Configuring Remote Access > Configuring RADIUS Authentication and Accounting Servers

Configuring RADIUS Authentication and Accounting Servers

The number of RADIUS servers you can configure depends on available memory.

The order in which you configure servers determines the order in which the router contacts those servers on behalf of clients.

Initially, a RADIUS client sends a request to a RADIUS authentication or accounting server. The RADIUS server uses the configured IP address, the UDP port number, and the secret key to make the connection. The RADIUS client waits for a response for a configurable timeout period and then retransmits the request. The RADIUS client retransmits the request for a user-configurable retry limit.

• If there is no response from the primary RADIUS server, the RADIUS client submits the request to the secondary RADIUS server using the timeout period and retry limit configured for the secondary RADIUS server.
• If the connection attempt fails for the secondary RADIUS server, the router submits the request to the tertiary server and so on until it either is granted access on behalf of the client or there are no more configured servers.
• If another authentication server is not configured, the router attempts the next method in the method list; for accounting server requests, the information is dropped.

For example, suppose that you have configured the following authentication servers: Auth1, Auth2, Auth3, Auth4, and Auth5. Your router attempts to send an authentication request to Auth1. If Auth1 is unavailable, the router submits the request to Auth2, then Auth3, and so on until an available server is found. If Auth5, the last configured authentication server, is not available, the router attempts the next method in the methods list. If the only method configured is RADIUS, then the router notifies the client that the request has been denied.

Server Access

The router offers two options by which servers are accessed:

• Direct—The first authentication or accounting server that you configure is treated as the primary authentication or accounting server, the next server configured is the secondary, and so on.
• Round-robin—The first configured server is treated as a primary for the first request, the second server configured as primary for the second request, and so on. When the router reaches the end of the list of servers, it starts again at the top of the list until it comes full cycle through the list.

Use the radius algorithm command to specify the server access method.

When you configure the first RADIUS accounting server, a RADIUS Acct-On message is sent. When you delete the last accounting server, a RADIUS Acct-Off message is sent.

Server Request Processing Limit

Authentication servers and accounting servers use different UDP ports on the router. This enables the same IP address to be used for both an authentication server and an accounting server. Note however, that the same IP address cannot be used for multiple authentication servers or for multiple accounting servers.

Each authentication and accounting server supports up to 4,000 concurrent RADIUS requests. For example, an authentication server at address 10.10.0.1, using UDP port 1812, supports a maximum of 4,000 authentication requests. The accounting server at 10.10.0.1, using UDP port 1813, supports a maximum of 4,000 accounting requests.

The E-series router listens to UDP source (or local) port 50000 for RADIUS authentication responses and to UDP source port 50016 for RADIUS accounting responses. Each UDP source port supports a maximum of 255 RADIUS requests. When the 255 limit is reached, the router opens the next source port. When the 4,000 requests-per-server limit is reached, the router submits the request to the next configured server.

Authentication and Accounting Methods

When you configure AAA authentication and accounting services for your B-RAS environment, one important task is to specify the authentication and accounting method used. The JUNOSe software gives you the flexibility to configure authentication or accounting methods based on the type of subscriber. This feature allows you to enable RADIUS authentication for some subscribers, while disabling authentication completely for other subscribers. Similarly, you can enable RADIUS accounting for some subscribers, but no accounting for others. For example, you might use RADIUS authentication for ATM 1483 subscribers, while granting IP subscriber management interfaces access without authentication (using the none keyword).

You can specify the authentication or accounting method you want to use, or you can specify multiple methods in the order in which you want them used. For example, if you specify the radius keyword followed by the none keyword when configuring authentication, AAA initially attempts to use RADIUS authentication. If no RADIUS servers are available, AAA uses no authentication. The JUNOSe software currently supports radius and none as accounting methods and radius, none, and local as authentication methods. See Configuring Local Authentication Servers on page 34 for information about local authentication.

You can configure authentication and accounting methods based on the following types of subscribers:

• ATM 1483
• Tunnels (for example, L2TP tunnels)
• PPP
• RADIUS relay server
• IP subscriber management interfaces
  

  NOTE: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JUNOSe software's subscriber management feature.

