RADIUS-Based Mirroring

RADIUS-based mirroring enables you to mirror traffic related to a specific user, without regard to how often the user logs on or off, or which E-series router or interface is used by the user. RADIUS-based mirroring is particularly appropriate for large networks, because you can use a single RADIUS server to mirror multiple E-series routers in a service provider's network.

You configure RADIUS-based mirroring independent of the actual mirroring session—you can configure the mirroring parameters at any time. RADIUS-based mirroring uses RADIUS and VSAs, rather than CLI commands, to specify the user whose traffic is to be mirrored. The VSAs specify attributes that are carried in Access-Accept messages and change-of-authorization messages from the RADIUS dynamic-request server to the E-series router.

NOTE: You cannot use RADIUS-initiated mirroring to mirror static interfaces, which might not be authenticated through RADIUS. To mirror static interfaces, you must use CLI-based IP mirroring. NOTE: Lawful intercept configuration is not supported if the LAC uses domain maps to create tunnels or if authentication is disabled for both LAC and PPP termination.

RADIUS Attributes Used for Mirroring

You must include the RADIUS attributes shown in Table 41 in the mirrored user's RADIUS record, except for IP mirroring. For IP mirroring, you must include both or neither VSA 59 and 61. If only one of these two VSAs is used, the configuration will fail.

The RADIUS attribute Acct-Session-ID [44] is needed to enable RADIUS-initiated mirroring when the user is already logged on.

 Table 41:  RADIUS-Based Mirroring Attributes

 Standard Number
 Attribute Name
 Setting

 [44]

 Acct-Session-ID

 String


 [26-58] 

 LI-Action

 0 = disable mirroring 
1 = enable mirroring
2 = no action 


 [26-59]

 Interception-Identifier

 String (not null-terminated)


 [26-60]

 MD-IP-Address

 IP address of mediation device


 [26-61]

 MD-Port-Number

 UDP port number of monitoring application in mediation device



 


 



 NOTE: An LI-Action setting of 2 specifies that the router does not perform any lawful intercept-related configuration. This setting can provide additional security by confusing unauthorized users who attempt to access lawful intercept communication between the router and the RADIUS server.



 

Mirroring MLPPP Sessions

When you use RADIUS-based lawful intercept on MLPPP traffic, RADIUS authentication and authorization is performed on the individual links. The mirroring-related VSAs are returned with the RADIUS response. For user-initiated mirroring, which starts when the user logs on, a RADIUS response is returned for each successful authentication/authorization. For RADIUS-initiated mirroring of a user who is already logged on, a single RADIUS request is sent for each link.

• If you are mirroring an L2TP session, the lawful intercept operation is enabled or disabled on a single link that is uniquely identified by the Acct-Session-ID (RADIUS attribute 44); the individual links in the MLPPP bundle are mirrored separately. Note that the lawful intercept configuration fails if you use the Acct-Multi-Session-ID attribute (RADIUS attribute 50) for the configuration.
• If you are mirroring an IP session, the lawful intercept operation is enabled or disabled on the MLPPP bundle as a whole. The Acct-Session-ID attribute (44) uniquely identifies a single link in an MLPPP bundle; then all links in that bundle are mirrored. The same is true for disabling mirroring. The Acct-Session-ID identifies a link; then mirroring is disabled for all links in the same bundle as the specified link.

Prepended Header

During a RADIUS-based mirroring operation, the router prepends a special UDP/IP header to each mirrored packet that is sent to the analyzer port. This prepended header is created by the policy-mirroring action, and is used for demultiplexing at the analyzer to sort through the multiple mirrored streams that arrive from different sources.

All mirrored L2TP session packets are prepended with UDP/IP header. However, for IP traffic mirroring, the prepend header is optional; the header is added if the mirroring-related VSAs (VSAs 59 and 61) are included in the RADIUS message. If the VSAs are not included, a CLI-based IP mirroring action is indicated, and the prepend header is not used.

NOTE: For IP mirroring, either both or neither VSA 26-59 and 26-61 must be included. If only one of the VSAs is used, the configuration will fail.

Figure 32 shows the structure of the prepended header. The values in parentheses indicate the fixed value for individual fields. For fields that do not have a fixed value listed, the value is dynamically created for each mirrored packet. Table 42 lists the fields in the prepended header and shows the values and field length.

