Technical Documentation

Configuring Access Profiles for L2TP or PPP Parameters (NSM Procedure)

You can set up access profiles to validate Layer 2 Tunneling Protocol (L2TP) connections and session requests. You can configure multiple profiles. You can also configure multiple clients for each profile. See the following topics:

  1. Configuring Access Profile (NSM Procedure)
  2. Configuring Accounting Parameters for Access Profiles (NSM Procedure)
  3. Configuring the Accounting Order (NSM Procedure)
  4. Configuring the Authentication Order (NSM Procedure)
  5. Configuring the Authorization Order (NSM Procedure)
  6. Configuring the L2TP Client (NSM Procedure)
  7. Configuring the Client Filter Name (NSM Procedure)
  8. Configuring the LDAP Options (NSM Procedure)
  9. Configuring the LDAP Server (NSM Procedure)
  10. Configuring the Provisioning Order (NSM Procedure)
  11. Configuring RADIUS Parameters for AAA Subscriber Management (NSM Procedure)
  12. Configuring the RADIUS Parameters (NSM Procedure)
  13. Configuring the RADIUS for Subscriber Access Management, L2TP, or PPP (NSM Procedure)
  14. Configuring Session Limit (NSM Procedure)

Configuring Access Profile (NSM Procedure)

To configure an access profile in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 1.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 1: Access Profile Properties Configuration Details

Task Your Action

Configure access profile properties.
  1. Click Add new entry next to Profile.
  2. In the Name box, enter the name of the profile.
  3. In the Comment box, enter the comment.

Configuring Accounting Parameters for Access Profiles (NSM Procedure)

To configure RADIUS accounting parameters for an access profile in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 2.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 2: Accounting Parameter Configuration Details

Task Your Action

Configure RADIUS accounting parameters and enable RADIUS accounting for an access profile.

  1. Click Add new entry next to Profile.
  2. Click Accounting next to profile.
  3. In the Comment box, enter the comment.
  4. Select the Accounting Stop On Failure check box to configure RADIUS accounting to send an Acct-Stop message when client access fails AAA but the AAA server grants access.
  5. Select the Accounting Stop On Access Deny check box to configure RADIUS accounting to send an Acct-Stop message when the AAA server denies a client access.
  6. Select the Immediate Update check box to configure the router to send an Acct-Update message to the RADIUS accounting server on receipt of a response (for example, an ACK or timeout) to the Acct-Start message.
  7. From the Update Interval list, select the amount of time between updates, in minutes.

    Range: 10 through 1440 minutes

    Default: no updates

  8. From the Statistics list, select the time statistics for the sessions being managed by AAA.

Configuring the Accounting Order (NSM Procedure)

Beginning with JUNOS Release 8.0, you can configure RADIUS accounting for an Layer 2 Tunneling Protocol (L2TP) profile. With RADIUS accounting enabled, Juniper Networks routers, acting as RADIUS clients, can notify the RADIUS server about user activities such as software logins, configuration changes, and interactive commands. When you enable RADIUS accounting for an L2TP profile, it applies to all the clients within that profile. You must enable RADIUS accounting on at least one LT2P profile for the RADIUS authentication server to send accounting stop and start messages.

To configure accounting order in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 3.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 3: Accounting Order Configuration Details

Task Your Action

Configure the accounting order.
  1. Click Add new entry next to Profile.
  2. Click Accounting Order next to Profile.
  3. Click Add new entry next to Accounting Order.
  4. In the New accounting-order window, select radius to use RADIUS accounting method.

Configuring the Authentication Order (NSM Procedure)

You can configure the order in which the JUNOS Software tries different authentication methods when authenticating peers. For each access attempt, the software tries the authentication methods in order, from first to last.

To configure authentication order in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 4.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 4: Authentication Order Configuration Details

Task Your Action

Configure the authentication order.
  1. Click Add new entry next to Profile.
  2. Click Authentication Order next to Profile.
  3. Click Add new entry next to Accounting Order.
  4. In the New authentication-order window, select the order in which the JUNOS Software tries different authentication methods when verifying that a client can access the router.

Configuring the Authorization Order (NSM Procedure)

To configure authorization order in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 5.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 5: Authorization Order Configuration Details

Task Your Action

Configure the authorization order.
  1. Click Add new entry next to Profile.
  2. Click Authorization Order next to Profile.
  3. Click Add new entry next to Authorization Order.
  4. In the New authorization-order window, select the authorization order.

Configuring the L2TP Client (NSM Procedure)

To configure the Layer 2 Tunneling Protocol (L2TP) Client in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 6.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 6: Client Configuration Details

Task Your Action

Configure the client.
  1. Click Add new entry next to Profile.
  2. Click Client next to Profile.
  3. Click Add new entry next to Client.
  4. In the Name box, enter the client name.
  5. In the Comment box, enter the comment.
  6. In the Chap Secret box, enter the secret key associated with a peer.
  7. In the pap password box, enter the Password Authentication Protocol (PAP) password.

Configure a client group.
  1. Click Client Group next to client.
  2. Click Add new entry next to Client Group.
  3. In the New client-group window, enter the client group.

Configure a firewall user.
  1. Click Firewall User next to client.
  2. In the Comment box, enter the comment.
  3. In the Password box, enter the password.

Configure PPP properties for a client profile.
  1. Click Ppp next to client.
  2. Select ike to configure an IKE access profile.
    1. In the Comment box, enter the comment.
    2. Select Initiate Dead Peer Detection to detect inactive peers on dynamic IPSec tunnels.
    3. In the Interface Id box, enter the interface identifier.
    4. Click Allowed Proxy Pair next to Ike.
    5. Click Add new entry next to Allowed Proxy Pair.
    6. In the Local box, enter the network address of the local peer.
    7. In the Remote box, enter the network address of the remote peer.
    8. In the Comment box, enter the comment.
    9. Click Pre Shared Key next to Ike.
      1. Select pre-shared-key to configure the key used to authenticate a dynamic peer during IKE phase 1 negotiation and select the key.
      2. In the Comment box, enter the comment.
      3. Click Ascii Text next to Pre Shared key.
      4. In the ascii-text box, enter the string.
      5. Select Ike-policy to authenticate dynamic peers during IKE negotiation and select the policy name.

Configuring the Client Filter Name (NSM Procedure)

To configure restrictions on client names in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 10.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 7: Client Filter Name Configuration Details

Task Your Action

Configure the restrictions on client names.
  1. Click Add new entry next to Profile.
  2. Click Client Name Filter next to profile.
  3. In the Comment box, enter the comment.
  4. In the Domain Name box, enter the domain name.
  5. In the Separator box, enter the separator character in domain name.
  6. From the Count list, select the number of separator instances.

    Range: 0 through 255

Configuring the LDAP Options (NSM Procedure)

To configure Lightweight Directory Access Protocol (LDAP) options in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 8.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 8: Ldap Options Configuration Details

Task Your Action

Configure lightweight directory access protocol options.
  1. Click Add new entry next to Profile.
  2. Click Ldap Options next to profile.
  3. In the Comment box, enter the comment.
  4. From the Revert Interval list, select the amount of time the router waits after a server has become unreachable.

    Range: 60 through 4294967295

    Default: 600

  5. In the Base Distinguished Name box, enter the suffix when assembling user distinguished name (DN) or base DN under which to search for user DN.

Derive user distinguished name from common-name and base-distinguished-name.
  1. Click Assemble next to Ldap Options.
  2. Select one of the following:
    • assemble—To derive user distinguished name from common-name and base-distinguished-name.
      1. In the Comment box, enter the comment.
      2. In the Common Name box, enter the common name.
    • search—To search for user's distinguished name.
      1. In the Comment box, enter the comment.
      2. In the Search Filter box, enter the filter to use in search.
      3. Click Admin Search next to Search.
      4. In the Comment box, enter the comment.
      5. In the Distinguished Name box, enter the user distinguished name.
      6. In the Password box, enter the password.

Configuring the LDAP Server (NSM Procedure)

To configure Lightweight Directory Access Protocol (LDAP) server in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 9.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 9: Ldap Server Configuration Details

Task Your Action

Configure LDAP server.
  1. Click Add new entry next to Profile.
  2. Click Ldap Server next to profile.
  3. Click Add new entry next to Ldap Server.
  4. In the Name box, enter the name of the server.
  5. In the Comment box, enter the comment.
  6. From the Port list, select the port number on which to contact the RADIUS server (LDAP server)
  7. In the Source Address box, enter a valid IPv4 address configured on one of the router interfaces. On M Series routers only, the source address can be an IPv6 address and the UDP source port is 514.
  8. From the Routing Instances list, select the routing instance name.
  9. From the Retry list, select the number of times that the router is allowed to attempt to contact a RADIUS server.

