[an error occurred while processing this directive] [an error occurred while processing this directive]

Configuring RADIUS Server Parameters for Subscriber Access

Include the radius statement at the [edit access profile profile-name] hierarchy level to specify the RADIUS parameters for the subscriber access manager feature. You can specify the IP addresses of the RADIUS servers used for authentication and accounting, options that provide configuration information for the RADIUS servers, and how RADIUS attributes are used.

Specifying RADIUS Authentication and Accounting Servers for Subscriber Access

You can specify one or more RADIUS authentication or accounting servers to use for subscriber access management.

To configure RADIUS authentication and accounting support:

  1. Specify that you want to configure RADIUS support.
    [edit access profile isp-bos-metro-fiber-basic]
    user@host# edit radius
  2. Specify the IP address of the RADIUS server used for authentication.
    [edit access profile isp-bos-metro-fiber-basic radius]
    user@host# set authentication-server 192.168.1.251
  3. Specify the IP address of the RADIUS server used for accounting.
    [edit access profile isp-bos-metro-fiber-basic radius]
    user@host# set accounting-server 192.168.1.250

To configure multiple RADIUS authentication or accounting servers:

  • Specify the IP addresses of all RADIUS servers used for authentication or accounting.
    [edit access profile isp-bos-metro-fiber-basic radius]
    user@host# set authentication-server 192.168.1.251 192.168.1.252
    user@host# set accounting-server 192.168.1.250 192.168.1.251

Configuring RADIUS Server Options for Subscriber Access

You can configure a variety of options used by the RADIUS authentication and accounting servers.

To configuradius-serverre RADIUS authentication and accounting server options:

  1. Specify that you want to configure RADIUS.
    [edit access profile isp-bos-metro-fiber-basic]
    user@host# edit radius
  2. Specify that you want to configure RADIUS options.
    [edit access profile isp-bos-metro-fiber-basic radius]
    user@host# edit options
  3. (Optional) Configure the format the router uses to identify the accounting session. You can specify either decimal or description. The router uses decimal format by default.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set accounting-session-id-format decimal
  4. (Optional) Configure the router to use a port type of virtual to authenticate clients. The port type is passed in RADIUS attribute 61 (NAS-Port-Type). By default, the router passes a port type of ethernet in RADIUS attribute 61.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set ethernet-port-type-virtual
  5. (Optional) Specify the information that is included in or omitted from the interface description that the router passes to RADIUS for inclusion in RADIUS attribute 87 (NAS-Port-Id). By default, the router includes both the subinterface and the adapter in the interface description.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set interface-description-format adapter
  6. (Optional) Configure the value for the client RADIUS attribute 32 (NAS-Identifier), which is used for authentication and accounting requests. You can specify a string in the range 1 to 64 characters.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set nas-identifier 56
  7. (Optional) Configure the RADIUS client to use the extended format for RADIUS attribute 5 (NAS-Port) and specify one of the following options for the width of the fields in the NAS-Port attribute:
    • adapter-width width—Number of bits in the adapter field.
    • port-width width—Number of bits in the port field.
    • slot-width width—Number of bits in the slot field.
    • stacked-vlan-width width—Number of bits in the SVLAN ID field.
    • vlan-width width—Number of bits in the VLAN ID field.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set nas-port-extended-format 16
  8. (Optional) Configure the number of seconds that the router waits after a server has become unreachable. The router rechecks the connection to the server when the revert-interval expires. If the server is then reachable, it is used in accordance with the order of the server list.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set revert-interval port-width 1200
  9. (Optional) Specify that RADIUS attribute 5 (NAS-Port) includes the S-VLAN ID, in addition to the VLAN ID, for subscribers on Ethernet interfaces.
    [edit access profile isp-bos-metro-fiber-basic radius options]
    user@host# set vlan-nas-port-stacked-format

Configuring How RADIUS Attributes Are Used for Subscriber Access

You can specify the attributes RADIUS ignores in RADIUS Access-Accept messages, and the attributes RADIUS excludes from specified message types.