Figure 32: Prepended Header

 Table 42:  Prepended Header Field Descriptions

 Field
 Value
 Size 

 IP Header

 Version

 4

 4 bits


 IHL

 5

 4 bits


 Type of Service

 0

 8 bits


 Total Length

 Dynamically computed

 16 bits


 Identification

 Dynamically computed

 16 bits


 Flags

 Dynamically computed

 3 bits


 Fragment Offset

 Dynamically computed

 13 bits


 Time to Live

 255

 8 bits


 Protocol

 17

 8 bits


 Header Checksum

 Dynamically computed 

 16 bits


 Source Address

 Analyzer port IP address

 32 bits


 Destination Address

 VSA 26-60

 32 bits


 UDP Header

 Source Port

 VSA 26-61

 16 bits


 Destination Port

 VSA 26-61

 16 bits


 Length

 Dynamically computed

 16 bits


 Checksum

 0

 16 bits


 Intercept Header

 IHV (intercept header value)

 0 

 2 bits


 Interception Identifier

 See Format of the Intercept Header Attributes for details

 30 bits


 Session-ID

 See Format of the Intercept Header Attributes for details 

 32 bits



 

Format of the Intercept Header Attributes

The intercept header values are determined by the value that you configure in VSA 26-59. VSA 26-59 is declared as a hexadecimal string that can be either 8 bytes or 4 bytes long. The 8-byte format enables you to further specify the value that is used for the Session-ID field. If you use the 4-byte format, the router automatically determines the Session-ID field. The value in the 2-bit version field specifies the format that is used—0 indicates the 8-byte format, and 1 indicates the 4-byte format.

8-Byte Format

The VSA 26-59 8-byte format enables you to manually specify the Session-ID value in addition to the Interception-Identifier value. To use this format, you configure the the first two most significant bits of the first word of the VSA to a value of 0. The router then expects exactly two words in VSA 26-59. The remaining 30 bits of the first word form the Interception-Identifier value, and the second word is the Session-ID field. You cannot change the order of these two words.

For example, a value of 0000030000000090 in VSA 26-59 configures the following fields in the intercept header, as shown in Figure 33:

• IHV = 0
• Interception Identifier = 0x300
• Session-ID = 0x90

Figure 33: 8-Byte Format of VSA 26-59

4-Byte Format

To use the 4-byte format of VSA 26-59, you specify a version of 1 in the first two most significant bits of the VSA. This indicates a single word in the VSA, and the router uses the remaining 30 bits of the word as the Interception Identifier value. The router then creates the Session-ID value based on the least significant 32 bits of the Acct-Session-ID (RADIUS attribute 44).

For example, a value of 40000010 for VSA 26-59 configures the following fields in the Intercept header, as shown in Figure 34:

• IHV = 1
• Interception Identifier = 0x10

Figure 34: 4-Byte Format of VSA 26-59

Secure Policies

RADIUS-based mirroring uses secure policies, which are based on the RADIUS VSAs that are created by an authorized RADIUS administrator. A policy is dynamically created when the mirroring action is initiated at the RADIUS server, and then applied to the interface that is dynamically created for the user. When the mirroring operation is disabled, the secure policy is deleted.

Secure policies are dynamically named. The E-series router creates a name that consists of the string "spl" followed by a hexadecimal integer, such as spl_0x88000008. The name is displayed by the show secure policy-list command.

Resolving and Tracking the Mediation Device's Address

The RADIUS attribute MD-IP-Address [26-60] is the address of the mediation device (the analyzer). The router performs a route lookup to resolve the mediation device's address and to ensure that traffic can be forwarded to the mediation device for analysis.

The lawful intercept secure policy is always created and attached when the mirroring is initiated. However, the mediation device is considered unreachable through that interface if the router's analyzer interface is not in analyzer mode, or is not yet created, or if the routes to the mediation device are absent.

If the mediation device is unreachable, then the mirror action in the secure policy is disabled, and no packets are mirrored at the interface at which this secure policy is attached. The show secure policy-list command output indicates that the mirror action is disabled and the mediation device is unreachable.

The router tracks the mediation device's IP address for any route changes within the router. This tracking ability provides a degree of failure recovery by enabling you to configure multiple analyzer ports to serve as redundant ports to reach the mediation device.