    Range: 1 through 10

    Default: 3

  10. From the Timeout list, select the amount of time that the local router waits to receive a response from a RADIUS server.

    Range: 3 through 90

    Default: 5

Configuring the Provisioning Order (NSM Procedure)

To configure the provisioning order in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 10.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 10: Provisioning Order Configuration Details

Task Your Action

Configure the provisioning order.
  1. Click Add new entry next to Profile.
  2. Click Provisioning Order next to profile.
  3. Click Add new entry next to Provisioning Order.
  4. In the New provisioning-order window, select the order in which provisioning mechanisms are used.

Configuring RADIUS Parameters for AAA Subscriber Management (NSM Procedure)

You can specify the RADIUS parameters for the subscriber access manager feature. You can specify the IP addresses of the RADIUS servers used for authentication and accounting, options that provide configuration information for the RADIUS servers, and how RADIUS attributes are used.

To configure radius parameters for AAA subscriber management in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 11.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 11: Radius Parameter Configuration Details

Task Your Action

Configure the RADIUS parameters.
  1. Click Add new entry next to Profile.
  2. Click Radius next to Profile.
  3. In the Comment box, enter the comment.

Specify a list of the RADIUS accounting servers used for accounting for Dynamic Host Configuration Protocol (DHCP), Layer 2 Tunneling Protocol (L2TP), and Point-to-Point Protocol (PPP) clients.

  1. Click Attributes next to Radius.
  2. In the Comment box, enter the comment.

Configure the router to exclude the specified attributes from the specified type of RADIUS message.

  1. Click Exclude next to Radius.
  2. In the Comment box, enter the comment.
  3. From the listed RADIUS attribute type, select the attributes to be excluded.

    RADIUS attribute types are:

    • accounting-authentic—RADIUS attribute 45, Acct-Authentic
    • accounting-delay-time—RADIUS attribute 41, Acct-Delay-Time
    • accounting-session-id—RADIUS attribute 44, Acct-Session-Id
    • accounting-terminate-cause—RADIUS attribute 49, Acct-Terminate-Cause
    • called-station-id—RADIUS attribute 30, Called-Station-Id
    • calling-station-id—RADIUS attribute 31, Calling-Station-Id
    • class—RADIUS attribute 25, Class
    • dhcp-gi-address—Juniper VSA 26-57, DHCP-GI-Address
    • dhcp-mac-address—Juniper VSA 26-56, DHCP-MAC-Address
    • Dhcp Options— Excludes RADIUS attribute 26-55
    • event-timestamp—RADIUS attribute 55, Event-Timestamp
    • framed-ip-address—RADIUS attribute 8, Framed-IP-Address
    • framed-ip-netmask—RADIUS attribute 9, Framed-IP-Netmask
    • input-filter—Juniper VSA 26-10, Ingress-Policy-Name
    • input-gigapackets—Juniper VSA 26-42, Acct-Input-Gigapackets
    • input-gigawords—RADIUS attribute 52, Acct-Input-Gigawords
    • interface-description—Juniper VSA 26-53, Interface-Desc
    • nas-identifier—RADIUS attribute 32, NAS-Identifier
    • nas-port—RADIUS attribute 5, NAS-Port
    • nas-port-id—RADIUS attribute 87, NAS-Port-Id.
    • nas-port-type—RADIUS attribute 61, NAS-Port-Type
    • output-filter—Juniper VSA 26-11, Egress-Policy-Name
    • output-gigapackets—Juniper VSA 25-43, Acct-Output-Gigapackets
    • output-gigawords—RADIUS attribute 53, Acct-Output-Gigawords

Configure the router to ignore the specified attributes in RADIUS Access-Accept messages.

  1. Click Ignore next to client.
  2. In the Comment box, enter the comment.
  3. Select the following check boxes to ignore the specified attributes:
    • output-filter—Egress-Policy-Name (VSA 26-11)
    • input-filter—Ingress-Policy-Name (VSA 26-10)
    • framed-ip-netmask—Framed-IP-Netmask (RADIUS attribute 9
    • logical-system-routing-instance—Virtual-Router (VSA 26-1)

Specify a list of the RADIUS authentication servers used to authenticate DHCP, L2TP, and PPP clients.

  1. Click Authentication Server next to Radius.
  2. Click Add new entry next to Authentication Server.
  3. In the New authentication-server window, enter the IPv4 address.

Configure the options used by RADIUS authentication and accounting servers.

