    RADIUS Authentication and Accounting Servers Configuration Overview

    Initially, a RADIUS client sends a request to a RADIUS authentication or accounting server. The request is sent to the server's configured IP address and UDP port number and is protected with the configured shared secret. The RADIUS client waits for a response for a configurable timeout period and then retransmits the request. The RADIUS client retransmits the request up to a user-configurable retry limit.

    • If there is no response from the primary RADIUS server, the RADIUS client submits the request to the secondary RADIUS server using the timeout period and retry limit configured for the secondary RADIUS server.
    • If the connection attempt fails for the secondary RADIUS server, the router submits the request to the tertiary server and so on until it either is granted access on behalf of the client or there are no more configured servers.
    • If another authentication server is not configured, the router attempts the next method in the method list; for accounting server requests, the information is dropped.

    For example, suppose that you have configured the following authentication servers: Auth1, Auth2, Auth3, Auth4, and Auth5. Your router attempts to send an authentication request to Auth1. If Auth1 is unavailable, the router submits the request to Auth2, then Auth3, and so on until an available server is found. If Auth5, the last configured authentication server, is not available, the router attempts the next method in the methods list. If the only method configured is RADIUS, then the router notifies the client that the request has been denied.

    Note:

    • The number of RADIUS servers you can configure depends on available memory.
    • The order in which you configure servers determines the order in which the router contacts those servers on behalf of clients.

    The following sections explain how to configure RADIUS authentication and accounting servers:

    Server Access

    The router offers two options by which servers are accessed:

    • Direct—The first authentication or accounting server that you configure is treated as the primary authentication or accounting server, the next server configured is the secondary, and so on.
    • Round-robin—The router sends the initial request to the first configured authentication or accounting server, the next request to the second configured server, and so on until the last configured server. After sending the request to the last configured server, the router again starts this cycle from the first configured server.

    Use the radius algorithm command to specify the server access method.
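    The following Python model, added here as an illustration and not part of the JunosE software, walks the server list and method list exactly as the failover description above and the direct/round-robin access methods describe: per-server timeout and retry limit, fall-through to the next configured server, then to the next method (radius followed by none), and denial when only RADIUS is configured and no server answers. Server names, timeouts and the send callback are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class RadiusServer:
    name: str
    timeout: float  # seconds to wait for a reply before retransmitting
    retry: int      # retransmissions allowed after the first attempt


class RadiusClient:
    """Models how the router walks its configured server list and method list."""

    def __init__(self, servers: List[RadiusServer], algorithm: str = "direct",
                 methods: Tuple[str, ...] = ("radius",)):
        self.servers = servers
        self.algorithm = algorithm  # "direct" or "round-robin" (radius algorithm command)
        self.methods = methods      # method list, e.g. ("radius", "none")
        self._cursor = 0            # round-robin starting point for the next request

    def _server_order(self) -> List[RadiusServer]:
        # Direct: primary, secondary, tertiary ... in configuration order.
        if self.algorithm != "round-robin":
            return list(self.servers)
        # Round-robin: each new request starts one server further along the list.
        start = self._cursor
        self._cursor = (self._cursor + 1) % len(self.servers)
        return self.servers[start:] + self.servers[:start]

    def authenticate(self, send: Callable[[RadiusServer], Optional[str]]):
        """send(server) returns "accept", "reject", or None when no reply arrives.
        Returns (decision, trace, seconds_waited); trace lists (server, attempt)."""
        trace, waited = [], 0.0
        for method in self.methods:
            if method == "none":        # none: grant access without authenticating
                return "accept", trace, waited
            if method != "radius":      # e.g. local: not modelled in this example
                continue
            for server in self._server_order():
                for attempt in range(1 + server.retry):
                    trace.append((server.name, attempt))
                    reply = send(server)
                    if reply is not None:   # any answer from a server ends the search
                        return reply, trace, waited
                    waited += server.timeout  # timed out: retransmit, then move on
        # Every method exhausted: the client is told the request is denied.
        return "reject", trace, waited
```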

    When you configure the first RADIUS accounting server, a RADIUS Acct-On message is sent. When you delete the last accounting server, a RADIUS Acct-Off message is sent.

    Server Request Processing Limit

    You can configure RADIUS authentication servers and accounting servers to use different UDP ports on the router. This enables the same IP address to be used for both an authentication server and an accounting server. However, you cannot use the same IP address for multiple authentication servers or for multiple accounting servers.

    Note: For information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers, see JunosE Release Notes, Appendix A, System Maximums.

    The E Series router listens to a range of UDP source (or local) ports for RADIUS responses. Each UDP source port supports a maximum of 255 RADIUS requests. When the 255 per-port limit is reached, the router opens the next source port. When the max-sessions command limit is reached, the router submits the request to the next configured server.

    Table 1 lists the range of UDP ports the router uses for each type of RADIUS request.

    Table 1: Local UDP Port Ranges by RADIUS Request Type

    RADIUS Request Type        ERX310, ERX710, ERX1410,     ERX1440 and E320
                               and E120 Broadband           Broadband Services
                               Services Routers             Routers
    -------------------------  ---------------------------  --------------------
    RADIUS authentication      50000–50124                  50000–50124
    RADIUS accounting          50125–50249                  50125–50499
    RADIUS preauthentication   50250–50374                  50500–50624
    RADIUS route-download      50375–50500                  50625–50749

    Authentication and Accounting Methods

    When you configure authentication, authorization, and accounting (AAA) services for your B-RAS environment, one important task is to specify the authentication and accounting method used. The JunosE Software gives you the flexibility to configure authentication or accounting methods based on the type of subscriber. This feature allows you to enable RADIUS authentication for some subscribers, while disabling authentication completely for other subscribers. Similarly, you can enable RADIUS accounting for some subscribers, but no accounting for others. For example, you might use RADIUS authentication for ATM 1483 subscribers, while granting IP subscriber management interfaces access without authentication (using the none keyword).

    You can specify the authentication or accounting method you want to use, or you can specify multiple methods in the order in which you want them used. For example, if you specify the radius keyword followed by the none keyword when configuring authentication, AAA initially attempts to use RADIUS authentication. If no RADIUS servers are available, AAA uses no authentication. The JunosE Software currently supports radius and none as accounting methods and radius, none, and local as authentication methods. See Local Authentication Servers Configuration Overview for information about local authentication.

    You can configure authentication and accounting methods based on the following types of subscribers:

    • ATM 1483
    • Tunnels (for example, L2TP tunnels)
    • Point-to-Point Protocol (PPP)
    • RADIUS relay server
    • IP subscriber management interfaces

      Note: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JunosE Software’s subscriber management feature.

    Supporting Exchange of Extensible Authentication Protocol Messages

    Extensible Authentication Protocol (EAP) is a protocol that supports multiple methods for authenticating a peer before allowing network layer protocols to transmit over the link. JunosE Software supports the exchange of EAP messages between JunosE applications, such as PPP, and an external RADIUS authentication server.

    The JunosE Software’s AAA service accepts and passes EAP messages between the JunosE application and the router’s internal RADIUS authentication server. The internal RADIUS authentication server, which is a RADIUS client, provides EAP pass-through—the RADIUS client accepts the EAP messages from AAA, and sends the messages to the external RADIUS server for authentication. The RADIUS client then passes the response from the external RADIUS authentication server back to the AAA service, which then sends a response to the JunosE application. The AAA service and the internal RADIUS authentication service do not process EAP information—both simply act as pass-through devices for the EAP message.

    The router’s local authentication server and TACACS+ authentication servers do not support the exchange of EAP messages. These types of servers deny access if they receive an authentication request from AAA that includes an EAP message. EAP messages do not affect the none authentication configuration, which always grants access.

    The local RADIUS authentication server uses the following RADIUS attributes when exchanging EAP messages with the external RADIUS authentication server:

    • Framed-MTU (attribute 12)—Used if AAA passes an MTU value to the internal RADIUS client
    • State (attribute 24)—Used in Challenge-Response messages from the external server and returned to the external server on the subsequent Access-Request
    • Session-Timeout (attribute 27)—Used in Challenge-Response messages from the external server
    • EAP-Message (attribute 79)—Used to fragment EAP strings into 253-byte fragments (the RADIUS limit)
    • Message-Authenticator (attribute 80)—Used to authenticate messages that include an EAP-Message attribute

    For additional information on configuring PPP to use EAP authentication, see JunosE Link Layer Configuration Guide.
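    As an added illustration (not JunosE code), the following Python builds an Access-Request that carries one EAP packet fragmented into 253-byte EAP-Message (attribute 79) values and a Message-Authenticator (attribute 80) computed as HMAC-MD5 over the packet with the shared secret, as RFC 3579 specifies, and shows the receiver-side check that either end of the pass-through should apply before trusting an EAP exchange. The secret, Request Authenticator and sample EAP payload are constructed for the example.

```python
import hmac, hashlib, struct
from typing import List, Tuple

ACCESS_REQUEST = 1
EAP_MESSAGE = 79             # attribute 79
MESSAGE_AUTHENTICATOR = 80   # attribute 80
MAX_VALUE_LEN = 253          # 1-byte attribute length (max 255) minus 2 header bytes


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def fragment_eap(eap_packet: bytes) -> List[bytes]:
    """Split one EAP packet into EAP-Message values of at most 253 bytes."""
    return [eap_packet[i:i + MAX_VALUE_LEN] for i in range(0, len(eap_packet), MAX_VALUE_LEN)]


def build_access_request(identifier: int, request_authenticator: bytes,
                         eap_packet: bytes, secret: bytes) -> bytes:
    """Access-Request carrying EAP-Message fragments and a Message-Authenticator."""
    attrs = b"".join(attr(EAP_MESSAGE, f) for f in fragment_eap(eap_packet))
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # HMAC-MD5 over the whole packet
    return packet[:-16] + mac


def parse_attrs(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, offset, value) per attribute; reject truncated or bad lengths."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length at offset %d" % pos)
        out.append((t, pos, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver's check: recompute the HMAC with attribute 80 zeroed and compare."""
    for t, off, value in parse_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # an EAP-Message without a Message-Authenticator must be discarded


def reassemble_eap(packet: bytes) -> bytes:
    return b"".join(v for t, _, v in parse_attrs(packet) if t == EAP_MESSAGE)
```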

    Immediate Accounting Updates

    You can use the aaa accounting immediate-update command to configure immediate accounting updates on a per-VR basis. If you enable this feature, the E Series router sends an Acct-Update message to the accounting server immediately on receipt of a response (ACK or timeout) to the Acct-Start message.

    This feature is disabled by default. Use the enable keyword to enable immediate updates and the disable keyword to halt them.

    The accounting update contains 0 (zero) values for the input/output octets/packets and 0 (zero) for uptime. If you have enabled duplicate or broadcast accounting, the accounting update goes to both the primary virtual router context and the duplicate or broadcast virtual router context.

    Interim Accounting Updates

    You can use the aaa accounting interim-update command to enable or disable the interim user accounting updates feature on a per-virtual router basis. If you enable this feature, AAA periodically sends an Interim-Acct request at a configured user accounting interval to a primary accounting server. You can use the aaa user accounting interval command to configure the user accounting interval. When the user accounting interval is not configured (by default, the interval is set to zero), AAA does not send the Interim-Acct request to the primary accounting server even if the interim user accounting updates feature is enabled.

    The interim user accounting updates feature is enabled by default. You can use the disable keyword with the aaa accounting interim-update command to disable the interim user accounting updates feature, which disables sending of the Interim-Acct request even though the user accounting interval is configured. You can use the enable keyword with the aaa accounting interim-update command or the no version of the aaa accounting interim-update command to enable the interim accounting updates feature.

    Duplicate and Broadcast Accounting

    Normally, the JunosE Software sends subscriber-related AAA accounting information to the virtual router that authenticates the subscriber. If an operational virtual router is configured that is different from the authenticating virtual router, it also receives the accounting information. You can optionally configure duplicate or broadcast AAA accounting, which sends the accounting information to additional virtual routers simultaneously. The accounting information is always sent to the authenticating virtual router. The accounting information is sent to the operational virtual router only if duplicate accounting is not enabled and the authenticating virtual router is different from the operational virtual router.

    Both the duplicate and broadcast accounting features are supported on a per-virtual router context, and enable you to specify particular accounting servers that you want to receive the accounting information.

    For example, you might use broadcast accounting to send accounting information to a group of your private accounting servers. Or you might use duplicate accounting to send the accounting information to a customer’s accounting server.

    • Duplicate accounting—Sends the accounting information to a particular virtual router
    • Broadcast accounting—Sends the accounting information to a group of virtual routers. An accounting virtual router group can contain up to four virtual routers and the E Series router supports a maximum of 100 virtual router groups. The accounting information continues to be sent to the duplicate accounting virtual router, if one is configured.

    UDP Checksums

    Each virtual router on which you configure B-RAS is enabled to perform UDP checksums by default. You can disable and reenable UDP checksums.

    Published: 2014-08-20