  
  

Immediate Accounting Updates

You can use the aaa accounting immediate-update command to configure immediate accounting updates on a per-VR basis. If you enable this feature, the E-series router sends an Acct-Update message to the accounting server immediately on receipt of a response (ACK or timeout) to the Acct-Start message.

This feature is disabled by default. Use the enable keyword to enable immediate updates and the disable keyword to halt them.

The accounting update contains 0 (zero) values for the input/output octets/packets and 0 (zero) for uptime. If you have enabled duplicate or broadcast accounting, the accounting update goes to both the primary virtual router context and the duplicate or broadcast virtual router context.

Duplicate and Broadcast Accounting

Normally, the JUNOSe software sends subscriber-related AAA accounting information to the virtual router that authenticates the subscriber. If an operational virtual router is configured that is different from the authentication router, it also receives the accounting information. You can optionally configure duplicate or broadcast AAA accounting, which sends the accounting information to additional virtual routers simultaneously. The accounting information continues to be sent to the authenticating virtual router, but not to the operational virtual router.

Both the duplicate and broadcast accounting features are supported on a per-virtual router context, and enable you to specify particular accounting servers that you want to receive the accounting information. For example, you might use broadcast accounting to send accounting information to a group of your private accounting servers. Or you might use duplicate accounting to send the accounting information to a customer's accounting server.

• Duplicate accounting—Sends the accounting information to a particular virtual router
• Broadcast accounting—Sends the accounting information to a group of virtual routers. An accounting virtual router group can contain up to four virtual routers and the E-series router supports a maximum of 100 virtual router groups. The accounting information continues to be sent to the duplicate accounting virtual router, if one is configured.

Configuring AAA Duplicate Accounting

To configure and enable duplicate accounting on a virtual router, you use the aaa accounting duplication command with the name of the accounting server that will receive the information. For example, to enable duplicate accounting for the default virtual router:

host1(config)#aaa accounting duplication xyzCompanyServer 

Configuring AAA Broadcast Accounting

To configure and enable broadcast accounting on a virtual router:

1. Create the virtual router group and enter VR Group Configuration mode:

host1(config)#aaa accounting vr-group groupXyzCompany

host1(vr-group-config)#

2. Add up to four virtual routers to the group. The accounting information will be sent to all virtual routers in the group.

host1(vr-group-config)#aaa virtual-router 1 vrXyz1

host1(vr-group-config)#aaa virtual-router 2 vrXyz2

host1(vr-group-config)#aaa virtual-router 3 vrXyz3

host1(vr-group-config)#exit

host1(config)#

3. Enable broadcast accounting. Enter the correct virtual router context, and specify the virtual router group whose virtual routers will receive the accounting information.

host1(config)#virtual-router opVr100

host1:opVr100(config)#aaa accounting broadcast groupXyzCompany 

Overriding AAA Accounting NAS Information

AAA accounting packets normally include two RADIUS attributes—NAS-IP-Address [4] and NAS-Identifier [32]—of the virtual router that generates the accounting information. You can override the default configuration and specify that accounting packets from particular broadcast virtual routers instead include the NAS-IP-Address and NAS-Identifier attributes of the authenticating virtual router.

To override the normal AAA accounting NAS information, access the correct virtual router context, and use the radius override nas-info command. For example:

host1(config)#virtual-router vrXyz1

host1:vrXyz1(config)#radius override nas-info 

host1:vrXyz1(config)#virtual-router vrXyz2

host1:vrXyz2(config)#radius override nas-info 

host1:vrXyz3(config)#exit 

host1(config)#

UDP Checksums

Each virtual router on which you configure B-RAS is enabled to perform UDP checksums by default. You can disable and reenable UDP checksums.

Configuring RADIUS AA Servers

The number of RADIUS servers you can configure depends on available memory. The router has an embedded RADIUS client for authentication and accounting.

NOTE: You can configure B-RAS with RADIUS accounting, but without RADIUS authentication. In this configuration, the username and password on the remote end are not authenticated and can be set to any value.

You must assign an IP address to a RADIUS authentication or accounting server to configure it.

If you do not configure a primary authentication or accounting server, all authentication and accounting requests will fail. You can configure other servers as backup in the event that the primary server cannot be reached. Configure each server individually.

