Configuring Snooping of RADIUS Accounting Requests for IP-Based Subscribers
If a gateway GPRS support node (GGSN), Packet Data Network Gateway (PGW), or broadband network gateway (BNG) does not treat the MX Series router as a RADIUS server, Junos OS must actively snoop RADIUS accounting requests from that gateway to set up TDF subscriber sessions. Snooping uses a filter called a snoop segment to identify the requests to send to the subscriber management module.
To configure snooping of RADIUS accounting requests:
1. Configure a name for the snoop segment.
   [edit access radius]
   user@host# set snoop-segments snoop-segment-name
   For example:
   [edit access radius]
   user@host# set snoop-segments 123
2. Specify the destination IP address of accounting requests to snoop.
   [edit access radius snoop-segments snoop-segment-name]
   user@host# set destination-ip-address destination-address
   For example:
   [edit access radius snoop-segments 123]
   user@host# set destination-ip-address 10.102.30.102
3. (Optional) Specify the destination port of accounting requests to snoop.
   [edit access radius snoop-segments snoop-segment-name]
   user@host# set destination-port destination-port
   For example:
   [edit access radius snoop-segments 123]
   user@host# set destination-port 52000
   If this statement is not included, the destination port is set to 1813.
4. (Optional) Specify the source IP address of accounting requests from a GGSN, PGW, or BNG to snoop.
   [edit access radius snoop-segments snoop-segment-name]
   user@host# set source-ip-address source-address
   For example:
   [edit access radius snoop-segments 123]
   user@host# set source-ip-address 10.11.11.11
   If the source IP address is not included, snooping of accounting requests is not restricted by their source.
5. Specify the MX Series router interface on which the accounting requests to be snooped are received.
   [edit access radius snoop-segments snoop-segment-name]
   user@host# set source-interface source-interface
   For example:
   [edit access radius snoop-segments 123]
   user@host# set source-interface ge-0/0/0.0
   If the source interface is not included, snooping of accounting requests is not restricted by the interface that receives the request.
6. Specify the shared secret for the MX Series router and the accounting request sender.
   [edit access radius snoop-segments snoop-segment-name]
   user@host# set shared-secret secret
   For example:
   [edit access radius snoop-segments 123]
   user@host# set shared-secret juniper
   If the shared secrets do not match, the subscriber session is not set up.
7. (Optional) Configure the number of seconds to cache the accounting request that was snooped. If the same request is received by the MX Series router within this time, it is considered a duplicate request and is dropped.
   [edit access radius snoop-segments snoop-segment-name]
   user@host# set request-cache-timeout timeout
   For example:
   [edit access radius snoop-segments 123]
   user@host# set request-cache-timeout 4
8. Repeat Steps 1 through 7 to configure additional snoop segments.
9. Assign one or more snoop segments to the TDF gateway.
   [edit unified-edge gateways tdf gateway-name aaa]
   user@host# set snoop-segments [snoop-segment-name]
   For example, the following configures gateway1 to snoop accounting requests destined for the RADIUS server 10.102.30.102 on port 52000 that originate from IP address 10.11.11.11 and are received on interface ge-0/0/0.0:
   [edit unified-edge gateways tdf gateway1 aaa]
   user@host# set snoop-segments 123
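The Python below is an added illustration, not Juniper code and not a description of how Junos OS implements snooping. It models the decisions the procedure configures for segment 123: the destination and source match, the shared-secret check (done here as the RFC 2866 Accounting-Request authenticator), and the duplicate drop within request-cache-timeout. The names SEGMENT, SAMPLE_ATTRS and Snooper are hypothetical, the duplicate key (source IP, identifier, authenticator) is an assumption, and the source-interface match is not modelled.

```python
import hashlib
import hmac
import struct

# Constructed values mirroring the page's example snoop segment 123.
SEGMENT = {"dst_ip": "10.102.30.102", "dst_port": 52000,
           "src_ip": "10.11.11.11", "secret": b"juniper", "cache_timeout": 4}
SAMPLE_ATTRS = bytes([40, 6, 0, 0, 0, 1])  # constructed: Acct-Status-Type = Start

def build_acct_request(ident, attrs, secret):
    """Build an Accounting-Request (code 4) as a GGSN/PGW/BNG would send it."""
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def authenticator_ok(packet, secret):
    """RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length < 20 or length > len(packet):
        return False
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

class Snooper:
    def __init__(self, segment):
        self.seg = segment
        self.cache = {}  # assumed key: (src_ip, identifier, authenticator)

    def handle(self, src_ip, dst_ip, dst_port, packet, now):
        s = self.seg
        # Destination port defaults to 1813 when the segment does not set one.
        if (dst_ip, dst_port) != (s["dst_ip"], s.get("dst_port", 1813)):
            return "ignored"
        # Without a source address, snooping is not restricted by source.
        if s.get("src_ip") and src_ip != s["src_ip"]:
            return "ignored"
        # A secret mismatch means no subscriber session is set up.
        if not authenticator_ok(packet, s["secret"]):
            return "rejected"
        key = (src_ip, packet[1], packet[4:20])
        seen = self.cache.get(key)
        if seen is not None and now - seen < s["cache_timeout"]:
            return "duplicate"
        self.cache[key] = now
        return "accepted"
```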