Classifying Subscribers
Changes that you make to subscriber classification scripts do not affect subscriber sessions that are already established. One effect of this behavior is that static IP subscriber sessions are not closed if the classification script is changed in a way that would no longer cause the SAE to load a profile for certain subscribers.
On JUNOSe routers that use the COPS-PR or COPS XDR router drivers, you can create a subscriber session for the router interface to start services such as script services and aggregate services. The SAE creates the router interface, but does not install any policies on it. You can create a subscriber classification rule, but not an interface classification rule for this interface.
To define subscriber classification scripts with SDX Admin:
- In the SDX Admin navigation pane, access the SAE object I=SAE, ou=staticConfiguration, ou=configuration, o=management, o=umc.
- In this folder, click on the I=POP-ID object associated with this SAE.
The SSP Configuration pane appears.
Use the information in Selecting Subscriber Classification Criteria and Configuring Subscriber Classification Targets to configure the subscriber classification script for an SAE object.
Selecting Subscriber Classification Criteria
Subscriber classification criteria define match criteria that are used to find the subscriber profile. Use the fields in this section to define classification criteria.
dhcp
- DHCP options. See Sending DHCP Options to the JUNOSe Router.
domainName
ifAlias
- Description of the interface.
- Value—Interface description that is configured on the router. For JUNOSe routers, it is the description configured with the interface description command.
- Example—ifAlias="dhcp-subscriber12"
ifDesc
- ip<slot>/<port>.<subinterface>
On the JUNOS routing platform, ifDesc is the same as interfaceName.
interfaceName
- Name of the interface in your router CLI syntax
- FORWARDING_INTERFACE for routing instance (used by traffic mirroring)
For JUNOS routing platforms: interfaceName="fe-0/1/0.0"
For forwarding interface: interfaceName="FORWARDING_INTERFACE"
loginName
- Name to be used to create a loginName attribute for a subscriber session for JUNOSe interfaces that are not otherwise assigned a loginName when a session starts, such as unauthenticated DHCP addresses, unauthenticated IP interfaces (that are not using PPP connections), or core-facing interfaces.
The loginName can also be used to identify a subscriber session through the SAE CORBA remote API.
- Value—Name in the form subscriber@domain
- <Login name>
- Guideline—The format is not defined. A loginName can be of form subscriber, domain\subscriber, subscriber@domain, or as otherwise defined by the login setup of the operator.
- Example—idp@idp
loginType
- ASSIGNEDIP—For assigned IP subscribers. Triggered when an application accesses a subscriber object for an assigned IP subscriber that is not currently loaded into memory. (Supported on JUNOSe routers.)
- AUTHINTF—For authenticated interface login requests. Triggered when a loginName is reported together with the interface, such as authenticated PPP or autoconfigured ATM interface, by means of the subscriber command. (Supported on JUNOSe routers.)
- INTF—For unauthenticated interface login requests. Triggered when an interface comes up and the interface classification script determines that the SAE should manage the interface. (Supported on JUNOS routing platforms and JUNOSe routers.)
- ADDR—For unauthenticated address login requests. Triggered when the DHCP server in the JUNOSe router provides an unauthenticated IP address. (Supported on JUNOSe routers.)
- AUTHADDR—For authenticated address login requests. Triggered when the DHCP server in the JUNOSe router provides an authenticated IP address. (Supported on JUNOSe routers.)
- PORTAL—Triggered when the portal API is invoked to log in a subscriber. (Supported on JUNOS routing platforms and JUNOSe routers.)
macAddress
- String representation of the DHCP subscriber media access control (MAC) address.
- Value—Valid MAC address
- Example—macAddress="00:11:22:33:44:55"
nasPortId
- Port identifier of an interface.
- Value—Includes interface name and additional layer 2 information
- Example—nasPortId="fastEthernet 3/1" (There is a space between fastEthernet and slot number 3/1 in the nasPortId.)
radiusClass
retailerDn
- DN of the retailer object. The object is found when the domain name is mapped to a retailer object in LDAP.
- Value—DN of a retailer
serviceBundle
- Content of the vendor-specific RADIUS attribute for the service bundle.
- Value—Name of a service bundle
- Example—serviceBundle="goldSubscriber"
unauthenticatedUserDn
- DN of the unauthenticated subscriber profile (usable for target expressions only).
- Value—DN of a subscriber profile
userName
virtualRouterName
- Name of the virtual router or routing instance.
- Value—For JUNOSe routers: name of the virtual router in the format vrname@hostname
For JUNOS routing platforms: name of the routing instance
Sending DHCP Options to the JUNOSe Router
Subscriber classification scripts support DHCP options conveyed through COPS. When COPS reports an address, the JUNOSe router sends DHCP options received for DHCP requests for that address. The DHCP options are available in the subscriber classification context for selecting the subscriber profile to load.
The fields in Table 14 are in the user classification context of subscriber classification scripts.
dhcp.getOption(12).getString()
dhcp.getOption(15).getString()
The DHCP options are accessible for the subscriber classification script with the following syntax:
dhcp.giAddr = "match"
# interpret option 61 as string
dhcp[61].string = "match"
# interpret option 1 (subnet) as dotted decimal IP
dhcp[1].ipAddress = "match"
# option 82, suboption 1, interpreted as string
dhcp[82].subOptions[1].string = "match"
The received DHCP options are also stored in the UserSession and are available through the portal API (method User.getDhcpOptions).
Configuring Subscriber Classification Targets
The target of the subscriber classification script is an LDAP search string. The search string uses a syntax similar to an LDAP URL (see RFC 2255—The LDAP URL Format (December 1997)). The syntax is:
baseDN [ ? [ attributes ] [ ? [ scope ] [ ? [ filter ] ] ] ]
- baseDN—Distinguished name of object where the LDAP search starts
- attributes—Can be used to override attributes in the loaded LDAP object. For example, for static IP subscribers the SAE must learn the IP address assigned to a particular subscriber. This address is defined in the ipAddress attribute of the subscriber profile. A target of the form baseDN?ipAddress=<-function(interfaceName)-> invokes function after the subscriber profile is loaded from LDAP and sets the IP address to the return value of function. The function is defined in the subscriber classification script, and can be used for a variety of things; for example, to query an external database.
- scope—Scope of search in the directory
- base—Is the default, searches the base DN only.
- one—Searches the direct children of the base DN.
- sub—Searches the complete subtree below the base DN.
- filter—Is an RFC 2254-style LDAP search filter expression; for example, (uniqueId=<-userName->). See RFC 2254—The String Representation of LDAP Search Filters (December 1997).
With the exception of baseDN, all the fields are optional.
The result of the LDAP search must be exactly one directory object. If no object or more than one object is found, the subscriber session is terminated.
Example: Subscriber Classification Scripts for Static IP Subscriber
In cases such as bridged 1483 DSL with a single subscriber, you can write the subscriber classification script so that it loads a specific subscriber profile. If the interface is matched to a subscriber profile, a subscriber session is immediately established. An SAE application (for example, a portal) can still force the subscriber with this subscriber profile to perform a Web login.
One way to achieve the mapping of subscriber interface to subscriber profile is to provision the assigned interface name in the associated subscriber profile in LDAP. In this case the subscriber classification script can include a rule like this:
[retailerName=default,o=Users,o=umc??sub?(interfaceName=<-interfaceName->)]
# all fastEthernet interfaces are connected to static IP subscriber
loginType = INTF & interfaceName = fastEthernet*
Another way may include a special encoding of the interface alias (ifAlias) field of the subscriber interface. This encoding must then be provisioned when the interface for the subscriber is provisioned. In this example, the encoding SSP-username is chosen for ifAlias; for example, for subscriber juser the interface alias would be set to SSP-juser. The match is performed with a regular expression, which separates the user ID from the ifAlias prefix.
[retailerName=default,o=Users,o=umc??sub?(uniqueID=<-userId->)]
loginType = INTF & ifAlias =~ SSP-(?P<userId>.*)
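The target syntax and the ifAlias rule above, worked through in Python as an added example (not code from the SAE or from this documentation). It splits a target into its four fields, applies the rule's regular expression, and fills the <-userId-> placeholder in the filter; the helper names, the start-anchored match, and the RFC 2254 escaping of the substituted value are assumptions of this example, since the page does not describe how the SAE treats special characters.

```python
import re

# Example code for illustration; not the SAE's implementation.
SCOPES = ("base", "one", "sub")
# RFC 2254 section 4: characters that must be escaped inside a filter value.
ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
PLACEHOLDER = re.compile(r"<-(\w+)->")
# Target and condition copied from the page's ifAlias rule.
TARGET = "retailerName=default,o=Users,o=umc??sub?(uniqueID=<-userId->)"
IFALIAS_RE = re.compile(r"SSP-(?P<userId>.*)")


def escape_filter_value(value):
    """Escape a value so it cannot alter the structure of an LDAP filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def parse_target(target, context):
    """Split baseDN?attributes?scope?filter and fill <-name-> in the filter."""
    base_dn, attributes, scope, flt = (target.split("?", 3) + [""] * 3)[:4]
    if not base_dn:
        raise ValueError("baseDN is the only mandatory field")
    scope = scope or "base"  # base is the default scope
    if scope not in SCOPES:
        raise ValueError("unknown scope: %r" % scope)
    flt = PLACEHOLDER.sub(lambda m: escape_filter_value(context[m.group(1)]), flt)
    return {"base": base_dn, "attributes": attributes, "scope": scope, "filter": flt}


def classify(session):
    """Apply: loginType = INTF & ifAlias =~ SSP-(?P<userId>.*)"""
    match = IFALIAS_RE.match(session.get("ifAlias", ""))  # start anchoring is assumed
    if session.get("loginType") != "INTF" or match is None:
        return None
    return parse_target(TARGET, dict(session, **match.groupdict()))


def select_profile(entries):
    """The search must yield exactly one object, otherwise the session ends."""
    if len(entries) != 1:
        raise LookupError("expected 1 directory object, got %d" % len(entries))
    return entries[0]


# Constructed sample sessions (not taken from a real router).
normal = classify({"loginType": "INTF", "ifAlias": "SSP-juser"})
wildcard = classify({"loginType": "INTF", "ifAlias": "SSP-*"})
print(normal["filter"])    # (uniqueID=juser)
print(wildcard["filter"])  # (uniqueID=\2a)
```

With the value escaped, an alias such as SSP-* yields a filter that matches only a literal asterisk, so the search cannot widen to several profiles and fail the exactly-one-object rule.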