To configure an authentication or accounting RADIUS server:

1. Specify the authentication or accounting server address.

host1(config)#radius authentication server 10.10.10.1

host1(config-radius)#

or

host1(config)#radius accounting server 10.10.10.6

host1(config-radius)#

2. (Optional) Specify a UDP port for RADIUS authentication or accounting server requests.

host1(config-radius)#udp-port 1645

3. Specify an authentication or accounting server secret.

host1(config-radius)#key gismo

4. (Optional) Specify the number of retries the router makes to an authentication or accounting server before it attempts to contact another server.

host1(config-radius)#retransmit 2

5. (Optional) Specify the number of seconds between retries.

host1(config-radius)#timeout 5

6. (Optional) Specify the maximum number of outstanding requests.

host1(config-radius)#max-sessions 100

7. (Optional) Specify the amount of time to remove a server from the available list when a timeout occurs.

host1(config-radius)#deadtime 10

8. (Optional) In Global Configuration mode, specify whether the E-series router should move on to the next RADIUS server when the router receives an Access-Reject message for the user it is authenticating.

host1(config)#radius rollover-on-reject enable

9. (Optional) Enable duplicate address checking.

host1(config)aaa duplicate-address-check enable

10. (Optional) Specify that duplicate accounting records be sent to the accounting server for a virtual router.

host1(config)#aaa accounting duplication routerBoston

11. (Optional) Enter the correct virtual router context, and specify the virtual router group to which broadcast accounting records are sent.

host1(config)#virtual-router vrSouth25

host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38

host1:vrSouth25(config)#exit

12. (Optional) Specify that immediate accounting updates be sent to the accounting server when a response is received to an Acct-Start message.

host1(config)#aaa accounting immediate-update

13. (Optional) Specify that tunnel accounting be enabled or disabled.

host1(config)#radius tunnel-accounting enable

14. (Optional) Specify the default authentication and accounting methods for the subscribers.

host1(config)#aaa authentication ppp default radius none

15. (Optional) Disable UDP checksums on virtual routers you configure for B-RAS.

host1:(config)#virtual router boston

host1:boston(config)#radius udp-checksum disable

aaa accounting broadcast

• Use to enable AAA broadcast accounting on a virtual router. Specifies that accounting records be sent to the accounting servers on the virtual routers in the named virtual router group.
• A virtual router group can be used in any virtual router context, not just the context in which it is created.
• Example

host1(config)#virtual-router vrSouth25

host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38

host1:vrSouth25(config)#exit

• Use the no version to disable the AAA broadcast accounting.

aaa accounting default

• Use to specify the accounting method used for a particular type of subscriber.
• Specify one of the following types of subscribers:

• atm1483
• tunnel
• ppp
• radius-relay
• ip (IP subscriber management interfaces)
  

  NOTE: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JUNOSe software's subscriber management feature.

  
  

• Specify one of the following types of accounting methods:

• radius—RADIUS accounting for the specified subscribers.
• none—No accounting is done for the specified subscribers.
• radius none—Multiple types of accounting; used in the order specified. For example, radius none specifies that RADIUS accounting is initially used; however, if RADIUS servers are not available, no accounting is done.

• Example

host1(config)#aaa accounting atm1483 default radius

• Use the no version to set the accounting protocol to the default, radius.

aaa accounting duplication

• Use to enable AAA duplicate accounting on a virtual router. Specifies that duplicate accounting records be sent to the accounting server on another virtual router.
• Example

host1(config)#aaa accounting duplication routerBoston

• Use the no version to disable the feature.

aaa accounting immediate-update

• Use to send an accounting update to the accounting server immediately on receipt of a response for an Acct-Start message.
• Use the enable keyword to enable immediate updates. Use the disable keyword to disable immediate updates. Immediate updates are disabled by default.
• Example

host1(config)#aaa immediate-update enable

• Use the no version to restore the default condition, disabling immediate updates.

aaa accounting interval

• Use to specify the accounting interval between updates. Note that interim accounting is not supported for integrated DHCP access server (I-DAS).
• Select an interval in minutes from 10-1440. The default is 0, which means that the feature is disabled.
• Example

host1(config)#aaa accounting interval 60

• Use the no version to turn off interim accounting.

