Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring AAA on the Broadband Gateway

    Requirements

    This example uses the following hardware and software components:

    • Junos OS Release 11.2W
    • Juniper Networks MobileNext Broadband Gateway, including the following components:
      • MX240 3D Universal Edge Router, MX480 3D Universal Edge Router, or MX960 3D Universal Edge Router
      • Mobile Multiservices DPC (MS-DPC)
      • Mobile 10-Gigabit Ethernet MPC with SFP+ or Mobile 60-Gigabit Ethernet Enhanced Queuing MPC line card

    Overview

    This example documents an authentication, authorization, and accounting (AAA) configuration where the broadband gateway interacts with a collection of RADIUS servers to provide AAA services to mobile subscribers accessing an access point name (APN). The RADIUS servers are configured into network elements, and some of the network elements are placed into a network element group. One of the network elements provides authentication services, and the network element group receives the accounting messages.

    One of the RADIUS servers is configured to provide support for dynamic requests, such as Change of Authorization (CoA) requests and Disconnect requests. Note that this dynamic request server is not part of a network element.

    The APN is configured to use the RADIUS server for IP address assignment. When a mobile subscriber is authenticated, the Access-Accept message specifies the IP address to be assigned to the subscriber. If a mobile subscriber cannot be authenticated based on the contents of the Create PDP Context Request or Create Session Request message, then the mobile subscriber is authenticated with the username of “aaa” and the password “Password123.”

    The AAA configuration example consists of the following parts:

    1. Configuring the RADIUS servers.

      This part of the configuration establishes settings for the dynamic request server, radiusDR, and eight other RADIUS servers, radius1 through radius8. The configurations for the RADIUS servers are basically identical, with some minor differences. Server radiusDR has dynamic requests enabled, which means that the broadband gateway acts upon CoA requests and Disconnect requests originating from the radiusDR server.

      Also note that dead server detection is configured for the RADIUS servers: the dead-criteria retries 10 interval 10 and revert-interval 100 statements mean that if the broadband gateway has to retransmit a request to the server 10 times over a 10-second interval, the server is marked “dead,” and the broadband gateway starts sending requests to a different server. After the revert-interval of 100 seconds, the server is marked “alive,” and the broadband gateway can direct requests to it again.

    2. Configuring the loopback interface.

      This part of the configuration set addresses on the lo0 interface for the dynamic request server and for the other RADIUS servers.

    3. Configuring the network elements.

      This part of the configuration creates three network elements: ne1, ne2, and ne3, which are made up of the RADIUS servers configured in part 1. In network element ne1, the radius1 and radius2 servers are configured as priority 1, and radius3 is priority 2. The load-balancing algorithm is configured as Direct. When the broadband gateway sends requests to ne1, they go only to the radius1 server, up to the point where radius1 is marked dead. At that point, they go to radius2. Once the revert-interval configured for radius1 (100 seconds) expires, the broadband gateway can start directing requests to radius1 again. Only if both priority 1 servers are marked dead, does the broadband gateway start sending requests to the priority 2 server, radius3.

      Network elements ne2 and ne3 both use the round-robin load-balancing algorithm. When sending requests to ne2, the broadband gateway sends the first request to radius4, the second request to radius5, the third to radius4, and so on. For ne3, since radius6 and radius7 are priority 1 servers, the broadband gateway alternates requests between the two servers. If both of the servers are marked dead, then the broadband gateway sends requests to the priority 2 server, radius8.

    4. Configuring the network element group.

      This part of the configuration creates a network element group, ne-grp1, consisting of network elements ne2 and ne3, which were configured in part 2. The broadband gateway sends accounting messages to the network elements in the group.

      In the example, the broadcast parameter is specified, which causes the broadband gateway to send the accounting messages to all of the network elements in the group. The mandatory option is configured for network element ne2, which means that a response is required from a server in ne2 before services can be provided to the mobile subscriber. If you configure the broadcast parameter for a network element group, you must specify the mandatory parameter for at least one of the network elements.

