Interaction with RADIUS for ICR

Authorization and authentication access messages identify subscribers before the RADIUS server grants or denies those subscribers access to the network or network services. When an application requests user authentication, the request must have certain authenticating attributes, such as a user’s name, password, and the particular type of service the user is requesting. This information is sent in the authentication request via the RADIUS protocol to the RADIUS server. In response, the RADIUS server grants or denies the request.

JunosE Software supports certain RADIUS vendor-specific attributes (VSAs) that define specific authentication, authorization, and accounting elements in a user’s profile. The profile is stored on the RADIUS server. RADIUS messages contain RADIUS attributes to communicate information between an E Series Broadband Services Router and the RADIUS server. For complete information on VSAs, see Configuring RADIUS Attributes in the JunosE Broadband Access Configuration Guide. JunosE Software Release 10.3.x and later supports the ICR-Partition-Id VSA [26-150]. You can use this VSA to collect information on the ICR partition configured on the VLAN or S-VLAN subinterface on which subscribers are logged in.

You can include an ICR-Partition-Id vendor-specific attribute (VSA) in the following RADIUS messages:

Note: For more information about the ICR partition accounting messages, see the Configuring RADIUS Attributes chapter in the JunosE Broadband Access Configuration Guide.

Determining the ICR partition is useful for accounting and authentication of subscribers in RADIUS messages.

Use the ICR-Partition-Id VSA to determine the ICR partition on which subscribers are logged in. You can configure the same ICR-Partition-Id string for an active ICR partition and its corresponding backup partition.

To include ICR-Partition-Id in RADIUS Access-Request, Acct-Start, and Acct-Stop messages, specify the ICR-Partition-Id attribute in the radius include command. When the attribute is included in Acct-Stop messages, it is also included in Interim-Acct messages.
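On the receiving side, an accounting collector can recover the partition from these messages by walking the attribute list and decoding VSA [26-150]. The following is an added example, not code from JunosE or from this guide. It assumes the RFC 2865 vendor-specific layout and that JunosE VSAs carry enterprise number 4874; the function names, the user name, and the partition string "icr-part-1" are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type carrying VSAs (RFC 2865)
ACCT_STATUS_TYPE = 40       # Acct-Status-Type (RFC 2866)
JUNOSE_VENDOR_ID = 4874     # assumption: enterprise number in JunosE VSAs
ICR_PARTITION_ID = 150      # vendor type from the page: VSA [26-150]
ACCT_STATUS = {1: "Acct-Start", 2: "Acct-Stop", 3: "Interim-Acct"}

def build_packet(code, attrs):
    """Constructed sample packet; the zeroed authenticator is not valid on a real server."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, 1, 20 + len(body), bytes(16)) + body

def vsa(vendor, vtype, value):
    return VENDOR_SPECIFIC, struct.pack("!IBB", vendor, vtype, len(value) + 2) + value

def icr_partition_id(packet):
    """Return (message name, ICR-Partition-Id or None); ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    name = {1: "Access-Request", 4: "Accounting-Request"}.get(code, f"code {code}")
    pos, partition = 20, None
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        atype, value, pos = packet[pos], packet[pos + 2:pos + alen], pos + alen
        if code == 4 and atype == ACCT_STATUS_TYPE and len(value) == 4:
            status = struct.unpack("!I", value)[0]
            name = ACCT_STATUS.get(status, f"Accounting-Request status {status}")
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != JUNOSE_VENDOR_ID:
            continue                      # vendor type 150 under another vendor is unrelated
        sub = value[4:]                   # a VSA may pack several sub-attributes
        while sub:
            if len(sub) < 2 or not 2 <= sub[1] <= len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if sub[0] == ICR_PARTITION_ID:
                partition = sub[2:sub[1]].decode("utf-8", "replace")
            sub = sub[sub[1]:]
    return name, partition

# Constructed samples: the user name and partition strings are made up.
START = build_packet(4, [(1, b"sub1"), (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
                         vsa(JUNOSE_VENDOR_ID, ICR_PARTITION_ID, b"icr-part-1")])
OTHER_VENDOR = build_packet(1, [vsa(9, ICR_PARTITION_ID, b"not-icr")])
```

The parser checks the vendor ID before the vendor type, so an unrelated vendor's attribute 150 is never reported as an ICR partition, and it rejects packets whose length fields do not add up instead of reading past them.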

In addition to including the ICR-Partition-Id VSA in RADIUS Access-Request, Acct-Start, Acct-Stop, and Interim-Acct messages, the router also sends the Partition-Accounting-On and Partition-Accounting-Off messages:

Both Partition-Accounting messages include the ICR-Partition-Id VSA. Both messages are sent to the RADIUS accounting server configured on the virtual router where the ICR partition is configured or on the virtual router on which the corresponding ICR interface is configured.

You can optionally configure duplicate or broadcast AAA accounting on a virtual router, which sends the accounting information to additional virtual routers simultaneously, so that the Partition-Accounting-On and Partition-Accounting-Off messages can also be sent to the duplicate and broadcast virtual routers.

ICR Partition Accounting Overview

To enable or disable sending of the ICR Partition-Accounting-On or Partition-Accounting-Off messages to the RADIUS servers, use the radius icr-partition-accounting command.

The transition of the ICR partition states from master to backup and backup to master can occur because of chassis failure, an administrative switchover, or an interface or line module reset action. The following scenarios describe how ICR partition accounting messages are processed and subscriber logging is handled:

