Overview of Classification Scripts
The SAE uses classification scripts to determine whether it manages router interfaces, to select default policies, to find subscriber profiles, and to choose DHCP profiles. The SAE has three classification scripts:
- Interface classification script—When a subscriber's IP interface comes up on the router, the router sends the subscriber's login and interface information to the SAE. The SAE runs the interface classification script to determine whether the SAE manages the interface and if so, what default policies to send to the router.
- Subscriber classification script—If the SAE is managing the interface, the SAE uses the login and interface information that the router sends to run the subscriber classification script to determine which subscriber session to load into memory.
- DHCP classification script—For DHCP subscribers, the SAE runs DHCP classification scripts to choose DHCP profiles.
How Classification Scripts Work
Classification scripts consist of targets and criteria.
- A target is the result of the classification script. For example, the result of subscriber classification scripts is an LDAP search string that is used to find a unique subscriber profile in the directory. The result of interface classification scripts is a policy group in the directory.
- Criteria are match criteria. The script attempts to match criteria in the script to information sent from the router. For example, match criteria for a subscriber classification script might be login type or domain name. Match criteria for an interface classification script could be interface IP address or interface description.
Each script can have multiple targets, and each target can have multiple criteria. When an object needs classification, the script processes the targets in turn. Within each target, the script processes criteria sequentially. When it finds that the classification criteria for a target match, it returns the target to the SAE. If the script does not find any targets that can be matched, the classifier engine returns a no match message to the SAE.
Because classification scripts examine criteria sequentially as the criteria appear in the script, you should put more specific criteria at the beginning of the script and less specific criteria at the end of the script.
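The first-match behavior and the ordering advice above can be modeled in a few lines. This Python sketch is an added example, not SAE classification script syntax or code from the product. The field names, the glob-style patterns, the placeholder policy group DNs, and the rule that any one matching criterion selects its target are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed input, modeled on the interface information listed on this page.
ROUTER_INFO = {
    "virtual_router": "default@erx5_ssp58",
    "interface_name": "FastEthernet3/1.1",
    "login_name": "pebbles@virneo.net",
    "interface_description": "P3/1.1",
}

# Hypothetical targets (placeholder policy group DNs, not real directory entries).
SPECIFIC = "policyGroupName=virneo-pppoe,o=example"
GENERAL = "policyGroupName=default,o=example"

# A script is an ordered list of (target, [criteria]). Assumption: a criterion
# maps field -> glob pattern, all of its fields must match, and any one
# matching criterion selects its target.
GOOD_ORDER = [
    (SPECIFIC, [{"login_name": "*@virneo.net", "interface_name": "FastEthernet*"}]),
    (GENERAL, [{"interface_name": "*"}]),
]
BAD_ORDER = list(reversed(GOOD_ORDER))  # catch-all first: the mistake to avoid

def criterion_matches(criterion, info):
    """True when every field pattern in the criterion matches the router info."""
    return all(fnmatchcase(info.get(field, ""), pattern)
               for field, pattern in criterion.items())

def classify(script, info):
    """Return the first target whose criteria match, or None for 'no match'."""
    for target, criteria in script:
        for criterion in criteria:
            if criterion_matches(criterion, info):
                return target
    return None

def shadowed_targets(script):
    """List targets placed after a catch-all criterion; they can never be returned."""
    for index, (_, criteria) in enumerate(script):
        if any(all(p == "*" for p in c.values()) for c in criteria):
            return [target for target, _ in script[index + 1:]]
    return []

if __name__ == "__main__":
    print(classify(GOOD_ORDER, ROUTER_INFO))   # specific policy group
    print(classify(BAD_ORDER, ROUTER_INFO))    # general policy group wins
    print(shadowed_targets(BAD_ORDER))         # the specific target is unreachable
```

Running a check like `shadowed_targets` before deploying a script catches the case where a broad criterion silently keeps a more restrictive default policy from ever being applied.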
Interface Classification Scripts
When a subscriber's IP interface comes up on the router, the router sends the subscriber's login and interface information to the SAE. For example, the router might send the following information:
- IP address=0.0.0.0
- Virtual router name=default@erx5_ssp58
- Interface name=FastEthernet3/1.1
- PPP login name (PPP)=pebbles@virneo.net
- User IP address (PPP)=192.168.55.5
- Interface speed=100000000
- Interface description=P3/1.1
- Interface alias=1st pppoe int
- RADIUS class=null

The SAE invokes the interface classification script and provides to the script the information that it received from the router. The script engine matches the information sent from the router to the criteria in the interface classification script. The script examines each criterion in sequential order to find a match.
- If it finds a match, the script processing stops, and the target for that criterion is returned to the SAE. The target is the distinguished name (DN) of a policy group in the directory. This policy group is the default policy. The SAE installs the policy on the interface and begins managing the interface.
- If it does not find a match, the script sends a no match message to the SAE. The SAE does not manage the interface; that is, the policies installed through RADIUS or the command-line interface (CLI) remain in effect. The SAE does not install policies, and the JUNOSe router no longer sends reports for this interface.
Subscriber Classification Scripts
When the SAE begins managing an interface, it determines whether a subscriber is associated with the interface by running the subscriber classification script. The SAE also runs the subscriber classification script when certain login events occur. See Login Events for a description of login event types.
To find the matching subscriber profile, the SAE uses interface information that it received from the router when the interface became operational (for example, virtual router name, interface name, interface alias). It also uses login information that it received from the router when the subscriber attempted to log in (for example, interface name, subscriber IP address, login name, or login event type).
When the SAE runs the subscriber classification script, the script engine matches the information sent from the router to the criteria in the subscriber classification script. The script examines each criterion in sequential order to find a match.
- If it finds a match, the script processing stops, and the target for the matching criterion is returned to the SAE. The target is an LDAP query that uniquely identifies a subscriber entry in the directory. The SAE loads the subscriber entry from the directory and uses the entry to create a subscriber session in memory.
- If it does not find a match, the script sends a no match message to the SAE. The SAE does not load a subscriber session onto the interface, and services cannot be activated on the interface.
DHCP Classification Scripts
DHCP classification scripts choose DHCP profiles. See Assigning DHCP Addresses to Subscribers for information about how DHCP classification scripts are used.