RADIUS Servers and Parameters for Subscriber Access
Configuring parameters and options for RADIUS servers is a major part of your subscriber management configuration. After defining the authentication and accounting servers, you configure options for all RADIUS servers. You also configure access profiles that enable you to specify subscriber access authentication, authorization and accounting configuration parameters for subscribers or groups of subscribers. The profile settings override global settings. Although some options are available at both the global level and the access profile level, many options are available only in access profiles.
After you have created an access profile, you must specify where the profile is used with an access-profile statement; this is known as attaching the profile. Access profiles can be assigned at various levels. For example, some of the places you can attach access profiles are:
Globally for a routing instance.
In dynamic profiles.
In a domain map, which maps access options and session parameters for subscriber sessions.
On the interfaces for dynamic VLANs and dynamic stacked VLANs.
On the interface or in a subscriber group for subscribers with statically configured interfaces for dynamic service provisioning.
On DHCP relay agents and DHCP local servers for DHCP clients or subscribers.
Because you can attach access profiles at many levels, the most specific access profile takes precedence over any other profile assignments to avoid conflict. Authentication and accounting do not run unless you attach the profile.
RADIUS Authentication and Accounting Server Definition
When you use RADIUS for subscriber management, you must define one or more external RADIUS servers that the router communicates with for subscriber authentication and accounting. Besides specifying the IPv4 or IPv6 address of the server, you can configure options and attributes that determine how the router interacts with the specified servers.
You can define RADIUS servers and connectivity options at the [edit access radius-server] hierarchy level, at the [edit access profile name radius-server] hierarchy level, or at both levels.
The AAA process (authd) determines which server definitions to use as follows:
When RADIUS server definitions are present only in [edit access radius-server], authd uses those definitions.
When RADIUS server definitions are present only in the access profile, authd uses those definitions.
When RADIUS server definitions are present in both [edit access radius-server] and in the access profile, authd uses only the access profile definitions.
To use a RADIUS server, you must designate it as an authentication server, an accounting server, or both, in an access profile. You must do so for servers regardless of whether they are defined in an access profile or at the [edit access radius-server] hierarchy level.
To define RADIUS servers and to specify how the router interacts with the server:
This procedure shows only the [edit access radius-server] hierarchy level. You can optionally configure any of these parameters at the [edit access profile profile-name radius-server] hierarchy level, either in addition to the global setting or instead of it. When you apply a profile, the profile settings override the global configuration.
- Specify the IPv4 or IPv6 address of the RADIUS server.
  [edit access]
  user@host# edit radius-server server-address
- (Optional) Configure the RADIUS server accounting port number.
  [edit access radius-server server-address]
  user@host# set accounting-port port-number
- (Optional) Configure the port number the router uses to contact the RADIUS server.
  [edit access radius-server server-address]
  user@host# set port port-number
- Configure the required secret (password) that the local router passes to the RADIUS client. Secrets enclosed in quotation marks can contain spaces.
  [edit access radius-server server-address]
  user@host# set secret password
- (Optional) Configure the maximum number of outstanding requests that a RADIUS server can maintain. An outstanding request is a request to which the RADIUS server has not yet responded.
  [edit access radius-server server-address]
  user@host# set max-outstanding-requests value
- Configure the source address for the RADIUS server. Each RADIUS request sent to a RADIUS server uses the specified source address. The source address is a valid IPv4 or IPv6 address configured on one of the router interfaces.
  [edit access radius-server server-address]
  user@host# set source-address source-address
- (Optional) Configure retry and timeout values for authentication and accounting messages.
  - Configure how many times the router attempts to contact a RADIUS server when it has received no response.
    [edit access radius-server server-address]
    user@host# set retry number
  - Configure how long the router waits to receive a response from a RADIUS server before retrying the contact.
    [edit access radius-server server-address]
    user@host# set timeout seconds
Note The maximum retry duration (the number of retries times the length of the timeout) cannot exceed 2700 seconds. An error message is displayed if you configure a longer duration.
Note The retry and timeout settings apply to both authentication and accounting messages unless you configure both the accounting-retry statement and the accounting-timeout statement. In that case, the retry and timeout settings apply only to authentication messages.
- (Optional) Configure retry and timeout values for accounting messages separate from the settings for authentication messages.
Note You must configure both the accounting-retry and the accounting-timeout statements. If you do not, then the value you configure is ignored in favor of the values configured with the retry and timeout statements.
  - Configure how many times the router attempts to send accounting messages to the RADIUS accounting server when it has received no response.
    [edit access radius-server server-address]
    user@host# set accounting-retry number
  - Configure how long the router waits to receive a response from a RADIUS accounting server before retrying the request.
    [edit access radius-server server-address]
    user@host# set accounting-timeout seconds
- (Optional) Configure the router to contact the RADIUS server for logical line identification (LLID) preauthentication requests. See RADIUS Logical Line Identification.
- (Optional) Configure the port that the router monitors for dynamic (CoA) requests from the specified server. See Dynamic Service Management with RADIUS.
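The two notes in the retry and timeout steps above interact: accounting-retry and accounting-timeout count only when both are set, and retry times timeout may not exceed 2700 seconds. The following added example (not Juniper's code) models how the effective per-server timers resolve under those rules; the statement names are taken from the page, while the default retry and timeout values used for an unconfigured server are an assumption of this model.

```python
from dataclasses import dataclass
from typing import Optional

MAX_RETRY_DURATION = 2700  # seconds; retry * timeout may not exceed this

# Assumed defaults used when a server has no retry/timeout statements.
DEFAULT_RETRY = 3
DEFAULT_TIMEOUT = 3


@dataclass(frozen=True)
class EffectiveTimers:
    auth_retry: int
    auth_timeout: int
    acct_retry: int
    acct_timeout: int

    @property
    def auth_duration(self) -> int:
        """Worst-case seconds spent on one server before an authentication
        request gives up on it and moves on."""
        return self.auth_retry * self.auth_timeout

    @property
    def acct_duration(self) -> int:
        return self.acct_retry * self.acct_timeout


def retry_duration_ok(retry: int, timeout: int) -> bool:
    """True when retry * timeout stays within the 2700-second maximum."""
    return retry * timeout <= MAX_RETRY_DURATION


def effective_timers(server: dict) -> EffectiveTimers:
    """`server` maps Junos statement names to values, for example
    {'retry': 3, 'timeout': 5, 'accounting-retry': 2, 'accounting-timeout': 10}."""
    retry = server.get("retry", DEFAULT_RETRY)
    timeout = server.get("timeout", DEFAULT_TIMEOUT)
    if not retry_duration_ok(retry, timeout):
        raise ValueError(
            f"retry * timeout = {retry * timeout} s exceeds {MAX_RETRY_DURATION} s")

    acct_retry: Optional[int] = server.get("accounting-retry")
    acct_timeout: Optional[int] = server.get("accounting-timeout")
    if acct_retry is not None and acct_timeout is not None:
        # Both accounting statements present: they govern accounting messages,
        # and retry/timeout then apply to authentication messages only.
        if not retry_duration_ok(acct_retry, acct_timeout):
            raise ValueError(
                f"accounting-retry * accounting-timeout = {acct_retry * acct_timeout} s "
                f"exceeds {MAX_RETRY_DURATION} s")
    else:
        # Only one (or neither) accounting statement configured: a lone value is
        # ignored and accounting messages fall back to retry/timeout.
        acct_retry, acct_timeout = retry, timeout

    return EffectiveTimers(retry, timeout, acct_retry, acct_timeout)


if __name__ == "__main__":
    # accounting-timeout is missing, so accounting-retry is ignored here.
    t = effective_timers({"retry": 3, "timeout": 5, "accounting-retry": 2})
    print(f"auth {t.auth_retry}x{t.auth_timeout}s, acct {t.acct_retry}x{t.acct_timeout}s")
```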
Configuring Options that Apply to All RADIUS Servers
You can configure RADIUS options that apply to all RADIUS servers globally.
To configure RADIUS options globally:
- Specify that you want to configure RADIUS options.
  [edit access]
  user@host# edit radius-options
- (Optional) Configure the rate at which RADIUS interim update requests are sent to the server.
  [edit access radius-options]
  user@host# set interim-rate interim-rate
- (Optional) Configure the maximum allowed deviation from the configured update interval at which the router sends interim accounting updates to the RADIUS server. The tolerance is relative to the configured update interval.
  For example, if the tolerance is set to 60 seconds, then the router sends interim accounting updates no sooner than 30 seconds earlier than the configured update interval. When a subscriber logs in, the first interim accounting update may be sent up to 30 seconds early (on average 15 seconds early).
  You configure the update interval with the update-interval statement at the [edit access profile profile-name accounting] hierarchy level.
  [edit access radius-options]
  user@host# set interim-update-tolerance seconds
- (Optional) Configure the number of requests per second that the router can send to all configured RADIUS servers collectively. Limiting the flow of requests from the router to the RADIUS servers enables you to prevent the RADIUS servers from being flooded with requests.
  [edit access radius-options]
  user@host# set request-rate rate
- (Optional) Configure the number of seconds that the router waits after a server has become unreachable before rechecking the connection. If the router reaches the server when the revert interval expires, the server is then used according to the order of the server list.
  [edit access radius-options]
  user@host# set revert-interval interval
Note You can also configure the revert-interval in an access profile to override this global value. See Configuring Access Profile Options for Interactions with RADIUS Servers.
- (Optional) Configure the duration of a period during which unresponsive RADIUS authentication servers are not yet considered to be unreachable or down. You can vary the period depending on whether you want to redirect authentication requests more quickly to another server or provide the unresponsive server more time to recover and respond.
  See Configuring a Timeout Grace Period to Specify When RADIUS Servers Are Considered Down or Unreachable for more information.
  [edit access radius-options]
  user@host# set timeout-grace seconds
- (Optional) Configure a NAS-Port value that is unique across all MX Series routers in the network. You can configure a NAS-Port value that is unique within the router only, or unique across the different MX routers in the network.
  See Enabling Unique NAS-Port Attributes (RADIUS Attribute 5) for Subscribers for more information.
  [edit access radius-options]
  user@host# set unique-nas-port chassis-id chassis-id
  user@host# set unique-nas-port chassis-id-width chassis-id-width
Configuring a Timeout Grace Period to Specify When RADIUS Servers Are Considered Down or Unreachable
When a RADIUS authentication server fails to respond to any of the attempts for a given authentication request and times out, authd notes the time for reference, but it does not immediately mark the server as down (if other servers are available) or unreachable (if it is the only configured server). Instead, a configurable grace period timer starts at the reference time. The grace period is cleared if the server responds to a subsequent request before the period expires.
During the grace period, the server is not marked as down or unreachable. Each time the server times out for subsequent requests to that server, authd checks whether the grace period has expired. When the check determines that the grace period has expired and the server has still not responded to a request, the server is marked as unreachable or down.
Using a short grace period enables you to more quickly abandon an unresponsive server and direct authentication requests to other available servers. A long grace period gives a server more opportunities to respond and may avoid needlessly abandoning a resource. You might specify a longer grace period when you have only one or a small number of configured servers.
To configure the grace period during which an unresponsive RADIUS server is not marked as unreachable or down:
- Specify the duration of the grace period.
  [edit access radius-options]
  user@host# set timeout-grace seconds
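The grace-period behaviour described in this section, as an added example (not Juniper's code) that models it: a first timeout only records a reference time, later timeouts check that time against timeout-grace, and a response before expiry clears the period. The state names, the event API and the use of plain seconds as timestamps are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServerState:
    name: str
    timeout_grace: int              # configured timeout-grace, in seconds
    other_servers_available: bool   # decides "down" versus "unreachable"
    state: str = "up"
    grace_started_at: Optional[float] = None   # reference time of first timeout
    log: List[Tuple[float, str]] = field(default_factory=list)

    def on_timeout(self, now: float) -> str:
        """All attempts for one authentication request to this server timed out."""
        if self.state != "up":
            return self.state
        if self.grace_started_at is None:
            # First timeout: note the reference time and start the grace period.
            # The server is deliberately NOT marked down or unreachable yet.
            self.grace_started_at = now
            self.log.append((now, "grace period started"))
        elif now - self.grace_started_at >= self.timeout_grace:
            # Grace period expired and the server still has not responded.
            self.state = "down" if self.other_servers_available else "unreachable"
            self.log.append((now, f"marked {self.state}"))
        else:
            self.log.append((now, "timed out within grace period, still up"))
        return self.state

    def on_response(self, now: float) -> str:
        """The server answered a subsequent request."""
        if self.state == "up" and self.grace_started_at is not None:
            # A response before the grace period expires clears it.
            self.grace_started_at = None
            self.log.append((now, "grace period cleared"))
        return self.state


def run_scenario(grace: int, other_available: bool,
                 events: List[Tuple[float, str]]) -> RadiusServerState:
    """events is a time-ordered list of (seconds, 'timeout' | 'response')."""
    srv = RadiusServerState("radius1", grace, other_available)
    for t, ev in events:
        if ev == "timeout":
            srv.on_timeout(t)
        elif ev == "response":
            srv.on_response(t)
        else:
            raise ValueError(f"unknown event {ev!r}")
    return srv


if __name__ == "__main__":
    # Constructed scenario: timeouts at 0 s and 10 s, then again at 35 s with a
    # 30-second grace period and a second server configured.
    s = run_scenario(30, True, [(0, "timeout"), (10, "timeout"), (35, "timeout")])
    for t, msg in s.log:
        print(f"t={t:>4}s  {msg}")
```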
Configuring Access Profile Options for Interactions with RADIUS Servers
You can use an access profile to specify options that the router uses when communicating with RADIUS authentication and accounting servers for subscriber access. This procedure describes options that are available only in access profiles. For options that are available at both the access profile and global level, see RADIUS Servers and Parameters for Subscriber Access.
To configure RADIUS authentication and accounting server options:
- Specify that you want to configure RADIUS options.
- (Optional) Configure the format the router uses to identify the accounting session. The identifier can be in one of the following formats:
  decimal—The default format. For example, 435264
  description—In the format jnpr interface-specifier:subscriber-session-id. For example, jnpr fastEthernet 3/2.6:1010101010101
  [edit access profile profile-name radius options]
  user@host# set accounting-session-id-format (decimal | description)
- (Optional) Configure the delimiter character that the router inserts between values in RADIUS attribute 31 (Calling-Station-Id).
  [edit access profile profile-name radius options]
  user@host# set calling-station-id-delimiter "delimiter-character"
- (Optional) Configure the information that the router includes in RADIUS attribute 31 (Calling-Station-Id).
  See Configuring a Calling-Station-ID with Additional Options for detailed information.
  [edit access profile profile-name radius options]
  user@host# set calling-station-id-format parameter
- (Optional) Configure the router to use the optional behavior that inserts the random challenge generated by the NAS into the Request Authenticator field of Access-Request packets, rather than sending the random challenge as the CHAP-Challenge attribute (RADIUS attribute 60) in Access-Request packets. This optional behavior requires that the value of the challenge be 16 bytes; otherwise the statement is ignored and the challenge is sent as the CHAP-Challenge attribute.
  [edit access profile profile-name radius options]
  user@host# set chap-challenge-in-request-authenticator
- (Optional) Configure the method the router uses to access RADIUS authentication and accounting servers when multiple servers are configured:
  direct—The default method, in which there is no load balancing. The first server configured is the primary server; servers are accessed in order of configuration. If the primary server is unreachable, the router attempts to reach the second configured server, and so on.
  round-robin—The method that provides load balancing by rotating router requests among the list of configured RADIUS servers. The server chosen for access is rotated based on which server was used last. The first server in the list is treated as a primary for the first authentication request, but for the second request, the second server configured is treated as primary, and so on. With this method, all of the configured servers receive roughly the same number of requests on average so that no single server has to handle all of the requests.
Note When a RADIUS server in the round-robin list becomes unreachable, the next reachable server in the round-robin list is used for the current request. That same server is also used for the next request because it is at the top of the list of available servers. As a result, after a server failure, the server that is used takes up the load of two servers.
  To configure the method the router uses to access RADIUS accounting servers:
  [edit access profile profile-name radius options]
  user@host# set client-accounting-algorithm (direct | round-robin)
  To configure the method the router uses to access RADIUS authentication servers:
  [edit access profile profile-name radius options]
  user@host# set client-authentication-algorithm (direct | round-robin)
- (Optional) Configure the router to use the optional behavior when a CoA operation is unable to apply a requested change to a client profile dynamic variable.
  The optional behavior is that subscriber management does not apply any changes to client profile dynamic variables in the CoA request and then responds with a NACK. The default behavior is that subscriber management does not apply the incorrect update but does apply the other changes to the client profile dynamic variables, and then responds with an ACK message.
  [edit access profile profile-name radius options]
  user@host# set coa-dynamic-variable-validation
- (Optional) Configure the router to use a physical port type of virtual to authenticate clients. The port type is passed in RADIUS attribute 61 (NAS-Port-Type). By default the router passes a port type of ethernet in RADIUS attribute 61.
  [edit access profile profile-name radius options]
  user@host# set ethernet-port-type-virtual
Note This statement takes precedence over the nas-port-type statement if you include both in the same access profile.
- (Optional) Specify the information that is excluded from the interface description that the router passes to RADIUS for inclusion in RADIUS attribute 87 (NAS-Port-ID). By default, the interface description includes adapter, channel, and subinterface information.
  [edit access profile profile-name radius options]
  user@host# set interface-description-format (exclude-adapter | exclude-channel | exclude-subinterface)
- (Optional) For dual-stack PPP subscribers, include the IPv4-Release-Control VSA (26-164) in the Access-Request that is sent during on-demand IP address allocation and in the Interim-Accounting messages that are sent to report an address change.
  Optionally, configure a message that is included in the IPv4-Release-Control VSA (26-164) when it is sent to the RADIUS server.
  The configuration of this statement has no effect when on-demand IP address allocation or deallocation is not configured.
  [edit access profile profile-name radius options]
  user@host# set ip-address-change-notify message message
- (Optional) Add Juniper Networks access line VSAs to the RADIUS authentication and accounting request messages for subscribers. If the router has not received and processed the corresponding ANCP attributes from the access node, then AAA provides only the following in these RADIUS messages:
  Downstream-Calculated-QoS-Rate (IANA 4874, 26-141)—Default configured advisory transmit speed.
  Upstream-Calculated-QoS-Rate (IANA 4874, 26-142)—Default configured advisory receive speed.
  [edit access profile profile-name radius options]
  user@host# set juniper-access-line-attributes
  Starting in Junos OS Release 19.2R1, the juniper-access-line-attributes option replaces the juniper-dsl-attributes option. For backward compatibility with existing scripts, the juniper-dsl-attributes option redirects to the new juniper-access-line-attributes option. We recommend that you use juniper-access-line-attributes.
Note The juniper-access-line-attributes option is not backward compatible with Junos OS Release 19.1 or earlier releases. This means that if you have configured juniper-access-line-attributes option in Junos OS Release 19.2 or higher releases, you must perform the following steps to downgrade to Junos OS Release 19.1 or earlier releases:
Delete the juniper-access-line-attributes option from all access profiles that include it.
Perform the software downgrade.
Add the juniper-dsl-attributes option to the affected access profiles.
- (Optional) Configure the value for the client RADIUS attribute 32 (NAS-Identifier), which is used for authentication and accounting requests.
  [edit access profile profile-name radius options]
  user@host# set nas-identifier identifier-value
- (Optional) Configure the RADIUS client to use the extended format for RADIUS attribute 5 (NAS-Port) and specify the width of fields in the NAS-Port attribute, which specifies the physical port number of the NAS that is authenticating the user.
- (Optional) Configure the delimiter character that the router inserts between values in RADIUS attribute 87 (NAS-Port-Id).
  [edit access profile profile-name radius options]
  user@host# set nas-port-id-delimiter delimiter-character
- (Optional) Configure the optional information that the router includes in RADIUS attribute 87 (NAS-Port-Id). You can specify one or more options to appear in the default order. Alternatively, you can specify both the options and the order in which they appear. The orders are mutually exclusive and the configuration fails if you configure a NAS-Port-ID that includes values in both types of order.
  See Configuring a NAS-Port-ID with Additional Options and Configuring the Order in Which Optional Values Appear in the NAS-Port-ID for detailed information.
  [edit access profile profile-name radius options]
  user@host# set nas-port-id-format optional-parameters
- (Optional) Configure the port type that is included in RADIUS attribute 61 (NAS-Port-Type). This specifies the port type the router uses to authenticate subscribers.
  [edit access profile profile-name radius options]
  user@host# set nas-port-type port-type
Note This statement is ignored if you configure the ethernet-port-type-virtual in the same access profile.
- (Optional) Configure the LAC to override the configured Calling-Station-ID format for the value sent in the L2TP Calling Number AVP 22. You can override the Calling-Station-ID format and configure the LAC to use the ACI, the ARI, or both the ACI and ARI that are received from the L2TP client in the PADR packet. You can also specify a delimiter to use between components of the AVP string and a fallback value to use when the configured override components are not received in the PADR packet.
Note See Override the Calling-Station-ID Format for the Calling Number AVP for more information.
  [edit access profile profile-name radius options]
  user@host# set override calling-station-id remote-circuit-id
- (Optional) Override the value of the RADIUS NAS-IP-Address attribute (4) at the LNS with the value of the session's LAC endpoint IP address if it is present in the session database. If it is not present, the original attribute value is used.
  [edit access profile profile-name radius options]
  user@host# set override nas-ip-address tunnel-client-gateway-address
- (Optional) Override the value of the RADIUS NAS-Port attribute (5) at the LNS with the value from the session database if the LAC NAS port information was conveyed to the LNS in the Cisco Systems NAS Port Info AVP (100). If it is not present, the original attribute value is used.
  [edit access profile profile-name radius options]
  user@host# set override nas-port tunnel-client-nas-port
- (Optional) Override the value of the RADIUS NAS-Port-Type attribute (61) at the LNS with the value from the session database if the LAC NAS port information was conveyed to the LNS in the Cisco Systems NAS Port Info AVP (100). If it is not present, the original attribute value is used.
  [edit access profile profile-name radius options]
  user@host# set override nas-port-type tunnel-client-nas-port-type
- (Optional) Configure a delimiter character for the remote circuit ID string when you use the remote-circuit-id-format statement to configure the string to use instead of the Calling-Station-ID in L2TP Calling Number AVP 22. If more than one value is configured for the remote circuit ID format, the delimiter character is used as a separator between the concatenated values in the resulting remote circuit ID string.
Note You must configure the override calling-circuit-id remote-circuit-id statement for the remote circuit ID format to be used in the calling number AVP.
  [edit access profile profile-name radius options]
  user@host# set remote-circuit-id-delimiter "delimiter"
- (Optional) Configure the fallback value for the LAC to send in L2TP Calling Number AVP 22, either the configured Calling-Station-ID or the default underlying interface. Use of the fallback value is triggered when the components of the override string you configured with the remote-circuit-id-format statement—the ACI, the ARI, or both ACI and ARI—are not received by the LAC in the PPPoE Active Discovery Request (PADR) packet.
  [edit access profile profile-name radius options]
  user@host# set remote-circuit-id-fallback {configured-calling-station-id | default}
- (Optional) Configure the format of the string that overrides the Calling-Station-ID format in the L2TP Calling Number AVP. You can specify the ACI, the ARI, or both the ACI and ARI.
Note You must configure the override calling-circuit-id remote-circuit-id statement for the remote circuit ID format to be used in the calling number AVP.
  [edit access profile profile-name radius options]
  user@host# set remote-circuit-id-format format
- (Optional) Configure the number of seconds that the router waits after a server has become unreachable before making another attempt to reach the server. If the server is then reachable, it is used in accordance with the order of the server list.
  [edit access profile profile-name radius options]
  user@host# set revert-interval interval
Note You can also configure this option for all RADIUS servers. See Configuring Options that Apply to All RADIUS Servers.
- (Optional) Configure whether a newly authenticated subscriber can successfully log in when service activation failures related to configuration errors occur during authd processing of the activation request for the subscriber's address family. You can specify this behavior for services configured in dynamic profiles or in Extensible Subscriber Services Manager (ESSM) operation scripts:
  optional-at-login—Service activation is optional. Activation failure due to configuration errors does not prevent activation of the address family; it allows subscriber access. Service activation failures due to causes other than configuration errors cause network family activation to fail. The login attempt is terminated unless another address family is already active for the subscriber.
  required-at-login—Service activation is required. Activation failure for any reason causes network family activation to fail. The login attempt is terminated unless another address family is already active for the subscriber.
  [edit access profile profile-name radius options]
  user@host# set service-activation (dynamic-profile | extensible-service) (optional-at-login | required-at-login)
- (Optional) Specify that RADIUS attribute 5 (NAS-Port) includes the S-VLAN ID, in addition to the VLAN ID, for subscribers on Ethernet interfaces.
  [edit access profile profile-name radius options]
  user@host# set vlan-nas-port-stacked-format
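The direct and round-robin server-access methods described in this procedure, and the note that a server following a failed one ends up carrying two servers' load, as an added simulation (not Juniper's code). It assumes a round-robin primary that advances by one list position per request and falls through to the next reachable server; the function names and the use of a static set of unreachable servers are assumptions of the model.

```python
from collections import Counter
from typing import List, Optional, Set


def pick_direct(servers: List[str], unreachable: Set[str]) -> Optional[str]:
    """direct: the first configured server is primary; walk the list in order
    and use the first server that is reachable."""
    for s in servers:
        if s not in unreachable:
            return s
    return None  # every configured server is unreachable


def pick_round_robin(servers: List[str], unreachable: Set[str],
                     request_index: int) -> Optional[str]:
    """round-robin: the primary rotates with each request (request 0 starts at
    the first server, request 1 at the second, ...). An unreachable primary is
    skipped in favour of the next reachable server in rotation order."""
    n = len(servers)
    for offset in range(n):
        s = servers[(request_index + offset) % n]
        if s not in unreachable:
            return s
    return None


def selection_sequence(servers: List[str], unreachable: Set[str],
                       algorithm: str, requests: int) -> List[Optional[str]]:
    """Which server each of `requests` consecutive requests is sent to."""
    chosen: List[Optional[str]] = []
    for i in range(requests):
        if algorithm == "direct":
            chosen.append(pick_direct(servers, unreachable))
        elif algorithm == "round-robin":
            chosen.append(pick_round_robin(servers, unreachable, i))
        else:
            raise ValueError(f"unknown client algorithm {algorithm!r}")
    return chosen


def request_counts(servers: List[str], unreachable: Set[str],
                   algorithm: str, requests: int) -> Counter:
    """How many of the requests each server ended up handling."""
    return Counter(selection_sequence(servers, unreachable, algorithm, requests))


if __name__ == "__main__":
    # Constructed server list; the second server is unreachable. With
    # round-robin the third server takes both its own turn and the second's.
    servers = ["radius-a", "radius-b", "radius-c"]
    for algo in ("direct", "round-robin"):
        print(algo, selection_sequence(servers, {"radius-b"}, algo, 6))
        print("   load:", dict(request_counts(servers, {"radius-b"}, algo, 6)))
```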
Configuring a Calling-Station-ID with Additional Options
Use this section to configure an alternative value for the Calling-Station-ID (RADIUS IETF attribute 31) in an access profile on the MX Series router.
You can configure the Calling-Station-ID to include one or more of the following options, in any combination, at the [edit access profile profile-name radius options calling-station-id-format] hierarchy:
Agent circuit identifier (agent-circuit-id)—Identifier of the subscriber’s access node and the digital subscriber line (DSL) on the access node. The agent circuit identifier (ACI) string is stored in either the DHCP option 82 field of DHCP messages for DHCP traffic, or in the DSL Forum Agent-Circuit-ID VSA [26-1] of PPPoE Active Discovery Initiation (PADI) and PPPoE Active Discovery Request (PADR) control packets for PPPoE traffic.
Agent remote identifier (agent-remote-id)—Identifier of the subscriber on the digital subscriber line access multiplexer (DSLAM) interface that initiated the service request. The agent remote identifier (ARI) string is stored in either the DHCP option 82 field for DHCP traffic, or in the DSL Forum Agent-Remote-ID VSA [26-2] for PPPoE traffic.
Interface description (interface-description)—Value of the interface.
Interface text description (interface-text-description)—Text description of the interface. The interface text description is configured separately, using either the set interfaces interface-name description description statement or the set interfaces interface-name unit unit-number description description statement.
MAC address (mac-address)—MAC address of the source device for the subscriber.
NAS identifier (nas-identifier)—Name of the NAS that originated the authentication or accounting request. NAS-Identifier is RADIUS IETF attribute 32.
Stacked VLAN (stacked-vlan)—Stacked VLAN ID.
VLAN (vlan)—VLAN ID.
If you configure the format of the Calling-Station-ID with more than one optional value, a hash character (#) is the default delimiter that the router uses as a separator between the concatenated values in the resulting Calling-Station-ID string. Optionally, you can configure an alternative delimiter character for the Calling-Station-ID to use. The following example shows the order of output when you configure multiple optional values:
To configure an access profile to provide optional information in the Calling-Station-ID:
- Specify the access profile you want to configure.
  [edit]
  user@host# edit access profile profile-name
- Specify that you want to configure RADIUS options.
- Specify the nondefault character to use as the delimiter between the concatenated values in the Calling-Station-ID.
  By default, subscriber management uses the hash character (#) as the delimiter in Calling-Station-ID strings that contain more than one optional value.
  [edit access profile profile-name radius options]
  user@host# set calling-station-id-delimiter delimiter-character
- Configure the value for the NAS-Identifier (RADIUS attribute 32), which is used for authentication and accounting requests.
  [edit access profile profile-name radius options]
  user@host# set nas-identifier identifier-value
- Specify that you want to configure the format of the Calling-Station-ID.
  [edit access profile profile-name radius options]
  user@host# edit calling-station-id-format
- (Optional) Include the interface text description in the Calling-Station-ID.
  [edit access profile profile-name radius options calling-station-id-format]
  user@host# set interface-text-description
- (Optional) Include the interface description value in the Calling-Station-ID.
  [edit access profile profile-name radius options calling-station-id-format]
  user@host# set interface-description
- (Optional) Include the agent circuit identifier in the Calling-Station-ID.
  [edit access profile profile-name radius options calling-station-id-format]
  user@host# set agent-circuit-id
- (Optional) Include the agent remote identifier in the Calling-Station-ID.
  [edit access profile profile-name radius options calling-station-id-format]
  user@host# set agent-remote-id
- (Optional) Include the configured NAS identifier value in the Calling-Station-ID.
  [edit access profile profile-name radius options calling-station-id-format]
  user@host# set nas-identifier
- (Optional) Include the stacked VLAN ID in the Calling-Station-ID.
  [edit access profile profile-name radius options calling-station-id-format]
  user@host# set stacked-vlan
- (Optional) Include the VLAN ID in the Calling-Station-ID.
  [edit access profile profile-name radius options calling-station-id-format]
  user@host# set vlan
- (Optional) Include the MAC address in the Calling-Station-ID.
  [edit access profile profile-name radius options calling-station-id-format]
  user@host# set mac-address
Example: Calling-Station-ID with Additional Options in an Access Profile
The following example creates an access profile named retailer01 that configures a Calling-Station-ID string that includes the NAS-Identifier (fox), interface description, agent circuit identifier, and agent remote identifier options.
The resulting Calling-Station-ID string is formatted as follows:
fox*ge-1/2/0.100:100*as007*ar921
where:
The NAS-Identifier value is fox.
The Calling-Station-ID delimiter character is * (asterisk).
The interface description value is ge-1/2/0.100:100.
The agent circuit identifier value is as007.
The agent remote identifier value is ar921.
Consider an example where all options are configured, but no values are available for the Agent-Circuit-ID, the Agent-Remote-Id, or the stacked VLAN identifier. The other values are as follows:
NAS identifier—solarium
interface description—ge-1/0/0.1073741824:101
interface text description—example-interface
MAC address—00:00:5E:00:53:00
VLAN identifier—101
These values result in the following Calling-Station-ID:
Filtering RADIUS Attributes and VSAs from RADIUS Messages
Standard attributes and vendor-specific attributes (VSAs) received in RADIUS messages take precedence over internally provisioned attribute values. Filtering attributes consists of choosing to ignore certain attributes when they are received in Access Accept packets and to exclude certain attributes from being sent to the RADIUS server. Ignoring attributes received from the RADIUS server enables your locally provisioned values to be used instead. Excluding attributes from being sent is useful, for example, for attributes that do not change for the lifetime of a subscriber. It enables you to reduce the packet size without loss of information.
You can specify standard RADIUS attributes and VSAs that the router or switch subsequently ignores when they are received in RADIUS Access-Accept messages. You can also specify attributes and VSAs that the router or switch excludes from specified RADIUS message types. Exclusion means that the router or switch does not include the attribute in specified messages that it sends to the RADIUS server.
Starting in Junos OS Release 18.1R1, you can configure the router or switch to ignore or exclude RADIUS standard attributes and VSAs by specifying the standard attribute number or the IANA-assigned vendor ID and the VSA number, respectively. With this flexible configuration method, you can configure any standard attribute and VSA supported by your platform to be ignored or excluded. The configuration has no effect if you configure unsupported attributes, vendors, and VSAs.
The legacy method allows you to configure only those attributes and VSAs for which the statement syntax includes a specific option. Consequently, you can use the legacy method to ignore only a subset of all attributes that can be received in Access-Accept messages.
To configure the attributes ignored or excluded by your router or switch:
- Specify that you want to configure RADIUS in the access profile.
  [edit access profile profile-name]
  user@host# edit radius
- Specify that you want to configure how RADIUS attributes are filtered.
  [edit access profile profile-name radius]
  user@host# edit attributes
- (Optional) Specify one or more attributes you want your router or switch to ignore when the attributes are in Access-Accept messages.
  Legacy method: Specify the dedicated option for the attribute:
  [edit access profile profile-name radius attributes]
  user@host# set ignore attribute-name
  Flexible method: Specify the standard attribute number, or the IANA-assigned vendor ID and the VSA number:
  [edit access profile profile-name radius attributes]
  user@host# set ignore standard-attribute number
  user@host# set ignore vendor-id id-number vendor-attribute vsa-number
- (Optional) Configure an attribute that you want your router or switch to exclude from one or more specified RADIUS message types. You cannot configure a list of attributes, but you can specify a list of message types for each attribute.
  Legacy method: Specify the dedicated option for the attribute and the message type:
  [edit access profile profile-name radius attributes]
  user@host# set exclude attribute-name [packet-type]
  Flexible method: Specify the standard attribute number, or the IANA-assigned vendor ID and the VSA number, and the message type:
The following example compares the legacy and flexible configuration methods to ignore the standard RADIUS attribute, Framed-IP-Netmask (9), and the Juniper Networks VSAs, Ingress-Policy-Name (26-10) and Egress-Policy-Name (26-11).
Legacy method:
[edit access profile prof-ign radius attributes]
user@host# set ignore framed-ip-netmask input-filter output-filter
Flexible method:
[edit access profile prof-ign radius attributes]
user@host# set ignore standard-attribute 9
user@host# set ignore vendor-id 4874 vendor-attribute [ 10 11 ]
The following example compares the legacy and flexible configuration methods to exclude the standard RADIUS attribute, Framed-IP-Netmask (9), and the Juniper Networks VSAs, Ingress-Policy-Name (26-10) and Egress-Policy-Name (26-11).
Legacy method:
Flexible method: Specify the standard attribute number, or the IANA-assigned vendor ID and the VSA number, and the message type:
[edit access profile prof-exc radius attributes]
user@host# set exclude standard-attribute 9 packet-type accounting-stop
user@host# set exclude vendor-id 4874 vendor-attribute 10 packet-type [ accounting-start accounting-stop ]
user@host# set exclude vendor-id 4874 vendor-attribute 11 packet-type [ accounting-start accounting-stop ]
What happens if you specify an attribute with both methods in the same profile? The effective configuration is the logical OR of the two methods. Consider the following example for the standard attribute, accounting-delay-time (41):
The result is that the attribute is excluded from all four message types: Accounting-Off, Accounting-On, Accounting-Start, and Accounting-Stop. The effect is the same as if either of the following configurations is used:
- [edit access profile prof-3 radius attributes]
  user@host# set exclude accounting-delay-time [ accounting-off accounting-on accounting-start accounting-stop ]
- [edit access profile prof-3 radius attributes]
  user@host# set exclude standard-attribute 41 packet-type [ accounting-off accounting-on accounting-start accounting-stop ]
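The following Python model, added here as an illustration and not Junos code, shows the ignore and exclude semantics described in this section and in the prof-ign, prof-exc and prof-3 examples: ignored Access-Accept attributes fall back to locally provisioned values, excluded attributes are stripped per packet type, and legacy and flexible entries for one attribute are merged with a logical OR. The mapping of legacy option names to attribute numbers (framed-ip-netmask to 9, input-filter and output-filter to Juniper VSAs 10 and 11, accounting-delay-time to 41) is taken from the page's examples; any message contents are constructed sample data.

```python
"""Model of Junos-style RADIUS attribute filtering (illustration, not Junos code).

An attribute is keyed as (type, vendor_id, vsa_number); standard attributes
carry None in the vendor fields, VSAs are carried in type 26.
"""

JUNIPER_VENDOR_ID = 4874  # IANA vendor ID used in the page's flexible examples


def std(number):
    """Key for a standard RADIUS attribute, e.g. std(9) for Framed-IP-Netmask."""
    return (number, None, None)


def vsa(vendor_id, number):
    """Key for a vendor-specific attribute carried in type 26."""
    return (26, vendor_id, number)


# Legacy option names mapped to the attributes they denote (from the page's examples).
LEGACY_NAMES = {
    "framed-ip-netmask": std(9),
    "accounting-delay-time": std(41),
    "input-filter": vsa(JUNIPER_VENDOR_ID, 10),   # Ingress-Policy-Name (26-10)
    "output-filter": vsa(JUNIPER_VENDOR_ID, 11),  # Egress-Policy-Name (26-11)
}


def effective_exclude(legacy, flexible):
    """Merge {legacy-name: packet types} and {key: packet types} into one
    {key: set of packet types}; the set union is the logical OR of both methods."""
    merged = {}
    for name, types in legacy.items():
        merged.setdefault(LEGACY_NAMES[name], set()).update(types)
    for key, types in flexible.items():
        merged.setdefault(key, set()).update(types)
    return merged


def filter_outgoing(packet_type, attributes, exclude):
    """Return the (key, value) pairs that may be sent in a message of this type."""
    return [(k, v) for k, v in attributes if packet_type not in exclude.get(k, set())]


def apply_access_accept(received, local, ignore):
    """Received attributes override local values unless they are in the ignore set."""
    result = dict(local)
    result.update({k: v for k, v in received.items() if k not in ignore})
    return result
```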