
Configuring RADIUS Server Parameters for Subscriber Access

Include the radius statement at the [edit access profile profile-name] hierarchy level to specify the RADIUS parameters for the subscriber access manager feature. You can specify the IP addresses of the RADIUS servers used for authentication and accounting, options that provide configuration information for the RADIUS servers, and how RADIUS attributes are used.

Specifying RADIUS Authentication and Accounting Servers for Subscriber Access

You can specify one or more RADIUS authentication or accounting servers to use for subscriber access management.

To configure RADIUS authentication and accounting support:

  1. Specify that you want to configure RADIUS support.
    [edit access profile isp-bos-metro-fiber-basic]
    user@host# edit radius
  2. Specify the IP address of the RADIUS server used for authentication.
    [edit access profile isp-bos-metro-fiber-basic radius]
    user@host# set authentication-server 192.168.1.251
  3. Specify the IP address of the RADIUS server used for accounting.
    [edit access profile isp-bos-metro-fiber-basic radius]
    user@host# set accounting-server 192.168.1.250

To configure multiple RADIUS authentication or accounting servers:

Configuring RADIUS Server Options for Subscriber Access

You can configure a variety of options used by the RADIUS authentication and accounting servers.

To configure RADIUS authentication and accounting server options:

  1. Specify that you want to configure RADIUS.
    [edit access profile isp-bos-metro-fiber-basic]
    user@host# edit radius
  2. Specify that you want to configure RADIUS options.
    [edit access profile isp-bos-metro-fiber-basic radius]
    user@host# edit options
  3. (Optional) Configure the format the router uses to identify the accounting session. You can specify either decimal or description. The router uses decimal format by default.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set accounting-session-id-format decimal
  4. (Optional) Configure the router to use a port type of virtual to authenticate clients. The port type is passed in RADIUS attribute 61 (NAS-Port-Type). By default, the router passes a port type of ethernet in RADIUS attribute 61.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set ethernet-port-type-virtual
  5. (Optional) Specify the information that is included in or omitted from the interface description that the router passes to RADIUS for inclusion in RADIUS attribute 87 (NAS-Port-Id). By default, the router includes both the subinterface and the adapter in the interface description.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set interface-description-format adapter
  6. (Optional) Configure the value for the client RADIUS attribute 32 (NAS-Identifier), which is used for authentication and accounting requests. You can specify a string in the range 1 to 64 characters.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set nas-identifier 56
  7. (Optional) Configure the RADIUS client to use the extended format for RADIUS attribute 5 (NAS-Port) and specify one of the following options for the width of the fields in the NAS-Port attribute:
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set nas-port-extended-format port-width 16
  8. (Optional) Configure the number of seconds that the router waits after a server has become unreachable. The router rechecks the connection to the server when the revert-interval expires. If the server is then reachable, it is used in accordance with the order of the server list.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set revert-interval 1200
  9. (Optional) Specify that RADIUS attribute 5 (NAS-Port) includes the S-VLAN ID, in addition to the VLAN ID, for subscribers on Ethernet interfaces.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set vlan-nas-port-stacked-format

Configuring How RADIUS Attributes Are Used for Subscriber Access

You can specify the attributes RADIUS ignores in RADIUS Access-Accept messages, and the attributes RADIUS excludes from specified message types.

To configure the attributes RADIUS ignores or excludes:

  1. Specify that you want to configure RADIUS.
    [edit access profile isp-bos-metro-fiber-basic]
    user@host# edit radius
  2. Specify that you want to configure how RADIUS attributes are ignored or excluded.
    [edit access profile isp-bos-metro-fiber-basic radius]
    user@host# edit attributes
  3. Specify the attributes you want RADIUS to ignore when the attributes are in Access-Accept messages. See Table 5 for the attributes you can configure.
    [edit access profile isp-bos-metro-fiber-basic radius attributes]
    user@host# set ignore input-filter output-filter
  4. Configure RADIUS to exclude the specified attribute from the specified RADIUS message type. See Table 6 for the attributes and message type combinations you can configure.
    [edit access profile isp-bos-metro-fiber-basic radius attributes]
    user@host# set exclude input-filter output-filter

You use the ignore statement to configure the router to ignore a particular attribute in RADIUS Access-Accept messages. By default, the router processes the attributes received from the external AAA server. Table 5 lists the attributes supported in the ignore statement.

Table 5: Attributes That Can Be Ignored in RADIUS Access-Accept Messages

CLI Entry                        Attribute Name       Attribute Number
-------------------------------  -------------------  ------------------
framed-ip-netmask                Framed-IP-Netmask    RADIUS attribute 9
input-filter                     Ingress-Policy-Name  Juniper VSA 26–10
logical-system:routing-instance  Virtual-Router       Juniper VSA 26–1
output-filter                    Egress-Policy-Name   Juniper VSA 26–11

You use the exclude statement to configure the router to exclude the specified attributes from the specified type of RADIUS message. Not all attributes appear in all types of RADIUS messages—the CLI indicates the RADIUS message type. By default, the router includes the specified attributes in RADIUS Access-Request, Acct-On, Acct-Off, Acct-Start, and Acct-Stop messages. Table 6 lists the attributes and message types supported in the exclude statement.

Table 6: Attributes That Can Be Excluded from RADIUS Messages

CLI Entry                   Attribute Name           Attribute Number     Supported Message Type
--------------------------  -----------------------  -------------------  ----------------------------------------------------------------------------
accounting-authentic        Acct-Authentic           RADIUS attribute 45  Accounting-On, Accounting-Off
accounting-delay-time       Acct-Delay-Time          RADIUS attribute 41  Accounting-On, Accounting-Off
accounting-session-id       Acct-Session-Id          RADIUS attribute 44  Access-Request, Accounting-On, Accounting-Off, Accounting-Stop
accounting-terminate-cause  Acct-Terminate-Cause     RADIUS attribute 49  Accounting-Off
called-station-id           Called-Station-Id        RADIUS attribute 30  Access-Request, Accounting-Start, Accounting-Stop
calling-station-id          Calling-Station-Id       RADIUS attribute 31  Access-Request, Accounting-Start, Accounting-Stop
class                       Class                    RADIUS attribute 25  Accounting-Start, Accounting-Stop
dhcp-gi-address             DHCP-GI-Address          Juniper VSA 26–57    Access-Request, Accounting-Start, Accounting-Stop
dhcp-mac-address            DHCP-MAC-Address         Juniper VSA 26–56    Access-Request, Accounting-Start, Accounting-Stop
event-timestamp             Event-Timestamp          RADIUS attribute 55  Accounting-On, Accounting-Off, Accounting-Start, Accounting-Stop
framed-ip-address           Framed-IP-Address        RADIUS attribute 8   Accounting-Start, Accounting-Stop
framed-ip-netmask           Framed-IP-Netmask        RADIUS attribute 9   Accounting-Start, Accounting-Stop
input-filter                Ingress-Policy-Name      Juniper VSA 26–10    Accounting-Start, Accounting-Stop
input-gigapackets           Acct-Input-Gigapackets   Juniper VSA 26–42    Accounting-Stop
input-gigawords             Acct-Input-Gigawords     RADIUS attribute 52  Accounting-Stop
interface-description       Interface-Desc           Juniper VSA 26–53    Access-Request, Accounting-Start, Accounting-Stop
nas-identifier              NAS-Identifier           RADIUS attribute 32  Access-Request, Accounting-On, Accounting-Off, Accounting-Start, Accounting-Stop
nas-port                    NAS-Port                 RADIUS attribute 5   Access-Request, Accounting-Start, Accounting-Stop
nas-port-id                 NAS-Port-Id              RADIUS attribute 87  Access-Request, Accounting-Start, Accounting-Stop
nas-port-type               NAS-Port-Type            RADIUS attribute 61  Access-Request, Accounting-Start, Accounting-Stop
output-filter               Egress-Policy-Name       Juniper VSA 26–11    Accounting-Start, Accounting-Stop
output-gigapackets          Acct-Output-Gigapackets  Juniper VSA 26–43    Accounting-Stop
output-gigawords            Acct-Output-Gigawords    RADIUS attribute 53  Accounting-Stop
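
The following added example (not part of the original Juniper documentation) audits exported configuration lines against Table 5 and Table 6, reporting ignore and exclude statements that name an unsupported attribute or message type. It assumes full-path set commands, lowercase message-type keywords, and one attribute per exclude statement followed by its message types; the sample configuration is constructed.

```python
import re

# Message-type keywords in lowercase CLI style (an assumption of this example).
AR, ON, OFF, START, STOP = "access-request accounting-on accounting-off accounting-start accounting-stop".split()
# Table 6 of this page, grouped by the message types each CLI entry supports.
_GROUPS = {
    (ON, OFF): "accounting-authentic accounting-delay-time",
    (AR, ON, OFF, STOP): "accounting-session-id",
    (OFF,): "accounting-terminate-cause",
    (AR, START, STOP): "called-station-id calling-station-id dhcp-gi-address dhcp-mac-address "
                       "interface-description nas-port nas-port-id nas-port-type",
    (START, STOP): "class framed-ip-address framed-ip-netmask input-filter output-filter",
    (ON, OFF, START, STOP): "event-timestamp",
    (STOP,): "input-gigapackets input-gigawords output-gigapackets output-gigawords",
    (AR, ON, OFF, START, STOP): "nas-identifier",
}
EXCLUDABLE = {cli: set(t) for t, names in _GROUPS.items() for cli in names.split()}
# Table 5 of this page.
IGNORABLE = {"framed-ip-netmask", "input-filter", "logical-system:routing-instance", "output-filter"}
# Assumed statement shape: full-path "set" lines (hypothetical export format).
_STMT = re.compile(r"^set access profile (\S+) radius attributes (ignore|exclude) ([\w:-]+)(.*)$")

def audit(config_text):
    """Return (line_number, message) for statements Tables 5 and 6 do not support."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = _STMT.match(line.strip())
        if not m:
            continue
        profile, stmt, attr, rest = m.groups()
        extra = rest.replace("[", " ").replace("]", " ").split()
        if stmt == "ignore":  # every token on an ignore line is an attribute
            bad = [a for a in [attr, *extra] if a not in IGNORABLE]
            findings += [(no, f"{profile}: '{a}' is not in Table 5") for a in bad]
        elif attr not in EXCLUDABLE:
            findings.append((no, f"{profile}: '{attr}' is not in Table 6"))
        elif not extra:
            findings.append((no, f"{profile}: '{attr}' names no message type"))
        else:
            bad = [t for t in extra if t not in EXCLUDABLE[attr]]
            findings += [(no, f"{profile}: '{attr}' is not excludable from {t}") for t in bad]
    return findings

# Constructed sample configuration (not taken from a real router).
_P = "set access profile isp-bos-metro-fiber-basic radius attributes "
SAMPLE = "\n".join(_P + s for s in (
    "ignore input-filter output-filter", "ignore framed-ip-address",
    "exclude nas-port-id [ access-request accounting-stop ]",
    "exclude class access-request", "exclude input-gigawords accounting-start"))
```

Calling audit(SAMPLE) reports lines 2, 4, and 5 of the sample.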

