RADIUS Servers and Parameters for Subscriber Access

Configuring parameters and options for RADIUS servers is a major part of your subscriber management configuration. After defining the authentication and accounting servers, you configure options for all RADIUS servers. You also configure access profiles that enable you to specify subscriber access authentication, authorization and accounting configuration parameters for subscribers or groups of subscribers. The profile settings override global settings. Although some options are available at both the global level and the access profile level, many options are available only in access profiles.

After you have created an access profile, you must specify where the profile is used with an access-profile statement; this is known as attaching the profile. Access profiles can be attached at various levels. For example, some of the places where you can attach access profiles are the following:

  • Globally for a routing instance.

  • In dynamic profiles.

  • In a domain map, which maps access options and session parameters for subscriber sessions.

  • On the interfaces for dynamic VLANs and dynamic stacked VLANs.

  • On the interface or in a subscriber group for subscribers with statically configured interfaces for dynamic service provisioning.

  • On DHCP relay agents and DHCP local servers for DHCP clients or subscribers.

Because you can attach access profiles at many levels, the most specific access profile takes precedence over any other profile assignments to avoid conflict. Authentication and accounting do not run unless you attach the profile.

RADIUS Authentication and Accounting Server Definition

When you use RADIUS for subscriber management, you must define one or more external RADIUS servers that the router communicates with for subscriber authentication and accounting. Besides specifying the IPv4 or IPv6 address of the server, you can configure options and attributes that determine how the router interacts with the specified servers.

You can define RADIUS servers and connectivity options at the [edit access radius-server] hierarchy level, at the [edit access profile name radius-server] hierarchy level, or at both levels.

Note:

The AAA process (authd) determines which server definitions to use as follows:

  • When RADIUS server definitions are present only in [edit access radius-server], authd uses those definitions.

  • When RADIUS server definitions are present only in the access profile, authd uses those definitions.

  • When RADIUS server definitions are present in both [edit access radius-server] and in the access profile, authd uses only the access profile definitions.

To use a RADIUS server, you must designate it as an authentication server, an accounting server, or both, in an access profile. You must do so for servers regardless of whether they are defined in an access profile or at the [edit access radius-server] hierarchy level.

To define RADIUS servers and to specify how the router interacts with the server:

Note:

This procedure shows only the [edit access radius-server] hierarchy level. You can optionally configure any of these parameters at the [edit access profile profile-name radius-server] hierarchy level, either in addition to the global setting or instead of it. When you apply a profile, the profile settings override the global configuration.

  1. Specify the IPv4 or IPv6 address of the RADIUS server.
  2. (Optional) Configure the RADIUS server accounting port number.
  3. (Optional) Configure the port number the router uses to contact the RADIUS server.
  4. Configure the required shared secret (password) for the server. The router, which is the RADIUS client, and the RADIUS server must be configured with the same secret; it is the only key that authenticates RADIUS messages between them and protects the User-Password attribute, so use a long random value that is unique to each server. Secrets enclosed in quotation marks can contain spaces.
  5. (Optional) Configure the maximum number of outstanding requests that a RADIUS server can maintain. An outstanding request is a request to which the RADIUS server has not yet responded.
  6. Configure the source address that the router uses for requests to the RADIUS server. Each RADIUS request sent to that server uses the specified source address, which must be a valid IPv4 or IPv6 address configured on one of the router interfaces. RADIUS servers identify a client by its source address, so this address must match the client (NAS) entry defined on the server.
  7. (Optional) Configure retry and timeout values for authentication and accounting messages.
    1. Configure how many times the router attempts to contact a RADIUS server when it has received no response.
    2. Configure how long the router waits to receive a response from a RADIUS server before retrying the contact.
    Note:

    The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.

    Note:

    The retry and timeout settings apply to both authentication and accounting messages unless you configure both the accounting-retry statement and the accounting-timeout statement. In that case, the retry and timeout settings apply only to authentication messages.

  8. (Optional) Configure retry and timeout values for accounting messages separate from the settings for authentication messages.
    Note:

    You must configure both the accounting-retry and the accounting-timeout statements. If you do not, then the value you configure is ignored in favor of the values configured with the retry and timeout statements.

    1. Configure how many times the router attempts to send accounting messages to the RADIUS accounting server when it has received no response.
    2. Configure how long the router waits to receive a response from a RADIUS accounting server before retrying the request.
  9. (Optional) Configure the router to contact the RADIUS server for logical line identification (LLID) preauthentication requests. See RADIUS Logical Line Identification.
  10. (Optional) Configure the port that the router monitors for dynamic (CoA) requests from the specified server. See Dynamic Service Management with RADIUS.
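The following configuration is an added worked example, not a listing from the original page, that puts steps 1 through 10 together in Junos hierarchical format and then designates the server in a profile so that it is actually used. The server address 192.0.2.10, the source address 192.0.2.1 and the profile name retailer01 are placeholders, and both secret values are placeholders to be replaced before commit. The statement names are the ones used at [edit access radius-server] and [edit access profile]; confirm them on your release with the CLI ? help.

```junos
access {
    radius-server {
        /* Step 1: one definition per server address (IPv4 or IPv6); 192.0.2.10 is a placeholder */
        192.0.2.10 {
            /* Steps 2 and 3: accounting and authentication ports (1813 and 1812 are the defaults) */
            accounting-port 1813;
            port 1812;
            /* Step 4: shared secret; placeholder value, replace with a long random string unique to this server */
            secret "REPLACE-WITH-A-LONG-RANDOM-SECRET";
            /* Step 5: cap on requests still awaiting a reply from this server */
            max-outstanding-requests 1000;
            /* Step 6: the address the server must have on file for this NAS; placeholder value */
            source-address 192.0.2.1;
            /* Step 7: authentication retry and timeout; 3 x 5 s = 15 s, well under the 2700 s limit */
            retry 3;
            timeout 5;
            /* Step 8: both accounting statements, otherwise retry/timeout above apply to accounting too */
            accounting-retry 3;
            accounting-timeout 5;
            /* Step 9: LLID preauthentication requests use their own secret; placeholder value */
            preauthentication-secret "REPLACE-WITH-A-DIFFERENT-RANDOM-SECRET";
            /* Step 10: port on which CoA and Disconnect requests from this server are accepted (3799 is the default) */
            dynamic-request-port 3799;
        }
    }
    profile retailer01 {
        /* The server definition above is unused until a profile designates it for authentication, accounting or both */
        authentication-order radius;
        radius {
            authentication-server 192.0.2.10;
            accounting-server 192.0.2.10;
        }
        accounting {
            order radius;
            /* Interim accounting updates every 10 minutes; the global tolerance setting applies to this interval */
            update-interval 10;
        }
    }
}
```

Because authd uses only the profile's own server definitions when the profile contains any, adding a radius-server block inside profile retailer01 would make the global definition above invisible to that profile; keep server definitions at one level per profile to avoid that surprise. On the server side, bind the secret to the source address 192.0.2.1 as well, so that a request carrying this secret from any other address is rejected.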

Configuring Options that Apply to All RADIUS Servers

You can configure RADIUS options that apply to all RADIUS servers globally.

To configure RADIUS options globally:

  1. Specify that you want to configure RADIUS options.
  2. (Optional) Configure the rate at which RADIUS interim update requests are sent to the server.
  3. (Optional) Configure the maximum allowed deviation from the configured update interval that the router sends interim accounting updates to the RADIUS server. The tolerance is relative to the configured update interval.

    For example, if the tolerance is set to 60 seconds, then the router sends interim accounting updates no sooner than 30 seconds earlier than the configured update interval. When a subscriber logs in, the first interim accounting update may be sent up to 30 seconds early (on average 15 seconds early).

    You configure the update interval with the update-interval statement at the [edit access profile profile-name accounting] hierarchy level.

  4. (Optional) Configure the number of requests per second that the router can send to all configured RADIUS servers collectively. Limiting the flow of requests from the router to the RADIUS servers enables you to prevent the RADIUS servers from being flooded with requests.
  5. (Optional) Configure the number of seconds that the router waits after a server has become unreachable before rechecking the connection. If the router reaches the server when the revert interval expires, the server is then used according to the order of the server list.
    Note:

    You can also configure the revert-interval in an access profile to override this global value. See Configuring Access Profile Options for Interactions with RADIUS Servers.

  6. (Optional) Configure the duration of a period during which unresponsive RADIUS authentication servers are not yet considered to be unreachable or down. You can vary the period depending on whether you want to redirect authentication requests more quickly to another server or provide the unresponsive server more time to recover and respond.
  7. (Optional) Configure a NAS-Port value that is unique across all MX series routers in the network. You can configure a NAS-Port value that is unique within the router only, or unique across the different MX routers in the network.

Configuring a Timeout Grace Period to Specify When RADIUS Servers Are Considered Down or Unreachable

When a RADIUS authentication server fails to respond to any of the attempts for a given authentication request and times out, authd notes the time for reference, but it does not immediately mark the server as down (if other servers are available) or unreachable (if it is the only configured server). Instead, a configurable grace period timer starts at the reference time. The grace period is cleared if the server responds to a subsequent request before the period expires.

During the grace period, the server is not marked as down or unreachable. Each time the server times out for subsequent requests to that server, authd checks whether the grace period has expired. When the check determines that the grace period has expired and the server has still not responded to a request, the server is marked as unreachable or down.

Using a short grace period enables you to more quickly abandon an unresponsive server and direct authentication requests to other available servers. A long grace period gives a server more opportunities to respond and may avoid needlessly abandoning a resource. You might specify a longer grace period when you have only one or a small number of configured servers.

To configure the grace period during which an unresponsive RADIUS server is not marked as unreachable or down:

  • Specify the duration of the grace period.
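The global options from the preceding procedure and the grace period described in this section, as an added example that is not taken from the page. The request-rate and revert-interval statement names are the ones used at [edit access radius-options]; the timeout-grace statement name is an assumption to confirm with the CLI ? help. The statements for the interim update rate, the update-interval tolerance and the network-unique NAS-Port value (steps 2, 3 and 7) are left out because the page does not give their names.

```junos
access {
    radius-options {
        /* Step 4: at most 500 requests per second to all servers together; shields the servers from a login storm */
        request-rate 500;
        /* Step 5: retry a server marked unreachable after 10 minutes; a profile-level revert-interval overrides this */
        revert-interval 600;
        /* Step 6 (assumed statement name): a server that times out is not marked down or unreachable until
           30 s after its first timeout. With several servers a short value fails over quickly; with a single
           server a longer value gives it time to recover before every new subscriber is refused. */
        timeout-grace 30;
    }
}
```

With three servers, authentication, and a 5-second timeout, a grace period of 30 seconds means roughly six timed-out requests before the server is abandoned; pick the value from your retry and timeout settings rather than in isolation, because the grace period is only checked when a request to that server times out.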

Configuring Access Profile Options for Interactions with RADIUS Servers

You can use an access profile to specify options that the router uses when communicating with RADIUS authentication and accounting servers for subscriber access. This procedure describes options that are available only in access profiles. For options that are available at both the access profile and global level, see RADIUS Servers and Parameters for Subscriber Access.

To configure RADIUS authentication and accounting server options:

  1. Specify that you want to configure RADIUS options.
  2. (Optional) Configure the format the router uses to identify the accounting session. The identifier can be in one of the following formats:
    • decimal—The default format. For example, 435264

    • description—In the format, jnpr interface-specifier:subscriber-session-id. For example, jnpr fastEthernet 3/2.6:1010101010101

  3. (Optional) Configure the delimiter character that the router inserts between values in RADIUS attribute 31 (Calling-Station-Id).
  4. (Optional) Configure the information that the router includes in RADIUS attribute 31 (Calling-Station-Id).
  5. (Optional) Configure the router to use the optional behavior that inserts the random challenge generated by the NAS into the Request Authenticator field of Access-Request packets, rather than sending the random challenge as the CHAP-Challenge attribute (RADIUS attribute 60) in Access-Request packets. This optional behavior requires that the value of the challenge must be 16 bytes; otherwise the statement is ignored and the challenge is sent as the CHAP-Challenge attribute.
  6. (Optional) Configure the method the router uses to access RADIUS authentication and accounting servers when multiple servers are configured:
    • direct—The default method, in which there is no load balancing. The first server configured is the primary server; servers are accessed in order of configuration. If the primary server is unreachable, the router attempts to reach the second configured server, and so on.

    • round-robin—The method that provides load balancing by rotating router requests among the list of configured RADIUS servers. The server chosen for access is rotated based on which server was used last. The first server in the list is treated as a primary for the first authentication request, but for the second request, the second server configured is treated as primary, and so on. With this method, all of the configured servers receive roughly the same number of requests on average so that no single server has to handle all of the requests.

      Note:

      When a RADIUS server in the round-robin list becomes unreachable, the next reachable server in the round-robin list is used for the current request. That same server is also used for the next request because it is at the top of the list of available servers. As a result, after a server failure, the server that is used takes up the load of two servers.

    • To configure the method the router uses to access RADIUS accounting servers:

    • To configure the method the router uses to access RADIUS authentication servers:

  7. (Optional) Configure the router to use the optional behavior when a CoA operation is unable to apply a requested change to a client profile dynamic variable.

    The optional behavior is that subscriber management does not apply any changes to client profile dynamic variables in the CoA request and then responds with a NACK. The default behavior is that subscriber management does not apply the incorrect update but does apply the other changes to the client profile dynamic variables, and then responds with an ACK message.

  8. (Optional) Configure the router to use a physical port type of virtual to authenticate clients. The port type is passed in RADIUS attribute 61 (NAS-Port-Type). By default the router passes a port type of ethernet in RADIUS attribute 61.
    Note:

    This statement takes precedence over the nas-port-type statement if you include both in the same access profile.

  9. (Optional) Specify the information that is excluded from the interface description that the router passes to RADIUS for inclusion in RADIUS attribute 87 (NAS-Port-ID). By default, the interface description includes adapter, channel, and subinterface information.
  10. (Optional) For dual-stack PPP subscribers, include the IPv4-Release-Control VSA (26–164) in the Access-Request that is sent during on-demand IP address allocation and in the Interim-Accounting messages that are sent to report an address change.

    Optionally, configure a message that is included in the IPv4-Release-Control VSA (26–164) when it is sent to the RADIUS server

    The configuration of this statement has no effect when on-demand IP address allocation or deallocation is not configured.

  11. (Optional) Add Juniper Networks access line VSAs to the RADIUS authentication and accounting request messages for subscribers. If the router has not received and processed the corresponding ANCP attributes from the access node, then AAA provides only the following in these RADIUS messages:
    • Downstream-Calculated-QoS-Rate (IANA 4874, 26-141)—Default configured advisory transmit speed.

    • Upstream-Calculated-QoS-Rate (IANA 4874, 26-142)—Default configured advisory receive speed.

    Starting in Junos OS Release 19.2R1, the juniper-access-line-attributes option replaces the juniper-dsl-attributes option. For backward compatibility with existing scripts, the juniper-dsl-attributes option redirects to the new juniper-access-line-attributes option. We recommend that you use juniper-access-line-attributes.

    Note:

    The juniper-access-line-attributes option is not backward compatible with Junos OS Release 19.1 or earlier releases. This means that if you have configured juniper-access-line-attributes option in Junos OS Release 19.2 or higher releases, you must perform the following steps to downgrade to Junos OS Release 19.1 or earlier releases:

    1. Delete the juniper-access-line-attributes option from all access profiles that include it.

    2. Perform the software downgrade.

    3. Add the juniper-dsl-attributes option to the affected access profiles.

  12. (Optional) Configure the value for the client RADIUS attribute 32 (NAS-Identifier), which is used for authentication and accounting requests.
  13. (Optional) Configure the RADIUS client to use the extended format for RADIUS attribute 5 (NAS-Port) and specify the width of fields in the NAS-Port attribute, which specifies the physical port number of the NAS that is authenticating the user.
    • For Ethernet subscribers:

    • For ATM subscribers:

  14. (Optional) Configure the delimiter character that the router inserts between values in RADIUS attribute 87 (NAS-Port-Id).
  15. (Optional) Configure the optional information that the router includes in RADIUS attribute 87 (NAS-Port-Id). You can specify one or more options to appear in the default order. Alternatively, you can specify both the options and the order in which they appear. The orders are mutually exclusive and the configuration fails if you configure a NAS-Port-ID that includes values in both types of order.
  16. (Optional) Configure the port type that is included in RADIUS attribute 61 (NAS-Port-Type). This specifies the port type the router uses to authenticate subscribers.
    Note:

    This statement is ignored if you configure the ethernet-port-type-virtual in the same access profile.

  17. (Optional) Configure the LAC to override the configured Calling-Station-ID format for the value sent in the L2TP Calling Number AVP 22. You can override the Calling-Station-ID format and configure the LAC to use the ACI, the ARI, or both the ACI and ARI that are received from the L2TP client in the PADR packet. You can also specify a delimiter to use between components of the AVP string and a fallback value to use when the configured override components are not received in the PADR packet.
  18. (Optional) Override the value of the RADIUS NAS-IP-Address attribute (4) at the LNS with the value of the session’s LAC endpoint IP address if it is present in the session database. If it is not present, the original attribute value is used.
  19. (Optional) Override the value of the RADIUS NAS-Port attribute (5) at the LNS with the value from the session database if the LAC NAS port information was conveyed to the LNS in the Cisco Systems NAS Port Info AVP (100). If it is not present, the original attribute value is used.
  20. (Optional) Override the value of the RADIUS NAS-Port-Type attribute (61) at the LNS with the value from the session database if the LAC NAS port information was conveyed to the LNS in the Cisco Systems NAS Port Info AVP (100). If it is not present, the original attribute value is used.
  21. (Optional) Configure a delimiter character for the remote circuit ID string when you use the remote-circuit-id-format statement to configure the string to use instead of the Calling-Station ID in L2TP Calling Number AVP 22. If more than one value is configured for the remote circuit ID format, the delimiter character is used as a separator between the concatenated values in the resulting remote circuit ID string.
    Note:

    You must configure the override calling-circuit-id remote-circuit-id statement for the remote circuit ID format to be used in the calling number AVP.

  22. (Optional) Configure the fallback value for the LAC to send in L2TP Calling Number AVP 22, either the configured Calling-Station-ID or the default underlying interface. Use of the fallback value is triggered when the components of the override string you configured with the remote-circuit-id-format statement—the ACI, the ARI, or both ACI and ARI—are not received by the LAC in the PPPoE Active Discovery Request (PADR) packet.
  23. (Optional) Configure the format of the string that overrides the Calling-Station-ID format in the L2TP Calling Number AVP. You can specify the ACI, the ARI, or both the ACI and ARI.
    Note:

    You must configure the override calling-circuit-id remote-circuit-id statement for the remote circuit ID format to be used in the calling number AVP.

  24. (Optional) Configure the number of seconds that the router waits after a server has become unreachable before making another attempt to reach the server. If the server is then reachable, it is used in accordance with the order of the server list.
    Note:

    You can also configure this option for all RADIUS servers. See Configuring Options for RADIUS Servers.

  25. (Optional) Configure whether a newly authenticated subscriber can successfully log in when service activation failures related to configuration errors occur during authd processing of the activation request for the subscriber’s address family. You can specify this behavior for services configured in dynamic profiles or in Extensible Subscriber Services Manager (ESSM) operation scripts:
    • optional-at-login—Service activation is optional. Activation failure due to configuration errors does not prevent activation of the address family; it allows subscriber access. Service activation failures due to causes other than configuration errors cause network family activation to fail. The login attempt is terminated unless another address family is already active for the subscriber.

    • required-at-login—Service activation is required. Activation failure for any reason causes network family activation to fail. The login attempt is terminated unless another address family is already active for the subscriber.

  26. (Optional) Specify that RADIUS attribute 5 (NAS-Port) includes the S-VLAN ID, in addition to the VLAN ID, for subscribers on Ethernet interfaces.
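The following is an added example, not a listing from the original page, that collects the profile-only options from the procedure above that have a direct statement at [edit access profile profile-name radius options]. The profile name retailer01 and the NAS identifier bng-east-01 are placeholders. The Calling-Station-Id options (steps 3 and 4) are covered in the Calling-Station-ID section; the NAS-Port extended format (step 13), the L2TP overrides (steps 17 through 23), the CHAP challenge option (step 5) and IPv4-Release-Control (step 10) are not shown because their exact syntax is not given on this page. Confirm the statement names on your release with the CLI ? help.

```junos
access {
    profile retailer01 {
        radius {
            options {
                /* Step 12: value sent in NAS-Identifier (32); placeholder name */
                nas-identifier bng-east-01;
                /* Step 16: port type sent in NAS-Port-Type (61); ignored if ethernet-port-type-virtual is also set */
                nas-port-type ethernet;
                /* Step 2: accounting session ID in the jnpr interface:session-id form instead of a bare decimal */
                accounting-session-id-format description;
                /* Step 9: drop adapter, channel and subinterface detail from the interface description in NAS-Port-Id (87) */
                interface-description-format {
                    exclude-adapter;
                    exclude-channel;
                    exclude-sub-interface;
                }
                /* Steps 14 and 15: what NAS-Port-Id (87) carries and how the values are separated */
                nas-port-id-delimiter "#";
                nas-port-id-format {
                    agent-circuit-id;
                    agent-remote-id;
                    interface-description;
                }
                /* Step 26: include the S-VLAN ID as well as the VLAN ID in NAS-Port (5) */
                vlan-nas-port-stacked-format;
                /* Step 7: if any dynamic variable in a CoA cannot be applied, apply none of them and answer NACK */
                coa-dynamic-variable-validation;
                /* Step 24: profile-level revert interval, overrides the global radius-options value */
                revert-interval 300;
                /* Step 25: a subscriber whose dynamic-profile service fails to activate is not admitted */
                service-activation {
                    dynamic-profile required-at-login;
                }
                /* Step 11: add the Juniper access-line VSAs (replaces juniper-dsl-attributes from 19.2R1) */
                juniper-access-line-attributes;
            }
        }
    }
}
```

Two of these choices are security decisions rather than formatting: coa-dynamic-variable-validation makes a CoA all-or-nothing, so a partially malformed change request cannot leave a subscriber in a half-applied state, and required-at-login refuses access instead of admitting a subscriber without the service that was supposed to constrain it. CoA and Disconnect requests are authenticated only by the shared secret, so also restrict the dynamic-request-port to the addresses of the configured servers with a firewall filter.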

Configuring a Calling-Station-ID with Additional Options

Use this section to configure an alternative value for the Calling-Station-ID (RADIUS IETF attribute 31) in an access profile on the MX Series router.

You can configure the Calling-Station-ID to include one or more of the following options, in any combination, at the [edit access profile profile-name radius options calling-station-id-format] hierarchy:

  • Agent circuit identifier (agent-circuit-id)—Identifier of the subscriber’s access node and the digital subscriber line (DSL) on the access node. The agent circuit identifier (ACI) string is stored in either the DHCP option 82 field of DHCP messages for DHCP traffic, or in the DSL Forum Agent-Circuit-ID VSA [26-1] of PPPoE Active Discovery Initiation (PADI) and PPPoE Active Discovery Request (PADR) control packets for PPPoE traffic.

  • Agent remote identifier (agent-remote-id)—Identifier of the subscriber on the digital subscriber line access multiplexer (DSLAM) interface that initiated the service request. The agent remote identifier (ARI) string is stored in either the DHCP option 82 field for DHCP traffic, or in the DSL Forum Agent-Remote-ID VSA [26-2] for PPPoE traffic.

  • Interface description (interface-description)—Value of the interface.

  • Interface text description (interface-text-description)—Text description of the interface. The interface text description is configured separately, using either the set interfaces interface-name description description statement or the set interfaces interface-name unit unit-number description description statement.

  • MAC address (mac-address)—MAC address of the source device for the subscriber.

  • NAS identifier (nas-identifier)—Name of the NAS that originated the authentication or accounting request. NAS-Identifier is RADIUS IETF attribute 32.

  • Stacked VLAN (stacked-vlan)—Stacked VLAN ID.

  • VLAN (vlan)—VLAN ID.

If you configure the format of the Calling-Station-ID with more than one optional value, a hash character (#) is the default delimiter that the router uses as a separator between the concatenated values in the resulting Calling-Station-ID string. Optionally, you can configure an alternative delimiter character for the Calling-Station-ID to use. The following example shows the order of output when you configure multiple optional values:

To configure an access profile to provide optional information in the Calling-Station-ID:

  1. Specify the access profile you want to configure.
  2. Specify that you want to configure RADIUS options.
  3. Specify the nondefault character to use as the delimiter between the concatenated values in the Calling-Station-ID.

    By default, subscriber management uses the hash character (#) as the delimiter in Calling-Station-ID strings that contain more than one optional value.

  4. Configure the value for the NAS-Identifier (RADIUS attribute 32), which is used for authentication and accounting requests.
  5. Specify that you want to configure the format of the Calling-Station-ID.
  6. (Optional) Include the interface text description in the Calling-Station-ID.
  7. (Optional) Include the interface description value in the Calling-Station-ID.
  8. (Optional) Include the agent circuit identifier in the Calling-Station-ID.
  9. (Optional) Include the agent remote identifier in the Calling-Station-ID.
  10. (Optional) Include the configured NAS identifier value in the Calling-Station-ID.
  11. (Optional) Include the stacked VLAN ID in the Calling-Station-ID.
  12. (Optional) Include the VLAN ID in the Calling-Station-ID.
  13. (Optional) Include the MAC address in the Calling-Station-ID.

Example: Calling-Station-ID with Additional Options in an Access Profile

The following example creates an access profile named retailer01 that configures a Calling-Station-ID string that includes the NAS-Identifier (fox), interface description, agent circuit identifier, and agent remote identifier options.

The resulting Calling-Station-ID string is formatted as follows:

fox*ge-1/2/0.100:100*as007*ar921

where:

  • The NAS-Identifier value is fox.

  • The Calling-Station-ID delimiter character is * (asterisk).

  • The interface description value is ge-1/2/0.100:100.

  • The agent circuit identifier value is as007.

  • The agent remote identifier value is ar921.
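The configuration that produces the string above, written out here as an added example rather than reproduced from the page. Every value in it (retailer01, fox, the * delimiter and the four selected components) is taken from the example description; the statement names are the ones used at [edit access profile profile-name radius options].

```junos
access {
    profile retailer01 {
        radius {
            options {
                /* Step 4: value carried in NAS-Identifier (32) and reused as the first Calling-Station-Id component */
                nas-identifier fox;
                /* Step 3: replace the default # delimiter with * */
                calling-station-id-delimiter "*";
                /* Steps 5 to 13: which components to concatenate. The router emits them in its own fixed
                   order (here nas-identifier, interface-description, agent-circuit-id, agent-remote-id),
                   not in the order the statements are entered. */
                calling-station-id-format {
                    nas-identifier;
                    interface-description;
                    agent-circuit-id;
                    agent-remote-id;
                }
            }
        }
    }
}
```

With an interface description of ge-1/2/0.100:100, an ACI of as007 and an ARI of ar921, attribute 31 becomes fox*ge-1/2/0.100:100*as007*ar921. The ACI and ARI are inserted by the access node (DHCP option 82 or the PPPoE DSL Forum tags), so they are identifiers supplied by the access network rather than proof of subscriber identity; a RADIUS server that keys policy on them should validate that the access node is the expected one, and its parser must not assume the delimiter character cannot appear inside a field that the access node filled in.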

Consider an example where all options are configured, but no values are available for the Agent-Circuit-ID, the Agent-Remote-Id, or the stacked VLAN identifier. The other values are as follows:

  • NAS identifier—solarium

  • interface description—ge-1/0/0.1073741824:101

  • interface text description—example-interface

  • MAC address—00:00:5E:00:53:00

  • VLAN identifier—101

These values result in the following Calling-Station-ID:

Filtering RADIUS Attributes and VSAs from RADIUS Messages

Standard attributes and vendor-specific attributes (VSAs) received in RADIUS messages take precedence over internally provisioned attribute values. Filtering attributes means choosing to ignore certain attributes when they are received in Access-Accept packets and to exclude certain attributes from the messages sent to the RADIUS server. Ignoring attributes received from the RADIUS server causes your locally provisioned values to be used instead, which also guarantees that the server cannot override those values. Excluding attributes from outgoing messages is useful, for example, for attributes that do not change for the lifetime of a subscriber; it reduces the packet size without loss of information.

You can specify standard RADIUS attributes and VSAs that the router or switch subsequently ignores when they are received in RADIUS Access-Accept messages. You can also specify attributes and VSAs that the router or switch excludes from specified RADIUS message types. Exclusion means that the router or switch does not include the attribute in specified messages that it sends to the RADIUS server.

Starting in Junos OS Release 18.1R1, you can configure the router or switch to ignore or exclude RADIUS standard attributes and VSAs by specifying the standard attribute number or the IANA-assigned vendor ID and the VSA number, respectively. With this flexible configuration method, you can configure any standard attribute and VSA supported by your platform to be ignored or excluded. The configuration has no effect if you configure unsupported attributes, vendors, and VSAs.

The legacy method allows you to configure only those attributes and VSAs for which the statement syntax includes a specific option. Consequently, you can use the legacy method to ignore only a subset of all attributes that can be received in Access-Accept messages.

To configure the attributes ignored or excluded by your router or switch:

  1. Specify that you want to configure RADIUS in the access profile.
  2. Specify that you want to configure how RADIUS attributes are filtered.
  3. (Optional) Specify one or more attributes you want your router or switch to ignore when the attributes are in Access-Accept messages.
    • Legacy method: Specify dedicated option for attribute:

    • Flexible method: Specify standard attribute number or the IANA-assigned vendor ID and the VSA number:

  4. (Optional) Configure an attribute that you want your router or switch to exclude from one or more specified RADIUS message types. You cannot configure a list of attributes, but you can specify a list of message types for each attribute.
    • Legacy method: Specify dedicated option for attribute and message type:

    • Flexible method: Specify standard attribute number or the IANA-assigned vendor ID, the VSA number, and the message type:

The following example compares the legacy and flexible configuration methods to ignore the standard RADIUS attribute, Framed-IP-Netmask (9), and the Juniper Networks VSAs, Ingress-Policy-Name (26-10) and Egress-Policy-Name (26-11).

  • Legacy method:

  • Flexible method:

The following example compares the legacy and flexible configuration methods to exclude the standard RADIUS attribute, Framed-IP-Netmask (9), and the Juniper Networks VSAs, Ingress-Policy-Name (26-10) and Egress-Policy-Name (26-11).

  • Legacy method:

  • Flexible method: Specify standard attribute number or the IANA-assigned vendor ID, the VSA number, and the message type:

What happens if you specify an attribute with both methods in the same profile? The effective configuration is the logical OR of the two methods. Consider the following example for the standard attribute, accounting-delay-time (41):

The result is that the attribute is excluded from all four message types: Accounting-Off, Accounting-On, Accounting-Start, and Accounting-Stop. The effect is the same as if either of the following configurations is used:
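An added example, not a listing from the page, that shows both filtering methods side by side at [edit access profile profile-name radius attributes] and the logical-OR result the paragraph above describes. The profile name retailer01 is a placeholder. The legacy keywords and the flexible standard-attribute, vendor-id, vendor-attribute and packet-type statement shapes are written from memory and should be confirmed with the CLI ? help on your release.

```junos
access {
    profile retailer01 {
        radius {
            attributes {
                ignore {
                    /* Legacy method: dedicated keyword for Framed-IP-Netmask (9) in Access-Accept */
                    framed-ip-netmask;
                    /* Flexible method (18.1R1 and later): the same attribute by number */
                    standard-attribute 9;
                    /* Flexible method: Ingress-Policy-Name (26-10) and Egress-Policy-Name (26-11)
                       by IANA vendor ID 4874 and VSA number, so locally provisioned policies always win */
                    vendor-id 4874 {
                        vendor-attribute 10;
                        vendor-attribute 11;
                    }
                }
                exclude {
                    /* Legacy method: Acct-Delay-Time (41) omitted from Accounting-On and Accounting-Off */
                    accounting-delay-time [ accounting-on accounting-off ];
                    /* Flexible method: the same attribute omitted from Accounting-Start and Accounting-Stop */
                    standard-attribute 41 {
                        packet-type [ accounting-start accounting-stop ];
                    }
                }
            }
        }
    }
}
```

Because the two exclude statements are combined by logical OR, Acct-Delay-Time is left out of all four accounting message types, the same effect as listing all four under either method alone. Ignoring the policy-name VSAs is the local-control case from the section above: when the RADIUS server belongs to a retailer or is otherwise outside your trust boundary, it keeps the choice of subscriber filters on the router, and the configuration has no effect for attributes the platform does not support, so verify with show subscribers or the RADIUS server's logs that the filter actually applied.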

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release: 18.1R1
Description: Starting in Junos OS Release 18.1R1, you can configure the router or switch to ignore or exclude RADIUS standard attributes and VSAs by specifying the standard attribute number or the IANA-assigned vendor ID and the VSA number, respectively.