aaa accounting vr-group

• Use to create an accounting virtual router group and enter VR Group Configuration mode. Virtual routing groups are used for AAA broadcast accounting.
• A virtual router group can have up to four virtual routers. The accounting servers of the virtual routers in the group receive broadcast accounting records that are forwarded to the group.
• The E-series router supports a maximum of 100 virtual router groups.
• When creating a virtual router group, you must add at least one virtual router to the group; otherwise, the group is not created.
• A virtual router group can be used in any virtual router context, not just the context in which it is created.
• Example

host1(config)#aaa accounting vr-group westVrGroup38 

host1(config-vr-group)#

• Use the no version to delete the accounting virtual router group.

aaa authentication default

• Use to specify the authentication method used for a particular type of subscriber.
• Specify one of the following types of subscribers:

• atm1483
• tunnel
• ppp
• radius-relay
• ip (IP subscriber management interfaces)
  

  NOTE: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JUNOSe software's subscriber management feature.

  
  

• Specify one of the following types of accounting methods:

• radius—RADIUS authentication for the specified subscribers.
• none—Grants the specified subscribers access without authentication.
• radius none—Multiple types of authentication; used in the order specified. For example, radius none specifies that RADIUS authentication is initially used; however, if RADIUS servers are not available, users are granted access without authentication.

• Example

host1(config)#aaa authentication ip default radius

• Use the no version to set the authentication protocol to the default, radius.

aaa duplicate-address-check

• Use to enable or disable routing table address lookup or duplicate address check.
• The router checks the routing table for returned addresses for PPP users. If the address existed, then the user was denied access.
• You can disable this routing table address lookup or duplicate address check with the aaa duplicate-address-check command.
• Example

host1(config)#aaa duplicate-address-check enable

• There is no no version.

aaa virtual-router

• Use to add virtual routers to a virtual router group. During AAA broadcast accounting, accounting records are sent to the accounting servers on the virtual routers in the named virtual router group.
• You can add up to four virtual routers to a virtual router group. Use the indexInteger parameter to specify the order (1-4) in which the virtual routers receive the accounting information. The indexInteger is used with the no version to delete a specific virtual router from a group (see Example 2).
• A virtual router name consists of 1-32 alphanumeric characters.
• The virtual router names in the group must be unique. An error message appears if you enter a duplicate name.
• Example 1

host1(config)#aaa accounting vr-group westVrGroup38 

host1(config-vr-group)#aaa virtual-router 1 vrWestA

host1(config-vr-group)#aaa virtual-router 2 vrWestB

host1(config-vr-group)#aaa virtual-router 4 vrSouth1

• Example 2

host1(config-vr-group)#no aaa virtual-router 2 

• Use the no version of the command with the indexInteger parameter to delete a specific virtual router from a group. If all virtual routers in a group are deleted, the group is also deleted; a group must contain at least one virtual router.

deadtime

• Use to configure the amount of time (0-30 minutes) that a server is marked as unavailable if a request times out for the configured retry count.
• If a server fails to answer a request, the router marks it unavailable. The router does not send requests to the server until the router receives a response from the server or until the configured time is reached, whichever occurs first.
• If all servers fail to answer a request, then instead of marking all servers as unavailable, all servers are marked as available.
• To turn off the deadtime mechanism, specify a value of 0.
• Example

host1(config)#radius authentication server 10.10.0.1

host1(config-radius)#deadtime 10

• Use the no version to set the time to the default value, 0

key

• Use to configure secrets on the primary, secondary, and tertiary authentication servers.
• The authentication or accounting server secret is a text string used by RADIUS to encrypt the client and server authenticator field during exchanges between the router and a RADIUS authentication server. The router encrypts PPP PAP passwords using this text string.
• The default is no server secret.
• Example

host1(config)#radius authentication server 10.10.8.1

host1(config-radius)#key gismo

• Use the no version to remove the secret.
  

  NOTE: Authentication fails if no key is specified for the authentication server.

