This section discusses the RADIUS Internet Engineering
Task Force (IETF) attributes and the Juniper Networks vendor-specific
attributes that you can configure using CLI commands.
For a complete list of RADIUS attributes supported
by JUNOSe software, see RADIUS IETF Attributes.
RADIUS IETF Attributes
This section describes the RADIUS IETF attributes
that you can configure using CLI commands. The attributes are listed
numerically—each attribute is followed by a list of the commands
that you can use to manage the attribute and descriptions of each
command.
[4] NAS-IP-Address
Use the following commands
to configure, manage, and display information for the NAS-IP-Address
RADIUS attribute.
Use the no version to restore
the default address.
radius override nas-info
Use in the correct virtual router context to override
standard use of NAS-IP-Address and NAS-Identifier attributes for AAA
broadcast accounting; specifies that the attributes for the authentication
virtual router be included in accounting packets instead of the attributes
for the virtual router that generates the accounting information.
Example
host1(config)#virtual-router vrXyz1
host1:vrXyz1(config)#radius override nas-info
Use the no version to restore
standard use of the NAS-IP-Address and NAS-Identifier attributes.
Example: If the PPP user is received on a VC from the
card in slot 7, port 2, then the bit pattern is either 00111010 (for 0ssssppp) or 01110010 (for ssss0ppp).
host1(config)#radius nas-port-format 0ssssppp
Use the no version to restore
the default.
radius nas-port-format extended atm
radius nas-port-format extended ethernet
Use to set the NAS-Port format attribute for ATM, Gigabit
Ethernet, and 10-Gigabit Ethernet interfaces on the E120 and E320
routers only.
The format attribute set using the radius
nas-port-format command does not accommodate the number
of bits required by the ATM interface specifier (slot/adapter/port/vpi/vci) or the Gigabit Ethernet and 10-Gigabit Ethernet interface specifier
[ slot/adapter/port ] [ .vlanSubinterface ]. Issuing this command enables you to encode the interface information
in the attribute by specifying the number of bits available for each
field in the interface specifier.
Note:
You must use this command with the extended keyword when you configure the NAS-Port format attribute on routers
that have line modules that support more than seven physical ports.
The default number of bits for each field in the interface
specifier for ATM interfaces are:
Slot—5 bits
Adapter—0 bits
Port—3 bits
VPI—8 bits
VCI—16 bits
The default number of bits for each field in the interface
specifier for Gigabit Ethernet and 10-Gigabit Ethernet interfaces
are:
Slot—5 bits
Adapter—0 bits
Port—3 bits
VLAN—12 bits
S-VLAN—12 bits
To set valid S-VLAN widths on Gigabit Ethernet and 10-Gigabit
Ethernet interfaces, you must include S-VLAN IDs in the NAS-Port attribute
by issuing the radius vlan nas-port-format
stacked command.
The total number of bits for all fields cannot exceed
32. When the total number of bits is less than 32, the NAS-Port attribute
is right-justified and the extra bits are set to 0. If you do not
specify a value for a field, the number of bits is set to 0.
Use the no version to restore
the default behavior of the radius nas-port-format command.
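The NAS-Port encodings described above, worked through as an added example; this is not JUNOSe or Juniper code. It builds the 8-bit slot/port patterns and packs or decodes the ATM fields for a given set of bit widths, which is what a RADIUS server needs in order to attribute a session to a physical circuit. It assumes fields are packed most-significant-first in interface-specifier order; the function names and sample values are constructed.

```python
# Added example (not JUNOSe code): model the NAS-Port bit layouts described above.
# ASSUMPTION: fields are packed most-significant-first in interface-specifier order.
ATM_FIELDS = ("slot", "adapter", "port", "vpi", "vci")
ATM_DEFAULT_WIDTHS = {"slot": 5, "adapter": 0, "port": 3, "vpi": 8, "vci": 16}


def slot_port_byte(pattern, slot, port):
    """Return the 8-bit slot/port value for the 0ssssppp or ssss0ppp pattern."""
    if not (0 <= slot <= 15 and 0 <= port <= 7):
        raise ValueError("pattern holds a 4-bit slot and a 3-bit port")
    if pattern == "0ssssppp":
        return (slot << 3) | port
    if pattern == "ssss0ppp":
        return (slot << 4) | port
    raise ValueError(f"unknown pattern {pattern!r}")


def total_bits(fields, widths):
    """Validate per-field widths; a field with no width given gets 0 bits."""
    unknown = set(widths) - set(fields)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    if any(w < 0 for w in widths.values()):
        raise ValueError("field widths cannot be negative")
    total = sum(widths.get(name, 0) for name in fields)
    if total > 32:
        raise ValueError(f"widths total {total} bits; NAS-Port holds 32")
    return total


def pack_nas_port(fields, widths, values):
    """Encode interface values into a right-justified 32-bit NAS-Port integer."""
    total_bits(fields, widths)
    nas_port = 0
    for name in fields:
        bits = widths.get(name, 0)
        if bits == 0:
            continue  # zero-width field: the value is not carried at all
        value = values.get(name, 0)
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name}={value} does not fit in {bits} bits")
        nas_port = (nas_port << bits) | value
    return nas_port  # fewer than 32 bits used: high-order bits stay 0


def unpack_nas_port(fields, widths, nas_port):
    """Decode a NAS-Port integer; zero-width fields decode to None (unknown)."""
    used = total_bits(fields, widths)
    if not 0 <= nas_port < (1 << 32) or nas_port >> used:
        raise ValueError("value has bits set outside the configured fields")
    decoded, shift = {}, used
    for name in fields:
        bits = widths.get(name, 0)
        shift -= bits
        decoded[name] = (nas_port >> shift) & ((1 << bits) - 1) if bits else None
    return decoded


if __name__ == "__main__":
    # Constructed sample: slot 7, port 2 (the page's example), VPI 4, VCI 3.
    sample = {"slot": 7, "port": 2, "vpi": 4, "vci": 3}
    value = pack_nas_port(ATM_FIELDS, ATM_DEFAULT_WIDTHS, sample)
    print(f"{slot_port_byte('0ssssppp', 7, 2):08b}", f"{value:#010x}")
    print(unpack_nas_port(ATM_FIELDS, ATM_DEFAULT_WIDTHS, value))
```

With the default widths a port number above 7 is rejected because it does not fit in 3 bits, and the adapter decodes as unknown because it has no bits assigned.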
radius pppoe nas-port-format unique
Use to set the NAS-Port attribute to a unique value for
subscribers on PPPoE interface. This unique value is derived from
the subscriber’s profileHandle.
host1(config)#radius include framed-ip-netmask acct-start enable
Use the no version to restore
the default, enable.
radius ignore framed-ip-netmask
Use to cause the Framed-Ip-Netmask attribute to be ignored
in Access-Accept messages.
You can control this behavior by enabling or disabling
this command.
If the subnet mask is specified by the Framed-Ip-Netmask
attribute in the RADIUS user profile, the router passes the mask and
IP address to the CPE during IPCP negotiations. When this command
is enabled, the default subnet mask 255.255.255.255 is provided by
AAA and used for IPCP negotiations.
Enabling the command guards against any breaks in the
negotiation.
Use to specify the format of the Calling-Station-Id [31]
attribute on a virtual router.
For each field in angle brackets (<>) in the Calling-Station-Id
formats, the virtual router supplies the actual value for your configuration,
unless otherwise specified.
To specify that the RADIUS client use the delimited format
when the PPP user is terminated at the non-LNS E Series router, use
the delimited keyword.
Format for ATM interfaces: <delimiter>
<system name> <delimiter> <interface> <delimiter> <VPI> <delimiter> <VCI><delimiter>
Format for Ethernet interfaces: <delimiter>
<system name> <delimiter> <interface> <delimiter> <VLAN>
Where <interface> is one
of the following items:
<port name>—The default setting
<VP description>—Appears if you use the atm vp-description command to assign a text description
to an individual VP on an ATM interface
<VC description>—Appears if you use the atm atm1483 description command to assign a text description
to VCs on an ATM 1483 subinterface and you use the atm1483
export-subinterface-description command to enable sending
of VC interface descriptors to AAA
To specify that the RADIUS client use a fixed format of
up to 15 characters consisting of all ASCII fields, use the fixed-format keyword. The maximum number of characters
for each field is shown in square brackets ([ ]).
Format for ATM interfaces: <system
name [4]> <slot [2]> <port [1]> <VPI [3]> <VCI [5]>
Format for Ethernet interfaces: <system
name [4]> <slot [2]> <port [1]> <VLAN [8]>
Format for serial interfaces: <system
name [4]> <slot [2]> <port [1]> <0 [8]>
Where the final 8-byte field is always 0 (zero).
In the case of PPP terminated at the LNS, the Calling-Station-Id
attribute is based on the received L2TP calling number AVP.
To specify that the RADIUS client use a fixed format of
up to 15 characters consisting of all ASCII fields
with a 1-byte slot field, 1-byte adapter field, and 1-byte port field,
use the fixed-format-adapter-embedded keyword.
The maximum number of characters for each field is shown in square
brackets ([ ]).
Format for ATM interfaces: <system
name [4]> <slot [1]> <adapter [1]> <port [1]> <VPI [3]> <VCI [5]>
Format for Ethernet interfaces: <system
name [4]> <slot [1]> <adapter [1]> <port [1]> <VLAN [8]>
Format for serial interfaces: <system
name [4]> <slot [1]> <adapter [1]> <port [1]> <0 [8]>
Where the final 8-byte field is always 0 (zero).
For E120 and E320 routers, <adapter> is the number
of the bay in which the I/O adapter (IOA) resides, either 0 (representing
the right IOA bay on the E120 router or the upper IOA bay on the E320
router) or 1 (representing the left IOA bay on the E120 router or
the lower IOA bay on the E320 router). For ERX7xx models, ERX14xx
models, and ERX310 routers, <adapter> is always shown as 0 (zero).
Slot numbers 0 through 16 are shown as ASCII characters
in the 1-byte slot field according to the following translation:
Slot Number   ASCII Character   Slot Number   ASCII Character
0             0                 9             9
1             1                 10            A
2             2                 11            B
3             3                 12            C
4             4                 13            D
5             5                 14            E
6             6                 15            F
7             7                 16            G
8             8                 –             –
For example, slot 16 is shown as the ASCII
character uppercase G.
To specify that the RADIUS client use a fixed format of
up to 17 characters consisting of all ASCII fields with a 2-byte slot
field, 1-byte adapter field, and 2-byte port field, use the fixed-format-adapter-new-field keyword. The maximum
number of characters for each field is shown in square brackets ([ ]).
Note:
You must use this command with the fixed-format-adapter-new-field keyword when you configure the format of the Calling-Station-ID attribute
on routers that have line modules that support more than seven physical
ports.
Format for ATM interfaces: <system
name [4]> <slot [2]> <adapter [1]> <port [2]> <VPI [3]> <VCI [5]>
Format for Ethernet interfaces: <system
name [4]> <slot [2]> <adapter [1]> <port [2]> <VLAN [8]>
Format for serial interfaces: <system
name [4]> <slot [2]> <adapter [1]> <port [2]> <0 [8]>
Where the final 8-byte field is always 0 (zero).
For E120 and E320 routers, <adapter> is the number
of the bay in which the I/O adapter (IOA) resides, either 0 or 1.
For ERX7xx models, ERX14xx models, and ERX310 routers, <adapter>
is always shown as 0 (zero).
Slot numbers 0 through 16 are shown as integers in the
2-byte slot field.
To specify that the format of the Calling-Station-Id [31]
attribute include a 4-byte stacked VLAN (S-VLAN) ID for Ethernet interfaces
when the RADIUS client uses the fixed-format, fixed-format-adapter-embedded,
or fixed-format-adapter-new-field format, use the fixed-format
stacked, fixed-format-adapter-embedded
stacked, or fixed-format-adapter-new-field
stacked keywords, respectively. The maximum number of
characters for each field is shown in square brackets ([ ]).
Note:
The use of the stacked keyword is
not supported for VLAN subinterfaces based on agent-circuit-identifier
information, otherwise known as ACI VLANs. When you issue the radius calling-station-format fixed-format stacked, radius calling-station-format fixed-format-adapter-embedded stacked, or radius calling-station-format fixed-format-adapter-new-field
stacked command for an ACI VLAN, the values that appear
in the 4-byte S-VLAN ID and 4-byte VLAN ID fields are incorrect.
Format for Ethernet interfaces that use fixed-format stacked: <system
name [4]> <slot [2]> <port [1]> <S-VLAN [4]> <VLAN [4]>
Format for Ethernet interfaces that use fixed-format-adapter-embedded stacked: <system
name [4]> <slot [1]> <adapter [1]> <port [1]> <S-VLAN [4]> <VLAN [4]>
Format for Ethernet interfaces that use fixed-format-adapter-new-field stacked: <system
name [4]> <slot [2]> <adapter [1]> <port [2]> <S-VLAN [4]> <VLAN [4]>
By default, these formats do not include the S-VLAN ID unless
you specify the optional stacked keyword.
If you include the stacked keyword, the
S-VLAN ID is displayed in decimal format in the range 0–4095.
The S-VLAN ID field in the Calling-Station-Id [31] attribute
is set to 0 (zero) under the following conditions:
You do not specify the optional stacked keyword.
You specify the optional stacked keyword but the Ethernet interface does not have an S-VLAN ID.
Attribute 31, Calling-Station-Id, is used with Attribute
30, Called-Station-Id, in a standard way when the router is the LNS
and the LAC is a dial-up LAC (not an E Series router). When the LNS
receives the Calling-Station-Id and Called-Station-Id AVPs, the router
includes the values as they are, with no format changes in the RADIUS
messages.
For example, when you configure this
Calling-Station-Id format on an E320 router for an ATM interface on
system name eastern, slot 14, adapter 1, port 2, VCI 3,
and VPI 4, the virtual router displays the format in ASCII as
‘14’ ‘2’ ‘003’ ‘00004’.
The adapter number does not appear in this format.
For example, when you configure this
Calling-Station-Id format on an E320 router for an ATM interface on
system name eastern, slot 14, adapter 1, port 2, VCI 3,
and VPI 4, the virtual router displays the format in ASCII as
‘E’ ‘1’ ‘2’ ‘003’ ‘00004’.
For example, when you configure this
Calling-Station-Id format on an E320 router for an ATM interface on
system name eastern, slot 14, adapter 1, port 2, VCI 3,
and VPI 4, the virtual router displays the format in ASCII as
‘14’ ‘1’ ‘02’ ‘003’ ‘00004’.
For example, when you configure this
Calling-Station-Id format on an E320 router for an Ethernet interface
on system name western, slot 4, adapter 1, port 3, S-VLAN ID 8, and
VLAN ID 12, the virtual router displays the format in ASCII as ‘west’
‘04’ ‘1’ ‘03’ ‘0008’
‘0012’.
Use the no version to restore
the default Calling-Station-Id format, delimited.
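A parser for the three fixed Calling-Station-Id layouts above, as an added example; this is not JUNOSe or Juniper code. It is meant for the RADIUS server side, for example when normalising accounting records for subscriber attribution. It assumes every field occupies its full width (a 4-character system name and zero-padded decimal numbers); the kind name "ethernet-stacked", the function names and the sample strings are constructed.

```python
# Added example (not JUNOSe code): parse fixed-width Calling-Station-Id strings.
# ASSUMPTION: every field is present at its full width, numbers zero-padded decimal.
SLOT_CHARS = "0123456789ABCDEFG"  # 1-byte slot field: slots 0-16 as '0'-'9', 'A'-'G'

# keyword -> widths of (slot, adapter, port); adapter width 0 means no adapter field
LAYOUTS = {
    "fixed-format": (2, 0, 1),
    "fixed-format-adapter-embedded": (1, 1, 1),
    "fixed-format-adapter-new-field": (2, 1, 2),
}
# interface kind -> trailing (field, width) pairs; "ethernet-stacked" = stacked keyword
TAILS = {
    "atm": (("vpi", 3), ("vci", 5)),
    "ethernet": (("vlan", 8),),
    "ethernet-stacked": (("svlan", 4), ("vlan", 4)),
    "serial": (("zero", 8),),
}
# Upper bounds stated on the page: slot 0-16, adapter 0 or 1, S-VLAN 0-4095, zero field
LIMITS = {"slot": 16, "adapter": 1, "svlan": 4095, "zero": 0}


def field_spec(keyword, kind):
    """Return the ordered (field, width) list for a format keyword and interface kind."""
    if keyword not in LAYOUTS or kind not in TAILS:
        raise ValueError(f"unsupported format {keyword!r} / {kind!r}")
    slot_w, adapter_w, port_w = LAYOUTS[keyword]
    head = [("system", 4), ("slot", slot_w), ("adapter", adapter_w), ("port", port_w)]
    return [(name, width) for name, width in head if width] + list(TAILS[kind])


def parse_calling_station_id(value, keyword, kind):
    """Split a Calling-Station-Id string into validated fields, or raise ValueError."""
    spec = field_spec(keyword, kind)
    expected = sum(width for _, width in spec)
    if not value.isascii() or len(value) != expected:
        raise ValueError(f"expected {expected} ASCII characters, got {len(value)}")
    fields, pos = {}, 0
    for name, width in spec:
        raw = value[pos:pos + width]
        pos += width
        if name == "system":
            fields[name] = raw
            continue
        if name == "slot" and width == 1:
            if raw not in SLOT_CHARS:
                raise ValueError(f"invalid 1-byte slot character {raw!r}")
            number = SLOT_CHARS.index(raw)  # 'A' -> 10 ... 'G' -> 16
        else:
            if not raw.isdigit():
                raise ValueError(f"{name} field {raw!r} is not decimal")
            number = int(raw)
        if name in LIMITS and number > LIMITS[name]:
            raise ValueError(f"{name}={number} exceeds {LIMITS[name]}")
        fields[name] = number
    return fields


if __name__ == "__main__":
    # Constructed samples modelled on the page's examples (system names east/west).
    samples = [
        ("east14200300004", "fixed-format", "atm"),
        ("eastE1200300004", "fixed-format-adapter-embedded", "atm"),
        ("east1410200300004", "fixed-format-adapter-new-field", "atm"),
        ("west0410300080012", "fixed-format-adapter-new-field", "ethernet-stacked"),
    ]
    for text, keyword, kind in samples:
        print(keyword, kind, parse_calling_station_id(text, keyword, kind))
```

The string does not identify its own layout, so the parser must be told which keyword the virtual router is configured with; the range checks catch many, but not all, mismatches.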
Use to configure RADIUS to override the standard use of
the Calling-Station-Id attribute and instead use the remote circuit
ID transmitted from a DSLAM device.
host1(config)#radius include nas-identifier acct-start disable
Use the no version to restore
the default, enable.
radius override nas-info
Use in the correct virtual router context to override
the standard use of NAS-IP-Address and NAS-Identifier attributes for
AAA broadcast accounting; specifies that the attributes for the authentication
virtual router be included in accounting packets instead of the attributes
for the virtual router that generates the accounting information.
Use the no version to restore
the standard use of the NAS-IP-Address and NAS-Identifier attributes.
radius remote-circuit-id-format
Use to configure the format of the PPPoE remote circuit
ID value captured from a DSLAM.
You can format the PPPoE remote circuit ID value to include
either or both of the agent-circuit-ID (suboption 1) and agent-remote-id
(suboption 2) suboptions of the DHCP relay agent information
option (option 82) or the PPPoE intermediate agent tags.
By default, the router formats the PPPoE remote circuit
ID to include only the agent-circuit-id suboption.
You can use this command to configure the following nondefault
formats for the PPPoE remote circuit ID value:
Include either or both of the agent-circuit-id and agent-remote-id
suboptions, with or without the NAS-Identifier [32] RADIUS attribute
Append the agent-circuit-id suboption value to an interface
specifier that is consistent with the recommended format in the DSL
Forum Technical Report (TR)-101—Migration to Ethernet-Based
DSL Aggregation (April 2006).
For more information about how to use this command, see
the Using the PPPoE Remote Circuit ID to Identify Subscribers and Configuring PPPoE Remote Circuit ID Capture sections in JUNOSe Link Layer Configuration Guide.
Use the no version to restore
the default format, agent-circuit-id.
radius remote-circuit-id-delimiter
Use to configure the delimiter character that the router
uses to set off multiple components in the format of the PPPoE remote
circuit ID value captured from a DSLAM.
For information about how to use this command, see the Configuring PPPoE Remote Circuit ID Capture section in JUNOSe Link Layer Configuration Guide.
host1(config)#radius include acct-delay-time acct-on enable
Use the no version to restore
the default, enable.
[44] Acct-Session-Id
Use the following commands to manage and display information
for the Acct-Session-Id RADIUS attribute.
radius include acct-session-id
radius acct-session-id-format
Note:
The Acct-Session-Id VSA is used:
In the RADIUS-initiated change-of-authorization (CoA)
message to start the mirroring session when the user is already logged
in
As a trigger in user-initiated mirroring to identify the
user whose traffic is to be mirrored
This VSA can be optionally included in the CoA message from
the RADIUS server or in the user login request if the packet mirroring
operation is required.
radius include acct-session-id
Use to include the Acct-Session-Id attribute in Access-Request,
Acct-On, or Acct-Off messages.
You can control inclusion of the Acct-Session-Id attribute
by enabling or disabling this command.
host1(config)#radius include event-timestamp acct-on enable
Use the no version to restore
the default, enable.
[61] NAS-Port-Type
Use the following commands to manage and display information
for the NAS-Port-Type RADIUS attribute.
radius dsl-port-type
radius ethernet-port-type
radius include nas-port-type
radius dsl-port-type
Use to configure the NAS-Port-Type attribute for the DSL
port type.
This attribute can have several values. If the interface
(port) is DSL, then the attribute can have any value listed in the
command and uses the value configured. If the interface (port) is
Ethernet, then it sets the attribute to Ethernet and disregards the
parameter set with this command. Options include:
host1(config)#radius include acct-tunnel-connection acct-stop enable
Use the no version to restore
the default, enable.
[77] Connect-Info
Use the following commands to manage and display information
for the Connect-Info RADIUS attribute.
radius connect-info-format l2tp-connect-speed
radius include connect-info
radius connect-info-format
Use on the LNS to enable the generation of the RADIUS
Connect-Info attribute and to specify the attribute’s format.
The attribute is based on the L2TP connect-speed AVPs for received
(RX) speed (AVP 38) and transmit (TX) speed (AVP 24). See Configuring the RX Speed on the LAC for
information about generating the RX and TX speed AVPs.
The Connect-Info attribute is a string in the following
format; the attribute is generated whenever the TX speed is not zero.
tx-speed [ /rx-speed ]
The TX speed is always included in the attribute when
the speed is not zero; however, inclusion of the RX speed depends
on the keyword you use with the command.
Use the l2tp-connect-speed keyword
to specify that the RX speed is only included when it is not zero
and differs from the TX speed.
host1(config)#radius include tunnel-preference acct-start enable
Use the no version to restore
the default, enable.
[87] NAS-Port-Id
Use the following commands to manage and show information for
the NAS-Port-Id RADIUS attribute.
aaa intf-desc-format include
radius include nas-port-id
radius override nas-port-id remote-circuit-id
aaa intf-desc-format include
Use to specify whether the router includes the subinterface
number or adapter in the interface description it passes to RADIUS
for inclusion in the NAS-Port-Id attribute. By default, the subinterface
and adapter are sent (the commands are enabled).
Examples
host1#aaa intf-desc-format include sub-intf disable
host1(config)#radius include nas-port-id access-request enable
Use the no version to restore
the default, enable.
radius override nas-port-id remote-circuit-id
Use to configure RADIUS to override the standard use of
the NAS-Port-Id attribute and instead use the remote circuit ID transmitted
from a DSLAM device.
host1(config)#radius include framed-ipv6-prefix acct-start enable
Use the no version to restore
the default, disable.
[99] Framed-Ipv6-Route
Use the following command to manage the Framed-Ipv6-Route RADIUS
attribute.
radius include framed-ipv6-route
radius include framed-ipv6-route
Use to include the Framed-Ipv6-Route attribute in Acct-Start
or Acct-Stop messages.
You can control inclusion of the Framed-Ipv6-Route attribute
by enabling or disabling this command.
For this attribute, the value received from the RADIUS
server in the Access-Accept message is used in the accounting messages.
When the Framed-Ipv6-Route attribute is not returned from
the RADIUS server in the Access-Accept message, the immediate accounting,
Acct-Stop, or Interim-Acct messages do not report this attribute.
host1(config)#radius include framed-ipv6-route acct-start enable
Use the no version to restore
the default, disable.
[100] Framed-Ipv6-Pool
Use the following command to manage the Framed-Ipv6-Pool RADIUS
attribute.
radius include framed-ipv6-pool
radius include framed-ipv6-pool
Use to include the Framed-Ipv6-Pool attribute in Acct-Start
or Acct-Stop messages.
You can control inclusion of the Framed-Ipv6-Pool attribute
by enabling or disabling this command.
For this attribute, the value received from the RADIUS
server in the Access-Accept message is used in the accounting messages.
If the IPv6 pool name is configured in the AAA domain
map using the CLI and is not returned from RADIUS server, the Acct-Start,
Acct-Stop, or Interim-Acct messages report the value configured in
the domain map.
host1(config)#radius include framed-ipv6-pool acct-start enable
Use the no version to restore
the default, disable.
[123] Delegated-Ipv6-Prefix
Use the following command to manage the Delegated-Ipv6-Prefix
RADIUS attribute.
radius include delegated-ipv6-prefix
radius include delegated-ipv6-prefix
Use to include the Delegated-Ipv6-Prefix attribute in
Acct-Start or Acct-Stop messages.
You can control inclusion of the Delegated-Ipv6-Prefix
attribute by enabling or disabling this command.
For this attribute, the value received from the RADIUS
server in the Access-Accept message is used in the accounting messages.
When prefix delegation occurs, an immediate-update (if
enabled) message, which contains the delegated prefix information,
is sent to the RADIUS server.
When the prefix to be delegated to clients is obtained
from the IPv6 local address server rather than the RADIUS server and the aaa dhcpv6-delegated-prefix delegated-ipv6-prefix command
is configured, the delegated prefix is sent to the RADIUS server in
the Delegated-Ipv6-Prefix attribute in the immediate accounting, Acct-Stop,
or Interim-Acct messages.
When the prefix to be delegated to clients is allocated
from the IPv6 local address server and the aaa dhcpv6-delegated-prefix
delegated-ipv6-prefix command is not configured, the
delegated prefix is sent to the RADIUS server in the Framed-Ipv6-Prefix
attribute in the immediate accounting, Acct-Stop, or Interim-Acct
messages.
For static interfaces, although the prefix configured
using the CLI command is used for DHCPv6 Prefix Delegation instead
of the value returned by the RADIUS server, the immediate accounting,
Acct-Stop, or Interim-Acct messages contain the prefix returned from
the RADIUS server. If this attribute is not returned from the RADIUS
server, the immediate accounting, Acct-Stop, or Interim-Acct messages
do not report this attribute.
host1(config)#radius include tunnel-server-attributes access-request enable
Use the no version to restore
the default, disable.
Juniper Networks Vendor-Specific Attributes
This section describes the Juniper Networks vendor-specific
attributes (VSAs) that you can configure using CLI commands. The attributes
are listed numerically and are followed by descriptions about the
commands that you can use to manage the attribute.
[26-1] Virtual-Router
Use the following command to manage the Virtual-Router RADIUS
attribute.
radius ignore virtual-router
radius ignore virtual-router
Use to cause the Virtual-Router attribute to be ignored
in Access-Accept messages.
You can control this behavior by enabling or disabling
this command.
host1(config)#radius include tunnel-interface-id enable
Use the no version to restore
the default, disable.
[26-45] Ipv6-Virtual-Router
Use the following command to manage the IPv6-Virtual-Router
RADIUS attribute.
radius include ipv6-virtual-router
radius include ipv6-virtual-router
Use to include the Ipv6-Virtual-Router attribute in Acct-Start,
or Acct-Stop messages.
You can control inclusion of the attribute by enabling
or disabling this command.
For this attribute, the value received from the RADIUS
server in the Access-Accept message is used in the accounting messages.
If the IPv6 virtual router is configured in the AAA domain
map and is not returned from the RADIUS server, the Acct-Start, Acct-Stop,
or Interim-Acct messages report the value configured in the domain
map.
If IPv6 virtual router is not configured in the AAA domain
map and is not returned from the RADIUS server, it is not included
in the Acct-Start message because the value is not yet known. If the
IPv6 virtual router context is configured from the profile, it is
reported in the immediate-update message for DHCPv6 prefix delegation.
host1(config)#radius include ipv6-virtual-router acct-start enable
Use the no version to restore
the default, disable.
[26-46] Ipv6-Local-Interface
Use the following command to manage the Ipv6-Local-Interface
RADIUS attribute.
radius include ipv6-local-interface
radius include ipv6-local-interface
Use to include the Ipv6-Local-Interface attribute in Acct-Start,
or Acct-Stop messages.
You can control inclusion of the attribute by enabling
or disabling this command.
For this attribute, the value received from the RADIUS
server in the Access-Accept message is used in the accounting messages.
If IPv6 local interface is configured in the AAA domain
map and is not returned from the RADIUS server, the Acct-Start, Acct-Stop,
or Interim-Acct messages report the value configured in the domain
map.
host1(config)#radius include ipv6-local-interface acct-start enable
Use the no version to restore
the default, disable.
[26-47] Ipv6-Primary-DNS
Use the following command to manage the IPv6-Primary-DNS RADIUS
attribute.
radius include ipv6-primary-dns
radius include ipv6-primary-dns
Use to include the IPv6-Primary-DNS attribute in Acct-Start,
or Acct-Stop messages.
You can control inclusion of the attribute by enabling
or disabling this command.
For this attribute, the value received from the RADIUS
server in the Access-Accept message is used in the accounting messages.
If the IPv6 primary DNS server is configured in the AAA
domain map and is not returned from the RADIUS server, the Acct-Start,
Acct-Stop, or Interim-Acct messages report the value configured in
the AAA domain map.
host1(config)#radius include ipv6-primary-dns acct-start enable
Use the no version to restore
the default, disable.
[26-48] Ipv6-Secondary-DNS
Use the following command to manage the Ipv6-Secondary-DNS RADIUS
attribute.
radius include ipv6-secondary-dns
radius include ipv6-secondary-dns
Use to include the Ipv6-Secondary-DNS attribute in Acct-Start,
or Acct-Stop messages.
You can control inclusion of the attribute by enabling
or disabling this command.
For this attribute, the value received from the RADIUS
server in the Access-Accept message is used in the accounting messages.
If the IPv6 secondary DNS server is configured in the
AAA domain map and is not returned from the RADIUS server, the Acct-Start,
Acct-Stop, or Interim-Acct messages report the value configured in
the AAA domain map.
host1(config)#radius include dhcp-gi-address acct-stop enable
Use the no version to restore
the default, disable.
[26-62] MLPPP-Bundle-Name
Use the following command to manage the MLPPP-Bundle-Name RADIUS
attribute.
radius include mlppp-bundle-name
radius include mlppp-bundle-name
Use to include the MLPPP-Bundle-Name attribute in Access-Request,
Acct-Start, Interim-Acct, or Acct-Stop messages.
You can control inclusion of the MLPPP-Bundle-Name attribute
by enabling or disabling this command.
There is no explicit command to include the MLPPP-Bundle-Name
attribute in Interim-Acct messages; however, the attribute is automatically
included in Interim-Acct messages when the attribute is enabled for
Acct-Stop messages.
host1(config)#radius include mlppp-bundle-name acct-start enable
Use the no version to restore
the default, disable.
[26-63] Interface-Desc
Use the following command to manage the Interface-Desc RADIUS
attribute.
radius include interface-description
radius include interface-description
Use to include the Interface-Desc attribute, with the
subscriber’s access interface description, in Access-Request,
Acct-Start, Interim-Acct, or Acct-Stop messages.
You can control inclusion of the Interface-Desc attribute
by enabling or disabling this command. Inclusion is disabled by default.
There is no explicit command to include the Interface-Desc
attribute in Interim-Acct messages; however, the attribute is automatically
included in Interim-Acct messages when the attribute is enabled for
Acct-Stop messages.
Use the following command to manage the Ipv6-NdRa-Prefix RADIUS
attribute.
radius include ipv6-nd-ra-prefix
radius include ipv6-nd-ra-prefix
Use to include the IPv6-NdRa-Prefix attribute in Acct-Start,
or Acct-Stop messages.
You can control inclusion of the attribute by enabling
or disabling this command.
The value of this attribute received from the RADIUS server
in the Access-Accept message is included in the accounting messages.
For dynamic interfaces, if the Ipv6-NdRa-Prefix attribute
is configured in the profile and is not returned from RADIUS server,
this attribute is not included in the Acct-Start, Acct-Stop, and Interim-Acct
messages.
The Max-Clients-Per-Interface RADIUS attribute is the maximum
number of PPPoE client sessions supported per interface. For DHCP
clients, this value is the maximum number of PPPoE sessions per logical
interface. For PPPoE, this value is the maximum number of PPPoE subinterfaces
per PPPoE major interface. See JUNOSe Release Notes, Appendix
A, System Maximums corresponding to your software release
for information about the maximum number of PPPoE subinterfaces per
PPPoE major interface supported for each line module.
Use the following command to manage the Max-Clients-Per-Interface
RADIUS attribute.
radius ignore pppoe-max-session
radius ignore pppoe-max-session
Use to cause the Max-Clients-Per-Interface attribute to
be ignored in Access-Accept messages returned by the RADIUS server.
You can control this behavior by enabling or disabling
this command. Ignoring the Max-Clients-Per-Interface attribute is
enabled by default.
Example 1—Ignores the Max-Clients-Per-Interface
attribute returned by the RADIUS server; this is the default behavior
When you issue this command, the router passes the
value of the Max-Clients-Per-Interface attribute to the PPP application.
PPP, in turn, sends this value to the PPPoE application, which determines
whether or not to tear down the PPPoE interface based on the maximum
session limit for this subscriber.
Use the no version to restore
the default, enable.
[26-150] ICR-Partition-Id
Use the following commands to manage the ICR-Partition-Id RADIUS
attribute.
radius include icr-partition-id
radius icr-partition-accounting
radius include icr-partition-id
Use to include the ICR-Partition-Id attribute in Access-Request,
Acct-Start, or Acct-Stop messages.
You can control inclusion of the attribute by enabling
or disabling this command.
Example
host1(config)#radius include icr-partition-id acct-start enable
Use the no version to restore
the default, disable.
radius icr-partition-accounting
Use to enable or disable sending of the ICR Partition-Accounting-On
or Partition-Accounting-Off messages to the RADIUS servers.
Both Partition-Accounting messages include the ICR-Partition-Id
VSA. Also, both these messages are sent to the RADIUS accounting server
configured on the virtual router where the ICR partition is configured
or the virtual router on which the ICR control interface is set up.
You can configure ICR partition accounting per virtual
router.
host1(config)#radius include ipv6-accounting acct-stop enable
Use the no version to restore
the default, disable.
ANCP-Related Juniper Networks VSAs
You use the radius include command to specify
information about Access Node Control Protocol (ANCP), also known
as Layer 2 Control (L2C), that you want to include in the RADIUS Access-Request,
Acct-Start, and Acct-Stop messages. Also, if you specify Acct-Stop
messages, the router includes ANCP information in Interim-Acct messages
that the router sends to RADIUS. By default, the router does not include
the ANCP-related information provided by the Juniper Networks VSAs
in RADIUS messages.
These Juniper Networks ANCP-related VSAs are based on definitions
in GSMP extensions for layer2 control (L2C) Topology Discovery and
Line Configuration—draft-wadhwa-gsmp-l2control-configuration-00.txt
(July 2006 expiration).
radius include l2cd-keyword
Use to include ANCP-related Juniper Networks VSAs in Access-Request,
Acct-Start, and Acct-Stop messages that the router sends to RADIUS.
If you enable inclusion of the ANCP-related VSAs in Acct-Stop messages,
the router also includes the VSAs in Interim-Acct messages. Inclusion
is disabled by default.
You must enable ANCP discovery with the discovery-mode command prior to configuring the radius include command with the ANCP-related VSAs. Configuring discovery mode enables
the RADIUS authentication server to retrieve ANCP information.
Table 43 lists the ANCP (L2C)-related
keywords that you can use in the radius include command and the associated Juniper
Networks VSAs. The table also indicates the mappings between ANCP
parameters and the VSAs.
Table 43: ANCP (L2C)-Related Keywords for radius include Command

Command Keyword             Juniper Networks VSA Number   Juniper Networks VSA Name   ANCP Type   ANCP Subtype
l2cd-acc-loop-cir-id        [26-110]                      Acc-Loop-Cir-Id             1           –
l2cd-acc-aggr-cir-id-bin    [26-111]                      Acc-Aggr-Cir-Id-Bin         2           –
l2cd-acc-aggr-cir-id-asc    [26-112]                      Acc-Aggr-Cir-Id-Asc         3           –
l2cd-act-data-rate-up       [26-113]                      Act-Data-Rate-Up            4           129
l2cd-act-data-rate-dn       [26-114]                      Act-Data-Rate-Dn            4           130
l2cd-min-data-rate-up       [26-115]                      Min-Data-Rate-Up            4           131
l2cd-min-data-rate-dn       [26-116]                      Min-Data-Rate-Dn            4           132
l2cd-att-data-rate-up       [26-117]                      Att-Data-Rate-Up            4           133
l2cd-att-data-rate-dn       [26-118]                      Att-Data-Rate-Dn            4           134
l2cd-max-data-rate-up       [26-119]                      Max-Data-Rate-Up            4           135
l2cd-max-data-rate-dn       [26-120]                      Max-Data-Rate-Dn            4           136
l2cd-min-lp-data-rate-up    [26-121]                      Min-LP-Data-Rate-Up         4           137
l2cd-min-lp-data-rate-dn    [26-122]                      Min-LP-Data-Rate-Dn         4           138
l2cd-max-interlv-delay-up   [26-123]                      Max-Interlv-Delay-Up        4           139
l2cd-act-interlv-delay-up   [26-124]                      Act-Interlv-Delay-Up        4           140
l2cd-max-interlv-delay-dn   [26-125]                      Max-Interlv-Delay-Dn        4           141
l2cd-act-interlv-delay-dn   [26-126]                      Act-Interlv-Delay-Dn        4           142
l2cd-dsl-line-state         [26-127]                      DSL-Line-State              4           143
l2cd-dsl-type               [26-128]                      DSL-Type                    4           144
Example
host1(config)#radius include l2cd-acc-loop-cir-id acct-start enable
Use the no version to restore
the default behavior, disable.
Note:
JUNOSe software continues to support DSL Forum VSAs (vendor
ID 3561) that you can use to include DSL-related information in RADIUS
messages. See DSL Forum VSAs.
You can use the radius include dsl-forum-attributes command to control the inclusion of a set of DSL Forum VSAs in Access-Request,
Acct-Start, Acct-Stop, and (if Acct-Stop messages are specified) Interim-Acct
messages that the router sends to RADIUS.
The DSL Forum VSAs, as defined in RFC 4679—DSL Forum Vendor-Specific
RADIUS Attributes (September 2006), convey information about
the subscriber associated with the DSL and about the data rate of the DSL. A service
provider might find it useful to enable inclusion of the DSL Forum
VSAs in RADIUS messages in order to bill subscribers for different
classes of service based on the data rate of their DSL connection.
The router receives data containing one or more of the DSL Forum
VSAs from a DSLAM connected to the router via a PPPoE interface. When
you enable the inclusion of the DSL Forum VSAs in these RADIUS messages,
the router includes all of the following attributes in the specified
message type, provided that the VSA is available in the information
that the router receives from the DSLAM.
Note:
The router uses the vendor ID assigned to the DSL Forum (3561,
or DE9 in hexadecimal format) by the Internet Assigned Numbers Authority
(IANA) for the DSL Forum VSAs.
Agent-Circuit-Id [26-1]
Agent-Remote-Id [26-2]
Actual-Data-Rate-Upstream [26-129]
Actual-Data-Rate-Downstream [26-130]
Minimum-Data-Rate-Upstream [26-131]
Minimum-Data-Rate-Downstream [26-132]
Attainable-Data-Rate-Upstream [26-133]
Attainable-Data-Rate-Downstream [26-134]
Maximum-Data-Rate-Upstream [26-135]
Maximum-Data-Rate-Downstream [26-136]
Minimum-Data-Rate-Upstream-Low-Power [26-137]
Minimum-Data-Rate-Downstream-Low-Power [26-138]
Maximum-Interleaving-Delay-Upstream [26-139]
Actual-Interleaving-Delay-Upstream [26-140]
Maximum-Interleaving-Delay-Downstream [26-141]
Actual-Interleaving-Delay-Downstream [26-142]
Access-Loop-Encapsulation [26-144]
IWF-Session [26-254]
For information about enabling the QoS downstream rate application
to obtain downstream rates from the Actual-Data-Rate-Downstream [26-130]
DSL Forum VSA, see the Configuring the Downstream Rate Using
QoS Parameters chapter in JUNOSe Quality of Service Configuration Guide.
For a more detailed description of the DSL Forum VSAs, see DSL Forum VSAs.
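The following is an added example, not part of the JUNOSe documentation: a Python parser that a RADIUS accounting collector could use to pull the DSL Forum VSAs listed above out of the attribute section of a packet, rejecting malformed lengths instead of reading past them. It assumes the standard Vendor-Specific layout of RFC 2865 and the value sizes of RFC 4679; the function names and the sample bytes are constructed for illustration.

```python
DSL_FORUM_VENDOR_ID = 3561  # 0xDE9, the IANA-assigned ID quoted on this page
NAMES = {  # sub-attribute numbers and names from the list on this page
    1: "Agent-Circuit-Id", 2: "Agent-Remote-Id",
    129: "Actual-Data-Rate-Upstream", 130: "Actual-Data-Rate-Downstream",
    131: "Minimum-Data-Rate-Upstream", 132: "Minimum-Data-Rate-Downstream",
    133: "Attainable-Data-Rate-Upstream", 134: "Attainable-Data-Rate-Downstream",
    135: "Maximum-Data-Rate-Upstream", 136: "Maximum-Data-Rate-Downstream",
    137: "Minimum-Data-Rate-Upstream-Low-Power",
    138: "Minimum-Data-Rate-Downstream-Low-Power",
    139: "Maximum-Interleaving-Delay-Upstream",
    140: "Actual-Interleaving-Delay-Upstream",
    141: "Maximum-Interleaving-Delay-Downstream",
    142: "Actual-Interleaving-Delay-Downstream",
    144: "Access-Loop-Encapsulation", 254: "IWF-Session",
}

def tlvs(buf):
    """Yield (type, value); the length octet counts the 2-byte header (RFC 2865)."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed attribute at offset {i}")
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def decode(sub, val):
    if 129 <= sub <= 142:  # data rates and interleaving delays: 32-bit integers
        if len(val) != 4:
            raise ValueError(f"{NAMES[sub]}: expected 4 value bytes, got {len(val)}")
        return int.from_bytes(val, "big")
    # IDs are text chosen by the access node; 144 and 254 stay as raw bytes.
    return val.decode("latin-1") if sub in (1, 2) else val

def dsl_forum_vsas(attrs):
    """Return the DSL Forum VSAs found in the attribute section of a RADIUS packet."""
    out = {}
    for t, val in tlvs(attrs):
        if t == 26 and len(val) >= 4 and int.from_bytes(val[:4], "big") == DSL_FORUM_VENDOR_ID:
            for sub, sval in tlvs(val[4:]):
                if sub in NAMES:
                    out[NAMES[sub]] = decode(sub, sval)
    return out

def _tlv(t, v):
    return bytes([t, len(v) + 2]) + v

# Constructed sample: User-Name, a VSA from a made-up vendor ID, then a DSL Forum VSA.
_dsl = _tlv(1, b"dslam1 atm 1/1:0.35") + _tlv(130, (8000000).to_bytes(4, "big")) + _tlv(254, b"")
SAMPLE = (_tlv(1, b"bob") + _tlv(26, (99999).to_bytes(4, "big") + _tlv(130, b"\x00"))
          + _tlv(26, DSL_FORUM_VENDOR_ID.to_bytes(4, "big") + _dsl))
```

Because the circuit and remote IDs originate at the access node, a collector should treat the decoded strings as untrusted input before using them in billing or log queries.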
radius include dsl-forum-attributes
Use to include the set of DSL Forum VSAs in Access-Request,
Acct-Start, and Acct-Stop messages that the router sends to RADIUS.
If you enable inclusion of the DSL Forum VSAs in Acct-Stop messages,
the router also includes the VSAs in Interim-Acct messages.
You can control inclusion of the DSL Forum VSAs in the
specified message type by enabling or disabling this command. Inclusion
is disabled by default.
When you enable inclusion of the DSL Forum VSAs for a
specified message type, the router includes in that message all of
the DSL Forum attributes that it receives from the DSLAM.
Example
host1(config)#radius include dsl-forum-attributes access-request enable
Use the no version to restore
the default behavior, disable.