  1. Click Options next to Radius.
  2. In the Comment box, enter the comment.
  3. Select the Ethernet Port Type Virtual check box to specify a port type of virtual.
  4. From the Interface Description Format list, select the information that is included in or omitted from the interface description that the router passes to RADIUS for inclusion in the RADIUS attribute 87 (NAS-Port-Id).

    Select one of the following:

    • sub-interface—To specify the subinterface.
    • adapter—To specify the adapter.
  5. In the Nas Identifier box, enter a string in the range from 1 to 64 characters.
  6. From the Accounting Session Id Format list, select the format the router uses to identify the accounting session. Select one of the following:
    • decimal—To use the decimal format.
    • description—To use the generic format, in the form jnpr interface-specifier:subscriber-session-id.

      Default: decimal

  7. From the Revert Interval list, select the amount of time the router waits after a server has become unreachable.

    Range: 60 through 4294967295 seconds

    Default: 600 seconds

  8. Select the vlan-nas-port-stacked-format check box to configure RADIUS attribute 5 (NAS-Port) to include the S-VLAN ID, in addition to the VLAN ID, for subscribers on Ethernet interfaces.

Configure the RADIUS client to use the extended format for RADIUS attribute 5 (NAS-Port) and specify the width of the fields in the NAS-Port attribute.

  1. Click Nas Port Extended Format next to Options.
  2. In the Comment box, enter the comment.
  3. From the Slot Width list, select the number of bits in the slot field.
  4. From the Adapter Width list, select the number of bits in the adapter field.
  5. From the Port Width list, select the number of bits in the port field.
  6. From the Stacked Vlan Width list, select the number of bits in the SVLAN ID field.
  7. From the Vlan Width list, select the number of bits in the VLAN ID field.

Configuring the RADIUS Parameters (NSM Procedure)

You can specify the options used by the RADIUS authentication and accounting servers.

To configure the radius parameters in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 12.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Note: To create a profile, the device should be in the in-device policy mode.

Table 12: Radius Parameters Configuration Details

Task Your Action

Configure the radius parameters.
  1. Click Add new entry next to Profile.
  2. Click Radius Options next to Profile.
  3. In the Comment box, enter the comment.
  4. From the Revert Interval list, select the amount of time the router waits after a server has become unreachable.

    Default: 600 seconds

Configuring the RADIUS for Subscriber Access Management, L2TP, or PPP (NSM Procedure)

You can configure RADIUS for subscriber access management, L2TP, or PPP. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.

To configure the radius server in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 13.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 13: Radius Server Configuration Details

Task Your Action

Configure the RADIUS servers.
  1. Click Add new entry next to Profile
  2. Click Radius Server next to Profile.
  3. In the Name box, enter the profile name.
  4. In the Comment box, enter the comment.
  5. From the Port list, select the port number on which to contact the RADIUS server.

    Default: 1812 (as specified in RFC 2865)

  6. In the Secret box, enter the password to use with the RADIUS server. The secret password used by the local router must match that used by the server.
  7. From the Timeout list, select the amount of time that the local router waits to receive a response from a RADIUS server.

    Range: 3 through 90 seconds

    Default: 3 seconds

  8. From the Retry list, select the number of times that the router is allowed to attempt to contact a RADIUS server.

    Range: 1 through 10

    Default: 3

  9. In the Source Address box, enter a valid IPv4 address configured on one of the router interfaces.
  10. From the Routing Instance list, select the routing instance name.

Configuring Session Limit (NSM Procedure)

To configure the timeout limit in NSM:

  1. In the NSM navigation tree, select Device Manager > Devices.
  2. Click the Device Tree tab, and then double-click the device to select it.
  3. Click the Configuration tab. In the configuration tree, expand Access.
  4. Select Profile.
  5. Add or modify settings as specified in Table 14.
  6. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 14: Session Limit Configuration Details

Task Your Action

Configure the timeout interval.
  1. Click Add new entry next to Profile.
  2. Click Session Options next to Profile.
  3. In the Comment box, enter the comment.
  4. From the Client Idle Timeout list, select the time in minutes of idleness after which access is denied.

    Range: 1 through 255 minutes

  5. From the Client Session Timeout list, select the time in minutes since initial access after which access is denied.

Configure a client group.
  1. Click Client Group next to Session Option.
  2. Click Add new entry next to Client Group.
  3. In the New client-group window, enter the client group.

Published: 2009-08-23