RADIUS Authentication for L2TP
Configure RADIUS Authentication for L2TP
The L2TP network server (LNS) sends RADIUS authentication requests or accounting requests. Authentication requests are sent to the authentication server port. Accounting requests are sent to the accounting port. To configure RADIUS authentication for L2TP on an M10i or M7i router, include the following statements at the [edit access] hierarchy level:
[edit access]
radius-server server-address {
    accounting-port port-number;
    port port-number;
    retry attempts;
    routing-instance routing-instance-name;
    secret password;
    source-address source-address;
    timeout seconds;
}
The RADIUS servers at the [edit access] hierarchy level are not used by the network access server process (NASD).
You can specify an accounting port number on which to contact the accounting server (in the accounting-port statement). Most RADIUS servers use port number 1813 (as specified in RFC 2866, RADIUS Accounting).
If you enable RADIUS accounting at the [edit access profile profile-name accounting-order] hierarchy level, accounting is triggered on the default port of 1813 even if you do not specify a value for the accounting-port statement.
server-address specifies the address of the RADIUS authentication server (in the radius-server statement).
You can specify a port number on which to contact the RADIUS authentication server (in the port statement). Most RADIUS servers use port number 1812 (as specified in RFC 2865, Remote Authentication Dial In User Service [RADIUS]).
You must specify a password in the secret statement. If a password includes spaces, enclose the password in quotation marks. The secret used by the local router must match that used by the RADIUS authentication server.
Optionally, you can specify the amount of time that the local router waits to receive a response from a RADIUS server (in the timeout statement) and the number of times that the router attempts to contact a RADIUS authentication server (in the retry statement). By default, the router waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds. By default, the router retries connecting to the server three times. You can configure this to be a value in the range from 1 through 30 times. If the maximum number of retries is reached, the RADIUS server is considered dead for 5 minutes (300 seconds).
In the source-address statement, specify a source address for each configured RADIUS server. Each RADIUS request sent to a RADIUS server uses the specified source address. The source address is a valid IPv4 address configured on one of the router interfaces.
To configure multiple RADIUS servers, include multiple radius-server statements.
When the L2TP network server (LNS) is configured with RADIUS authentication, the default behavior is to accept the preferred RADIUS-assigned IP address. Previously, the default behavior was to accept and install the nonzero peer IP address received by the Internet Protocol Control Protocol (IPCP) configuration request packet.
Configure RADIUS Authentication for an L2TP Client and Profile
On an M10i or M7i router, L2TP supports RADIUS authentication and accounting for users with one set of RADIUS servers under the [edit access] hierarchy. You can also configure RADIUS authentication for each tunnel client or user profile.
To configure RADIUS authentication for L2TP tunnel clients on an M10i or M7i router, include the ppp-profile statement with the l2tp attributes for tunnel clients:
[edit access profile profile-name client client-name l2tp]
ppp-profile profile-name;
ppp-profile profile-name specifies the profile used to validate PPP session requests through L2TP tunnels. Clients of the referenced profile must have only PPP attributes. The referenced group profile must be defined.
To configure RADIUS authentication for a profile, include the following statements at the [edit access profile profile-name] hierarchy level:
[edit access profile profile-name]
radius-server server-address {
    accounting-port port-number;
    port port-number;
    retry attempts;
    routing-instance routing-instance-name;
    secret password;
    source-address source-address;
    timeout seconds;
}
When a PPP user initiates a session and RADIUS authentication is configured for the user profile on the tunnel group, the following priority sequence is used to determine which RADIUS server is used for authentication and accounting:
- If the ppp-profile statement is configured under the tunnel client (LAC), the RADIUS servers configured under the specified ppp-profile are used.
- If RADIUS servers are configured under the user profile for the tunnel group, those servers are used.
- If no RADIUS server is configured for the tunnel client (LAC) or user profile, then the RADIUS servers configured at the [edit access] hierarchy level are used.
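The precedence above is easy to get wrong when a tunnel client references one profile while its own profile also declares servers. The following Python is an added example, not Junos OS or Juniper code: it parses a small constructed configuration in Junos brace syntax into nested dicts and then resolves, for a given profile and tunnel client, which radius-server list applies. The sample configuration, the profile and client names, and the addresses are constructed; the one assumption beyond the page is that a level that declares no servers falls through to the next level.

```python
import re

# Constructed sample configuration (not captured from a device). Statement shapes follow
# the [edit access] syntax documented above. LAC_A references profile u via ppp-profile;
# LAC_B has no reference and profile t declares no RADIUS servers of its own.
SAMPLE_CONFIG = """
access {
    profile t {
        client LAC_A {
            l2tp {
                ppp-profile u;
            }
        }
        client LAC_B {
            chap-secret "$ABC123"; # SECRET-DATA
        }
    }
    profile u {
        radius-server 198.51.100.5 {
            port 3333;
            secret $ABC123;
            retry 3;
            timeout 3;
        }
        radius-server 198.51.100.6 secret $ABC123;
    }
    radius-server 198.51.100.213 {
        port 1812;
        accounting-port 1813;
        secret "$ABC123"; # SECRET-DATA
    }
}
"""

# One token per match: a quoted string, a brace or ';', a '# ...' comment, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|#[^\n]*|[^\s{};"#]+')


def tokenize(text):
    """Split Junos brace syntax into tokens, dropping comments such as '# SECRET-DATA'."""
    return [tok for tok in TOKEN_RE.findall(text) if not tok.startswith("#")]


def parse(tokens, pos=0):
    """Recursive-descent parse: 'a b c;' -> key 'a b c': None; 'a b { ... }' -> key 'a b': dict."""
    tree, words = {}, []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            child, pos = parse(tokens, pos)
            tree[" ".join(words)], words = child, []
        elif tok == ";":
            tree[" ".join(words)], words = None, []
        elif tok == "}":
            break
        else:
            words.append(tok)
    if words:
        raise ValueError(f"unterminated statement: {' '.join(words)}")
    return tree, pos


def parse_config(text):
    return parse(tokenize(text))[0]


def radius_servers(node):
    """Addresses declared directly under `node`, accepting both forms Junos prints:
    'radius-server ADDR { ... }' / 'radius-server ADDR secret X;' and the container
    form 'radius-server { ADDR { ... } ADDR secret X; }'."""
    servers = []
    for key, value in node.items():
        words = key.split()
        if words[0] != "radius-server":
            continue
        if len(words) > 1:
            servers.append(words[1])
        elif isinstance(value, dict):
            servers.extend(child.split()[0] for child in value)
    return servers


def select_servers(access, profile_name, client_name):
    """Apply the three-level precedence for a PPP user arriving through tunnel client
    `client_name` of profile `profile_name`. Returns (where the servers came from, [servers]).
    Assumption: a level that yields no servers falls through to the next one."""
    profile = access.get(f"profile {profile_name}") or {}
    client = profile.get(f"client {client_name}") or {}
    l2tp = client.get("l2tp") or {}
    for key in l2tp:
        words = key.split()
        if words[0] == "ppp-profile" and len(words) == 2:
            servers = radius_servers(access.get(f"profile {words[1]}") or {})
            if servers:
                return f"ppp-profile {words[1]}", servers
    servers = radius_servers(profile)
    if servers:
        return f"profile {profile_name}", servers
    return "[edit access]", radius_servers(access)


ACCESS = parse_config(SAMPLE_CONFIG)["access"]

if __name__ == "__main__":
    for prof, cli in (("t", "LAC_A"), ("t", "LAC_B"), ("u", "client_1")):
        print(prof, cli, "->", select_servers(ACCESS, prof, cli))
```

Running it shows LAC_A authenticating against the servers of profile u, while LAC_B, whose profile declares none, falls back to the [edit access] server; auditing a device this way catches tunnel clients that silently use the global servers rather than the ones an operator intended.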
RADIUS Local Loopback Interface Attribute for L2TP
You can configure the Local-Loopback-Interface attribute on a RADIUS server to manage multiple LAC devices. This attribute is used as the LAC source address on an LNS tunnel for PPPoE subscribers tunneled over L2TP.
When you use the Tunnel-Client-Endpoint attribute as the LAC source address, you must configure the Tunnel-Client-Endpoint attribute for each MX Series router that uses the same RADIUS server. Starting with this release you can use the Local-Loopback-Interface attribute, which needs to be configured only once. When the LAC initiates an Access-Request message to RADIUS for authentication, RADIUS returns the Local-Loopback-Interface attribute in the Access-Accept message. This attribute contains the name of the loopback interface, either as a generic interface name such as “lo0” or as a specific name like “lo0.0”. The MX Series router then uses the configured loopback interface IP address as the source address during tunnel negotiation with the LNS.
An MX Series router can act as the LAC and use any interface address on it as an L2TP tunnel source address. The source address can be dynamically assigned by RADIUS through the Tunnel-Client-Endpoint or Local-Loopback-Interface attribute. The tunnel source address can be statically configured on the MX Series router by using the L2TP tunnel profile. If RADIUS does not return the Tunnel-Client-Endpoint or Local-Loopback-Interface attribute, and if there is no corresponding L2TP tunnel profile configured on the MX Series router, then the L2TP tunnel fails to initiate because the router does not have a proper tunnel source address. In this case, the router can use the locally configured loopback address as the source address to successfully establish the L2TP tunnel.
Example: Configure RADIUS Authentication for L2TP
Configuration
CLI Quick Configuration
The following example shows how to configure RADIUS authentication for L2TP:
[edit access]
profile example_bldg {
    client client_1 {
        chap-secret "$ABC123";
        ppp {
            interface-id west;
        }
        group-profile example_users;
    }
    client client_2 {
        chap-secret "$ABC123";
        group-profile example_users;
    }
    authentication-order radius;
}
radius-server {
    198.51.100.213 {
        port 1812;
        accounting-port 1813;
        secret "$ABC123"; # SECRET-DATA
    }
    198.51.100.223 {
        port 1812;
        accounting-port 1813;
        secret "$ABC123"; # SECRET-DATA
    }
}
radius-disconnect-port 2500;
radius-disconnect {
    198.51.100.152 secret "$ABC123"; # SECRET-DATA
    198.51.100.153 secret "$ABC123"; # SECRET-DATA
    198.51.100.157 secret "$ABC123"; # SECRET-DATA
    198.51.100.173 secret "$ABC123"; # SECRET-DATA
}
Example: Configure RADIUS Authentication for an L2TP Profile
Configuration
CLI Quick Configuration
[edit access]
profile t {
    client LAC_A {
        l2tp {
            ppp-profile u;
        }
    }
}
profile u {
    client client_1 {
        ppp {
        }
    }
    198.51.100.5 {
        port 3333;
        secret $ABC123;
        source-address 198.51.100.1;
        retry 3;
        timeout 3;
    }
    198.51.100.6 secret $ABC123;
    198.51.100.7 secret $ABC123;
}
Configure the RADIUS Disconnect Server for L2TP
To configure the RADIUS disconnect server to listen for disconnect requests from an administrator and process them, include the following statements at the [edit access] hierarchy level:
[edit access]
radius-disconnect-port port-number;
radius-disconnect {
    client-address {
        secret password;
    }
}
port-number is the server port to which the RADIUS client sends disconnect requests. The L2TP network server, which accepts these disconnect requests, is the server. You can specify a port number on which to contact the RADIUS disconnect server. Most RADIUS servers use port number 1700.
Junos OS accepts only disconnect requests from the client address configured at the [edit access radius-disconnect client-address] hierarchy level.
client-address is the host sending disconnect requests to the RADIUS server. The client address is a valid IP address configured on one of the router or switch interfaces.
password authenticates the RADIUS client. Passwords can contain spaces. The secret used by the local router must match that used by the server.
For information about how to configure RADIUS authentication for L2TP, see Configuring RADIUS Authentication for L2TP.
The following example shows the statements to be included at the [edit access] hierarchy level to configure the RADIUS disconnect server:
[edit access]
radius-disconnect-port 1700;
radius-disconnect {
    198.51.100.153 secret "$ABC123"; # SECRET-DATA
    198.51.100.162 secret "$ABC123"; # SECRET-DATA
}
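Two rules on this page come down to the same mechanism: the secret in the radius-server statement must match the server's, and a disconnect request is acted on only when it arrives from a client address configured under radius-disconnect and authenticates with that client's secret. Both are enforced by RADIUS authenticators, an MD5 over the packet and the shared secret. The following Python is an added example, not Junos OS or Juniper code: it builds an Access-Request and Access-Accept per RFC 2865 and verifies the Response Authenticator, then builds a Disconnect-Request per RFC 5176 (code 40) and applies the radius-disconnect acceptance rule. The secret, user name, session ID, addresses, and the fixed Request Authenticator are constructed placeholders; a real NAS uses an unpredictable Request Authenticator.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                   # RFC 2865 packet codes
DISCONNECT_REQUEST = 40                                # RFC 5176 packet code
USER_NAME, FRAMED_IP_ADDRESS, ACCT_SESSION_ID = 1, 8, 44   # attribute types (see Tables 2 and 3)


def attribute(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code, identifier, authenticator, attrs):
    """Assemble Code, Identifier, Length, 16-octet Authenticator, Attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(head + request_authenticator + attrs + secret).digest()


def verify_response(response, request_authenticator, secret):
    """True only if the reply is well-formed and was produced with our shared secret."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, response[4:20])


def disconnect_request(identifier, attrs, secret):
    """Build a Disconnect-Request. RFC 5176 section 2.3: its Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    head = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + authenticator + attrs


def accept_disconnect(datagram, source_ip, disconnect_clients):
    """Mirror the [edit access radius-disconnect] rule: act on a Disconnect-Request only if
    it arrives from a configured client address and its authenticator verifies under that
    client's secret. `disconnect_clients` maps client-address -> secret. Returns (ok, reason)."""
    secret = disconnect_clients.get(source_ip)
    if secret is None:
        return False, "source address not configured under radius-disconnect"
    if len(datagram) < 20:
        return False, "short packet"
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if code != DISCONNECT_REQUEST or length != len(datagram):
        return False, "not a well-formed Disconnect-Request"
    expected = disconnect_request(identifier, datagram[20:], secret)[4:20]
    if not hmac.compare_digest(expected, datagram[4:20]):
        return False, "authenticator mismatch: shared secret differs"
    return True, "accepted"


def demo():
    """Constructed exchange; every value is illustrative, not captured traffic."""
    secret = b"$ABC123"                     # placeholder secret as in the page's examples
    req_auth = bytes(range(16))             # constructed; a real NAS uses an unpredictable value
    access_request = packet(ACCESS_REQUEST, 7, req_auth, attribute(USER_NAME, b"alice@example.net"))

    # The server answers with Framed-IP-Address and signs with the same secret.
    accept_attrs = attribute(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("198.51.100.77").packed)
    auth = response_authenticator(ACCESS_ACCEPT, 7, accept_attrs, req_auth, secret)
    access_accept = packet(ACCESS_ACCEPT, 7, auth, accept_attrs)

    # Disconnect clients as configured under radius-disconnect in the example above.
    clients = {"198.51.100.153": secret, "198.51.100.162": secret}
    session = attribute(ACCT_SESSION_ID, b"00000042")
    good_dm = disconnect_request(9, session, secret)
    mismatched_dm = disconnect_request(9, session, b"some-other-secret")

    return {
        "accept_verifies": verify_response(access_accept, req_auth, secret),
        "accept_wrong_secret": verify_response(access_accept, req_auth, b"other"),
        "dm_from_configured_client": accept_disconnect(good_dm, "198.51.100.153", clients),
        "dm_from_unknown_host": accept_disconnect(good_dm, "198.51.100.99", clients),
        "dm_wrong_secret": accept_disconnect(mismatched_dm, "198.51.100.162", clients),
        "request_length": len(access_request),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The source-address check runs before any cryptographic work, which is why the configured client-address list matters even though the secret is what actually authenticates the request; an unlisted host is dropped without touching the secret at all.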
Configure RADIUS Accounting Order for L2TP
You can configure RADIUS accounting for an L2TP profile. With RADIUS accounting enabled, Juniper devices can act as RADIUS clients. They can notify the RADIUS server about user activities such as software logins, configuration changes, and interactive commands. The framework for RADIUS accounting is described in RFC 2866.
To configure RADIUS accounting, include the accounting-order statement at the [edit access profile profile-name] hierarchy level:
[edit access profile profile-name]
accounting-order radius;
When you enable RADIUS accounting for an L2TP profile, it applies to all the clients within that profile. You must enable RADIUS accounting on at least one L2TP profile for the RADIUS authentication server to send accounting stop and start messages.
When you enable RADIUS accounting for an L2TP profile, you do not need to configure the accounting-port statement at the [edit access radius-server server-address] hierarchy level. When you enable RADIUS accounting for an L2TP profile, accounting is triggered on the default port of 1813.
For L2TP, RADIUS authentication servers are configured at the [edit access radius-server] hierarchy level.
Example: Configure RADIUS-Based Subscriber Authentication and Accounting
Configuration
CLI Quick Configuration
[edit access]
radius-server {
    198.51.100.250 {
        port 1812;
        accounting-port 1813;
        accounting-retry 6;
        accounting-timeout 20;
        retry 3;
        secret $ABC123$ABC123;
        source-address 198.51.100.100;
        timeout 45;
    }
    198.51.100.251 {
        port 1812;
        accounting-port 1813;
        accounting-retry 6;
        accounting-timeout 20;
        retry 3;
        secret $ABC123;
        source-address 198.51.100.100;
        timeout 30;
    }
    2001:DB8:0f101::2 {
        port 1812;
        accounting-port 1813;
        accounting-retry 6;
        accounting-timeout 20;
        retry 4;
        secret $ABC123$ABC123$ABC123-;
        source-address 2001:DB8:0f101::1;
        timeout 20;
    }
}
profile isp-bos-metro-fiber-basic {
    authentication-order radius;
    accounting {
        order radius;
        accounting-stop-on-access-deny;
        accounting-stop-on-failure;
        immediate-update;
        statistics time;
        update-interval 12;
        wait-for-acct-on-ack;
        send-acct-status-on-config-change;
    }
    radius {
        authentication-server 198.51.100.251 198.51.100.252;
        accounting-server 198.51.100.250 198.51.100.251;
        options {
            accounting-session-id-format decimal;
            client-accounting-algorithm round-robin;
            client-authentication-algorithm round-robin;
            nas-identifier 56;
            nas-port-id-delimiter %;
            nas-port-id-format {
                nas-identifier;
                interface-description;
            }
            nas-port-type {
                ethernet {
                    wireless-80211;
                }
            }
        }
        attributes {
            ignore {
                framed-ip-netmask;
            }
            exclude {
                accounting-delay-time [accounting-start accounting-stop];
                accounting-session-id [access-request accounting-on accounting-off accounting-start accounting-stop];
                dhcp-gi-address [access-request accounting-start accounting-stop];
                dhcp-mac-address [access-request accounting-start accounting-stop];
                nas-identifier [access-request accounting-start accounting-stop];
                nas-port [accounting-start accounting-stop];
                nas-port-id [accounting-start accounting-stop];
                nas-port-type [access-request accounting-start accounting-stop];
            }
        }
    }
}
[edit logical-systems isp-bos-metro-12 routing-instances isp-cmbrg-12-32]
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 198.51.100.100/24;
            }
        }
    }
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 200;
            family inet {
                unnumbered-address lo0.0;
            }
        }
    }
}
RADIUS Attributes for L2TP
Junos OS supports the following types of RADIUS attributes for L2TP:
- Juniper Networks vendor-specific attributes (VSAs)
- Attribute-value pairs (AVPs) defined by the Internet Engineering Task Force (IETF)
- RADIUS accounting stop and start AVPs
Juniper Networks vendor-specific RADIUS attributes are described in RFC 2865, Remote Authentication Dial In User Service (RADIUS). These attributes are encapsulated with the vendor ID set to the Juniper Networks ID number 2636. Table 1 lists the Juniper Networks VSAs you can configure for L2TP.
| Attribute Name | Standard Number | Value |
|---|---|---|
| Juniper-Primary-DNS | 31 | IP address |
| Juniper-Primary-WINS | 32 | IP address |
| Juniper-Secondary-DNS | 33 | IP address |
| Juniper-Secondary-WINS | 34 | IP address |
| Juniper-Interface-ID | 35 | String |
| Juniper-IP-Pool-Name | 36 | String |
| Juniper-Keep-Alive | 37 | Integer |
Table 2 lists the IETF RADIUS AVPs supported for L2TP.
| Attribute Name | Standard Number | Value |
|---|---|---|
| User-Name | 1 | String |
| User-Password | 2 | String |
| CHAP-Password | 3 | String |
| NAS-IP-Address | 4 | IP address |
| NAS-Port | 5 | Integer |
| Service-Type | 6 | Integer |
| Framed-Protocol | 7 | Integer |
| Framed-IP-Address | 8 | IP address |
| Framed-IP-Netmask | 9 | IP address |
| Framed-MTU | 12 | Integer |
| Framed-Route | 22 | String |
| Session-Timeout | 27 | Integer |
| Idle-Timeout | 28 | Integer |
| Called-Station-ID | 30 | String |
| Calling-Station-ID | 31 | String |
| CHAP-Challenge | 60 | String |
| NAS-Port-Type | 61 | Integer |
| Framed-Pool | 88 | Integer |
Table 3 lists the supported RADIUS accounting start AVPs for L2TP.
| Attribute Name | Standard Number | Value |
|---|---|---|
| User-Name | 1 | String |
| NAS-IP-Address | 4 | IP address |
| NAS-Port | 5 | Integer |
| Service-Type | 6 | Integer |
| Framed-Protocol | 7 | Integer |
| Framed-IP-Address | 8 | IP address |
| Called-Station-ID | 30 | String |
| Calling-Station-ID | 31 | String |
| Acct-Status-Type | 40 | Integer |
| Acct-Delay-Time | 41 | Integer |
| Acct-Session-ID | 44 | String |
| Acct-Authentic | 45 | Integer |
| NAS-Port-Type | 61 | Integer |
| Tunnel-Client-Endpoint | 66 | String |
| Tunnel-Server-Endpoint | 67 | String |
| Acct-Tunnel-Connection | 68 | String |
| Tunnel-Client-Auth-ID | 90 | String |
| Tunnel-Server-Auth-ID | 91 | String |
Table 4 lists the supported RADIUS accounting stop AVPs for L2TP.
| Attribute Name | Standard Number | Value |
|---|---|---|
| User-Name | 1 | String |
| Local-Loopback-Interface | 3 | String |
| NAS-IP-Address | 4 | IP address |
| NAS-Port | 5 | Integer |
| Service-Type | 6 | Integer |
| Framed-Protocol | 7 | Integer |
| Framed-IP-Address | 8 | IP address |
| Called-Station-ID | 30 | String |
| Calling-Station-ID | 31 | String |
| Acct-Status-Type | 40 | Integer |
| Acct-Delay-Time | 41 | Integer |
| Acct-Input-Octets | 42 | Integer |
| Acct-Output-Octets | 43 | Integer |
| Acct-Session-ID | 44 | String |
| Acct-Authentic | 45 | Integer |
| Acct-Session-Time | 46 | Integer |
| Acct-Input-Packets | 47 | Integer |
| Acct-Output-Packets | 48 | Integer |
| Acct-Terminate-Cause | 49 | Integer |
| Acct-Multi-Session-ID | 50 | String |
| Acct-Link-Count | 51 | Integer |
| NAS-Port-Type | 61 | Integer |
| Tunnel-Client-Endpoint | 66 | String |
| Tunnel-Server-Endpoint | 67 | String |
| Acct-Tunnel-Connection | 68 | String |
| Tunnel-Client-Auth-ID | 90 | String |
| Tunnel-Server-Auth-ID | 91 | String |