To configure the attributes RADIUS ignores or excludes:

  1. Specify that you want to configure RADIUS.
    [edit access profile isp-bos-metro-fiber-basic]
    user@host# edit radius
  2. Specify that you want to configure how RADIUS attributes are ignored or excluded.
    [edit access profile isp-bos-metro-fiber-basic radius]
    user@host# edit attributes
  3. Specify the attributes you want RADIUS to ignore when the attributes are in Access-Accept messages. See Table 1 for the attributes you can configure.
    [edit access profile isp-bos-metro-fiber-basic radius attributes]
    user@host# set ignore input-filter output-filter
  4. Configure RADIUS to exclude the specified attribute from the specified RADIUS message type. See Table 2 for the attributes and message type combinations you can configure.
    [edit access profile isp-bos-metro-fiber-basic radius attributes]
    user@host# set exclude input-filter output-filter

You use the ignore statement to configure the router to ignore a particular attribute in RADIUS Access-Accept messages. By default, the router processes the attributes received from the external AAA server. Table 1 lists the attributes supported in the ignore statement.

Table 1: Attributes That Can Be Ignored in RADIUS Accept-Accept Messages

CLI Entry

Attibute Name

Attribute Number

framed-ip-netmask

Framed-Ip-Netmask

RADIUS attribute 9

input-filter

Ingress-Policy-Name

Juniper VSA 26–10

logical-system:routing-instance

Virtual-Router

Juniper VSA 26–1

output-filter

Egress-Policy-Name

Juniper VSA 26–11

You use the exclude statement to configure the router to exclude the specified attributes from the specified type of RADIUS message. Not all attributes appear in all types of RADIUS messages—the CLI indicates the RADIUS message type. By default, the router includes the specified attributes in RADIUS Access-Request, Acct-On, Acct-Off, Acct-Start, and Acct-Stop messages. Table 2 lists the attributes and message types supported in the exclude statement.

Table 2: Attributes That Can Be Excluded from RADIUS Messages

CLI Entry

Attibute Name

Attribute Number

Supported Message Type

accounting-authentic

Acct-Authentic

RADIUS attribute 45

Accounting-On

Accounting-Off

accounting-delay-time

Acct-Delay-Time

RADIUS attribute 41

Accounting-On

Accounting-Off

accounting-session-id

Acct-Session-Id

RADIUS attribute 44

Access-Request

Accounting-On

Accounting-Off

Accounting-Stop

accounting-terminate-cause

Acct-Terminate-Cause

RADIUS attribute 49

Accounting-Off

called-station-id

Called-Station-Id

RADIUS attribute 30

Access-Request

Accounting-Start

Accounting-Stop

calling-station-id

Calling-Station-Id

RADIUS attribute 31

Access-Request

Accounting-Start

Accounting-Stop

class

Class

RADIUS attribute 25

Accounting-Start

Accounting-Stop

dhcp-gi-address

DHCP-GI-Address

Juniper VSA 26–57

Access-Request

Accounting-Start

Accounting-Stop

dhcp-mac-address

DHCP-MAC-Address

Juniper VSA 26–56

Access-Request

Accounting-Start

Accounting-Stop

event-timestamp

Event-Timestamp

RADIUS attribute 55

Accounting-On

Accounting-Off

Accounting-Start

Accounting-Stop

framed-ip-address

Framed-IP-Address

RADIUS attribute 8

Accounting-Start

Accounting-Stop

framed-ip-netmask

Framed-IP-Netmask

RADIUS attribute 9

Accounting-Start

Accounting-Stop

input-filter

Ingress-Policy-Name

Juniper VSA 26–10

Accounting-Start

Accounting-Stop

input-gigapackets

Acct-Input-Gigapackets

Juniper VSA 26–42

Accounting-Stop

input-gigawords

Acct-Input-Gigawords

RADIUS attribute 52

Accounting-Stop

interface-description

Interface-Desc

Juniper VSA 26–53

Access-Request

Accounting-Start

Accounting-Stop

nas-identifier

NAS-Identifier

RADIUS attribute 32

Access-Request

Accounting-on

Accounting-off

Accounting-Start

Accounting-Stop

nas-port

NAS-Port

RADIUS attribute 5

Access-Request

Accounting-Start

Accounting-Stop

nas-port-id

NAS-Port_Id

RADIUS attribute 87

Access-Request

Accounting-Start

Accounting-Stop

nas-port-type

NAS-Port-Type

RADIUS attribute 61

Access-Request

Accounting-Start

Accounting-Stop

output-filter

Egress-Policy-Name

Juniper VSA 26–11

Accounting-Start

Accounting-Stop

ouput-gigapackets

Acct-Output-Gigapackets

Juniper VSA 26–43

Accounting-Stop

output-gigawords

Acct-Output-Gigawords

RADIUS attribute 53

Accounting-Stop

Published: 2009-07-16

[an error occurred while processing this directive]