agent, see Configuring PPPoE
Remote Circuit ID Capture in the JunosE Link Layer Configuration Guide.
Calling Number AVP 22 Configuration Examples
The following examples show how you can synchronize the contents of RADIUS
Calling-Station-Id (Attribute 31) and L2TP Calling-Number (AVP 22).
•
To send the PPPoE agent-circuit-id in RADIUS Attribute 31 and L2TP AVP 22 and specify
that the fixed format is used when the PPPoE agent-circuit-id is unavailable, issue the
following commands:
host1(config)#radius calling-station-format fixed-format
host1(config)#radius remote-circuit-id-delimiter #
host1(config)#radius override calling-station-id remote-circuit-id
host1(config)#radius remote-circuit-id-format agent-circuit-id
host1(config)#aaa tunnel calling-number-format include-agent-circuit-id
host1(config)#aaa tunnel calling-number-format-fallback fixed
•
To send the PPPoE agent-circuit-id and agent-remote-id in RADIUS Attribute 31 and
L2TP AVP 22 and specify that the fixed format is used when both PPPoE agent-circuit-id
and agent-remote-id are unavailable, issue the following commands:
host1(config)#radius calling-station-format fixed-format
host1(config)#radius remote-circuit-id-delimiter #
host1(config)#radius override calling-station-id remote-circuit-id
host1(config)#radius remote-circuit-id-format agent-circuit-id agent-remote-id
host1(config)#aaa tunnel calling-number-format include-agent-circuit-id
include-agent-remote-id
host1(config)#aaa tunnel calling-number-format-fallback fixed
Mapping a User Domain Name to an L2TP Tunnel Overview
The router uses either the local database related to the domain name or a RADIUS server
to determine whether to terminate or tunnel PPP connections.
For information about setting up RADIUS to provide this mapping, see the Configuring
Remote Access chapter.
For a given domain map, you can choose one of two methods to map the domain to an
L2TP tunnel locally on the router:
•
Configure tunnels for a domain map and then define tunnel attributes from Domain
Map Tunnel configuration mode.
•
Configure a tunnel group and then define the attributes for its tunnels from Tunnel
Group Tunnel Configuration mode. Use this method only when no tunnels are currently
defined for the domain map from Domain Map Tunnel configuration mode. By default,
tunnel groups are not assigned to the domain map.
After configuring a tunnel group and the attributes for its tunnels, you can assign the
tunnel group to the domain map from Domain Map mode. The tunnel group reference
in the domain map is used instead of tunnel definitions configured from Domain Map
Tunnel configuration mode.
The RADIUS server can reference tunnel groups through the RADIUS Tunnel Group
[26-64] attribute. The advantages of RADIUS support for tunnel groups are:
•
The RADIUS server can maintain a single tunnel group attribute associated with
each user instead of sets of tunnel attributes for each user.
•
The RADIUS server can authenticate users before attempting to establish tunnels.
You can configure up to 31 tunnel definitions for an L2TP subscriber using either AAA
domain maps or RADIUS returned values. Each tunnel definition contains both fixed-length
and variable-length tunnel attributes. All tunnel definitions and their attributes that are
stored in AAA are mirrored in a single transaction, and a mirrored storage transaction
is limited to 9866 bytes; if the definitions had to fit in one transaction, exceeding that
limit would force the router to disable stateful SRP switchover (high availability).
A transaction can exceed 9866 bytes when you configure all the variable-length tunnel
attributes of more than 17 tagged tunnel definitions, using either RADIUS or domain
maps, to their maximum values. When the size exceeds 9866 bytes, the router mirrors the
remaining tunnel definitions in a separate transaction. As a result, stateful SRP
switchover is not disabled when you configure all the variable-length tunnel attributes
of all 31 tunnel definitions to their maximum values, or when the RADIUS server sends
tunnel attributes whose length exceeds the maximum length.
Related Documentation
•
Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel Mode on
page 335
•
Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel Mode on
page 339
Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel Mode
To map a domain to an L2TP tunnel locally on the router from Domain Map Tunnel mode,
perform the following steps:
1.
Specify a domain name and enter Domain Map Configuration mode:
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#
2. Specify a virtual router; in this case, the default router is specified.
host1(config-domain-map)#router-name default
3. Specify a tunnel to configure and enter Domain Map Tunnel Configuration mode:
host1(config-domain-map)#tunnel 3
4. Specify the LNS endpoint address of a tunnel.
host1(config-domain-map-tunnel)#address 192.0.2.13
5. (Optional) Assign a tunnel group to the domain map instead of defining tunnels in
Domain Map Tunnel mode. You can assign a tunnel group only when no tunnels are
currently defined for the domain map from Domain Map Tunnel mode, so this step is
an alternative to steps 3 and 4 and is issued from Domain Map Configuration mode:
host1(config-domain-map)#tunnel group storm
6. Specify a preference for the tunnel.
You can specify up to eight levels of preference, and you can assign the same
preference to a maximum of 31 tunnels. When you define multiple preferences for a
destination, you increase the probability of a successful connection.
host1(config-domain-map-tunnel)#preference 5
7. (Optional) Specify an authentication password for the tunnel.
host1(config-domain-map-tunnel)#password temporary
NOTE: If you specify a password for the LAC, the router requires that the
peer (the LNS) authenticate itself to the router. In this case, if the peer
fails to authenticate itself, the tunnel terminates.
8. (Optional) Specify a hostname for the LAC end of the tunnel.
The LAC sends the hostname to the LNS when communicating to the LNS about the
tunnel. The hostname can be up to 64 characters (no spaces).
host1(config-domain-map-tunnel)#client-name host4
NOTE: If the LNS does not accept tunnels from unknown hosts, and if no
hostname is specified, the LAC uses the router name as the hostname.
9. (Optional) Specify a server name for the LNS.
This name specifies the hostname expected from the peer (the LNS) when you set
up a tunnel. When this name is specified, the peer must identify itself with this name
during tunnel startup. Otherwise, the tunnel is terminated. The server name can be
up to 64 characters (no spaces).
host1(config-domain-map-tunnel)#server-name boston
10. (Optional) Specify a source IP address for the LAC tunnel endpoint. All L2TP packets
sent to the peer use this source address.
host1(config-domain-map-tunnel)#source-address 192.0.3.3
By default, the router uses the virtual router’s router ID as the source address. You can
override this behavior for an L2TP tunnel by specifying a source address. If you do
specify a source address, use the address of a stable IP interface (for example, a
loopback interface). Make sure that the address is configured in the virtual router for
this domain map, and that the address is reachable by the peer.
11. Specify a tunnel identification.
host1(config-domain-map-tunnel)#identification acton
The router groups L2TP sessions with the same tunnel identification into the same
tunnel. This occurs only when both the destination (virtual router, IP address) and the
ID are the same.
12. Specify the L2TP tunnel type (RADIUS attribute 64, Tunnel-Type). Currently, the only
supported value is L2TP.
host1(config-domain-map-tunnel)#type l2tp
13. Specify a medium type for the tunnel. (L2TP supports only IP version 4 [IPv4].)
host1(config-domain-map-tunnel)#medium ipv4
14. (Optional) Specify a default tunnel client name.
host1(config-domain-map-tunnel)#exit
host1(config-domain-map)#exit
host1(config)#aaa tunnel client-name boxford
If the tunnel client name is not included in the tunnel attributes that are returned from
the domain map or authentication server, the router uses the default name.
15. (Optional) Specify a default tunnel password.
host1(config)#aaa tunnel password 3&92k%b#q4
host1(config)#exit
If the tunnel password is not included in the tunnel attributes that are returned from
the domain map or authentication server, the router uses the default password.
16. (Optional) Set the format for the tunnel assignment ID that is passed to PPP/L2TP.
The tunnel assignment ID format can be either only assignmentID or clientAuthId +
serverAuthId + assignmentId.
host1(config)#aaa tunnel assignment-id-format assignmentID
If you do not set a tunnel assignment ID, the software sets it to the default
(assignmentID). This parameter is only generated and used by the L2TP LAC device.
17. (Optional) Specify whether or not to use the tunnel peer’s Nas-Port [5] and
Nas-Port-Type [61] attributes.
When enabled, the attribute is supplied by the tunnel peer. When disabled, the attribute
is not supplied. Use the no version of the command to restore the default, enable.
host1(config)#aaa tunnel ignore nas-port enable
host1(config)#aaa tunnel ignore nas-port-type disable
18. (Optional) Set up the router to ignore sequence numbers in data packets received on
L2TP tunnels.
host1(config)#l2tp ignore-receive-data-sequencing
This command does not affect the insertion of sequence numbers in packets sent
from the router.
BEST PRACTICE: We recommend that you set up the router to ignore
sequence numbers in received data packets if you are using IP reassembly.
Because IP reassembly might reorder L2TP packets, out-of-order packets
might be dropped when sequence numbers are being used on L2TP data
packets.
19. (Optional) Disable the generation of authentication challenges by the local tunnel,
so that the tunnel does not send a challenge during negotiation. However, the tunnel
does accept and respond to challenges it receives from the peer.
host1(config)#l2tp disable challenge
20. Verify the L2TP tunnel configuration.
host1(config)#show aaa domain-map
Domain: westford.com; router-name: default; ipv6-router-name: default
Tunnel  Tunnel
Tag     Client Name
------  -----------
3       host4

Tunnel  Tunnel      Tunnel     Tunnel  Tunnel  Tunnel     Tunnel
Tag     Peer        Source     Type    Medium  Password   Id
------  ----------  ---------  ------  ------  ---------  ------
3       192.0.2.13  192.0.3.3  l2tp    ipv4    temporary  acton

Tunnel  Tunnel      Tunnel    Tunnel          Tunnel
Server  Preference  Max       RWS             Virtual
Name                Sessions                  Router
------  ----------  --------  --------------  -------
boston  5           0         system chooses  default
host1#show aaa tunnel-parameters
Tunnel password is 3&92k%b#q4
Tunnel client-name is boxford
Tunnel nas-port-method is none
Tunnel nas-port ignore enabled
Tunnel nas-port-type ignore disabled
Tunnel assignmentId format is assignmentId
Tunnel calling number format is descriptive
Related Documentation
•
Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel Mode on
page 339
•
aaa domain-map
•
aaa tunnel assignment-id-format
•
aaa tunnel client-name
•
aaa tunnel ignore
•
aaa tunnel password
•
address
•
client-name
•
identification
•
l2tp disable challenge
•
l2tp ignore-receive-data-sequencing
•
medium ipv4
•
password
•
preference
•
router-name
•
server-name
•
source-address
•
tunnel
•
tunnel group
•
type
Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel Mode
To map a domain to an L2TP tunnel locally on the router from Tunnel Group Tunnel
Configuration mode, perform the following steps:
1.
Specify an AAA tunnel group and change the mode to Tunnel Group Tunnel
Configuration mode. From Tunnel Group Tunnel Configuration mode, you can add up
to 31 tunnel definitions.
host1(config)#aaa tunnel-group westford
host1(config-tunnel-group)#
2. Specify a tunnel to configure and enter Tunnel Group Tunnel Configuration mode:
host1(config-tunnel-group)#tunnel 3
host1(config-tunnel-group-tunnel)#
3. Specify a virtual router; in this case, the default router is specified.
host1(config-tunnel-group-tunnel)#router-name default
4. Specify the LNS endpoint address of a tunnel.
host1(config-tunnel-group-tunnel)#address 192.0.2.13
5. Specify a preference for the tunnel.
You can specify up to eight levels of preference, and you can assign the same
preference to a maximum of 31 tunnels. When you define multiple preferences for a
destination, you increase the probability of a successful connection.
host1(config-tunnel-group-tunnel)#preference 5
6. (Optional) Specify an authentication password for the tunnel.
host1(config-tunnel-group-tunnel)#password temporary
NOTE: If you specify a password for the LAC, the router requires that the
peer (the LNS) authenticate itself to the router. In this case, if the peer
fails to authenticate itself, the tunnel terminates.
7. (Optional) Specify a hostname for the LAC end of the tunnel.
The LAC sends the hostname to the LNS when communicating to the LNS about the
tunnel. The hostname can be up to 64 characters (no spaces).
host1(config-tunnel-group-tunnel)#client-name host4
NOTE: If the LNS does not accept tunnels from unknown hosts, and if no
hostname is specified, the LAC uses the router name as the hostname.
8. (Optional) Specify a server name for the LNS.
This name specifies the hostname expected from the peer (the LNS) when you set
up a tunnel. When this name is specified, the peer must identify itself with this name
during tunnel startup. Otherwise, the tunnel is terminated. The server name can be
up to 64 characters (no spaces).
host1(config-tunnel-group-tunnel)#server-name boston
9. (Optional) Specify a source IP address for the LAC tunnel endpoint. All L2TP packets
sent to the peer use this source address.
By default, the router uses the virtual router’s router ID as the source address. You can
override this behavior for an L2TP tunnel by specifying a source address. If you do
specify a source address, use the address of a stable IP interface (for example, a
loopback interface). Make sure that the address is configured in the virtual router for
this domain map, and that the address is reachable by the peer.
host1(config-tunnel-group-tunnel)#source-address 192.0.3.3
10. Specify a tunnel identification.
host1(config-tunnel-group-tunnel)#identification acton
The router groups L2TP sessions with the same tunnel identification into the same
tunnel. This occurs only when both the destination (virtual router, IP address) and the
ID are the same.
11. Specify a medium type for the tunnel. (L2TP supports only IP version 4 [IPv4].)
host1(config-tunnel-group-tunnel)#medium ipv4
12. Specify the L2TP tunnel type (RADIUS attribute 64, Tunnel-Type). Currently, the only
supported value is L2TP.
host1(config-tunnel-group-tunnel)#type l2tp
13. Verify the L2TP tunnel configuration.
host1(config)#show aaa domain-map
Domain: westford.com; router-name: default; ipv6-router-name: default
Tunnel  Tunnel
Tag     Client Name
------  -----------
3       host4

Tunnel  Tunnel      Tunnel     Tunnel  Tunnel  Tunnel     Tunnel
Tag     Peer        Source     Type    Medium  Password   Id
------  ----------  ---------  ------  ------  ---------  ------
3       192.0.2.13  192.0.3.3  l2tp    ipv4    temporary  acton

Tunnel  Tunnel      Tunnel    Tunnel          Tunnel
Server  Preference  Max       RWS             Virtual
Name                Sessions                  Router
------  ----------  --------  --------------  -------
boston  5           0         system chooses  default
host1#show aaa tunnel-parameters
Tunnel password is 3&92k%b#q4
Tunnel client-name is <NULL>
Tunnel nas-port-method is none
Tunnel nas-port ignore disabled
Tunnel nas-port-type ignore disabled
Tunnel assignmentId format is assignmentId
Tunnel calling number format is descriptive
Related Documentation
•
Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel Mode on
page 335
•
aaa tunnel-group
•
address
•
client-name
•
identification
•
medium ipv4
•
password
•
preference
•
router-name
•
server-name
•
source-address
•
tunnel
•
type
Transmission of the Subscriber Access Interface Speed to LNS Using the RX Connect-Speed AVP
The L2TP access concentrator (LAC) conveys the speed of the subscriber access interface
to the L2TP network server (LNS) through the transmit (TX) Connect-Speed
attribute-value pair (AVP) [24] and receive (RX) Connect-Speed AVP [38] in the
Incoming-Call-Connected message, during the establishment of an L2TP session. By
default, the receive speed of the access interface is set equal to the calculated transmit
speed and the generation of RX Connect-Speed AVP is suppressed.
The RX Connect-Speed AVP is generated when the receive speed of the access interface
is set equal to the calculated transmit speed by issuing the l2tp
rx-connect-speed-when-equal command. In this scenario, the LAC transmits the same
value for transmit and receive connect speeds that are sent to the LNS through the TX
Connect-Speed AVP and RX Connect-Speed AVP in the Incoming-Call-Connected
message.
The advisory receive speeds of Ethernet VLANs and ATM1483 circuits can be configured
using the vlan advisory-rx-speed and atm atm1483 advisory-rx-speed commands.
When the advisory receive rate is configured, the LAC transmits the configured advisory
receive rate to LNS through the RX Connect-Speed AVP. If the advisory receive rate is
configured, the transmission of the advisory receive rate in the RX Connect-Speed AVP
takes precedence over the transmission of the calculated transmit speed in the RX
Connect-Speed AVP even when the l2tp rx-connect-speed-when-equal command is
issued.
The transmission of the layer 2 control (L2C) RAM actual upstream rate to the LNS can
be enabled using the l2tp rx-connect-speed-upstream-rate command. Because there is
no direct integration between L2C and L2TP, the actual upstream rate is passed from L2C
to AAA, which sends the rate with the tunnel parameters to the LAC when the L2TP tunnel
is created. The LAC transmits the actual upstream rate to the LNS through the RX
Connect-Speed AVP. If transmission of the actual upstream rate is enabled, it takes
precedence over both the configured advisory receive rate and the calculated transmit
speed in the RX Connect-Speed AVP.
The transmission of the actual upstream rate is applicable only for the interface in which
L2C is configured. If the interface does not have L2C configured, the actual upstream
rate is not transmitted. Instead, one of the following actions is taken:
•
The advisory receive rate is transmitted in the RX Connect-Speed AVP, if the advisory
rate is configured.
•
The calculated transmit speed is transmitted in the RX Connect-Speed AVP, if the l2tp
rx-connect-speed-when-equal command is issued and the advisory rate is not
configured.
•
The RX Connect-Speed AVP value is transmitted as 0, if the advisory rate is not
configured and the l2tp rx-connect-speed-when-equal command is not issued or the
no l2tp rx-connect-speed-when-equal command is issued.
NOTE: The actual upstream rate is independent of any QoS parameterization
since it does not influence any QoS factor.
Related Documentation
•
Configuring the RX Speed on the LAC on page 343
•
atm atm1483 advisory-rx-speed
•
l2tp rx-connect-speed-upstream-rate
•
l2tp rx-connect-speed-when-equal
•
vlan advisory-rx-speed
Configuring the RX Speed on the LAC
You can configure the E Series LAC to generate the L2TP RX Connect-Speed AVP [38],
which is transmitted to the LNS in the Incoming-Call-Connected message. The AVP
carries one of the following subscriber access interface speeds based on the configuration:
•
L2C RAM actual upstream rate
•
Configured advisory receive speed
•
Calculated transmit speed
By default, the receive speed is set equal to the calculated transmit speed and the
generation of the RX Connect-Speed AVP is suppressed. The AVP can be used to generate
the RADIUS Connect-Info attribute [77] on the LNS.
To set up the router to generate the RX Connect-Speed AVP [38], perform all or any one
of the following steps:
•
Configure the advisory receive speed:
NOTE: The configured advisory receive speed is sent in the RX
Connect-Speed AVP, only if the generation of the AVP for transmitting the
actual upstream rate is disabled.
•
On the ATM subinterface:
host1(config-subif)#atm atm1483 advisory-rx-speed 2000
For more information about configuring the advisory speed, see Configuring ATM in
the JunosE Link Layer Configuration Guide.
•
On the VLAN subinterface:
host1(config-subif)#vlan advisory-rx-speed 2000
•
Enable generation of the RX Connect-Speed AVP when the receive speed is set equal
to the calculated transmit speed.
NOTE: The calculated transmit speed is sent in the RX Connect-Speed
AVP only if the advisory receive speed is not configured and the generation
of the AVP for transmitting the actual upstream rate is disabled.
host1(config)#l2tp rx-connect-speed-when-equal
•
Enable generation of the RX Connect-Speed AVP when you want to send the L2C RAM
actual upstream rate in the AVP.
NOTE: The actual upstream rate is sent in the AVP even if the advisory
receive speed is configured and the generation of the AVP is enabled for
sending the calculated transmit speed.
host1(config)#l2tp rx-connect-speed-upstream-rate
Related Documentation
•
Transmission of the Subscriber Access Interface Speed to LNS Using the RX
Connect-Speed AVP on page 341
•
atm atm1483 advisory-rx-speed
•
l2tp rx-connect-speed-upstream-rate
•
l2tp rx-connect-speed-when-equal
•
vlan advisory-rx-speed
Managing the L2TP Destination Lockout Process
When multiple sets of tunneling parameters are available, L2TP uses a selection algorithm
to choose the best tunnel for subscriber traffic. As part of this selection process, the
JunosE Software’s L2TP implementation includes a lockout feature in which the router
locks out, or disregards, destinations that are assumed to be unavailable.
By default, when a destination becomes unavailable, L2TP locks out that destination for
a lockout timeout of 300 seconds (5 minutes). After the lockout timeout expires, L2TP
assumes that the destination is now available and includes the destination when
performing the selection algorithm.
Tasks to manage the L2TP lockout process include:
1.
Modifying the Lockout Procedure on page 344
2. Verifying That a Locked-Out Destination Is Available on page 346
3. Configuring a Lockout Timeout on page 346
4. Unlocking a Destination that is Currently Locked Out on page 346
5. Starting an Immediate Lockout Test on page 347
Modifying the Lockout Procedure
You can optionally configure your own lockout procedure by specifying the lockout
timeout you want to use or enabling a lockout test, or both. When the lockout timeout
expires, the destination is either immediately unlocked (if lockout testing is not enabled)
or begins the lockout test to verify that the destination is available.
L2TP performs the lockout test by attempting to establish a tunnel to the unavailable
destination. For the test, L2TP must first obtain the parameters for a tunnel to the
destination. If no such tunnel currently exists, L2TP must wait until it receives a new
session request that has tunnel parameters for the locked out destination. The destination
remains locked out while L2TP waits for the tunnel parameters and becomes available
only after successful completion of the lockout test. Therefore, if lockout testing is
enabled, the destination is actually locked out longer than the lockout timer you specify.
NOTE: Always configure the lockout timeout to be shorter than the destruct
timeout. The destruct timeout (as described in “Specifying a Destruct Timeout
for L2TP Tunnels and Sessions” on page 322) overrides the lockout
timeout—when the destruct timeout expires, all information about the locked
out destination is deleted, including the time remaining on the destination’s
lockout timeout and the requirement to run a lockout test prior to returning
the destination to service. As a result, the locked out destination might be
returned to service prior to expiration of your configured lockout timeout and
without completion of the lockout test you specified.
Figure 9 on page 345 shows how locked-out destinations transition from a locked-out
state to available status when using the default lockout configuration, a configuration
that includes a modified lockout timer, and a configuration with both a modified timer
and the lockout test.
Figure 9: Lockout States
You can use the following commands to manage L2TP destination lockout and configure
a lockout process that meets the needs of your network environment:
•
Use the l2tp destination lockout-timeout command to modify the default lockout
timeout period.
•
Use the l2tp destination lockout-test command to configure L2TP to perform a lockout
test, which verifies that a currently locked out destination is now available and to
include it in the selection algorithm.
•
Use the l2tp unlock destination command to force L2TP to immediately unlock the
specified locked out destination; the destination is then considered to be available by
the selection algorithm. L2TP disregards any time remaining in the existing lockout
timeout and also disregards the lockout test (if configured).
•
Use the l2tp unlock-test destination command to force L2TP to immediately begin
the lockout testing procedure for the specified destination; any time remaining in the
existing lockout timeout is not taken into account.
•
Use the show l2tp and show l2tp destination lockout commands to view information
about the L2TP configuration and statistics.
Verifying That a Locked-Out Destination Is Available
You can use the l2tp destination lockout-test command to configure L2TP to test
locked-out destinations; this verifies that a previously locked-out destination is available
before the router changes the destination’s status.
•
To verify the availability of locked out destinations:
host1(config)#l2tp destination lockout-test
Configuring a Lockout Timeout
You use the l2tp destination lockout-timeout command to configure the amount of
time (in seconds) between when an L2TP destination is found to be unavailable and
when it is eligible for unlocking. When the timeout period expires, L2TP either begins the
lockout test procedure (if configured to do so) or immediately returns the destination to
available state.
BEST PRACTICE: Always configure the lockout timeout to be shorter than
the destruct timeout. The destruct timeout (as described in “Specifying a
Destruct Timeout for L2TP Tunnels and Sessions” on page 322) overrides the
lockout timeout—when the destruct timeout expires, all information about
the locked out destination is deleted, including the time remaining on the
destination's lockout timeout and the requirement to run a lockout test prior
to returning the destination to service.
You can specify a lockout timeout in the range 60–3600 seconds (1 minute–1 hour). The
router uses a timeout value of 300 seconds by default.
•
To configure an L2TP lockout timeout:
host1(config)#l2tp destination lockout-timeout 500
The new lockout timeout only affects future locked-out destinations; it does not affect
destinations that are currently locked out.
Unlocking a Destination that is Currently Locked Out
You use the l2tp unlock destination command to force L2TP to immediately unlock the
specified L2TP destination, which is currently locked out and unavailable. L2TP then
considers the destination to be available. Any remaining lockout time and the lockout
test setting (if configured) are not taken into account.
You must be at privilege level 10 or higher to use this command.
•
To unlock a currently locked-out destination:
host1(config)#l2tp unlock destination ip 192.168.1.98
Starting an Immediate Lockout Test
You use the l2tp unlock-test destination command to force L2TP to immediately start
the lockout test for the specified destination—any remaining lockout time for the
destination is ignored.
You must be at privilege level 10 or higher to use this command.
NOTE: If lockout testing is not configured, this command immediately unlocks
the destination, and L2TP then considers the destination to be available.
•
To force an immediate lockout test for a specific destination:
host1(config)#l2tp unlock-test destination ip 192.168.110.8
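Figure 9 is not reproduced here, so the following Python models the lockout transitions described from “Modifying the Lockout Procedure” through “Starting an Immediate Lockout Test”. It is an added example, not JunosE code: it captures the default lockout, a modified lockout timeout, the lockout test (which keeps the destination out of service until tunnel parameters arrive and a test tunnel succeeds), the two operator commands, and the destruct-timeout override. It assumes times in seconds, that the destruct timer is counted from the moment the destination is locked out, and that a failed lockout test locks the destination out again for a fresh timeout; the destruct timeout value of 600 seconds is chosen for the example only.

```python
"""Model of the L2TP destination lockout states described in this section.
Added example, not JunosE code: it reproduces the transitions given in prose
(default lockout, modified timeout, lockout test, l2tp unlock destination,
l2tp unlock-test destination and the destruct-timeout override) so that the
effective lockout duration can be reasoned about.  Assumptions: times are in
seconds, the destruct timer is counted from the moment the destination is
locked out, and a failed lockout test locks the destination out again for a
fresh lockout timeout."""
from dataclasses import dataclass
from typing import Optional

AVAILABLE, LOCKED, TESTING = "available", "locked-out", "lockout-test"
DEFAULT_LOCKOUT = 300        # seconds
LOCKOUT_RANGE = (60, 3600)   # l2tp destination lockout-timeout accepts 60-3600


@dataclass
class LockoutConfig:
    lockout_timeout: int = DEFAULT_LOCKOUT
    lockout_test: bool = False     # l2tp destination lockout-test configured?
    destruct_timeout: int = 600    # assumed value for the example

    def __post_init__(self) -> None:
        lo, hi = LOCKOUT_RANGE
        if not lo <= self.lockout_timeout <= hi:
            raise ValueError("lockout-timeout must be between 60 and 3600 seconds")


@dataclass
class Destination:
    ip: str
    cfg: LockoutConfig
    state: str = AVAILABLE
    unlock_at: Optional[float] = None    # lockout timer expiry
    destruct_at: Optional[float] = None  # destruct timer expiry

    def mark_unavailable(self, now: float) -> None:
        """The selection algorithm found the destination unavailable."""
        # A changed lockout-timeout affects only future lockouts, so the
        # value in force now is captured here.
        self.state = LOCKED
        self.unlock_at = now + self.cfg.lockout_timeout
        self.destruct_at = now + self.cfg.destruct_timeout

    def _return_to_service(self) -> None:
        self.state, self.unlock_at, self.destruct_at = AVAILABLE, None, None

    def status(self, now: float) -> str:
        """Advance the timers to `now` and return the state the selection
        algorithm sees."""
        if self.state == AVAILABLE:
            return AVAILABLE
        if self.destruct_at is not None and now >= self.destruct_at:
            # The destruct timeout wins: all lockout bookkeeping, including a
            # pending lockout test, is deleted and the destination is back in
            # service, possibly before the lockout timeout expired.
            self._return_to_service()
            return AVAILABLE
        if self.state == LOCKED and self.unlock_at is not None and now >= self.unlock_at:
            if self.cfg.lockout_test:
                self.state = TESTING     # out of service until a test succeeds
            else:
                self._return_to_service()
        return self.state

    def unlock(self) -> str:
        """l2tp unlock destination: available now; timer and test are ignored."""
        self._return_to_service()
        return self.state

    def unlock_test(self) -> str:
        """l2tp unlock-test destination: start the test now, ignoring the
        remaining lockout time; without lockout-test configured this simply
        unlocks the destination."""
        if self.state != AVAILABLE:
            if self.cfg.lockout_test:
                self.state = TESTING
            else:
                self._return_to_service()
        return self.state

    def session_request(self, now: float, tunnel_ok: bool) -> str:
        """A new session request carrying tunnel parameters for this
        destination.  Only then can L2TP attempt the test tunnel; `tunnel_ok`
        is the constructed outcome of that attempt."""
        if self.status(now) != TESTING:
            return self.state
        if tunnel_ok:
            self._return_to_service()
        else:
            self.mark_unavailable(now)   # assumption: failed test locks out again
        return self.state
```

With lockout_timeout=500 and lockout-test configured, the destination is still in the lockout-test state at second 580 and only becomes available when a session request brings tunnel parameters and the test tunnel succeeds, which is the “locked out longer than the lockout timer” effect described above; with a destruct timeout of 600 and a lockout timeout of 900, it is returned to service at second 600 without any test.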
Managing Address Changes Received from Remote Endpoints
A remote endpoint can use the Start-Control-Connection-Reply (SCCRP) packets that
it sends to the E Series LAC to change the address that the LAC uses to communicate
with the endpoint. By default, the LAC accepts the change and uses the new address to
communicate with the endpoint. However, you can configure the LAC to ignore or reject
the requested change. Setting up the LAC to ignore address changes in SCCRP packets
enables the router to construct tunnels with separate receive and transmit addresses
and to avoid problems due to a misconfiguration. Three possible configurations are
available:
• Default configuration—The E Series LAC accepts the change from the endpoint. The
LAC then sends all subsequent packets to, and accepts packets from, the new address.
• Ignore configuration (specified by the l2tp ignore-transmit-address-change
command)—The LAC continues to send packets to the original address but accepts
packets from the new address.
host1(config)#l2tp ignore-transmit-address-change
Use the ip-address or udp-port keyword to ignore the specific address component. Omit
the keywords to ignore the entire address change in the SCCRP packet.
• Reject configuration (specified by the l2tp reject-transmit-address-change
command)—The LAC sends a Stop-Control-Connection-Notification (StopCCN) to
the original address, then terminates the connection to the endpoint.
host1(config)#l2tp reject-transmit-address-change ip-address
Use the ip-address or udp-port keyword to reject the specific address component.
Omit the keywords to reject the entire address change in the SCCRP packet.
NOTE: When an L2TP hello message contains a non-zero value in the
Reserved Bits field of the L2TP message header, and the LAC rejects the
change in the endpoint address by sending a StopCCN to the original
address, the Result Code field contains the value of 2 and the Error Code
field contains the value of 3. The Result code value denotes a generic error,
while the Error code value denotes that one of the field values was out of
range or the Reserved Bits field was non-zero in the StopCCN message
sent from the LAC to the endpoint.
The reject specification takes precedence over the ignore specification.
The router accepts a change in receive address only once, during the tunnel establishment
phase, and only on an SCCRP packet. Subsequent changes result in the router dropping
packets. Any changes do not affect established tunnels.
Use the show l2tp command to display the SCCRP address change configuration.
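To make the three behaviours concrete, the following Python model (an added example, not JunosE code) decides, for an original peer address and the address advertised in the SCCRP, where the LAC keeps transmitting, which source it accepts packets from, and whether it sends a StopCCN. It assumes that the ip-address and udp-port keywords act per component and that the reject specification takes precedence per component.

```python
"""Model of how an L2TP LAC handles a transmit-address change advertised in an SCCRP.

Added example, not JunosE code. It models only the three behaviours described above
(accept, ignore, reject) and the ip-address / udp-port component keywords.
"""
from dataclasses import dataclass
from typing import Optional

# Keyword value for each command: None = command not configured,
# "all" = keyword omitted (whole address), or one component keyword.
Spec = Optional[str]  # None | "all" | "ip-address" | "udp-port"


@dataclass(frozen=True)
class Addr:
    ip: str
    port: int


@dataclass(frozen=True)
class Decision:
    action: str                 # "accept", "ignore" or "reject"
    transmit: Addr              # where the LAC sends control packets after the SCCRP
    receive: Addr               # which source address the LAC accepts packets from
    stopccn_to: Optional[Addr] = None   # StopCCN destination on reject (the original address)


def _covers(spec: Spec, ip_changed: bool, port_changed: bool) -> bool:
    """True when a configured spec applies to at least one changed component (assumed semantics)."""
    if spec is None:
        return False
    if spec == "all":
        return ip_changed or port_changed
    if spec == "ip-address":
        return ip_changed
    if spec == "udp-port":
        return port_changed
    raise ValueError(f"unknown keyword {spec!r}")


def handle_sccrp_address(original: Addr, advertised: Addr,
                         ignore: Spec = None, reject: Spec = None) -> Decision:
    """ignore / reject mirror l2tp ignore-/reject-transmit-address-change [ip-address|udp-port]."""
    ip_changed = original.ip != advertised.ip
    port_changed = original.port != advertised.port
    if not (ip_changed or port_changed):
        return Decision("accept", original, original)

    # Reject takes precedence over ignore: StopCCN goes to the ORIGINAL address and the
    # connection to the endpoint is terminated.
    if _covers(reject, ip_changed, port_changed):
        return Decision("reject", original, original, stopccn_to=original)

    # Ignore: keep sending to the original value of the ignored component(s), but accept
    # packets arriving from the new address (separate receive and transmit addresses).
    if _covers(ignore, ip_changed, port_changed):
        tx_ip = original.ip if ignore in ("all", "ip-address") else advertised.ip
        tx_port = original.port if ignore in ("all", "udp-port") else advertised.port
        return Decision("ignore", Addr(tx_ip, tx_port), advertised)

    # Default configuration: accept the change in both directions.
    return Decision("accept", advertised, advertised)


if __name__ == "__main__":
    # Constructed addresses: the LAC first spoke to .20, the SCCRP now advertises .21.
    orig = Addr("192.168.76.20", 1701)
    moved = Addr("192.168.76.21", 1701)
    for cfg in ({}, {"ignore": "all"}, {"reject": "ip-address"},
                {"ignore": "all", "reject": "udp-port"}):
        d = handle_sccrp_address(orig, moved, **cfg)
        print(cfg, "->", d.action, "tx", d.transmit, "rx", d.receive)
```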
Related Documentation
• l2tp ignore-transmit-address-change
• l2tp reject-transmit-address-change
Configuring LAC Tunnel Selection Parameters
This section presents the capabilities of the LAC’s tunnel selection process. L2TP allows
you to specify:
• Up to 31 destinations for a domain.
• Up to eight levels of preference. Preference indicates the order in which the router
attempts to connect to the destinations specified for a domain. Zero (0) is the highest
level of preference.
• Up to 31 destinations for a single preference level.
For information about setting up destinations and preference levels for a domain, see
“Mapping a User Domain Name to an L2TP Tunnel Overview” on page 334.
When the E Series LAC determines that a PPP session should be tunneled, it selects a
tunnel from a set of tunnels associated with either the PPP user or the PPP user’s domain.
The router provides the following methods for selecting tunnels:
• Tunnel selection failover between preference levels (the default behavior)
• Tunnel selection failover within a preference level
• Maximum sessions per tunnel
• Weighted load balancing
1. Configuring the Failover Between Preference Levels Method on page 349
2. Configuring the Failover Within a Preference Level Method on page 349
3. Configuring the Maximum Sessions per Tunnel on page 350
4. Configuring the Weighted Load Balancing Method on page 350
Configuring the Failover Between Preference Levels Method
When a user tries to log into a domain, in the default method, the router attempts to
connect to a destination in that domain with the highest preference level. If more than
one destination in the preference level is considered reachable, the router randomly
selects a destination and attempts to contact it. If the router is unsuccessful, it marks
the destination as unreachable and does not try to connect to that destination for five
minutes. The router then moves to the next lower preference level and repeats the
process. The router makes up to eight attempts to connect to a destination for a
domain—one attempt for each preference level.
If all destinations at a preference level are marked as unreachable, the router chooses
the destination that failed first and tries to make a connection. The key is to understand
that the router chooses a single destination at each level of preference, even if all
destinations have recently failed. Thus the 5-minute timer normally used to reinstate
failed destinations is ignored under certain conditions.
For example, suppose you have three destinations for a domain: A, B, and C. You assign
the following preferences:
• A, B, and C at preference 0
• A, B, and C at preference 1
• A, B, and C at preference 2
A, B, and C are all considered reachable.
If a PPP user tries to connect to the domain, suppose the router randomly selects
destination A from preference 0. If this connection attempt fails, the router excludes
destination A for 5 minutes and goes to the next level (preference 1). From here, it
randomly selects destination B, one of the two remaining choices. If the second connection
attempt also fails, the router excludes destination B, as well as destination A, and
attempts to connect to destination C, the only destination available with preference 2.
The router has had an opportunity to connect to every destination available for the
domain.
Support for multiple destinations affects the procedure for mapping a user domain name
to an L2TP tunnel. To learn how to complete this mapping, see “Mapping a User Domain
Name to an L2TP Tunnel Overview” on page 334.
• To enable tunnel selection failover between preference levels:
This tunnel selection method is the default method. If you do not set any tunnel
selection parameters, the router uses this method.
Configuring the Failover Within a Preference Level Method
You use the l2tp fail-over-within-preference command to enable tunnel selection failover
within a preference level. In this selection method, if the router tries to connect to a
destination and is unsuccessful, it selects a new destination at the same preference level.
If all destinations at a preference level are marked as unreachable, the router does not
attempt to connect to a destination at that level. It drops to the next lower preference
level to select a destination.
If all destinations at all preference levels are marked as unreachable, the router chooses
the destination that failed first and tries to make a connection. If the connection fails,
the router rejects the PPP user session without attempting to contact the remote router.
For example, suppose there are four tunnels for a domain: A, B, C, and D. All tunnels are
considered reachable, and the preference levels are assigned as follows:
• A and B at preference 0
• C and D at preference 1
When the router attempts to connect to the domain, suppose it randomly selects tunnel
B from preference 0. If it fails to connect to tunnel B, the router excludes tunnel B for five
minutes and attempts to connect to tunnel A. If this attempt also fails, the router drops
to preference 1. Then suppose the router selects tunnel C. If it also fails to connect to
tunnel C, the router excludes tunnel C for five minutes and attempts to connect to tunnel
D.
• To enable tunnel selection failover within a preference level:
host1(config)#l2tp fail-over-within-preference
Configuring the Maximum Sessions per Tunnel
You can configure the maximum number of sessions per tunnel, either through a RADIUS
server or the command-line interface. If you set the maximum sessions per tunnel
parameter, the router takes the setting into consideration when it selects a tunnel. If a
randomly selected tunnel has a current session count equal to its maximum session
count, the router does not attempt to contact that tunnel. Instead, it makes an alternate
tunnel selection from the set of reachable tunnels at the same preference level. If no
additional reachable tunnels exist at the current preference level, the router drops to the
next lower preference level to make the next selection. This process is consistent,
regardless of which fail-over scheme is currently running on the router. A tunnel without
a configured maximum sessions value has no upper limit on the number of sessions it
can support.
The router uses a default value of 0 (zero), which allows unlimited sessions in the tunnel.
• To configure the maximum sessions per tunnel:
host1(config)#aaa domain-map lacOne
host1(config-domain-map)#tunnel 1
host1(config-domain-map-tunnel)#max-sessions 1500
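The following Python simulation (added here; it is not JunosE code) implements the selection rules from the three sections above: one attempt per preference level by default, exhaustive attempts within a level under l2tp fail-over-within-preference, the five-minute lockout with its failed-first fallback, and the max-sessions skip that applies under both schemes. The try_connect callback stands in for the real tunnel setup attempt.

```python
"""Model of LAC tunnel selection for a domain (added example, not JunosE code)."""
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

LOCKOUT_SECONDS = 5 * 60    # a failed destination is excluded for five minutes
PREFERENCE_LEVELS = 8       # preference 0 (highest) through 7


@dataclass
class Destination:
    name: str
    max_sessions: int = 0            # 0 = unlimited (the default)
    sessions: int = 0
    failed_at: Optional[float] = None

    def full(self) -> bool:
        return self.max_sessions > 0 and self.sessions >= self.max_sessions

    def unreachable(self, now: float) -> bool:
        return self.failed_at is not None and now - self.failed_at < LOCKOUT_SECONDS


@dataclass
class DomainMap:
    # preference level -> destinations listed at that level (one destination may appear at several)
    levels: Dict[int, List[Destination]] = field(default_factory=dict)
    fail_over_within_preference: bool = False   # l2tp fail-over-within-preference

    def tunnel(self, preference: int, dest: Destination) -> None:
        self.levels.setdefault(preference, []).append(dest)


def select_tunnel(dm: DomainMap, try_connect: Callable[[Destination], bool],
                  now: float, rng: Optional[random.Random] = None) -> Optional[Destination]:
    """Return the destination that accepted the session, or None when the PPP session is rejected."""
    rng = rng or random.Random()

    def attempt(d: Destination) -> bool:
        if try_connect(d):
            d.sessions += 1
            return True
        d.failed_at = now        # marked unreachable for LOCKOUT_SECONDS
        return False

    for pref in range(PREFERENCE_LEVELS):
        # A tunnel whose session count has reached max-sessions is never contacted.
        candidates = [d for d in dm.levels.get(pref, []) if not d.full()]
        if not candidates:
            continue
        reachable = [d for d in candidates if not d.unreachable(now)]
        if dm.fail_over_within_preference:
            # Try reachable destinations at this level until one succeeds; a level with
            # no reachable destination is skipped.
            rng.shuffle(reachable)
            for d in reachable:
                if attempt(d):
                    return d
            continue
        # Default method: exactly one attempt per level. Pick randomly among reachable
        # destinations; if all are locked out, pick the one that failed first (timer ignored).
        d = rng.choice(reachable) if reachable else min(candidates, key=lambda x: x.failed_at)
        if attempt(d):
            return d

    if dm.fail_over_within_preference:
        # Every level was unreachable or failed: one last try on the destination that failed first.
        locked = [d for lvl in dm.levels.values() for d in lvl
                  if not d.full() and d.unreachable(now)]
        if locked:
            d = min(locked, key=lambda x: x.failed_at)
            if attempt(d):
                return d
    return None   # PPP user session is rejected


if __name__ == "__main__":
    # Constructed scenario from the text: A, B and C at preferences 0, 1 and 2; only C is up.
    a, b, c = Destination("A"), Destination("B"), Destination("C")
    dm = DomainMap()
    for pref in range(3):
        for dest in (a, b, c):
            dm.tunnel(pref, dest)
    chosen = select_tunnel(dm, lambda d: d is c, now=1000.0, rng=random.Random(1))
    print("selected", chosen.name if chosen else "none (session rejected)")
```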
Configuring the Weighted Load Balancing Method
With the weighted load-balancing method, the router uses the maximum sessions per
tunnel to choose among multiple tunnels that share the same preference level.
The weight of a tunnel is proportional to its maximum session limit and the maximum
session limits of the other tunnels at the same preference level. The tunnel with the
largest maximum session value has the largest weight; the tunnel with the next largest
maximum session value has the next largest weight, down to the tunnel with the smallest
maximum session value that has the smallest weight. The router uses a round-robin
tunnel selection method by default.
• To configure the router to base tunnel selection within a preference level on the
maximum sessions per tunnel:
host1(config)#l2tp weighted-load-balancing
CHAPTER 14
Configuring an L2TP LNS
An L2TP network server (LNS) is a node that acts as one side of an L2TP tunnel endpoint
and is a peer to the LAC. An LNS is the logical termination point of a PPP connection that
is being tunneled from the remote system by the LAC. You can configure your E Series
router to function as an LNS.
This chapter includes the following topics that provide information for configuring an
L2TP LNS on the E Series router:
• LNS Configuration Prerequisites on page 354
• Configuring an LNS on page 354
• Creating an L2TP Destination Profile on page 357
• Creating an L2TP Host Profile on page 357
• Configuring the Maximum Number of LNS Sessions on page 358
• Configuring Groups for LNS Sessions on page 359
• Configuring the RADIUS Connect-Info Attribute on the LNS on page 360
• Overriding LNS Out-of-Resource Result Codes 4 and 5 on page 360
• Selecting Service Modules for LNS Sessions Using MLPPP on page 362
• Enabling Tunnel Switching on page 363
• Creating Persistent Tunnels on page 364
• Testing Tunnel Configuration on page 364
• Managing L2TP Destinations, Tunnels, and Sessions on page 364
• Configuring Disconnect Cause Information on page 365
• Configuring the Receive Window Size on page 367
• Configuring Peer Resynchronization on page 369
• Configuring L2TP Tunnel Switch Profiles on page 373
• Configuring the Transmit Connect Speed Calculation Method on page 379
• PPP Accounting Statistics on page 387
• Stateful Line Module Switchover for LNS Sessions on page 388
LNS Configuration Prerequisites
Before you begin configuring the router as an LNS, perform the following steps:
1. Create a virtual router.
host1(config)#virtual-router west
2. Assign a router ID IP address, such as that for a loopback interface, to the virtual router.
This address must be reachable by the L2TP peer.
host1:west(config)#ip router-id 10.10.45.3
CAUTION: You must explicitly assign a router ID to a virtual router rather
than using a dynamically assigned router ID. A fixed ID is required because
every time the ID changes, L2TP must disconnect all existing tunnels and
sessions that use the old ID. If you use a dynamically assigned router ID,
the value can change without warning, leading to failure of all L2TP tunnels
and sessions. Also, the router could dynamically assign a router ID that is
not reachable by the L2TP peer, causing a complete failure of L2TP. You
must set the router ID even if you specified a source address in the domain
map or a local address in the host profile.
Related Documentation
• virtual-router
• ip router-id
Configuring an LNS
When you configure an LNS, you can configure it to accept calls from any LAC.
NOTE: If there is no explicit LNS configuration on the router, the UDP port
used for L2TP traffic is closed, and no tunnels or sessions can be established.
To enable an LAC to connect to the LNS, you must create the following profiles:
• An L2TP destination profile—Defines the location of each LAC
• An L2TP host profile—Defines the attributes used when communicating with an LAC
NOTE: If you remove a destination profile or modify attributes of a host
profile, all tunnels and sessions using the profile will be dropped.
NOTE: If you are using shared tunnel-server ports, you must configure
the shared tunnel-server ports before you configure Layer 2 Tunneling
Protocol (L2TP) network server (LNS) support. You use the tunnel-server
command in Global Configuration mode to specify the physical location
of the shared tunnel-server port that you want to configure.
See virtual-router for additional information about the tunnel-server
command and shared tunnel-server ports.
To configure an LNS, perform the following steps:
1. Create a destination profile that defines the location of the LAC, and access L2TP
Destination Profile Configuration mode. See “Creating an L2TP Destination Profile”
on page 357.
host1:boston(config)#l2tp destination profile boston4 ip address 192.168.76.20
host1:boston(config-l2tp-dest-profile)#
2. Define the L2TP host profile and enter L2TP Destination Profile Host Configuration
mode. See “Creating an L2TP Host Profile” on page 357.
host1:boston(config-l2tp-dest-profile)#remote host default
host1:boston(config-l2tp-dest-profile-host)#
3. (Optional) Assign a profile name for a remote host.
host1:boston(config-l2tp-dest-profile-host)#profile georgeProfile1
4. (Optional) Disable the use of proxy LCP when connecting to the selected host.
host1(config-l2tp-dest-profile-host)#disable proxy lcp
5. (Optional) Enable the use of proxy authentication when connecting to the selected
host.
host1(config-l2tp-dest-profile-host)#enable proxy authenticate
6. (Optional) Specify the local hostname to be used in any hostname AVP sent to the
LAC. By default, the router name is used as the local hostname.
host1(config-l2tp-dest-profile-host)#local host andy
7. (Optional) Specify the local IP address to be used in any packets sent to the LAC. By
default, the router ID is used.
host1(config-l2tp-dest-profile-host)#local ip address 192.168.23.1
8. (Optional) Specify the shared secret used to authenticate the tunnel. By default, there
is no tunnel authentication.
host1:boston(config-l2tp-dest-profile-host)#tunnel password saco
9. (Optional) Specify that the LNS override out-of-resource result codes 4 and 5 with
code 2 for interoperation with third-party implementations that do not support codes
4 and 5.
host1:boston(config-l2tp-dest-profile-host)#session-out-of-resource-result-code-override
10. (Optional) Specify that L2TP create an MLPPP interface when LCP proxy data is not
forwarded from the LAC.
For example, the MLPPP interface is created if the LAC does not send the initial received
or last received LCP configuration request. If full LCP proxy data is available, this
command is ignored.
host1:boston(config-l2tp-dest-profile-host)#default-upper-type mlppp
NOTE: When acting as the LNS, the E Series router supports dialed number
identification service (DNIS). With DNIS, if users have a called number
associated with them, the router searches the domain map for the called
number. If it finds a match, the router uses the matching domain map
entry information to authenticate the user. If the router does not find a
match, it searches the domain map using normal processing. See the Using
DNIS section in “Overview of Mapping a User Domain to a Virtual Router”
on page 6.
Related Documentation
• Creating an L2TP Destination Profile on page 357
• Creating an L2TP Host Profile on page 357
• Configuring the Maximum Number of LNS Sessions on page 358
• Configuring the RADIUS Connect-Info Attribute on the LNS on page 360
• Overriding LNS Out-of-Resource Result Codes 4 and 5 on page 360
• Selecting Service Modules for LNS Sessions Using MLPPP on page 362
• bundled-group-id
• bundled-group-id-overrides-mlppp-ed
• default-upper-type mlppp
• disable proxy lcp
• enable proxy authenticate
• l2tp destination profile
• local host
• local ip address
• max-sessions
• radius connect-info-format
• remote host
• session-out-of-resource-result-code-override
• tunnel password
Creating an L2TP Destination Profile
You use the l2tp destination profile command to create the destination profile that
defines the location of the LAC, and to access L2TP Destination Profile Configuration
mode.
If no virtual router is specified with the command, the current virtual router context is
used.
If the destination address is 0.0.0.0, then any LAC that can be reached via the specified
virtual router is allowed to access the LNS. If the destination address is nonzero, then it
must be a host-specific IP address.
• To create a destination profile:
host1:boston(config)#l2tp destination profile boston ip address 10.10.76.12
host1:boston(config-l2tp-dest-profile)#
NOTE: When you change an L2TP destination profile, you must wait for
the router to delete all L2TP tunnels associated with the deleted profile
before you create the new profile.
If you remove a destination profile, all tunnels and sessions using that
profile will be dropped.
Related Documentation
• Creating an L2TP Host Profile on page 357
• remote host
Creating an L2TP Host Profile
Use the remote host command to define the L2TP host profile and access L2TP
Destination Profile Host Configuration mode.
• Each L2TP destination profile can have multiple L2TP host profiles.
• For an LAC to connect to an LNS, the appropriate L2TP destination profile must have
at least one L2TP host profile.
• If you specify any name other than default for the remote host, then the LAC must
supply the specified hostname in order for the tunnel to be set up. The remote hostname
is matched against the hostname AVP in the received
Start-Control-Connection-Request (SCCRQ).
• The remote hostname can be up to 64 characters (no spaces).
• Example:
host1:boston(config)#l2tp destination profile boston1 ip address 192.168.76.12
host1:boston(config-l2tp-dest-profile)#remote host default
host1(config-l2tp-dest-profile-host)#
• Use the no version to remove the L2TP host profile.
NOTE: If you modify any attributes of a host profile, all tunnels and sessions
using that profile will be dropped.
Related Documentation
• Creating an L2TP Destination Profile on page 357
• l2tp destination profile
Configuring the Maximum Number of LNS Sessions
You can use the max-sessions command in both L2TP Destination Profile Configuration
mode and L2TP Destination Profile Host Configuration mode to configure the number
of sessions allowed by the L2TP network server (LNS).
The LNS uses a two-step process to ensure that the maximum number of allowed
sessions is not exceeded. When a session is requested, the LNS first checks the maximum
sessions set for the L2TP destination profile. If no limit is set, or if the current count is less
than the configured limit, the LNS then performs the same check on the L2TP destination
host profile limit. If the current count is also less than the L2TP destination host profile
limit, then the new session can be established. If a session request exceeds either of the
max-sessions settings, the LNS rejects the session.
NOTE: New sessions are rejected once the chassis-wide session limit is
exceeded, even if the destination profile or host profile maximum session
limit is not exceeded. For information about the maximum number of L2TP
sessions supported per chassis, see JunosE Release Notes, Appendix A, System
Maximums.
• To set the maximum sessions allowed for the specified destination, use the
max-sessions command in L2TP Destination Profile Configuration mode:
host1(config)#l2tp destination profile westford ip address 10.10.21.2
host1(config-l2tp-destination-profile)#max-sessions 20000
• To set the maximum sessions allowed for the specified host, use the max-sessions
command in L2TP Destination Profile Host Configuration mode:
host1(config-l2tp-destination-profile)#remote host default
host1(config-l2tp-destination-profile-host)#max-sessions 20000
Related Documentation
• max-sessions
Configuring Groups for LNS Sessions
You can define and configure session limit groups under the L2TP destination profile.
Under each destination profile, you can define a maximum of 4096 session limit groups.
The maximum session limit is applied for each of the session limit groups in L2TP
Destination Profile Sessions Limit Group Configuration mode.
NOTE: The max-sessions command is also supported in L2TP Destination
Profile Configuration mode and L2TP Destination Profile Host Configuration
mode.
When a session is requested, the LNS first checks the maximum sessions set for the L2TP
destination profile. If no limit is set, or if the current session count is less than the
configured limit, the LNS then performs the same check on the L2TP destination sessions
limit group. If no limit is set, or if the current session count is less than the configured
limit, the LNS then performs the same check on the L2TP destination host profile limit.
If no limit is set, or if the current session count is also less than the L2TP destination
host profile limit, then the new session can be established. If a session request exceeds
any of the maximum sessions settings, the LNS rejects the session.
To set the maximum sessions allowed for a group for the specified destination, use the
max-sessions command in L2TP Destination Profile Sessions Limit Group Configuration
mode. You can configure this as follows:
1. Define an L2TP destination profile.
host1(config)#l2tp destination profile abc virtual-router default ip address 10.10.10.1
2. Define a session limit group in L2TP Destination Profile Configuration mode.
host1(config-l2tp-dest-profile)#sessions-limit-group g1
3. Define the maximum number of sessions allowed in the group.
host1(config-l2tp-dest-profile-sessions-limit-group)#max-sessions 8000
4. To view the output, use the show l2tp destination profile command.
host1#show l2tp destination profile abc
To set the maximum sessions allowed for a group for the specified host, use the
max-sessions command in L2TP Destination Profile Sessions Limit Group Configuration
mode. You can configure this as follows:
1. Configure a remote host name.
host1(config-l2tp-dest-profile)#remote host xyz
2. Assign a sessions limit group name for the remote host.
host1(config-l2tp-dest-profile-host)#sessions-limit-group g1
NOTE: Ensure that the group name is already defined under the destination
profile.
3. To view the output, use the show l2tp destination profile command.
host1#show l2tp destination profile abc
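The following Python model (added here; it is not JunosE code) implements the check order described in this section and in Configuring the Maximum Number of LNS Sessions: the chassis-wide limit, the destination profile, the host's sessions-limit-group, then the host profile, with an accepted session counted at every level it was checked against. The chassis-wide maximum is a placeholder value, not the platform's real system maximum, and a group named on a host must already exist under the destination profile.

```python
"""Model of LNS session admission against stacked max-sessions limits (added example, not JunosE code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

NO_LIMIT = 0   # max-sessions 0 or not configured = no limit


@dataclass
class HostProfile:
    """remote host <name> under a destination profile."""
    name: str
    max_sessions: int = NO_LIMIT
    sessions_limit_group: Optional[str] = None   # sessions-limit-group <name> on the host
    sessions: int = 0


@dataclass
class DestinationProfile:
    """l2tp destination profile <name> ... with its session limit groups and host profiles."""
    name: str
    max_sessions: int = NO_LIMIT
    group_limits: Dict[str, int] = field(default_factory=dict)     # group name -> max-sessions
    group_sessions: Dict[str, int] = field(default_factory=dict)   # group name -> current count
    hosts: Dict[str, HostProfile] = field(default_factory=dict)
    sessions: int = 0

    def sessions_limit_group(self, name: str, max_sessions: int) -> None:
        self.group_limits[name] = max_sessions
        self.group_sessions.setdefault(name, 0)

    def remote_host(self, host: HostProfile) -> None:
        # The group named on the host must already be defined under this destination profile.
        g = host.sessions_limit_group
        if g is not None and g not in self.group_limits:
            raise ValueError(f"sessions-limit-group {g} is not defined under profile {self.name}")
        self.hosts[host.name] = host


@dataclass
class Chassis:
    max_sessions: int   # placeholder for the platform's system maximum (see the release notes)
    sessions: int = 0


def _under_limit(count: int, limit: int) -> bool:
    return limit == NO_LIMIT or count < limit


def admit_session(chassis: Chassis, dest: DestinationProfile, host_name: str) -> str:
    """Return 'accepted' or 'rejected: <limit>' and account an accepted session at every level."""
    host = dest.hosts[host_name]
    group = host.sessions_limit_group
    if not _under_limit(chassis.sessions, chassis.max_sessions):
        return "rejected: chassis-wide session limit"
    if not _under_limit(dest.sessions, dest.max_sessions):
        return "rejected: destination profile max-sessions"
    if group is not None and not _under_limit(dest.group_sessions[group], dest.group_limits[group]):
        return f"rejected: sessions-limit-group {group} max-sessions"
    if not _under_limit(host.sessions, host.max_sessions):
        return "rejected: host profile max-sessions"
    chassis.sessions += 1
    dest.sessions += 1
    host.sessions += 1
    if group is not None:
        dest.group_sessions[group] += 1
    return "accepted"


if __name__ == "__main__":
    # Constructed configuration mirroring the steps above: profile abc, group g1, host xyz in g1.
    chassis = Chassis(max_sessions=32000)
    abc = DestinationProfile("abc", max_sessions=3)
    abc.sessions_limit_group("g1", 1)
    abc.remote_host(HostProfile("xyz", max_sessions=5, sessions_limit_group="g1"))
    abc.remote_host(HostProfile("default", max_sessions=1))
    for h in ("xyz", "xyz", "default", "default"):
        print(h, "->", admit_session(chassis, abc, h))
```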
Related Documentation
• Configuring the Maximum Number of LNS Sessions on page 358
• max-sessions
• sessions-limit-group
Configuring the RADIUS Connect-Info Attribute on the LNS
You can configure the LNS to generate the RADIUS Connect-Info attribute [77]. Service
providers can then use the information in the RADIUS attribute to identify a customer’s
service.
On the LNS, the Connect-Info attribute is based on the L2TP connect-speed AVPs received
from the LAC. The LNS does not generate the attribute by default. The format of the
Connect-Info attribute is as follows, where the TX speed and RX speed are equal to the
respective L2TP AVPs:
tx-speed [ /rx-speed ]
The TX speed is always included in the attribute when the speed is not zero; however,
inclusion of the RX speed depends on the keyword you use with the command.
• Use the l2tp-connect-speed keyword to specify that the RX speed is only included
when it is not zero and also is different than the TX speed.
host1(config)#radius connect-info-format l2tp-connect-speed
• Use the l2tp-connect-speed-rx-when-equal keyword to specify that the RX speed is
always included when it is not zero.
host1(config)#radius connect-info-format l2tp-connect-speed-rx-when-equal
Related Documentation
• radius connect-info-format
Overriding LNS Out-of-Resource Result Codes 4 and 5
When the number of L2TP sessions reaches the configured maximum value, the LNS
sends an out-of-resource result code (4 or 5) in a CDN (Call-Disconnect-Notify) message
to the LAC. This signals the LAC to fail over to another LNS that has the resources for
more sessions.
Some third-party LAC implementations fail over only when they receive result code 2
sent in the CDN from the LNS. You can override result codes 4 and 5 with result code 2
on the LNS to enable such routers to fail over to another LNS. These codes have the
following meanings:
• 2—Call disconnected for the reason indicated in error code
• 4—Call failed due to lack of appropriate facilities being available (temporary condition)
• 5—Call failed due to lack of appropriate facilities being available (permanent condition)
The following sections describe how to override the result codes and how to display the
current code values.
• Overriding the Result Codes on page 361
• Displaying the Current Override Setting on page 361
Overriding the Result Codes
You can override the out-of-resource result codes 4 and 5 by issuing the
session-out-of-resource-result-code-override command on the LNS.
• To override result codes 4 and 5:
host1:boston(config-l2tp-dest-profile-host)#session-out-of-resource-result-code-override
Displaying the Current Override Setting
You can view the current override setting for the LNS result codes in the L2TP destination
profile.
• To display the current override setting:
ERX(config)#show l2tp destination profile boston
L2TP destination profile boston
Configuration
Destination address
Transport ipUdp
Virtual router default
Peer address 10.10.76.12
Statistics
Destination profile current session count is 0
Host profile attributes
Remote host is LAC
Configuration
Tunnel password is TunnelPass
Local host name is LNS
Local ip address is 46.1.1.2
Disconnect-cause avp is enabled
Tunnels are single-shot
Override out-of-resource-result-code is enabled
Statistics
Current session count is 0
1 L2TP host profile found
Related Documentation
• session-out-of-resource-result-code-override
• show l2tp destination profile
Selecting Service Modules for LNS Sessions Using MLPPP
You can install multiple service modules in an E Series router deployed as an LNS where
the tunnel sessions carry MLPPP. To use an LNS, at least one Service line module (SM),
ES2-S1 Service IOA, or a module that supports the use of shared tunnel-server ports must
be installed in the E Series router.
The router selects service modules based on the LNS sessions that underlie the PPP link
interfaces of an MLPPP bundle, also known as bundled sessions. To determine the
appropriate SM where it places the first bundled session for an MLPPP bundle, the router
uses a load-balancing mechanism. After the router determines the appropriate SM, it
places all sessions for the same bundle on the same SM. By default, the router determines
bundled membership based on the endpoint discriminator that the LNS receives from
the LAC in the proxy LCP information.
For example, an ERX1440 Broadband Services Router has service modules installed in
slots 4, 9, and 12. Using the load-balancing mechanism, the router determines that the
SM in slot 4 can accommodate the first bundled session for MLPPP bundle A, and places
it there. The first bundled session for bundle A has an endpoint discriminator of 5. The
router subsequently places all bundled sessions for bundle A (which have an endpoint
discriminator of 5) on the SM in slot 4.
When the SM on which the bundled sessions reside has no more space for additional
sessions, the router refuses the L2TP session. This can happen even when other service
modules installed in the router have available space.
For more information about endpoint discriminators, see the Configuring Multilink PPP
chapter in JunosE Link Layer Configuration Guide.
Assigning Bundled Group Identifiers
In some cases, an endpoint discriminator is not available for the LNS to use to identify
the links in a bundled session.
This situation might occur when:
• PPP clients provide endpoint discriminators with null values.
• PPP clients do not provide an endpoint discriminator option when negotiating LCP
with the LAC.
• The LAC does not include an endpoint discriminator option in the LCP proxy AVPs.
The router places all bundled sessions without endpoint discriminators on the same SM.
However, if there are many such bundled sessions, the load-balanced distribution of LNS
sessions across the service modules can deteriorate because the router places all bundled
sessions on the same SM without evenly distributing the load.
The bundled-group-id command enables you to correct this situation by assigning a
numeric bundled group identifier for the router to use when the endpoint discriminator
is unavailable to identify the bundled membership. The router places bundled sessions
with the same bundled group identifier on the same SM in the same way that it does with
endpoint discriminators.
The bundled group identifier applies to the entire router; therefore, if you assign the same
bundled group identifier for different L2TP destination host profiles, the router places all
of the bundled sessions with the same bundled group identifier on the same SM.
NOTE: We recommend that you assign bundled group identifiers only when
you are certain that endpoint discriminators are unavailable to identify bundle
membership.
• To assign a numeric bundled group identifier:
host1:boston(config-l2tp-dest-profile-host)#bundled-group-id 4
Overriding All Endpoint Discriminators
NOTE: We strongly recommend that you use this feature only with the support
of JTAC.
You can also configure the router to ignore the value of all endpoint discriminators when
it selects an SM and to use only the bundled group identifier that you assigned, by issuing
the bundled-group-id-overrides-mlppp-ed command.
Issuing the bundled-group-id and bundled-group-id-overrides-mlppp-ed commands
together forces the router to place the bundled sessions on the same SM when a PPP
client incorrectly specifies different endpoint discriminators for links in the same bundle.
• To configure the router to ignore the value of all endpoint discriminators:
host1:boston(config-l2tp-dest-profile-host)#bundled-group-id-overrides-mlppp-ed
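The following Python model (added here; it is not JunosE code) shows how bundled sessions are keyed to an SM: by endpoint discriminator, by bundled-group-id when the discriminator is null or absent, or by bundled-group-id alone under the override, and why a full SM refuses a new session for its bundle although other SMs still have room. The least-loaded placement rule, the per-SM capacities and the slot numbers are assumptions for the demo.

```python
"""Model of service-module selection for LNS MLPPP bundled sessions (added example, not JunosE code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ServiceModule:
    slot: int
    capacity: int       # constructed per-SM session capacity for the demo
    sessions: int = 0

    def has_room(self) -> bool:
        return self.sessions < self.capacity


@dataclass
class HostProfile:
    """The two per-host settings from this section."""
    name: str
    bundled_group_id: Optional[int] = None      # bundled-group-id <n>
    overrides_mlppp_ed: bool = False            # bundled-group-id-overrides-mlppp-ed


@dataclass
class Lns:
    modules: List[ServiceModule]
    # bundle key -> slot. Keys are router-wide, so the same bundled group identifier used by two
    # host profiles maps their sessions to the same SM, as the text states.
    bundle_slot: Dict[Tuple[str, object], int] = field(default_factory=dict)

    def bundle_key(self, endpoint_discriminator: Optional[str], host: HostProfile) -> Tuple[str, object]:
        if host.overrides_mlppp_ed or not endpoint_discriminator:
            # Discriminator ignored (override) or unavailable (null / absent): fall back to the
            # bundled group identifier. With none assigned, every such session shares key
            # (…, None) and therefore lands on one SM.
            return ("bundled-group-id", host.bundled_group_id)
        return ("endpoint-discriminator", endpoint_discriminator)

    def place_session(self, endpoint_discriminator: Optional[str], host: HostProfile) -> Optional[int]:
        """Return the slot the session is placed on, or None if the L2TP session is refused."""
        key = self.bundle_key(endpoint_discriminator, host)
        slot = self.bundle_slot.get(key)
        if slot is not None:
            # Later links of a known bundle must go to the SM holding the first link.
            sm = next(m for m in self.modules if m.slot == slot)
            if not sm.has_room():
                return None     # refused even though other SMs may still have space
        else:
            # First link of a new bundle: load-balance (assumed: least-loaded SM with room).
            candidates = [m for m in self.modules if m.has_room()]
            if not candidates:
                return None
            sm = min(candidates, key=lambda m: (m.sessions, m.slot))
            self.bundle_slot[key] = sm.slot
        sm.sessions += 1
        return sm.slot


if __name__ == "__main__":
    # Constructed: SMs in slots 4, 9 and 12 (as in the ERX1440 example), small capacities.
    lns = Lns([ServiceModule(4, 2), ServiceModule(9, 3), ServiceModule(12, 2)])
    default = HostProfile("default")
    print(lns.place_session("5", default))   # bundle A, first link: load-balanced onto slot 4
    print(lns.place_session("5", default))   # same discriminator: same SM
    print(lns.place_session("5", default))   # slot 4 full: refused although 9 and 12 have room
```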
Related Documentation
• bundled-group-id
• bundled-group-id-overrides-mlppp-ed
Enabling Tunnel Switching
L2TP tunnel switching allows you to switch packets between one session terminating
at an L2TP LNS and another session originating at an L2TP LAC. What distinguishes a
tunnel-switched LAC from a conventional one is that there are two interface columns:
one for the incoming session (LNS) and one for the outgoing session (LAC). The router
forwards traffic from the incoming session to the outgoing session and vice versa.
You can select tunnel switching on a per-chassis basis. By default, tunnel switching is
disabled. This preserves current behavior and prevents inadvertent attempts to switch
tunnels.
Copyright © 2012, Juniper Networks, Inc.
363
JunosE 13.3.x Broadband Access Configuration Guide
NOTE: Each individual L2TP session involved in tunnel switching is counted
toward the maximum number of sessions supported on an E Series router.
• To enable tunnel switching:
host1(config)#l2tp tunnel-switching
Related Documentation
• l2tp tunnel-switching
Creating Persistent Tunnels
The E Series router supports persistent tunnels. A persistent tunnel is one that is configured
to remain available. Persistent tunnels have only local significance; that is, they apply
only to the end of the tunnel where they are set. If the other end of the tunnel chooses
to terminate the tunnel, the tunnel is removed.
• To create a persistent tunnel, you configure an idle-timeout value of zero.
host1(config)#l2tp tunnel idle-timeout 0
Related Documentation
• l2tp tunnel idle-timeout
Testing Tunnel Configuration
You can use the l2tp tunnel test command to force the establishment of a tunnel—this
enables you to verify both the tunnel configuration and connectivity.
This command supports tunnel initiation: incoming calls on the LAC; outgoing calls on
the LNS. The command does not support tunnel respondent: outgoing calls on the LAC;
incoming calls on the LNS.
• To test a tunnel configuration:
host1#l2tp tunnel test portland.com gold
Related Documentation
• l2tp tunnel test
Managing L2TP Destinations, Tunnels, and Sessions
When the router is established as an LNS, you can manage the destinations, tunnels, and
sessions in the following ways:
• Enable the verification of data integrity via UDP.
• Specify the time period for which the router maintains dynamic destinations, tunnels,
or sessions after termination.
• Prevent the creation of new sessions, tunnels, and destinations.
Chapter 14: Configuring an L2TP LNS
• Close and reopen all or selected destinations, tunnels, and sessions.
• Configure drain timeout operations, which control the amount of time a disconnected
LAC tunnel waits before restarting after receiving a restart request.
• Configure how many times the router retries a transmission if the initial attempt is
unsuccessful.
Related Documentation
• Generating UDP Checksums in Packets to L2TP Peers on page 321
• Specifying a Destruct Timeout for L2TP Tunnels and Sessions on page 322
• Preventing Creation of New Destinations, Tunnels, and Sessions on page 322
• Shutting Down Destinations, Tunnels, and Sessions on page 324
• Specifying the Number of Retransmission Attempts on page 325
Configuring Disconnect Cause Information
You can configure an E Series LNS to convey PPP-related disconnect cause information
to its L2TP peer. Enabling an LNS to send disconnect cause information to an LAC is
particularly useful in an environment where the LAC initiates tunnels without a client’s
request, knowledge, or approval. In this type of environment, all PPP signaling for the
tunnel session takes place between the LNS and the client, without active participation
of the LAC. As a result, the LAC is not aware of the reason that a session has disconnected.
NOTE: An E Series LAC does not send PPP Disconnect Cause Code AVPs to
an LNS. In the event that a third-party LAC does send the AVP to an E Series
LNS, the LNS discards the AVP.
1. Generating the Disconnect Cause AVP Globally on page 365
2. Generating the Disconnect Cause AVP with a Host Profile on page 366
3. Enabling RADIUS Accounting for Disconnect Cause on page 366
4. Displaying Disconnect Cause Statistics on page 366
Generating the Disconnect Cause AVP Globally
You use the l2tp disconnect-cause command to specify that the LNS include the PPP
Disconnect Cause Code AVP in all L2TP Call-Disconnect-Notify (CDN) messages that
it sends to the LAC. This feature enables the LAC to obtain information about the cause
of a session disconnection.
• To enable disconnect cause generation chassis-wide on the LNS:
host1(config)#l2tp disconnect-cause
NOTE: Sessions for which the AVP generation is enabled by the
host-profile-specific disconnect-cause command continue to generate
the AVP.
Generating the Disconnect Cause AVP with a Host Profile
You use the disconnect-cause command in L2TP Destination Profile Host Configuration
mode to specify that the E Series LNS generate PPP Disconnect Cause Code AVPs. This
command pertains only to L2TP sessions to which the L2TP destination host profile
applies. The AVP is included in all L2TP CDN messages that the LNS sends to an LAC for
covered sessions.
NOTE: This command is used only for dial-in sessions; use the l2tp
disconnect-cause command in Global Configuration mode to generate PPP
Disconnect Cause Code AVPs for dial-out sessions.
• To enable disconnect cause generation for all tunnels that use a particular host profile
on the LNS:
host1(config-l2tp-dest-profile-host)#disconnect-cause
Enabling RADIUS Accounting for Disconnect Cause
You use the radius include l2tp-ppp-disconnect-cause acct-stop enable command to
specify that the Disconnect-Cause RADIUS attribute (VSA 26-51) is generated and
included in RADIUS acct-stop and acct-tunnel-link-stop records. RADIUS VSA 26-51 is
not included in the accounting records by default.
At the LAC, this accounting reports remotely generated disconnect cause information
received from the LNS. At the LNS, the accounting reports locally generated disconnect
cause information.
• To enable disconnect cause accounting:
host1(config)#radius include l2tp-ppp-disconnect-cause acct-stop enable
Displaying Disconnect Cause Statistics
You can display chassis-wide summary statistics for all disconnect cause information
received by the LAC, sorted by code number.
• To display summary statistics for disconnect cause information:
host1(config)#show l2tp received-disconnect-cause-summary
Configuring the Receive Window Size
You can configure the L2TP receive window size (RWS) for an L2TP tunnel. L2TP uses
the RWS to implement a sliding window mechanism for the transmission of control
messages.
When you configure the RWS, you specify the number of packets that the L2TP peer can
transmit without receiving an acknowledgment from the router. If the RWS is not
configured, the router determines the RWS and uses this value for all new tunnels on
both the LAC and the LNS.
You can configure the L2TP RWS in the following ways:
• Configure the systemwide default RWS setting for a tunnel on both the LAC and the
LNS by using the l2tp tunnel default-receive-window command (in Global
Configuration mode).
• Configure the RWS for a tunnel on the LAC either by using the receive-window
command (in Domain Map Tunnel Configuration mode) or by including the
L2tp-Recv-Window-Size RADIUS attribute (VSA 26-54) in RADIUS Access-Accept
messages.
• Configure the RWS for all tunnels that use a particular host profile on the LNS by using
the receive-window command (in L2TP Destination Profile Host Configuration mode).
1. Configuring the Default Receive Window Size on page 367
2. Configuring the Receive Window Size on the LAC on page 368
3. Configuring the Receive Window Size on the LNS on page 369
Configuring the Default Receive Window Size
Use the l2tp tunnel default-receive-window command to configure the default L2TP
RWS for a tunnel on both the LAC and the LNS. The default L2TP RWS is the number of
packets that the L2TP peer can transmit without receiving an acknowledgment from the
router. The only supported value is 4.
To configure the default RWS setting:
1. From Global Configuration mode, set the L2TP default RWS. The only value supported
for the default RWS is 4.
host1(config)#l2tp tunnel default-receive-window 4
The router uses this RWS value for all new tunnels on both the LAC and the LNS. The
new command has no effect on previously configured tunnels.
2. (Optional) Use the show l2tp command to verify the default RWS configuration.
host1#show l2tp
Configuration
L2TP administrative state is enabled
Dynamic interface destruct timeout is 600 seconds
Data packet checksums are disabled
Receive data sequencing is not ignored
Tunnel switching is disabled
Retransmission retries for established tunnels is 5
Retransmission retries for not-established tunnels is 5
Tunnel idle timeout is 60 seconds
Failover within a preference level is disabled
Weighted load balancing is disabled
Tunnel authentication challenge is enabled
Calling number avp is enabled
Ignore remote transmit address change is disabled
Disconnect cause avp is disabled
Default receive window size is 4
Sub-interfaces     total  active  failed  auth-errors
Destinations           0       0       0          n/a
Tunnels                0       0       0            0
Sessions               0       0       0          n/a
Switched-sessions      0       0       0          n/a
Configuring the Receive Window Size on the LAC
Use the receive-window command to configure the L2TP RWS for a tunnel on the LAC.
Use the no version of the command to revert to the systemwide RWS setting configured
with the l2tp tunnel default-receive-window command.
TIP: The RWS setting must be the same for all users of the same tunnel.
If you modify the RWS setting for an existing tunnel, subsequent tunnel users
might not be able to log in if their RWS setting conflicts with the new RWS
setting for the tunnel.
To configure the RWS for a tunnel on the LAC:
1. Access Domain Map Tunnel Configuration mode as described in “Mapping a User
Domain Name to an L2TP Tunnel Overview” on page 334. For example:
host1(config)#aaa domain-map fms.com
host1(config-domain-map)#router-name westford
host1(config-domain-map)#tunnel 3
host1(config-domain-map-tunnel)#
2. From Domain Map Tunnel Configuration mode, set the tunnel RWS. The only value
supported for the tunnel RWS is 4, and it must be the same for all users of the same
tunnel.
host1(config-domain-map-tunnel)#receive-window 4
3. (Optional) Use the show aaa domain-map command to verify the RWS configuration.
host1#show aaa domain-map
Domain: fms.com; router-name: westford; ipv6-router-name: default
Tunnel  Tunnel  Tunnel  Tunnel  Tunnel  Tunnel    Tunnel  Tunnel
Tag     Peer    Source  Type    Medium  Password  Id      Client
                                                          Name
------  ------  ------  ------  ------  --------  ------  ------
3       <null>  <null>  l2tp    ipv4    <null>    <null>  <null>

Tunnel  Tunnel  Tunnel      Tunnel    Tunnel
Tag     Server  Preference  Max       RWS
        Name                Sessions
------  ------  ----------  --------  ------
3       <null>  2000        0         4
You can also configure the RWS for a tunnel on the LAC by including the
L2tp-Recv-Window-Size RADIUS attribute (VSA 26-54) in RADIUS Access-Accept
messages. For more information about RADIUS Access-Accept messages, see “Subscriber
AAA Access Messages Overview” on page 172. For more information about the
L2tp-Recv-Window-Size attribute, see “RADIUS IETF Attributes” on page 231.
Configuring the Receive Window Size on the LNS
Use the receive-window command to configure the L2TP RWS for a tunnel on the LNS.
Use the no version of the command to revert to the systemwide RWS setting configured
with the l2tp tunnel default-receive-window command.
To configure the RWS for a tunnel on the LNS:
1. Access L2TP Destination Profile Host Configuration mode. For example:
host1(config)#virtual-router fms02
host1:fms02(config)#l2tp destination profile fms02 ip address 192.168.5.61
host1:fms02(config-l2tp-dest-profile)#remote host fms03
host1:fms02(config-l2tp-dest-profile-host)#
2. From Destination Profile Host Configuration mode, set the tunnel RWS. The only value
supported for the tunnel RWS is 4.
host1:fms02(config-l2tp-dest-profile-host)#receive-window 4
TIP: If you modify the RWS setting of a host profile for an existing tunnel,
the router drops the tunnel. This action is consistent with router behavior
when you modify an L2TP host profile.
3. (Optional) Use the show l2tp destination profile command to verify the RWS
configuration.
host1:fms02#show l2tp destination profile fms02
L2TP destination profile fms02
Destination address
Transport ipUdp
Virtual router fms02
Peer address 192.168.5.61
Host profile attributes
Remote host is fms03
Receive window size is 4
1 L2TP host profile found
Configuring Peer Resynchronization
The JunosE Software enables you to configure the peer resynchronization method you
want the router to use. Peer resynchronization enables L2TP to recover from a router
warm start and to allow an L2TP failed endpoint to resynchronize with its peer non-failed
endpoint.
L2TP peer resynchronization:
• Prevents the non-failed endpoint from prematurely terminating a tunnel while the
failed endpoint is recovering
• Reestablishes the sequence numbers required for the operation of the L2TP control
protocol
• Resolves inconsistencies in the tunnel and session databases of the failed endpoint
and the non-failed endpoint
To ensure successful peer resynchronization between endpoints, the non-failed endpoint
must support a complete RFC-compliant L2TP implementation.
JunosE Software supports both the L2TP silent failover method and the L2TP failover
protocol method, which is described in the Internet draft Fail Over Extensions for L2TP
“failover” (draft-ietf-l2tpext-failover-06.txt). You can configure L2TP to use the failover
protocol method as the primary peer resynchronization method, but then fall back to the
silent failover method if the peer does not support the failover protocol method.
The following list highlights differences between the failover protocol and silent failover
peer resynchronization methods:
• With the L2TP failover protocol method, both endpoints must support the method or
recovery always fails. The L2TP failover protocol method also requires a non-failed
endpoint to wait an additional recovery time period while the failed endpoint is
recovering to prevent the non-failed endpoint from prematurely disconnecting the
tunnel. The additional recovery period makes L2TP less responsive to the loss of tunnel
connectivity.
• Silent failover operates entirely within the failed endpoint and does not require
non-failed endpoint support—this improves interoperability between peers. Silent
failover does not require additional recovery time by the non-failed endpoint, which
also eliminates the potential for degraded responsiveness to the loss of tunnel
connectivity.
NOTE: L2TP silent failover is not supported on E3 ATM and CT1 line modules
in peer-facing configurations.
NOTE: If an LNS device at one end of an L2TP tunnel encounters a failure
and is not configured with the L2TP peer resynchronization method to
enable the LNS device to resynchronize with the non-failed endpoint peer
(the LAC device at the other end of the tunnel), the tunnel is brought down
immediately after the configured value for the number of retransmission
attempts is exceeded. The tunnel between the LAC device and the failed
LNS device that is recovering is not preserved for the default recovery time
period, which is 15 minutes. Instead, the tunnel is terminated immediately
and the LAC device sends the Failover Capability attribute-value pair (AVP)
in the Stop-Control-Connection-Notification (StopCCN) packet to the
original address with a failover recovery time field set to zero.
You can use the CLI or RADIUS to configure the resynchronization method for your router.
1. Configuring Peer Resynchronization for L2TP Host Profiles and AAA Domain Map
Tunnels on page 371
2. Configuring the Global L2TP Peer Resynchronization Method on page 372
3. Using RADIUS to Configure Peer Resynchronization on page 373
Configuring Peer Resynchronization for L2TP Host Profiles and AAA Domain Map Tunnels
The JunosE CLI enables you to configure the peer resynchronization method globally, for
a host profile, or for a domain map tunnel. A host profile or domain map tunnel
configuration takes precedence over the global peer resynchronization configuration.
When you change the peer resynchronization method, the change is not immediately
applied to existing tunnels. Tunnels continue using their current resynchronization method
until the next time the tunnel is reestablished.
Use the failover-resync command to configure the L2TP peer resynchronization method
for L2TP host profiles and AAA domain map tunnels. This command takes precedence
over the global peer resynchronization configuration.
Choose one of the following keywords to specify the peer resynchronization method:
• failover-protocol—The tunnel uses the L2TP failover protocol method. If the peer
non-failed endpoint does not support the L2TP failover protocol, a failover forces
disconnection of the tunnel and all of its sessions.
• failover-protocol-fallback-to-silent-failover—The tunnel uses the L2TP failover
protocol method; however, if the peer non-failed endpoint does not support the L2TP
failover protocol method, the tunnel falls back to using the silent failover method.
• silent-failover—The tunnel uses the silent failover method. The tunnel also informs
its peer that it supports the failover protocol method for the peer’s failovers.
• disable—The tunnel does not use any peer resynchronization method for its own
failovers. The tunnel informs its peer that it supports the failover protocol method for
the peer’s failovers. A failover forces the disconnection of the tunnel and all of its
sessions.
• not-configured—Peer resynchronization is not configured for L2TP host profiles and
AAA domain map tunnels. L2TP uses the global failover method.
By default, peer resynchronization is not configured at the L2TP profile level or the domain
map level; therefore, the global configuration is used. This differs from using the disable
keyword, which specifies that no peer resynchronization method is used.
Use the show l2tp destination profile command to display a host profile’s peer
resynchronization configuration and the show aaa domain-map command to display a
domain map’s configuration.
• To configure peer resynchronization for an L2TP host profile:
host1(config)#l2tp destination profile lac-dest ip address 192.168.20.2
host1(config-l2tp-dest-profile)#remote host lac-host
host1(config-l2tp-dest-profile-host)#failover-resync silent-failover
• To configure peer resynchronization for an AAA domain map tunnel:
host1(config)#aaa domain-map lac-tunnel
host1(config-domain-map)#tunnel 10
host1(config-domain-map-tunnel)#failover-resync silent-failover
Configuring the Global L2TP Peer Resynchronization Method
You can configure the peer resynchronization method globally, or for L2TP host profiles
or domain map tunnels—a host profile or domain map tunnel configuration takes
precedence over the global peer resynchronization configuration.
When you change the peer resynchronization method, the change is not immediately
applied to existing tunnels. Tunnels continue using their current resynchronization method
until the next time the tunnel is reestablished.
Use the l2tp failover-resync command to configure the global L2TP peer
resynchronization method that L2TP failed endpoints use to resynchronize with a peer
non-failed endpoint.
Choose one of the following keywords to specify the peer resynchronization method. All
tunnels in the chassis use the specified method unless it is overridden by an L2TP host
profile configuration or an AAA domain map configuration.
• failover-protocol—Tunnels use the L2TP failover protocol method. If the peer non-failed
endpoint does not support the L2TP failover protocol, a failover forces disconnection
of all tunnels and their sessions.
• failover-protocol-fallback-to-silent-failover—Tunnels use the L2TP failover protocol
method; however, if the peer non-failed endpoint does not support the L2TP failover
protocol method, the tunnel falls back to using the silent failover method.
• silent-failover—Tunnels use the silent failover method. The tunnels also inform their
peers that they support the failover protocol method for peer failovers.
• disable—Tunnels do not use any peer resynchronization method for their own failovers.
Tunnels inform their peers that they support the failover protocol method for peer
failovers. A failover forces the disconnection of all tunnels and sessions.
Use the show l2tp command to display the global peer resynchronization configuration.
• To configure the global peer resynchronization method:
host1(config)#l2tp failover-resync silent-failover
• To restore the global default setting, which uses the
failover-protocol-fallback-to-silent-failover method:
host1(config)#default l2tp failover-resync
• To disable peer resynchronization, use the no version of the command—this is the
same as using the disable keyword:
host1(config)#no l2tp failover-resync
Using RADIUS to Configure Peer Resynchronization
The JunosE Software supports the use of RADIUS to configure the L2TP peer
resynchronization method used by your L2TP tunnels. You use the L2TP-Resynch-Method
RADIUS attribute (VSA 26-90) in RADIUS Access-Accept messages to specify the L2TP
peer resynchronization method.
Table 78 on page 373 describes the L2TP-Resynch-Method RADIUS attribute. For more
information about RADIUS Access-Accept messages, see “Subscriber AAA Access
Messages Overview” on page 172. For more information about the L2TP-Resynch-Method
attribute, see “RADIUS IETF Attributes” on page 231.
Table 78: L2TP-Resynch-Method RADIUS Attribute
Standard Number: [26-90]
Attribute Name: L2TP-Resynch-Method
Description: L2TP peer resynchronization method
Length: 12
Subtype Length: 6
Value: integer:
• 0 = disabled
• 1 = failover protocol
• 2 = silent failover
• 3 = failover protocol with silent failover as backup
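As an added example that is not part of the guide, the following Python builds and validates the L2TP-Resynch-Method VSA laid out in Table 78 and picks it out of a constructed Access-Accept attribute list, rejecting any attribute whose lengths or value do not match the table. The Juniper/Unisphere vendor ID 4874 and the big-endian integer encoding are assumptions, since the table states neither.

```python
"""Added example (not from the JunosE guide): encode, validate and locate the
L2TP-Resynch-Method RADIUS VSA (26-90) laid out in Table 78.

Assumptions not stated on the page: the JunosE (Unisphere) vendor ID is 4874
and the integer value is big-endian, as for other RADIUS integer attributes."""
import struct

VENDOR_ID_JUNOSE = 4874          # assumption: Unisphere/JunosE vendor ID
ATTR_VENDOR_SPECIFIC = 26
VSA_L2TP_RESYNCH_METHOD = 90

# Table 78 values -> the equivalent failover-resync CLI keyword
RESYNCH_METHODS = {
    0: "disable",
    1: "failover-protocol",
    2: "silent-failover",
    3: "failover-protocol-fallback-to-silent-failover",
}


def encode_resynch_method(method):
    """Return the 12-byte attribute: Type 26, Length 12, Vendor-Id,
    Vendor-Type 90, Vendor-Length 6, 4-byte integer value."""
    if method not in RESYNCH_METHODS:
        raise ValueError("L2TP-Resynch-Method must be 0..3, got %r" % (method,))
    sub = struct.pack("!BBI", VSA_L2TP_RESYNCH_METHOD, 6, method)
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), VENDOR_ID_JUNOSE) + sub


def decode_resynch_method(attr):
    """Return the keyword carried by a well-formed L2TP-Resynch-Method VSA,
    or None. Every length is checked before use, so a truncated, padded or
    out-of-range attribute from the RADIUS server is rejected, not misread."""
    if len(attr) != 12 or attr[0] != ATTR_VENDOR_SPECIFIC or attr[1] != 12:
        return None
    vendor_id, subtype, sublen, value = struct.unpack("!IBBI", attr[2:])
    if (vendor_id, subtype, sublen) != (VENDOR_ID_JUNOSE, VSA_L2TP_RESYNCH_METHOD, 6):
        return None
    return RESYNCH_METHODS.get(value)      # None for a value outside 0..3


def iter_attributes(payload):
    """Yield each raw attribute of a RADIUS packet body (the bytes after the
    20-byte header). Stops at the first attribute whose length field is
    impossible (< 2 or running past the end of the payload)."""
    pos = 0
    while pos + 2 <= len(payload):
        length = payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            return
        yield payload[pos:pos + length]
        pos += length


def resynch_method_from_access_accept(payload):
    """Return the peer resynchronization method an Access-Accept carries, or None."""
    for attr in iter_attributes(payload):
        method = decode_resynch_method(attr)
        if method is not None:
            return method
    return None


if __name__ == "__main__":
    # Constructed Access-Accept body: Tunnel-Type (64) = L2TP, then VSA 26-90 = 3.
    body = b"\x40\x06\x00\x00\x00\x03" + encode_resynch_method(3)
    print(encode_resynch_method(3).hex())
    print(resynch_method_from_access_accept(body))
```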
Configuring L2TP Tunnel Switch Profiles
You can use the l2tp switch-profile command to create an L2TP tunnel switch profile.
An L2TP tunnel switch profile is a set of characteristics that defines the behavior of L2TP
tunnel switching for the interfaces to which the profile is assigned.
Within the L2TP tunnel switch profile, you configure a particular tunnel switching behavior
for a specified L2TP AVP. For example, you can configure the router to preserve the value
of (relay) a specified AVP type across the LNS/LAC boundary in an L2TP tunnel-switched
network.
Applying the L2TP Tunnel Switch Profile
Configuring an L2TP tunnel switch profile has no effect by itself. To use the tunnel switch
profile in an L2TP tunnel-switched network, you must apply it to an L2TP outbound LAC
session by using one of the following methods:
• Authentication, authorization, and accounting (AAA) domain maps
• AAA tunnel groups
• RADIUS Access-Accept messages
If none of these methods is used, you can apply the L2TP tunnel switch profile as an
AAA default tunnel parameter. The default tunnel switch profile has lower precedence
than the other methods for applying the tunnel switch profile.
For more information about the methods for applying L2TP tunnel switch profiles, see
“Configuration Tasks” on page 375.
Configuration Guidelines
The following rules apply when you configure L2TP tunnel switch profiles:
• L2TP tunnel switching must be enabled for tunnel switch profiles to take effect. For
information, see “Enabling Tunnel Switching” on page 363.
• L2TP tunnel switch profiles have no effect when they are assigned to a LAC session
that is not tunnel switched.
• The router can relay only those AVPs that are accepted at the LNS. Malformed AVPs
are never relayed.
• If a tunnel grant response specifies a named tunnel switch profile that has not been
configured on the router, the router prohibits connection of the L2TP tunnel-switched
session.
• If you remove a tunnel switch profile, the router also disconnects all associated L2TP
switched sessions using that profile.
• In some cases, attributes configured in a tunnel switch profile take precedence over
similar attributes configured globally on the router.
For example, configuring L2TP Calling Number AVP 22 for relay overrides the l2tp
disable calling-number-avp command issued from Global Configuration mode to
prevent the router from sending AVP 22 in incoming-call-request (ICRQ) packets. In
this scenario, the router relays the Calling Number AVP.
Configuring L2TP AVPs for Relay
Previously, the router did not preserve the values of incoming L2TP AVPs across the
LNS/LAC boundary in an L2TP tunnel-switched network. The router regenerated most
incoming AVPs, such as L2TP Calling Number AVP 22, based on the local policy in effect.
However, some AVPs, such as Cisco NAS Port Info AVP 100, were dropped.
In an L2TP tunnel switch profile, you can define the types of AVPs that the router can
relay unchanged across the LNS/LAC boundary. You can specify that the router relay
one or more of the following AVP types:
• L2TP Bearer Type AVP 18
• L2TP Calling Number AVP 22
• Cisco NAS Port Info AVP 100
When you configure any of these AVP types for relay in an L2TP tunnel-switched network,
the router preserves the value of an incoming AVP of this type when packets are switched
between the inbound LNS session and the outbound LAC session.
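The following Python, added here and not taken from the guide or from JunosE, models the relay rules of this section and of the configuration guidelines above on raw L2TP AVPs: an AVP type configured for relay passes byte-for-byte, the other two types are regenerated from local policy or dropped, a malformed AVP list is never relayed, and a relayed Calling Number AVP wins over l2tp disable calling-number-avp. The RFC 2661 AVP header layout, the IETF vendor ID 0 for AVPs 18 and 22, the Cisco vendor ID 9 for AVP 100, and all sample AVP values are assumptions.

```python
"""Added example (not from the JunosE guide or JunosE code): a model of the
tunnel switch profile relay rules applied to raw L2TP AVPs.

Assumptions not stated on the page: RFC 2661 AVP header (M/H bits + 10-bit
length, 2-byte Vendor ID, 2-byte Attribute Type); AVPs 18 and 22 use the IETF
vendor ID 0; AVP 100 uses the Cisco vendor ID 9; all sample values are made up."""
import struct

IETF_VENDOR = 0
CISCO_VENDOR = 9          # assumption: vendor ID of the Cisco NAS Port Info AVP

# keyword of 'avp <keyword> relay' -> (vendor ID, attribute type, default action)
AVP_KEYWORDS = {
    "bearer-type":    (IETF_VENDOR, 18, "regenerate"),
    "calling-number": (IETF_VENDOR, 22, "regenerate"),
    "cisco-nas-port": (CISCO_VENDOR, 100, "drop"),
}
_KEYWORD_BY_ID = {(v, a): kw for kw, (v, a, _) in AVP_KEYWORDS.items()}


def build_avp(vendor, attr, value, mandatory=True):
    """Encode one AVP: M bit | 10-bit total length, vendor ID, attribute type, value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP value too long for the 10-bit length field")
    return struct.pack("!HHH", length | (0x8000 if mandatory else 0), vendor, attr) + value


def parse_avps(data):
    """Split an AVP list into (vendor, attr, value, raw) tuples.

    Parsing stops at the first AVP with a short header or a length field that
    overruns the buffer; that unparsed tail is returned so the caller can
    refuse to relay it (a malformed AVP is never relayed)."""
    avps, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 6:
            break
        hdr, vendor, attr = struct.unpack("!HHH", data[pos:pos + 6])
        length = hdr & 0x03FF
        if length < 6 or pos + length > len(data):
            break
        avps.append((vendor, attr, data[pos + 6:pos + length], data[pos:pos + length]))
        pos += length
    return avps, data[pos:]


def switch_avps(incoming, relay_keywords, local_policy, calling_number_avp_disabled=False):
    """Decide what the outbound LAC session sends for each of the three AVP types.

    relay_keywords: keywords configured with 'avp <keyword> relay' in the profile
    local_policy:   {keyword: value bytes} used when an AVP is regenerated
    calling_number_avp_disabled: models the global 'l2tp disable calling-number-avp'

    Returns (decisions, malformed): decisions is a list of
    (keyword, action, outgoing AVP bytes or None); malformed is the unparsable
    tail of the incoming list, which is dropped rather than relayed."""
    avps, malformed = parse_avps(incoming)
    decisions = []
    for vendor, attr, value, raw in avps:
        kw = _KEYWORD_BY_ID.get((vendor, attr))
        if kw is None:
            continue        # other AVP types are outside the relay rules; not modelled
        default_action = AVP_KEYWORDS[kw][2]
        if kw in relay_keywords:
            # relay: preserved byte-for-byte across the LNS/LAC boundary; the
            # profile wins even when the calling-number AVP is globally disabled
            decisions.append((kw, "relay", raw))
        elif default_action == "regenerate" and not (
                kw == "calling-number" and calling_number_avp_disabled):
            decisions.append((kw, "regenerate", build_avp(vendor, attr, local_policy[kw])))
        else:
            decisions.append((kw, "drop", None))
    return decisions, malformed


if __name__ == "__main__":
    # Constructed inbound LNS session AVPs: Calling Number, Cisco NAS Port Info, Bearer Type.
    incoming = (build_avp(IETF_VENDOR, 22, b"5551234")
                + build_avp(CISCO_VENDOR, 100, b"ATM 3/0:1")
                + build_avp(IETF_VENDOR, 18, b"\x00\x00\x00\x02"))
    policy = {"bearer-type": b"\x00\x00\x00\x00", "calling-number": b"regenerated"}
    decisions, bad = switch_avps(incoming, {"calling-number", "cisco-nas-port"}, policy)
    for keyword, action, outgoing in decisions:
        print("%-15s %-10s %r" % (keyword, action, outgoing))
```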
Configuration Tasks
To configure and use an L2TP tunnel switch profile in an L2TP tunnel-switched network:
1. Ensure that L2TP tunnel switching is enabled on the router.
2. Configure the L2TP tunnel switch profile.
3. Apply the L2TP tunnel switch profile to the tunnel in one of the following ways:
• To apply a named tunnel switch profile through an AAA domain map, use the
switch-profile command from Domain Map Tunnel Configuration mode. For details,
see “Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps” on page 377.
• To apply a named tunnel switch profile through an AAA tunnel group, use the
switch-profile command from Tunnel Group Tunnel Configuration mode. For details,
see “Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups” on page 377.
• To apply a named tunnel switch profile through RADIUS, include the
Tunnel-Switch-Profile RADIUS attribute (VSA 26-91) in RADIUS Access-Accept
messages. For details, see “Applying L2TP Tunnel Switch Profiles by Using RADIUS”
on page 379.
• To apply a default tunnel switch profile to a virtual router, use the aaa tunnel
switch-profile command from Global Configuration mode. For details, see “Applying
Default L2TP Tunnel Switch Profiles” on page 378.
The following sections describe how to perform each of these tasks.
Enabling Tunnel Switching on the Router
To enable L2TP tunnel switching on the router, use the l2tp tunnel-switching command.
By default, tunnel switching is disabled.
• To enable L2TP tunnel switching:
host1(config)#l2tp tunnel-switching
For more information, see “Enabling Tunnel Switching” on page 363.
Configuring L2TP Tunnel Switch Profiles
To configure an L2TP tunnel switch profile:
1. Create the L2TP tunnel switch profile and assign it a name. The l2tp switch-profile
command accesses L2TP Tunnel Switch Profile Configuration mode.
host1(config)#l2tp switch-profile concord
host1(config-l2tp-tunnel-switch-profile)#
2. Configure the L2TP tunnel switching behavior for the interfaces to which this profile
is assigned. Use the avp command with the relay keyword to cause the router to
preserve the value of an incoming AVP of this type when packets are switched between
an inbound LNS session and an outbound LAC session.
You can use any of the following keywords to specify the AVPs for the router to relay:
• bearer-type—L2TP Bearer Type AVP 18; by default, the router regenerates this AVP
at the outbound LAC session, based on the local policy in effect
• calling-number—L2TP Calling Number AVP 22; by default, the router regenerates
this AVP at the outbound LAC session, based on the local policy in effect
• cisco-nas-port—Cisco NAS Port Info AVP 100; by default, the router drops this AVP
Use the no version to restore the default L2TP tunnel switching behavior (regenerate
or drop) for incoming AVPs of the specified type.
The following commands configure the router to relay the Bearer Type, Calling Number,
and Cisco NAS Port Info AVP types across the LNS/LAC boundary.
host1(config-l2tp-tunnel-switch-profile)#avp bearer-type relay
host1(config-l2tp-tunnel-switch-profile)#avp calling-number relay
host1(config-l2tp-tunnel-switch-profile)#avp cisco-nas-port relay
3. (Optional) Use the show l2tp switch-profile command to verify configuration of the
tunnel switch profile.
host1(config-l2tp-tunnel-switch-profile)# run show l2tp switch-profile
L2TP tunnel switch profile concord
L2TP tunnel switch profile myProfile
2 L2TP tunnel switch profiles found
host1(config-l2tp-tunnel-switch-profile)# run show l2tp switch-profile concord
L2TP tunnel switch profile concord
AVP bearer type action is relay
AVP calling number action is relay
AVP Cisco nas port info action is relay
Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps
To apply an L2TP tunnel switch profile to sessions associated with an AAA domain map:
1. Access Domain Map Tunnel Configuration mode.
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#router-name default
host1(config-domain-map)#tunnel 3
host1(config-domain-map-tunnel)#
For more information about how to map a domain to an L2TP tunnel from Domain
Map Tunnel Configuration mode, see “Mapping a User Domain Name to an L2TP
Tunnel Overview” on page 334.
2. From Domain Map Tunnel Configuration mode, issue the switch-profile command
to apply the specified L2TP switch profile to the sessions associated with this domain
map.
host1(config-domain-map-tunnel)#switch-profile concord
3. (Optional) Use the show aaa domain-map command to verify application of the
tunnel switch profile.
host1(config-domain-map-tunnel)#run show aaa domain-map
Domain: westford.com; router-name: default; ipv6-router-name: default
Tunnel  Tunnel  Tunnel  Tunnel  Tunnel  Tunnel    Tunnel  Tunnel
Tag     Peer    Source  Type    Medium  Password  Id      Client
                                                          Name
------  ------  ------  ------  ------  --------  ------  ------
3       <null>  <null>  l2tp    ipv4    <null>    <null>  <null>

Tunnel  Tunnel  Tunnel      Tunnel    Tunnel          Tunnel   Tunnel
Tag     Server  Preference  Max       RWS             Virtual  Switch
        Name                Sessions                  Router   Profile
------  ------  ----------  --------  --------------  -------  -------
3       <null>  2000        0         system chooses  <null>   concord
Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups
To apply an L2TP tunnel switch profile to sessions associated with an AAA tunnel group:
1. Access Tunnel Group Tunnel Configuration mode.
host1(config)#aaa tunnel-group sunnyvale
host1(config-tunnel-group)#tunnel 3
host1(config-tunnel-group-tunnel)#
For more information about how to map a domain to an L2TP tunnel from Tunnel
Group Tunnel Configuration mode, see “Mapping a User Domain Name to an L2TP
Tunnel Overview” on page 334.
2. From Tunnel Group Tunnel Configuration mode, issue the switch-profile command
to apply the specified L2TP switch profile to the sessions associated with this tunnel
group.
host1(config-tunnel-group-tunnel)#switch-profile sanjose
3. (Optional) Use the show aaa tunnel-group command to verify application of the
tunnel switch profile.
host1(config-tunnel-group-tunnel)#run show aaa tunnel-group
Tunnel Group: sunnyvale
Tunnel  Tunnel  Tunnel  Tunnel  Tunnel  Tunnel    Tunnel  Tunnel
Tag     Peer    Source  Type    Medium  Password  Id      Client
                                                          Name
------  ------  ------  ------  ------  --------  ------  ------
3       <null>  <null>  l2tp    ipv4    <null>    <null>  <null>

Tunnel  Tunnel  Tunnel      Tunnel    Tunnel          Tunnel   Tunnel
Tag     Server  Preference  Max       RWS             Virtual  Switch
        Name                Sessions                  Router   Profile
------  ------  ----------  --------  --------------  -------  -------
3       <null>  2000        0         system chooses  <null>   sanjose
Applying Default L2TP Tunnel Switch Profiles
You can apply a default L2TP tunnel switch profile to a virtual router by issuing the aaa
tunnel switch-profile command from Global Configuration mode. The router uses the
default tunnel switch profile if the tunnel attributes returned from an AAA domain map
or tunnel group or from a RADIUS authentication server do not include a named tunnel
switch profile. The router ignores the default tunnel switch profile if the tunnel attributes
returned from an AAA domain map or tunnel group or from a RADIUS authentication
server do include a named tunnel switch profile.
The default L2TP tunnel switch profile applies to a specific virtual router. You can apply
a different default tunnel switch profile to each virtual router configured.
To apply a default L2TP tunnel switch profile to a virtual router:
1. Create the virtual router to which you want to apply the default tunnel switch profile.
host1(config)#virtual-router east
host1:east(config)#
2. Issue the aaa tunnel switch-profile command to apply the default L2TP tunnel switch
profile in the context of this virtual router.
host1:east(config)#aaa tunnel switch-profile boston
3. (Optional) Use the show aaa tunnel-parameters command to verify application of
the default tunnel switch profile.
host1:east(config)#run show aaa tunnel-parameters
Tunnel password is <NULL>
Tunnel client-name is <NULL>
Tunnel nas-port-method is none
Tunnel switch-profile is boston
Tunnel nas-port ignore disabled
Tunnel nas-port-type ignore disabled
Tunnel assignmentId format is assignmentId
Tunnel calling number format is descriptive
Applying L2TP Tunnel Switch Profiles by Using RADIUS
On the LAC, the router can receive tunnel configuration attributes through a RADIUS
authentication server. To use RADIUS to apply an L2TP tunnel switch profile to a session,
you can configure RADIUS to include the Tunnel-Switch-Profile RADIUS attribute (VSA
26-91) in RADIUS Access-Accept messages.
For more information about RADIUS Access-Accept messages, see “Subscriber AAA
Access Messages Overview” on page 172. For more information about the
Tunnel-Switch-Profile attribute, see “RADIUS IETF Attributes” on page 231.
Related Documentation
• Enabling Tunnel Switching on the Router on page 376
• Configuring L2TP Tunnel Switch Profiles on page 376
• Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps on page 377
• Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups on page 377
• Applying Default L2TP Tunnel Switch Profiles on page 378
• Applying L2TP Tunnel Switch Profiles by Using RADIUS on page 379
• aaa tunnel switch-profile
• avp
• l2tp switch-profile
• l2tp tunnel-switching
Configuring the Transmit Connect Speed Calculation Method
You can configure the method that the router uses to calculate the transmit connect
speed of the subscriber’s access interface for a tunneled L2TP session. L2TP reports the
transmit connect speed in L2TP Transmit (TX) Speed AVP 24. During the establishment
of an L2TP tunnel session, the LAC sends AVP 24 to the LNS to convey the transmit speed
of the subscriber’s access interface.
You can configure the calculation method for the transmit connect speed reported in
L2TP Transmit (TX) Speed AVP 24 in any of the following ways. The first three
methods—AAA domain maps, AAA tunnel groups, and RADIUS—are mutually exclusive.
• AAA domain maps—Use the tx-connect-speed-method command from Domain Map
Tunnel Configuration mode. For instructions, see “Using AAA Domain Maps to Configure
the Transmit Connect Speed Calculation Method” on page 383.
• AAA tunnel groups—Use the tx-connect-speed-method command from Tunnel Group
Tunnel Configuration mode. For instructions, see “Using AAA Tunnel Groups to Configure
the Transmit Connect Speed Calculation Method” on page 384.
• AAA default tunnel parameters—Use the aaa tunnel tx-connect-speed-method
command from Global Configuration mode. The router uses the calculation method
specified with this command if the tunnel attributes returned from an AAA domain
map, an AAA tunnel group, or a RADIUS authentication server do not include the
transmit connect speed calculation method. For instructions, see “Using AAA Default
Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method” on
page 385.
• RADIUS—Include the Tunnel-Tx-Speed-Method RADIUS attribute (Juniper Networks
VSA 26-94) in RADIUS Access-Accept messages. For instructions, see “Using AAA
Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation
Method” on page 385.
Transmit Connect Speed Calculation Methods
In previous releases, the router calculated the transmit speed of the subscriber’s access
interface based only on statically configured settings for the underlying layer 2 access
interface. With this feature, you can obtain a more accurate representation of the transmit
connect speed by choosing a calculation method that reflects changes to the layer 2
interface due to statically configured settings, dynamically configured settings, or QoS
settings.
You can choose one of the following methods for calculating the transmit connect speed
that is reported in L2TP Transmit (TX) Speed AVP 24:
• Static layer 2
• Dynamic layer 2
• QoS
• Actual (lesser of dynamic layer 2 or QoS)
The following sections describe each of these calculation methods.
NOTE: Configuring the transmit connect speed calculation method has no
effect on the operation of the L2TP Receive (RX) Speed AVP 38 or the
Connect-Info RADIUS attribute [77] at the LAC.
Static Layer 2
The static layer 2 method calculates the transmit connect speed of the subscriber’s
access interface based on the statically configured settings for the underlying layer 2
ATM 1483 or Ethernet interface. The static layer 2 method does not reflect changes to
the transmit speed of the layer 2 interface due to dynamically configured settings or to
QoS.
For ATM 1483 circuits, the static layer 2 value is based on the bandwidth that the
connection requires. The router uses certain traffic parameters for each service category
to determine the required bandwidth for the connection. For more information about
how the router computes bandwidth for ATM 1483 circuits, see the Connection Admission
Control section in JunosE Link Layer Configuration Guide .
For Ethernet VLANs, the static layer 2 value is the advisory transmit speed of the VLAN
subinterface, if configured with the vlan advisory-tx-speed command, or the speed of
the underlying physical port if the advisory transmit speed is not configured.
If there is no explicit static configuration for the layer 2 interface, L2TP reports the speed
of the underlying physical port as the transmit connect speed.
Dynamic Layer 2
The dynamic layer 2 method calculates the transmit connect speed of the subscriber’s
access interface based on the dynamically configured settings for the underlying layer 2
interface.
If there is no dynamic configuration for the layer 2 interface, L2TP reports the transmit
connect speed based on statically configured settings. If there is no static speed
configuration for the layer 2 interface, L2TP reports the speed of the underlying physical
port as the transmit connect speed.
QoS
The QoS method calculates the transmit connect speed of the subscriber’s access
interface based on settings determined by static or dynamic QoS configurations. This
calculation is based on the interface columns that QoS uses to build scheduler profiles
for L2TP sessions. For example, a typical interface column might consist of an L2TP
session over an Ethernet VLAN over a Gigabit Ethernet interface.
You can configure QoS to control the rate of any logical interface in the interface column.
For those logical interfaces with a rate controlled by QoS, QoS reports this configured
rate as the transmit connect speed for that interface. For those logical interfaces that
do not have a QoS-configured rate, QoS reports the speed of the underlying physical
port as the transmit connect speed.
For more information, see QoS and L2TP TX Speed AVP 24 Overview in JunosE Quality
of Service Configuration Guide.
Actual
The actual method calculates the transmit connect speed of the subscriber’s access
interface as the lesser of the following two values:
• Value using the dynamic layer 2 calculation method
• Value using the QoS calculation method
Transmit Connect Speed Calculation Examples
The examples in this section illustrate how the router uses the methods described in
“Transmit Connect Speed Calculation Methods” on page 380 to calculate the transmit
connect speed.
Example 1: L2TP Session over ATM 1483 Interface
In this example, an L2TP session is established over an ATM 1483 subinterface on an
OC3/STM1 ATM IOA. The configuration has the following characteristics:
• There is no explicit static configuration for the layer 2 (ATM 1483) interface.
• A transmit connect speed of 10 Mbps is provided dynamically from a RADIUS
authentication server when the subscriber logs in.
• The transmit connect speed calculated by QoS is 5 Mbps.
Based on these characteristics, Table 79 on page 382 lists the transmit connect speed
value reported in L2TP Transmit (TX) Speed AVP 24 for each calculation method, and
the reason why L2TP reports this value.
Table 79: Transmit Connect Speeds for L2TP over ATM 1483 Example
Calculation Method  Transmit Connect Speed Reported in AVP 24  Reason
Static layer 2      155 Mbps   L2TP reports the speed of the underlying OC3 physical port because there is no explicit static configuration for the layer 2 interface.
Dynamic layer 2     10 Mbps    L2TP reports the transmit connect speed provided by RADIUS.
QoS                 5 Mbps     L2TP reports the transmit connect speed calculated by QoS.
Actual              5 Mbps     L2TP reports the lesser of the dynamic layer 2 speed (10 Mbps) or the QoS speed (5 Mbps).
Example 2: L2TP Session over Ethernet VLAN Interface
In this example, an L2TP session is established over a PPPoE subinterface over an Ethernet
VLAN subinterface. The configuration has the following characteristics:
• The Ethernet VLAN subinterface is configured with an advisory transmit speed of
100 Mbps.
• The dynamic layer 2 setting does not apply to the VLAN subinterface.
• The transmit connect speed calculated by QoS is 10 Mbps.
Based on these characteristics, Table 80 on page 382 lists the transmit connect speed
value reported in L2TP Transmit (TX) Speed AVP 24 for each calculation method, and
the reason why L2TP reports this value.
Table 80: Transmit Connect Speeds for L2TP over Ethernet Example
Calculation Method  Transmit Connect Speed Reported in AVP 24  Reason
Static layer 2      100 Mbps   L2TP reports the advisory transmit speed configured on the VLAN subinterface. If configured, the advisory transmit speed takes precedence over the physical port speed for a VLAN subinterface.
Dynamic layer 2     100 Mbps   L2TP reports the static layer 2 value because the dynamic layer 2 setting does not apply to a VLAN subinterface.
QoS                 10 Mbps    L2TP reports the transmit connect speed calculated by QoS.
Actual              10 Mbps    L2TP reports the lesser of the dynamic layer 2 speed (100 Mbps) or the QoS speed (10 Mbps).
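To make the fallback rules of the four methods concrete, the following Python model is added here; it is not JunosE code. It computes the value reported in L2TP TX Speed AVP 24 for each method and reproduces the rows of Tables 79 and 80. The AccessInterface fields, the function names, and the 1 Gbps Ethernet port speed assumed for the second example (the guide does not state it) are the author's assumptions. It goes slightly beyond the tables by also applying the precedence between a method returned for the session (domain map, tunnel group, or RADIUS) and the virtual router default set with aaa tunnel tx-connect-speed-method.

```python
# Added illustration (not JunosE code): how each tx-connect-speed-method produces the
# value reported in L2TP TX Speed AVP 24, with the fallbacks described in this section.
from dataclasses import dataclass
from typing import Optional

MBPS = 1_000_000  # all speeds below are in bits per second


@dataclass(frozen=True)
class AccessInterface:
    """Speed inputs for a subscriber's access interface column (hypothetical model)."""
    physical_port_bps: int                 # speed of the underlying physical port
    static_l2_bps: Optional[int] = None    # explicit static layer 2 speed (CAC bandwidth or vlan advisory-tx-speed)
    dynamic_l2_bps: Optional[int] = None   # dynamically supplied speed, e.g. from RADIUS at login
    qos_bps: Optional[int] = None          # rate that QoS controls on a logical interface in the column


def static_layer2(iface: AccessInterface) -> int:
    """Static layer 2: the static configuration, else the physical port speed."""
    return iface.physical_port_bps if iface.static_l2_bps is None else iface.static_l2_bps


def dynamic_layer2(iface: AccessInterface) -> int:
    """Dynamic layer 2: the dynamic setting; without one, fall back to the static layer 2 value."""
    return static_layer2(iface) if iface.dynamic_l2_bps is None else iface.dynamic_l2_bps


def qos(iface: AccessInterface) -> int:
    """QoS: the QoS-configured rate; without one, the physical port speed."""
    return iface.physical_port_bps if iface.qos_bps is None else iface.qos_bps


def actual(iface: AccessInterface) -> int:
    """Actual: the lesser of the dynamic layer 2 and QoS values."""
    return min(dynamic_layer2(iface), qos(iface))


# Keyword names as accepted by tx-connect-speed-method / aaa tunnel tx-connect-speed-method
METHODS = {"static-layer2": static_layer2, "dynamic-layer2": dynamic_layer2,
           "qos": qos, "actual": actual}


def resolve_method(session_method: Optional[str], vr_default: Optional[str]) -> str:
    """Precedence: a method carried by the domain map, tunnel group or RADIUS wins; the
    virtual router default applies only when none was returned for the session."""
    method = session_method if session_method is not None else vr_default
    if method not in METHODS:
        # The guide does not say what happens when no method is configured anywhere, so refuse to guess.
        raise ValueError(f"no valid transmit connect speed method configured: {method!r}")
    return method


def tx_connect_speed(iface: AccessInterface, session_method: Optional[str] = None,
                     vr_default: Optional[str] = None) -> int:
    """Value (bps) that the LAC reports in AVP 24 for this interface and configuration."""
    return METHODS[resolve_method(session_method, vr_default)](iface)


def speeds_by_method(iface: AccessInterface) -> dict:
    """One entry per calculation method, in Mbps, in the shape of Tables 79 and 80."""
    return {name: fn(iface) // MBPS for name, fn in METHODS.items()}


# Constructed inputs matching the two examples above.  Example 1: OC3 ATM 1483 port
# (155 Mbps), no static layer 2 configuration, 10 Mbps from RADIUS, QoS computes 5 Mbps.
EXAMPLE_1_ATM = AccessInterface(physical_port_bps=155 * MBPS, dynamic_l2_bps=10 * MBPS, qos_bps=5 * MBPS)
# Example 2: VLAN advisory transmit speed 100 Mbps, no dynamic layer 2 setting, QoS computes
# 10 Mbps.  The guide does not state the Ethernet port speed; 1 Gbps is assumed here.
EXAMPLE_2_VLAN = AccessInterface(physical_port_bps=1000 * MBPS, static_l2_bps=100 * MBPS, qos_bps=10 * MBPS)

if __name__ == "__main__":
    for name, iface in (("ATM 1483", EXAMPLE_1_ATM), ("Ethernet VLAN", EXAMPLE_2_VLAN)):
        print(name, speeds_by_method(iface))
    # Nothing returned for the session, so the virtual router default decides.
    print(tx_connect_speed(EXAMPLE_1_ATM, session_method=None, vr_default="qos") // MBPS, "Mbps")
```

Running the block prints the four per-method values for each example; the second call shows the default-parameter path, where a session without a method of its own falls through to the virtual router default.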
Transmit Connect Speed Reporting Considerations
The following considerations affect the transmit connect speed value reported in L2TP
Transmit (TX) Speed AVP 24 when you use this feature.
Session Termination for Dynamic Speed Timeout
Under certain heavy load conditions, the router might be unable to obtain the
dynamic-layer2 value for the transmit connect speed of the subscriber’s access interface.
In this situation, the LAC sends the LNS an L2TP Call-Disconnect-Notify (CDN) message
to terminate the L2TP session.
For more information about supported L2TP terminate reasons, see “AAA Terminate
Reasons” on page 255.
Advisory Speed Precedence for VLANs over Bridged Ethernet
For interface columns that consist of an L2TP session over an Ethernet VLAN subinterface
over a bridged Ethernet interface, the advisory transmit speed of the VLAN subinterface,
if configured with the vlan advisory-tx-speed command, takes precedence over the
physical port speed of the underlying layer 2 ATM 1483 interface. As a result, if the advisory
transmit speed is configured for the VLAN subinterface, L2TP reports this value as the
transmit connect speed regardless of the port speed of the ATM 1483 interface.
Using AAA Domain Maps to Configure the Transmit Connect Speed Calculation Method
To configure the transmit connect speed calculation method for a tunneled L2TP session
associated with an AAA domain map:
1. Access Domain Map Tunnel Configuration mode.
host1(config)#aaa domain-map sunnyvale.com
host1(config-domain-map)#router-name lac
host1(config-domain-map)#tunnel 5
host1(config-domain-map-tunnel)#
For more information about how to map a domain to an L2TP tunnel from Domain
Map Tunnel Configuration mode, see “Mapping a User Domain Name to an L2TP
Tunnel Overview” on page 334.
2. From Domain Map Tunnel Configuration mode, configure the calculation method for
the transmit connect speed of the subscriber’s access interface.
host1(config-domain-map-tunnel)#tx-connect-speed-method dynamic-layer2
3. (Optional) Use the show aaa domain-map command to verify configuration of the
transmit connect speed calculation method.
host1(config-domain-map-tunnel)#run show aaa domain-map
Domain: sunnyvale.com; router-name: lac; ipv6-router-name: default
Tunnel  Tunnel  Tunnel  Tunnel  Tunnel  Tunnel    Tunnel  Tunnel
Tag     Peer    Source  Type    Medium  Password  Id      Client
                                                          Name
------  ------  ------  ------  ------  --------  ------  ------
5       <null>  <null>  l2tp    ipv4    <null>    <null>  <null>

Tunnel  Tunnel  Tunnel      Tunnel    Tunnel          Tunnel
Tag     Server  Preference  Max       Virtual         RWS
        Name                Sessions  Router
------  ------  ----------  --------  --------------  ------
5       <null>  2000        0         system chooses  <null>

Tunnel  Tunnel    Tunnel   Tunnel
Tag     Failover  Switch   Tx
        Resync    Profile  Speed Method
------  --------  -------  --------------
5       <null>    <null>   dynamic layer2
Using AAA Tunnel Groups to Configure the Transmit Connect Speed Calculation Method
To configure the transmit connect speed calculation method for a tunneled L2TP session
associated with an AAA tunnel group:
1. Access Tunnel Group Tunnel Configuration mode.
host1(config)#aaa tunnel-group boston
host1(config-tunnel-group)#tunnel 3
host1(config-tunnel-group-tunnel)#
For more information about how to map a domain to an L2TP tunnel from Tunnel
Group Tunnel Configuration mode, see “Mapping a User Domain Name to an L2TP
Tunnel Overview” on page 334.
2. From Tunnel Group Tunnel Configuration mode, configure the calculation method for
the transmit connect speed of the subscriber’s access interface.
host1(config-tunnel-group-tunnel)#tx-connect-speed-method qos
3. (Optional) Use the show aaa tunnel-group command to verify configuration of the
transmit connect speed calculation method.
host1(config-tunnel-group-tunnel)#run show aaa tunnel-group
Tunnel Group: boston
Tunnel  Tunnel  Tunnel  Tunnel  Tunnel  Tunnel    Tunnel  Tunnel
Tag     Peer    Source  Type    Medium  Password  Id      Client
                                                          Name
------  ------  ------  ------  ------  --------  ------  ------
3       <null>  <null>  l2tp    ipv4    <null>    <null>  <null>

Tunnel  Tunnel  Tunnel      Tunnel    Tunnel          Tunnel
Tag     Server  Preference  Max       Virtual         RWS
        Name                Sessions  Router
------  ------  ----------  --------  --------------  ------
3       <null>  2000        0         system chooses  <null>

Tunnel  Tunnel    Tunnel   Tunnel
Tag     Failover  Switch   Tx
        Resync    Profile  Speed
                           Method
------  --------  -------  ------
3       <null>    <null>   qos
Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation
Method
You can configure the transmit connect speed calculation method as a default AAA
tunnel parameter by using the aaa tunnel tx-connect-speed-method command from
Global Configuration mode. This command applies the specified calculation method to
all tunneled L2TP sessions associated with a particular virtual router, and thereby
alleviates the need for you to configure the transmit connect speed calculation method
for each individual subscriber.
Configuring the calculation method as a default AAA tunnel parameter for a virtual router
has lower precedence than using AAA domain maps, AAA tunnel groups, or RADIUS to
configure the transmit connect speed calculation method. The router uses the calculation
method specified with the aaa tunnel tx-connect-speed-method command if the tunnel
attributes returned from an AAA domain map, an AAA tunnel group, or a RADIUS
authentication server do not include the transmit connect speed calculation method.
To configure the transmit connect speed calculation method for all tunneled L2TP
sessions associated with a particular virtual router:
1. Create the virtual router for which you want to configure the transmit connect speed
calculation method.
host1(config)#virtual-router north
For more information about configuring and using virtual routers, see the Configuring
Virtual Routers chapter in JunosE System Basics Configuration Guide.
2. Configure the transmit connect speed calculation method in the context of this virtual
router.
host1:north(config)#aaa tunnel tx-connect-speed-method qos
• To specify the calculation method for the transmit connect speed, use one of the
following keywords, as described in “Using AAA Tunnel Groups to Configure the
Transmit Connect Speed Calculation Method” on page 384:
  • static-layer2
  • dynamic-layer2
  • qos
  • actual
3. (Optional) Use the show aaa tunnel-parameters command to verify configuration
of the transmit connect speed calculation method.
host1:north(config)#run show aaa tunnel-parameters
Tunnel password is <NULL>
Tunnel client-name is <NULL>
Tunnel nas-port-method is none
Tunnel switch-profile is boston
Tunnel tx-connect-speed-method is qos
Tunnel nas-port ignore disabled
Tunnel nas-port-type ignore disabled
Tunnel assignmentId format is assignmentId
Tunnel calling number format is fixed
Using RADIUS to Configure the Transmit Connect Speed Calculation Method
On the LAC, the router can receive tunnel configuration attributes through a RADIUS
authentication server. To use RADIUS to configure the transmit connect speed calculation
method for a subscriber’s access interface, you can configure RADIUS to include the
Tunnel-Tx-Speed-Method RADIUS attribute (Juniper Networks VSA 26-94) in RADIUS
Access-Accept messages.
Table 81 on page 386 describes the Tunnel-Tx-Speed-Method RADIUS attribute. For more
information about RADIUS Access-Accept messages, see “Subscriber AAA Access
Messages Overview” on page 172. For a description of the RADIUS attributes supported
by JunosE Software, see “RADIUS IETF Attributes” on page 231.
Table 81: Tunnel-Tx-Speed-Method RADIUS Attribute
Attribute Number: [26-94]
Attribute Name: Tunnel-Tx-Speed-Method
Description: The method that the router uses to calculate the transmit connect speed of the subscriber’s access interface
Length: 12
Subtype Length: 6
Value: integer:
• 1 = static-layer2; TX speed based on static layer 2 settings
• 2 = dynamic-layer2; TX speed based on dynamic layer 2 settings
• 3 = qos; TX speed based on QoS settings
• 4 = actual; TX speed that is the lesser of the dynamic-layer2 value or the qos value
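As an added example, not part of this guide or of any RADIUS server implementation, the following Python shows what the attribute described in Table 81 looks like on the wire in an Access-Accept (Type 26, Length 12, Vendor-Id, Vendor-Type 94, Vendor-Length 6, 4-byte integer) and how a receiver validates the encoding before acting on it, ignoring malformed or unknown values rather than guessing. The vendor ID 4874 is not stated on this page; it is the vendor number JunosE uses for its VSAs in the standard JunosE RADIUS dictionary. The function names and the sample attribute list are the author's own.

```python
# Added illustration (not JunosE or RADIUS-server code): encode, validate and locate the
# Tunnel-Tx-Speed-Method VSA (26-94) inside the attribute list of an Access-Accept.
import struct

VENDOR_SPECIFIC = 26
JUNIPER_VENDOR_ID = 4874       # vendor number used for JunosE VSAs (taken from the JunosE RADIUS dictionary, not from this page)
TUNNEL_TX_SPEED_METHOD = 94    # vendor subtype from Table 81

# Integer values from Table 81 and the tx-connect-speed-method keywords they select
TX_SPEED_METHOD_VALUES = {1: "static-layer2", 2: "dynamic-layer2", 3: "qos", 4: "actual"}
TX_SPEED_METHOD_CODES = {name: code for code, name in TX_SPEED_METHOD_VALUES.items()}


def encode_tunnel_tx_speed_method(method: str) -> bytes:
    """Build the 12-byte attribute: Type 26, Length 12, Vendor-Id (4), Vendor-Type 94,
    Vendor-Length 6, and the 4-byte integer value."""
    code = TX_SPEED_METHOD_CODES[method]
    vendor_data = struct.pack("!BBI", TUNNEL_TX_SPEED_METHOD, 6, code)
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + vendor_data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_tunnel_tx_speed_method(attr: bytes):
    """Return the method name carried in a single attribute, or None when the bytes are not a
    well-formed 26-94 integer attribute or carry a value outside 1..4."""
    if len(attr) < 2 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr) or attr[1] != 12:
        return None
    vendor_id, vendor_type, vendor_length = struct.unpack("!IBB", attr[2:8])
    if vendor_id != JUNIPER_VENDOR_ID or vendor_type != TUNNEL_TX_SPEED_METHOD or vendor_length != 6:
        return None
    (code,) = struct.unpack("!I", attr[8:12])
    return TX_SPEED_METHOD_VALUES.get(code)


def find_tx_speed_method(attributes: bytes):
    """Walk the Type/Length/Value attributes of an Access-Accept and return the first
    Tunnel-Tx-Speed-Method found; None if absent or if the list is malformed."""
    pos = 0
    while pos + 2 <= len(attributes):
        length = attributes[pos + 1]
        if length < 2 or pos + length > len(attributes):
            return None  # truncated or corrupt attribute list: do not trust anything after it
        method = decode_tunnel_tx_speed_method(attributes[pos:pos + length])
        if method is not None:
            return method
        pos += length
    return None


# Constructed Access-Accept attribute list: Framed-IP-Address (8) 192.0.2.10 followed by the VSA.
SAMPLE_ACCESS_ACCEPT_ATTRIBUTES = bytes([8, 6, 192, 0, 2, 10]) + encode_tunnel_tx_speed_method("actual")

if __name__ == "__main__":
    print(encode_tunnel_tx_speed_method("qos").hex())
    print(find_tx_speed_method(SAMPLE_ACCESS_ACCEPT_ATTRIBUTES))
```

The length checks mirror the Length and Subtype Length columns of Table 81; an attribute whose declared lengths disagree with its size, or whose integer is outside the four documented values, yields None so the router-side default (aaa tunnel tx-connect-speed-method) would apply instead of an undefined method.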
Related Documentation
• Transmit Connect Speed Calculation Methods on page 380
• Using AAA Domain Maps to Configure the Transmit Connect Speed Calculation Method
on page 383
• Using AAA Tunnel Groups to Configure the Transmit Connect Speed Calculation Method
on page 384
• Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed
Calculation Method on page 385
• Using RADIUS to Configure the Transmit Connect Speed Calculation Method on page 386
• aaa tunnel tx-connect-speed-method
• tx-connect-speed-method
PPP Accounting Statistics
JunosE accounting for tunneled subscribers at the L2TP LAC counts the payload that
PPP passes to or receives from L2TP for transport. At this stage in the protocol processing,
any padding outside PPP, such as that for PPPoE, has been removed. Accounting includes
the authentication acknowledgement packet, CHAP success packets, and PAP
acknowledgment packets. Accounting ends when L2TP has been notified to terminate
the session. The statistics are reported in the following RADIUS attributes:
Attribute Number  Attribute Name
42                Acct-Input-Octets
43                Acct-Output-Octets
47                Acct-Input-Packets
48                Acct-Output-Packets
Termination of a tunneled session can result from PPP termination, L2TP shutdown,
subscriber logout, or lower layer down events. When the session is terminated through
PPP, the software counts both the PPP terminate-request and the PPP
terminate-acknowledgement packets.
• Accounting statistics reported in RADIUS octet counts (Acct-Input-Octets and
Acct-Output-Octets) for tunneled PPP customers at the L2TP LAC include the following
data:
  • All upper layer control traffic, including IPCP, IPCPv6, OSICP, and MPLSNCP
  • All data traffic, including IP, IPv6, MPLS, and OSI
  • PPP PAP or CHAP acknowledgments, and also retransmissions of PAP or CHAP that
  take place after the session is active (even when proxy authentication is accepted)
  • All PPP PAP or CHAP negotiations in the case where proxy authentication is disabled
  or required to renegotiate at the LNS
  • All LCP traffic when proxy LCP is disabled or required to renegotiate at the LNS
  • All PPP LCP echo requests and their responses
  • PPP LCP terminate-request or terminate-acknowledgement packets from the client
  or LNS when PPP initiates termination of the session
  • If present, the two PPP header bytes (Address Field 0xFF and Control Field 0x03)
  as part of the L2TP payload
• Accounting statistics reported in RADIUS octet counts (Acct-Input-Octets and
Acct-Output-Octets) for tunneled PPP customers at the L2TP LAC exclude the
following data:
  • LCP when Proxy LCP is enabled and accepted at the LNS
  • Initial PPP PAP request
  • Initial PPP CHAP challenge and response
• Accounting statistics reported in RADIUS packet counts (Acct-Input-Packets and
Acct-Output-Packets) for tunneled PPP customers at the L2TP LAC are based on
packets delivered to or received from the L2TP session. These statistics exclude L2TP
control traffic and L2TP hello messages.
For information on accounting statistics for terminated PPP sessions, see the PPP
Accounting Statistics Overview section in JunosE Link Layer Configuration Guide .
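As an added illustration of the inclusion and exclusion rules above (not JunosE code), the following Python classifies a constructed sequence of PPP frames for one tunneled session and totals the four RADIUS counters, once with proxy LCP and proxy authentication accepted at the LNS and once with both disabled. The frame model, the LacSessionState fields, the choice to treat the session as active once the PAP acknowledgment or CHAP success has been sent, and the assumption that packet counts follow the same inclusion rules as octet counts are the author's own.

```python
# Added illustration (not JunosE code): which PPP frames of a tunneled session the LAC
# counts toward Acct-Input/Output-Octets and Acct-Input/Output-Packets.
from dataclasses import dataclass
from typing import List, Optional

# Standard PPP protocol numbers and control-protocol code values
LCP, PAP, CHAP, IPCP, IPV6CP, IP, IPV6 = 0xC021, 0xC023, 0xC223, 0x8021, 0x8057, 0x0021, 0x0057
LCP_TERM_REQUEST, LCP_TERM_ACK, LCP_ECHO_REQUEST, LCP_ECHO_REPLY = 5, 6, 9, 10
PAP_AUTH_REQUEST, PAP_AUTH_ACK = 1, 2
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS = 1, 2, 3
ACK_CODES = {PAP: PAP_AUTH_ACK, CHAP: CHAP_SUCCESS}   # the acknowledgments that are always counted


@dataclass
class PppFrame:
    """A PPP frame as handed between PPP and L2TP (hypothetical model)."""
    protocol: int
    code: Optional[int]              # code byte of a control-protocol frame; None for data
    payload: bytes                   # everything after the protocol field
    direction: str = "in"            # "in" = from the subscriber (Acct-Input-*), "out" = toward the subscriber
    has_hdlc_header: bool = False    # 0xFF 0x03 address/control bytes present in the L2TP payload

    def counted_octets(self) -> int:
        """Octets PPP passes to L2TP: optional 2-byte header, 2-byte protocol field, payload."""
        return (2 if self.has_hdlc_header else 0) + 2 + len(self.payload)


@dataclass
class LacSessionState:
    proxy_lcp_accepted: bool = True    # LNS accepted proxy LCP, so LCP negotiation is not counted
    proxy_auth_accepted: bool = True   # LNS accepted proxy authentication, so the initial PAP/CHAP exchange is not counted
    session_active: bool = False       # assumption: set once the PAP ack / CHAP success has been sent


def is_counted(frame: PppFrame, state: LacSessionState) -> bool:
    if frame.protocol == LCP:
        # Echo request/reply and terminate-request/ack always count; other LCP traffic only
        # when proxy LCP is disabled or the LNS renegotiates.
        if frame.code in (LCP_ECHO_REQUEST, LCP_ECHO_REPLY, LCP_TERM_REQUEST, LCP_TERM_ACK):
            return True
        return not state.proxy_lcp_accepted
    if frame.protocol in ACK_CODES:
        # PAP ack / CHAP success always count; requests, challenges and responses count only as
        # retransmissions after the session is active, or when proxy authentication is not accepted.
        if frame.code == ACK_CODES[frame.protocol]:
            return True
        return state.session_active or not state.proxy_auth_accepted
    return True   # NCP control traffic (IPCP, IPV6CP, ...) and all data traffic


def account(frames: List[PppFrame], state: LacSessionState) -> dict:
    """Total the four RADIUS accounting attributes for one session.  L2TP control and hello
    messages are not PPP frames and never appear in the input."""
    totals = {"Acct-Input-Octets": 0, "Acct-Output-Octets": 0,
              "Acct-Input-Packets": 0, "Acct-Output-Packets": 0}
    for frame in frames:
        if is_counted(frame, state):
            side = "Input" if frame.direction == "in" else "Output"
            totals[f"Acct-{side}-Octets"] += frame.counted_octets()
            totals[f"Acct-{side}-Packets"] += 1
        if frame.protocol in ACK_CODES and frame.code == ACK_CODES[frame.protocol]:
            state.session_active = True
    return totals


def sample_session() -> List[PppFrame]:
    """Constructed frame sequence: LCP and PAP negotiation, IPCP, IP data, an echo exchange, termination."""
    return [
        PppFrame(LCP, 1, b"\x01" * 8, "in"),                        # LCP configure-request
        PppFrame(PAP, PAP_AUTH_REQUEST, b"\x02" * 10, "in"),        # initial PAP request
        PppFrame(PAP, PAP_AUTH_ACK, b"\x03" * 5, "out"),            # PAP acknowledgment
        PppFrame(IPCP, 1, b"\x04" * 10, "in", has_hdlc_header=True),
        PppFrame(IPCP, 2, b"\x05" * 10, "out"),
        PppFrame(IP, None, b"\x06" * 40, "in"),
        PppFrame(IP, None, b"\x07" * 60, "out"),
        PppFrame(LCP, LCP_ECHO_REQUEST, b"\x08" * 8, "in"),
        PppFrame(LCP, LCP_ECHO_REPLY, b"\x09" * 8, "out"),
        PppFrame(LCP, LCP_TERM_REQUEST, b"\x0a" * 4, "in"),
        PppFrame(LCP, LCP_TERM_ACK, b"\x0b" * 4, "out"),
    ]


if __name__ == "__main__":
    print("proxy LCP and proxy auth accepted:", account(sample_session(), LacSessionState()))
    print("proxy LCP and proxy auth disabled: ",
          account(sample_session(), LacSessionState(proxy_lcp_accepted=False, proxy_auth_accepted=False)))
```

With both proxies accepted, the LCP configure-request and the initial PAP request contribute nothing, while the PAP acknowledgment, the IPCP exchange (including the two HDLC header bytes on the inbound frame), the data, the echo exchange and the terminate exchange all do; disabling the proxies adds the excluded negotiation frames to the input counters.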
Related Documentation
• Application Support for Stateful Line Module Switchover
• Collecting Accounting Statistics on page 65
• RADIUS IETF Attributes Supported for Subscriber AAA Accounting Messages on page 183
Stateful Line Module Switchover for LNS Sessions
In releases in which the stateful line module switchover feature is not available or in
scenarios in which this behavior is disabled, a reload of the line module disconnects user
sessions and disrupts traffic forwarding through it. In a network in which an E120 or E320
router that contains the Service IOA functions as the LNS device on one side of the L2TP
tunnel, the LNS is the logical termination point of a PPP connection that is being tunneled
from the remote system by the LAC. A LAC receives packets from a remote client and
forwards them to an LNS on a remote network. All the tunneled sessions terminate on
the LNS to provide enhanced performance during decapsulation and encapsulation of
packets, and fragmentation and reassembly of tunneled packets. If the line module in
the LNS that performs the traffic processing encounters a fault, such as a hardware or
software error, all the active subscriber sessions are disconnected.
Stateful switchover of LNS sessions avoids subscriber disconnections during the
switchover of the line module installed on the LNS device (tunnel server module or ES2-S1
Service IOA on ES2 4G LMs in this case). You can enable high availability for the line
module pairs using the mode high-availability slot command in Redundancy
Configuration mode. This command enables you to specify the slots in which the tunnel
server line modules that you want to be configured as the primary and secondary modules
reside. If HA is active between these modules, the secondary module becomes the primary
when the assigned primary module fails. The newly active primary module retains all the
subscribers that were active and were managed by the previously configured primary
module, without requiring the subscribers to reconnect. The failure of the tunnel
server module in the LNS device and the switchover from the defective module to the
newly active primary module are transparent to end users; subscriber sessions continue
without disruption.
Line module high availability uses a 1:1 redundancy model to maintain subscriber sessions,
and this functionality is supported only on E120 and E320 routers installed with ES2 4G
LMs and Service IOAs. This feature is supported only for PPP-based stacks (such as
L2TP, PPP, and IP) and not for other applications such as GRE.
The router uses the tunnel server module to increase the performance of packet
processing by offloading the decapsulation and reassembly of packets to the tunnel
server module. All the L2TP and PPP session data are downloaded to the tunnel server
module to assist this operation. When the primary tunnel server module fails, either due
to hardware or software error, subscribers are disconnected because of the PPP keepalive
expiry mechanism and also because the forwarding path is not maintained. When stateful
switchover for LNS sessions is enabled, you can provision another tunnel server module
as the secondary module in 1:1 mode. When this feature is enabled, all the required session
data is mirrored to the secondary module. Any session data change, such as session
creation or deletion, is mirrored from the primary to the secondary module. The previously
configured primary module, after it becomes operational, takes over the role of the
secondary module.
Related Documentation
• Stateful Line Module Switchover Overview
• Preservation of Statistics During Stateful Line Module Switchover
• Application Support for Stateful Line Module Switchover
CHAPTER 15
Configuring L2TP Dial-Out
This chapter describes the Layer 2 Tunneling Protocol (L2TP) dial-out feature on your
E Series router. This chapter includes the following sections:
• L2TP Dial-Out Overview on page 391
• L2TP Dial-Out Terms on page 392
• L2TP Dial-Out Platform Considerations on page 393
• L2TP Dial-Out References on page 393
• L2TP Dial-Out Network Model on page 393
• L2TP Dial-Out Process on page 394
• L2TP Dial-Out Operational States on page 395
• L2TP Dial-Out Outgoing Call Setup Details on page 398
• Creating a Profile Before Configuring L2TP Dial-Out on page 400
• Configuring L2TP Dial-Out on page 401
L2TP Dial-Out Overview
L2TP dial-out provides a way for corporate virtual private networks (VPNs) that use
Broadband Remote Access Server (B-RAS) to dial out to remote offices that have only
narrowband dial-up access. The L2TP network server (LNS) function is deployed in
networks that have a combination of broadband and narrowband access.
A remote site can communicate on demand with the home site with a normal L2TP
access concentrator (LAC) to LNS session. When the communication finishes, the remote
site terminates the session. However, if the home site wishes to communicate with the
remote site and no incoming call is currently established, the home site needs a method
to dial out to the remote site. This method is L2TP dial-out, which uses the L2TP outgoing
call support defined in RFC 2661—Layer Two Tunneling Protocol “L2TP” (August 1999).
Figure 10 on page 392 shows the dial-out model in which the LNS initiates L2TP sessions
and provides enough information to the narrowband LAC so that it can complete the
dial-out from the home site to the remote site.
Figure 10: Network Model for Dial-Out
NOTE: The dial-out feature exists in the LNS only. It does not exist in the LAC.
Related Documentation
• L2TP Overview on page 311
• L2TP Dial-Out Terms on page 392
• L2TP Dial-Out Network Model on page 393
• L2TP Dial-Out Operational States on page 395
• L2TP Dial-Out Process on page 394
• L2TP Dial-Out Outgoing Call Setup Details on page 398
L2TP Dial-Out Terms
Table 82 on page 392 describes key terms used in L2TP dial-out.
Table 82: L2TP Dial-Out Terms
Term              Description
Dial-out trigger  IP packet that initiates a dial-out session
Dial-out session  Control entity for a triggered IP flow used to manage the establishment of
                  an associated L2TP session for dial-out
Dial-out target   A virtual router context and an IP address prefix, for which the arrival of an
                  IP packet (a dial-out trigger) initiates a dial-out session.
Dial-out route    Contains the dial-out target, as well as a domain name and profile.
                  • The domain name is used in the initial Access-Request message.
                  • The profile is used to create the IP/Point-to-Point Protocol (PPP) stack
                  for the dial-out session.
Related Documentation
• L2TP Dial-Out Overview on page 391
• L2TP Dial-Out Network Model on page 393
• L2TP Dial-Out Operational States on page 395
• L2TP Dial-Out Process on page 394
• L2TP Dial-Out Outgoing Call Setup Details on page 398
L2TP Dial-Out Platform Considerations
L2TP dial-out is supported on all E Series routers.
For information about the modules supported on E Series routers:
• See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models,
and the ERX310 Broadband Services Router.
• See the E120 and E320 Module Guide for modules supported on the E120 and E320
Broadband Services Routers.
Related Documentation
• L2TP Dial-Out Overview on page 391
• L2TP Dial-Out Network Model on page 393
L2TP Dial-Out References
For more information about L2TP, see RFC 2661—Layer Two Tunneling Protocol “L2TP”
(August 1999).
Related Documentation
• L2TP Dial-Out Overview on page 391
• L2TP Dial-Out Network Model on page 393
L2TP Dial-Out Network Model
In the figure in “L2TP Dial-Out Overview” on page 391, the home site connects to the
Internet over a permanent leased line to the Internet service provider’s (ISP’s) E Series
LNS. The ISP uses an IP network to connect the LNS to the narrowband access point of
the network where the narrowband LAC exists. The narrowband LAC connects to a
narrowband network (ISDN) that the remote site is also connected to.
The figure shows three RADIUS servers. The home site maintains the home server, and
the other two servers are at the LNS and the LAC. The router accesses the home and
LNS RADIUS servers. (The separation of the RADIUS servers is transparent to the router.)
Before any attempts at connectivity can take place from the home site to the remote
site, an administrator must configure a dial-out route on the router. This route directs the
router to start a dial-out operation. The route includes a dial-out target (the virtual router
context and the IP address of the remote site). When the router receives a packet destined
for the target, it triggers a dial-out session to the target. The route is associated with a
profile that holds parameters for the interface stack that the router builds as a result of
the dial-out.
Related
Documentation
• L2TP Dial-Out Overview on page 391
• L2TP Dial-Out Terms on page 392
• L2TP Dial-Out Operational States on page 395
• L2TP Dial-Out Process on page 394
• L2TP Dial-Out Outgoing Call Setup Details on page 398
L2TP Dial-Out Process
The following is the dial-out process used in the network model illustrated in “L2TP
Dial-Out Overview” on page 391:
1. The router receives a trigger packet.
2. The router builds a RADIUS Access-Request message and sends it to the RADIUS
server that is associated with the virtual router on which the dial-out route is
defined—typically, the RADIUS home server.
3. The RADIUS server’s response to the Access-Request is similar to the response used
for LAC incoming calls. Notable differences are that the IP addresses of the peer are
interpreted as LAC addresses instead of LNS addresses. In addition, narrowband
details, such as calling numbers, are returned.
4. The LNS makes the outgoing call using a load-balancing or round-robin mechanism
identical to the one that the E Series LAC uses for incoming calls. The LAC may also
employ the LAC RADIUS in tunnel authentication.
5. Once the LNS successfully completes a control connection and session with the LAC,
the LAC performs the actual narrowband dial-out operation to the remote site using
the information passed by the LNS during session setup.
6. A PPP session is started on the remote customer premises equipment (CPE), and
mutual PPP authentication is performed at the remote CPE and the LNS as follows:
a. The LNS uses the LNS RADIUS server to validate the remote CPE’s PPP session,
while the CPE can use its own RADIUS server to validate the LNS’s PPP session.
b. The LNS uses the username and password that is returned in the first Access-Accept
message.
7. Once authentication is successful, an IP interface is built on top of the PPP interface
at the LNS. Internet Protocol Control Protocol (IPCP) is negotiated, and the framed
route that RADIUS returns as a result of the PPP authentication supersedes the dial-out
route.
IP traffic can now flow freely between the home and remote sites.
Related
Documentation
• L2TP Dial-Out Overview on page 391
• L2TP Dial-Out Terms on page 392
• L2TP Dial-Out Network Model on page 393
• L2TP Dial-Out Operational States on page 395
• L2TP Dial-Out Outgoing Call Setup Details on page 398
L2TP Dial-Out Operational States
The dial-out state machine is a control process within the router that manages the
dial-out function for each IP flow. The dial-out state machine has four levels of control:
the router chassis, virtual router, targets, and sessions. This section describes the
operational states of each of these levels.
Chassis
Table 83 on page 395 describes the operational states of the chassis.
Table 83: Chassis Operational States
inService: Dial-out service is operational at the chassis level.
initializationFailed: Dial-out service could not obtain enough system resources for basic
operation. All configuration commands fail, and the dial-out service does not function.
Virtual Router
Table 84 on page 395 describes the operational states of the virtual router.
Table 84: Virtual Router Operational States
inService: Dial-out service is operational for the virtual router.
initPending: Dial-out service is waiting for the virtual router to be operational. Targets
defined within the virtual router are not functional.
down: The dial-out interface for this virtual router is down. Targets defined within the
virtual router are not functional.
Targets
Table 85 on page 395 describes the operational states of the targets.
Table 85: Target Operational States
inService: Dial-out route is up and operational.
inhibited: Dial-out service cannot obtain sufficient resources to handle triggers, and all
triggers are discarded. When resources become available, a target can transition from
inhibited to inService. Note that sessions within an inhibited target that are already in
the process of connecting or are in the inService state are not affected by this condition.
down: There are insufficient resources to support the creation of a dial-out route for the
target. When resources become available, the target can transition to inService. Note that
sessions within a down target that are already in the process of connecting or are in the
inService state are not affected by this condition.
Sessions
Table 86 on page 396 describes operational states of the sessions.
Table 86: Session Operational States

authenticating: New sessions start in the authenticating state. In this state, the dial-out
state machine has received a valid trigger and is waiting for authentication, authorization,
and accounting (AAA) to complete the initial authentication. On getting a grant from AAA,
the session transitions to the connecting state. Alternatively, on getting a deny from AAA,
the session transitions to the inhibited state.

connecting: Sessions enter the connecting state when authentication is complete. In this
state, the dial-out state machine has initiated an outgoing L2TP call. On entering this
state, the session-connecting timer is set to the chassis-wide trigger timer value. The
session stays in this state until either the outgoing call is successful or the connecting
timer expires. Any new trigger packets received for this session when it is in the
connecting state are discarded.

inService: A session enters the inService state from the connecting state on successful
completion of the dial-out call request. The session stays in this state until the outgoing
call is closed.

inhibited: A session enters the inhibited state from the connecting state when the
connecting timer expires (that is, the outgoing call was unsuccessful). This state prevents
the router from thrashing on an outgoing call that cannot be completed. When in this state,
the router discards all trigger packets received for the session.
The inhibited timer controls the amount of time spent in this state. The setting of the
inhibited timer varies depending on whether the session is entering the inhibited state for
the first time or is reentering the state.
• If it is the first time, the inhibited timer is initialized to the chassis-wide trigger
value.
• If it is reentering the state, the inhibited timer is initialized to 2 times the previous
value of the inhibited timer, up to a maximum of 8 times the chassis-wide trigger value.
For example, if the chassis-wide trigger value is 30 seconds, the setting of the inhibited
timer within the session (on subsequent immediate reentries; see postInhibited state) is
30, 60, 120, 240. Since 240 is 8 x 30, the inhibited timer for this session is never set
larger than 240 seconds.

postInhibited: A session enters the postInhibited state after completion of an inhibited
state. The inhibited timer is reused to control the amount of time the session stays in
postInhibited state. In this state the timer repeatedly times out and reduces the inhibited
timer by a factor of 2 on each iteration. Once the inhibited timer reaches zero, the session
transitions to dormant. The receipt of a trigger in this state results in a transition to
the authenticating state.

dormant: A session enters the dormant state after completion of a postInhibited state. The
dormant timer is initialized to the chassis-wide dormant timer value, minus the time the
session spent in the postInhibited state. Receipt of a new trigger packet transitions the
session to the authenticating state. If the dormant timer expires, the session is deleted.
The dormant state exists to allow analysis of a dial-out session before it is deleted.

pending: A session enters the pending state when a valid trigger is received but there
already are the maximum number of connecting sessions in the router. The router discards
all subsequent trigger packets until other sessions transition out of the connecting state.
When this happens, pending sessions can transition to the dormant state.

failed: A session enters the failed state when the router detects a configuration error
that prevents the successful operation of the session. Specifically, one of the final steps
in a dial-out request is mutual PPP authentication at the LNS. A side-effect of
authentication is the installation of an access route for the outgoing call. If the access
route does not correspond to the trigger packet (that is, the trigger packet cannot be
routed successfully by the new access route), the router detects this discrepancy as a
configuration error because trigger packets that arrive are not forwarded into the outgoing
call; rather, they are buffered or discarded.
The only way to exit the failed state is with the l2tp dial-out session reset command.
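The inhibited and postInhibited timer arithmetic in Table 86 is easier to check in code. The following is an added example, not Juniper code: a Python model of the session states above, driven by simulated trigger, AAA and timer events. It assumes integer-second timers, integer halving, that the time spent in postInhibited is the sum of its timer expiries, and that a timer already decayed to zero counts as a first entry (none of which the guide spells out); the pending and failed states are left out.

```python
"""Added example (not Juniper code): the per-session timers of Table 86.

Assumptions the guide does not spell out: timers are integer seconds, "reduced
by a factor of 2" is integer division, time spent in postInhibited is the sum
of its timer expiries, and a session whose inhibited timer has already decayed
to zero enters inhibited "for the first time" again.  pending/failed omitted.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class DialOutSession:
    trigger_timer: int = 30         # chassis-wide l2tp dial-out connecting-timer-value
    dormant_timer_value: int = 300  # chassis-wide l2tp dial-out dormant-timer-value
    state: str = "authenticating"   # new sessions start here
    inhibited_timer: int = 0        # timer shared by inhibited and postInhibited
    dormant_timer: int = 0
    post_inhibited_elapsed: int = 0
    history: List[str] = field(default_factory=list)   # transitions taken

    def _enter(self, state: str) -> None:
        self.state = state
        self.history.append(state)

    def aaa_result(self, granted: bool) -> None:
        """Grant from AAA -> connecting; deny -> inhibited."""
        assert self.state == "authenticating"
        if granted:
            self._enter("connecting")
        else:
            self._enter_inhibited()

    def call_connected(self) -> None:
        """The outgoing L2TP call completed before the connecting timer expired."""
        assert self.state == "connecting"
        self._enter("inService")

    def trigger(self) -> str:
        """A trigger packet arrives: postInhibited/dormant restart authentication,
        connecting/inhibited discard it (inService forwarding is not modelled)."""
        if self.state in ("postInhibited", "dormant"):
            self._enter("authenticating")
            return "accepted"
        return "discarded"

    def timer_expired(self) -> None:
        """The timer that governs the current state ran out."""
        if self.state == "connecting":        # call never completed
            self._enter_inhibited()
        elif self.state == "inhibited":       # full inhibited period served
            self.post_inhibited_elapsed = 0
            self._enter("postInhibited")
        elif self.state == "postInhibited":   # halve on every expiry until zero
            self.post_inhibited_elapsed += self.inhibited_timer
            self.inhibited_timer //= 2
            if self.inhibited_timer == 0:
                self._enter_dormant()
        elif self.state == "dormant":         # no trigger arrived: session deleted
            self._enter("deleted")

    def _enter_inhibited(self) -> None:
        if self.inhibited_timer == 0:         # first time: chassis-wide trigger value
            self.inhibited_timer = self.trigger_timer
        else:                                 # reentry: double, capped at 8x
            self.inhibited_timer = min(2 * self.inhibited_timer, 8 * self.trigger_timer)
        self._enter("inhibited")

    def _enter_dormant(self) -> None:
        # chassis-wide dormant value minus the time already spent in postInhibited
        self.dormant_timer = max(self.dormant_timer_value - self.post_inhibited_elapsed, 0)
        self._enter("dormant")


def immediate_reentry_values(trigger_timer: int = 30, failures: int = 5) -> List[int]:
    """Inhibited timer settings when each postInhibited period is cut short by a new
    trigger and the next call fails again: the guide's 30, 60, 120, 240 series."""
    s = DialOutSession(trigger_timer=trigger_timer)
    values = []
    for _ in range(failures):
        s.aaa_result(True)
        s.timer_expired()      # connecting timer expires: call failed -> inhibited
        values.append(s.inhibited_timer)
        s.timer_expired()      # inhibited timer expires -> postInhibited
        s.trigger()            # immediate re-trigger -> authenticating
    return values              # [30, 60, 120, 240, 240] for the defaults


def single_failure_to_dormant(trigger_timer: int = 30, dormant_value: int = 300) -> DialOutSession:
    """One failed call and no further trigger: inhibited, decay, then dormant."""
    s = DialOutSession(trigger_timer=trigger_timer, dormant_timer_value=dormant_value)
    s.aaa_result(True)
    s.timer_expired()          # -> inhibited, timer 30
    s.timer_expired()          # -> postInhibited; timer then 15, 7, 3, 1, 0
    while s.state == "postInhibited":
        s.timer_expired()
    return s                   # post_inhibited_elapsed 56, dormant_timer 244
```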
Related
Documentation
• L2TP Dial-Out Overview on page 391
• L2TP Dial-Out Terms on page 392
• L2TP Dial-Out Network Model on page 393
• L2TP Dial-Out Process on page 394
• L2TP Dial-Out Outgoing Call Setup Details on page 398
L2TP Dial-Out Outgoing Call Setup Details
This section details the process described in “L2TP Dial-Out Process” on page 394.
Access-Request Message
To create the username in the authentication request, the router uses the trigger, dial-out
route, domain name, and optional Multiprotocol Label Switching (MPLS) route
distinguisher (RD). The username is constructed as follows:
[MPLS RD]/{trigger destination address}@domain-name
For example, given a dial-out route with an IP prefix of 10.10.0.0/16, a domain name of
L2TP-dial-out.de.dt, and an MPLS RD of 0.0.0.0:65000, if a trigger packet arrives with
a destination IP address of 10.10.1.1, the router creates the following username:
0.0.0.0:65000/10.10.1.1@L2TP-dial-out.de.dt
No password is offered, and the authentication request is passed to the S-series AAA
server for normal authentication processing.
Using the above example, the AAA domain map processes the L2TP-dial-out.de.dt
domain as for any other domain. If RADIUS authentication is configured for the
authenticating virtual router (VR) context, AAA passes the authentication request to the
E Series RADIUS client. The RADIUS authentication request is consistent with other
requests, except that the Service-Type attribute is set to outbound (value of 5).
Access-Accept Message
The router expects RADIUS attributes that define a tunnel to be returned with the additions
in Table 87 on page 398. If tunnel attributes are excluded from the Access-Accept message
or the returned Service-Type attribute is not set to outbound, the dial-out session is
denied.
Table 87: Additions to RADIUS Attributes in Access-Accept Messages
Attribute 6 (Service-Type): Outbound
Attribute 67 (Tunnel-Server-Endpoint): IP address of LAC
Juniper VSA 26-35 (Tunnel-Dialout-Number): L2TP dial-out number
Juniper VSA 26-36 (PPP-Username): Username used in PPP L2TP dial-out sessions at the LNS
Juniper VSA 26-37 (PPP-Password): Password used in PPP L2TP dial-out sessions at the LNS
Juniper VSA 26-38 (PPP-Protocol): Authentication protocol used for L2TP sessions.
0 = none; 1 = PAP; 2 = CHAP; 3 = PAP-CHAP; 4 = CHAP-PAP
Juniper VSA 26-39 (Tunnel-Min-Bps): Minimum line speed; passed to LAC (not interpreted by
the LNS)
Juniper VSA 26-40 (Tunnel-Max-Bps): Maximum line speed; passed to LAC (not interpreted by
the LNS)
Juniper VSA 26-41 (Tunnel-Bearer-Type): Bearer capability required: 0 = none; 1 = analog;
2 = digital. Passed to LAC (not interpreted by the LNS).
Outgoing Call
After receiving a valid tunnel definition from AAA, the E Series LNS initiates an outgoing
call. The router follows the same load-sharing mechanisms as for incoming calls. See
“Configuring LAC Tunnel Selection Parameters” on page 348.
After an outgoing call is successfully signaled, the router dynamically creates a PPP
interface. The profile in the dial-out route definition specifies any PPP configuration
options. Both the L2TP session and the PPP interface exist on a Service module, identical
to the LNS operation for incoming calls.
Once the PPP interface is created, Link Control Protocol (LCP) and IPCP are negotiated.
Mutual Authentication
Mutual authentication takes place in LCP, where the LNS validates the PPP interface on
the remote CPE and vice versa. The LNS takes the same actions to authenticate the peer as
it does on incoming calls.
The LNS obtains the PPP username and password from the initial Access-Accept
message. It then provides this information to the remote CPE for authentication.
Route Installation
Once authentication is complete, the router creates a new access route. This route directs
the forwarding of IP packets related to the original trigger packet to the newly created
interface. The route does not need to be identical to the one specified in the dial-out
route, but it must be able to forward packets that have the same destination address as
the trigger packet. However, if the access route does not encompass the dial-out route
definition, any other trigger packets initiate a new dial-out session.
The dial-out state machine verifies that the trigger packet can be forwarded over the
route.
• If the verification is unsuccessful, the dial-out session is put into the failed state.
• If the verification is successful, the dial-out session is put into the inService state.
Related
Documentation
• L2TP Dial-Out Overview on page 391
• L2TP Dial-Out Terms on page 392
• L2TP Dial-Out Network Model on page 393
• L2TP Dial-Out Operational States on page 395
• L2TP Dial-Out Process on page 394
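The username construction under Access-Request Message, the Access-Accept checks of Table 87 and the route verification under Route Installation, combined into one added Python example (not Juniper code). RADIUS attributes are modelled as a dict keyed by attribute number or VSA name rather than encoded on the wire; the LAC endpoint 192.0.2.10, the dial-out number and the PPP credentials in the sample are constructed values.

```python
"""Added example (not Juniper code): the dial-out AAA exchange and route check.

Attribute numbers and VSA names come from Table 87; wire encoding is out of
scope.  Sample LAC address, dial-out number and PPP credentials are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SERVICE_TYPE = 6                 # RADIUS attribute 6
TUNNEL_SERVER_ENDPOINT = 67      # RADIUS attribute 67: IP address of the LAC
SERVICE_TYPE_OUTBOUND = 5        # value the router sends and expects back
PPP_PROTOCOL_NAMES = {0: "none", 1: "PAP", 2: "CHAP", 3: "PAP-CHAP", 4: "CHAP-PAP"}


@dataclass(frozen=True)
class DialOutRoute:
    """What "l2tp dial-out target <ip> <mask> <domain> profile <name>" configures."""
    prefix: ipaddress.IPv4Network
    domain: str
    profile: str
    mpls_rd: Optional[str] = None   # optional MPLS route distinguisher


def dial_out_target(ip: str, mask: str, domain: str, profile: str,
                    mpls_rd: Optional[str] = None) -> DialOutRoute:
    """Build a route from the same arguments the CLI command takes."""
    return DialOutRoute(ipaddress.IPv4Network(f"{ip}/{mask}"), domain, profile, mpls_rd)


def dial_out_username(route: DialOutRoute, trigger_dst: str) -> Optional[str]:
    """[MPLS RD]/{trigger destination address}@domain-name, or None when the
    destination lies outside the dial-out prefix (the packet is not a trigger)."""
    dst = ipaddress.IPv4Address(trigger_dst)
    if dst not in route.prefix:
        return None
    rd_part = f"{route.mpls_rd}/" if route.mpls_rd else ""
    return f"{rd_part}{dst}@{route.domain}"


def build_access_request(route: DialOutRoute, trigger_dst: str) -> Dict:
    """Access-Request as the router builds it: username, no password,
    Service-Type set to outbound (5)."""
    username = dial_out_username(route, trigger_dst)
    if username is None:
        raise ValueError(f"{trigger_dst} is not a trigger for {route.prefix}")
    return {"User-Name": username, SERVICE_TYPE: SERVICE_TYPE_OUTBOUND}


def check_access_accept(attrs: Dict) -> Optional[str]:
    """None if the Access-Accept lets the dial-out proceed, otherwise the reason
    the session is denied (the two conditions the guide names)."""
    if attrs.get(SERVICE_TYPE) != SERVICE_TYPE_OUTBOUND:
        return "Service-Type is not outbound"
    if TUNNEL_SERVER_ENDPOINT not in attrs:
        return "no tunnel attributes (Tunnel-Server-Endpoint missing)"
    try:
        ipaddress.IPv4Address(attrs[TUNNEL_SERVER_ENDPOINT])
    except ValueError:
        return "Tunnel-Server-Endpoint is not an IPv4 address"
    return None


def ppp_credentials(attrs: Dict) -> Tuple[str, Optional[str], Optional[str]]:
    """Authentication protocol name plus the PPP username/password the LNS
    presents to the remote CPE (VSAs 26-38, 26-36, 26-37)."""
    proto = PPP_PROTOCOL_NAMES.get(attrs.get("PPP-Protocol", 0), "unknown")
    return proto, attrs.get("PPP-Username"), attrs.get("PPP-Password")


def verify_access_route(access_route: str, trigger_dst: str,
                        route: DialOutRoute) -> Tuple[str, bool]:
    """Route Installation check: the resulting session state, and whether the
    access route encompasses the whole dial-out prefix (if not, other
    destinations in the prefix will start new dial-out sessions)."""
    installed = ipaddress.IPv4Network(access_route)
    if ipaddress.IPv4Address(trigger_dst) not in installed:
        return "failed", False
    return "inService", route.prefix.subnet_of(installed)


# The guide's worked values; the Access-Accept contents are constructed.
ROUTE = dial_out_target("10.10.0.0", "255.255.0.0", "L2TP-dial-out.de.dt", "dialOut",
                        mpls_rd="0.0.0.0:65000")
SAMPLE_ACCEPT = {SERVICE_TYPE: SERVICE_TYPE_OUTBOUND, TUNNEL_SERVER_ENDPOINT: "192.0.2.10",
                 "Tunnel-Dialout-Number": "5551234", "PPP-Username": "homesite",
                 "PPP-Password": "constructed-secret", "PPP-Protocol": 2}

if __name__ == "__main__":
    print(build_access_request(ROUTE, "10.10.1.1")["User-Name"])
    print(check_access_accept(SAMPLE_ACCEPT), ppp_credentials(SAMPLE_ACCEPT))
    print(verify_access_route("10.10.1.0/24", "10.10.1.1", ROUTE))
```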
Creating a Profile Before Configuring L2TP Dial-Out
Create a profile that the router uses to create the dynamic PPP and IP interfaces on the
LNS. The profile specifies parameters that are common to all dial-out sessions that use
the profile. The following is an example of a typical profile configuration.
1. Create a profile.
host1(config)#profile dialOut
host1(config-profile)#
2. Specify the interface used for dial-out.
host1(config-profile)#ip unnumbered loopback 0/0
3. Specify the virtual router for the dial-out user’s IP interface.
host1(config-profile)#ip virtual-router lns
4. Specify the authentication mechanism.
host1(config-profile)#ppp authentication chap
Related
Documentation
• L2TP Dial-Out Network Model on page 393
• L2TP Dial-Out Process on page 394
• L2TP Dial-Out Outgoing Call Setup Details on page 398
• ip virtual-router
• ip unnumbered
• ppp authentication
• profile
Configuring L2TP Dial-Out
L2TP dial-out configuration tasks include the following sets of tasks:
• Creating an L2TP Dial-Out Session on page 401
• Specifying the Maximum Timeout Period for Establishing an L2TP Dial-Out Session on
page 401
• Specifying the Duration for an L2TP Dial-Out Session to Remain in Dormant State on
page 402
• Specifying the Maximum Triggers to Buffer for an L2TP Dial-Out Session on page 402
• Deleting an L2TP Dial-Out Session on page 402
• Resetting an L2TP Dial-Out Session on page 403
Creating an L2TP Dial-Out Session
You can define an L2TP dial-out target by using the l2tp dial-out target command. When
the router receives packets destined for the target, it creates a dial-out session.
To create a dial-out session:
• Issue the l2tp dial-out target command in Global Configuration mode.
host1(config)#l2tp dial-out target 10.10.0.0 255.255.0.0 L2TP-dial-out.de.dt profile dialOut
When you create a target, you must specify the following:
• ipAddress—IP address of the target
• ipAddressMask—IP address mask of the target
• domainName—Domain name used in the outgoing call Access-Request message
• profileName—Name of profile used to create the interface stack
Use the default version to remove the L2TP dial-out route. Use the no version to remove
the L2TP dial-out route or target.
Specifying the Maximum Timeout Period for Establishing an L2TP Dial-Out Session
You can optionally set the maximum time allowed for successful establishment of an
L2TP dial-out session.
To set the maximum time allowed for attempts to establish L2TP dial-out sessions:
• Issue the l2tp dial-out connecting-timer-value command in Global Configuration mode.
host1(config)#l2tp dial-out connecting-timer-value 30
If the session fails to be established before the connecting timer expires, subsequent
attempts to establish the dial-out session to the same destination are inhibited
temporarily. The range is 30–3600 seconds.
Use the no version to set the connecting timer to the default, 30 seconds.
Specifying the Duration for an L2TP Dial-Out Session to Remain in Dormant State
You can optionally specify the duration for which the dial-out session stays in the dormant
state waiting for a new trigger after the associated L2TP outgoing call ends.
To set how long the dial-out session waits in the dormant state for a new trigger after
the associated L2TP outgoing call ends:
• Issue the l2tp dial-out dormant-timer-value command in Global Configuration mode.
host1(config)#l2tp dial-out dormant-timer-value 300
If no trigger is received before the dormant timer expires, the dial-out session is deleted.
The range is 0–3600 seconds.
Use the no version to set the dormant timer to the default, 300 seconds (5 minutes).
Specifying the Maximum Triggers to Buffer for an L2TP Dial-Out Session
You can optionally set the maximum number of buffered trigger packets held for any
dial-out session pending the successful establishment of the L2TP session. Once the
session is established, the buffered trigger packets are transmitted.
To set the maximum number of trigger packets held in buffer while the dial-out session
is being established:
• Issue the l2tp dial-out max-buffered-triggers command in Global Configuration mode.
host1(config)#l2tp dial-out max-buffered-triggers 50
If the configured maximum number of buffered trigger packets is exceeded, any new
trigger packets received are discarded. The range of values is 0–50.
Use the no version to set the number of trigger buffers to the default, 0.
Deleting an L2TP Dial-Out Session
You can manually delete a dial-out session to close any L2TP outgoing call associated
with the dial-out session.
To delete a dial-out session:
• Issue the l2tp dial-out session delete command in Global Configuration mode.
host1#l2tp dial-out session delete 10.10.0.0
There is no no version.
Resetting an L2TP Dial-Out Session
You can reset a dial-out session by forcing it to the dormant state. After you reset a
dial-out session, any L2TP outgoing call associated with that session is closed.
To force the dial-out session to the dormant state where it remains until the dormant
timer expires or it receives a new trigger:
• Issue the l2tp dial-out session reset command in Global Configuration mode.
host1#l2tp dial-out session reset 10.10.0.0
There is no no version.
Related
Documentation
• L2TP Dial-Out Network Model on page 393
• L2TP Dial-Out Process on page 394
• L2TP Dial-Out Outgoing Call Setup Details on page 398
• Monitoring Chassis-wide Configuration for L2TP Dial-out on page 432
• Monitoring Status of Dial-out Sessions on page 437
• Monitoring Dial-out Targets within the Current VR Context on page 438
• Monitoring Operational Status within the Current VR Context on page 439
• l2tp dial-out connecting-timer-value
• l2tp dial-out dormant-timer-value
• l2tp dial-out max-buffered-triggers
• l2tp dial-out session delete
• l2tp dial-out session reset
• l2tp dial-out target
CHAPTER 16
L2TP Disconnect Cause Codes
• L2TP Disconnect Cause Codes on page 405
L2TP Disconnect Cause Codes
Table 88 on page 405 describes the Point-to-Point Protocol (PPP) disconnect cause
codes that are displayed by the show l2tp received-disconnect-cause-summary
command, sorted by code number. For additional information, see RFC 3145.
Table 88: PPP Disconnect Cause Codes

0 (no info): Code 0 includes disconnect causes that are not specifically identified by
other codes. This code is generated in the following circumstances:
• Internal resource constraints (for example, excessive load or reduced resource
availability) have prevented the generation of a more specific disconnect code.
• RFC 3145 does not define a disconnect code that corresponds to the cause of the
disconnection.
The following list shows current disconnection causes on an E Series LNS that do not have
a specific disconnect cause code:
• The peer initiated termination of LCP after the completion of LCP negotiations, but
prior to proceeding to authentication or NCP negotiation. No conditions occurred that
enabled the LNS to infer a more informative disconnect code.
• The peer initiated renegotiation of LCP.
• Invalid local MRU (for example, MRU negotiation has been disabled, but the lower MRU is
less than the default MRU of 1500).
• Unexpected local MLPPP MRRU for existing bundle (RFC 3145 code 10 covers peer MRRU
mismatches, but not local mismatches).
• Authentication failures not covered by any of the authentication-related codes (codes
13-16), such as:
  • Authentication denial of the local LCP by the peer
  • Local authentication failure due to no resources
  • Local authentication failure due to no authenticator
1 (admin disconnect): The disconnection was a result of direct administrative action,
including:
• The administrator shut down the network or link interface.
• The administrator logged out the subscriber.

2 (renegotiation disabled): Code 2 is not used; the E Series LNS is always capable of
renegotiating LCP if proxy data is not available.

3 (normal disconnect): Indicates that one of the following events occurred:
• user-initiated logout (direction 1)
• session timeout (direction 2)
• inactivity timeout (direction 2)
• address lease expired (direction 2)
The E Series LNS determines by inference that a normal disconnect has occurred for
direction 1. The LNS does this when the peer initiates LCP termination after proceeding
beyond the successful negotiation of LCP (that is, after starting authentication signaling
or NCP negotiation).
NOTE: The Error-code field is included by default in the Result Error Code attribute value
pair (AVP) in L2TP Call-Disconnect-Notify (CDN) messages, even in normal disconnect cases
when the peer initiates LCP termination after proceeding beyond LCP negotiation.

4 (compulsory encryption refused): Code 4 with direction 2 is generated if the following
conditions are met:
• The peer initiates LCP termination without having proceeded beyond the completion of
LCP negotiation, and
• Prior to receiving the terminate request from the peer, the local LCP has sent a
Protocol Reject in response to any packet for Encryption Control Protocol (ECP) protocols
(protocol codes 0x8053, 0x8055) from the peer.
Code 4 with direction 1 is never generated, because the E Series LNS never requests ECP.
5 (lcp failed to converge): An LCP configuration error prevented LCP from converging; the
two peers attempted to negotiate but did not agree on acceptable LCP parameters.

6 (lcp peer silent): LCP negotiation timed out; the LNS did not receive any LCP packets
from the LAC.

7 (lcp magic number error): A magic number error was detected; this indicates a possible
looped back link.

8 (lcp keepalive error): The keepalive drop count was exceeded.
9 (lcp mlppp endpoint discriminator mismatch): Code 9 is not used. Dynamic MLPPP bundling,
which is the only kind of MLPPP bundling supported for MLPPP/L2TP, uses the endpoint
discriminator as part of the key for bundle selection. Therefore, there will never be an
unexpected endpoint discriminator for an existing MLPPP bundle.

10 (lcp mlppp mrru not valid): The link attempted to join an existing MLPPP bundle whose
peer maximum received reconstructed unit (MRRU) did not match the peer MRRU negotiated by
the link.

11 (lcp mlppp peer ssn invalid): Code 11 is not used; the short sequence number (SSN)
option is not supported.

12 (lcp callback refused): Code 12 with direction 2 is generated when the following
conditions are met:
• The peer initiates LCP termination without having proceeded to NCP negotiation, and
• Prior to the termination, the local LCP has responded with a negative acknowledgement
(NAK) to a callback option (LCP option 13) from the peer.
The E Series LNS never generates code 12 with direction 1 because the LNS never requests
callback.

13 (authenticate timed out): Authentication failed because the authentication protocol
timed out; either the CHAP Authenticate Response or the PAP Authenticate Request was not
received.

14 (authenticate mlppp name mismatch): Code 14 is not used. Dynamic MLPPP bundling, which
is the only kind of MLPPP bundling supported for MLPPP/L2TP, uses the authenticated name
as part of the key for bundle selection. Therefore, there will never be an unexpected
authenticated name for an existing MLPPP bundle.

15 (authenticate protocol refused): No acceptable authentication protocol was negotiated
by LCP.
• Code 15 with direction 1 is generated if the peer rejected all of the authentication
protocols requested by the local LCP.
• Code 15 with direction 2 is generated if the following conditions are met:
  • The peer initiates LCP termination without having proceeded beyond completion of NCP
negotiation, and
  • During LCP negotiation, the local LCP responded with a NAK to the final authentication
protocol requested by the peer.
16 (authenticate failure):
• Code 16 with direction 1 is generated if the local authentication of the peer fails
(that is, the authenticator sent a PAP NAK or CHAP Failure packet).
• Code 16 with direction 2 is generated if the peer authentication of the local LCP fails
(that is, the authenticator received a PAP NAK or CHAP Failure packet).
Note that there are a variety of causes for authentication failures, including bad
credentials (bad name, password or secret) and resource problems.

17 (ncp no negotiation completed): Code 17 is generated only if an NCP configuration error
has prevented NCP negotiation from converging. This occurs when the two peers do not agree
on acceptable NCP parameters within the time allowed for upper-layer negotiation.
Code 19 takes precedence over code 17 in situations related to address convergence failure.

18 (ncp no ncps available): No NCPs were successfully enabled within the time allowed for
upper-layer negotiation.

19 (ncp addresses failed to converge): An NCP configuration error has prevented NCP
negotiation from converging on acceptable addresses. This occurs if the two peers never
agree on acceptable NCP addresses within the time allowed for upper-layer negotiation.
• Code 19 with direction 1 is generated if the peer denies address parameters requested
by the local NCP.
• Code 19 with direction 2 is generated if the local NCP denies address parameters
requested by the peer.
The IPv6 interface identifier is considered an address for the purposes of code 19.
Code 19 takes precedence over code 17 in situations related to address convergence failure.

20 (ncp negotiation inhibited):
• Code 20 with direction 2 indicates that an upper layer negotiation was inhibited for any
enabled NCP because the required network-layer parameters were not available as a result
of the authentication stage.
• Code 20 with direction 1 is never generated; the NCPs are never enabled if there is no
non-null local address.
Related
Documentation
• L2TP Terminate Reasons on page 256
• PPP Terminate Reasons on page 273
• disconnect-cause
• l2tp disconnect-cause
• show l2tp received-disconnect-cause-summary
CHAPTER 17
Monitoring L2TP and L2TP Dial-Out
When you have configured L2TP and L2TP dial-out on your E Series router, you can
monitor the active tunnels and sessions.
NOTE: All of the commands in this chapter apply to both the LAC and the
LNS.
L2TP and L2TP dial-out topics are described in the following sections:
• Monitoring the Mapping for User Domains and Virtual Routers with AAA on page 411
• Monitoring Configured Tunnel Groups with AAA on page 414
• Monitoring Configuration of Tunnel Parameters with AAA on page 416
• Monitoring Global Configuration Status on E Series Routers on page 417
• Monitoring Detailed Configuration Information for Specified Destinations on page 419
• Monitoring Locked Out Destinations on page 421
• Monitoring Configured Destination Profiles or Host Profiles on page 421
• Monitoring Configured and Operational Status of all Destinations on page 424
• Monitoring Statistics on the Cause of a Session Disconnection on page 425
• Monitoring Detailed Configuration Information about Specified Sessions on page 425
• Monitoring Configured and Operational Summary Status on page 427
• Monitoring Configured Switch Profiles on Router on page 428
• Monitoring Detailed Configuration Information about Specified Tunnels on page 428
• Monitoring Configured and Operational Status of All Tunnels on page 431
• Monitoring Chassis-wide Configuration for L2TP Dial-out on page 432
• Monitoring Status of Dial-out Sessions on page 437
• Monitoring Dial-out Targets within the Current VR Context on page 438
• Monitoring Operational Status within the Current VR Context on page 439
Monitoring the Mapping for User Domains and Virtual Routers with AAA
Purpose
Display the mapping between user domains and virtual routers.
Action
To display the mapping between user domains and virtual routers:
host1#show aaa domain-map
Domain: lac-tunnel; router-name: lac; ipv6-router-name: default
Tunnel  Tunnel       Tunnel  Tunnel  Tunnel  Tunnel    Tunnel
Tag     Peer         Source  Type    Medium  Password  Id
------  -----------  ------  ------  ------  --------  ----------
5       192.168.1.1  <null>  l2tp    ipv4    welcome   lac-tunnel

Tunnel  Tunnel
Tag     Client Name
------  -----------
5       lac

Tunnel  Tunnel   Tunnel  Tunnel    Tunnel    Tunnel      Tunnel   Tunnel  Tunnel
Tag     Virtual  Server  Failover  Max       Preference  Switch   RWS     Tx Speed
        Router   Name    Resync    Sessions              Profile          Method
------  -------  ------  --------  --------  ----------  -------  ------  --------
5       <null>   boston  <null>    0         5           denver   4       qos
Meaning
Table 89 on page 412 lists the show aaa domain-map command output fields.
Table 89: show aaa domain-map Output Fields
Field Name               Field Description
Domain                   Name of the domain
router-name              Virtual router to which the user domain name is mapped
router-mask              IPv4 mask of the local interface
tunnel-group             Name of the tunnel group assigned to the domain map
ipv6-router-name         IPv6 virtual router to which the user domain name is mapped
local-interface          Interface information to use on the local (E Series) side of the subscriber’s interface
ipv6-local-interface     IPv6 interface information to use on the local (E Series) side of the subscriber’s interface
poolname                 Local address pool from which the router allocates addresses for this domain
IP hint                  IP hint is enabled
strip-domain             Strip domain is enabled
override-username        Single username used for all users from a domain in place of the values received from the remote client
override-password        Single password used for all users from a domain in place of the values received from the remote client
Tunnel Tag               Tag that identifies the tunnel
Tunnel Peer              Destination address of the tunnel
Tunnel Source            Source address of the tunnel
Tunnel Type              L2TP
Tunnel Medium            Type of medium for the tunnel; only IPv4 is supported
Tunnel Password          Password for the tunnel (displayed in clear text)
Tunnel Id                ID of the tunnel
Tunnel Client Name       Host name that the LAC sends to the LNS when communicating with the LNS about the tunnel
Tunnel Server Name       Host name expected from the peer (the LNS) during tunnel startup
Tunnel Preference        Preference level for the tunnel
Tunnel Max Sessions      Maximum number of sessions allowed on a tunnel
Tunnel RWS               L2TP receive window size (RWS) for a tunnel on the LAC; displays either the configured value or the default behavior, which is indicated by "system chooses"
Tunnel Virtual Router    Name of the virtual router to map to the user domain name
Tunnel Failover Resync   L2TP peer resynchronization method
Field descriptions       The actual fields displayed depend on your configuration
Tunnel Switch Profile    Name of the L2TP tunnel switch profile
Tunnel Tx Speed Method   Method that the router uses to calculate the transmit connect speed of the subscriber’s access interface: static layer2, dynamic layer2, qos, actual, not set
Related Documentation
• show aaa domain-map
Monitoring Configured Tunnel Groups with AAA
Purpose
Display the currently configured tunnel groups.
Action
To display information about currently configured tunnel groups:
host1#show aaa tunnel-group
Tunnel Group: boston
Tunnel  Tunnel       Tunnel  Tunnel  Tunnel  Tunnel    Tunnel    Tunnel
Tag     Peer         Source  Type    Medium  Password  Max       Id
                                                       Sessions
------  -----------  ------  ------  ------  --------  --------  ------
3       192.168.1.1  <null>  l2tp    ipv4    msn       0         <null>

Tunnel  Tunnel       Tunnel  Tunnel      Tunnel   Tunnel    Tunnel
Tag     Client Name  Server  Preference  Virtual  Failover  Switch
                     Name                Router   Resync    Profile
------  -----------  ------  ----------  -------  --------  -------
3       msn.del.com  <null>  2000        <null>   <null>    sanjose

Tunnel  Tunnel  Tunnel
Tag     RWS     Tx Speed
                Method
------  ------  --------
3       4       qos
Meaning
Table 90 on page 414 lists the show aaa tunnel-group command output fields.
Table 90: show aaa tunnel-group Output Fields
Field Name               Field Description
Domain                   Name of the domain
router-name              Virtual router to which the user domain name is mapped
router-mask              IPv4 mask of the local interface
tunnel-group             Name of the tunnel group assigned to the domain map
ipv6-router-name         IPv6 virtual router to which the user domain name is mapped
local-interface          Interface information to use on the local (E Series) side of the subscriber’s interface
ipv6-local-interface     IPv6 interface information to use on the local (E Series) side of the subscriber’s interface
poolname                 Local address pool from which the router allocates addresses for this domain
IP hint                  IP hint is enabled
strip-domain             Strip domain is enabled
override-username        Single username used for all users from a domain in place of the values received from the remote client
override-password        Single password used for all users from a domain in place of the values received from the remote client
Tunnel Tag               Tag that identifies the tunnel
Tunnel Peer              Destination address of the tunnel
Tunnel Source            Source address of the tunnel
Tunnel Type              L2TP
Tunnel Medium            Type of medium for the tunnel; only IPv4 is supported
Tunnel Password          Password for the tunnel (displayed in clear text)
Tunnel Id                ID of the tunnel
Tunnel Client Name       Host name that the LAC sends to the LNS when communicating with the LNS about the tunnel
Tunnel Server Name       Host name expected from the peer (the LNS) during tunnel startup
Tunnel Preference        Preference level for the tunnel
Tunnel Max Sessions      Maximum number of sessions allowed on a tunnel
Tunnel RWS               L2TP receive window size (RWS) for a tunnel on the LAC; displays either the configured value or the default behavior, which is indicated by "system chooses"
Tunnel Virtual Router    Name of the virtual router to map to the user domain name
Tunnel Failover Resync   L2TP peer resynchronization method
Field descriptions       The actual fields displayed depend on your configuration
Tunnel Switch Profile    Name of the L2TP tunnel switch profile
Tunnel Tx Speed Method   Method that the router uses to calculate the transmit connect speed of the subscriber’s access interface: static layer2, dynamic layer2, qos, actual, not set
Related Documentation
• The information displayed is almost identical to the tunnel information displayed using the show aaa domain-map command. See Monitoring the Mapping for User Domains and Virtual Routers with AAA on page 411.
• show aaa tunnel-group
Monitoring Configuration of Tunnel Parameters with AAA
Purpose
Display the configuration of tunnel parameters used for tunnel definitions.
Action
To display the configuration of tunnel parameters used for tunnel definitions:
host1#show aaa tunnel-parameters
Tunnel password is 3&92k%b#q4
Tunnel client-name is <NULL>
Tunnel nas-port-method is none
Tunnel switch profile is boston
Tunnel tx-connect-speed-method is qos
Tunnel nas-port ignore disabled
Tunnel nas-port-type ignore disabled
Tunnel assignmentId format is assignmentId
Tunnel calling number format is fixed (stacked)
Tunnel calling number format fallback is fixed
Meaning
Table 91 on page 416 lists the show aaa tunnel-parameters command output fields.
Table 91: show aaa tunnel-parameters Output Fields
Field Name                             Field Description
Tunnel password                        Default tunnel password (displayed in clear text)
Tunnel client-name                     Hostname that the LAC sends to the LNS when communicating about the tunnel
Tunnel nas-port-method                 Default NAS port type
Tunnel switch profile                  Name of the default L2TP tunnel switch profile
Tunnel tx-connect-speed-method         Method that the router uses to calculate the transmit connect speed of the subscriber’s access interface: static layer2, dynamic layer2, qos, actual, not set
Tunnel nas-port ignore                 Whether the router uses the tunnel peer’s NAS-Port [5] attribute; enabled or disabled
Tunnel nas-port-type ignore            Whether the router uses the tunnel peer’s NAS-Port-Type [61] attribute; enabled or disabled
Tunnel assignmentId format             Value of the tunnel assignment ID that is passed to PPP/L2TP
Tunnel calling number format           Format configured for L2TP Calling Number AVP 22 generated by the LAC
Tunnel calling number format fallback  Fallback format configured for L2TP Calling Number AVP 22 generated by the LAC
Related Documentation
• show aaa tunnel-parameters
Monitoring Global Configuration Status on E Series Routers
Purpose
Display the global configuration and status for L2TP on E Series routers, including switched sessions.
Action
To display the global configuration and status for L2TP on E Series routers, including switched sessions:
host1#show l2tp
Configuration
L2TP administrative state is enabled
Dynamic interface destruct timeout is 600 seconds
Data packet checksums are disabled
Receive data sequencing is not ignored
Tunnel switching is disabled
Retransmission retries for established tunnels is 5
Retransmission retries for not-established tunnels is 5
Tunnel idle timeout is 60 seconds
Failover within a preference level is disabled
Weighted load balancing is disabled
Tunnel authentication challenge is enabled
Calling number avp is enabled
Reject remote transmit address change is enabled for ip address
Ignore remote transmit address change is disabled
Disconnect-cause avp generation is enabled
Default receive window size is system chooses
Rx speed avp when equal is enabled
Destination lockout timeout is 300 seconds
Destination lockout test is disabled
Failover resync is silent-failover
Sub-interfaces     total  active  failed  auth-errors
Destinations       0      0       0       n/a
Tunnels            0      0       0       0
Sessions           0      0       0       n/a
Switched-sessions  0      0       0       n/a
Meaning
Table 92 on page 417 lists the show l2tp command output fields.
Table 92: show l2tp Output Fields
Field Name                                          Field Description
Configuration                                       Configuration and status for L2TP on E Series routers, including switched sessions
L2TP administrative state                           Status of L2TP on the router; enabled or disabled
Dynamic interface destruct timeout                  Number of seconds that the router maintains dynamic destinations, tunnels, and sessions after they have terminated
Data packet checksums                               Status of checking data integrity via UDP; enabled or disabled
Receive data sequencing                             Whether the router processes or ignores sequence numbers in incoming data packets
Tunnel switching                                    Enabled or disabled
Retransmission retries for established tunnels      Number of retries configured for established tunnels
Retransmission retries for not-established tunnels  Number of retries configured for tunnels that are not established
Tunnel idle timeout                                 Length of the tunnel idle timeout, in seconds
Failover within a preference level                  Enabled or disabled
Weighted load balancing                             Enabled or disabled
Tunnel authentication challenge                     Enabled or disabled
Calling number avp                                  Whether the E Series LAC sends Calling-Station-Id and Called-Station-Id AVPs in ICRQ packets; enabled or disabled
Reject remote transmit address change               Enabled or disabled for IP address, UDP port, or both
Ignore remote transmit address change               Enabled or disabled for IP address, UDP port, or both
Disconnect-cause avp generation                     Enabled or disabled
Default receive window size                         Default L2TP RWS for a tunnel on both the LAC and the LNS; displays either the configured value or the default behavior, indicated by "system chooses"
Rx speed avp when equal                             Enabled or disabled
Destination lockout timeout                         Number of seconds that L2TP destinations remain in the lockout state after they become unavailable
Destination lockout test                            Status of the L2TP destination lockout test; enabled or disabled
Failover resync                                     Global L2TP peer resynchronization configuration
Sub-interfaces                                      Sub-interface information about L2TP
total                                               Number of destinations, tunnels, and sessions that the router created
active                                              Number of operational destinations, tunnels, and sessions
failed                                              Number of requests that did not reach an operational state
auth-errors                                         Number of requests that failed because the tunnel password was invalid
Related Documentation
• show l2tp
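The settings and counters that show l2tp reports are the first things to check when reviewing the L2TP posture of a LAC or LNS. The following Python script is an added example and not Juniper code: it parses a captured show l2tp output into the configuration settings and the Sub-interfaces counter table, then reports the items a security reviewer would act on: tunnel authentication challenge not enabled (the peer is then not authenticated with the tunnel password during tunnel setup), neither reject nor ignore set for remote transmit address changes (address or port changes announced in SCCRP are accepted), UDP data checksums disabled, and non-zero auth-errors or failed counts on the Tunnels row. The sample text is the page's own output, altered (constructed) so that the challenge is disabled, the reject setting is disabled and the Tunnels row carries auth-errors; the severities and the choice of checks are this example's own.

```python
"""Audit `show l2tp` output from a JunosE E Series router (LAC or LNS).

Added example, not Juniper code: parses the "<setting> is <value>" lines and
the Sub-interfaces counter table, then reports what a security reviewer
would act on.  Severities and the choice of checks are this example's own.
"""
import re

# Constructed sample: the page's `show l2tp` output with three deliberate
# changes (challenge disabled, reject of address changes disabled, auth
# errors on the Tunnels row) so that the audit has findings to report.
SAMPLE_SHOW_L2TP = """\
Configuration
L2TP administrative state is enabled
Dynamic interface destruct timeout is 600 seconds
Data packet checksums are disabled
Receive data sequencing is not ignored
Tunnel switching is disabled
Retransmission retries for established tunnels is 5
Retransmission retries for not-established tunnels is 5
Tunnel idle timeout is 60 seconds
Failover within a preference level is disabled
Weighted load balancing is disabled
Tunnel authentication challenge is disabled
Calling number avp is enabled
Reject remote transmit address change is disabled
Ignore remote transmit address change is disabled
Disconnect-cause avp generation is enabled
Default receive window size is system chooses
Rx speed avp when equal is enabled
Destination lockout timeout is 300 seconds
Destination lockout test is disabled
Failover resync is silent-failover
Sub-interfaces     total  active  failed  auth-errors
Destinations       2      2       0       n/a
Tunnels            7      5       2       3
Sessions           64     64      0       n/a
Switched-sessions  0      0       0       n/a
"""

SETTING_RE = re.compile(r"^\s*(?P<name>.+?) (?:is|are) (?P<value>.+?)\s*$")
COUNTER_COLUMNS = ("total", "active", "failed", "auth-errors")


def parse_show_l2tp(text):
    """Return (settings, counters); "n/a" counters are stored as None."""
    settings, counters = {}, {}
    in_table = False
    for line in text.splitlines():
        if line.strip().startswith("Sub-interfaces"):
            in_table = True  # every following line belongs to the counter table
            continue
        if in_table:
            parts = line.split()
            if len(parts) == 1 + len(COUNTER_COLUMNS):
                counters[parts[0]] = {col: None if val == "n/a" else int(val)
                                      for col, val in zip(COUNTER_COLUMNS, parts[1:])}
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group("name")] = m.group("value")
    return settings, counters


def audit_show_l2tp(text):
    """Return a list of (severity, message) findings for one capture."""
    settings, counters = parse_show_l2tp(text)
    findings = []
    # Without the challenge, the tunnel password does not authenticate the peer.
    if settings.get("Tunnel authentication challenge") != "enabled":
        findings.append(("high", "tunnel authentication challenge is not enabled; "
                                 "peers are not authenticated with the tunnel password"))
    # With neither reject nor ignore enabled, the peer can move the control
    # connection to another address or port via SCCRP.
    reject = settings.get("Reject remote transmit address change", "")
    ignore = settings.get("Ignore remote transmit address change", "")
    if not reject.startswith("enabled") and not ignore.startswith("enabled"):
        findings.append(("medium", "remote transmit address/port changes in SCCRP "
                                   "are accepted (neither reject nor ignore is enabled)"))
    if settings.get("Data packet checksums") == "disabled":
        findings.append(("low", "UDP checksums on L2TP data packets are disabled"))
    tunnels = counters.get("Tunnels", {})
    auth_errors = tunnels.get("auth-errors") or 0
    if auth_errors:
        findings.append(("high", f"{auth_errors} tunnel request(s) failed because the "
                                 "tunnel password was invalid; check for a mismatched "
                                 "password or an unauthorized peer"))
    failed = tunnels.get("failed") or 0
    if failed:
        findings.append(("info", f"{failed} tunnel request(s) never reached an "
                                 "operational state"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_show_l2tp(SAMPLE_SHOW_L2TP):
        print(f"[{severity}] {message}")
```

Run against the page's own capture (challenge enabled, reject enabled for ip address, all counters zero) the script reports only the disabled data checksums; the commands in this chapter apply to both LAC and LNS, so the same capture can be audited on either end.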
Monitoring Detailed Configuration Information for Specified Destinations
Purpose
Display detailed configuration information about specified destinations.
Action
To display information about a specific destination, identified by its peer IP address:
host1#show l2tp destination ip 172.31.1.98
L2TP destination 1 is Up with 5 active tunnels and 64 active sessions
To display detailed information about a specific destination (here, destination 1):
host1#show l2tp destination detail 1
L2TP destination 1 is Up with 5 active tunnels and 64 active sessions
Configuration
Administrative state is enabled
SNMP traps are enabled
Destination address
Transport ipUdp
Virtual router default
Local address 192.168.1.230, peer address 172.31.1.98
Destination status
Effective administrative state is enabled
Sub-interfaces  total     active    failed    auth-errors
Tunnels         5         5         0         0
Sessions        64        64        0         n/a
Statistics      packets   octets    discards  errors
Control rx      69        3251      2         0
Control tx      195       23939     0         0
Data rx         68383456  68383456  0         0
Data tx         68383456  68383456  0         0
Meaning
Table 93 on page 420 lists the show l2tp destination command output fields.
Table 93: show l2tp destination Output Fields
Field Name                Field Description
Configuration             Configured status of the destination
Administrative state      Administrative status of the destination:
                          • enabled—No restrictions on creation and operation of sessions and tunnels for this destination
                          • disabled—Router disabled existing sessions and tunnels and will not create new sessions or tunnels for this destination
                          • drain—Router will not create new sessions or tunnels for this destination
SNMP traps                Whether or not the router sends traps to SNMP for operational state changes
Destination address       Address information for the specified destination
Transport                 Method used to transfer traffic
Virtual router            Name of the virtual router on which the destination is configured
Local and peer addresses  Addresses of the local and remote interfaces
Destination status        Effective administrative state—The more restrictive of the router and destination administrative states. This setting, rather than the administrative state of the destination, determines whether the router can create new sessions or tunnels and whether the sessions or tunnels are disabled for this destination.
Sub-interfaces            Sub-interface information about the L2TP destination
total                     Number of sessions or tunnels that the router created for this destination
active                    Number of operational sessions or tunnels for this destination
failed                    Number of requests that did not reach an operational state for this destination
auth-errors               Number of requests that failed because the tunnel password was invalid for this destination
Statistics                Information about the traffic sent and received
Related Documentation
• show l2tp destination
Monitoring Locked Out Destinations
Purpose
Display information about the L2TP destinations that are currently locked out.
Action
To display information about the L2TP destinations that are currently locked out:
host1#show l2tp destination lockout
L2TP destination 36 is waiting for lockout timeout (45 seconds remaining)
L2TP destination 54 is waiting for lockout test start
L2TP destination 76 is waiting for lockout test complete
3 L2TP lockout destinations found
Meaning
Table 94 on page 421 lists the show l2tp destination lockout command output fields.
Table 94: show l2tp destination lockout Output Fields
Field Name                       Field Description
L2TP destination waiting         Name of the destination and its lockout status. The status indicates whether the destination is waiting for the lockout timeout to expire (and how much time is left), or waiting for the lockout test to start or finish
L2TP lockout destinations found  Number of destinations that are currently in the lockout state
Related Documentation
• show l2tp destination lockout
Monitoring Configured Destination Profiles or Host Profiles
Purpose
Display either a list of configured L2TP destination profiles or the host profiles defined
in a particular profile.
If a nondefault L2TP RWS is configured for a particular host profile, the command displays
the RWS setting as an attribute of that host profile (see the mexico host profile in the second example under Action).
Action
To display either a list of configured L2TP destination profiles or the host profiles defined
in a particular profile:
host1#show l2tp destination profile
L2TP destination profile westford
1 L2TP destination profile found
To display the host profiles defined in a particular destination profile; a nondefault L2TP RWS
appears as an attribute of the host profile for which it is configured:
host1#show l2tp destination profile westford
L2TP destination profile westford
Configuration
Destination address
Transport ipUdp
Virtual router lns
Peer address 192.168.1.99
Destination profile maximum sessions is 5000
Current session count in group-A is 14, max-sessions configured is 3400
Current session count in group-B is 2, max-sessions configured is 4600
Statistics
Destination profile current session count is 30
Host profile attributes
Remote host is remhost22.xyz.com
Configuration
Tunnel password is 23erf5
Interface profile is ebcints
Bundled group id is 1
Bundled group id override is enabled
Maximum sessions is 400
Failover resync is failover-protocol
Sessions-limit-group is group-A
Statistics
Current session count is 14
Remote host is asciitext
Configuration
Bundled group id is 0
Tunnel password is 222
Interface profile is ascints
Default upper binding type mlppp
Maximum sessions is 250
Failover resync is failover-protocol
Sessions-limit-group is group-B
Statistics
Current session count is 2
Remote host is mexico
Configuration
Local ip address is 10.10.2.2
Proxy lcp is disabled
Proxy authenticate is enabled
mlppp upper binding type
Disconnect-cause avp is enabled
Receive window size is 4
Maximum sessions is 500
Failover resync is failover-protocol
Statistics
Current session count is 14
Remote host is LAC
Configuration
Tunnel password is TunnelPass
Local host name is LNS
Local ip address is 46.1.1.2
Disconnect-cause avp is enabled
Tunnels are single-shot
Override out-of-resource-result-code is enabled
Statistics
Current session count is 0
5 L2TP host profiles found
Meaning
Table 95 on page 423 lists the show l2tp destination profile command output fields.
Table 95: show l2tp destination profile Output Fields
Field Name                                Field Description
Destination profile attributes            Destination profile attributes of the L2TP destination
Transport                                 Method used to transfer traffic
Virtual Router                            Name of the virtual router on which the destination profile is configured
Peer address                              IP address of the LAC
Destination profile maximum sessions      Maximum number of sessions allowed for the destination profile
Destination profile current session count Number of current sessions for the destination profile
Host profile attributes                   Host profile attributes of the L2TP destination
Remote host                               Name of the remote host
Local hostname                            Name of the local host
Local IP address                          IP address of the local host
Bundled group id                          Identifier for bundled sessions
Tunnel password                           Password for the tunnel (displayed in clear text)
Interface profile                         Name of the interface profile
Proxy lcp                                 Status of proxy LCP for the remote host
mlppp upper binding type                  Default upper binding type
Disconnect-cause avp generation           Status of the disconnect cause generation
Receive window size                       Number of packets that the peer can transmit without receiving an acknowledgment from the router
Maximum sessions                          Maximum number of sessions allowed for the host profile
Failover resync                           L2TP peer resynchronization method for the host profile
Override out-of-resource-result-code      State of result code override, enabled or disabled
Current session count                     Number of current sessions for the host profile
Sessions-limit-group                      Name of the session limit group
Related Documentation
• show l2tp destination profile
Monitoring Configured and Operational Status of all Destinations
Purpose
Display a summary of the configured and operational status of all L2TP destinations.
Action
To display a summary of the configured and operational status of all L2TP destinations:
host1#show l2tp destination summary
Administrative status  enabled  drain  disabled
                       0        0      0
Operational status     up  down  lower-down  not-present
                       0   0     0           0
Meaning
Table 96 on page 424 lists the show l2tp destination summary command output fields.
Table 96: show l2tp destination summary Output Fields
Field Name             Field Description
Administrative status  Administrative status of the L2TP destination:
                       • enabled—No restrictions on creation and operation of sessions and tunnels for this destination
                       • drain—Router will not create new sessions or tunnels for this destination
                       • disabled—Router disabled existing sessions and tunnels and will not create new sessions or tunnels for this destination
Operational status     Operational status of the L2TP destination:
                       • up—Destination is available for tunnels
                       • down—Destination is not available for tunnels
                       • lower-down—Underlying transport is unavailable; for example, you removed the virtual router
                       • not-present—Hardware supporting the destination is unavailable; for example, you removed a required line module
Related Documentation
• show l2tp destination
Monitoring Statistics on the Cause of a Session Disconnection
Purpose
Display statistics for all information the LAC receives from an LNS about the cause of an
L2TP session disconnection.
Action
To display statistics for all information the LAC receives from an LNS about the cause
of an L2TP session disconnection:
host1#show l2tp received-disconnect-cause-summary
Disconnect Cause (Code)                       Global     Peer       Local
--------------------------------------------- ---------- ---------- ----------
no info (0)                                   0          0          0
admin disconnect (1)                          0          0          0
renegotiation disabled (2)                    0          0          0
normal disconnect (3)                         0          0          0
compulsory encryption refused (4)             0          0          0
lcp failed to converge (5)                    0          0          0
lcp peer silent (6)                           0          0          0
lcp magic number error (7)                    0          0          0
lcp keepalive failure (8)                     0          0          0
lcp mlppp endpoint discriminator mismatch (9) 0          0          0
lcp mlppp peer mrru not valid (10)            0          0          0
lcp mlppp peer ssn invalid (11)               0          0          0
lcp callback refused (12)                     0          0          0
authenticate timed out (13)                   0          0          0
authenticate mlppp name mismatch (14)         0          0          0
authenticate protocol refused (15)            0          0          0
authenticate failure (16)                     0          0          0
ncp no negotiation completed (17)             0          0          0
ncp no ncps available (18)                    0          0          0
ncp addresses failed to converge (19)         0          0          0
ncp negotiation inhibited (20)                0          0          0
Meaning
Table 97 on page 425 lists the show l2tp received-disconnect-cause-summary command
details.
Table 97: show l2tp received-disconnect-cause-summary Output Fields
Field Name                                   Field Description
show l2tp received-disconnect-cause-summary  Display statistics for all information the LAC receives from an LNS about the cause of an L2TP session disconnection
Related Documentation
• show l2tp received-disconnect-cause-summary
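On a busy LAC the disconnect-cause counters are more useful as a distribution than as 21 raw numbers: a rising share of authentication causes (codes 13 through 16) points at a credential problem or at a brute-force attempt against subscriber accounts, while LCP causes point at link or peer trouble. The following Python script is an added example and not Juniper code: it parses the command's table into rows, groups the causes by the PPP phase their name starts with (lcp, authenticate, ncp, anything else), and reports totals, the authentication share and the top causes. The cause names and codes are the ones the command prints; the grouping is this example's own and the counter values in the sample are constructed, since the page's own capture shows every counter at zero.

```python
"""Summarise `show l2tp received-disconnect-cause-summary` output.

Added example, not Juniper code.  The cause names and codes are the ones the
command prints; the grouping of causes into categories and the counter
values in the sample are this example's own.
"""
import re

# Constructed sample in the command's layout; the page's own capture shows
# all counters at zero, so these values were invented to exercise the code.
SAMPLE_OUTPUT = """\
Disconnect Cause (Code)                       Global     Peer       Local
--------------------------------------------- ---------- ---------- ----------
no info (0)                                   12         12         0
admin disconnect (1)                          3          3          0
renegotiation disabled (2)                    0          0          0
normal disconnect (3)                         140        140        0
compulsory encryption refused (4)             0          0          0
lcp failed to converge (5)                    2          2          0
lcp peer silent (6)                           5          5          0
lcp magic number error (7)                    0          0          0
lcp keepalive failure (8)                     9          9          0
lcp mlppp endpoint discriminator mismatch (9) 0          0          0
lcp mlppp peer mrru not valid (10)            0          0          0
lcp mlppp peer ssn invalid (11)               0          0          0
lcp callback refused (12)                     0          0          0
authenticate timed out (13)                   4          4          0
authenticate mlppp name mismatch (14)         0          0          0
authenticate protocol refused (15)            1          1          0
authenticate failure (16)                     27         27         0
ncp no negotiation completed (17)             0          0          0
ncp no ncps available (18)                    0          0          0
ncp addresses failed to converge (19)         3          3          0
ncp negotiation inhibited (20)                0          0          0
"""

COLUMNS = ("global", "peer", "local")
ROW_RE = re.compile(
    r"^(?P<cause>.+?) \((?P<code>\d+)\)\s+(?P<c1>\d+)\s+(?P<c2>\d+)\s+(?P<c3>\d+)$")


def parse_disconnect_summary(text):
    """Return one dict per cause row: code, cause, global, peer, local."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # the header and the dashed rule do not match
            row = {"code": int(m["code"]), "cause": m["cause"]}
            row.update({col: int(m[g]) for col, g in zip(COLUMNS, ("c1", "c2", "c3"))})
            rows.append(row)
    return rows


def category(cause):
    """Group a cause by the PPP phase its name starts with (example's own grouping)."""
    return {"lcp": "lcp", "authenticate": "authentication", "ncp": "ncp"}.get(
        cause.split()[0], "other")


def totals_by_category(rows, column="global"):
    totals = {}
    for row in rows:
        cat = category(row["cause"])
        totals[cat] = totals.get(cat, 0) + row[column]
    return totals


def authentication_share(rows, column="global"):
    """Fraction of all disconnects in `column` attributed to authentication causes."""
    total = sum(row[column] for row in rows)
    auth = sum(row[column] for row in rows if category(row["cause"]) == "authentication")
    return auth / total if total else 0.0


def top_causes(rows, n=3, column="global"):
    """The n most frequent non-zero causes as (cause, code, count)."""
    ranked = sorted(rows, key=lambda r: r[column], reverse=True)
    return [(r["cause"], r["code"], r[column]) for r in ranked[:n] if r[column]]


if __name__ == "__main__":
    rows = parse_disconnect_summary(SAMPLE_OUTPUT)
    print(totals_by_category(rows))
    print(f"authentication share: {authentication_share(rows):.1%}")
    print(top_causes(rows))
```

Because the counters are cumulative, the useful signal is the delta between two captures taken some minutes apart rather than the absolute values; the same functions apply to each capture, and the difference of the two totals_by_category results is the rate per category.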
Monitoring Detailed Configuration Information about Specified Sessions
Purpose
Display detailed configuration information about specified sessions.
Action
To display the L2TP sessions:
host1#show l2tp session
L2TP session 1/1/1 is Up
1 L2TP session found
To display L2TP session details:
host1#show l2tp session detail
L2TP session 1/1/1 is Up
Configuration
Administrative state is enabled
SNMP traps are enabled
Session status
Effective administrative state is enabled
State is established
Local session id is 25959, peer session id is 2
Statistics  packets  octets  discards  errors
Data rx     7        237     1         0
Data tx     6        160     0         0
Session operational configuration
User name is 't1.s1@local'
Tunneling PPP interface atm 0/0.1
Call type is lacIncoming
Call serial number is 0
Bearer type is none
Framing type is none
Proxy LCP was provided
Authentication method was chap
Tunnel switch profile is chicago
Meaning
Table 98 on page 426 lists the show l2tp session command output fields.
Table 98: show l2tp session Output Fields
Field Name                        Field Description
Configuration                     Configured status of the session
Administrative state              Administrative status of the session:
                                  • enabled—No restrictions on the operation of this session
                                  • disabled—Router terminated this session
SNMP traps                        Whether or not the router sends traps to Simple Network Management Protocol (SNMP) for operational state changes
Session status                    Status information for the session
Effective administrative state    Most restrictive of the following administrative states: router, destination, tunnel, and session. This setting, rather than the administrative state of the session, determines whether the router can maintain this session or not.
State                             Status of the session: idle, connecting, established, or disconnecting
Local and peer session id         Names the router uses to identify the session locally and remotely
Statistics                        Information about the traffic for this session
Session operational configuration Information received from the peer when the session was created
Related Documentation
• show l2tp session
Monitoring Configured and Operational Summary Status
Purpose
Display a summary of the configured and operational status of all L2TP sessions.
Action
To display a summary of the configured and operational status of all L2TP sessions:
host1#show l2tp session summary
Administrative status  enabled  disabled
                       64       0
Operational status     up  down  lower-down  not-present
                       64  0     0           0
Meaning
Table 99 on page 427 lists the show l2tp session summary command output fields.
Table 99: show l2tp session summary Output Fields
Field Name             Field Description
Administrative status  Administrative status of the session:
                       • enabled—No restrictions on the creation of sessions
                       • disabled—Router disabled these sessions
Operational status     Operational status of the session:
                       • up—Session is available
                       • down—Session is unavailable
                       • lower-down—Session is unavailable because the tunnel supporting it is inaccessible
                       • not-present—Session is unavailable because the hardware (such as a line module) supporting it is inaccessible
Related Documentation
• show l2tp session summary
Monitoring Configured Switch Profiles on Router
Purpose
Display information about the L2TP switch profiles configured on the router.
Action
To display only the names of the L2TP tunnel switch profiles configured on the router:
host1#show l2tp switch-profile
L2TP tunnel switch profile concord
L2TP tunnel switch profile myProfile
2 L2TP tunnel switch profiles found
To display information about the settings in a particular L2TP tunnel switch profile:
host1#show l2tp switch-profile concord
L2TP tunnel switch profile concord
AVP bearer type action is relay
AVP calling number action is relay
AVP Cisco nas port info action is relay
Meaning
Table 100 on page 428 lists the show l2tp switch-profile command output fields.
Table 100: show l2tp switch-profile Output Fields
Field Name                  Field Description
L2TP tunnel switch profile  Name of the L2TP tunnel switch profile
AVP actionType action is    Indicates the tunnel switching behavior or action type (for example, relay) configured for the specified L2TP AVP type
Related Documentation
• show l2tp switch-profile
Monitoring Detailed Configuration Information about Specified Tunnels
Purpose
Display detailed configuration information about specified tunnels.
Action
To display the tunnels to a specified peer IP address within a virtual router:
host1#show l2tp tunnel virtual router default ip 172.31.1.98
L2TP tunnel 1/xyz is Up with 13 active sessions
L2TP tunnel 1/aol.com is Up with 13 active sessions
L2TP tunnel 1/isp.com is Up with 13 active sessions
L2TP tunnel 1/msn.com is Up with 13 active sessions
L2TP tunnel 1/mv.com is Up with 12 active sessions
5 L2TP tunnels found
To display detailed configuration information about a specified tunnel:
host1#show l2tp tunnel detail 1/xyz
L2TP tunnel 1/xyz is Up with 13 active sessions
Configuration
Administrative state is enabled
SNMP traps are enabled
Tunnel address
Transport ipUdp
Virtual router default
Local address 192.168.1.230, peer address 172.31.1.98
Local UDP port 1701, peer UDP port: 1701
Tunnel status
Effective administrative state is enabled
State is established
Local tunnel id is 14529, peer tunnel id is 34
Host profile is none
Tunnel is Up for: 12 days, 8 hours, 24 minutes, 23 seconds
Sub-interfaces  total     active    failed
Sessions        13        13        0
Statistics      packets   octets    discards  errors
Control rx      14        683       0         0
Control tx      41        4666      0         0
Data rx         67900944  67900944  0         0
Data tx         67900944  67900944  0         0
Control channel statistics
Receive window size = 4
Receive ZLB = 17
Receive out-of-sequence = 0
Receive out-of-window = 0
Transmit window size = 4
Transmit ZLB = 12
Transmit queue depth = 0
Retransmissions = 8
Tunnel operational configuration
Peer host name is 'Juniper-POS'
Peer vendor name is 'XYZ, Inc.'
Peer protocol version is 1.1
Peer firmware revision is 0x1120
Peer bearer capabilities are digital and analog
Peer framing capabilities are sync and async
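The detail output above carries the identity the peer presented at tunnel setup (host name, vendor, protocol version) together with the control-channel counters that reveal a sick tunnel before sessions start failing. The following Python script is an added example and not Juniper code: it parses a captured show l2tp tunnel detail output into a dictionary and derives a few health indicators. The thresholds are this example's own assumptions (retransmissions above 10 percent of control packets sent, any out-of-window or out-of-sequence control packet, a transmit queue that has filled the transmit window); the sample is the page's own capture, in which 8 retransmissions against 41 control packets sent is the one item flagged.

```python
"""Parse `show l2tp tunnel detail` output and derive control-channel health signals.

Added example, not Juniper code.  The thresholds in control_channel_health
are this example's own assumptions.
"""
import re

# Constructed sample: the page's own `show l2tp tunnel detail 1/xyz` capture.
SAMPLE_TUNNEL_DETAIL = """\
L2TP tunnel 1/xyz is Up with 13 active sessions
Configuration
 Administrative state is enabled
 SNMP traps are enabled
 Tunnel address
  Transport ipUdp
  Virtual router default
  Local address 192.168.1.230, peer address 172.31.1.98
  Local UDP port 1701, peer UDP port: 1701
Tunnel status
 Effective administrative state is enabled
 State is established
 Local tunnel id is 14529, peer tunnel id is 34
 Host profile is none
 Tunnel is Up for: 12 days, 8 hours, 24 minutes, 23 seconds
Sub-interfaces  total     active    failed
 Sessions       13        13        0
Statistics      packets   octets    discards  errors
 Control rx     14        683       0         0
 Control tx     41        4666      0         0
 Data rx        67900944  67900944  0         0
 Data tx        67900944  67900944  0         0
Control channel statistics
 Receive window size = 4
 Receive ZLB = 17
 Receive out-of-sequence = 0
 Receive out-of-window = 0
 Transmit window size = 4
 Transmit ZLB = 12
 Transmit queue depth = 0
 Retransmissions = 8
Tunnel operational configuration
 Peer host name is 'Juniper-POS'
 Peer vendor name is 'XYZ, Inc.'
 Peer protocol version is 1.1
 Peer firmware revision is 0x1120
 Peer bearer capabilities are digital and analog
 Peer framing capabilities are sync and async
"""

HEADER_RE = re.compile(r"^L2TP tunnel (?P<name>\S+) is (?P<status>\S+) with (?P<sessions>\d+) active")
ADDR_RE = re.compile(r"Local address (?P<local>\S+), peer address (?P<peer>\S+)")
PORT_RE = re.compile(r"Local UDP port (?P<local>\d+), peer UDP port:? (?P<peer>\d+)")
IDS_RE = re.compile(r"Local tunnel id is (?P<local>\d+), peer tunnel id is (?P<peer>\d+)")
UPTIME_RE = re.compile(r"Tunnel is Up for: (?P<uptime>.+)")
STAT_RE = re.compile(r"^\s*(?P<row>(?:Control|Data) (?:rx|tx))\s+(?P<packets>\d+)\s+"
                     r"(?P<octets>\d+)\s+(?P<discards>\d+)\s+(?P<errors>\d+)")
CC_RE = re.compile(r"^\s*(?P<key>[^=]+?) = (?P<val>\d+)\s*$")   # control channel counters
KV_RE = re.compile(r"^\s*(?P<key>.+?) (?:is|are) (?P<val>.+?)\s*$")  # remaining settings


def parse_tunnel_detail(text):
    """Return a dict with addresses, ids, per-row statistics, counters and peer identity."""
    t = {"stats": {}, "control": {}, "peer": {}, "settings": {}}
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            t.update(name=m["name"], status=m["status"], active_sessions=int(m["sessions"]))
        elif m := ADDR_RE.search(line):
            t["local_address"], t["peer_address"] = m["local"], m["peer"]
        elif m := PORT_RE.search(line):
            t["local_udp_port"], t["peer_udp_port"] = int(m["local"]), int(m["peer"])
        elif m := IDS_RE.search(line):
            t["local_tunnel_id"], t["peer_tunnel_id"] = int(m["local"]), int(m["peer"])
        elif m := UPTIME_RE.search(line):
            t["uptime"] = m["uptime"].strip()
        elif m := STAT_RE.match(line):
            t["stats"][m["row"]] = {k: int(m[k]) for k in ("packets", "octets", "discards", "errors")}
        elif m := CC_RE.match(line):
            t["control"][m["key"]] = int(m["val"])
        elif m := KV_RE.match(line):
            key, val = m["key"], m["val"].strip("'")
            (t["peer"] if key.startswith("Peer ") else t["settings"])[key] = val
    return t


def control_channel_health(t, max_retransmit_ratio=0.10):
    """Return (retransmit_ratio, findings); thresholds are this example's assumptions."""
    cc, findings = t["control"], []
    if t["settings"].get("State") != "established":
        findings.append("tunnel is not in the established state")
    tx_packets = t["stats"].get("Control tx", {}).get("packets", 0)
    ratio = cc.get("Retransmissions", 0) / tx_packets if tx_packets else 0.0
    if ratio > max_retransmit_ratio:
        findings.append(f"retransmissions are {ratio:.0%} of control packets sent "
                        f"(threshold {max_retransmit_ratio:.0%}); peer is slow to acknowledge")
    if cc.get("Receive out-of-window", 0):
        findings.append("control packets arrived outside the receive window")
    if cc.get("Receive out-of-sequence", 0):
        findings.append("control packets arrived out of sequence")
    if cc.get("Transmit queue depth", 0) >= cc.get("Transmit window size", 1):
        findings.append("transmit queue has filled the transmit window")
    return ratio, findings
```

The peer host name and vendor string are whatever the peer put in its SCCRQ or SCCRP, so treat them as claims rather than as identity; the tunnel authentication challenge (see the show l2tp output earlier in this chapter) is what ties the peer to the tunnel password.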
Meaning
Table 101 on page 429 lists the show l2tp tunnel command output fields.
Table 101: show l2tp tunnel Output Fields
Field Name
Field Description
Configuration
Configured status of the tunnel enabled.
Administrative state
Administrative status of the enabled tunnel:
•
enabled—No restrictions on creation and operation
of sessions for this tunnel
•
disabled—Router disabled existing sessions and
will not create new sessions on this tunnel
•
drain—Router will not create new sessions on this
tunnel
SNMP traps
Whether or not the router sends traps to SNMP for
operational state changes.
Tunnel address
Tunnel address information.
Transport
Method used to transfer traffic.
Copyright © 2012, Juniper Networks, Inc.
429
JunosE 13.3.x Broadband Access Configuration Guide
Table 101: show l2tp tunnel Output Fields (continued)
Virtual router
    Name of the virtual router on which the tunnel is configured.
Local and peer addresses
    IP addresses of the local and remote ends of the tunnel. If the router is set up to ignore address and port changes in SCCRP packets, both the transmit and receive addresses are listed for the peer.
Local and peer UDP ports
    UDP ports for the local and remote ends of the tunnel. If the router is set up to accept address and port changes in SCCRP packets, both the transmit and receive UDP ports are listed for the peer.
Tunnel status
    Tunnel status information.
Effective administrative state
    Most restrictive of the following administrative states: E Series router, destination, and tunnel. This setting, rather than the administrative state of the tunnel, determines whether the router can create new sessions on a tunnel or whether the sessions on a tunnel are disabled or not.
State
    Status of the enabled tunnel:
    • idle
    • connecting
    • established
    • disconnecting
Local and peer tunnel id
    Names the router used to identify the tunnel locally and remotely.
Host profile
    Name of the L2TP host profile, if it is configured. Otherwise, the label “none” is displayed to specify that a host profile is not enabled.
Tunnel is Up for
    Duration for which the tunnel is operationally up, which is denoted in terms of days, hours, minutes, and seconds.
Sub-interfaces
    Sub-interface information for the enabled tunnel:
    • total—Number of sessions that the router has created on this tunnel
    • active—Number of operational sessions on the tunnel
    • failed—Number of requests that did not reach an operational state
Statistics
    Information about the traffic sent and received.
Chapter 17: Monitoring L2TP and L2TP Dial-Out
Table 101: show l2tp tunnel Output Fields (continued)
Control channel statistics
    Tunnel control channel information.
Receive window size
    Number of packets that the peer can transmit without receiving an acknowledgment from the router.
Receive ZLB
    Number of acknowledgments that the router has received from the peer.
Receive out-of-sequence
    Number of received control packets that were out of order.
Receive out-of-window
    Number of packets that arrived at the router outside the receiving window.
Transmit window size
    Number of packets that the router can transmit before receiving an acknowledgment from the peer.
Transmit ZLB
    Number of acknowledgments that the router has sent to the peer.
Transmit queue depth
    Number of packets that the router is waiting to send to the peer, plus the number of packets for which the peer has not yet acknowledged receipt.
Tunnel operation configuration
    Information received from the peer when the tunnel was created.
Related Documentation
• show l2tp tunnel
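As an added example (not code or output from this guide or from JunosE), the following parser reads the Table 101 fields out of show l2tp tunnel output, recomputes the effective administrative state by the most-restrictive rule, and turns the control channel counters into findings an operator would want to act on. The sample output, the line shapes the regexes accept, and the retransmission threshold are constructed assumptions.

```python
import re

# "Effective administrative state" is the most restrictive of the router,
# destination and tunnel administrative states (Table 101), so rank them.
ADMIN_RANK = {"enabled": 0, "drain": 1, "disabled": 2}

# Constructed sample output: it borrows the field names of Table 101 and the
# "label = value" / "label is value" line shapes of the real command, but
# every value here is made up for the example.
SAMPLE_OUTPUT = """\
Tunnel status
Administrative state = enabled
Effective administrative state = drain
State = established
Tunnel is Up for 3 days, 4 hours, 7 minutes, 12 seconds
Sub-interfaces: total = 200, active = 150, failed = 3
Control channel statistics
Receive window size = 4
Receive ZLB = 40
Receive out-of-sequence = 2
Receive out-of-window = 7
Transmit window size = 4
Transmit ZLB = 12
Transmit queue depth = 6
Retransmissions = 8
Tunnel operational configuration
Peer host name is 'Juniper-POS'
Peer protocol version is 1.1
"""

UPTIME_RE = re.compile(r"^\s*Tunnel is Up for\s+(.+?)\s*$")
SUBIF_RE = re.compile(r"^\s*Sub-interfaces:\s*(.+?)\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*(?:=|\bis\b)\s*(.+?)\s*$")


def parse_show_l2tp_tunnel(text):
    """Map every 'label = value' / 'label is value' line to {label: value}.
    Integers become int, quotes are stripped, the Sub-interfaces line is
    split into its counters, and bare section headings are skipped."""
    fields = {}
    for line in text.splitlines():
        m = UPTIME_RE.match(line)
        if m:
            fields["Tunnel is Up for"] = m.group(1)
            continue
        m = SUBIF_RE.match(line)
        if m:
            for part in m.group(1).split(","):
                key, value = (s.strip() for s in part.split("="))
                fields["Sub-interfaces " + key] = int(value)
            continue
        m = FIELD_RE.match(line)
        if m:
            value = m.group(2).strip("'")
            fields[m.group(1).strip()] = int(value) if value.isdigit() else value
    return fields


def effective_admin_state(router_state, destination_state, tunnel_state):
    """Most restrictive of the three states, as Table 101 defines it."""
    states = (router_state, destination_state, tunnel_state)
    unknown = [s for s in states if s not in ADMIN_RANK]
    if unknown:
        raise ValueError("unknown administrative state(s): %s" % unknown)
    return max(states, key=ADMIN_RANK.__getitem__)


def tunnel_findings(fields, retransmit_threshold=5):
    """Counters worth a ticket. The threshold is an example choice."""
    findings = []
    oow = fields.get("Receive out-of-window", 0)
    if oow:
        findings.append("%d control packets outside the receive window: peer "
                        "window mismatch or stale/duplicated control traffic" % oow)
    oos = fields.get("Receive out-of-sequence", 0)
    if oos:
        findings.append("%d out-of-sequence control packets: reordering or "
                        "loss on the control path" % oos)
    rtx = fields.get("Retransmissions", 0)
    if rtx >= retransmit_threshold:
        findings.append("%d retransmissions (threshold %d): lossy path or "
                        "unresponsive peer" % (rtx, retransmit_threshold))
    depth = fields.get("Transmit queue depth", 0)
    window = fields.get("Transmit window size", 0)
    if window and depth > window:
        findings.append("transmit queue depth %d exceeds window size %d: peer "
                        "is not acknowledging promptly" % (depth, window))
    own = fields.get("Administrative state")
    eff = fields.get("Effective administrative state")
    if own and eff and own != eff:
        findings.append("effective state %r overrides tunnel state %r: a router- "
                        "or destination-level restriction applies" % (eff, own))
    failed = fields.get("Sub-interfaces failed", 0)
    if failed:
        findings.append("%d session requests never reached an operational state" % failed)
    return findings
```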
Monitoring Configured and Operational Status of All Tunnels
Purpose
Display a summary of the configured and operational status of all L2TP tunnels.
Action
To display a summary of the configured and operational status of all L2TP tunnels:
host1#show l2tp tunnel summary
Administrative status            Operational status
  enabled          5               up               5
  drain            0               down             0
  disabled         0               lower-down       0
                                   not-present      0
Meaning
Table 102 on page 432 lists the show l2tp tunnel summary command output fields.
Table 102: show l2tp tunnel summary Output Fields
Administrative status
    Administrative status of all tunnels:
    • enabled—No restrictions on the creation and operation of sessions for this tunnel
    • drain—Router will not create new sessions for this tunnel
    • disabled—Router disabled existing sessions and will not create new sessions for this tunnel
Operational status
    Operational status of all tunnels:
    • up—Tunnel is available
    • down—Tunnel is unavailable
    • lower-down—Tunnel is unavailable because the destination supporting it is inaccessible
    • not-present—Tunnel is unavailable because the hardware (such as a line module) supporting the tunnel is inaccessible
Related Documentation
• show l2tp tunnel summary
Monitoring Chassis-wide Configuration for L2TP Dial-out
Purpose
To display the chassis-wide configuration, operational state, and statistics for L2TP dial-out.
This command displays aspects of the dial-out state machine and details about the dial-out routes themselves. This section presents sample output. The actual output on your router may differ significantly.
Action
To display chassis-wide configuration, operational state, and statistics for L2TP dial-out:
host1#show l2tp dial-out
Operational status: inService
Connecting timer value: 30 seconds
Dormant timer value: 300 seconds
To display detailed chassis-wide configuration information:
host1#show l2tp dial-out detail
Dial-out Chassis Configuration and Operational Status
Chassis operational status : inService
Dormant timeout            : 30 seconds
Connecting timeout         : 30 seconds
Dial-out Chassis Statistics
Current sessions:                                   0
Maximum sessions:                                   0
Current sessions in the process of connecting:      0
Maximum sessions connecting at one time:            0
Current sessions pending:                           0
Maximum sessions pending:                           0
Current targets inhibited:                          0
Maximum targets inhibited:                          0
Authentication grant for nonexistent session:       0
Authentication deny for nonexistent session:        0
Dial-out Virtual router statistics
Virtual routers active:                             0
Virtual routers created:                            0
Virtual routers removed:                            0
Virtual routers in init-pending state:              0
Virtual routers in init-failed state:               0
Virtual routers in down state:                      0
Virtual routers in in-service state:                0
IP Discarded trigger frames:                        0
Trigger frames received for unknown route:          0
Sessions in dormant state:                          0
Sessions in pending state:                          0
Sessions in authenticating state:                   0
Sessions in connecting state:                       0
Sessions in in-service state:                       0
Sessions in inhibited state:                        0
Sessions in post-inhibited state:                   0
Sessions in failed state:                           0
Dial-out target statistics
Targets active:                                     0
Targets created:                                    0
Targets removed:                                    0
Targets in down state:                              0
Targets in inhibited state:                         0
Targets in in-service state:                        0
Triggers discarded:                                 0
Dial-out session statistics
Sessions active:                                    0
Sessions created:                                   0
Sessions removed:                                   0
Sessions reset:                                     0
Triggers received:                                  0
Triggers enqueued:                                  0
Triggers discarded:                                 0
Triggers forwarded:                                 0
Triggers max enqueued:                              0
Authentication requests:                            0
No resources for authentication:                    0
Authentication grants:                              0
Authentication Denies:                              0
Dial-outs requested:                                0
Dial-outs rejected:                                 0
Dial-outs established:                              0
Dial-outs timed out:                                0
Dial-outs torn down:                                0
To display summary information for chassis-wide configuration:
host1#show l2tp dial-out summary
Virtual routers in init pending state   : 0
Virtual routers in init failed state    : 0
Virtual routers in down state           : 0
Virtual routers in inService state      : 0
Targets in down state                   : 0
Targets in inhibited state              : 0
Targets in inService state              : 0
Sessions in dormant state               : 0
Sessions in pending state               : 0
Sessions in authenticating state        : 0
Sessions in connecting state            : 0
Sessions in inService state             : 0
Sessions in inhibited state             : 0
Sessions in postInhibited state         : 0
Sessions in failed state                : 0
To display information about the operational or administrative state:
host1#show l2tp dial-out state inService
Meaning
Table 103 on page 434 lists the show l2tp dial-out command output fields.
Table 103: show l2tp dial-out Output Fields
Operational status
    Current operational status of the chassis
Connecting timer value
    Configuration of the connecting timeout
Dormant timer value
    Configuration of the dormant timeout
Dial-out Chassis Statistics
    Statistics at the chassis level
Current sessions
    Total number of sessions currently active on the chassis
Maximum sessions
    Highest value of current sessions recorded on the chassis since the last router restart
Current sessions in the process of connecting
    Sessions currently in the connecting state
Maximum sessions connecting at one time
    Highest number of sessions recorded on the chassis at the same time since the last router restart
Current sessions pending
    Sessions in the pending state
Maximum sessions pending
    Highest number of sessions recorded in the pending state since the last router restart
Current targets inhibited
    Targets currently in the inhibited state
Maximum targets inhibited
    Highest value of targets recorded in the inhibited state since the last router restart
Authentication grant for nonexistent session
    Number of authentication requests granted to nonexistent sessions
Authentication deny for nonexistent session
    Number of authentication requests denied to nonexistent sessions
Dial-out Virtual router statistics
    Statistics at the virtual router level
Virtual routers active
    VRs in use by the state machine
Virtual routers created
    VRs that have been used by the state machine
Virtual routers removed
    VRs no longer used by the state machine
Virtual routers in init-pending state
    VRs in the initializationPending state
Virtual routers in init-failed state
    VRs in the initializationFailed state
Virtual routers in down state
    VRs in the down state
Virtual routers in in-service state
    VRs in the inService state
IP Discarded trigger frames
    Trigger frames that IP discarded
Trigger frames received for unknown route
    Trigger frames received for an unknown route
Sessions in dormant state
    Sessions on the VR that are in the dormant state
Sessions in pending state
    Sessions on the VR that are in the pending state
Sessions in authenticating state
    Sessions on the VR that are in the authenticating state
Sessions in connecting state
    Sessions on the VR that are in the connecting state
Sessions in in-service state
    Sessions on the VR that are in the inService state
Sessions in inhibited state
    Sessions on the VR that are in the inhibited state
Sessions in post-inhibited state
    Sessions on the VR that are in the postInhibited state
Sessions in failed state
    Sessions on the VR that are in the failed state
Dial-out target statistics
    Statistics at the route target level
Targets active
    Current active targets
Targets created
    All targets created
Targets removed
    Targets deleted
Targets in down state
    Targets in the down state
Targets in inhibited state
    Targets in the inhibited state
Targets in in-service state
    Targets in the inService state
Triggers discarded
    Trigger packets discarded
Dial-out session statistics
    Statistics at the session level
Sessions active
    Currently active sessions
Sessions created
    All sessions created
Sessions removed
    Sessions deleted
Sessions reset
    Sessions reset using the l2tp dial-out session reset command
Triggers received
    Triggers received for dial-out sessions
Triggers enqueued
    Triggers that have been put into the queue
Triggers discarded
    Trigger packets discarded
Triggers forwarded
    Trigger packets forwarded
Triggers max enqueued
    Maximum number of triggers that have been enqueued simultaneously since the last router reset
Authentication requests
    Authentication requests received
No resources for authentication
    Authentication requests not processed because of insufficient resources
Authentication grants
    Authentication requests granted
Authentication Denies
    Authentication requests denied
Dial-outs requested
    Outgoing calls requested for sessions
Dial-outs rejected
    Outgoing call requests that were rejected
Dial-outs established
    Successful outgoing calls before the connecting timer expired
Dial-outs timed out
    Number of times the connecting timer expired
Dial-outs torn down
    Successful outgoing calls that were terminated
Related Documentation
• L2TP Dial-Out Operational States on page 395
• show l2tp dial-out
• show l2tp dial-out virtual-router
Monitoring Status of Dial-out Sessions
Purpose
Display the status of dial-out sessions.
This command displays aspects of the dial-out state machine and details about the dial-out routes themselves. This section presents sample output. The actual output on your router may differ significantly.
Action
To display all sessions within the current virtual router context:
host1#show l2tp dial-out session
Session          Status
------------------------
10.10.1.1        connected
10.10.2.1        dormant
To display detailed information about a particular session, specify the trigger IP address for the session:
host1#show l2tp dial-out session 10.1.1.1
Session 10.1.1.1
Operational status: dormant
To display aggregate counts for dial-out sessions in each of the possible operational and administrative states:
host1#show l2tp dial-out session summary
To display detailed configuration, state, and statistics:
host1#show l2tp dial-out session detail
To display information about the operational or administrative state:
host1#show l2tp dial-out session state connecting
To display dial-out information across all virtual routers:
host1#show l2tp dial-out session allVirtualRouters
NOTE: The level of a user’s permission determines the use of the allVirtualRouters option. For example, if you have permission to view only the current virtual router, then that is all that is displayed when you enter a command.
Meaning
Table 104 on page 438 lists the show l2tp dial-out session command output fields.
Table 104: show l2tp dial-out session Output Fields
Session
    IP address of the session
Status
    Current status of the session
Operational status
    Current operational status of the session
Related Documentation
• L2TP Dial-Out Operational States on page 395
• show l2tp dial-out session
Monitoring Dial-out Targets within the Current VR Context
Purpose
Display configured dial-out targets within the current virtual router context.
This command displays aspects of the dial-out state machine and details about the dial-out routes themselves. This section presents sample output. The actual output on your router may differ significantly.
Action
To display general information for all targets within the virtual router:
host1:dialout#show l2tp dial-out target
Target            Status    Active Sessions
-------------------------------------------
10.10.1.1/16      up        14
10.1.1.0/24       up        10
To display detailed information about a particular target, specify the target IP address and mask:
host1:dialout#show l2tp dial-out target 10.1.1.0/24
Target 10.1.1.0/24
Operational status: up
Active sessions: 10
Total triggers: 127
Failed sessions: 2
Connected sessions: 8
To display aggregate counts for targets in each of the possible operational and administrative states:
host1:dialout#show l2tp dial-out target summary
To display detailed configuration, state, and statistics:
host1:dialout#show l2tp dial-out target detail
To display information about the operational or administrative state:
host1:dialout#show l2tp dial-out target state inService
To display dial-out information across all virtual routers:
host1:dialout#show l2tp dial-out target allVirtualRouters
NOTE: The level of a user’s permission determines the use of the allVirtualRouters option. For example, if you have permission to view only the current virtual router, then that is all that is displayed when you enter a command.
Meaning
Table 105 on page 439 lists the show l2tp dial-out target command output fields.
Table 105: show l2tp dial-out target Output Fields
Target
    Address of the target
Status
    Status of the connection to the target
Active Sessions
    Currently active sessions to the target
Total triggers
    Trigger packets received for the target
Failed sessions
    Sessions that are currently in the failed state
Connected sessions
    Sessions that are currently in the connected state
Related Documentation
• L2TP Dial-Out Operational States on page 395
• show l2tp dial-out target
Monitoring Operational Status within the Current VR Context
Purpose
Display dial-out state machine operational status and statistics within the current VR context.
This command displays aspects of the dial-out state machine and details about the dial-out routes themselves. This section presents sample output. The actual output on your router may differ significantly.
Action
To display dial-out state machine operational status and statistics within the current VR context:
host1#show l2tp dial-out virtual-router
Dial-out Virtual Router Configuration and Operational Status
Virtual router host1:
Virtual router operational status: inService
Maximum trigger buffers per session: 0
To display aggregate counts for dial-out state machines in each of the possible operational and administrative states:
host1:dialout#show l2tp dial-out virtual-router summary
To display detailed configuration, state, and statistics:
host1:dialout#show l2tp dial-out virtual-router detail
To display information about the operational or administrative state:
host1:dialout#show l2tp dial-out virtual-router state down
To display dial-out information across all virtual routers:
host1:dialout#show l2tp dial-out virtual-router allVirtualRouters
NOTE: The level of a user’s permission determines the use of the allVirtualRouters option. For example, if you have permission to view only the current virtual router, then that is all that is displayed when you enter a command.
Meaning
Table 106 on page 440 lists the show l2tp dial-out virtual-router command output fields.
Table 106: show l2tp dial-out virtual-router Output Fields
Virtual router
    Name of the VR
Virtual router operational status
    Operational status of the VR
Maximum trigger buffers per session
    Maximum number of trigger packets held in buffer while the dial-out session is being established
Related Documentation
• L2TP Dial-Out Operational States on page 395
• show l2tp dial-out virtual-router
PART 4
Managing DHCP
• DHCP Overview on page 443
• DHCP Local Server Overview on page 453
• Configuring DHCP Local Server on page 467
• Configuring DHCP Relay on page 491
• Configuring the DHCP External Server Application on page 523
• Monitoring and Troubleshooting DHCP on page 537
CHAPTER 18
DHCP Overview
The Dynamic Host Configuration Protocol (DHCP) provides a mechanism through which
computers using Transmission Control Protocol/IP (TCP/IP) can obtain protocol
configuration parameters automatically from a DHCP server on the network.
The following sections provide overview information for the E Series router DHCP support:
• DHCP Overview Information on page 443
• DHCP Platform Considerations on page 444
• DHCP References on page 445
• Configuring the DHCP Access Model on page 446
• Configuring DHCP Proxy Clients on page 446
• Logging DHCP Packet Information on page 447
• Viewing and Deleting DHCP Client Bindings on page 448
• DHCP Client Bindings and Duplicate MAC Addresses for Subinterfaces Overview on page 450
DHCP Overview Information
The most important configuration parameter carried by DHCP is the IP address. A
computer must be initially assigned a specific IP address that is appropriate to the network
to which the computer is attached and that is not assigned to any other computer on
that network. If you move a computer to a new network, it must be assigned a new IP
address for that new network. You can use DHCP to manage these assignments
automatically.
An IP client contacts a DHCP server for configuration parameters. The DHCP server is
typically centrally located and operated by the network administrator. Because the server
is run by a network administrator, DHCP clients can be reliably and dynamically configured
with parameters appropriate to the current network architecture.
You can configure the E Series router to support the following DHCP features:
• DHCP access model
• DHCP proxy client
• DHCP relay
• DHCP relay proxy
• DHCP local server
• DHCP external server
Session and Resource Control Software
The Session and Resource Control (SRC) software, formerly the Service Deployment
System (SDX) software, is a component of Juniper Networks management products.
The SRC software provides a Web-based interface that allows subscribers to access
services, such as the Internet, an intranet, or an extranet.
When a DHCP subscriber logs in, the SRC software can authorize the address request
and select the DHCP address pool on the router from which the DHCP address is selected.
The SRC software can also control the number of IP addresses that are given to a
particular retailer or subscriber and control the lease time of IP addresses assigned to
DHCP subscribers.
The router retrieves the DSL line rate parameters from Access Node Control Protocol
(ANCP) and reports this information to the SRC software with the corresponding COPS
messages. If the router cannot retrieve the DSL line rate parameters from ANCP, it retrieves
the DSL information in the following ways:
• From AAA layer—For PPP interfaces, the router retrieves the DSL line rate parameters from the AAA layer and reports this information to the SRC software.
• From DHCP options—For DHCP external server and DHCP local server in equal-access mode, the router retrieves the DSL line rate parameters from DHCP options and reports this information to the SRC software. To enable the DHCP external server to receive the DHCP options if the router blocks the DHCP options on the DHCP application, you must use the set dhcp relay preserve-trusted-client-option command.
NOTE: The SRC client configured on the E Series router does not send Delete
Request (DRQ) messages for interfaces that are bounced during the address
mode and are in the administratively up state. Bouncing of an interface refers
to shutting down and restarting the interface, releasing the IP address
allocated to the clients connected on that interface, and obtaining a fresh IP
address for the clients using a rediscovery process. For such interfaces,
interface DRQ messages are not sent to the COPS server (or PDP) after DRQ
messages for the address configured on the interface are sent from the SRC
client.
Related Documentation
• set dhcp relay preserve-trusted-client-option
DHCP Platform Considerations
For information about modules that support DHCP on the ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router:
• See ERX Module Guide, Table 1, ERX Module Combinations for detailed module specifications.
• See ERX Module Guide, Appendix A, Module Protocol Support for information about the modules that support DHCP.
For information about modules that support DHCP on the E120 and E320 Broadband Services Routers:
• See E120 and E320 Module Guide, Table 1, Module and IOAs for detailed module specifications.
• See E120 and E320 Module Guide, Appendix A, IOA Protocol Support for information about the modules that support DHCP.
Related Documentation
• DHCP Overview Information on page 443
• DHCP References on page 445
DHCP References
For more information about DHCP, consult the following resources:
• DSL Forum Technical Report (TR)-101—Migration to Ethernet-Based DSL Aggregation (April 2006)
• RFC 2131—Dynamic Host Configuration Protocol (March 1997)
• RFC 2132—DHCP Options and BOOTP Vendor Extensions (March 1997)
• RFC 3046—DHCP Relay Agent Information Option (January 2001)
• RFC 3315—Dynamic Host Configuration Protocol for IPv6 (DHCPv6) (July 2003)
• RFC 3633—IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) Version 6 (December 2003)
• RFC 4243—Vendor-Specific Information Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Option (December 2005)
NOTE: IETF drafts are valid for only 6 months from the date of issuance. They must be considered as works in progress. Please refer to the IETF Web site at http://www.ietf.org for the latest drafts.
Related Documentation
• DHCP Overview Information on page 443
• DHCP Platform Considerations on page 444
• RADIUS IETF Attributes Supported for Subscriber AAA Accounting Messages on page 183
• RADIUS IETF Attributes Supported for AAA Tunnel Accounting Messages on page 190
• RADIUS IETF Attributes on page 231
Configuring the DHCP Access Model
The E Series router provides a DHCP access model, which enables you to integrate the
router into an existing RADIUS-based operation support system (OSS). In the DHCP
access model, a DHCP local server or DHCP external service is configured, but the E Series
router does not have direct interaction with an OSS or a policy server, such as the SRC
software. The router passes the client’s DHCP options, client’s media access control
(MAC) address and, if appropriate, the DHCP relay’s IP address in RADIUS requests for
authentication.
To configure the DHCP access model to pass the client’s information in RADIUS requests,
you enable the DHCP options feature, then specify the client information to be passed
to RADIUS. You can specify that the client’s MAC address be included in the request. You
can also specify that the DHCP relay’s IP address be sent, if appropriate. For descriptions
of the RADIUS attributes used with the DHCP access model, see “Juniper Networks VSAs
Supported for Subscriber AAA Access Messages” on page 176 and “Juniper Networks
VSAs Supported for Subscriber AAA Accounting Messages” on page 186.
Configuring DHCP Proxy Clients
DHCP proxy client support enables the router to obtain an IP address from a DHCP server
for a remote PPP client. Each virtual router (acting as a DHCP proxy client) can query up
to five DHCP servers.
For PPP users, the router acts as a DHCP client to obtain an address for the user. This is
referred to as DHCP proxy.
The process for PPP users is as follows:
1. The remote user dials in, and the client requests RADIUS authentication.
2. The AAA server on the router sends a request to the DHCP proxy client on the router for an IP address to be assigned to the remote user’s host.
3. The proxy client assumes the role of DHCP client and sends a discovery message to each DHCP server.
4. One or more of the DHCP servers responds with an offer message containing an IP address.
5. The proxy client determines which offer to accept and sends a message to that DHCP server requesting that IP address.
6. The DHCP server responds to the proxy client with an acknowledgment message.
7. The proxy client passes the IP address to the authentication, authorization, and accounting (AAA) server on the router, and the AAA server returns the address to PPP. PPP then assigns the address to the remote host. The new IP address is included when the router next updates its routing table.
Dynamic IP addresses are leased to the remote host for a specific period of time, which can range from minutes to days. At the halfway point in the lease period, the proxy client requests an extension from the DHCP server on behalf of the remote host. The lease is extended for a period specified in the acknowledgment (ACK) message returned by the DHCP server—typically equal to the original lease. If the DHCP server returns a negative acknowledgment (NAK) message to the proxy client, the proxy client notifies the server on the router that the extension has been denied. The AAA server logs out the remote host and frees the IP address for reuse.
When a remote host disconnects, the AAA server notifies the proxy client that the IP address is available for reuse. The proxy client informs the DHCP server, which can now reassign that IP address.
NOTE: The maximum number of DHCP proxy client bindings that are stored
on the router chassis is 48,000.
For additional information on managing client bindings, see “Viewing and Deleting DHCP
Client Bindings” on page 448.
To configure a proxy client from Global Configuration mode:
1. Specify the address of the DHCP server that will provide IP addresses for remote hosts. You can specify a maximum of five DHCP servers.
host1(config)#ip dhcp-server 10.6.128.10
2. Direct the router to request IP addresses for remote users from the DHCP server(s).
host1(config)#ip address-pool dhcp
Related Documentation
• ip address-pool
• ip dhcp-server
Logging DHCP Packet Information
The JunosE Software enables you to collect and log DHCP packet information for all
JunosE DHCP access models on a per-interface basis. To log packets for a specific DHCP
application, you enable DHCP packet logging on the interface that serves the application.
JunosE Software supports per-interface DHCP packet logging on a maximum of 16
interfaces. Per-interface DHCP packet logging is disabled by default.
You can specify which packets are logged—receive, transmit, or all. You can optionally
assign low or high priority to the logged packets. Packets are assigned a low priority by
default, which does not interfere with router DHCP packet processing. The logged packets
are output to the dhcpCapture event logging category.
You can configure per-interface DHCP packet logging on statically configured and
dynamically created IP interfaces. However, configuration information for dynamic
interface configurations is lost after a cold restart. Both static and dynamic interface
configuration information is maintained after a warm restart.
You use the ip dhcp-capture command with the following keywords to enable DHCP packet logging for all DHCP applications on the interface.
• Use the receive, transmit, and all keywords to specify the type of DHCP packets that are logged.
• Use the optional priority keyword to assign a low or high priority to logged packets. By default, logged packets have a low priority and do not interfere with the router’s DHCP packet processing.
You can specify DHCP packet logging on a maximum of 16 interfaces.
To enable DHCP packet logging:
host1(config-if)#ip dhcp-capture all
Related Documentation
• ip dhcp-capture
Viewing and Deleting DHCP Client Bindings
The JunosE Software provides commands that enable you to manage your router’s DHCP
external server, DHCP local server, and DHCP relay proxy client bindings. A client binding
associates an IP address with a DHCP client, and describes both the client (for example,
hardware address and state) and the IP address (for example, subnet and lease time).
The following commands enable you to view information about current DHCP client bindings:
• To display information and track lease times and status for specified DHCP client bindings, with results arranged in ascending order by binding ID, use the show dhcp binding command.
• To display information and track lease times and status for specified DHCP client bindings, with results arranged in ascending order by IP address, use the show dhcp host command. This command displays information only for DHCP client bindings with assigned IP addresses.
• To display count information for DHCP client bindings and interfaces, use the show dhcp count command.
To delete a connected user's IP address lease and the associated route configuration when the DHCP client binding is no longer needed, use the dhcp delete-binding command. When you delete a DHCP client binding, the lease is removed on the router. You might delete client bindings to:
• Recover functional resources from a user who has not explicitly terminated connectivity and whose lease is unexpired.
• Discontinue connectivity to a user, prompting or forcing the user to request a new lease in order to reestablish network connectivity.
The router does not notify the DHCP client or the DHCP server when you issue the dhcp delete-binding command.
NOTE: The dhcp delete-binding command replaces the clear ip dhcp-local binding and dhcp-external delete-binding commands, which are deprecated and might be removed in a future release.
Use the following keywords and variables with the dhcp delete-binding command to
specify (filter) the client bindings you want to delete:
• all—All DHCP local server, DHCP external server, and DHCP relay proxy client bindings
• all-local—All DHCP local server client bindings
• all-external—All DHCP external server client bindings
• all-relay-proxy—All DHCP relay proxy client bindings
• binding-id—DHCP binding ID for a specific client
• circuit-id—Agent-circuit-id suboption (suboption 1) string of the DHCP relay agent
information option (option 82); the circuit ID string supports matching of both regular
expression metacharacters and nonprintable ASCII characters in binary sequences
• external—DHCP external server bindings that meet the deletion criteria
• interface—Interface string associated with DHCP client bindings; the interface string
supports matching of regular expression metacharacters, and must be specified as a
regular expression without spaces
• ip-prefix—IP prefix (address and subnetwork mask) of the DHCP client
• local—DHCP local server bindings that meet the deletion criteria
• no-interface—DHCP clients without a lower-layer interface; use this keyword to delete
DHCP client bindings configured over dynamic interfaces for which the lower-layer
interface has been shut down
• relay-proxy—DHCP relay proxy bindings that meet the deletion criteria
• remote-id—Agent-remote-id suboption (suboption 2) string of the DHCP relay agent
information option (option 82); the remote ID string supports matching of both regular
expression metacharacters and nonprintable ASCII characters in binary sequences
• subnetAddress—IP address of the subnet on which the DHCP client resides
Filtering the deletion of DHCP client bindings by the circuit ID string or remote ID string
is not supported for the DHCP external server application. DHCP external server does
not store information about the agent-circuit-id suboption or agent-remote-id suboption
of option 82.
You can remove all DHCP client bindings, all DHCP client bindings of a particular type,
or a specified DHCP client binding that meets the deletion criteria you specify.
• To delete all DHCP client bindings on virtual router vr1:
host1:vr1#dhcp delete-binding all
• To delete DHCP local server client bindings with the specified subnet address:
host1:vr2#dhcp delete-binding local 0.0.0.0
When you delete DHCP client bindings of a particular type on a specified subnet, you
must specify the local, external, or relay-proxy type keyword to prevent accidental
deletion of all DHCP client bindings.
• To delete a specific DHCP client binding:
host1:vr1#dhcp delete-binding 3972819365
• To delete DHCP client bindings with the specified IP prefix:
host1:vr1#dhcp delete-binding ip-prefix 10.1.0.0/28
• To delete DHCP client bindings without a lower-layer interface:
host1:vr1#dhcp delete-binding no-interface
• To delete DHCP client bindings with the specified interface string:
host1:vr2#dhcp delete-binding interface ip71.*4
This dhcp delete-binding command uses the * (asterisk) regular expression
metacharacter in the interface string to delete DHCP client bindings on virtual router
vr2 with an IP address beginning with 71 and ending with 4.
• To delete DHCP client bindings that match the specified circuit ID string:
host1:vr3#dhcp delete-binding circuit-id \\xe3
To specify nonprintable byte codes in the circuit ID string or remote ID string, you can
use the string \\xab, where ab is a hex code of the byte. This dhcp delete-binding
command uses the string \\xe3 to represent byte E3 in the circuit ID string. This
command deletes DHCP client bindings on virtual router vr3 with the specified circuit
ID string.
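The filter semantics described above, as an added Python model that is not JunosE code or output from this guide: it decodes the \\xab byte escape used in circuit-id strings, applies regular expressions to interface and circuit ID strings, honors the no-interface keyword, and enforces the rule that a subnet deletion must name a type. The Binding record, the sample bindings and their values are constructed, and anchored (full-string) regex matching is an assumption.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Binding:
    """Constructed binding record; fields follow the guide's description."""
    binding_id: int
    kind: str                    # "local", "external" or "relay-proxy"
    ip: str
    subnet: str                  # subnet the client resides on
    interface: Optional[str]     # None: lower-layer interface shut down
    circuit_id: Optional[bytes]  # option 82 suboption 1 (external keeps none)

def id_filter_to_regex(pattern: str):
    """Turn a circuit-id (or remote-id) filter into a byte regex: the escape
    '\\\\xab' stands for byte 0xAB; every other character passes through, so
    regex metacharacters keep their meaning."""
    parts, i = [], 0
    while i < len(pattern):
        m = re.match(r"\\\\x([0-9a-fA-F]{2})", pattern[i:])
        if m:
            parts.append(re.escape(bytes([int(m.group(1), 16)])))
            i += m.end()
        else:
            parts.append(pattern[i].encode("latin-1"))
            i += 1
    return re.compile(b"".join(parts))

def select_for_deletion(bindings: List[Binding], spec: dict) -> List[Binding]:
    """Bindings a 'dhcp delete-binding' filter (spec dict) would remove.
    A model of the guide's keywords; anchored regex matching is an assumption."""
    kind = spec.get("type")
    if "subnet" in spec and kind is None:
        # Guide: a subnet deletion must name a type, so it cannot wipe all bindings.
        raise ValueError("subnet deletion requires local, external or relay-proxy")
    if kind == "external" and "circuit_id" in spec:
        # Guide: the external server stores no option 82 data, so this is unsupported.
        raise ValueError("circuit-id filtering is not supported for external bindings")
    cid = id_filter_to_regex(spec["circuit_id"]) if "circuit_id" in spec else None
    hits = []
    for b in bindings:
        if ((kind is None or b.kind == kind)
                and ("binding_id" not in spec or b.binding_id == spec["binding_id"])
                and ("subnet" not in spec or b.subnet == spec["subnet"])
                and ("ip_prefix" not in spec or ip_address(b.ip) in ip_network(spec["ip_prefix"]))
                and (not spec.get("no_interface") or b.interface is None)
                and ("interface" not in spec or (b.interface is not None
                     and re.fullmatch(spec["interface"], b.interface)))
                and (cid is None or (b.circuit_id is not None
                     and cid.fullmatch(b.circuit_id)))):
            hits.append(b)
    return hits

# Constructed sample bindings on one virtual router (hypothetical values).
SAMPLE = [
    Binding(3972819365, "local", "10.1.0.5", "10.1.0.0", "ip71/1.14", b"eth 0/1:200"),
    Binding(2, "external", "10.1.0.9", "10.1.0.0", "ip3/0.1", None),
    Binding(3, "relay-proxy", "10.2.0.7", "10.2.0.0", None, b"\xe3"),
    Binding(4, "local", "10.1.0.12", "10.1.0.0", "ip71/0.4", b"\xe3\x01"),
]

def deleted_ids(spec: dict) -> List[int]:
    return [b.binding_id for b in select_for_deletion(SAMPLE, spec)]
```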
Related Documentation
• dhcp delete-binding
• show dhcp binding
• show dhcp count
• show dhcp host
DHCP Client Bindings and Duplicate MAC Addresses for Subinterfaces Overview
In certain network scenarios, active VLAN subinterfaces of subscribers might be transferred
from one virtual router to another, and later retransitioned to the original virtual router
for correct computation of subscription and billing costs for customers being serviced
by an enterprise provider. Also, addition and removal of active VLAN subinterfaces might
be performed during troubleshooting with the customer premises equipment (CPE)
devices. Such changes in the configuration of active VLAN subinterfaces cause
differences between the subscriber entries displayed in the output of the show dhcp bindings
command (and other commands used to monitor DHCP bindings) and those displayed by the
show subscribers command.
When the DHCP client is bound to an IP address, deletion of the active VLAN subinterface
causes the subscriber entry to be removed from the AAA database and the access-internal
route for that client to be deleted. In such a scenario, if the client binding was still retained
in the DHCP database, the entries for that subscriber for which the binding is removed
from the AAA database are not displayed in the output of the show subscribers (under
the User Name field) and show ip route access-internal (under the Prefix/Length field)
commands.
When the VLAN subinterface associated with a DHCP client, which was previously deleted
when the client binding was removed, is reconfigured, the entries for that subscriber are
not displayed in the output of the following show commands until the DHCP client sends
a discover or renew request to the DHCP server for an IP address to be allocated to it:
• show ip dhcp-local binding interface (under the Address field)
• show ip route access-internal (under the Prefix/Length field)
• show subscribers (under the User Name field)
When some DHCP packets flow between the subscriber and the router, the following
events take place:
• During the process of allocating IP addresses to the DHCP client, which involves the
discovery, offer, request, and acknowledgment messages between the server and the
client, the client binding already exists in the database and the DHCP server does not
contact AAA for authentication. At this point, the subscriber entry is not present in the
AAA database. The access-internal route is created for the client and the subscriber
connection becomes active. The client does not receive Acct-Request packets because
the entry for this subscriber is not available in the AAA database.
• When the client sends a renew request to renew its address, the request does not reach
the interface on the DHCP server. The DHCP server sends a NAK message to the client,
forcing the client to begin the DHCP connection process again.
• When the client sends a rebind request for the IP address to be bound again to it, the
existing binding for this client is deleted and re-created during the next discovery
process. All the databases are synchronized and the entry for the client is correctly
displayed in the output of the show subscribers and show dhcp bindings commands.
In this scenario, the subscriber session might be established and active without accounting
records for Acct-Stop and Interim-Acct messages sent to the RADIUS server during the
process of allocating addresses to DHCP clients in JunosE releases numbered lower than
9.3.x.
Beginning with JunosE Release 9.3.x, support for configuring DHCP external server to
uniquely identify clients with duplicate MAC addresses is available. This functionality
causes a new IP address to be assigned to a client during the process of DHCP address
allocation by the DHCP server using the discovery, offer, request, and acknowledgment
sequence. The previously configured binding for the same client is deleted from the
database before the lease period expires for that address, immediately after the VLAN
subinterface for that client is deleted. Because the DHCP bindings are stored in a server
management table that includes the VLAN subinterface user ID (UID), when the server
queries the management table to check whether a binding for a client already exists, no
match is found and a fresh client binding is created when the VLAN subinterface is
reconfigured.
To prevent the problem of incorrect and inconsistent parameters being displayed in the
show commands used to monitor subscriber information and DHCP binding attributes,
the client binding is removed from the DHCP database after the VLAN subinterface
associated with that subscriber is deleted. Retaining the client binding is not effective
after the primary interface is deleted because when the client logs in again, it is assigned
a different user ID unless a rollover of the user ID occurs. This rollover causes the user ID
assigned to the client prior to the logout to be reassigned to it upon logging in again and
a fresh IP address is bound to the client. When a stateful SRP switchover operation is
performed before the transaction is posted to the standby SRP module, the client binding
remains in the database because it is added again when the configuration data is restored
from the mirrored containers. The client binding stays in the database until its lease
expires.
CHAPTER 19
DHCP Local Server Overview
This chapter provides an overview of the DHCP local server on the E Series router. This
chapter contains the following sections:
• Embedded DHCP Local Server Overview on page 453
• Equal-Access Mode Overview on page 454
• Standalone Mode Overview on page 456
• DHCP Local Server Prerequisites on page 458
• DHCP Local Server Configuration Tasks on page 459
• DHCP Unique ID for Clients and Servers Overview on page 460
• Authentication and Accounting of IPv6 Subscribers Using the DHCPv6 Local Server
Overview on page 461
• Interoperation of Authentication of IPv6 Clients and Display of Active Subscriber
Information on page 463
• Limiting the Maximum Number of IPv6 Prefixes Delegated Per Interface by the DHCPv6
Local Server Overview on page 464
Embedded DHCP Local Server Overview
The router offers an embedded DHCP server, known as the DHCP local server. The DHCP
local server has two modes: equal-access and standalone.
NOTE: E Series routers also support an embedded DHCP version 6 (DHCPv6)
local server. The DHCPv6 local server provides a subset of the features of
the DHCP local server. For information about configuring the DHCPv6 local
server, see “Configuring the DHCPv6 Local Server” on page 483.
• In equal-access mode, the DHCP local server works with the Juniper Networks SRC
software to provide an advanced subscriber configuration and management service.
• In standalone mode, the DHCP local server provides a basic DHCP service, and also
allows you to configure AAA authentication for incoming DHCP clients. Also, after
successful authentication, the DHCP local server uses the information in the client’s
AAA subscriber record together with the client’s DHCP parameters to select the IP
address pool used for address assignment.
DHCP local server also supports RADIUS accounting, including interim accounting, in
standalone mode. This feature allows you to use RADIUS start and stop attributes to
track user events such as the lifetime of an IP address.
DHCP Local Server and Client Configuration
You can use DHCP to configure the router to allow remote access to non-PPP clients.
DHCP-based access is also an alternative to PPP in environments such as Public Wireless
LANs (PWLANs). In PWLANs, a user scans for available broadband networks, then is
redirected to a web-based authentication mechanism to request service.
DHCP provides address assignment information for users. Authentication, authorization,
and accounting are separate processes, and are up to the Internet service provider (ISP)
to define.
The DHCP local server can configure a client with the following DHCP options:
• Default router
• DNS server
• Domain name
• Lease time
• Grace period for address lease
• NetBIOS name server
• NetBIOS node type
• Subnet mask
Related Documentation
• Equal-Access Mode Overview on page 454
• Standalone Mode Overview on page 456
• DHCP Local Server Prerequisites on page 458
• DHCP Local Server Configuration Tasks on page 459
• Viewing and Deleting DHCP Client Bindings on page 448
Equal-Access Mode Overview
In equal-access mode, the router enables access to non-PPP users. Non-PPP equal
access requires the use of the router’s DHCP local server and SRC software, which
communicates with a RADIUS server.
The DHCP local server performs the following functions in equal-access mode:
• Communicates with SRC software.
• Assigns an IP address that enables the subscriber to access services.
Local Pool Selection and Address Allocation
The DHCP local server selects a DHCP pool from which to allocate an address using a
number of parameters in a certain predefined sequence. The router compares the
parameters with the local DHCP pools in the order presented in Table 107 on page 455.
When the router finds a match, it selects a pool based on the match and does not examine
other parameters.
Table 107: Local Pool Selection in Equal-Access Mode
Field: How the DHCP Local Server Uses the Field
Framed IP address: The client’s entry can be configured with a framed IP address, which the DHCP local server can get from
the SRC software (formerly the SDX software).
If the router selects a pool using a framed IP address, the DHCP local server attempts to allocate the
framed IP address from the pool. If the framed IP address is not available, then the server allocates the
next available address in the pool to the client.
Pool name: Each DHCP local pool has a pool name. The client’s entry can also be configured with a pool name, which
the DHCP local server can get from the SRC software. The SRC software must be configured to send
RADIUS attributes to DHCP.
Domain name: You can use a domain name as the name of a DHCP local pool. If the client logs onto the SRC software
and RADIUS authenticates the client using a domain name, the DHCP local server receives the domain
name from the SRC software.
If the client’s domain name does not match the name of the DHCP local pool, the router attempts to match
the client’s domain name to the domain name field within the pool.
Giaddr: A DHCP local pool is configured with a network address. A gateway IP address (giaddr), which indicates
a client’s subnetwork, can be presented to the DHCP local server in the client’s DHCP request message.
The giaddr field in the DHCP request message contains the IP address of a DHCP relay agent. The router
attempts to match the giaddr address in the DHCP request message with the network address of a DHCP
local pool.
Received interface IP address: The router uses the IP address of the interface on which the DHCP packet is being processed and attempts
to match it with the network address of a DHCP local pool. If the interface address matches with the IP
address configured in the DHCP local address pool on the router, that pool is used to delegate the address
to the client.
The Connection Process
The following sequence describes how the subscriber connects to the network for the
first time using equal-access mode. Figure 11 on page 456 illustrates the process.
1. The subscriber’s computer boots and issues a DHCP request.
2. The DHCP local server uses the SRC client to issue a COPS request to retrieve address
pool information.
3. After standard DHCP negotiations, the DHCP local server supplies an IP address to
the subscriber’s computer from a local address pool, as described in the previous
section.
The router maintains a host route that maps the IP address to the router’s interface
associated with the subscriber’s computer.
4. The subscriber’s computer retains the IP address until the subscriber turns off the
computer.
NOTE: If a DHCP client attempts to renew its address and the DHCP server
receives the request on a different interface than the interface that the
client originally used, the DHCP server sends a NAK message to the client,
forcing the client to begin the DHCP connection process again.
Figure 11: Non-PPP Equal Access via the Router
[Figure: E Series router (with SRC client) and SRC software. Steps shown: Subscriber
requests IP address; DHCP server asks SRC software for subscriber information; SRC
software gets subscriber information from RADIUS; SRC software gives subscriber
information to DHCP; DHCP picks IP address from address pool; DHCP gives IP address
to subscriber; Subscriber logs on to SRC application.]
Related Documentation
• Embedded DHCP Local Server Overview on page 453
• Standalone Mode Overview on page 456
• DHCP Local Server Prerequisites on page 458
• DHCP Local Server Configuration Tasks on page 459
Standalone Mode Overview
In standalone mode, the DHCP local server operates as a basic DHCP server. Clients are
not authenticated by default; however, you can optionally configure the DHCP local
server to use AAA authentication for the incoming clients. The DHCP local server receives
DHCP client requests for addresses, selects DHCP local pools from which to allocate
addresses, distributes addresses to the clients, and maintains the resulting DHCP bindings
in a server management table.
Local Pool Selection and Address Allocation
In standalone mode, the DHCP local server selects a pool to allocate an address for a
client; the SRC software is never notified or queried. The process used depends on whether
AAA authentication is configured.
• If AAA authentication is not configured, the DHCP local server selects a pool by matching
the local pool network address to the giaddr or the received interface IP address. The
router compares the parameters with the local DHCP pools in the order presented in
Table 108 on page 457. When the router finds a match, it selects a pool based on the
match and does not examine other parameters.
Table 108: Local Pool Selection in Standalone Mode Without AAA Authentication
Field: How the DHCP Local Server Uses the Field
Giaddr: A giaddr, which indicates a client’s subnetwork, can be presented to the DHCP local server
in the client DHCP REQUEST message. The giaddr field in the DHCP request message usually
contains the IP address of a DHCP relay agent. The router attempts to match the giaddr
address in the DHCP request message with the network address of a DHCP local pool. If it
finds a match, the router uses the matching DHCP local pool.
Received interface IP address: The router uses the IP address of the interface on which the DHCP packet is being processed
and attempts to match it with the network address of a DHCP local pool.
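The pool selection orders of Table 107 (equal-access mode) and Table 108 (standalone mode without AAA authentication), together with the framed-IP allocation rule from Table 107, as an added Python model rather than JunosE code. The Pool and Client records, the pool names, networks, domains and addresses are constructed; treating a giaddr of 0.0.0.0 as "no relay agent present" is an assumption taken from standard DHCP behavior.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Pool:
    """Constructed DHCP local pool (hypothetical values)."""
    name: str
    network: str                  # pool network address, e.g. "10.1.0.0/24"
    domain: Optional[str] = None  # the pool's domain-name field
    free: List[str] = field(default_factory=list)  # unallocated addresses

@dataclass
class Client:
    """What the DHCP local server knows about one request."""
    giaddr: Optional[str] = None           # relay agent address in the request
    received_ifc_ip: Optional[str] = None  # address of the receiving interface
    framed_ip: Optional[str] = None        # from SRC (equal-access mode only)
    pool_name: Optional[str] = None        # from SRC (equal-access mode only)
    domain_name: Optional[str] = None      # from SRC/RADIUS (equal-access only)

def pool_containing(pools, addr):
    """Pool whose network address covers addr, or None."""
    return next((p for p in pools if ip_address(addr) in ip_network(p.network)), None)

def select_pool(pools, c, equal_access=True):
    """Table 107 order (equal-access) or Table 108 order (standalone, no AAA):
    the first parameter that matches a pool wins; later ones are not examined."""
    if equal_access:
        if c.framed_ip and pool_containing(pools, c.framed_ip):
            return pool_containing(pools, c.framed_ip)
        for p in pools:
            if c.pool_name and p.name == c.pool_name:
                return p
        for p in pools:              # domain name: the pool name first ...
            if c.domain_name and p.name == c.domain_name:
                return p
        for p in pools:              # ... then the pool's domain-name field
            if c.domain_name and p.domain == c.domain_name:
                return p
    if c.giaddr and c.giaddr != "0.0.0.0":   # 0.0.0.0: no relay agent (assumption)
        p = pool_containing(pools, c.giaddr)
        if p:
            return p
    return pool_containing(pools, c.received_ifc_ip) if c.received_ifc_ip else None

def allocate(pools, c, equal_access=True):
    """Return (pool name, address) or None. A framed IP is handed out when it
    is still free in the selected pool; otherwise the next free address."""
    p = select_pool(pools, c, equal_access)
    if p is None or not p.free:
        return None
    addr = c.framed_ip if equal_access and c.framed_ip in p.free else p.free[0]
    p.free.remove(addr)
    return p.name, addr

def make_pools():
    """Fresh constructed pools (hypothetical names, networks and domains)."""
    return [
        Pool("corp", "10.1.0.0/24", "corp.example", ["10.1.0.10", "10.1.0.11"]),
        Pool("guest", "10.2.0.0/24", None, ["10.2.0.10"]),
        Pool("isp.example", "10.3.0.0/24", None, ["10.3.0.10"]),
    ]
```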
After the router selects a DHCP local pool, the DHCP local server first tries to find a
reserved IP address for the client in the selected pool. If no reserved address is available,
the router attempts to allocate a client’s requeste