    5. Configuring the AAA profile.

      This part of the configuration sets up an AAA profile, aaa-prof. The AAA profile specifies that network element ne1 is used for authentication, and network element group ne-grp01 is used for accounting.

      For accounting, Interim-Update messages are sent every 10 minutes, and when any of the trigger events occur. The one exception is if the QoS profile applied by the broadband gateway for the PDP context/EPS bearer changes; that is, the broadband gateway receives an accounting message with a 3GPP-GPRS-Negotiated-QoS-Profile attribute (3GPP VSA 26-5) that has a value different from the one previously received. In this case, it does not trigger the broadband gateway to send an Interim-Update message.

      In the RADIUS messages it generates, the broadband gateway sets values for the following RADIUS attributes:

      • For the NAS-Identifier attribute (RADIUS attribute 32), the value is the string imagio, prefixed to the ID of the services PIC handling NAS functions for the mobile subscriber.
      • For the NAS-Port-Type attribute (RADIUS attribute 61), the value is set to wireless.

      The broadband gateway excludes certain RADIUS attributes from specific types of RADIUS messages it generates:

      • The Called-Station-Id attribute (RADIUS attribute 30) is excluded from Access-Request messages.
      • The Event-Timestamp attribute (RADIUS attribute 55) is excluded from Accounting Start messages.

      The broadband gateway ignores the Framed-Ip-Netmask attribute (RADIUS attribute 9) in Access-Accept messages it receives from the RADIUS server.

    6. Applying AAA services to an APN.

      This part of the configuration applies AAA services to an APN, internet123. The AAA services are configured for the APN by specifying the AAA profile to use—in this case, aaa-prof—configured in the previous part. When mobile subscribers attempt to gain access to this APN, they receive AAA services as indicated by the settings in the aaa-prof profile.

      In addition, the APN is configured to use AAA as the address assignment method. This means that the broadband gateway assigns an IP address to a mobile subscriber using information returned from the RADIUS server in the Access-Accept message.

      If the broadband gateway cannot determine the subscriber’s username and password from the Create PDP Context Request or Create Session Request message, then the username and password configured under anonymous-user are used to authenticate the subscriber.

    Configuration

    Configuring the RADIUS Servers

    CLI Quick Configuration

    To quickly configure this example, copy the following commands and paste them into the router terminal window:

    [edit]set access radius servers radiusDR address 50.50.50.110set access radius servers radiusDR secret "$9$BWYErvx7VY2axNs4oJkq"set access radius servers radiusDR allow-dynamic-requestsset access radius servers radiusDR dynamic-request-secret "$9$rXYKWxbs4Di.Ndi"set access radius servers radiusDR source-interface lo0.0 ipv4-address 200.6.80.1set access radius servers radius1 address 200.6.101.2set access radius servers radius1 secret "$9$BWYErvx7VY2axNs4oJkq"set access radius servers radius1 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"set access radius servers radius1 dead-criteria retries 10 interval 10set access radius servers radius1 revert-interval 100set access radius servers radius1 source-interface lo0.0 ipv4-address 200.6.88.1set access radius servers radius2 address 200.6.102.2set access radius servers radius2 secret "$9$BWYErvx7VY2axNs4oJkq"set access radius servers radius2 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"set access radius servers radius2 dead-criteria retries 10 interval 10set access radius servers radius2 revert-interval 100set access radius servers radius2 source-interface lo0.0 ipv4-address 200.6.88.1set access radius servers radius3 address 200.6.103.2set access radius servers radius3 secret "$9$BWYErvx7VY2axNs4oJkq"set access radius servers radius3 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"set access radius servers radius3 dead-criteria retries 10 interval 10set access radius servers radius3 revert-interval 100set access radius servers radius3 source-interface lo0.0 ipv4-address 200.6.88.1set access radius servers radius4 address 200.6.104.2set access radius servers radius4 secret "$9$BWYErvx7VY2axNs4oJkq"set access radius servers radius4 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"set access radius servers radius4 dead-criteria retries 10 interval 10set access radius servers radius4 revert-interval 100set access radius servers radius4 source-interface lo0.0 ipv4-address 200.6.88.1set access radius servers radius5 address 200.6.105.2set access radius servers radius5 secret "$9$BWYErvx7VY2axNs4oJkq"set access radius servers radius5 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"set access radius servers radius5 dead-criteria retries 10 interval 10set access radius servers radius5 revert-interval 100set access radius servers radius5 source-interface lo0.0 ipv4-address 200.6.88.1set access radius servers radius6 address 200.6.106.2set access radius servers radius6 secret "$9$BWYErvx7VY2axNs4oJkq"set access radius servers radius6 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"set access radius servers radius6 dead-criteria retries 10 interval 10set access radius servers radius6 revert-interval 100set access radius servers radius6 source-interface lo0.0 ipv4-address 200.6.88.1set access radius servers radius7 address 200.6.107.2set access radius servers radius7 secret "$9$BWYErvx7VY2axNs4oJkq"set access radius servers radius7 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"set access radius servers radius7 dead-criteria retries 10 interval 10set access radius servers radius7 revert-interval 100set access radius servers radius7 source-interface lo0.0 ipv4-address 200.6.88.1set access radius servers radius8 address 200.6.108.2set access radius servers radius8 secret "$9$BWYErvx7VY2axNs4oJkq"set access radius servers radius8 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"set access radius servers radius8 dead-criteria retries 10 interval 10set access radius servers radius8 revert-interval 100set access radius servers radius8 source-interface lo0.0 ipv4-address 200.6.88.1