  
  

logout subscribers

• Use to issue an administrative reset to the user's connection to disconnect the user.
• From Privilege Exec mode, you can logout all subscribers, or logout subscribers by username, domain, virtual-router, or port.
• This command applies only to PPP users.
• Example

host1#logout subscribers username bmurphy

• There is no no version.

max-sessions

• Use to configure the number of outstanding requests supported by an authentication or accounting server.
• The E-series router supports up to 4,000 concurrent RADIUS authentication requests and up to 4,000 concurrent accounting requests. If the 4,000 request limit is reached, the router sends the request to the next server.
• The same IP address can be used for both an authentication and accounting server (but not for multiple servers of the same type). The router uses different UDP ports for authentication servers and accounting servers.
• For each multiple of 255 requests (the RADIUS protocol limit), the router opens a new UDP source (or local) port on the server to send and receive RADIUS requests and responses.
• Example

host1(config)#radius authentication server 10.10.0.1

host1(config-radius)#max-sessions 100

• Use the no version to restore the default value, 255.

no radius client

• Use to remove all RADIUS servers for the virtual router context and to delete the E-series RADIUS client for the virtual router context.
• Example

host1:boston(config)#no radius client

• There is no no version.

radius algorithm

• Use to specify the algorithm—either direct or round-robin—that the E-series RADIUS client uses to contact the RADIUS server.
• Example

host1(config)#radius algorithm round-robin

• Use the no version to set the algorithm to the default, direct.

radius override nas-info

• Use to configure the RADIUS client to include the NAS-IP-Address [4] and NAS-Identifier [32] RADIUS attributes of the authenticating virtual router in accounting packets when the client performs AAA broadcast accounting. Normally, the accounting packets include the NAS-IP-Address and NAS-Identifier of the virtual router that generated the accounting information.
• This override operation is a per-virtual router specification; use this command in the correct virtual router context.
• This command is ignored if the authenticating virtual router does not have a configured RADIUS server.
• Example

host1(config)#virtual-router vrXyz1

host1:vrXyz1(config)#radius override nas-info 

host1:vrXyz1(config)#exit

• Use the no version to restore inclusion of the NAS-IP-Address [4] and NAS-Identifier [32] RADIUS attributes of the virtual router that requested the accounting information.

radius rollover-on-reject

• Use to specify whether the router rolls over to the next RADIUS server when the router receives an Access-Reject message for the user it is authenticating.
• Example

host1(config)#radius rollover-on-reject enable

• Use the no version to set the default of disable.

radius server

• Use to specify the IP address of authentication and accounting servers.
• Example

host1(config)#radius authentication server 10.10.10.1

host1(config-radius)exit

host1(config)#radius authentication server 10.10.10.2

host1(config-radius)exit

host1(config)#radius authentication server 10.10.10.3

host1(config-radius)exit

host1(config)#radius accounting server 10.10.10.20

host1(config-radius)exit

host1(config)#radius accounting server 10.10.10.30

• Use the no version to delete the instance of the RADIUS server.

radius tunnel-accounting

• Use to specify that tunnel accounting be enabled or disabled.
• This command turns on accounting messages: Tunnel-Start, Tunnel-Stop, Tunnel-Reject, Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject, as described in RFC 2867.
• Your router supports tunnel accounting for the L2TP LAC and LNS.
• Example

host1(config)#radius tunnel-accounting enable

• Use the no version to set the default, disabled.

radius udp-checksum

• Use to disable UDP checksums on virtual routers you configure for B-RAS.
• Issue this command in the context of the appropriate virtual router.
• Example

host1(config)#virtual router boston

host1:boston(config)#radius udp-checksum disable

• Use the no version to reenable UDP checksums on virtual routers you configure for B-RAS.

radius update-source-addr

• Use to specify an alternate source IP address for the router to use rather than the default router ID.
• Example

host1(config)#radius update-source-addr 192.168.40.23

• Use the no version to delete the parameter so that the router uses the router ID.

retransmit

• Use to set the maximum number of times that the router retransmits a RADIUS packet to an authentication or accounting server.
• If there is no response from the primary RADIUS authentication or accounting server in the specified number of retries, the client sends the request to the secondary server. If there is no response from the secondary server, the router sends the request to the tertiary server, and so on.
• Example

host1(config)#radius authentication server 10.10.8.1

host1(config-radius)#retransmit 2

• Use the no version to set the value to the default, 3 retransmits.

