options (Access Profile)
Syntax
options {
    accounting-session-id-format (decimal | description);
    calling-station-id-delimiter delimiter-character;
    calling-station-id-format {
        agent-circuit-id;
        agent-remote-id;
        interface-description;
        nas-identifier;
    }
    chap-challenge-in-request-authenticator;
    client-accounting-algorithm (direct | round-robin);
    client-authentication-algorithm (direct | round-robin);
    coa-dynamic-variable-validation;
    ethernet-port-type-virtual;
    interface-description-format {
        exclude-adapter;
        exclude-channel;
        exclude-sub-interface;
    }
    ip-address-change-notify message;
    juniper-access-line-attributes;
    nas-identifier identifier-value;
    nas-port-extended-format {
        adapter-width width;
        ae-width width;
        port-width width;
        slot-width width;
        stacked-vlan-width width;
        vlan-width width;
        atm {
            adapter-width width;
            port-width width;
            pw-width width;
            slot-width width;
            vci-width width;
            vpi-width width;
        }
    }
    nas-port-id-delimiter delimiter-character;
    nas-port-id-format {
        agent-circuit-id;
        agent-remote-id;
        concatenated-vlan-tags {
            fixed-size-inner-tag;
            fixed-size-outer-tag;
        }
        interface-description;
        interface-text-description;
        nas-identifier;
        order {
            agent-circuit-id;
            agent-remote-id;
            interface-description;
            interface-text-description;
            nas-identifier;
            postpend-vlan-tags;
        }
        postpend-vlan-tags;
    }
    nas-port-type {
        ethernet {
            port-type;
        }
    }
    override {
        calling-station-id remote-circuit-id;
        nas-ip-address tunnel-client-gateway-address;
        nas-port tunnel-client-nas-port;
        nas-port-type tunnel-client-nas-port-type;
    }
    remote-circuit-id-delimiter;
    remote-circuit-id-fallback;
    remote-circuit-id-format {
        agent-circuit-id;
        agent-remote-id;
    }
    revert-interval interval;
    service-activation {
        dynamic-profile (optional-at-login | required-at-login);
        extensible-service (optional-at-login | required-at-login);
    }
    vlan-nas-port-stacked-format;
}
Hierarchy Level
[edit access profile profile-name radius]
Description
Configure the options used by RADIUS authentication and accounting servers.
Options
accounting-session-id-format | (EX Series, MX Series only) Configure the format the router
or switch uses to identify the accounting session. The default is
|
calling-station-id-delimiter | (MX Series, T Series only) Starting in Junos OS Release 13.1,
specify the character that the router uses as a separator between
the concatenated values in the Calling-Station-ID (RADIUS IETF attribute
31) string. The router uses the delimiter when you configure more
than one value in the
|
chap-challenge-in-request-authenticator | (MX Series only) Starting in Junos OS Release 15.1,
configure the |
client-accounting-algorithm | (EX Series, MX Series, SRX3xx and SRX550HM only)
Starting in Junos OS Release 13.2X50-D10 for EX Series switches,
configure the access method the router uses to access RADIUS accounting
servers. The default is the
|
client-authentication-algorithm | (EX Series, M Series, MX Series only) Starting in Junos OS Release 13.2X50-D10 for EX Series switches, configure the method that the authenticator uses to access RADIUS authentication servers when there are multiple servers configured. Initially, a RADIUS client sends a request to a RADIUS authentication or accounting server. The router or switch, acting as the authenticator, waits for a response from the server before sending another request. When there are multiple RADIUS server connections configured for a client, the authenticator attempts to reach the different servers in the order that they are configured. If there is no response from the first RADIUS server, the authenticator attempts to reach the next RADIUS server. This process repeats until the client is either granted access or there are no more configured servers. If the Note:
The
|
coa-dynamic-variable-validation | (EX Series, M Series, MX Series only) Starting in Junos OS Release 13.2X50-D10 for EX Series switches, specify that when a CoA operation includes a change to a client profile dynamic variable that cannot be applied (such as an update to a non-existent filter), the router does not apply any changes to client profile dynamic variables in the request, and responds with a NACK message.
|
ethernet-port-type-virtual | (EX Series, M Series, MX Series only)
Specify the physical port type the router or switch uses to authenticate
clients. The router or switch passes a port type of
Note:
This statement takes precedence over the client-authentication-algorithm option is unavailable in SRX series
devices. Direct access method is used if multiple RADIUS authentication
servers are configured. |
access-loop-id-local | Specify that the Agent-Remote-Id and Agent-Circuit-Id are generated locally when these values are not present in the client database. |
ip-address-change-notify | (MX Series only) Starting in Junos OS Release 13.1, for on-demand address allocation for dual-stack PPP subscribers, specify that the BNG includes the IPv4-Release-Control VSA (26–164) in the Access-Request that is sent during on-demand IP address allocation and in the Interim-Accounting messages that are sent to report an address change. The configuration of this statement has no effect when on-demand IP address allocation or deallocation is not configured. Optionally, configure a message that is included in the VSA when it is sent to the RADIUS server.
|
juniper-access-line-attributes | Configure AAA to add Juniper Networks access line VSAs to the RADIUS authentication and accounting request messages for subscribers. If the router has not received and processed the corresponding ANCP attributes from the access node, then AAA provides only the following in these RADIUS messages:
Note:
Starting in Junos OS Release 19.2R1, the For backward compatibility with existing scripts, the Note:
The
|
nas-identifier | (EX Series, MX Series, SRX Series only) Configure the value for the client RADIUS attribute 32 (NAS-Identifier). This attribute is used for authentication and accounting requests. This statement was introduced in Junos OS Release 15.1X49-D110 for SRX300, SRX320, SRX340, SRX345, and SRX550M Series devices.
|
nas-port-id-delimiter | (MX Series only) Starting in Junos OS Release 11.4, specify the character
that the router uses as a separator between the concatenated values
in the NAS-Port-ID string. The router uses the delimiter when you
configure more than one value in the
|
remote-circuit-id-delimiter | (MX Series only) Starting in Junos OS Release 13.3R1 on MX Series,
configure a delimiter character for the remote circuit ID string when
you use the
|
remote-circuit-id-fallback | (MX Series only) Starting in Junos OS Release 13.3R1 on MX Series,
configure the fallback value for the LAC to send in L2TP Calling Number
AVP 22, either the configured Calling-Station-ID or the default underlying
interface. Use of the fallback value is triggered when the components
of the override string you configured with the
|
remote-circuit-id-format | (MX Series only) Starting in Junos OS Release 13.3R1 on MX Series,
configure the format of the string that overrides the Calling-Station-ID
format in the Calling Number AVP 22 sent by the LAC to the LNS in
the ICRQ packet when an L2TP session is being established. You can
specify the ACI, the ARI, or both the ACI and ARI. This statement
enables you to decouple the AVP 22 value from the RADIUS Calling-Station-ID
attribute (31); the values for AVP 22 and the Calling-Station-ID attribute
are the same when you use the Note:
You must configure the
|
service-activation | (MX Series only) Starting in Junos OS Release 16.2, specify whether subscribers are allowed to log in even when service activation failures related to configuration errors occur during family activation request processing by authd for a newly authenticated subscriber. Configuration errors include missing or incorrect syntax, missing or incomplete references to dynamic profiles, and missing or incomplete variables. Note:
This configuration does not apply to services activated by means of RADIUS CoA requests, JSRC Push-Profile-Request (PPR) messages, or subscriber secure policies. You can enable separate configurations for subscriber login
services for two
|
vlan-nas-port-stacked-format | (MX Series only) Configure RADIUS attribute 5 (NAS-Port) to include the S-VLAN ID, in addition to the VLAN ID, for subscribers on Ethernet interfaces. |
The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.
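The failover sequence described for client-authentication-algorithm, as an added Python model (not Junos code and not taken from the Juniper documentation). The Authenticator class and the server addresses are constructed for illustration, and the rotation used for round-robin is an assumption about that keyword, since the description above only spells out the in-order sequence.

```python
# Added illustration: models RADIUS server selection; not Junos source code.
SERVERS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # constructed addresses


class Authenticator:
    """Hypothetical model of the order in which configured servers are tried."""

    def __init__(self, servers, algorithm="direct"):
        if not servers:
            raise ValueError("at least one RADIUS server must be configured")
        if algorithm not in ("direct", "round-robin"):
            raise ValueError("algorithm must be 'direct' or 'round-robin'")
        self.servers = list(servers)
        self.algorithm = algorithm
        self._start = 0  # rotating start index, used by round-robin only

    def attempt_order(self):
        """Return the order in which servers are tried for one new request."""
        if self.algorithm == "direct":
            return list(self.servers)  # always configuration order
        start = self._start
        self._start = (start + 1) % len(self.servers)  # assumption: rotate
        return self.servers[start:] + self.servers[:start]

    def authenticate(self, responses):
        """responses maps server -> 'accept' / 'reject', or None for a timeout.

        Only a timeout moves the request to the next server; any response,
        including a reject, ends the sequence.
        """
        tried = []
        for server in self.attempt_order():
            tried.append(server)
            verdict = responses.get(server)
            if verdict is not None:
                return verdict, tried
        return "no-response", tried  # every configured server timed out


if __name__ == "__main__":
    primary_down = {"192.0.2.10": None, "192.0.2.11": "accept"}
    for algo in ("direct", "round-robin"):
        auth = Authenticator(SERVERS, algo)
        for _ in range(3):
            print(algo, auth.authenticate(primary_down))
```

In this model, direct with an unresponsive first server makes every login wait out that server's timeout before the second server is tried, which shows up as a constant added authentication delay.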
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 9.1.
juniper-dsl-attributes introduced in Junos OS Release 11.4.
nas-port-id-delimiter introduced in Junos OS Release 11.4. Statement introduced in Junos OS Release 13.2X50-D10 for EX Series switches.
calling-station-id-delimiter introduced in Junos OS Release 13.1.
ip-address-change-notify introduced in Junos OS Release 13.1.
coa-dynamic-variable-validation, client-authentication-algorithm, and client-accounting-algorithm introduced in Junos OS Release 13.2X50-D10 for EX Series switches.
remote-circuit-id-delimiter, remote-circuit-id-fallback, and remote-circuit-id-format introduced in Junos OS Release 13.3R1 on MX Series.
chap-challenge-in-request-authenticator introduced in Junos OS Release 15.1.
nas-identifier introduced in Junos OS Release 15.1X49-D110 for SRX300, SRX320, SRX340, SRX345, and SRX550M Series devices.
service-activation introduced in Junos OS Release 16.2.
juniper-access-line-attributes introduced in Junos OS Release 19.2R1.