JSRC and Subscribers on Static Interfaces

 

Subscribers on Static Interfaces Overview

You can associate subscribers with statically configured interfaces and provide dynamic service activation and deactivation for these subscribers. When the static interface comes up, the event is treated as a subscriber login. When the interface goes down, it is treated as a subscriber logout.

You can configure the static subscribers to be authenticated and authorized by means of RADIUS. In this case, RADIUS can then activate and deactivate services with change of authorization (CoA) messages. However, this configuration does not prevent the interface from coming up and forwarding traffic. Further, authorization parameters are not imposed on the subscriber interface.

Alternatively, you can use JSRC for dynamic service activation and deactivation for these subscribers. After the subscribers are present in the session database (SDB), JSRC can report the subscribers to the SAE so that the SRC software can subsequently manage the subscribers.

The following guidelines apply to static subscribers:

  • Static subscribers are supported only on Ethernet interfaces, static demux interfaces, and pseudowire interfaces over logical tunnels (PS/LT). PS/LT support, introduced in Junos OS Release 18.3R1, enables full subscriber management (equivalent to dynamic subscribers) for statically provisioned subscribers whose traffic is transported over IP/MPLS access models.

  • Only one static subscriber can exist over a given interface.

  • An interface cannot appear in more than one group.

  • Static subscribers cannot be created over dynamic interfaces.

Static subscribers are intended to work with JSRC. Include the provisioning-order jsrc statement at the [edit access profile profile-name] hierarchy level to enable JSRC to handle the subscribers at the direction of the SRC software.

If the authentication request fails for a static subscriber, a 60-minute, nonconfigurable timer begins counting down. The request is reissued when the timer expires. This action repeats for as long as the interface is operationally up.

You can force a logout of the static subscriber by issuing the request services static-subscribers logout interface interface-name command. A static subscriber can also be logged out by AAA or an external policy manager. In both cases, no subsequent logins can take place on the underlying interface until you reset the state by issuing the request services static-subscribers login interface interface-name command or the router or process reboots.

You can log out an interface group by issuing the request services static-subscriber logout group group-name command. You can subsequently log in a group of interfaces by issuing the request services static-subscriber login group group-name command.

No new CLI statements are required to configure the dynamic profile for static subscribers. The dynamic profile can be very simple; it is activated at login and deactivated at logout. If you do not configure a profile, then the junos-default-profile is automatically activated.

During a graceful Routing Engine switchover (GRES) event, active static subscribers are recovered, inactive subscribers are cleaned up, and logout continues for subscribers that were in the process of logging out.

Include the static-subscribers statement at the [edit system services] hierarchy level to configure static subscribers. Include the traceoptions statement at the [edit system processes static-subscribers] hierarchy level to configure tracing operations for static subscribers.

You can configure the access profile, dynamic profile, service profile, and authentication parameters for all static subscribers or for a particular group of static subscribers:

  • To configure the access profile that triggers AAA services for the static subscriber for all static subscribers, include the access-profile statement at the [edit system services static-subscribers] hierarchy level. Alternatively, include this statement at the [edit system services static-subscribers group group-name] hierarchy level to apply the profile to a specific group and override a top-level configuration.

  • To configure the dynamic profile that is instantiated when the static subscriber logs in for all static subscribers, include the dynamic-profile statement at the [edit system services static-subscribers] hierarchy level. Alternatively, include this statement at the [edit system services static-subscribers group group-name] hierarchy level to apply the profile to a specific group and override a top-level configuration. Do not specify a dynamic profile that creates a dynamic interface.

  • To configure the service profile for all static subscribers at the global level and at the group level, include the service-profile statement at the [edit system services static-subscribers group group-name] hierarchy level.

  • To configure the authentication parameters that trigger an Access-Request message to AAA for all static subscribers, include the authentication statement at the [edit system services static-subscribers] hierarchy level. Alternatively, include the statement at the [edit system services static-subscribers group group-name] hierarchy level to configure authentication for a specific group and override a top-level configuration. If you do not configure authentication, then by default the interface name is modified and used as the default username for the subscriber session and the authentication request.

The configurable authentication parameters include the password and details of how the username is formed. Include the password statement at the [edit system services static-subscribers authentication] hierarchy level to configure the authentication password for all static subscribers. Alternatively, include the statement at the [edit system services static-subscribers group group-name authentication] hierarchy level to configure authentication for a specific group and override a top-level configuration.

The username that is sent to AAA for authentication must include at least one of the following attributes:

  • Domain name

  • User prefix

  • Interface name

  • Logical system name

  • Routing instance name

To configure how the username is formed for all static subscribers, include the desired statements at the [edit system services static-subscribers authentication] hierarchy level: domain-name, user-prefix, logical-system-name, or routing-instance-name. Alternatively, include the desired statements at the [edit system services static-subscribers group group-name authentication] hierarchy level to configure the username for a specific group and override a top-level configuration.

If you change the authentication configuration for an existing group or for static subscribers globally, the change has no effect on existing static subscribers. The changes are applied only to any new logins that are attempted after you commit the changes.

A group configuration must specify all the interfaces that you expect to support static subscribers. Include the interface statement at the [edit system services static-subscribers group group-name] hierarchy level to specify the interfaces. This statement enables you to specify a single interface or a range of interfaces.

You must also statically configure these interfaces before any static subscribers can be supported on them. You must configure the static interfaces in the same logical system and routing instance as the group that includes the interfaces.

If you change the interfaces that are included in an existing interface group, existing static subscribers are automatically logged out and then back in when you commit the changes. However, changes made to the configuration of the interface itself have no effect on the login or logout state of the static subscriber associated with that interface.

By default, multiple subscribers are not supported on top of the same VLAN logical interface. If you want to support this behavior, then you can manage multiple subscribers on a single logical interface in one of two ways. You can either merge attributes such as firewall filters and CoS attributes for the multiple subscribers, or you can replace the current attributes with those of a new subscriber whenever a new subscriber logs into the underlying VLAN logical interface.

  • To enable attribute merging for all static interfaces, include the aggregate-clients merge statement at the [edit system services static-subscribers] hierarchy level. Alternatively, include this statement at the [edit system services static-subscribers group group-name] hierarchy level to enable attribute merging for a specific group of static interfaces and override a top-level configuration.

  • To enable attribute replacement for all static interfaces, include the aggregate-clients replace statement at the [edit system services static-subscribers] hierarchy level. Alternatively, include this statement at the [edit system services static-subscribers group group-name] hierarchy level to enable attribute replacement for a specific group of static interfaces and override a top-level configuration.

Benefits of Subscribers on Static Interfaces

  • Enables you to configure a service profile for static subscribers.

  • Provides dynamic service activation for the associated subscribers with statically configured interfaces.

  • Provides a competitive advantage through RFC compliance.

Subscribers over Static Interfaces Configuration Overview

This topic describes the procedure for configuring subscribers over static interfaces (static subscribers).

Before you configure subscribers over static interfaces, perform the following tasks:

  • Configure the static interfaces on which you want to create and manage subscribers.

  • Create an access profile to trigger AAA services for static subscribers.

  • Create a dynamic profile that is instantiated when static subscribers log in.

To configure static subscribers:

  1. Specify the global access profile that triggers AAA services for static subscribers.

    See Specifying the Static Subscriber Global Access Profile.

  2. Specify the global dynamic profile that is instantiated when static subscribers log in.

    See Specifying the Static Subscriber Global Dynamic Profile.

  3. Configure the global method to handle multiple subscribers on a VLAN logical interface.

    See Enabling Multiple Subscribers on a VLAN Logical Interface for All Static Subscribers.

  4. Configure the global authentication password for static subscribers.

    See Configuring the Static Subscriber Global Authentication Password.

  5. Configure the global username for static subscribers.

    See Configuring the Static Subscriber Global Username.

  6. Configure a group of subscribers to share values different from the global configuration.

    See Creating a Static Subscriber Group.

  7. Specify the access profile for the static subscriber group.

    See Specifying the Static Subscriber Group Access Profile.

  8. Specify the dynamic profile for the static subscriber group.

    See Specifying the Static Subscriber Group Dynamic Profile.

  9. Specify the service profile for the static subscriber group.

    See Specifying the Static Subscriber Group Service Profile.

  10. Configure the method to handle multiple subscribers on a VLAN logical interface for a static subscriber group.

    See Enabling Multiple Subscribers on a VLAN Logical Interface for a Static Subscriber Group.

  11. Configure the authentication password for the static subscriber group.

    See Configuring the Static Subscriber Group Authentication Password.

  12. Configure the username for the static subscriber group.

    See Configuring the Static Subscriber Group Username.

  13. (Optional) Force a static subscriber to be logged out from an interface.

    See Forcing a Static Subscriber to Be Logged Out.

  14. (Optional) Enable an interface to accept static subscriber logins.

    See Resetting the State of an Interface for Static Subscriber Login.

  15. (Optional) Force static subscribers to be logged out from a group of interfaces.

    See Forcing a Group of Static Subscribers to Be Logged Out.

  16. (Optional) Enable a group of interfaces to accept static subscriber logins.

    See Resetting the State of an Interface Group for Static Subscriber Login.

  17. Configure trace options for troubleshooting the configuration.

    See Tracing Static Subscriber Events for Troubleshooting.

Example: Configuring Static Subscribers for Subscriber Access

This example shows a static subscriber configuration.

  1. Configure the access profile to be used for static subscribers.
  2. Configure the dynamic profile to be used for static subscribers.

    If you do not configure this profile, the default profile, junos-default-profile, is used.

  3. Configure the static interfaces on which to layer the static subscribers.
  4. Configure the parameters that apply globally to all static subscribers in the configuration context.
  5. If you want to override the global parameters for certain static subscribers, create a group of static interfaces for those subscribers and configure parameters to apply to that group. Repeat this step for as many groups as you need.
  6. Configure tracing options for static subscriber events.

Specifying the Static Subscriber Global Access Profile

You specify a previously created access profile that triggers AAA services for all static subscribers. This value can be overridden for a group of static subscribers when a different profile is configured for that group.

To specify the access profile used for all static subscribers:

  • Specify the profile name.

Specifying the Static Subscriber Global Dynamic Profile

You specify a previously created dynamic profile that is instantiated when a static subscriber logs in. This profile is used for all static subscribers. This value can be overridden for a group of static subscribers when a different profile is configured for that group.

To specify the dynamic profile used for all static subscribers:

  • Specify the profile name.

Enabling Multiple Subscribers on a VLAN Logical Interface for All Static Subscribers

For a given interface, only a single static subscriber (or group) is logged in. Although we do not recommend this practice, you might have other kinds of subscribers configured on the same interface, such as a DHCP subscriber managed by the DHCP application. You can use the aggregate-clients statement to extend the dynamic profile for all static subscribers to enable multiple subscribers to share the same VLAN logical interface.

You can specify that attributes (such as CoS or firewall) for the multiple subscribers are merged for the logical interface. That is, the profiles for multiple subscribers of different types are instantiated on the interface, but the profile attributes of each are merged together. Alternatively, you can specify that the instantiated profile for the current subscriber is replaced by the profile of a new subscriber that logs in using the same logical interface. This configuration can be overridden for a group of static subscribers when a different configuration is applied for that group.

Note

The aggregate-clients statement is not supported for enhanced subscriber management.

To enable multiple subscribers to share the same VLAN logical interface for all static subscribers, do one of the following:

  • Specify that the multiple subscriber attributes are merged for the logical interface.

  • Specify that the entire logical interface is replaced when a new subscriber logs into the network using the same VLAN logical interface.

Configuring the Static Subscriber Global Authentication Password

You configure a password that is included in the Access-Request message sent to AAA to authenticate all static subscribers. This value can be overridden for a group of static subscribers when a different password is configured for that group.

To specify the authentication password used for all static subscribers:

  • Specify the password.

Configuring the Static Subscriber Global Username

You configure how the username is formed. The username serves as the username for all static subscribers that are created and is included in the Access-Request message sent to AAA to authenticate all static subscribers. This value can be overridden for a group of static subscribers when a different username is configured for that group.

The username must include at least one of the possible elements. The value of each element is concatenated in a specific order; the resulting string is the username. If you specify their inclusion, the interface name, logical system name, routing instance name, and VLAN tags are derived from the configuration context. The elements are ordered as follows (shown with the default delimiter):

user-prefix.interface.outer-tag-inner-tag.logical-system-name.routing-instance-name@domain-name

To configure the username for all static subscribers:

  1. (Optional) Specify a prefix for the username.
  2. (Optional) Specify that the interface name is included in the username.
  3. (Optional) Specify that the VLAN tags (VLAN IDs) associated with the static interface are included in the username. For single-tagged VLANs, the component is the outer-tag. For dual-tagged (stacked) VLANs, the component is outer-tag-inner-tag. For IP demux interfaces configured for static subscribers, the VLAN tags configured on the underlying interface are used.
  4. (Optional) Specify that the logical system name is included in the username.
  5. (Optional) Specify that the routing instance name is included in the username.
  6. (Optional) Specify a domain name to include in the username.
  7. (Optional) Specify a delimiter character to separate the username elements except for the domain name. The domain name is always preceded by the @ character. The default delimiter is a period (.).

Consider the following configuration:

Configured in the default logical system and master routing instance for interface ge-0/1/1.100, this sample configuration generates the following username:

Building5.ge-0-1-1-100.default.master@campus.example.com

Now consider a different configuration, where the static interface has a dual-tagged VLAN, with an outer VLAN ID of 4040 and an inner VLAN ID of 3000:

This sample configuration generates the following username:

Floor12$4040-3000@Bldg5.example.com

Even though a delimiter of $ is configured, outer and inner VLAN IDs are always separated by - and the domain name is always separated from preceding elements by @.

Creating a Static Subscriber Group

You can override the configuration that is applied globally to static subscribers by creating a static subscriber group that consists of a set of statically configured interfaces. You can then apply a common configuration for the group with values different from the global values for access and dynamic profiles, password, and username.

To configure an interface group for static subscribers:

  1. Access the [edit system services static-subscribers] hierarchy level.
  2. Create the group and assign the name.
  3. Specify the names of one or more interfaces on which static subscribers can be created. You can repeat the interface interface-name statement to specify multiple interfaces within the group, but you cannot use the same interface in more than one group.
  4. (Optional) You can use the upto upto-interface-name option to specify a range of interfaces for a group.
  5. (Optional) You can use the exclude option to exclude a specific interface or a specified range of interfaces from the group. For example:

Specifying the Static Subscriber Group Access Profile

You can override the configured global access profile by specifying a different profile for a group of static subscribers. The access profile triggers AAA services for that group of static subscribers.

To specify the access profile used for a group of static subscribers:

  • Specify the profile name.

Specifying the Static Subscriber Group Dynamic Profile

You can override the configured global dynamic profile by specifying a different profile for a group of static subscribers. The dynamic profile is instantiated when any static subscriber in the group logs in.

To specify the dynamic profile used for a group of static subscribers:

  • Specify the profile name.

Specifying the Static Subscriber Group Service Profile

From Junos OS Release 17.4R1 onwards, you can specify a service profile so that a default dynamic service profile is applied to a static subscriber session when the external policy server is unavailable. The service profile can be specified at the group level and at the global level. Specify the service-profile statement at the [edit system services static-subscribers group group-name] hierarchy level.

To specify the service profile used for a group of static subscribers:

  • Specify the dynamic service profile name.

Enabling Multiple Subscribers on a VLAN Logical Interface for a Static Subscriber Group

For a given interface, only a single static subscriber group (or static subscriber) is logged in. Although we do not recommend this practice, you might have other kinds of subscribers configured on the same interface, such as a DHCP subscriber managed by the DHCP application. You can use the aggregate-clients statement to extend the dynamic profile for a static subscriber group to enable multiple subscribers to share the same VLAN logical interface.

You can specify that attributes (such as CoS or firewall) for the multiple subscribers are merged for the logical interface. That is, the profiles for multiple subscribers of different types are instantiated on the interface, but the profile attributes of each are merged together. Alternatively, you can specify that the instantiated profile for the current subscriber group is replaced by the profile of a new subscriber that logs in using the same logical interface. This configuration overrides the configuration applied to all static subscribers that are not members of the group.

To enable multiple subscribers to share the same VLAN logical interface for a static subscriber group, do one of the following:

  • Specify that the multiple subscriber attributes are merged for the logical interface.

  • Specify that the entire logical interface is replaced when a new subscriber logs into the network using the same VLAN logical interface.

Configuring the Static Subscriber Group Authentication Password

You can override the configured global authentication password by specifying a different password for a group of static subscribers. This password is included in the Access-Request message sent to AAA to authenticate all static subscribers in the group.

To specify the authentication password used for a group of static subscribers:

  • Specify the password.

Configuring the Static Subscriber Group Username

You can override the configured global username by specifying a different username for a group of static subscribers. The username serves as the username for a group of static subscribers that is created and is included in the Access-Request message sent to AAA to authenticate that group.

The username must include at least one of the possible elements. The value of each element is concatenated in a specific order; the resulting string is the username. If you specify their inclusion, the interface name, logical system name, routing instance name, and VLAN tags are derived from the configuration context. The elements are ordered as follows (shown with the default delimiter):

user-prefix.interface.outer-tag-inner-tag.logical-system-name.routing-instance-name@domain-name

To configure the username for a group of static subscribers:

  1. (Optional) Specify a prefix for the username.
  2. (Optional) Specify that the interface name is included in the username.
  3. (Optional) Specify that the VLAN tags (VLAN IDs) associated with the static interface are included in the username. For single-tagged VLANs, the component is the outer-tag. For dual-tagged (stacked) VLANs, the component is outer-tag-inner-tag. For IP demux interfaces configured for static subscribers, the VLAN tags configured on the underlying interface are used.
  4. (Optional) Specify that the logical system name is included in the username.
  5. Specify that the routing instance name is included in the username.
  6. Specify a domain name to include in the username.
  7. (Optional) Specify a delimiter character to separate the username elements except for the domain name. The domain name is always preceded by the @ character. The default delimiter is a period (.).

Consider the following configuration for the subscriber group, shipping:

Configured in the default logical system and routing instance R5 for interface ge-0/1/2.50, this sample configuration generates the following username:

warehouse3.ge-0-1-2-50.default.R5@campus.example.com

Now consider a different configuration for the same subscriber group, where the static interface has a single-tagged VLAN with an outer VLAN ID of 2101:

This sample configuration generates the following username:

warehouse3%2101@Bldg5.example.com

Even though a delimiter of % is configured, the domain name is always separated from preceding elements by @.
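
The username rules from the global and group username sections above, modeled as an added Python example; it is not Juniper code and not Junos configuration syntax. The class and function names are hypothetical, and two behaviors are assumptions inferred from the sample usernames on this page: the interface-name rewrite (/ and . become -) and skipping the VLAN component on an untagged interface. shared_usernames reports element choices that make several interfaces present the same username to AAA, which is worth checking before provisioning RADIUS entries.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class UsernameElements:
    """Elements selected for the username (hypothetical model, not Junos syntax)."""
    user_prefix: Optional[str] = None
    interface: bool = False
    vlan_tags: bool = False
    logical_system_name: bool = False
    routing_instance_name: bool = False
    domain_name: Optional[str] = None
    delimiter: str = "."  # the default delimiter is a period


@dataclass(frozen=True)
class StaticInterface:
    """Configuration context from which the derived elements are taken."""
    name: str                        # e.g. "ge-0/1/1.100"
    vlan_tags: Tuple[int, ...] = ()  # (outer,) or (outer, inner)
    logical_system: str = "default"
    routing_instance: str = "master"


def modified_interface_name(name: str) -> str:
    # Assumption inferred from the page's samples: "/" and "." become "-".
    return name.replace("/", "-").replace(".", "-")


def build_username(cfg: UsernameElements, ifc: StaticInterface) -> str:
    """Concatenate the selected elements in the documented order."""
    parts: List[str] = []
    if cfg.user_prefix:
        parts.append(cfg.user_prefix)
    if cfg.interface:
        parts.append(modified_interface_name(ifc.name))
    if cfg.vlan_tags and ifc.vlan_tags:  # assumption: untagged adds nothing
        if len(ifc.vlan_tags) > 2:
            raise ValueError("expected at most an outer and an inner VLAN tag")
        # Outer and inner IDs are always joined by "-", whatever the delimiter.
        parts.append("-".join(str(tag) for tag in ifc.vlan_tags))
    if cfg.logical_system_name:
        parts.append(ifc.logical_system)
    if cfg.routing_instance_name:
        parts.append(ifc.routing_instance)
    if not parts and not cfg.domain_name:
        raise ValueError("the username must include at least one element")
    username = cfg.delimiter.join(parts)
    if cfg.domain_name:
        username += "@" + cfg.domain_name  # the domain is always preceded by "@"
    return username


def shared_usernames(cfg: UsernameElements,
                     interfaces: Iterable[StaticInterface]) -> Dict[str, List[str]]:
    """Return usernames that more than one interface would send to AAA."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for ifc in interfaces:
        seen[build_username(cfg, ifc)].append(ifc.name)
    return {user: names for user, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed inventory: two ports that both carry VLAN 2101.
    shipping = UsernameElements(user_prefix="warehouse3", vlan_tags=True,
                                domain_name="Bldg5.example.com", delimiter="%")
    ports = [StaticInterface("ge-0/1/2.50", vlan_tags=(2101,)),
             StaticInterface("ge-0/1/3.50", vlan_tags=(2101,))]
    for ifc in ports:
        print(ifc.name, "->", build_username(shipping, ifc))
    print("shared:", shared_usernames(shipping, ports))
```

When a username omits the interface name, interfaces that reuse the same VLAN IDs authenticate under one identity, so AAA records cannot tell them apart.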

Release History Table

Release: 18.3R1
Description: PS/LT support, introduced in Junos OS Release 18.3R1, enables full subscriber management (equivalent to dynamic subscribers) for statically provisioned subscribers whose traffic is transported over IP/MPLS access models.