test aaa

• Use to verify RADIUS authentication and accounting and IP address assignment setup.
• You must specify either a PPP or Multilink PPP (MLPPP) user. PPP indicates a regular PPP user. MLPPP simulates Multilink PPP so that if multiple test commands are issued, all test users are bound by the same address.
• The command uses a username and password and attempts to authenticate a user, get an address assignment, and issue a start accounting request.
• Optionally, you can specify the virtual router context in which to authenticate the user.
• The command pauses for several seconds, then terminates the session by issuing a stop accounting request and an address release.
• Example

host1#test aaa ppp jsmith mypassword virtual-router charlie2

 NOTE: Specifying the password to associate with the username is optional. Specifying a virtual router is optional.



 

• There is no no version.

timeout

• Use to set the number of seconds before the router retransmits a RADIUS packet to an authentication or accounting server.
• If the interval is reached and there is no response from the primary RADIUS authentication or accounting server, the router attempts another retry. When the retry limit is reached, the client sends the request to the secondary server. When the retry limit for the secondary server is reached, the router attempts to reach the tertiary server, and so on.
  

  NOTE: After the fourth retransmission, the configured timeout value is ignored, and the router uses a backoff algorithm that increases the timeout between each succeeding transmission. The backoff algorithm is:

  
  
• Example

host1(config)#radius authentication server 10.10.0.1

host1(config-radius)#timeout 5

• Use the no version to restore the default value, 3 seconds.
  

  NOTE: When a RADIUS server times out or when it has no available RADIUS identifier values, the router removes the RADIUS server from the list of available servers for a period of time. The router restores all configured servers to the list if it is about to remove the last server. Restoring the servers avoids having an empty server list.

  
  

udp-port

• Use to configure the UDP port on the router where the RADIUS authentication servers reside. The router uses this port to communicate with the RADIUS authentication servers.
• For an authentication server, specify a port number in the range 0-65536. The default is 1812.
• For an accounting server, specify a port number in the range 0-65536. The default is 1813.
• Example

host1(config)#radius authentication server 10.10.9.1

host1(config-radius)#udp-port 1645

• Use the no version to set the port number to the default value.

SNMP Traps and System Log Messages

The router can send Simple Network Management Protocol (SNMP) traps to alert network managers when:

• A RADIUS server fails to respond to a request.
• A RADIUS server that previously failed to respond to a request (and was consequently removed from the list of active servers) returns to active service.

Returning to active service means that the E-series RADIUS client receives a valid response to an outstanding RADIUS request after the server is marked unavailable.

• All RADIUS servers within a VR context fail to respond to a request.

The router also generates system log messages when RADIUS servers fail to respond or when they return to active service; no configuration is required for system log messages.

SNMP Traps

The router generates SNMP traps and system log messages as follows:

• If the first RADIUS server fails to respond to the RADIUS request, the E-series RADIUS client issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server timed out. The E-series RADIUS client will not issue another system log message or SNMP trap regarding this RADIUS server until the deadtime expires, if configured, or for 3 minutes if deadtime is not configured.
• The E-series RADIUS client then sends the RADIUS request to the second configured RADIUS server. If the second RADIUS server fails to respond to the RADIUS request, the E-series RADIUS client again issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server timed out.
• This process continues until either the E-series RADIUS client receives a valid response from a RADIUS server or the list of configured RADIUS servers is exhausted. If the list of RADIUS servers is exhausted, the E-series RADIUS client issues a system log message and, if configured, an SNMP trap indicating that all RADIUS servers have timed out.

If the E-series RADIUS client receives a RADIUS response from a "dead" RADIUS server during the deadtime period, the RADIUS server is restored to active status.

If the router receives a valid RADIUS response to an outstanding RADIUS request, the E-series client issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server is now available.

System Log Messages

You do not need to configure system log messages. The router automatically sends them when individual servers do not respond to RADIUS requests and when all servers on a VR fail to respond to requests. The following are the formats of the warning level system log messages:

RADIUS [ authentication | accounting ] server serverAddress unavailable in VR 
virtualRouterName [; trying nextServerAddress]

RADIUS no [ authentication | accounting ] servers responding in VR 
virtualRouterName

RADIUS [ authentication | accounting ] server serverAddress available in VR 
virtualRouterName

Configuring SNMP Traps

This section describes how to configure the router to send traps to SNMP when RADIUS servers fail to respond to messages, and how to configure SNMP to receive the traps.

