[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]


Classifying Subscribers

Changes that you make to subscriber classification scripts do not affect subscriber sessions that are already established. One effect of this behavior is that static IP subscriber sessions are not closed if the classification script is changed in a way that would no longer cause the SAE to load a profile for certain subscribers.

On JUNOSe routers that use the COPS-PR or COPS XDR router drivers, you can create a subscriber session for the router interface to start services such as script services and aggregate services. The SAE creates the router interface, but does not install any policies on it. You can create a subscriber classification rule, but not an interface classification rule for this interface.

Use the following configuration statements to define subscriber classification scripts:

shared sae subscriber-classifier rule name {
target target;
script script;
}

shared sae subscriber-classifier rule name condition name ...

A classification script can contain either a target and a condition or a script. If you do not define a script, the classifier must have both a target and a condition.

To define subscriber classification scripts:

  1. From configuration mode, enter the subscriber classifier configuration. In this sample procedure, the subscriber classifier is configured in the west-region SAE group.
  2. user@host# edit shared sae group west-region subscriber-classifier
    
    
    
  3. Create a rule for the subscriber classifier. You can create multiple rules for the classifier.
  4. [edit shared sae group west-region subscriber-classifier]
    
    user@host# edit rule rule-2
    
    
    
  5. Configure either a target or a script for the rule.
  6. [edit shared sae group west-region subscriber-classifier rule rule-2]
    
    user@host# set target target
    
    
    

OR

[edit shared sae group west-region subscriber-classifier rule rule-2]
user@host# set script script

If you configure a target, see Subscriber Classification Targets.

  1. If you configured a target for the rule, configure a match condition for the rule. You can create multiple conditions for the rule. See Subscriber Classification Conditions.
  2. [edit shared sae group west-region subscriber-classifier rule rule-2]
    
    user@host# edit condition name
    
    
    
  3. (Optional) Change the order of rules.
  4. [edit shared sae group west-region subscriber-classifier]
    
    user@host# insert rule rule-5 before rule-4
    
    
    
  5. (Optional) Rename a rule.
  6. [edit shared sae group west-region subscriber-classifier]
    
    user@host# rename rule rule-5 to Retailer
    
    
    
  7. (Optional) Verify the classifier rule configuration.
  8. [edit shared sae group west-region subscriber-classifier rule rule-2]
    
    user@host# show
    
    target <-unauthenticatedUserDn->;
    
    condition {
    
      "loginType == \"ADDR\"";
    
      "loginType == \"AUTHADDR\"";
    
    }
    
    
    
  9. (Optional) Verify the subscriber classifier configuration.
  10. [edit shared sae group west-region subscriber-classifier]
    
    user@host# show
    
    rule rule-1 {
    
      script "# User Classification script
    
    #
    
    # The following attributes MAY be available for comparison.
    
    #  Attributes that are not available will have the value \"\" (empty
    string).
    
    #
    
    #   loginType: one of \"INTF\", \"AUTHINTF\", \"ADDR\", \"AUTHADDR\",
    
    #              \"PORTAL\", \"ASSIGNEDIP\"
    
    #   userName:  Everything before the \"@\" in the user's login name.
    
    #   domainName: Everything after the \"@\" in the user's login name.
    
    #   serviceBundle: A RADIUS VSA available if the login event involves
    
    #                  authentication with a properly configured RADIUS server.
    
    #   radiusClass: The RADIUS class of user's ERX interface.
    
    #   virtualRouterName: The name of the user's virtual router.
    
    #   interfaceName: The name of the user's ERX interface (e.g.
    
    #                  \"fastEthernet3/1.0\")
    
    #   ifAlias: The alias of the user's ERX interface, as configured on the
    ERX.
    
    #   ifDesc: The description of the user's ERX interface, as configured on
    
    #           the ERX.
    
    #   nasPortId: The user's ERX interface including Layer 2 access information
    
    #              (e.g. \"fastEthernet 3/1.0:3\")
    
    #   macAddress: The MAC address of the user, if he is a DHCP user.
    
    #   retailerDn: Generated by SSP for backwards compatibility; see below.
    
    #
    
    #  The loginType value available to this user classifier script will be
    
    #  one of the following:
    
    #
    
    #  \"INTF\":
    
    #  An INTF login is triggered every time an interface comes up and the
    
    #  interface classifier script determines that SAE should manage that
    
    #  interface, and the interface has not been authenticated by the router.
    
    #
    
    #  \"AUTHINTF\":
    
    #  An AUTHINTF login is triggered every time an authenticated
    
    #  interface comes up, for example as a result of an authenticated PPP
    
    #  session.
    
    #
    
    #  \"ADDR\":
    
    #  An ADDR login is triggered every time an `unauthenticated' IP
    
    #  address is handed out by the DHCP server in the ERX.
    
    #
    
    #  \"AUTHADDR\":
    
    #  An AUTHADDR login is triggered every time an `authenticated' IP
    
    #  address is handed out by the DHCP server in the ERX.
    
    #
    
    #  \"PORTAL\":
    
    #  A PORTAL login is triggered every time the portal API is invoked to
    
    #  login a user.
    
    #
    
    #  See the customer documentation for a description of the values
    
    #  for each login type available in the script.
    
    #
    
    #  One of the values available during some types of logins is the
    
    #  `retailerDn'.  This is a generated value available for backwards
    
    #  compatibility with previous versions of SAE.  SAE generates this
    
    #  value as follows:
    
    #
    
    #  The retailerDn value is generated by, first, determining an
    
    #  effective user domain name, and second, locating the retailer
    
    #  entry in LDAP that contains that effective domain name.  If no
    
    #  such retailer exists, the retailerDn value will be \"\".
    
    #
    
    #  The effective user domain name is the first of the following that yields
    
    #  a result:
    
    #
    
    #  1. For PPP, PORTAL, and PUBLIC logins where a non-empty domainName
    
    #     is supplied, that non-empty domain name is used as the effective
    
    #     domain name.
    
    #
    
    #  2. For INTF logins, and for PPP, PORTAL, and PUBLIC logins where a
    
    #     non-empty domain name is not supplied, the effective domain name
    
    #     is the name of the user's virtual router, unless that effective
    
    #     domain does not exist in some retailer in LDAP.
    
    #
    
    #  3. If neither step 1 nor step 2 yields an effective domain name,
    
    #     \"default\" is used as the effective domain name.
    
    #
    
    
    
