[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring Router to Mirror Users Already Logged In

When a mirroring operation is initiated for a user who is already logged in (RADIUS-initiated mirroring), the RADIUS server uses change-of-authorization messages and passes the required RADIUS attributes and the identifier of the currently running session to the E-series router. The router uses this information to create the secure policy and attaches it to the interface that is created for the user. The E-series router must be configured to accept change-of-authorization messages from the RADIUS server.

  1. Specify the RADIUS dynamic-request server that sends change-of-authorization messages to the router, and enter RADIUS configuration mode.
    host1(config)#radius dynamic-request server 192.168.11.0
  2. Specify the UDP port used to communicate with the RADIUS server.
    host1(config-radius)#udp-port 3799
  3. Create the key used to communicate with the RADIUS server.
    host1(config-radius)#key mysecret
  4. Configure the router to receive change-of-authorization messages from the RADIUS server.
    host1(config-radius)#authorization change
    host1(config-radius)#exit
    host1(config)#exit
  5. Verify your RADIUS-initiated mirroring configuration. 
    host1#show radius dynamic-request servers


    

                   RADIUS Request Configuration
               ----------------------------
                                       Change
                Udp                      Of
 IP Address     Port   Disconnect   Authorization   Secret
-------------   ----   ----------   -------------   ------
 10.10.3.4      3799   enabled      enabled         mysecret
    

    6. 

  6. Configure the analyzer interface to send the mirrored
traffic to the analyzer device. 

    

    host1(config)#interface fastEthernet 4/0 

    

    host1(config-if)#ip analyzer 

    

    

    
    

    Alternatively, for increased security, create the
analyzer interface at one end of an IPSec tunnel to the analyzer device.
    


    

    host1(config)# interface tunnel ipsec:mirror3
transport-virtual-router default 

    

    host1(config-if)#ip analyzer 

    

    host1(config-if)#exit 

    

    host1(config)#ip route 192.168.99.2 255.255.255.255
tunnel ipsec:mirror3 

    

    

    
    

    7. 




[Contents]
[Prev]
[Next]

[Index]

[Report an Error]










Copyright © 2008, Juniper Networks, Inc.
All rights reserved.
	Trademark Notice.