Sequence of Events

Figure 35 shows the sequence of events that take place during RADIUS-based mirroring. The tables after the figure describe the events indicated by the numbers and letters in the figure. Table 43 describes the configuration process; Table 44 describes the flow of traffic during a mirroring operation that is initiated when the user logs on; and Table 45 describes the flow of traffic when mirroring a user who is already logged on.

Figure 35: RADIUS-Based Mirroring

To create a lawful intercept environment, the processes shown in Table 43 must be completed.

 Table 43:  Setting Up the Lawful Intercept Environment

 Process
 Description

 A

 Authorized agency requests lawful intercept of the user's traffic and configures the mediation device to receive mirrored traffic.


 B

 ISP administration configures VSAs in the user's RADIUS record.


 C

 E-series router administrator configures RADIUS server information and the analyzer port connection to the mediation device.



 

Table 44 shows the sequence of steps for a lawful intercept operation that takes place when a user starts a new session.

 Table 44:  RADIUS-Based Mirroring During Session Start

 Step
 Description

 1

 User logs on to an E-series router, requesting authentication by RADIUS server


 2


  
 RADIUS server authenticates the user and sends lawful intercept VSAs and any other configured VSAs to the router. 
  
 The router creates a secure policy based on the VSAs and starts mirroring the user's traffic.



 3

 Router sends the user's original traffic to its intended destination


 4

 Router sends the mirrored traffic to mediation device. 


 5

 Mediation device provides information for the requesting agency. 



 

Table 45 shows the sequence of steps for a lawful intercept operation that is configured for a currently running session.

 Table 45:  RADIUS-Based Mirroring of Currently Running Session 

 Step
 Description

 1

 User logs on to the E-series router; no mirroring action is configured.


 2


  
 Lawful intercept is enabled on the RADIUS server.
  
 RADIUS server sends change-of-authorization messages containing lawful intercept VSAs to the router.
  
 Router creates a secure policy based on the VSAs and starts mirroring the user's traffic.



 3

 Router sends the user's original traffic to its intended destination


 4

 Router sends mirrored traffic to the mediation device. 


 5

 Mediation device provides information for the requesting agency. 



 

Configuring RADIUS-Based Mirroring

To configure the RADIUS-based mirroring environment, you must coordinate the mirroring operations of three devices in the network: the RADIUS server, the E-series router, and the mediation device. The configuration of the RADIUS server and the mediation device is described in this section for reference only. The actual configuration procedures depend on the policies and guidelines established by the responsible organizations.

Configuring the RADIUS Server

Table 41 lists the VSAs that are included for both types of RADIUS-based mirroring—user-initiated (when the user logs on to start a new session), and RADIUS-initiated (when the user is already logged on).

Disabling RADIUS-Based Mirroring

To disable mirroring, you include the Acct-Session-ID and set the LI-Action attribute to 0 in the mirrored user's RADIUS record.

Configuring the Mediation Device

The mediation device must be configured to receive the mirrored traffic from the E-series router's analyzer port.

Configuring the E-series Router: Start Mirroring When User Logs On

To configure the router to support RADIUS-based mirroring that will be started when the user logs on:

• Configure RADIUS server authentication information in the router. See JUNOSe Broadband Access Configuration Guide, Chapter 1, Configuring Remote Access for information.
• Ensure that the analyzer port is configured to send the mirrored traffic to the mediation device.

• (Optional) For increased security, create an IPSec tunnel between the analyzer port and the mediation device.

Configuring the E-series Router: Mirror User Who Is Already Logged On

To configure the router to support RADIUS-initiated mirroring when the user is already logged on:

• Specify the RADIUS server that will send change-of-authorization messages to the router.
• Specify the UDP port used to communicate with the RADIUS server.
• Configure the key used when communicating with the RADIUS server.
• Enable the router to receive change-of-authorization messages from the RADIUS server.
• Ensure that the analyzer port is configured to send the mirrored traffic to the mediation device.

• (Optional) For increased security, create an IPSec tunnel between the analyzer port and the mediation device.

Example—Configuring RADIUS-Initiated Mirroring When a User is Already Logged On

When a mirroring operation is initiated for a user who is already logged on, the RADIUS server uses change-of-authorization messages and passes the required RADIUS attributes and the identifier of the currently running session to the E-series router. The router uses this information to create the secure policy and attaches it to the interface that is created for the user. The E-series router must be configured to accept change-of-authorization messages from the RADIUS server.

1. Specify the RADIUS dynamic-request server, and enter RADIUS configuration mode.

host1(config)#radius dynamic-request server 192.168.11.0 

2. Specify the UDP port used to communicate with the RADIUS server.

host1(config-radius)#udp-port 3799

3. Create the key used to communicate with the RADIUS server.

host1(config-radius)#key mysecret

4. Configure the router to receive change-of-authorization messages from the RADIUS server.

host1(config-radius)#lawful-intercept change 

host1(config-radius)#exit

host1(config)#exit

5. Verify your RADIUS-initiated mirroring configuration.

host1#show radius dynamic-request servers

RADIUS Dynamic Request Configuration

-------------------------------

   IP       Udp

 Address    Port   Secret   Disconnect   Lawful-Intercept

---------   ----   ------   ----------   ----------------

 10.10.3.4  3799   secret    enabled         enabled 

6. Create the analyzer port.

host1(config)#interface fastEthernet 4/0

host1(config-if)#ip analyzer

Commands

This section lists the commands you use to configure RADIUS-based IP interface mirroring.

ip analyzer

• Use to configure an interface as an analyzer port. The analyzer port directs mirrored traffic to the specified mediation device for analysis.
• You can configure the interface as the virtual router's default analyzer port. Multiaccess interfaces, such as IP over Ethernet, cannot be configured as default analyzer ports.
• When mirroring an IP interface, the analyzer port must reside in the same virtual router as the mirrored interface. When mirroring an L2TP interface, the analyzer port must reside in the default virtual router.
  

  NOTE: You must configure a static route to reach the mediation device through the analyzer port. If the analyzer port is an IP over Ethernet interface, you must also configure a static Address Resolution Protocol (ARP) entry to reach the mediation device.

  
  
• Any type of IP interface on the E-series router can be configured as an analyzer port, except for special interfaces such as SRP interfaces, null interfaces, and loopback interfaces.
• An interface cannot be both an analyzer port and a mirrored interface at the same time.
• A single analyzer port can support multiple mirrored interfaces.
• The receive side of the analyzer port is disabled. All traffic attempting to access the router through an analyzer port is dropped.
• Analyzer ports drop all nonmirrored traffic.
• Policies are not supported. When you configure an analyzer port, existing policies are disabled, and no new policies are accepted.
• Example

host1(config-if)#ip analyzer default 

• Use the no version to remove the analyzer port configuration from the interface.

key

• A text string used by RADIUS to encrypt the client and server authenticator field during exchanges between the E-series router's RADIUS dynamic-request server and a RADIUS server. The key is used during RADIUS-initiated mirroring operations when the user is already logged on. The router salt-encrypts VSAs using this text string.
• The key can be a maximum of 32 characters.
• The default is no server secret.
• Connection to the RADIUS server fails if you do not specify a key.
• Example

host1(config)#radius dynamic-request server 192.168.5.3

host1(config-radius)#key mysecret

• Use the no version to remove the secret.

lawful-intercept change

• Enables receipt of change-of-authorization messages from the RADIUS server, which are used during RADIUS-initiated mirroring of a user who is already logged on.
• Example

host1(config)#radius dynamic-request server 192.168.5.3

host1(config-radius)#lawful-intercept change

• Use the no version to disable the creation of new RADIUS-initiated mirroring sessions. Current RADIUS-initiated mirrored sessions continue to be mirrored.

radius server

• Use to specify the IP address of the RADIUS server and enter RADIUS configuration mode.
• The dynamic-request server is used during RADIUS-initiated mirroring of a user who is already logged on.
• Example

host1(config)#radius dynamic-request server 192.168.5.3

host1(config-radius)#

• Use the no version to remove the RADIUS server.

udp-port

• Use to configure the UDP port that the router uses to communicate with the RADIUS server and to receive change of authorization messages.
• Specify a port number in the range 1-65535.
• Example

host1(config)#radius dynamic-request server 192.168.5.3

host1(config-radius)#udp-port 1645 

• Use the no version to set the port number to the default value, 1700.