    Step-by-Step Procedure

    To configure the RADIUS servers:

    1. Configure the settings for the dynamic request server, radiusDR. Enable dynamic request support, and specify a shared secret for dynamic request messages.
      [edit]user@pe1# set access radius servers radiusDR address 50.50.50.110user@pe1# set access radius servers radiusDR secret "$9$BWYErvx7VY2axNs4oJkq"user@pe1# set access radius servers radiusDR allow-dynamic-requestsuser@pe1# set access radius servers radiusDR dynamic-request-secret "$9$rXYKWxbs4Di.Ndi"user@pe1# set access radius servers radiusDR source-interface lo0.0 ipv4-address 200.6.80.1
    2. Configure the settings for the radius1 server.
      [edit]user@pe1# set access radius servers radius1 address 200.6.101.2user@pe1# set access radius servers radius1 secret "$9$BWYErvx7VY2axNs4oJkq"user@pe1# set access radius servers radius1 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"user@pe1# set access radius servers radius1 dead-criteria retries 10 interval 10user@pe1# set access radius servers radius1 revert-interval 100user@pe1# set access radius servers radius1 source-interface lo0.0 ipv4-address 200.6.88.1

      Note: Apart from the server name and address, the configuration of servers radius2 through radius8 is identical.

    3. Configure the settings for the radius2 server.
      [edit]user@pe1# set access radius servers radius2 address 200.6.102.2user@pe1# set access radius servers radius2 secret "$9$BWYErvx7VY2axNs4oJkq"user@pe1# set access radius servers radius2 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"user@pe1# set access radius servers radius2 dead-criteria retries 10 interval 10user@pe1# set access radius servers radius2 revert-interval 100user@pe1# set access radius servers radius2 source-interface lo0.0 ipv4-address 200.6.88.1
    4. Configure the settings for the radius3 server.
      [edit]user@pe1# set access radius servers radius3 address 200.6.103.2user@pe1# set access radius servers radius3 secret "$9$BWYErvx7VY2axNs4oJkq"user@pe1# set access radius servers radius3 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"user@pe1# set access radius servers radius3 dead-criteria retries 10 interval 10user@pe1# set access radius servers radius3 revert-interval 100user@pe1# set access radius servers radius3 source-interface lo0.0 ipv4-address 200.6.88.1
    5. Configure the settings for the radius4 server.
      [edit]user@pe1# set access radius servers radius4 address 200.6.104.2user@pe1# set access radius servers radius4 secret "$9$BWYErvx7VY2axNs4oJkq"user@pe1# set access radius servers radius4 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"user@pe1# set access radius servers radius4 dead-criteria retries 10 interval 10user@pe1# set access radius servers radius4 revert-interval 100user@pe1# set access radius servers radius4 source-interface lo0.0 ipv4-address 200.6.88.1
    6. Configure the settings for the radius5 server.
      [edit]user@pe1# set access radius servers radius5 address 200.6.105.2user@pe1# set access radius servers radius5 secret "$9$BWYErvx7VY2axNs4oJkq"user@pe1# set access radius servers radius5 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"user@pe1# set access radius servers radius5 dead-criteria retries 10 interval 10user@pe1# set access radius servers radius5 revert-interval 100user@pe1# set access radius servers radius5 source-interface lo0.0 ipv4-address 200.6.88.1