    ";
    
    }
    
    rule rule-2 {
    
      target <-unauthenticatedUserDn->;
    
      condition {
    
        "loginType == \"ADDR\"";
    
        "loginType == \"AUTHADDR\"";
    
      }
    
    }
    
    rule rule-3 {
    
      target <-retailerDn->??sub?(uniqueID=<-userName->);
    
      condition {
    
        "retailerDn != \"\"";
    
        "& userName != \"\"";
    
      }
    
    }
    

Subscriber Classification Conditions

Subscriber classification conditions define match criteria that are used to find the subscriber profile. Use the fields in this section to define subscriber classification conditions.

dhcp

domainName

ifAlias

ifDesc

interfaceName

For JUNOS routing platforms: interfaceName="fe-0/1/0.0"

For forwarding interface: interfaceName="FORWARDING_INTERFACE"

loginName

The loginName can also be used to identify a subscriber session through the SAE CORBA remote API.

loginType

macAddress

nasPortId

radiusClass

retailerDn

serviceBundle

unauthenticatedUserDn

userName

virtualRouterName

For JUNOS routing platforms: name of the routing instance

Sending DHCP Options to the JUNOSe Router

Subscriber classification scripts support DHCP options conveyed through COPS. When COPS reports an address, the JUNOSe router sends DHCP options received for DHCP requests for that address. The DHCP options are available in the subscriber classification context for selecting the subscriber profile to load.

The fields in Table 12 are in the classification context of subscriber classification scripts.




Table 12: DHCP Options in UserClassificationContext Field 
DHCP Option
UserClassificationContext Field
Comments

giAddr

dhcp.giAddr

Relay agent gateway address

Option 82 data

dhcp.getOption(82)

Content is accessible with getSubOptions()

Client ID

dhcp.getOption(61).getString()

Lease time

dhcp.getOption(51).getInt()

Client requested parameter list

dhcp.getOption(55).getBytes()

Domain name sent to client

dhcp.getOption(12).getString() dhcp.getOption(15).getString()

12 = HostName 15 = DomainName

DNS server address(es) sent to client

dhcp.getOption(6).getIpAddresses()

Subnet mask

dhcp.getOption(1).getIpAddress()

NetBios name server address(es) sent to client

dhcp.getOption(44).getIpAddresses()

NetBios node type

dhcp.getOption(46).getBytes()

Default router address(es) sent to client

dhcp.getOption(3).getIpAddresses()

The DHCP options are accessible to the subscriber classification script with the following syntax:

dhcp.giAddr = "match"

# interpret option 61 as string
dhcp[61].string = "match"

# interpret option 1 (subnet) as dotted decimal IP
dhcp[1].ipAddress = "match"

# option 82, suboption 1, interpreted as string
dhcp[82].subOptions[1].string = "match"

The received DHCP options are also stored in the UserSession and are available through the portal API (method User.getDhcpOptions).

Subscriber Classification Targets

The target of the subscriber classification script is an LDAP search string. The search string uses a syntax similar to an LDAP URL (see RFC 2255—The LDAP URL Format (December 1997)). The syntax is:

"baseDN [ ? [ attributes ] [ ? [ scope ] [ ? [ filter ] ] ] ]"

With the exception of baseDN all the fields are optional.

The result of the LDAP search must be exactly one directory object. If no object or more than one object is found, the subscriber session is terminated.

Example: Subscriber Classification Scripts for Static IP Subscriber

In cases such as bridged 1483 DSL with a single subscriber, you can write the subscriber classification script so that it loads a specific subscriber profile. If the interface is matched to a subscriber profile, a subscriber session is immediately established. An SAE application (for example, a portal) can still force the subscriber with this subscriber profile to perform a Web login.

One way to achieve the mapping of subscriber interface to subscriber profile is to provision the assigned interface name in the associated subscriber profile in LDAP. In this case the subscriber classification script can include a rule like this:

[edit shared sae group west-region subscriber-classifier rule rule-1]
user@host# show
target retailerName=default,o=Users,o=umc??sub?(interfaceName=<-interfaceName->);
condition {
  "loginType==\"INTF\"";
  "&interfaceName=fastEthernet*";
}

Another way may include a special encoding of the interface alias (ifAlias) field of the subscriber interface. This encoding must then be provisioned when the interface for the subscriber is provisioned. In this example, the encoding SAE-username is chosen for ifAlias; for example, for subscriber juser the interface alias would be set to SAE-juser. The match is performed with a regular expression, which separates the user ID from the ifAlias prefix.

[edit shared sae group west-region subscriber-classifier rule rule-1]
user@host# show
target retailerName=default,o=Users,o=umc??sub?(uniqueID=<-userId>);
condition {
  "loginType==\"INTF\"";
  "&ifAlias=~SAE-(?P<userId>.*)";
}

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]