RADIUS Servers for Subscriber Access
Configuring Router or Switch Interaction with RADIUS Servers
You specify the RADIUS servers that the router or switch can use and you also configure how the router or switch interacts with the specified servers. You can configure the router or switch to connect to multiple RADIUS servers on IPv4 and IPv6 networks. You can configure the RADIUS server connectivity at the [edit access] hierarchy level or for a specific dynamic profile at the [edit access profile] hierarchy level.
To configure connectivity to a RADIUS server and to specify how the router or switch interacts with the server:
- Specify the IP address of the RADIUS server.
The example in this step shows the configuration statement for two RADIUS servers, one with an IPv4 address and the other with an IPv6 address. All other examples in this topic show an IPv4 address. The configuration is similar for IPv6.
For an IPv4 RADIUS server:
[edit access]
user@host# edit radius-server 192.168.1.250
For an IPv6 RADIUS server:
[edit access]
user@host# edit radius-server 2001:DB8:0:f101::2
- (Optional) Configure the RADIUS server accounting port number. The default accounting port number is 1813.
[edit access radius-server 192.168.1.250]
user@host# set accounting-port 1813
- (Optional) Configure the port number the router or switch uses to contact the RADIUS server. The default port number is 1812.
[edit access radius-server 192.168.1.250]
user@host# set port 18914
- Configure the required shared secret (password) that the local router or switch, acting as the RADIUS client, uses with the RADIUS server. Secrets enclosed in quotation marks can contain spaces.
[edit access radius-server 192.168.1.250]
user@host# set secret $ABC123$ABC123
- (Optional) Configure the maximum number of outstanding requests that a RADIUS server can maintain. An outstanding request is a request to which the RADIUS server has not yet responded. You can limit the number from 0 through 2000 outstanding requests per RADIUS server. The default setting is 1000 outstanding requests per server.
[edit access radius-server 192.168.1.250]
user@host# set max-outstanding-requests 500
- Configure the source address for the RADIUS server. Each
RADIUS request sent to a RADIUS server uses the specified source address.
The source address is a valid IPv4 or IPv6 address configured on one
of the router or switch interfaces.
For an IPv4 source address:
[edit access radius-server 192.168.1.250]
user@host# set source-address 192.168.1.100
For an IPv6 source address:
[edit access radius-server 2001:DB8:0:f101::2]
user@host# set source-address 2001:DB8:0:f101::1
- (Optional) Configure retry and timeout values for authentication and accounting messages.
  - Configure how many times the router or switch attempts to contact a RADIUS server when it has received no response. You can configure the router or switch to retry from 1 through 100 times. The default setting is 3 retry attempts.
  [edit access radius-server 192.168.1.250]
  user@host# set retry 4
  - Configure how long the router or switch waits to receive a response from a RADIUS server before retrying the contact. By default, the router or switch waits 3 seconds. You can configure the timeout to be from 1 through 1000 seconds.
  [edit access radius-server 192.168.1.250]
  user@host# set timeout 20
Note The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.
Note The retry and timeout settings apply to both authentication and accounting messages unless you configure both the accounting-retry statements and the accounting-timeout statement. In that case, the retry and timeout settings apply only to authentication messages.
- (Optional) Configure retry and timeout values for accounting
messages separate from the settings for authentication messages.
Note You must configure both of these options. If you do not, then the value you configure is ignored in favor of the values configured with the retry and timeout statements.
  - Configure how many times the router attempts to send accounting messages to the RADIUS accounting server when it has received no response. You can configure the router to retry from 0 through 100 times. The default setting is 0, meaning that this option is disabled.
  [edit access radius-server 192.168.1.250]
  user@host# set accounting-retry 6
  - Configure how long the router waits to receive a response from a RADIUS accounting server before retrying the request. You can configure the timeout to be from 0 through 1000 seconds. The default setting is 0, meaning that this option is disabled.
  [edit access radius-server 192.168.1.250]
  user@host# set accounting-timeout 20
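The retry and timeout rules from the steps above, as an added Python helper that is not part of the Junos documentation: it works out which retry/timeout pair applies to authentication and to accounting messages, and rejects a configuration whose retries times timeout exceeds the 2700-second maximum. The function names and the range checks are assumptions modelled on the ranges stated above.

```python
# Added example (not from the Junos documentation): a model of the retry/timeout rules
# described in the steps above, to check a candidate configuration before committing it.
from typing import Dict, Tuple

MAX_RETRY_DURATION = 2700  # seconds: retries x timeout must not exceed this (per the Note above)


def _check_range(name: str, value: int, low: int, high: int) -> None:
    if not low <= value <= high:
        raise ValueError(f"{name} {value} is outside the allowed range {low}-{high}")


def effective_retry_timeout(retry: int = 3, timeout: int = 3,
                            accounting_retry: int = 0, accounting_timeout: int = 0
                            ) -> Dict[str, Tuple[int, int]]:
    """Return the (retries, timeout) pair that applies to authentication and to accounting.

    Defaults mirror the page: retry 3, timeout 3 s, and the accounting-specific values
    disabled (0). accounting-retry/accounting-timeout are honoured only when BOTH are set;
    otherwise accounting falls back to the retry/timeout values.
    """
    _check_range("retry", retry, 1, 100)
    _check_range("timeout", timeout, 1, 1000)
    _check_range("accounting-retry", accounting_retry, 0, 100)
    _check_range("accounting-timeout", accounting_timeout, 0, 1000)
    if retry * timeout > MAX_RETRY_DURATION:
        raise ValueError(f"retry x timeout = {retry * timeout} s exceeds {MAX_RETRY_DURATION} s")
    auth = (retry, timeout)
    acct = (accounting_retry, accounting_timeout) if accounting_retry and accounting_timeout else auth
    return {"authentication": auth, "accounting": acct}


def worst_case_wait(retry: int, timeout: int) -> int:
    """Seconds the router can spend on one unanswered request before giving up on the server."""
    return retry * timeout


if __name__ == "__main__":
    # Values from the page's own examples: retry 4, timeout 20, accounting-retry 6, accounting-timeout 20
    cfg = effective_retry_timeout(retry=4, timeout=20, accounting_retry=6, accounting_timeout=20)
    for kind, (r, t) in cfg.items():
        print(f"{kind}: {r} retries x {t} s = {worst_case_wait(r, t)} s worst case")
```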
Configuring Options that Apply to All RADIUS Servers
You can configure RADIUS options that apply to all RADIUS servers globally.
To configure RADIUS options globally:
- Specify that you want to configure RADIUS options.
[edit access]
user@host# edit radius-options
- (Optional) Configure the number of requests per second that the router can send to all the RADIUS servers collectively.
[edit access radius-options]
user@host# set request-rate rate
- (Optional) Configure the number of seconds that the router or switch waits after a server has become unreachable.
[edit access radius-options]
user@host# set revert-interval interval
- (Optional) Configure the number of seconds during which a failing authentication server is not marked as down or unreachable.
[edit access radius-options]
user@host# set timeout-grace seconds
- (Optional) Configure a NAS-Port value that is unique across all MX Series routers in the network.
[edit access radius-options]
user@host# set unique-nas-port chassis-id-width chassis-id-width
user@host# set unique-nas-port chassis-id chassis-id
Configuring a Timeout Grace Period to Specify When RADIUS Servers Are Considered Down or Unreachable
When a RADIUS authentication server fails to respond to any of the attempts for a given authentication request and times out, authd notes the time for reference, but it does not immediately mark the server as down (if other servers are available) or unreachable (if it is the only configured server). Instead, a configurable grace period timer starts at the reference time. The grace period is cleared if the server responds to a subsequent request before the period expires.
During the grace period, the server is not marked as down or unreachable. Each time the server times out for subsequent requests to that server, authd checks whether the grace period has expired. When the check determines that the grace period has expired and the server has still not responded to a request, the server is marked as unreachable or down.
Using a short grace period enables you to more quickly abandon an unresponsive server and direct authentication requests to other available servers. A long grace period gives a server more opportunities to respond and may avoid needlessly abandoning a resource. You might specify a longer grace period when you have only one or a small number of configured servers.
To configure the grace period during which an unresponsive RADIUS server is not marked as unreachable or down:
Specify the duration of the grace period.
[edit access radius-options]
user@host# set timeout-grace seconds
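A simplified model of the grace-period logic described above, added here as an example and not taken from the Junos documentation; the class, the event format and the times are constructed, and recovery of a server already marked down (governed by revert-interval) is not modelled.

```python
# Added example (not from the Junos documentation): a simplified model of how authd applies
# the timeout-grace period described above. Times are seconds; events are constructed.
from typing import List, Optional, Sequence, Tuple


class RadiusServerTracker:
    """Tracks one RADIUS authentication server's grace timer and resulting status."""

    def __init__(self, timeout_grace: int, other_servers_available: bool) -> None:
        self.timeout_grace = timeout_grace
        self.other_servers_available = other_servers_available
        self.reference_time: Optional[int] = None  # set when a request first times out
        self.status = "up"

    def on_timeout(self, now: int) -> str:
        """A request to this server exhausted its retries with no response at time `now`."""
        if self.reference_time is None:
            # First timeout: note the reference time and start the grace period.
            self.reference_time = now
        elif now - self.reference_time >= self.timeout_grace:
            # Grace period has expired and the server still has not answered.
            self.status = "down" if self.other_servers_available else "unreachable"
        return self.status

    def on_response(self, now: int) -> str:
        """The server answered a subsequent request; a running grace period is cleared."""
        self.reference_time = None
        return self.status


def simulate(timeout_grace: int, other_servers_available: bool,
             events: Sequence[Tuple[int, str]]) -> List[str]:
    """Replay (time, 'timeout' | 'response') events and return the status after each one."""
    tracker = RadiusServerTracker(timeout_grace, other_servers_available)
    statuses = []
    for when, kind in events:
        statuses.append(tracker.on_timeout(when) if kind == "timeout" else tracker.on_response(when))
    return statuses


if __name__ == "__main__":
    # Constructed sequence: 30 s grace, other servers configured, three unanswered requests.
    print(simulate(30, True, [(0, "timeout"), (20, "timeout"), (35, "timeout")]))
```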
Storage and Reporting of Interface Descriptions to Uniquely Identify Subscribers
Interface Description Storage and Reporting Overview
You can configure Junos OS to store subscriber access interface descriptions and report the interface description through RADIUS. This capability enables you to uniquely identify subscribers on a particular logical or physical interface. When you enable storing of the interface descriptions, RADIUS requests include the interface description in VSA 26-63, if the subscriber’s access interface has been configured with an interface description. All interface descriptions must be statically configured using the Junos OS CLI. Storing and reporting of interface descriptions is supported for DHCP, PPP, and authenticated dynamic VLANs, and applies to any client session that either authenticates or uses the RADIUS accounting service. The description can contain letters, numbers, and hyphens (-), and can be up to 64 characters long.
Interface Description Precedence
The interface description sent in the VSA depends on the configured interface. Two configuration models apply across topologies and protocols for subscriber management.
- Subscriber logical interface directly over a physical interface (non-underlying logical interfaces).
- Subscriber logical interface over an underlying logical interface and physical interface.
In both models, Junos OS selects the interface description to report based on order of precedence. Interfaces not configured with interface descriptions are excluded when selecting an interface by precedence. If no interface description is configured on any of the static interfaces in the subscriber interface hierarchy, VSA 26-63 is not sent in any of the RADIUS messages.
For aggregated Ethernet physical interfaces, the interface description on the aggregated Ethernet interface, for example ae0 or ae1, serves as the physical interface description.
If the subscriber’s access is a combination of dynamic and static interfaces, Junos OS uses the description on the static interface.
Example: Reporting Interface Descriptions on Non-Underlying Logical Interfaces
This topic shows an example of subscriber access with non-underlying logical interfaces. In this case, the logical interface can be a VLAN or a VLAN demux interface. This example shows a DHCP subscriber logical interface over a VLAN without a demux interface. For non-underlying interfaces, Junos OS selects which interface description to report based on the following order of precedence:
1. Logical interface description
2. Physical interface description
Based on the order of precedence that Junos OS uses to select the interface description for non-underlying interfaces, Junos OS reports subscriber_ifl_descr as the interface description.
system {
    services {
        dhcp-local-server {
            group LSG1 {
                authentication {
                    password $ABC123;
                    username-include {
                        user-prefix rich;
                    }
                }
                interface ge-1/0/0.100;
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        description subscriber_ifd_descr;
        vlan-tagging;
        unit 100 {
            description subscriber_ifl_descr;
            vlan-id 100;
            family inet {
                unnumbered-address lo0.0 preferred-source-address 198.51.100.20;
            }
        }
    }
}
Reporting Interface Descriptions on Underlying Logical Interfaces
Underlying logical interfaces can apply to both DHCP and PPP.
For DHCP, Junos OS selects which interface description to report based on the following order of precedence:
1. Underlying logical interface description
2. Underlying physical interface description
For DHCP, Junos OS does not report the IP demux logical interface description.
For PPP over an underlying VLAN or VLAN demux interface, Junos OS selects which interface description to report based on the following order of precedence:
1. PPP interface description
2. Underlying VLAN without a demux interface or VLAN demux logical interface description
3. Underlying physical interface description
Example: PPP over an Underlying VLAN Demux Interface
The following example shows a PPP subscriber over an underlying VLAN demux interface. This configuration includes three possible interface descriptions. Based on the order of precedence that Junos OS uses to select the interface description for PPP, the interface description is reported as subscriber_ppp_ifl_descr_0.
interfaces {
    ge-1/0/0 {
        description subscriber_ifd_descr;
        hierarchical-scheduler maximum-hierarchy-levels 2;
        flexible-vlan-tagging;
    }
    demux0 {
        unit 0 {
            vlan-tags outer 1 inner 1;
            description subscriber_under_ifl_descr_1_1;
            demux-options {
                underlying-interface ge-1/0/0;
            }
            family pppoe {
                duplicate-protection;
            }
        }
        unit 1 {
            vlan-tags outer 1 inner 2;
            description subscriber_under_ifl_descr_1_2;
            demux-options {
                underlying-interface ge-1/0/0;
            }
            family pppoe {
                duplicate-protection;
            }
        }
    }
    pp0 {
        unit 0 {
            description subscriber_ppp_ifl_descr_0;
            ppp-options {
                chap;
                pap;
            }
            pppoe-options {
                underlying-interface demux0.0;
                server;
            }
        }
        unit 1 {
            description subscriber_ppp_ifl_descr_1;
            ppp-options {
                chap;
                pap;
            }
            pppoe-options {
                underlying-interface demux0.1;
                server;
            }
        }
    }
}
Example: Reporting Interface Descriptions on Dynamic VLANs
If you create dynamic VLANs with authentication, Junos OS reports the interface description on the physical interface. In the following example, dynamic VLANs created over the ge-1/2/0 interface are authenticated with an interface description of ge-1/2/0-bos-mktg-group.
ge-1/2/0 {
    description ge-1/2/0-bos-mktg-group;
    flexible-vlan-tagging;
    auto-configure {
        vlan-ranges {
            dynamic-profile vlan-prof {
                accept inet;
                ranges {
                    any;
                }
            }
            authentication {
                password $ABC123;
                username-include {
                    user-prefix rich;
                }
            }
        }
    }
}
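The precedence rules above, applied to the three example hierarchies, as an added example that is not from the Junos documentation; the role names, the Iface record and the reduced hierarchies are assumptions, and the function returns None where the page says VSA 26-63 is not sent.

```python
# Added example (not from the Junos documentation): a model of the VSA 26-63 selection rules
# described above, applied to the page's example hierarchies. Roles and data are constructed.
from typing import Dict, List, NamedTuple, Optional


class Iface(NamedTuple):
    role: str                   # one of the roles used in PRECEDENCE below
    name: str
    description: Optional[str]  # None when no description is configured
    static: bool = True         # a dynamic interface never supplies the description


# Order of precedence per access model, highest first (from the lists above).
PRECEDENCE = {
    "non-underlying": ("logical", "physical"),
    "dhcp-underlying": ("underlying-logical", "underlying-physical"),  # IP demux ifl is never reported
    "ppp": ("ppp", "underlying-logical", "underlying-physical"),
    "dynamic-vlan": ("physical",),
}


def select_description(model: str, hierarchy: List[Iface]) -> Optional[str]:
    """Return the description reported in VSA 26-63, or None if the VSA is not sent."""
    candidates: Dict[str, str] = {}
    for iface in hierarchy:
        # Interfaces without a description, and dynamic interfaces, are excluded.
        if iface.static and iface.description:
            candidates.setdefault(iface.role, iface.description)
    for role in PRECEDENCE[model]:
        if role in candidates:
            return candidates[role]
    return None


# The page's three examples, reduced to role/name/description triples.
DHCP_OVER_VLAN = [
    Iface("physical", "ge-1/0/0", "subscriber_ifd_descr"),
    Iface("logical", "ge-1/0/0.100", "subscriber_ifl_descr"),
]
PPP_OVER_DEMUX = [
    Iface("underlying-physical", "ge-1/0/0", "subscriber_ifd_descr"),
    Iface("underlying-logical", "demux0.0", "subscriber_under_ifl_descr_1_1"),
    Iface("ppp", "pp0.0", "subscriber_ppp_ifl_descr_0"),
]
DYNAMIC_VLAN = [
    Iface("physical", "ge-1/2/0", "ge-1/2/0-bos-mktg-group"),
    Iface("logical", "ge-1/2/0.1001", "set-by-dynamic-profile", static=False),  # constructed
]
```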
Interface Description Storage and Reporting Configuration
To enable or disable storage and reporting of interface descriptions:
- Enable storing and reporting of interface descriptions.
[edit access]
user@host# set report-interface-descriptions
- Disable storing and reporting of interface descriptions per RADIUS message type.
[edit access profile profile-name radius attributes]
user@host# set exclude interface-description [ access-request | accounting-start | accounting-stop ]