Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring a Username for Authentication of Out-of-Band Triggered Dynamic VLANs

 

When a subscriber logs in, the Access-Request message that is sent to the RADIUS server includes a username and optionally a password generated locally on the router to authenticate the subscriber during the VLAN authorization process. For a Layer 2 network that is wholesaled to a retailer where the dynamic VLANs are instantiated by out-of-band ANCP Port Up messages, you can configure the router to create a unique username with the value of the ANCP TLVs—Access-Loop-Circuit-ID, Access-Loop-Remote-Id, or both—as received in the ANCP Port Up message from the access node.

This configuration assumes the following:

  • The ANCP agent is configured to notify AAA when it receives ANCP Port Up and Port Down messages.

  • The dynamic profile is configured to instantiate a dynamic VLAN when notified by the ANCP agent that it has received an out-of-band ANCP Port Up message.

  • The RADIUS authentication server is properly configured.

To include ANCP TLVs in the authentication username

  1. (Optional) Specify inclusion of the Access-Loop-Circuit-ID TLV value.
  2. (Optional) Specify inclusion of the Access-Loop-Remote-ID TLV value.
Note

This ANCP information is not supported in stacked VLANs.

Note

You can use any of the attributes available to the username-include statement, except: mac-address, option-18, option-37, and option-82.

You can include other information in the username as for conventional autosensed dynamic VLANs. Alternatively, if you configure the router to convey ANCP-sourced access loop attributes as Juniper Networks VSAs—in this case Acc-Loop-Cir-Id (26-110) and Acc-Loop-Remote-Id (26-182)—the Access-Request message includes sufficient unique access line information for the RADIUS server to determine whether the access loop is wholesaled to a retailer or retained for the wholesaler.

Related Documentation