To set up the router to send traps:

1. (Optional) Enable SNMP traps when a particular RADIUS authentication server fails to respond to Access-Request messages.

host1(config)#radius trap auth-server-not-responding enable 

2. (Optional) Enable SNMP traps when all of the configured RADIUS authentication servers on a VR fail to respond to Access-Request messages.

host1(config)#radius trap no-auth-server-responding enable

3. (Optional) Enable SNMP traps when a RADIUS authentication server returns to active service.

host1(config)#radius trap auth-server-responding enable

4. (Optional) Enable SNMP traps when a RADIUS accounting server fails to respond to a RADIUS accounting request.

host1(config)#radius trap acct-server-not-responding enable

5. (Optional) Enable SNMP traps when all of the RADIUS accounting servers on a VR fail to respond to a RADIUS accounting request.

host1(config)#radius trap no-acct-server-responding enable

6. (Optional) Enable SNMP traps when a RADIUS accounting server returns to active service.

host1(config)#radius trap acct-server-responding enable

To set up SNMP to receive RADIUS traps:

1. Set up the appropriate SNMP community strings.

host1(config)#snmp-server community admin view everything rw

host1(config)#snmp-server community private view user rw 

host1(config)#snmp-server community public view everything ro 

2. Specify the interface whose IP address is the source address for SNMP traps.

host1(config)#snmp-server trap-source fastEthernet 0/0

3. Configure the host that should receive the SNMP traps.

host1(config)#snmp-server host 10.10.132.93 version 2c 3 udp-port 162 radius 

4. Enable the SNMP router agent to receive and forward RADIUS traps.

host1(config)#snmp-server enable traps radius 

5. Enable the SNMP on the router.

host1(config)#snmp-server

 NOTE: For more information about these SNMP commands, see Configuring Traps in JUNOSe System Basics Configuration Guide, Chapter 3, Configuring SNMP.



 

radius trap acct-server-not-responding

• Use to enable or disable SNMP traps when a particular RADIUS accounting server fails to respond to a RADIUS accounting request.
• The associated SNMP object is rsRadiusClientTrapOnAcctServerUnavailable.
• Example

host1(config)#radius trap acct-server-not-responding enable

• Use the no version to return to the default setting, disable.

radius trap acct-server-responding

• Use to enable or disable SNMP traps when a RADIUS accounting server returns to service after being marked as unavailable.
• The associated SNMP object is rsRadiusClientTrapOnAcctServerAvailable.
• This command affects only the current VR context.
• Example

host1(config)#radius trap acct-server-responding enable

• Use the no version to restore the default, disable.

radius trap auth-server-not-responding

• Use to enable or disable SNMP traps when a RADIUS authentication server fails to respond to a RADIUS Access-Request message.
• The associated SNMP object is rsRadiusClientTrapOnAuthServerUnavailable.
• Example

host1(config)#radius trap auth-server-not-responding enable 

• Use the no version to return to the default setting, disabled.

radius trap auth-server-responding

• Use to enable RADIUS to send SNMP traps when a RADIUS authentication server returns to service after being marked as unavailable.
• The associated SNMP object is rsRadiusClientTrapOnAuthServerAvailable.
• This command affects only the current VR context.
• Example

host1(config)#radius trap auth-server-responding enable

• Use the no version to restore the default setting, disabled.

radius trap no-acct-server-responding

• Use to enable or disable SNMP traps when all of the configured RADIUS accounting servers per VR fail to respond to a RADIUS accounting request.
• The associated SNMP object is rsRadiusClientTrapOnNoAcctServerAvailable.
• Example

host1(config)#radius trap no-acct-server-responding enable

• Use the no version to return to the default setting, disabled.

radius trap no-auth-server-responding

• Use to enable or disable SNMP traps when all of the configured RADIUS authentication servers per VR fail to respond to a RADIUS Access-Request message.
• The associated SNMP object is rsRadiusClientTrapOnNoAuthServerAvailable.
• Example

host1(config)#radius trap no-auth-server-responding enable

• Use the no version to return to the default setting, disabled.