Configuring RADIUS AAA Servers
The number of RADIUS servers you can configure
depends on available memory. The router has an embedded RADIUS client
for authentication and accounting.
Note: You can configure B-RAS with RADIUS accounting, but without RADIUS authentication. In this configuration, the username and password on the remote end are not authenticated and can be set to any value.
You must assign an IP address to a RADIUS authentication
or accounting server to configure it.
If you do not configure a
primary authentication or accounting server, all authentication and
accounting requests will fail. You can configure other servers as
backup in the event that the primary server cannot be reached. Configure
each server individually.
To configure an authentication or accounting RADIUS
server:
- Specify the authentication or accounting server address.
- host1(config)#radius authentication server 10.10.10.1
- host1(config-radius)#
- or
- host1(config)#radius accounting server 10.10.10.6
- host1(config-radius)#
- (Optional) Specify a UDP port for RADIUS authentication or accounting server requests.
- host1(config-radius)#udp-port 1645
- Specify an authentication or accounting server secret.
- host1(config-radius)#key gismo
- (Optional) Specify the number of retries the router makes to an authentication or accounting server before it attempts to contact another server.
- host1(config-radius)#retransmit 2
- (Optional) Specify the number of seconds between retries.
- host1(config-radius)#timeout 5
- (Optional) Specify the maximum number of outstanding requests.
- host1(config-radius)#max-sessions 100
- (Optional) Specify the amount of time to remove a server from the available list when a timeout occurs.
- host1(config-radius)#deadtime 10
- (Optional) In Global Configuration mode, specify whether the E-series router should move on to the next RADIUS server when the router receives an Access-Reject message for the user it is authenticating.
- host1(config)#radius rollover-on-reject enable
- (Optional) Enable duplicate address checking.
- host1(config)#aaa duplicate-address-check enable
- (Optional) Specify that duplicate accounting records be sent to the accounting server for a virtual router.
- host1(config)#aaa accounting duplication routerBoston
- (Optional) Enter the correct virtual router context, and specify the virtual router group to which broadcast accounting records are sent.
- host1(config)#virtual-router vrSouth25
- host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38
- host1:vrSouth25(config)#exit
- (Optional) Specify that immediate accounting updates be sent to the accounting server when a response is received to an Acct-Start message.
- host1(config)#aaa accounting immediate-update
- (Optional) Specify whether the router collects all statistics or only the uptime status.
- host1(config)#aaa accounting statistics time
- (Optional) Specify that tunnel accounting be enabled or disabled.
- host1(config)#radius tunnel-accounting enable
- (Optional) Specify the default authentication and accounting methods for the subscribers.
- host1(config)#aaa authentication ppp default radius none
- (Optional) Disable UDP checksums on virtual routers you configure for B-RAS.
- host1(config)#virtual-router boston
- host1:boston(config)#radius udp-checksum disable
aaa accounting broadcast
- Use to enable AAA broadcast accounting on a virtual router.
Specifies that accounting records be sent to the accounting servers
on the virtual routers in the named virtual router group.
- A virtual router group can be used in any virtual router
context, not just the context in which it is created.
- Example
- host1(config)#virtual-router vrSouth25
- host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38
- host1:vrSouth25(config)#exit
- Use the no version to disable
the AAA broadcast accounting.
- See aaa accounting broadcast
aaa accounting default
- Use to specify the accounting method used for a particular
type of subscriber.
- Specify one of the following types of subscribers:
- atm1483 (this keyword is not supported)
- tunnel
- ppp
- radius-relay
- ipsec
- ip (IP subscriber management interfaces)
Note: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JUNOSe software’s subscriber management feature. Although the atm1483 keyword is available in the CLI for this command, that subscriber type is not supported. The router does not support accounting for ATM 1483 subscribers.
- Specify one of the following types of accounting methods:
- radius—RADIUS accounting for the specified subscribers.
- none—No accounting is done for the specified subscribers.
- radius none—Multiple types of accounting; used in the order specified. For example, radius none specifies that RADIUS accounting is initially used; however, if RADIUS servers are not available, no accounting is done.
- Example
- host1(config)#aaa accounting ppp default radius
- Use the no version to set the
accounting protocol to the default, radius.
- See aaa accounting default
aaa accounting duplication
- Use to enable AAA duplicate accounting on a virtual router.
Specifies that duplicate accounting records be sent to the accounting
server on another virtual router.
- Example
- host1(config)#aaa accounting duplication routerBoston
- Use the no version to disable
the feature.
- See aaa accounting duplication
aaa accounting immediate-update
- Use to send an accounting update to the accounting server
immediately on receipt of a response for an Acct-Start message.
- Use the enable keyword to enable
immediate updates. Use the disable keyword
to disable immediate updates. Immediate updates are disabled by default.
- Example
- host1(config)#aaa accounting immediate-update enable
- Use the no version to restore
the default condition, disabling immediate updates.
- See aaa accounting immediate-update
aaa accounting interval
- Use to specify the default interval between updates for
user and service interim accounting.
Note: This command is deprecated and might be removed completely in a future release. Use the aaa user accounting interval command to specify the default interval for user accounting. Use the aaa service accounting interval command to specify the default interim accounting interval used for services created by the Service Manager application. See Configuring Service Manager.
- Select an interval in the range 10–1440 minutes.
The default is 0, which means that the feature is disabled.
- Example
- host1(config)#aaa accounting interval 60
- Use the no version to turn
off interim accounting for both users and services.
- See aaa accounting interval
aaa accounting statistics
- Use to specify how the AAA server collects statistics
on the sessions it manages.
- Use the volume-time keyword
to collect all statistics for the sessions.
- Use the time keyword to collect
only the uptime status of the sessions. Collecting only uptime information
is more efficient because less data is sent to AAA.
- Example
- host1(config)#aaa accounting statistics time
- Use the no version to restore
the default, in which all statistics are collected.
- See aaa accounting statistics
aaa accounting vr-group
- Use to create an accounting virtual router group and enter
VR Group Configuration mode. Virtual routing groups are used for AAA
broadcast accounting.
- A virtual router group can have up to four virtual routers.
The accounting servers of the virtual routers in the group receive
broadcast accounting records that are forwarded to the group.
- The E-series router supports a maximum of 100 virtual
router groups.
- When creating a virtual router group, you must add at
least one virtual router to the group; otherwise, the group is not
created.
- A virtual router group can be used in any virtual router
context, not just the context in which it is created.
- Example
- host1(config)#aaa accounting vr-group westVrGroup38
- host1(config-vr-group)#
- Use the no version to delete
the accounting virtual router group.
- See aaa accounting vr-group
aaa authentication default
- Use to specify the authentication method used for a particular
type of subscriber.
- Specify one of the following types of subscribers:
- atm1483
- tunnel
- ppp
- radius-relay
- ipsec
- ip (IP subscriber management interfaces)
Note: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JUNOSe software’s subscriber management feature.
- Specify one of the following types of authentication methods:
- radius—RADIUS authentication for the specified subscribers.
- none—Grants the specified subscribers access without authentication.
- radius none—Multiple types of authentication; used in the order specified. For example, radius none specifies that RADIUS authentication is initially used; however, if RADIUS servers are not available, users are granted access without authentication.
- Example
- host1(config)#aaa authentication ip default radius
- Use the no version to set the
authentication protocol to the default, radius.
- See aaa authentication default
aaa duplicate-address-check
- Use to enable or disable routing table address lookup
or duplicate address check.
- The router checks the routing table for the addresses returned for PPP users. If the address already exists in the routing table, the user is denied access.
- You can disable this routing table address lookup or duplicate
address check with the aaa duplicate-address-check command.
- Example
- host1(config)#aaa duplicate-address-check enable
- There is no no version.
- See aaa duplicate-address-check
aaa user accounting interval
- Use to specify the default interval between user accounting
updates. The router uses the default interval when no value is specified
in the RADIUS Acct-Interim-Interval attribute (RADIUS attribute 85).
- This command and the aaa service accounting
interval command replace the aaa accounting
interval command, which is deprecated and might be removed
in a future release. For information about setting the default interim
accounting interval for services, see Configuring Service Manager.
- The default interval is applied on a virtual router basis—this
setting is used for all users who attach to the corresponding virtual
router.
- Specify the user accounting interval in the range 10–1440
minutes. The default setting is 0, which disables the feature.
- Example
- host1(config)#aaa user accounting interval 20
- Use the no version to reset
the accounting interval to 0, which turns off interim user accounting
when no value is specified in the RADIUS Acct-Interim-Interval attribute.
- See aaa user accounting interval
aaa virtual-router
- Use to add virtual routers to a virtual router group.
During AAA broadcast accounting, accounting records are sent to the
accounting servers on the virtual routers in the named virtual router
group.
- You can add up to four virtual routers to a virtual router
group. Use the indexInteger parameter to specify
the order (1–4) in which the virtual routers receive the accounting
information. The indexInteger is used with the no version to delete a specific virtual router from
a group (see Example 2).
- A virtual router name consists of 1–32 alphanumeric
characters.
- The virtual router names in the group must be unique.
An error message appears if you enter a duplicate name.
- Example 1
- host1(config)#aaa accounting vr-group westVrGroup38
- host1(config-vr-group)#aaa virtual-router 1 vrWestA
- host1(config-vr-group)#aaa virtual-router 2 vrWestB
- host1(config-vr-group)#aaa virtual-router 4 vrSouth1
- Example 2
- host1(config-vr-group)#no aaa virtual-router 2
- Use the no version of the command
with the indexInteger parameter to delete a specific
virtual router from a group. If all virtual routers in a group are
deleted, the group is also deleted; a group must contain at least
one virtual router.
- See aaa virtual-router
deadtime
- Use to configure the amount of time (0–30 minutes)
that a server is marked as unavailable if a request times out for
the configured retry count.
- If a server fails to answer a request, the router marks
it unavailable. The router does not send requests
to the server until the router receives a response from the server
or until the configured time is reached, whichever occurs first.
- If all servers fail to answer a request, then instead
of marking all servers as unavailable, all servers are marked as available.
- To turn off the deadtime mechanism, specify a value of
0.
- Example
- host1(config)#radius authentication server 10.10.0.1
- host1(config-radius)#deadtime 10
- Use the no version to set the
time to the default value, 0
- See deadtime
key
- Use to configure secrets on the primary, secondary,
and tertiary authentication servers.
- The authentication or accounting server secret is a text
string used by RADIUS to encrypt the client and server authenticator field during exchanges between the router and a RADIUS authentication
server. The router encrypts PPP PAP passwords using this text string.
- The default is no server secret.
- Example
- host1(config)#radius authentication server 10.10.8.1
- host1(config-radius)#key gismo
- Use the no version to remove
the secret.
Note: Authentication fails if no key is specified for the authentication server.
- See key
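The two uses of the server secret that the key section describes, the Response Authenticator check on server replies and the hiding of PPP PAP passwords, worked through as RFC 2865 defines them. This is an added example, not JUNOSe code; the secret, identifier, Request Authenticator and password are constructed sample values (the secret and password reuse the page's example strings).

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_PASSWORD = 2  # RADIUS attribute type carrying the PAP password


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the PAP password to 16-byte blocks and XOR each
    block with MD5(secret + previous block); the first 'previous block' is the
    16-byte Request Authenticator chosen by the client."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse: the server holds the same key, so a mismatched key
    yields garbage and the PAP check fails (trailing NUL padding is stripped)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode(code: int, ident: int, authenticator: bytes, attrs=()) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def sign_reply(code: int, request: bytes, secret: bytes, attrs=()) -> bytes:
    """What the server does: ResponseAuth = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    unsigned = encode(code, request[1], request[4:20], attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """What the client does with its configured key: recompute the Response
    Authenticator over the reply and the original Request Authenticator. A
    missing or mismatched key fails here, which is why the note above says
    authentication fails when no key is configured for the server."""
    if len(reply) < 20 or reply[1] != request[1]:   # identifier must match
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret, req_auth = b"gismo", bytes(range(16))   # constructed sample values
    hidden = hide_password(b"mypassword", secret, req_auth)
    request = encode(ACCESS_REQUEST, 7, req_auth, [(USER_PASSWORD, hidden)])
    reply = sign_reply(ACCESS_ACCEPT, request, secret)
    print("genuine reply verifies:", verify_reply(reply, request, secret))
    print("wrong key verifies:", verify_reply(reply, request, b"wrong"))
```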
logout subscribers
- Use to issue an administrative reset to the user’s
connection to disconnect the user.
- From Privileged Exec mode, you can log out all subscribers, or log out subscribers by username, domain, virtual-router, or port.
- This command applies to PPP users, as well as to non-PPP
DHCP users.
- Example
- host1#logout subscribers username bmurphy
- There is no no version.
- See logout subscribers
max-sessions
- Use to configure the number of outstanding requests
supported by an authentication or accounting server.
- If the request limit is reached, the router sends the
request to the next server.
Note: For information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers, see JUNOSe Release Notes, Appendix A, System Maximums.
- The same IP address can be used for both an authentication
and accounting server (but not for multiple servers of the same type).
The router uses different UDP ports for authentication servers and
accounting servers.
- For each multiple of 255 requests (the RADIUS protocol
limit), the router opens a new UDP source (or local) port on the server
to send and receive RADIUS requests and responses.
- Example
- host1(config)#radius authentication server 10.10.0.1
- host1(config-radius)#max-sessions 100
- Use the no version to restore
the default value, 255.
- See max-sessions
no radius client
- Use to remove all RADIUS servers for the virtual router
context and to delete the E-series RADIUS client for the virtual router
context.
- Example
- host1:boston(config)#no radius client
- There is no affirmative version of this command; there
is only a no version.
- See no radius client
radius algorithm
- Use to specify the algorithm—either direct or round-robin—that
the E-series RADIUS client uses to contact the RADIUS server.
- Example
- host1(config)#radius algorithm round-robin
- Use the no version to set the
algorithm to the default, direct.
- See radius algorithm
radius override nas-info
- Use to configure the RADIUS client to include the NAS-IP-Address
[4] and NAS-Identifier [32] RADIUS attributes of the authenticating
virtual router in accounting packets when the client performs AAA
broadcast accounting. Normally, the accounting packets include the
NAS-IP-Address and NAS-Identifier of the virtual router that generated
the accounting information.
- This override operation is a per-virtual router specification;
use this command in the correct virtual router context.
- This command is ignored if the authenticating virtual
router does not have a configured RADIUS server.
- Example
- host1(config)#virtual-router vrXyz1
- host1:vrXyz1(config)#radius override nas-info
- host1:vrXyz1(config)#exit
- Use the no version to restore
inclusion of the NAS-IP-Address [4] and NAS-Identifier [32] RADIUS
attributes of the virtual router that requested the accounting information.
- See radius override nas-info
radius rollover-on-reject
- Use to specify whether the router rolls over to the next
RADIUS server when the router receives an Access-Reject message for
the user it is authenticating.
- Example
- host1(config)#radius rollover-on-reject enable
- Use the no version to set the
default of disable.
- See radius rollover-on-reject
radius accounting server
- Use to specify the IP address of authentication and accounting servers.
- Example
- host1(config)#radius authentication server 10.10.10.1
- host1(config-radius)#exit
- host1(config)#radius authentication server 10.10.10.2
- host1(config-radius)#exit
- host1(config)#radius authentication server 10.10.10.3
- host1(config-radius)#exit
- host1(config)#radius accounting server 10.10.10.20
- host1(config-radius)#exit
- host1(config)#radius accounting server 10.10.10.30
- Use the no version to delete
the instance of the RADIUS server.
- See radius accounting server
radius tunnel-accounting
- Use to specify that tunnel accounting be enabled or disabled.
- This command turns on accounting messages: Tunnel-Start,
Tunnel-Stop, Tunnel-Reject, Tunnel-Link-Start, Tunnel-Link-Stop, and
Tunnel-Link-Reject, as described in RFC 2867.
- Your router supports tunnel accounting for the L2TP LAC
and LNS.
- Example
- host1(config)#radius tunnel-accounting enable
- Use the no version to set the
default, disabled.
- See radius tunnel-accounting
radius udp-checksum
- Use to disable UDP checksums on virtual routers you configure
for B-RAS.
- Issue this command in the context of the appropriate virtual
router.
- Example
- host1(config)#virtual-router boston
- host1:boston(config)#radius udp-checksum disable
- Use the no version to reenable
UDP checksums on virtual routers you configure for B-RAS.
- See radius udp-checksum
radius update-source-addr
- Use to specify an alternate source IP address for the
router to use rather than the default router ID.
- Example
- host1(config)#radius update-source-addr 192.168.40.23
- Use the no version to delete
the parameter so that the router uses the router ID.
- See radius update-source-addr
retransmit
- Use to set the maximum number of times that the router
retransmits a RADIUS packet to an authentication or accounting server.
- If there is no response from the primary RADIUS authentication
or accounting server in the specified number of retries, the client
sends the request to the secondary server. If there is no response
from the secondary server, the router sends the request to the tertiary
server, and so on.
- Example
- host1(config)#radius authentication server 10.10.8.1
- host1(config-radius)#retransmit 2
- Use the no version to set
the value to the default, 3 retransmits.
- See retransmit
test aaa
- Use to verify RADIUS authentication and accounting and
IP address assignment setup.
- You must specify either a PPP or Multilink PPP (MLPPP)
user. PPP indicates a regular PPP user. MLPPP simulates Multilink
PPP so that if multiple test commands are issued, all test users are
bound by the same address.
- The command uses a username and password and attempts
to authenticate a user, get an address assignment, and issue a start
accounting request.
- Optionally, you can specify the virtual router context
in which to authenticate the user.
- The command pauses for several seconds, then terminates
the session by issuing a stop accounting request and an address release.
- Example
- host1#test aaa ppp jsmith mypassword virtual-router charlie2
Note: Specifying the password to associate with the username is optional. Specifying a virtual router is optional.
- There is no no version.
- See test aaa
timeout
- Use to set the number of seconds before the router retransmits
a RADIUS packet to an authentication or accounting server.
- If the interval is reached and there is no response from
the primary RADIUS authentication or accounting server, the router
attempts another retry. When the retry limit is reached, the client
sends the request to the secondary server. When the retry limit for
the secondary server is reached, the router attempts to reach the
tertiary server, and so on.
Note: After the fourth retransmission, the configured timeout value is ignored, and the router uses a backoff algorithm that increases the timeout between each succeeding transmission. The backoff algorithm is:
- Example
- host1(config)#radius authentication server 10.10.0.1
- host1(config-radius)#timeout 5
- Use the no version to restore
the default value, 3 seconds.
Note: When a RADIUS server times out or when it has no available RADIUS identifier values, the router removes the RADIUS server from the list of available servers for a period of time. The router restores all configured servers to the list if it is about to remove the last server. Restoring the servers avoids having an empty server list.
- See timeout
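The server-selection rules spread over the deadtime, radius rollover-on-reject, retransmit and timeout sections above, put together as one simulation so their interaction can be traced: retries on a silent server, rollover on Access-Reject, marking a server unavailable for the deadtime, and restoring every server rather than emptying the list. This is an added example, not JUNOSe software; the clock and the server replies are constructed, and the post-fourth-retransmission backoff is not modelled because the page does not give the algorithm.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    address: str
    dead_until: float = 0.0   # simulated time until which the server is skipped


@dataclass
class RadiusClient:
    servers: list                 # configured order: primary, secondary, ...
    retransmit: int = 3           # default per 'retransmit'
    timeout: float = 3.0          # seconds, default per 'timeout'
    deadtime: float = 0.0         # minutes; 0 turns the mechanism off
    rollover_on_reject: bool = False
    now: float = 0.0              # simulated clock, advanced on each timeout
    log: list = field(default_factory=list)

    def available(self) -> list:
        return [s for s in self.servers if s.dead_until <= self.now]

    def mark_unavailable(self, server: Server) -> None:
        if self.deadtime == 0:
            return
        if len(self.available()) <= 1:
            # Page rule: rather than remove the last server, restore all of them.
            for s in self.servers:
                s.dead_until = 0.0
            self.log.append("all servers restored")
        else:
            server.dead_until = self.now + self.deadtime * 60
            self.log.append(f"{server.address} marked unavailable")

    def authenticate(self, send) -> str:
        """send(address) stands in for the network and returns 'accept',
        'reject' or None (no response). Returns 'accept', 'reject' or 'fail'.
        The configured timeout is used for every attempt (no backoff modelled)."""
        for server in self.available():
            for _ in range(self.retransmit + 1):   # initial send + retransmits
                result = send(server.address)
                if result is None:
                    self.now += self.timeout        # wait, then retransmit
                    continue
                if result == "reject" and self.rollover_on_reject:
                    break                           # roll over to next server
                return result
            else:
                self.mark_unavailable(server)       # timed out on every retry
        return "fail"


def scripted(replies: dict):
    """Constructed network stand-in: address -> reply; a missing address never answers."""
    return lambda address: replies.get(address)


if __name__ == "__main__":
    client = RadiusClient([Server("10.10.10.1"), Server("10.10.10.2"),
                           Server("10.10.10.3")], deadtime=10)
    network = scripted({"10.10.10.2": "reject", "10.10.10.3": "accept"})
    print(client.authenticate(network), client.log)      # reject, primary dead
    client.rollover_on_reject = True
    print(client.authenticate(network), client.now)      # accept, no new waiting
```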
udp-port
- Use to configure the UDP port on the router where the
RADIUS authentication, accounting, preauthentication, and route-download
servers reside. The router uses this port to communicate with the
RADIUS authentication servers.
- Specify a port number in the range 0–65536. For authentication, preauthentication, or route-download servers, the default UDP port is 1812. For accounting servers, the default is 1813.
- Example
- host1(config)#radius authentication server 10.10.9.1
- host1(config-radius)#udp-port 1645
- Use the no version to set the
port number to the default value.
- See udp-port