
RADIUS Attributes Used for Subscriber Secure Policy

Subscriber secure policy mirroring triggers are RADIUS attributes that identify a subscriber whose traffic is to be mirrored. The actual traffic mirroring session starts when the router (intercept access point) receives a RADIUS packet that contains a trigger and then applies the subscriber secure policy configuration to the appropriate interface.

The router receives subscriber secure policy triggers in the following types of RADIUS messages:

  • RADIUS Access-Accept—Used to start a mirroring session when the specified subscriber logs in.
  • RADIUS Change-of-Authorization-Request (CoA-Request)—Used to immediately begin mirroring traffic of the specified subscriber, who is already logged in.

Table 1 lists the mirroring triggers that the RADIUS server administrator adds to the RADIUS record of the subscriber whose traffic is to be mirrored. In addition, the RADIUS VSAs listed in Table 2 must be included in the mirrored subscriber’s RADIUS record.

RADIUS Attributes Used as Traffic Mirroring Triggers

Table 1 lists the subscriber secure policy mirroring triggers (RADIUS attributes) that can be present in RADIUS Access-Accept and CoA messages. The attributes identify the subscriber whose traffic is to be mirrored.

Table 1: RADIUS Attributes Used as Traffic Mirroring Triggers

  Attribute Number   Attribute Name
  [1]                User-Name
  [8]                Framed-IP-Address
  [31]               Calling-Station-ID
  [44]               Acct-Session-ID
  [87]               Nas-Port-ID

RADIUS-Based Mirroring Attributes

Table 2 lists the RADIUS VSAs that you must include in the RADIUS record of the subscriber whose traffic is to be mirrored. The VSAs carry mirroring-related information.

The AAA Service Framework uses vendor ID 4874, which is assigned to Juniper Networks by the Internet Assigned Numbers Authority (IANA).

Note: VSA 26-10 uses vendor ID 2636.

Table 2: RADIUS-Based Mirroring Attributes

  Attribute Number   Attribute Name             Description                                                      Value
  [26-10]            Juniper-User-Permissions   Information that specifies user permissions. This attribute      String
  (vendor ID 2636)                              is used only in Access-Accept packets.
  [26-58]            LI-Action                  Traffic mirroring action                                         0 = stop mirroring
                                                                                                                 1 = start mirroring
                                                                                                                 2 = no action
  [26-59]            Med-Dev-Handle             Link to which traffic mirroring is applied                       Salt-encrypted string
  [26-60]            MD-Ip-Address              IP address of mediation device to which mirrored traffic is      Salt-encrypted IP address
                                                forwarded
  [26-61]            MD-Port-Number             UDP port in the mediation device to which mirrored traffic is    Salt-encrypted integer
                                                forwarded

Considerations When Using RADIUS Attributes for Subscriber Secure Policy

When using RADIUS attributes and VSAs for the subscriber secure policy service, keep the following considerations in mind:

  • A dynamic profile must exist for a subscriber whose traffic is to be mirrored. Otherwise, the subscriber is unable to log in when the mirroring-related VSAs are received in RADIUS Access-Accept or CoA messages. See Dynamic Profiles Overview for information about dynamic profiles.
  • VSA 26-60 must always be present in the RADIUS Access-Accept or CoA message, or the instantiation of the mirroring session will fail. The presence of VSA 26-60 triggers the prepending operation—all mirrored packets must be prepended with both the UDP/IP header and the MD header.
  • VSA 26-58 (LI-Action) specifies the action taken by the router. The action differs depending on whether the VSA is received in an Access-Accept message or in a CoA message, as indicated in Table 3.

    Table 3: LI-Action VSA Action

    LI-Action Value   Access-Accept Message Action                            CoA Message Action
    0                 Prevents subscriber from logging in                     Immediately stops mirroring subscriber traffic; subscriber remains logged in
    1                 Starts mirroring subscriber traffic when subscriber     Immediately starts mirroring subscriber traffic
                      logs in
    2                 No action                                               No action

  • A VSA 26-58 value of 2 specifies that the router does not perform any traffic mirroring-related action. This setting can provide additional security by confusing unauthorized users who attempt to access traffic mirroring communication between the router and the RADIUS server.
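As an added example (not code from the Juniper documentation), the following Python checker parses RFC 2865 vendor-specific attributes from a raw RADIUS packet, picks out the Juniper (vendor ID 4874) mirroring VSAs from Table 2, interprets LI-Action per Table 3 according to whether the carrying message is an Access-Accept or a CoA-Request, and reports a missing VSA 26-60, since the mirroring session would then fail to instantiate. The salt-encrypted VSA values are carried as opaque bytes and not decoded; the sample packet, its all-zero authenticator, and the VSA values are constructed test data, and the helper names are my own.

```python
import struct

ACCESS_ACCEPT, COA_REQUEST = 2, 43              # RADIUS codes (RFC 2865, RFC 5176)
VSA, JUNIPER_VID, LI_ACTION, MD_IP_ADDRESS = 26, 4874, 58, 60   # type 26; Table 2 VSAs 26-58, 26-60
TABLE3 = {(ACCESS_ACCEPT, 0): "prevents login",
          (ACCESS_ACCEPT, 1): "starts mirroring when subscriber logs in",
          (COA_REQUEST, 0): "stops mirroring; subscriber remains logged in",
          (COA_REQUEST, 1): "starts mirroring immediately"}

def parse_radius(packet):
    """Return (code, {(vendor_id, vendor_type): value}); only RFC 2865-format VSAs are decoded."""
    code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    vsas, pos = {}, 20                           # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == VSA and alen >= 8:
            vendor, vtype, vlen = struct.unpack_from("!IBB", packet, pos + 2)
            vsas[(vendor, vtype)] = packet[pos + 8:pos + 6 + vlen]   # opaque (salt-encrypted) bytes
        pos += alen
    return code, vsas

def check_mirroring(packet):
    """Interpret LI-Action per Table 3 and enforce the 'VSA 26-60 must be present' rule."""
    code, vsas = parse_radius(packet)
    if code not in (ACCESS_ACCEPT, COA_REQUEST):
        return "not a trigger-carrying message"
    action = vsas.get((JUNIPER_VID, LI_ACTION))
    if action is None:
        return "no LI-Action VSA"
    value = struct.unpack("!I", action)[0]       # RADIUS integer attribute, 4 bytes
    if value == 2:
        return "no action"
    if (JUNIPER_VID, MD_IP_ADDRESS) not in vsas:
        return "error: VSA 26-60 missing, mirroring session will not instantiate"
    return TABLE3.get((code, value), "unknown LI-Action value %d" % value)

def vsa(vendor, vtype, value):                   # encode one RFC 2865 vendor-specific attribute
    inner = struct.pack("!BB", vtype, len(value) + 2) + value
    return struct.pack("!BBI", VSA, len(inner) + 6, vendor) + inner

def radius_packet(code, *attrs):                 # constructed packet: identifier 1, zero authenticator
    body = b"".join(attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed CoA-Request: LI-Action = 1 plus an opaque stand-in for the salt-encrypted 26-60 value.
SAMPLE_COA = radius_packet(COA_REQUEST, vsa(JUNIPER_VID, LI_ACTION, struct.pack("!I", 1)),
                           vsa(JUNIPER_VID, MD_IP_ADDRESS, bytes.fromhex("0102030405060708")))
```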

Published: 2009-07-16
