Configuring RADIUS-Based Mirroring
To configure the RADIUS-based packet mirroring environment, you must coordinate the mirroring operations of three devices in the network: the RADIUS server, the E-series router, and the analyzer device. The configuration of the RADIUS server and the analyzer device is described in this section for reference only. The actual configuration procedures depend on the policies and guidelines established by the responsible organizations.
Configuring the RADIUS Server
Table 43 lists the VSAs that are included for both types of RADIUS-based mirroring: user-initiated (when the user logs on to start a new session) and RADIUS-initiated (when the user is already logged in).
Disabling RADIUS-Based Mirroring
To disable mirroring, you include the RADIUS attribute (for example, Acct-Session-ID) and set the Mirror-Action attribute to 0 in the mirrored user's RADIUS record.
You can also use the mirror disable CLI commands to disable RADIUS-based mirroring. You must use the version of the mirror disable command that corresponds to the RADIUS attribute that was used to identify the user. For example, if you used the RADIUS Calling-Station-ID attribute to create the mirroring session, you must use the mirror disable calling-station-id command to disable the session.
Configuring the Analyzer Device
The analyzer device must be configured to receive the mirrored traffic from the E-series router's analyzer interface. The analyzer interface directs mirrored traffic to the specified analyzer device for analysis. You can configure the interface as the virtual router's default analyzer interface. You cannot configure multiaccess interfaces, such as IP over Ethernet, as default analyzer interfaces.
When mirroring an IP interface, the analyzer interface must reside in the same virtual router as the mirrored interface. When mirroring an L2TP interface, the analyzer interface must reside in the default virtual router.
You can configure any type of IP interface on the E-series router as an analyzer interface, except for special interfaces such as SRP interfaces, null interfaces, and loopback interfaces. An interface cannot be both an analyzer interface and a mirrored interface at the same time. A single analyzer interface can support multiple mirrored interfaces. The receive side of the analyzer interface is disabled. All traffic attempting to access the router through an analyzer interface is dropped. Analyzer interfaces drop all nonmirrored traffic. Policies are not supported. When you configure an analyzer interface, existing policies are disabled, and no new policies are accepted.
- authorization change command
- ip analyzer command
- key command
- mirror disable command
- radius dynamic-request server command
- udp-port command
Configuring Router to Start Mirroring When User Logs On
To configure the router to support RADIUS-based mirroring that starts when the user logs on:
- Configure RADIUS server authentication information in the router. See JUNOSe Broadband Access Configuration Guide, Chapter 1, Configuring Remote Access for information.
- Ensure that the analyzer interface is configured to send the mirrored traffic to the analyzer device.
- (Optional) For increased security, create an IPSec tunnel between the analyzer interface and the analyzer device.
Configuring Router to Mirror Users Already Logged On
To configure the router to support RADIUS-initiated mirroring when the user is already logged in:
- Specify the RADIUS server that sends change-of-authorization messages to the router.
- Specify the UDP port used to communicate with the RADIUS server.
- Configure the key used when communicating with the RADIUS server.
- Enable the router to receive change-of-authorization messages from the RADIUS server.
- Ensure that the analyzer interface is configured to send the mirrored traffic to the analyzer device.
- (Optional) For increased security, create an IPSec tunnel between the analyzer interface and the analyzer device.
Configuring RADIUS-Initiated Mirroring When Users Are Logged On
When a mirroring operation is initiated for a user who is already logged on, the RADIUS server uses change-of-authorization messages and passes the required RADIUS attributes and the identifier of the currently running session to the E-series router. The router uses this information to create the secure policy and attaches it to the interface that is created for the user. The E-series router must be configured to accept change-of-authorization messages from the RADIUS server.
- Specify the RADIUS dynamic-request server, and enter RADIUS configuration mode.
host1(config)#radius dynamic-request server 192.168.11.0
- Specify the UDP port used to communicate with the RADIUS server.
host1(config-radius)#udp-port 3799
- Create the key used to communicate with the RADIUS server.
host1(config-radius)#key mysecret
- Configure the router to receive change-of-authorization messages from the RADIUS server.
host1(config-radius)#authorization change
host1(config-radius)#exit
host1(config)#exit
- Verify your RADIUS-initiated mirroring configuration.
host1#show radius dynamic-request servers
RADIUS Request Configuration
----------------------------
                                   Change
                 Udp               Of
IP Address       Port  Disconnect  Authorization  Secret
---------------  ----  ----------  -------------  ------
10.10.3.4        3799  enabled     enabled        mysecret
- Create the analyzer interface.
host1(config)#interface fastEthernet 4/0
host1(config-if)#ip analyzer
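The key configured above is what lets the router tell a genuine change-of-authorization message from a forged or altered one. The following Python is an added example, not JUNOSe or Juniper code: it builds a CoA-Request carrying the standard Acct-Session-Id attribute (the session identifier this page uses to pick the mirrored user) and recomputes the RFC 5176 Request Authenticator with the shared secret, as a receiver must. The session value is constructed; the Juniper mirroring VSA numbers are not given on this page and are deliberately not assumed here.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43       # RADIUS packet code for CoA-Request (RFC 5176)
ACCT_SESSION_ID = 44   # standard attribute that names the session to act on
HEADER_LEN = 20        # code(1) + identifier(1) + length(2) + authenticator(16)

def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type / length / value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """Build a CoA-Request. Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator with the locally configured key.
    A mismatch means a different key was used or the packet was altered."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])

def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute list into {type: value}, rejecting malformed lengths."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs

# Constructed sample: one CoA-Request naming a session, keyed with the page's "mysecret".
SAMPLE_SECRET = b"mysecret"
SAMPLE_SESSION = b"erx 0001234"   # constructed Acct-Session-Id value, not a real one
SAMPLE_PACKET = build_coa_request(
    7, encode_attr(ACCT_SESSION_ID, SAMPLE_SESSION), SAMPLE_SECRET)
```

Running verify_coa_request with a different key, or against a packet whose attributes were modified in transit, returns False, which is the check a router performs before acting on a mirroring request received on the configured UDP port.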