Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos OS Broadband Subscriber Sessions User Guide AAA for Subscriber Management RADIUS for Subscriber Management

Broadband Subscriber Sessions User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Broadband Subscriber Sessions User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

RADIUS Logical Line Identification

date_range 06-Dec-23
arrow_backward
arrow_forward

RADIUS Logical Line Identifier (LLID) Overview

The logical line identification (LLID) feature helps service providers maintain a reliable and up-to-date customer database for those subscribers who frequently move from one physical line to another. The LLID is designed to provide the service provider with a configurable calling station ID for the subscriber access line. A calling station ID is derived from the physical line location and the subscriber client’s information. The line information derived from the facility of the service provider is not friendly for the access line wholesaler to manage access line ownership when subscribers frequently move physical locations. The LLID feature is based on a virtual port — the LLID — rather than the physical line used by the subscriber. The LLID provides AAA driven line information management with a service provider (usually a wholesaler).

The LLID is an alphanumeric string that is based on the subscriber user name and circuit ID. The LLID logically identifies the subscriber line, and is mapped to the subscriber’s physical line in the service provider customer database. When the subscriber moves to a different location and different physical line, the database is updated to map the LLID to the new physical line. Because the subscriber’s LLID remains constant, it provides service providers with a secure and reliable means for tracking subscribers and maintaining an accurate customer database. Subscriber management supports the LLID feature for PPP subscribers over PPPoE, PPPoA, and LAC.

To assign an LLID to a subscriber, the router issues two RADIUS access requests. The first request is a preauthentication request, which obtains the LLID from a RADIUS preauthentication server. The second request is the standard authentication request sent to the RADIUS authentication server.

The following sequence of steps describes how subscriber management obtains and uses the LLID. The procedure assumes that preauthentication is enabled on the router and that the RADIUS preauthentication and authentication servers are configured.

  1. The PPP subscriber sends an Authentication-Request message to the router.

  2. The router sends an Access-Request message to the RADIUS preauthentication server to obtain an LLID for the subscriber.

  3. The preauthentication server returns the LLID to the router in the Calling-Station-Id attribute (RADIUS attribute 31) in the Access-Accept message.

    Note:

    This step includes a non-standard use of the Calling-Station-Id attribute. This attribute is typically present in RADIUS request messages, such as an Access-Request, not in response messages. Also, the router ignores all RADIUS attributes, other than the Calling-Station-Id, that are returned in the preauthentication Access-Accept message. In addition, any radius options that are configured on the router, such as calling-station-id-format, have no effect on the Calling-Station-Id attribute in the preauthentication request.

  4. The router encodes the Calling-Station-Id (the LLID) in a second Access-Request message and sends the message to the RADIUS authentication server. This authentication request is the standard use of the Calling-Station-Id attribute.

  5. The RADIUS authentication server returns an Access-Accept message to the router. The Access-Accept message includes attributes for the subscriber session.

    Note:

    Once the preauthenticated subscriber has been successfully authenticated by the RADIUS authentication server, all subsequent RADIUS request messages, such as Accounting-Request messages, will include the LLID in the Calling-Station-Id attribute.

Note:

For tunneled PPP subscribers, the router, acting as an L2TP access concentrator (LAC), encodes the LLID into Calling Number AVP (L2TP attribute 22) and sends the attribute to the L2TP network server (LNS) in an Incoming-Call-Request (ICRQ) packet. After a successful preauthentication request, the router always encodes the LLID in the L2TP Calling Number AVP.

RADIUS Attributes for LLID Preauthentication Requests

Table 1 lists the RADIUS IETF attributes used in a preauthentication request to obtain a subscriber’s LLID, and describes the information that is included in the attributes. In some cases, preauthentication uses an attribute for information that is different than the IETF description—the table indicates any non-standard use of RADIUS attributes.

Table 1: RADIUS Attributes for LLID Preauthentication Requests

Attribute Number

Attribute Name

Description

1

User-Name

(Non-standard use of attribute.) Identifying information for the user associated with the LLID, in the following format.

nas-port:nas-ip-address:nas-port-id

Example: nas-port:198.51.100.117:ge-1/0/5:100

Note:

The router strips any dynamically generated information from the User-Name attribute during preauthentication.

2

User-Password

(Non-standard use of attribute.) Password of the user to be authenticated.

Example: Always set to juniper

4

NAS-IP-Address

IP address of the network access server (NAS) that is requesting authentication of the user

Example: 198.51.100.117

5

NAS-Port

Physical port number of the NAS that is authenticating the user. Always interpreted as a bit field

6

Service-Type

Type of service the user requested or the type of service to be provided.

