The AAA Service Framework provides a single point of contact
for all the authentication, authorization, accounting, address assignment,
and dynamic request services that the router supports for network
access. The framework supports authentication and authorization through
external servers, such as RADIUS. The framework also supports accounting
and dynamic-request CoA and disconnect operations through external
servers, and address assignment through a combination of local address-assignment
pools and RADIUS.
When interacting with external back-end RADIUS servers, the
AAA Service Framework supports standard RADIUS attributes and Juniper
Networks vendor-specific attributes (VSAs). The AAA Service Framework
also includes an integrated RADIUS client that can initiate requests
and is compatible with RADIUS servers that conform to RFC 2865,
RFC 2866, and RFC 3576.
You create the following types of configurations
to manage subscriber access:
Authentication—Authentication parameters defined
in the access profile determine the authentication component of the
AAA processing. For example, subscribers can be authenticated using
an external authentication service such as RADIUS.
Accounting—Accounting parameters in the access
profile specify the accounting part of the AAA processing. For example,
the parameters determine how the router collects and uses subscriber
statistics.
RADIUS-initiated dynamic requests—A list of authentication
server IP addresses in the access profile specifies the RADIUS servers
that can initiate dynamic requests to the router. Dynamic requests
include CoA requests, which specify VSA modifications and service
changes, and disconnect requests, which terminate subscriber sessions.
The list of authentication servers also provides RADIUS-based dynamic
service activation and deactivation during subscriber login.
Address assignment—The AAA Service Framework assigns
addresses to subscribers based on the configuration of local address-assignment
pools. For example, the AAA framework collaborates with RADIUS servers
to assign addresses from the specified pools.
Subscriber secure policy—RADIUS VSAs and attributes
provide RADIUS-initiated traffic mirroring on a per-subscriber basis.
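The dynamic-request item above limits CoA and disconnect requests to the RADIUS servers listed in the access profile. The following Python example is added here and is not Juniper code: it shows the two checks a receiver of RFC 3576 requests makes, the source address against the configured server list and the Request Authenticator, which RFC 3576 computes the same way as for an RFC 2866 Accounting-Request. The function names, server address, and shared secret are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

DISCONNECT_REQUEST = 40  # RFC 3576 packet codes
COA_REQUEST = 43

# Constructed sample data: one allowed server (documentation address) and its secret.
SAMPLE_SERVERS = {"192.0.2.10": b"constructed-shared-secret"}
SAMPLE_ATTRS = bytes([1, 7]) + b"alice"  # User-Name attribute (type 1, length 7)

def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, ident, attrs, secret):
    """Build a sample request the way a RADIUS server would sign it."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs

def check_dynamic_request(packet, source_ip, allowed_servers):
    """Return (accepted, reason) for a received dynamic-request datagram.

    allowed_servers maps a server IP string to its shared secret (hypothetical
    stand-in for the authentication server list in the access profile).
    """
    secret = allowed_servers.get(str(ipaddress.ip_address(source_ip)))
    if secret is None:
        return False, "source not in authentication server list"
    if len(packet) < 20:
        return False, "truncated header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return False, "not a CoA or disconnect request"
    if length < 20 or length > len(packet):
        return False, "bad length field"
    attrs = packet[20:length]  # octets past Length are padding and are ignored
    expected = request_authenticator(code, ident, attrs, secret)
    # Constant-time comparison avoids leaking how many octets matched.
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "authenticator mismatch"
    return True, "ok"
```

A request from an unlisted address is rejected before any secret is used, and a request from a listed address is still rejected if its attributes were altered after signing.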