
    How to Configure Upper-Layer Dynamic Interfaces Using the RADIUS Server

    Dynamic interfaces can be configured automatically through authentication and authorization by the RADIUS server.

    On Asynchronous Transfer Mode (ATM) interfaces, you initially create the static portion of the interface column by creating an ATM interface, ATM 1483 subinterface, and underlying ATM permanent virtual circuit (PVC).

    Configuring a Local Subscriber for a Dynamic IPoA or Bridged Ethernet Interface

    For dynamic interfaces that do not have a PPP layer, such as IPoA, you can use the subscriber command to configure an ATM 1483 subinterface to be authenticated automatically by the RADIUS server. The subscriber command uses a RADIUS username and optional password for identification and is available only for bridged Ethernet and IPoA configurations. This command is used for dynamic encapsulations that do not provide the authentication information remotely, as PPP does.

    For dynamic interfaces with a PPP layer, the RADIUS username and password are obtained from the remote client, and authentication is performed with the RADIUS server. The attributes obtained from RADIUS can then be used to configure any higher-layer dynamic interfaces, such as IP, that are built over PPP.

    If your router is running stateful SRP switchover (high availability), the use of the subscriber command to configure RADIUS authentication for subscribers on dynamic bridged Ethernet interfaces might suspend stateful SRP switchover on the router or prevent stateful SRP switchover from becoming active. For more information about using the subscriber management application to bypass this limitation, see Subscriber Authentication on Dynamic Bridged Ethernet over Static ATM Interfaces.

    To configure a local subscriber on the E Series router to support authentication and configuration from RADIUS for a dynamic IPoA or bridged Ethernet interface:

    • Issue the subscriber command in Subinterface Configuration mode.
      1. To set IP as the dynamic-layer upper interface:
        host1(config-subif)#subscriber ip user-prefix charlie domain myisp password-prefix lucy
      2. To set bridged Ethernet as the dynamic-layer upper interface:
        host1(config-subif)#subscriber bridgedEthernet user westford003 domain acmecorp.east password xyz123

      Use the no version to remove the subscriber.

    Subscriber Authentication on Dynamic Bridged Ethernet over Static ATM Interfaces

    You can use either of the following methods to configure and manage RADIUS authentication for IP subscribers on dynamic bridged Ethernet over static ATM interfaces:

    • The subscriber command
    • The subscriber management application

    The subscriber command does not support running stateful switch route processor (SRP) switchover (high availability) on the router. Therefore, the configuration method you choose depends on whether stateful SRP switchover is running on your router.

    This section describes the following:

    Configuration Method Using subscriber Command

    When you use the subscriber command to configure IP subscribers on dynamic bridged Ethernet over static ATM 1483 interface columns to support RADIUS authentication, the subscriber command provides the subscriber’s authentication parameters. The static ATM 1483 subinterface acts as the authenticating layer that establishes a session with RADIUS and passes the subscriber’s locally configured username and password information to the RADIUS server.

    However, if your router is running stateful SRP switchover (high availability), the use of the subscriber command in this configuration might suspend stateful SRP switchover on the router or prevent stateful SRP switchover from becoming active. To bypass this limitation, you can use the subscriber management application to configure IP subscribers on dynamic bridged Ethernet interfaces.

    Configuration Method Using Subscriber Management Application

    You can use the JunosE subscriber management application to configure and manage IP subscribers associated with a dynamic bridged Ethernet interface column. The subscriber management application uses an IP service profile to manage and authenticate IP subscribers with RADIUS. An IP service profile contains user and password information, and is used in a route map for subscriber management and to authenticate subscribers with RADIUS.

    In this configuration, the IP service profile provides the subscriber’s authentication parameters, and the subscriber management application acts as the authenticating layer to obtain information from RADIUS for configuration of dynamic IP subscribers. To assign the IP service profile to the interface profile from which the dynamic bridged Ethernet interface is created, you use the bridge1483 service-profile command in Profile Configuration mode.

    If stateful SRP switchover is disabled or not running on your router, you can continue to use the subscriber command to configure IP subscribers on dynamic bridged Ethernet interfaces to support RADIUS authentication.

    Alternatively, you can use the subscriber management application to create and configure dynamic IP interfaces regardless of whether stateful SRP switchover is running on the router. In addition, using subscriber management enables you to take advantage of several useful features such as the IP inactivity timer.

    In the event that an interface profile for a dynamic bridged Ethernet interface includes the subscriber command to configure a local subscriber as well as the bridge1483 service-profile command to reference an IP service profile, the values specified with the subscriber command take precedence. The router ignores the values in the IP service profile in this case.

    For details about using the subscriber management application to configure RADIUS authentication for IP subscribers on dynamic bridged Ethernet interfaces, see Configuring Subscriber Management for IP Subscribers on Dynamic Bridged Ethernet Interfaces.

    For more information about using the subscriber management application, see JunosE Broadband Access Configuration Guide.

    Dynamic IP Route Insertion in the Routing Table Overview

    If you want to insert a dynamic IP route into the routing table of the relevant virtual router to point to the subscriber’s subinterface, you can use the Framed-Route [22] RADIUS attribute to do so. Defined by RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000), the Framed-Route attribute can be returned in Access-Accept messages to specify the route as follows:

    Framed-Route = ipAddress/mask nextHop

    For dynamic IP interfaces, the next hop might not be known when you create the user record. In this case, use the value 0.0.0.0 for the next hop; the E Series router then assigns the subinterface associated with the user as the next hop in the routing table.
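
Because a Framed-Route value returned by RADIUS ends up in the virtual router's routing table, it is worth checking the values in user records before they are deployed. The following check is an added example, not code from JunosE or from Juniper documentation; it accepts only the two-field form shown above, and the function names, the `min_prefix_len` policy threshold, and the sample values are assumptions.

```python
import ipaddress

# Label for the page's rule: next hop 0.0.0.0 means the router uses the
# subinterface associated with the user. The string itself is made up here.
SUBSCRIBER_SUBINTERFACE = "subscriber-subinterface"

def check_framed_route(value, min_prefix_len=8):
    """Validate one 'ipAddress/mask nextHop' string.

    Returns (network, next_hop, findings). min_prefix_len is an assumed
    local policy threshold, not a JunosE or RFC 2865 limit.
    """
    fields = value.split()
    if len(fields) != 2:
        raise ValueError("expected 'ipAddress/mask nextHop', got %r" % value)
    dest, hop = fields
    if "/" not in dest:
        raise ValueError("destination has no /mask: %r" % dest)
    # strict=False tolerates host bits so they are reported, not fatal.
    network = ipaddress.IPv4Network(dest, strict=False)
    hop_addr = ipaddress.IPv4Address(hop)

    findings = []
    if ipaddress.IPv4Address(dest.split("/", 1)[0]) != network.network_address:
        findings.append("host-bits-set")      # e.g. 192.0.2.77/24
    if network.prefixlen < min_prefix_len:
        findings.append("prefix-too-broad")   # e.g. a default route
    next_hop = SUBSCRIBER_SUBINTERFACE if hop_addr.is_unspecified else hop_addr
    return network, next_hop, findings

def audit(values):
    """Map each Framed-Route string to its findings, or to a rejection reason."""
    report = {}
    for value in values:
        try:
            report[value] = check_framed_route(value)[2]
        except ValueError as exc:
            report[value] = ["rejected: %s" % exc]
    return report

# Constructed sample values (documentation address ranges), not from the page.
SAMPLES = [
    "192.0.2.0/24 0.0.0.0",
    "192.0.2.77/24 198.51.100.1",
    "0.0.0.0/0 0.0.0.0",
    "203.0.113.0/33 0.0.0.0",
]
```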

    Published: 2014-08-14