Classifying Subscribers with the C-Web Interface
To define subscriber classification scripts:
The Subscriber Classifier pane appears.
- From the Create new list, select Rule.
- Type a name for the new rule in the dialog box, and click OK.
The rule appears in the side pane and the Rule pane.
- Enter a script or a target as described in the Help text in the Main pane, and click OK.
- To configure a condition for a target:
- Type the subscriber classification condition name as described in Subscriber Classification Conditions, and click OK.
The condition appears in the side pane and the Condition pane.
Subscriber Classification Conditions
Subscriber classification conditions define match criteria that are used to find the subscriber profile. Use the fields in this section to define subscriber classification conditions.
dhcp
- DHCP options. See Sending DHCP Options to the JUNOSe Router.
domainName
ifAlias
- Description of the interface.
- Value—Interface description that is configured on the router. For JUNOSe routers, it is the description configured with the interface description command.
- Example—ifAlias="dhcp-subscriber12"
ifDesc
ip<slot>/<port>.<subinterface>
On the JUNOS routing platform, ifDesc is the same as interfaceName.
interfaceName
- Name of the interface in your router CLI syntax
- FORWARDING_INTERFACE for routing instance (used by traffic mirroring)
- Router for a JUNOSe router instance
For JUNOS routing platforms: interfaceName="fe-0/1/0.0"
For forwarding interface: interfaceName="FORWARDING_INTERFACE"
loginName
- Name to be used to create a loginName attribute for a subscriber session for JUNOSe interfaces that are not otherwise assigned a loginName when a session starts, such as unauthenticated DHCP addresses, unauthenticated IP interfaces (that are not using PPP connections), or core-facing interfaces.
The loginName can also be used to identify a subscriber session through the SAE CORBA remote API.
- Value—Name in the form subscriber@domain
- <Login name>
- Guideline—The format is not defined. A loginName can be of form subscriber, domain\subscriber, subscriber@domain, or as otherwise defined by the login setup of the operator.
- Example—idp@idp
loginType
- ASSIGNEDIP—For assigned IP subscribers. Triggered when an application accesses a subscriber object for an assigned IP subscriber that is not currently loaded into memory. (Supported on JUNOSe routers.)
- AUTHINTF—For authenticated interface login requests. Triggered when a login name is reported together with the interface, such as authenticated PPP or autoconfigured ATM interface, by means of the subscriber command. (Supported on JUNOSe routers.)
- INTF—For unauthenticated interface login requests. Triggered when an interface comes up and the interface classification script determines that the SAE should manage the interface. (Supported on JUNOS routing platforms and JUNOSe routers.)
- ADDR—For unauthenticated address login requests. Triggered when the DHCP server in the JUNOSe router provides an unauthenticated IP address. (Supported on JUNOSe routers.)
- AUTHADDR—For authenticated address login requests. Triggered when the DHCP server in the JUNOSe router provides an authenticated IP address. (Supported on JUNOSe routers.)
- PORTAL—Triggered when the portal API is invoked to log in a subscriber. (Supported on JUNOS routing platforms and JUNOSe routers.)
macAddress
- String representation of the DHCP subscriber media access control (MAC) address.
- Value—Valid MAC address
- Example—macAddress="00:11:22:33:44:55"
nasPortId
- Port identifier of an interface.
- Value—Includes interface name and additional layer 2 information
- Example—nasPortId="fastEthernet 3/1" (There is a space between fastEthernet and slot number 3/1 in the nasPortId.)
radiusClass
retailerDn
- DN of the retailer object. The object is found when the domain name is mapped to a retailer object in LDAP.
- Value—DN of a retailer
serviceBundle
- Content of the vendor-specific RADIUS attribute for the service bundle.
- Value—Name of a service bundle
- Example—serviceBundle="goldSubscriber"
unauthenticatedUserDn
- DN of the unauthenticated subscriber profile (usable for target expressions only).
- Value—DN of a subscriber profile
userName
virtualRouterName
- Name of the virtual router or routing instance.
- Value—For JUNOSe routers: name of the virtual router in the format vrname@hostname
For JUNOS routing platforms: name of the routing instance
Sending DHCP Options to the JUNOSe Router
Subscriber classification scripts support DHCP options conveyed through COPS. When COPS reports an address, the JUNOSe router sends DHCP options received for DHCP requests for that address. The DHCP options are available in the subscriber classification context for selecting the subscriber profile to load.
The fields in Table 5 are in the classification context of subscriber classification scripts.
dhcp.getOption(12).getString() dhcp.getOption(15).getString()
The DHCP options are accessible to the subscriber classification script with the following syntax:
    dhcp.giAddr = "match"
    # interpret option 61 as string
    dhcp[61].string = "match"
    # interpret option 1 (subnet) as dotted decimal IP
    dhcp[1].ipAddress = "match"
    # option 82, suboption 1, interpreted as string
    dhcp[82].subOptions[1].string = "match"
The received DHCP options are also stored in the UserSession and are available through the portal API (method User.getDhcpOptions).
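The accessors above correspond to different readings of the same raw option bytes. The following added example (not SRC code) decodes a constructed DHCP options field and shows each reading; the function names and sample bytes are assumptions of this example, and the page does not describe how the SAE itself decodes options.

```python
import ipaddress


def parse_tlv(data, top_level=True):
    """Decode code/length/value triples into {code: value bytes}."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if top_level and code == 255:  # End option (RFC 2132)
            break
        if top_level and code == 0:    # Pad option: a single byte, no length
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("option %d is truncated" % code)
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return options


def as_string(value):
    return value.decode("latin-1")


def as_ip_address(value):
    return str(ipaddress.IPv4Address(value))  # raises unless exactly 4 bytes


# Constructed sample: subnet mask, client identifier, relay agent information.
SAMPLE = (bytes([1, 4, 255, 255, 255, 0])
          + bytes([61, 8]) + b"modem-12"
          + bytes([82, 10, 1, 8]) + b"port-3/1"
          + bytes([255]))


def classify_fields(raw):
    """Values keyed by the page's accessor syntax (this example's reading)."""
    opts = parse_tlv(raw)
    return {
        "dhcp[1].ipAddress": as_ip_address(opts[1]),
        "dhcp[61].string": as_string(opts[61]),
        "dhcp[82].subOptions[1].string":
            as_string(parse_tlv(opts[82], top_level=False)[1]),
    }
```

Options 61 and 82 are supplied by the client or relay, so a condition that matches on them is only as trustworthy as the access network that carries them.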
Subscriber Classification Targets
The target of the subscriber classification script is an LDAP search string. The search string uses a syntax similar to an LDAP URL (see RFC 2255—The LDAP URL Format (December 1997)). The syntax is:
"baseDN [ ? [ attributes ] [ ? [ scope ] [ ? [ filter ] ] ] ]"
- baseDN—Distinguished name of object where the LDAP search starts
- attributes—Can be used to override attributes in the loaded LDAP object. For example, for static IP subscribers the SAE must learn the IP address assigned to a particular subscriber. This address is defined in the ipAddress attribute of the subscriber profile. A target of the form baseDN?ipAddress=<-function(interfaceName)-> invokes function after the subscriber profile is loaded from LDAP and sets the IP address to the return value of function. The function is defined in the subscriber classification script, and can be used for a variety of things; for example, to query an external database.
- scope—Scope of search
- base—Is the default, searches the base DN only.
- one—Searches the direct children of the base DN.
- sub—Searches the complete subtree below the base DN.
- filter—Is an RFC 2254-style LDAP search filter expression; for example, (uniqueId=<-userName->). See RFC 2254—The String Representation of LDAP Search Filters (December 1997).
With the exception of baseDN, all the fields are optional.
The result of the LDAP search must be exactly one directory object. If no object or more than one object is found, the subscriber session is terminated.
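An added example (not SRC code) of how a target string splits into the four fields above, how a `<-name->` placeholder in the filter is filled from the classification context, and how the exactly-one-result rule applies. The base DN, the context values and the RFC 2254 escaping of substituted values are assumptions of this example; the page does not say how the SAE treats special characters in substituted values.

```python
import re

SCOPES = {"base", "one", "sub"}
PLACEHOLDER = re.compile(r"<-(\w+)->")
# RFC 2254 section 4: these characters are written as \XX inside a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_target(target):
    """Split "baseDN?attributes?scope?filter" into its four fields."""
    parts = target.split("?", 3)
    parts += [""] * (4 - len(parts))      # omitted trailing fields are empty
    base_dn, attributes, scope, ldap_filter = parts
    if not base_dn:
        raise ValueError("baseDN is the only mandatory field")
    scope = scope or "base"               # base is the default scope
    if scope not in SCOPES:
        raise ValueError("scope must be base, one or sub: %r" % scope)
    return {"baseDN": base_dn, "attributes": attributes,
            "scope": scope, "filter": ldap_filter}


def expand_filter(ldap_filter, context):
    """Replace <-name-> with the escaped value of that classification field."""
    return PLACEHOLDER.sub(
        lambda m: escape_filter_value(context[m.group(1)]), ldap_filter)


def select_profile(entries):
    """Exactly one object must match; any other count ends the session."""
    return entries[0] if len(entries) == 1 else None


# Constructed target and context values.
TARGET = "ou=subscribers,o=example??sub?(uniqueId=<-userName->)"
```

With escaping, a userName of `*` is searched for as a literal asterisk instead of acting as a wildcard that could match many profiles under a `sub` scope.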