Configuring a Username for Authentication of Out-of-Band Triggered Dynamic VLANs
When a subscriber logs in, the Access-Request message that is sent to the RADIUS server includes a username and optionally a password generated locally on the router to authenticate the subscriber during the VLAN authorization process. For a Layer 2 network that is wholesaled to a retailer where the dynamic VLANs are instantiated by out-of-band ANCP Port Up messages, you can configure the router to create a unique username with the value of the ANCP TLVs—Access-Loop-Circuit-ID, Access-Loop-Remote-Id, or both—as received in the ANCP Port Up message from the access node.
This configuration assumes the following:
- The ANCP agent is configured to notify AAA when it receives ANCP Port Up and Port Down messages.
- The dynamic profile is configured to instantiate a dynamic VLAN when notified by the ANCP agent that it has received an out-of-band ANCP Port Up message.
- The RADIUS authentication server is properly configured.
To include ANCP TLVs in the authentication username:
- (Optional) Specify inclusion of the Access-Loop-Circuit-ID TLV value.
- (Optional) Specify inclusion of the Access-Loop-Remote-ID TLV value.
This ANCP information is not supported in stacked VLANs.
You can use any of the attributes available to the username-include statement except mac-address, option-18, option-37, and option-82.
You can include other information in the username as for conventional autosensed dynamic VLANs. Alternatively, if you configure the router to convey ANCP-sourced access loop attributes as Juniper Networks VSAs—in this case Acc-Loop-Cir-Id (26-110) and Acc-Loop-Remote-Id (26-182)—the Access-Request message includes sufficient unique access line information for the RADIUS server to determine whether the access loop is wholesaled to a retailer or retained for the wholesaler.
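The following Python model, added here as an illustration and not part of the Junos documentation or software, shows both halves of the exchange described above: the router composing the username from the ANCP TLV values and carrying the same values as the Juniper VSAs Acc-Loop-Cir-Id (26-110) and Acc-Loop-Remote-Id (26-182), and a RADIUS server decoding those attributes to decide whether the access loop is wholesaled or retained. The "." username delimiter, the function names and the wholesale lookup table are assumptions made for the example; the Juniper enterprise number 2636 is the IANA-registered value.

```python
import struct
JUNIPER_VENDOR_ID = 2636        # IANA enterprise number of Juniper Networks
ACC_LOOP_CIR_ID = 110           # Acc-Loop-Cir-Id, VSA 26-110 (from the page)
ACC_LOOP_REMOTE_ID = 182        # Acc-Loop-Remote-Id, VSA 26-182 (from the page)
VSA_NAMES = {ACC_LOOP_CIR_ID: "Acc-Loop-Cir-Id", ACC_LOOP_REMOTE_ID: "Acc-Loop-Remote-Id"}
USER_NAME, VENDOR_SPECIFIC = 1, 26   # standard RADIUS attribute types
WHOLESALE_MAP = {"access-node-1 eth 1/1": "retailer-A"}  # constructed: circuit-id -> retailer

def build_username(circuit_id=None, remote_id=None, delimiter="."):
    # Router side: join the included TLV values. The delimiter is an assumption for this example.
    parts = [p for p in (circuit_id, remote_id) if p]
    if not parts:
        raise ValueError("at least one ANCP TLV must be included")
    return delimiter.join(parts)

def encode_attr(attr_type, data):
    # Standard RADIUS attribute: Type(1) Length(1) Value; Length counts all bytes.
    return struct.pack("!BB", attr_type, 2 + len(data)) + data
def encode_vsa(vendor_type, value):
    # Vendor-Specific (26) payload: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String.
    data = value.encode()
    body = struct.pack("!IBB", JUNIPER_VENDOR_ID, vendor_type, 2 + len(data)) + data
    return encode_attr(VENDOR_SPECIFIC, body)

def build_access_request_attrs(circuit_id, remote_id):
    # Attribute list the router sends when both TLVs are also conveyed as VSAs.
    return (encode_attr(USER_NAME, build_username(circuit_id, remote_id).encode())
            + encode_vsa(ACC_LOOP_CIR_ID, circuit_id)
            + encode_vsa(ACC_LOOP_REMOTE_ID, remote_id))

def parse_attrs(blob):
    # RADIUS server side: walk the attribute list, rejecting malformed lengths.
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute")
        t, length = blob[i], blob[i + 1]
        val = blob[i + 2:i + length]
        if t == USER_NAME:
            out["User-Name"] = val.decode()
        elif t == VENDOR_SPECIFIC and len(val) >= 6:
            vid, vtype, vlen = struct.unpack("!IBB", val[:6])
            if vid == JUNIPER_VENDOR_ID and vlen == len(val) - 4 and vtype in VSA_NAMES:
                out[VSA_NAMES[vtype]] = val[6:].decode()
        i += length
    return out

def classify_access_loop(attrs):
    # Decide from the VSA whether the loop is wholesaled to a retailer or retained.
    return WHOLESALE_MAP.get(attrs.get("Acc-Loop-Cir-Id", ""), "wholesaler")
```

Because the decision keys on the VSA rather than on the concatenated username, the server does not have to parse the username layout at all, which is the practical benefit of conveying the access loop attributes as VSAs.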