RADIUS Authentication and Accounting Servers Configuration Overview

Initially, a RADIUS client sends a request to a RADIUS authentication or accounting server. The RADIUS server uses the configured IP address, the UDP port number, and the secret key to make the connection. The RADIUS client waits for a response for a configurable timeout period and then retransmits the request. The RADIUS client retransmits the request for a user-configurable retry limit.

For example, suppose that you have configured the following authentication servers: Auth1, Auth2, Auth3, Auth4, and Auth5. Your router attempts to send an authentication request to Auth1. If Auth1 is unavailable, the router submits the request to Auth2, then Auth3, and so on until an available server is found. If Auth5, the last configured authentication server, is not available, the router attempts the next method in the methods list. If the only method configured is RADIUS, then the router notifies the client that the request has been denied.

Note:

  • The number of RADIUS servers you can configure depends on available memory.
  • The order in which you configure servers determines the order in which the router contacts those servers on behalf of clients.

The following sections explain how to configure RADIUS authentication and accounting servers:

Server Access

The router offers two options by which servers are accessed:

Use the radius algorithm command to specify the server access method.

When you configure the first RADIUS accounting server, a RADIUS Acct-On message is sent. When you delete the last accounting server, a RADIUS Acct-Off message is sent.

Server Request Processing Limit

You can configure RADIUS authentication servers and accounting servers to use different UDP ports on the router. This enables the same IP address to be used for both an authentication server and an accounting server. However, you cannot use the same IP address for multiple authentication servers or for multiple accounting servers.

Note: For information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers, see JunosE Release Notes, Appendix A, System Maximums.

The E Series router listens to a range of UDP source (or local) ports for RADIUS responses. Each UDP source port supports a maximum of 255 RADIUS requests. When the 255 per-port limit is reached, the router opens the next source port. When the max-sessions command limit is reached, the router submits the request to the next configured server.

Table 5 lists the range of UDP ports the router uses for each type of RADIUS request.

Table 5: Local UDP Port Ranges by RADIUS Request Type

RADIUS Request Type        ERX310, ERX710, ERX1410, and E120    ERX1440 and E320
                           Broadband Services Routers           Broadband Services Routers
RADIUS authentication      50000–50124                          50000–50124
RADIUS accounting          50125–50249                          50125–50499
RADIUS preauthentication   50250–50374                          50500–50624
RADIUS route-download      50375–50500                          50625–50749
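The following is an added example, not JunosE code, that models the local source-port pool described above: it takes the ranges from Table 5, fills each source port with up to 255 outstanding requests before opening the next one, and reports when a per-server max-sessions limit is reached so the caller can submit the request to the next configured server. The platform keys, the max_sessions values and the request counts are constructed for illustration.

```python
# Added example (not JunosE code): local UDP source-port allocation for
# RADIUS requests, following Table 5 and the per-port / max-sessions rules.
from typing import Dict, Optional, Tuple

# Ranges from Table 5; platform keys are constructed labels for the two
# router groups (ERX310/ERX710/ERX1410/E120 versus ERX1440/E320).
PORT_RANGES: Dict[str, Dict[str, Tuple[int, int]]] = {
    "authentication":    {"erx310": (50000, 50124), "erx1440": (50000, 50124)},
    "accounting":        {"erx310": (50125, 50249), "erx1440": (50125, 50499)},
    "preauthentication": {"erx310": (50250, 50374), "erx1440": (50500, 50624)},
    "route-download":    {"erx310": (50375, 50500), "erx1440": (50625, 50749)},
}
REQUESTS_PER_PORT = 255   # stated per-port limit


class SourcePortPool:
    """Source-port pool for one request type on one platform group, toward one server."""

    def __init__(self, request_type: str, platform: str, max_sessions: int) -> None:
        self.first, self.last = PORT_RANGES[request_type][platform]
        self.max_sessions = max_sessions          # assumed per-server limit (max-sessions command)
        self.outstanding: Dict[int, int] = {}     # source port -> in-flight request count

    def in_flight(self) -> int:
        return sum(self.outstanding.values())

    def allocate(self) -> Optional[int]:
        """Return the source port for a new request, or None when the request
        must go to the next configured server (max-sessions or range exhausted)."""
        if self.in_flight() >= self.max_sessions:
            return None
        # Fill the lowest open port first; open the next port only at 255.
        for port in range(self.first, self.last + 1):
            if self.outstanding.get(port, 0) < REQUESTS_PER_PORT:
                self.outstanding[port] = self.outstanding.get(port, 0) + 1
                return port
        return None

    def release(self, port: int) -> None:
        """A response (or final timeout) frees the slot on its source port."""
        if self.outstanding.get(port, 0) > 0:
            self.outstanding[port] -= 1
```

The ranges are also what a firewall between the router and its RADIUS servers must allow for returning responses, which is the practical reason to keep the table at hand.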

Authentication and Accounting Methods

When you configure authentication, authorization, and accounting (AAA) services for your B-RAS environment, one important task is to specify the authentication and accounting method used. The JunosE Software gives you the flexibility to configure authentication or accounting methods based on the type of subscriber. This feature allows you to enable RADIUS authentication for some subscribers, while disabling authentication completely for other subscribers. Similarly, you can enable RADIUS accounting for some subscribers, but no accounting for others. For example, you might use RADIUS authentication for ATM 1483 subscribers, while granting IP subscriber management interfaces access without authentication (using the none keyword).

You can specify the authentication or accounting method you want to use, or you can specify multiple methods in the order in which you want them used. For example, if you specify the radius keyword followed by the none keyword when configuring authentication, AAA initially attempts to use RADIUS authentication. If no RADIUS servers are available, AAA uses no authentication. The JunosE Software currently supports radius and none as accounting methods and radius, none, and local as authentication methods. See Local Authentication Servers Configuration Overview for information about local authentication.
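The following is an added example, not JunosE code, that simulates the server failover described at the start of this overview (Auth1, Auth2, ... tried in configured order with a retry limit) together with the method-list fallback described here (radius followed by none). Each server is modelled by a constructed callable returning True for Access-Accept, False for Access-Reject, or None for no reply before the timeout; the local method is not modelled.

```python
# Added example (not JunosE code): RADIUS server failover and AAA method-list
# fallback. Servers and their reply behaviour below are constructed.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RadiusServer:
    name: str
    reply: Callable[[], Optional[bool]]   # True=accept, False=reject, None=timeout


def try_server(server: RadiusServer, retry_limit: int) -> Optional[bool]:
    """Send once, then retransmit up to retry_limit times while no reply arrives."""
    for _ in range(retry_limit + 1):
        result = server.reply()
        if result is not None:            # accept or reject ends the exchange
            return result
    return None                           # server unavailable after all retries


def radius_authenticate(servers: List[RadiusServer], retry_limit: int) -> Optional[bool]:
    """Contact servers in configured order; stop at the first one that answers."""
    for server in servers:
        result = try_server(server, retry_limit)
        if result is not None:
            return result
    return None                           # every configured server was unavailable


def aaa_authenticate(methods: List[str], servers: List[RadiusServer],
                     retry_limit: int = 3) -> bool:
    """Apply the method list in order. A later method is used only when the
    earlier one could not answer; a reject from a reachable server is final."""
    for method in methods:
        if method == "radius":
            result = radius_authenticate(servers, retry_limit)
            if result is not None:
                return result
        elif method == "none":
            return True                   # 'none' always grants access
        else:
            raise ValueError(f"unsupported method: {method}")
    return False                          # no method could answer: request denied


def replies_after(timeouts: int, answer: bool) -> Callable[[], Optional[bool]]:
    """Constructed server behaviour: time out `timeouts` times, then answer."""
    state = {"left": timeouts}
    def reply() -> Optional[bool]:
        if state["left"] > 0:
            state["left"] -= 1
            return None
        return answer
    return reply
```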

You can configure authentication and accounting methods based on the following types of subscribers:

Supporting Exchange of Extensible Authentication Protocol Messages

Extensible Authentication Protocol (EAP) is a protocol that supports multiple methods for authenticating a peer before allowing network layer protocols to transmit over the link. JunosE Software supports the exchange of EAP messages between JunosE applications, such as PPP, and an external RADIUS authentication server.

The JunosE Software’s AAA service accepts and passes EAP messages between the JunosE application and the router’s internal RADIUS authentication server. The internal RADIUS authentication server, which is a RADIUS client, provides EAP pass-through—the RADIUS client accepts the EAP messages from AAA, and sends the messages to the external RADIUS server for authentication. The RADIUS client then passes the response from the external RADIUS authentication server back to the AAA service, which then sends a response to the JunosE application. The AAA service and the internal RADIUS authentication service do not process EAP information—both simply act as pass-through devices for the EAP message.

The router’s local authentication server and TACACS+ authentication servers do not support the exchange of EAP messages. These types of servers deny access if they receive an authentication request from AAA that includes an EAP message. EAP messages do not affect the none authentication configuration, which always grants access.

The local RADIUS authentication server uses the following RADIUS attributes when exchanging EAP messages with the external RADIUS authentication server:

For additional information on configuring PPP to use EAP authentication, see JunosE Link Layer Configuration Guide.

Immediate Accounting Updates

You can use the aaa accounting immediate-update command to configure immediate accounting updates on a per-VR basis. If you enable this feature, the E Series router sends an Acct-Update message to the accounting server immediately on receipt of a response (ACK or timeout) to the Acct-Start message.

This feature is disabled by default. Use the enable keyword to enable immediate updates and the disable keyword to halt them.

The accounting update contains 0 (zero) values for the input/output octets/packets and 0 (zero) for uptime. If you have enabled duplicate or broadcast accounting, the accounting update goes to both the primary virtual router context and the duplicate or broadcast virtual router context.

Interim Accounting Updates

You can use the aaa accounting interim-update command to enable or disable the interim user accounting updates feature on a per-virtual router basis. If you enable this feature, AAA periodically sends an Interim-Acct request at a configured user accounting interval to a primary accounting server. You can use the aaa user accounting interval command to configure the user accounting interval. When the user accounting interval is not configured (by default, the interval is set to zero), AAA does not send the Interim-Acct request to the primary accounting server even if the interim user accounting updates feature is enabled.

The interim user accounting updates feature is enabled by default. You can use the disable keyword with the aaa accounting interim-update command to disable the interim user accounting updates feature, which disables sending of the Interim-Acct request even though the user accounting interval is configured. You can use the enable keyword with the aaa accounting interim-update command or the no version of the aaa accounting interim-update command to enable the interim accounting updates feature.

Duplicate and Broadcast Accounting

Normally, the JunosE Software sends subscriber-related AAA accounting information to the virtual router that authenticates the subscriber. If an operational virtual router is configured that is different from the authenticating virtual router, it also receives the accounting information. You can optionally configure duplicate or broadcast AAA accounting, which sends the accounting information to additional virtual routers simultaneously. The accounting information is always sent to the authenticating virtual router. The accounting information is sent to the operational virtual router only if duplicate accounting is not enabled and the authenticating virtual router is different from the operational virtual router.

Both the duplicate and broadcast accounting features are supported on a per-virtual router context, and enable you to specify particular accounting servers that you want to receive the accounting information.

For example, you might use broadcast accounting to send accounting information to a group of your private accounting servers. Or you might use duplicate accounting to send the accounting information to a customer’s accounting server.

UDP Checksums

Each virtual router on which you configure B-RAS is enabled to perform UDP checksums by default. You can disable and reenable UDP checksums.
