RADIUS Servers for Subscriber Access

Configuring Router or Switch Interaction with RADIUS Servers

You specify the RADIUS servers that the router or switch can use and you also configure how the router or switch interacts with the specified servers. You can configure the router or switch to connect to multiple RADIUS servers on IPv4 and IPv6 networks. You can configure the RADIUS server connectivity at the [edit access] hierarchy level or for a specific dynamic profile at the [edit access profile] hierarchy level.

To configure connectivity to a RADIUS server and to specify how the router or switch interacts with the server:

  1. Specify the IP address of the RADIUS server.

    The example in this step shows the configuration statement for two RADIUS servers, one with an IPv4 address and the other with an IPv6 address. All other examples in this topic show an IPv4 address. The configuration is similar for IPv6.

    For an IPv4 RADIUS server:

    For an IPv6 RADIUS server:

  2. (Optional) Configure the RADIUS server accounting port number. The default accounting port number is 1813.
  3. (Optional) Configure the port number the router or switch uses to contact the RADIUS server. The default port number is 1812.
  4. Configure the required shared secret (password) that the router or switch, acting as the RADIUS client, shares with the RADIUS server. The same secret must be configured on the server; it is what authenticates RADIUS messages in both directions and what hides the User-Password attribute, so use a long, random secret and a different one for each server. Secrets enclosed in quotation marks can contain spaces.
  5. (Optional) Configure the maximum number of outstanding requests that a RADIUS server can maintain. An outstanding request is a request to which the RADIUS server has not yet responded. You can limit the number from 0 through 2000 outstanding requests per RADIUS server. The default setting is 1000 outstanding requests per server.
  6. Configure the source address that the router or switch uses when it sends requests to the RADIUS server. Each RADIUS request sent to the server uses the specified source address, so the server's client definition must match it. The source address must be a valid IPv4 or IPv6 address configured on one of the router or switch interfaces.

    For an IPv4 source address:

    For an IPv6 source address:

  7. (Optional) Configure retry and timeout values for authentication and accounting messages.
    1. Configure how many times the router or switch attempts to contact a RADIUS server when it has received no response. You can configure the router or switch to retry from 1 through 100 times. The default setting is 3 retry attempts.
    2. Configure how long the router or switch waits to receive a response from a RADIUS server before retrying the contact. By default, the router or switch waits 3 seconds. You can configure the timeout to be from 1 through 1000 seconds.
    Note

    The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.

    Note

    The retry and timeout settings apply to both authentication and accounting messages unless you configure both the accounting-retry and the accounting-timeout statements. In that case, the retry and timeout settings apply only to authentication messages.

  8. (Optional) Configure retry and timeout values for accounting messages separate from the settings for authentication messages.

    Note

    You must configure both of these options. If you do not, then the value you configure is ignored in favor of the values configured with the retry and timeout statements.

    1. Configure how many times the router attempts to send accounting messages to the RADIUS accounting server when it has received no response. You can configure the router to retry from 0 through 100 times. The default setting is 0, meaning that this option is disabled.
    2. Configure how long the router waits to receive a response from a RADIUS accounting server before retrying the request. You can configure the timeout to be from 0 through 1000 seconds. The default setting is 0, meaning that this option is disabled.
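
A complete configuration for the procedure above, added here as an example and not taken from the original page: one IPv4 and one IPv6 RADIUS server under [edit access], shown in configuration-file format rather than as set commands. The server addresses, source addresses and secrets are placeholders from documentation address ranges, and the numeric values are illustrative choices, not defaults unless a comment says so.

```junos
/* Added example: RADIUS server connectivity at the [edit access] hierarchy.
   Addresses are from RFC 5737 / RFC 3849 documentation ranges and the
   secrets are placeholders; none of these values come from the page. */
access {
    radius-server {
        /* Step 1: IPv4 server, with steps 2 through 8 applied to it */
        192.0.2.10 {
            /* Step 3: authentication port (1812 is the default) */
            port 1812;
            /* Step 2: accounting port (1813 is the default) */
            accounting-port 1813;
            /* Step 4: shared secret; quoted because it contains spaces */
            secret "replace with a long random per-server secret";
            /* Step 5: unanswered requests held for this server (0-2000, default 1000) */
            max-outstanding-requests 1000;
            /* Step 6: source address of every request to this server; must be a local address */
            source-address 192.0.2.1;
            /* Step 7: 5 retries x 10 s = 50 s worst case, well under the 2700 s cap.
               retry 100 with timeout 30 (3000 s) would be rejected at commit. */
            retry 5;
            timeout 10;
            /* Step 8: separate accounting retry/timeout; both must be set or both are ignored */
            accounting-retry 3;
            accounting-timeout 5;
        }
        /* Step 1: IPv6 server with the same policy and an IPv6 source address */
        2001:db8::10 {
            port 1812;
            accounting-port 1813;
            secret "replace with a different long random secret";
            max-outstanding-requests 1000;
            source-address 2001:db8::1;
            retry 5;
            timeout 10;
            accounting-retry 3;
            accounting-timeout 5;
        }
    }
}
```

With this configuration an authentication request that gets no answer is abandoned after 50 seconds on a given server, while an accounting request is abandoned after 15 seconds; if either accounting-retry or accounting-timeout were removed, accounting would silently fall back to the 5 x 10 s authentication values.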

Configuring Options that Apply to All RADIUS Servers

You can configure RADIUS options that apply to all RADIUS servers globally.

To configure RADIUS options globally:

  1. Specify that you want to configure RADIUS options.
  2. (Optional) Configure the number of requests per second that the router can send to all the RADIUS servers collectively.
  3. (Optional) Configure the number of seconds that the router or switch waits after a server has become unreachable before it again attempts to send requests to that server.
  4. (Optional) Configure the number of seconds during which a failing authentication server is not marked as down or unreachable.
  5. (Optional) Configure a NAS-Port value that is unique across all MX series routers in the network.

Configuring a Timeout Grace Period to Specify When RADIUS Servers Are Considered Down or Unreachable

When a RADIUS authentication server fails to respond to any of the attempts for a given authentication request and times out, authd (the Junos OS authentication process) notes the time for reference, but it does not immediately mark the server as down (if other servers are available) or unreachable (if it is the only configured server). Instead, a configurable grace period timer starts at the reference time. The grace period is cleared if the server responds to a subsequent request before the period expires.

During the grace period, the server is not marked as down or unreachable. Each time the server times out for subsequent requests to that server, authd checks whether the grace period has expired. When the check determines that the grace period has expired and the server has still not responded to a request, the server is marked as unreachable or down.

Using a short grace period enables you to more quickly abandon an unresponsive server and direct authentication requests to other available servers. A long grace period gives a server more opportunities to respond and may avoid needlessly abandoning a resource. You might specify a longer grace period when you have only one or a small number of configured servers.

To configure the grace period during which an unresponsive RADIUS server is not marked as unreachable or down:

  • Specify the duration of the grace period.
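
The global options from the two sections above, added here as an example that is not part of the original page. The values are illustrative, not defaults. Step 5 of the global procedure (the network-unique NAS-Port value) is omitted because the page does not show its statement.

```junos
/* Added example: options that apply to all RADIUS servers, under [edit access radius-options].
   All values are assumed choices, not values taken from the page. */
access {
    radius-options {
        /* Step 2: requests per second the router may send to all servers collectively */
        request-rate 1000;
        /* Step 3: seconds to wait after a server is marked unreachable before trying it again */
        revert-interval 300;
        /* Step 4 and the grace-period section: seconds during which a server that keeps
           timing out is still not marked down or unreachable. Keep it short when several
           servers are configured so requests move to a live server quickly; lengthen it
           when this is the only server, so a brief stall does not take authentication down. */
        timeout-grace 10;
    }
}
```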

Storage and Reporting of Interface Descriptions to Uniquely Identify Subscribers

Interface Description Storage and Reporting Overview

You can configure Junos OS to store subscriber access interface descriptions and report the interface description through RADIUS. This capability enables you to uniquely identify subscribers on a particular logical or physical interface. When you enable storing of the interface descriptions, RADIUS requests include the interface description in VSA 26-63, if the subscriber’s access interface has been configured with an interface description. All interface descriptions must be statically configured using the Junos OS CLI. Storing and reporting of interface descriptions is supported for DHCP, PPP, and authenticated dynamic VLANs, and applies to any client session that either authenticates or uses the RADIUS accounting service. The description can contain letters, numbers, and hyphens (-), and can be up to 64 characters long.

Interface Description Precedence

The interface description sent in the VSA depends on the configured interface. Two configuration models apply across topologies and protocols for subscriber management.

  • Subscriber logical interface directly over a physical interface (non-underlying logical interfaces).

  • Subscriber logical interface over an underlying logical interface and physical interface.

In both models, Junos OS selects the interface description to report based on order of precedence. Interfaces not configured with interface descriptions are excluded when selecting an interface by precedence. If no interface description is configured on any of the static interfaces in the subscriber interface hierarchy, VSA 26-63 is not sent in any of the RADIUS messages.

Note
  • For aggregated Ethernet physical interfaces, the interface description on the aggregated Ethernet interface, for example ae0 or ae1, serves as the physical interface description.

  • If the subscriber’s access is a combination of dynamic and static interfaces, Junos OS uses the description on the static interface.

Example: Reporting Interface Descriptions on Non-Underlying Logical Interfaces

This topic shows an example of subscriber access with non-underlying logical interfaces. In this case, the logical interface can be a VLAN or a VLAN demux interface. This example shows a DHCP subscriber logical interface over a VLAN without a demux interface. For non-underlying interfaces, Junos OS selects which interface description to report based on the following order of precedence:

  1. Logical interface description

  2. Physical interface description

Based on the order of precedence that Junos OS uses to select the interface description for non-underlying interfaces, Junos OS reports subscriber_ifl_descr as the interface description.

Reporting Interface Descriptions on Underlying Logical Interfaces

Underlying logical interfaces can apply to both DHCP and PPP.

For DHCP, Junos OS selects which interface description to report based on the following order of precedence:

  1. Underlying logical interface description

  2. Underlying physical interface description

Note

For DHCP, Junos OS does not report the IP demux logical interface description.

For PPP over an underlying VLAN or VLAN demux interface, Junos OS selects which interface description to report based on the following order of precedence:

  1. PPP interface description

  2. Underlying VLAN without a demux interface or VLAN demux logical interface description

  3. Underlying physical interface description

Example: PPP over an Underlying VLAN Demux Interface

The following example shows a PPP subscriber over an underlying VLAN demux interface. This configuration includes three possible interface descriptions. Based on the order of precedence that Junos OS uses to select the interface description for PPP, the interface description is reported as subscriber_ppp_ifl_descr_0.

Example: Reporting Interface Descriptions on Dynamic VLANs

If you create dynamic VLANs with authentication, Junos OS reports the interface description on the physical interface. In the following example, dynamic VLANs created over the ge-1/2/0 interface are authenticated with an interface description of ge-1/2/0-bos-mktg-group.
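
The three cases above (a DHCP subscriber on a non-underlying VLAN logical interface, PPP over an underlying VLAN demux interface, and authenticated dynamic VLANs) in one static interface configuration, added here as an example that is not part of the original page. The description strings, unit numbers and VLAN IDs are assumed and follow the letters, numbers and hyphens rule stated earlier; the demux and PPPoE wiring is the minimal static form and may need adjusting for a given platform, and the comments state which description VSA 26-63 carries in each case.

```junos
/* Added example (not from the page): three subscriber interface models over one
   physical port, annotated with the description that precedence selects. */
interfaces {
    ge-1/2/0 {
        /* Physical description: lowest precedence in every model, and the only
           description reported for authenticated dynamic VLANs created over this port */
        description ge-1-2-0-bos-mktg-group;
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        /* Non-underlying model: DHCP subscriber directly on a VLAN logical interface.
           Reported: subscriber-ifl-descr (logical interface beats physical interface) */
        unit 200 {
            description subscriber-ifl-descr;
            vlan-id 200;
            family inet {
                unnumbered-address lo0.0;
            }
        }
    }
    demux0 {
        /* Underlying model: VLAN demux logical interface over ge-1/2/0 (assumed wiring) */
        unit 100 {
            description subscriber-demux-ifl-descr;
            vlan-id 100;
            demux-options {
                underlying-interface ge-1/2/0;
            }
            family pppoe;
        }
    }
    pp0 {
        /* PPP over the VLAN demux unit: three candidate descriptions exist.
           Reported: subscriber-ppp-ifl-descr-0 (PPP > VLAN demux > physical).
           Remove this description and the demux description is reported instead;
           remove both and the physical description is reported. */
        unit 0 {
            description subscriber-ppp-ifl-descr-0;
            pppoe-options {
                underlying-interface demux0.100;
                server;
            }
            family inet {
                unnumbered-address lo0.0;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.0.2.254/32;
            }
        }
    }
}
```

If none of ge-1/2/0, demux0.100 or pp0.0 carried a description, VSA 26-63 would be absent from every RADIUS message for these subscribers, so a RADIUS policy that keys on the attribute should treat its absence as "no description configured" rather than as an error.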

Interface Description Storage and Reporting Configuration

To enable or disable storage and reporting of interface descriptions:

  • Enable storing and reporting of interface descriptions.

  • Disable storing and reporting of interface descriptions per RADIUS message type.