    7. Configure the settings for the radius6 server.
      [edit]user@pe1# set access radius servers radius6 address 200.6.106.2user@pe1# set access radius servers radius6 secret "$9$BWYErvx7VY2axNs4oJkq"user@pe1# set access radius servers radius6 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"user@pe1# set access radius servers radius6 dead-criteria retries 10 interval 10user@pe1# set access radius servers radius6 revert-interval 100user@pe1# set access radius servers radius6 source-interface lo0.0 ipv4-address 200.6.88.1
    8. Configure the settings for the radius7 server.
      [edit]user@pe1# set access radius servers radius7 address 200.6.107.2user@pe1# set access radius servers radius7 secret "$9$BWYErvx7VY2axNs4oJkq"user@pe1# set access radius servers radius7 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"user@pe1# set access radius servers radius7 dead-criteria retries 10 interval 10user@pe1# set access radius servers radius7 revert-interval 100user@pe1# set access radius servers radius7 source-interface lo0.0 ipv4-address 200.6.88.1
    9. Configure the settings for the radius8 server.
      [edit]user@pe1# set access radius servers radius8 address 200.6.108.2user@pe1# set access radius servers radius8 secret "$9$BWYErvx7VY2axNs4oJkq"user@pe1# set access radius servers radius8 accounting-secret "$9$rpEvX-Y2aUDkYgGiHqzF"user@pe1# set access radius servers radius8 dead-criteria retries 10 interval 10user@pe1# set access radius servers radius8 revert-interval 100user@pe1# set access radius servers radius8 source-interface lo0.0 ipv4-address 200.6.88.1

    Configuring the Loopback Interface

    CLI Quick Configuration

    To quickly configure this example, copy the following commands and paste them into the router terminal window:

    [edit]set interfaces lo0 unit 0 family inet address 200.6.80.1/32set interfaces lo0 unit 0 family inet address 200.6.88.1/32

    Step-by-Step Procedure

    1. Configure a loopback address for the dynamic request server. The dynamic request server uses this as the destination address for CoA requests and Disconnect requests.
      [edit]user@pe1# set interfaces lo0 unit 0 family inet address 200.6.80.1/32
    2. Configure a loopback address for the other RADIUS servers.
      [edit]user@pe1# set interfaces lo0 unit 0 family inet address 200.6.88.1/32

    Configuring the Network Elements

    CLI Quick Configuration

    To quickly configure this example, copy the following commands and paste them into the router terminal window:

    [edit]set access radius network-elements ne1 server radius1 priority 1set access radius network-elements ne1 server radius2 priority 1set access radius network-elements ne1 server radius3 priority 2set access radius network-elements ne1 algorithm directset access radius network-elements ne1 maximum-pending-reqs-limit 2048set access radius network-elements ne2 server radius4 priority 1set access radius network-elements ne2 server radius5 priority 1set access radius network-elements ne2 algorithm round-robinset access radius network-elements ne3 server radius6 priority 1set access radius network-elements ne3 server radius7 priority 1set access radius network-elements ne3 server radius8 priority 2set access radius network-elements ne3 algorithm round-robin

    Step-by-Step Procedure

    To configure the network elements:

    1. Configure the settings for network element ne1. Add RADIUS servers radius1, radius2, and radius3, set the load-balancing algorithm to direct, and set the maximum pending requests limit to 2048.
      [edit]user@pe1# set access radius network-elements ne1 server radius1 priority 1user@pe1# set access radius network-elements ne1 server radius2 priority 1user@pe1# set access radius network-elements ne1 server radius3 priority 2user@pe1# set access radius network-elements ne1 algorithm directuser@pe1# set access radius network-elements ne1 maximum-pending-reqs-limit 2048
    2. Configure the settings for network element ne2. Add RADIUS servers radius4 and radius5, and set the load-balancing algorithm to round-robin.
      [edit]user@pe1# set access radius network-elements ne2 server radius4 priority 1user@pe1# set access radius network-elements ne2 server radius5 priority 1user@pe1# set access radius network-elements ne2 algorithm round-robin
    3. Configure the settings for network element ne3. Add RADIUS servers radius6, radius7, and radius8, and set the load-balancing algorithm to round-robin.
      [edit]user@pe1# set access radius network-elements ne3 server radius6 priority 1user@pe1# set access radius network-elements ne3 server radius7 priority 1user@pe1# set access radius network-elements ne3 server radius8 priority 2user@pe1# set access radius network-elements ne3 algorithm round-robin

    Configuring the Network Element Group

    CLI Quick Configuration

    To quickly configure this example, copy the following commands and paste them into the router terminal window:

    [edit]set access radius network-element-group ne-grp1 network-element ne2 mandatoryset access radius network-element-group ne-grp1 network-element ne3set access radius network-element-group ne-grp1 broadcast

    Step-by-Step Procedure

    To configure the network element group:

    1. Add network elements ne2 and ne3 to network element group ne-grp1, and indicate that a response from ne2 is mandatory in order to provide services to the mobile subscriber.
      [edit]user@pe1# set access radius network-element-group ne-grp1 network-element ne2 mandatoryuser@pe1# set access radius network-element-group ne-grp1 network-element ne3
    2. Configure accounting messages to be broadcast to all of the network elements in the group.
      [edit]user@pe1# set access radius network-element-group ne-grp1 broadcast

    Configuring the AAA Profile

    CLI Quick Configuration

    To quickly configure this example, copy the following commands and paste them into the router terminal window:

    [edit]set unified-edge aaa mobile-profiles aaa-prof radius authentication network-element ne1 set unified-edge aaa mobile-profiles aaa-prof radius accounting network-element-group ne-grp1 set unified-edge aaa mobile-profiles aaa-prof radius trigger interim-interval 10 set unified-edge aaa mobile-profiles aaa-prof radius trigger no-qos-changeset unified-edge aaa mobile-profiles aaa-prof radius options nas-identifier-prefix imagioset unified-edge aaa mobile-profiles aaa-prof radius options nas-port-type wirelessset unified-edge aaa mobile-profiles aaa-prof radius options nas-ip-address 200.6.80.1set unified-edge aaa mobile-profiles aaa-prof radius attributes exclude called-station-id access-requestset unified-edge aaa mobile-profiles aaa-prof radius attributes exclude event-time-stamp accounting-startset unified-edge aaa mobile-profiles aaa-prof radius attributes ignore framed-ip-netmask

    Step-by-Step Procedure

    To configure the AAA profile:

    1. Indicate that network element ne1 is to be used for authentication.
      [edit]user@pe1# set unified-edge aaa mobile-profiles aaa-prof radius authentication network-element ne1
    2. Indicate that network element group ne-grp1 is to be used for accounting.
      [edit]user@pe1# set unified-edge aaa mobile-profiles aaa-prof radius accounting network-element-group ne-grp1
    3. Configure the broadband gateway to send accounting Interim-Update messages every 10 minutes.
      [edit]user@pe1# set unified-edge aaa mobile-profiles aaa-prof radius trigger interim-interval 10
    4. Configure the broadband gateway so that it does not trigger an accounting Interim-Update message if the QoS profile applied to the PDP context/EPS bearer changes.
      [edit]user@pe1# set unified-edge aaa mobile-profiles aaa-prof radius trigger no-qos-change
    5. Configure the broadband gateway to set the NAS-Identifier attribute in RADIUS messages to the string imagio, prefixed to the ID of the services PIC handling NAS functions for the mobile subscriber.
      [edit]user@pe1# set unified-edge aaa mobile-profiles aaa-prof radius options nas-identifier-prefix imagio
    6. Configure the broadband gateway to set the NAS-Port-Type attribute in RADIUS messages to wireless.
      [edit]user@pe1# set unified-edge aaa mobile-profiles aaa-prof radius options nas-port-type wireless
    7. Configure the broadband gateway to use 200.6.80.1 as the value for the NAS-IP-Address attribute in RADIUS requests. (This causes the CoA requests and Disconnect requests sent from the dynamic request server to have a source address of 50.50.50.110 and a destination address of 200.6.80.1.)
      [edit]user@pe1# set unified-edge aaa mobile-profiles aaa-prof radius options nas-ip-address 200.6.80.1
    8. Configure the broadband gateway to exclude the Called-Station-Id attribute from RADIUS Access-Request messages.
      [edit]user@pe1# set unified-edge aaa mobile-profiles aaa-prof radius attributes exclude called-station-id access-request
    9. Configure the broadband gateway to exclude the Event-Timestamp attribute from RADIUS Accounting Start messages.
      [edit]user@pe1# set unified-edge aaa mobile-profiles aaa-prof radius attributes exclude event-time-stamp accounting-start
    10. Configure the broadband gateway to ignore the Framed-Ip-Netmask attribute in Access-Accept messages it receives from the RADIUS server.
      [edit]user@pe1# set unified-edge aaa mobile-profiles aaa-prof radius attributes ignore framed-ip-netmask

    Applying AAA Services to an APN

    CLI Quick Configuration

    To quickly configure this example, copy the following commands and paste them into the router terminal window:

    [edit]set unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 apn-data-type ipv4set unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 mobile-interface mif.0set unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 aaa-profile aaa-profset unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 address-assignment aaaset unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 anonymous-user user-name aaaset unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 anonymous-user password "Password123"

    Step-by-Step Procedure

    To configure AAA services for the APN:

    1. If not set already, set the data type and mobile interface for APN internet123.
      [edit]user@pe1# set unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 apn-data-type ipv4user@pe1# set unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 mobile-interface mif.0
    2. Configure the APN to use the settings in the aaa-prof AAA profile.
      [edit]user@pe1# set unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 aaa-profile aaa-prof
    3. Configure the broadband gateway to use the AAA server for IP address assignment. IP addresses are assigned to mobile subscribers using information returned in RADIUS Access-Accept messages.
      [edit]user@pe1# set unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 address-assignment aaa
    4. Configure the broadband gateway to authenticate a mobile subscriber using the username “aaa” and the password “Password123” if username and password information cannot be determined from the Protocol Configuration Options (PCO) received in the Create PDP Context Request or Create Session Request message.
      [edit]user@pe1# set unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 anonymous-user user-name aaauser@pe1# set unified-edge gateways ggsn-pgw MBG1 apn-services apns internet123 anonymous-user password "Password123"

    Verification

    Verifying Authentication

    Purpose

    Verify that authentication functions are working on the broadband gateway and for the individual RADIUS servers.

    Action

    To show authentication statistics for the broadband gateway:

    user@host> show unified-edge ggsn-pgw aaa statistics authentication
    Authentication module statistics
      Requests: 3
      Accepts: 3
      Rejects: 0
      Challenges: 0
      Requests timed out: 0
      Transmit errors: 0
      Response errors: 0
      Pending requests: 0
    

    To show authentication statistics for an individual RADIUS server:

    user@host> show unified-edge ggsn-pgw aaa radius statistics authentication detail name radius1
    RADIUS server: radius1 (FPC/PIC: 1/0)
      Address: 200.6.101.2 Port: 1812
      Routing-instance: default
      State: Active  Duration: 00:28:01      
      Prev duration: 00:00:00      Flaps: 0    
      Access requests: 0
      Access req retransmissions: 0
      Access accepts: 0
      Access rejects: 0
      Access challenges: 0
      Malformed responses: 0
      Bad authenticators: 0
      Pending requests: 0
      Timeouts: 0
      Unknown types: 0
      Packets dropped: 0
      Round trip time (ms): 0 (Min: 0 Max: 0 Avg: 0)
      Time since counters were last cleared: 00:00:00

    Verifying Accounting

    Purpose

    Verify that accounting functions are working on the broadband gateway and for the individual RADIUS servers.

    Action

    To show accounting statistics for the broadband gateway:

    user@host> show unified-edge ggsn-pgw aaa statistics accounting
    Accounting module statistics
      Requests: 12
      Responses success: 12
      Requests timed out: 0
      Transmit errors: 0
      Response errors: 0
      Pending requests: 0

    To show accounting statistics for an individual RADIUS server:

    user@host> show unified-edge ggsn-pgw aaa radius statistics accounting detail name radius1
    RADIUS server: radius1 (FPC/PIC: 1/0)
      Address: 200.6.101.2 Port: 1813
      Routing-instance: default
      State: Active  Duration: 00:28:21      
      Prev duration: 00:00:00      Flaps: 0    
      Accounting requests: 0 
        Start: 0      Stop: 0      Interim: 0      On: 0      Off: 0     
      Accounting req retransmissions: 0
      Accounting responses: 0
      Malformed responses: 0
      Bad authenticators: 0
      Pending requests: 0
      Timeouts: 0
      Unknown types: 0
      Packets dropped: 0
      Round trip time (ms): 0 (Min: 0 Max: 0 Avg: 0)
      Time since counters were last cleared: 00:00:00

    Verifying Dynamic Requests

    Purpose

    Verify that dynamic request functions are working on the broadband gateway and for the dynamic request server.

    Action

    To show dynamic request statistics for the broadband gateway:

    user@host> show unified-edge ggsn-pgw aaa statistics dynamic-requests
    Dynamic Requests module statistics
      Requests received: 8
      CoA Requests received: 8
      Dm Requests received: 0
      CoA Acks sent: 7
      CoA Nacks sent: 1
      Dm Acks sent: 0
      Dm Nacks sent: 0
      Dropped: 0

    To show dynamic request statistics for the dynamic request server radiusDR:

    user@host> show unified-edge ggsn-pgw aaa radius statistics dynamic-requests detail name radiusDR
    RADIUS client: radiusDR (FPC/PIC: 3/0)
      Address: 50.50.50.110
      CoA Requests received: 0
      Dm Requests received: 0
      CoA Acks sent: 0
      CoA Nacks sent: 0
      Dm Acks sent: 0
      Dm Nacks sent: 0
      Dropped: 0
      Duplicates: 0
      Dispatched: 0
      Timeouts: 0  
      Sent to SMd: 0
      Invalid RADIUS codes: 0
      Errors during processing: 0
      Invalid RADIUS authenticators: 0
      Invalid or missing Charging Ids: 0
      RCM errors: 0
      Time since counters were last cleared: 00:00:00

    Verifying Network Element Status

    Purpose

    Verify that the RADIUS servers in the network elements are active.

    Action

    user@host> show unified-edge ggsn-pgw aaa network-element status name ne1
    Network-element: ne1
      Server: radius1, Priority: 1, State: Active
      Server: radius2, Priority: 1, State: Active
      Server: radius3, Priority: 2, State: Active
    

    Verifying Address Assignment

    Purpose

    Verify that address assignment by the AAA server is working properly.

    Action

    user@host> show unified-edge ggsn-pgw address-assignment statistics
    Address assignment statistics
      Total address allocations: 0
      Total allocation failures: 0
      Total address releases: 0
    

    Published: 2011-11-23