Example: gold-service

61

NAS-Port-Type

Type of physical port the NAS is using to authenticate the user. You can use the ethernet-port-type-virtual statement to configure this to virtual (type 5).

77

Connect-Info

(Non-standard use of attribute.) The user name.

Example: jdoe@xyzcorp.example.com

87

NAS-Port-Id

Text string that identifies the physical interface of the NAS that is authenticating the user. Includes any dynamically generated information.

Example: ge 1/0/5:100

Configuring Logical Line Identification (LLID) Preauthentication

The logical line identification (LLID) feature enables service providers to track subscribers on the basis of a virtual port — the LLID — rather than by the physical port used by the subscriber. The LLID is assigned by a RADIUS preauthentication server, which you configure in an access profile.

To configure the router to support preauthentication for the LLID feature:

Note:

You cannot configure the preauthentication statements in this procedure if you have configured the radius attributes exclude statement to exclude the Calling-Station-ID attribute from RADIUS Access-Request messages.

  1. Specify the access profile you want to use for the subscriber preauthentication support.

    content_copy zoom_out_map
    [edit]
user@host# edit access profile profile-name

  2. Specify the order in which the router uses the supported preauthentication methods. radius is the only supported authentication method.

    content_copy zoom_out_map
    [edit access profile profile-name]
user@host# set preauthentication-order radius

  3. Specify that you want to configure RADIUS support.

    content_copy zoom_out_map
    [edit access profile profile-name]
user@host# edit radius

  4. Specify the IP address of the RADIUS server used for preauthentication.

    content_copy zoom_out_map
    [edit access profile profile-name radius]
user@host# set preauthentication-server 192.168.100.10
    Note:

    The preauthentication feature uses the retry and timeout parameters that are configured for the RADIUS authentication server.

  5. (Optional) Display AAA preauthentication statistics.

    content_copy zoom_out_map
    user@host> show network-access aaa statistics preauthentication
Preauthentication module statistics
  Requests received: 2118
  Multistack requests: 0
  Accepts: 261
  Rejects: 975
  Challenges: 0
  Requests timed out: 882

  6. (Optional) Verify configuration of the RADIUS preauthentication server.

    content_copy zoom_out_map
    user@host1> show radius pre-authentication servers


               RADIUS Pre-Authentication Configuration
               ---------------------------------------
                Udp    Retry             Maximum    Dead
 IP Address     Port   Count   Timeout   Sessions   Time   Secret
-------------   ----   -----   -------   --------   ----   ------
203.0.113.168   1812   3       3         255        0      radius

Configuring a Port and Password for LLID Preauthentication Requests

You can configure a router that operates as the RADIUS client to contact a RADIUS server for authentication and preauthentication requests on two different UDP ports and using different secret passwords. Similar to configuring the port numbers for authentication and accounting requests, you can define a unique port number that the router uses to contact the RADIUS server for logical line identification (LLID) preauthentication requests. You can also define a unique password for preauthentication requests. If you do not configure a separate UDP port or secret for preauthentication purposes, the same UDP port and secret that you configure for authentication messages is used.

To configure a unique UDP port number to be used to contact the RADIUS server for preauthentication requests, include the preauthentication-port port-number statement at the [edit access radius-server server-address] or [edit access profile profile-name radius-server server-address] hierarchy level.

  • To specify the UDP port for all of the access profiles:

    content_copy zoom_out_map
    [edit access]
radius-server server-address {
    preauthentication-port port-number;
}

  • To specify the UDP port for a specific access profile:

    content_copy zoom_out_map
    [edit access]
profile profile-name {
    radius-server server-address {
        preauthentication-port port-number;
    }
}

To configure the password to be used to contact the RADIUS preauthentication server, include the preauthentication-secret password statement at the [edit access radius-server server-address] or [edit access profile profile-name radius-server server-address] hierarchy level.

  • To specify the password for all of the access profiles:

    content_copy zoom_out_map
    [edit access]
radius-server server-address {
    preauthentication-secret password;
}

  • To specify the password for a specific access profile:

    content_copy zoom_out_map
    [edit access]
profile profile-name {
    radius-server server-address {
        preauthentication-secret password;
    }
}

Verifying and Managing LLID Preauthentication Configuration

Purpose

Display statistics and configuration information related to logical line identification (LLID) preauthenticaion.

Action

  • To display LLID preauthentication statistics:

    content_copy zoom_out_map
    user@host> show network-access aaa statistics preauthentication

  • To display information about preauthentication servers:

    content_copy zoom_out_map
    user@host> show network-access aaa radius-servers
arrow_backward PREVIOUS RADIUS NAS Port Attributes and Options
NEXT arrow_forward RADIUS Authentication and Accounting Basic Configuration
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top