JSRC and Subscribers on Static Interfaces

You can associate subscribers with statically configured interfaces and provide dynamic service activation and deactivation for these subscribers. When the static interface comes up, the event is treated as a subscriber login. When the interface goes down, it is treated as a subscriber logout.

You can configure the static subscribers to be authenticated and authorized by means of RADIUS. In this case, RADIUS can then activate and deactivate services with change of authorization (CoA) messages. However, this configuration does not prevent the interface from coming up and forwarding traffic. Further, authorization parameters are not imposed on the subscriber interface.

Alternatively, you can use JSRC for dynamic service activation and deactivation for these subscribers. After the subscribers are present in the session database (SDB), JSRC can report the subscribers to the SAE so that the SRC software can subsequently manage the subscribers.

The following guidelines apply to static subscribers:

• Static subscribers are supported only on Ethernet interfaces, static demux interfaces, and pseudowire interfaces over logical tunnels (PS/LT). PS/LT support, introduced in Junos OS Release 18.3R1, enables full subscriber management (equivalent to dynamic subscribers) for statically provisioned subscribers whose traffic is transported over IP/MPLS access models.

• Only one static subscriber can exist over a given interface.

• An interface cannot appear in more than one group.

• Static subscribers cannot be created over dynamic interfaces.

Static subscribers are intended to work with JSRC. Include the provisioning-order jsrc statement at the [edit access profile profile-name] hierarchy level to enable JSRC to handle the subscribers at the direction of the SRC software.

If the authentication request fails for a static subscriber, a 60-minute, nonconfigurable timer begins counting down. The request is reissued when the timer expires. This action repeats for as long as the interface is operationally up.

You can force a logout of the static subscriber by issuing the request services static-subscribers logout interface interface-name command. A static subscriber can also be logged out by AAA or an external policy manager. In both cases, no subsequent logins can take place on the underlying interface until you reset the state by issuing the request services static-subscribers login interface interface-name command or the router or process reboots.

You can log out an interface group by issuing the request services static-subscriber logout group group-name command. You can subsequently log in a group of interfaces by issuing the request services static-subscriber login group group-name command.

No new CLI statements are required to configure the dynamic profile for static subscribers. The dynamic profile can be very simple; it is activated at login and deactivated at logout. If you do not configure a profile, then the junos-default-profile is automatically activated.

During a graceful Routing Engine switchover (GRES) event, active static subscribers are recovered, inactive subscribers are cleaned up, and logout continues for subscribers that were in the process of logging out.

Include the static-subscribers statement at the [edit system services] hierarchy level to configure static subscribers. Include the traceoptions statement at the [edit system processes static-subscribers] hierarchy level to configure tracing operations for static subscribers.

You can configure the access profile, dynamic profile, service profile, and authentication parameters for all static subscribers or for a particular group of static subscribers:

• To configure the access profile that triggers AAA services for the static subscriber for all static subscribers, include the access-profile statement at the [edit system services static-subscribers] hierarchy level. Alternatively, include this statement at the [edit system services static-subscribers group group-name] hierarchy level to apply the profile to a specific group and override a top-level configuration.

• To configure the dynamic profile that is instantiated when the static subscriber logs in for all static subscribers, include the dynamic-profile statement at the [edit system services static-subscribers] hierarchy level. Alternatively, include this statement at the [edit system services static-subscribers group group-name] hierarchy level to apply the profile to a specific group and override a top-level configuration. Do not specify a dynamic profile that creates a dynamic interface.

• To configure the service profile for all static subscribers at the global level and at the group level, include the service-profile statement at the [edit system services static-subscribers group group-name] hierarchy level.

• To configure the authentication parameters that trigger an Access-Request message to AAA for all static subscribers, include the authentication statement at the [edit system services static-subscribers] hierarchy level. Alternatively, include the statement at the [edit system services static-subscribers group group-name] hierarchy level to configure authentication for a specific group and override a top-level configuration. If you do not configure authentication, then by default the interface name is modified and used as the default username for the subscriber session and the authentication request.

The configurable authentication parameters include the password and details of how the username is formed. Include the password statement at the [edit system services static-subscribers authentication] hierarchy level to configure the authentication password for all static subscribers. Alternatively, include the statement at the [edit system services static-subscribers group group-name authentication] hierarchy level to configure authentication for a specific group and override a top-level configuration.

The username that is sent to AAA for authentication must include at least one of the following attributes:

• Domain name

• User prefix

• Interface name

• Logical system name

• Routing instance name

To configure how the username is formed for all static subscribers, include the desired statements at the [edit system services static-subscribers authentication] hierarchy level: domain-name, user-prefix, logical-system-name, or routing-instance-name. Alternatively, include the desired statements at the [edit system services static-subscribers group group-name authentication] hierarchy level to configure the username for a specific group and override a top-level configuration.

If you change the authentication configuration for an existing group or for static subscribers globally, the change has no effect on existing static subscribers. The changes are applied only to any new logins that are attempted after you commit the changes.

A group configuration must specify all the interfaces that you expect to support static subscribers. Include the interface statement at the [edit system services static-subscribers group group-name] hierarchy level to specify the interfaces. This statement enables you to specify a single interface or a range of interfaces.

You must also statically configure these interfaces before any static subscribers can be supported on them. You must configure the static interfaces in the same logical system and routing instance as the group that includes the interfaces.

If you change the interfaces that are included in an existing interface group, existing static subscribers are automatically logged out and then back in when you commit the changes. However, changes made to the configuration of the interface itself have no effect on the login or logout state of the static subscriber associated with that interface.

By default, multiple subscribers are not supported on top of the same VLAN logical interface. If you want to support this behavior, then you can manage multiple subscribers on a single logical interface in one of two ways. You can either merge attributes such as firewall filters and CoS attributes for the multiple subscribers, or you can replace the current attributes with those of a new subscriber whenever a new subscriber logs into the underlying VLAN logical interface.

• To enable attribute merging for all static interfaces, include the aggregate-clients merge statement at the [edit system services static-subscribers] hierarchy level. Alternatively, include this statement at the [edit system services static-subscribers group group-name] hierarchy level to enable attribute merging for a specific group of static interfaces and override a top-level configuration.

• To enable attribute replacement for all static interfaces, include the aggregate-clients replace statement at the [edit system services static-subscribers] hierarchy level. Alternatively, include this statement at the [edit system services static-subscribers group group-name] hierarchy level to enable attribute replacement for a specific group of static interfaces and override a top-level configuration.

This example shows a static subscriber configuration.

1. Configure the access profile to be used for static subscribers.

2. Configure the dynamic profile to be used for static subscribers.

   If you do not configure this profile, the default profile, junos-default-profile, is used.

3. Configure the static interfaces on which to layer the static subscribers.

4. Configure the parameters that apply globally to all static subscribers in the configuration context.

5. If you want to override the global parameters for certain static subscribers, create a group of static interfaces for those subscribers and configure parameters to apply to that group. Repeat this step for as many groups as you need.

6. Configure tracing options for static subscriber events.