Configuring Pseudo-RADIUS Authorization Server Properties (SRC CLI)

Tasks to configure the pseudo-RADIUS authorization server are:
- Configuring the Pseudo-RADIUS Authorization Server (SRC CLI)
- Configuring the Directory Connection Properties for the Subscriber Data
- Configuring Directory Connection Properties for the Cached DHCP Profiles

Configuring the Pseudo-RADIUS Authorization Server (SRC CLI)

Use the following configuration statements to configure the pseudo-RADIUS authorization server:
    slot number external-subscriber-monitor radius-authorization {
        port port;
        local-address local-address;
        check-lease-limit-with-sae;
        query-cached-dhcp-profile;
        default-lease-limit default-lease-limit;
        invalid-pool-name invalid-pool-name;
        lease-time-limit lease-time-limit;
        cleanup-interval cleanup-interval;
        maximum-age maximum-age;
        minimum-pool-size minimum-pool-size;
        maximum-queue-length maximum-queue-length;
        service-type (all | login | framed | callback-login | callback-framed | outbound | administrative | nas-prompt | authenticate-only | callback-nas-prompt | callback-check | callback-administrative);
    }
    slot number external-subscriber-monitor radius-authorization client client-address {
        secret secret;
    }
To configure the pseudo-RADIUS authorization server:

- From configuration mode, access the configuration statement that configures the pseudo-RADIUS authorization server.
    user@host# edit slot 0 external-subscriber-monitor radius-authorization
- Specify the listening port for RADIUS requests.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set port port
- (Optional) Specify the host address to which the pseudo-RADIUS authorization server binds. If this attribute is absent (or deleted), the server binds to the wildcard (*) address, that is, to all local addresses.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set local-address local-address
- (Optional) Specify whether to query the SAE for the number of active subscribers for a given interface. If set to true, the response to the RADIUS access request depends on the comparison between the number of active subscriber sessions and the lease limit for the interface: if the number of active subscriber sessions is less than the lease limit, the response is a RADIUS access accept message without the lease limit RADIUS attribute; otherwise, the response is a RADIUS access accept message in which the subscriber is not assigned an address. If set to false, the response is a RADIUS access accept message with the lease limit RADIUS attribute; when the lease limit RADIUS vendor-specific attribute is returned, the MX Series router verifies the lease limit.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set check-lease-limit-with-sae
- (Optional) Specify whether to search for a cached DHCP profile in the o=AuthCache directory based on the MAC address. If set to true, you must configure a directory connection to the cached DHCP profiles; see Configuring Directory Connection Properties for the Cached DHCP Profiles. If set to true, the following conditions apply:
    - If a cached DHCP profile is found, the RADIUS response message includes the RADIUS attribute values for the framed IP address, pool name, service bundle, and RADIUS class attributes that are present in the cached DHCP profile.
    - If the check-lease-limit-with-sae option is set to true and the number of active subscriber sessions is less than the lease limit, the RADIUS access accept message includes the cached DHCP profile.
    - If the check-lease-limit-with-sae option is set to false, the RADIUS response includes the lease limit.
  If set to false, the RADIUS response message does not include the cached DHCP profile information.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set query-cached-dhcp-profile
- (Optional) Specify the default lease limit for all interfaces.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set default-lease-limit default-lease-limit
- Specify the invalid pool name returned when the number of active subscriber sessions exceeds the lease limit.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set invalid-pool-name invalid-pool-name
- (Optional) Specify the timeout of a cached authenticated request.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set lease-time-limit lease-time-limit
- Specify the amount of time to wait before cleaning up cached RADIUS access requests that have been accepted.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set cleanup-interval cleanup-interval
- Specify the maximum age of an unacknowledged RADIUS access request cached in memory. We recommend a value slightly greater than the retry interval of the RADIUS packets.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set maximum-age maximum-age
- Specify the minimum number of concurrent threads that process the RADIUS access message subtasks.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set minimum-pool-size minimum-pool-size
- Specify the maximum number of unacknowledged RADIUS messages received from the RADIUS server that are held before new messages are discarded.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set maximum-queue-length maximum-queue-length
- Specify the service type of the RADIUS packets that are forwarded.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set service-type service-type
- (Optional) Verify your configuration.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# show
- Access the configuration statement that specifies the trusted RADIUS clients.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# edit client client-address
    [edit slot 0 external-subscriber-monitor radius-authorization client client-address]
- Specify the RADIUS shared secret for the client.
    [edit slot 0 external-subscriber-monitor radius-authorization client client-address]
    user@host# set secret secret
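A filled-in run of the procedure above, added here as an illustration and not taken from the SRC documentation: the slot number and statement names are those on this page; the addresses, the pool name, the numeric tunables and the secret are constructed placeholders to be replaced with deployment values. Lines beginning with # are annotations, not CLI input.

```text
[edit slot 0 external-subscriber-monitor radius-authorization]
# Listen on the standard RADIUS authentication port, bound to one
# address instead of the wildcard (*) address so the service is not
# reachable on every local interface.
user@host# set port 1812
user@host# set local-address 192.0.2.10
# Ask the SAE for the active-session count and compare it with the
# interface lease limit; look up the cached DHCP profile by MAC address.
user@host# set check-lease-limit-with-sae
user@host# set query-cached-dhcp-profile
user@host# set default-lease-limit 1
# Returned in place of a real pool name when the lease limit is
# exceeded, so that the subscriber is not assigned an address.
user@host# set invalid-pool-name no-address
# Cache, cleanup and thread tunables (values illustrative only).
user@host# set lease-time-limit 60
user@host# set cleanup-interval 120
user@host# set maximum-age 10
user@host# set minimum-pool-size 4
user@host# set maximum-queue-length 500
user@host# set service-type framed
# One trusted RADIUS client per NAS address, each with its own secret.
user@host# edit client 192.0.2.20
[edit slot 0 external-subscriber-monitor radius-authorization client 192.0.2.20]
user@host# set secret <shared-secret>
```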
Configuring the Directory Connection Properties for the Subscriber Data

The subscriber data can be queried for information such as the interface's lease limit. Use the following statements to configure the directory connection to the directory in which the subscriber data is stored:

    slot number external-subscriber-monitor radius-authorization ldap subscriber-data {
        base base;
        base-dn base-dn;
    }
    slot number external-subscriber-monitor radius-authorization ldap subscriber-data directory-connection {
        url url;
        principal principal;
        credentials credentials;
        protocol (ldaps);
        backup-urls [backup-urls...];
        timeout timeout;
        check-interval check-interval;
        blacklist;
        snmp-agent;
        signature-dn signature-dn;
    }
To configure directory connection properties:

- From configuration mode, access the configuration statement that configures the directory connection.
    user@host# edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data
- Specify the top-level directory DN.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data]
    user@host# set base base
- Specify the subtree in the directory in which the subscriber data is stored.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data]
    user@host# set base-dn base-dn
- Access the configuration statement that configures the directory connection properties.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data]
    user@host# edit directory-connection
- Specify the directory connection properties for the subscriber data.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data directory-connection]
    user@host# set ?
- (Optional) Verify your configuration.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data]
    user@host# show
Configuring Directory Connection Properties for the Cached DHCP Profiles

The DHCP profiles can be queried by MAC address for the RADIUS framed IP address for authorized subscribers or the invalid pool name for unauthorized subscribers. Use the following statements to configure the directory connection to the directory in which the cached DHCP profiles are stored:

    slot number external-subscriber-monitor radius-authorization ldap cached-dhcp-profile {
        base base;
        base-dn base-dn;
    }
    slot number external-subscriber-monitor radius-authorization ldap cached-dhcp-profile directory-connection {
        url url;
        principal principal;
        credentials credentials;
        protocol (ldaps);
        backup-urls [backup-urls...];
        timeout timeout;
        check-interval check-interval;
        blacklist;
        snmp-agent;
        signature-dn signature-dn;
    }
To configure directory connection properties:

- From configuration mode, access the configuration statement that configures the directory connection.
    user@host# edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile
- Specify the top-level directory DN.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile]
    user@host# set base base
- Specify the subtree in the directory in which the cached DHCP profiles are stored.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile]
    user@host# set base-dn base-dn
- Access the configuration statement that configures the directory connection properties.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile]
    user@host# edit directory-connection
- Specify the directory connection properties for the cached DHCP profiles.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile directory-connection]
    user@host# set ?
- (Optional) Verify your configuration.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile]
    user@host# show
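The directory connection for the cached DHCP profiles, filled in as an added example that is not part of the SRC documentation; the subscriber-data directory connection described in the previous section takes the same statements under its own ldap subscriber-data hierarchy. o=AuthCache is the directory this page names for the cached profiles; the host names, bind DN, credentials, subtree DN and numeric values are constructed placeholders, and the statements signature-dn and snmp-agent are left out. Lines beginning with # are annotations, not CLI input.

```text
[edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile]
# Directory root, then the subtree that actually holds the profiles so
# that searches by MAC address do not walk the whole tree.
user@host# set base o=AuthCache
user@host# set base-dn <profile-subtree-dn>
user@host# edit directory-connection
[edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile directory-connection]
# Primary and backup directory servers; protocol ldaps keeps the bind
# credentials and profile data off the wire in clear text.
user@host# set url ldap://ldap1.example.com:636/
user@host# set backup-urls [ ldap://ldap2.example.com:636/ ]
user@host# set protocol ldaps
# Use a dedicated bind identity with read-only rights to the profile
# subtree rather than a directory administrator account.
user@host# set principal <bind-dn>
user@host# set credentials <bind-password>
# Connection supervision statements from this page (values illustrative).
user@host# set timeout 10
user@host# set check-interval 60
user@host# set blacklist
```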