Configuring RADIUS Authentication and Accounting Servers

The number of RADIUS servers you can configure depends on available memory.

The order in which you configure servers determines the order in which the router contacts those servers on behalf of clients.

Initially, a RADIUS client sends a request to a RADIUS authentication or accounting server. The RADIUS server uses the configured IP address, the UDP port number, and the secret key to make the connection. The RADIUS client waits for a response for a configurable timeout period and then retransmits the request. The RADIUS client retransmits the request for a user-configurable retry limit.

If there is no response from the primary RADIUS server, the RADIUS client submits the request to the secondary RADIUS server using the timeout period and retry limit configured for the secondary RADIUS server.
If the connection attempt fails for the secondary RADIUS server, the router submits the request to the tertiary server and so on until it either is granted access on behalf of the client or there are no more configured servers.
If another authentication server is not configured, the router attempts the next method in the method list; for accounting server requests, the information is dropped.

For example, suppose that you have configured the following authentication servers: Auth1, Auth2, Auth3, Auth4, and Auth5. Your router attempts to send an authentication request to Auth1. If Auth1 is unavailable, the router submits the request to Auth2, then Auth3, and so on until an available server is found. If Auth5, the last configured authentication server, is not available, the router attempts the next method in the methods list. If the only method configured is RADIUS, then the router notifies the client that the request has been denied.

Server Access

The router offers two options by which servers are accessed:

Direct—The first authentication or accounting server that you configure is treated as the primary authentication or accounting server, the next server configured is the secondary, and so on.
Round-robin—The first configured server is treated as a primary for the first request, the second server configured as primary for the second request, and so on. When the router reaches the end of the list of servers, it starts again at the top of the list until it comes full cycle through the list.

Use the radius algorithm command to specify the server access method.

When you configure the first RADIUS accounting server, a RADIUS Acct-On message is sent. When you delete the last accounting server, a RADIUS Acct-Off message is sent.

Server Request Processing Limit

You can configure RADIUS authentication servers and accounting servers to use different UDP ports on the router. This enables the same IP address to be used for both an authentication server and an accounting server. However, you cannot use the same IP address for multiple authentication servers or for multiple accounting servers.rs.

Note: For information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers, see JunosE Release Notes, Appendix A, System Maximums.

The E Series router listens to a range of UDP source (or local) ports for RADIUS responses. Each UDP source port supports a maximum of 255 RADIUS requests. When the 255 per-port limit is reached, the router opens the next source port. When the max-sessions command limit is reached, the router submits the request to the next configured server.

Table 4 lists the range of UDP ports the router uses for each type of RADIUS request.

Table 4: Local UDP Port Ranges by RADIUS Request Type

RADIUS Request Type	ERX310, ERX710, ERX1410, and E120 Broadband Services Routers	ERX1440 and E320 Broadband Services Routers
RADIUS authentication	50000–50124	50000–50124
RADIUS accounting	50125–50249	50125–50499
RADIUS preauthentication	50250–50374	50500–50624
RADIUS route-download	50375–50500	50625–50749

Authentication and Accounting Methods

When you configure AAA authentication and accounting services for your B-RAS environment, one important task is to specify the authentication and accounting method used. The JunosE Software gives you the flexibility to configure authentication or accounting methods based on the type of subscriber. This feature allows you to enable RADIUS authentication for some subscribers, while disabling authentication completely for other subscribers. Similarly, you can enable RADIUS accounting for some subscribers, but no accounting for others. For example, you might use RADIUS authentication for ATM 1483 subscribers, while granting IP subscriber management interfaces access without authentication (using the none keyword).

You can specify the authentication or accounting method you want to use, or you can specify multiple methods in the order in which you want them used. For example, if you specify the radius keyword followed by the none keyword when configuring authentication, AAA initially attempts to use RADIUS authentication. If no RADIUS servers are available, AAA uses no authentication. The JunosE Software currently supports radius and none as accounting methods and radius, none, and local as authentication methods. See Configuring Local Authentication Servers for information about local authentication.

You can configure authentication and accounting methods based on the following types of subscribers:

ATM 1483
Tunnels (for example, L2TP tunnels)
PPP
RADIUS relay server
IP subscriber management interfaces
Note: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JunosE Software’s subscriber management feature.

Supporting Exchange of Extensible Authentication Protocol Messages

Extensible Authentication Protocol (EAP) is a protocol that supports multiple methods for authenticating a peer before allowing network layer protocols to transmit over the link. JunosE Software supports the exchange of EAP messages between JunosE applications, such as PPP, and an external RADIUS authentication server.

The JunosE Software’s AAA service accepts and passes EAP messages between the JunosE application and the router’s internal RADIUS authentication server. The internal RADIUS authentication server, which is a RADIUS client, provides EAP pass-through—the RADIUS client accepts the EAP messages from AAA, and sends the messages to the external RADIUS server for authentication. The RADIUS client then passes the response from the external RADIUS authentication server back to the AAA service, which then sends a response to the JunosE application. The AAA service and the internal RADIUS authentication service do not process EAP information—both simply act as pass-through devices for the EAP message.

The router’s local authentication server and TACACS+ authentication servers do not support the exchange of EAP messages. These type of servers deny access if they receive an authentication request from AAA that includes an EAP message. EAP messages do not affect the none authentication configuration, which always grants access.

The local RADIUS authentication server uses the following RADIUS attributes when exchanging EAP messages with the external RADIUS authentication server:

Framed-MTU (attribute 12)—Used if AAA passes an MTU value to the internal RADIUS client
State (attribute 24)—Used in Challenge-Response messages from the external server and returned to the external server on the subsequent Access-Request
Session-Timeout (attribute 27)—Used in Challenge-Response messages from the external server
EAP-Message (attribute 79)—Used to fragment EAP strings into 253-byte fragments (the RADIUS limit)
Message-Authenticator (attribute 80)—Used to authenticate messages that include an EAP-Message attribute

For additional information on configuring PPP to use EAP authentication, see JunosE Link Layer Configuration Guide .

Immediate Accounting Updates

You can use the aaa accounting immediate-update command to configure immediate accounting updates on a per-VR basis. If you enable this feature, the E Series router sends an Acct-Update message to the accounting server immediately on receipt of a response (ACK or timeout) to the Acct-Start message.

This feature is disabled by default. Use the enable keyword to enable immediate updates and the disable keyword to halt them.

The accounting update contains 0 (zero) values for the input/output octets/packets and 0 (zero) for uptime. If you have enabled duplicate or broadcast accounting, the accounting update goes to both the primary virtual router context and the duplicate or broadcast virtual router context.

Duplicate and Broadcast Accounting

Normally, the JunosE Software sends subscriber-related AAA accounting information to the virtual router that authenticates the subscriber. If an operational virtual router is configured that is different from the authentication router, it also receives the accounting information. You can optionally configure duplicate or broadcast AAA accounting, which sends the accounting information to additional virtual routers simultaneously. The accounting information continues to be sent to the authenticating virtual router, but not to the operational virtual router.

Both the duplicate and broadcast accounting features are supported on a per-virtual router context, and enable you to specify particular accounting servers that you want to receive the accounting information.

For example, you might use broadcast accounting to send accounting information to a group of your private accounting servers. Or you might use duplicate accounting to send the accounting information to a customer’s accounting server.

Duplicate accounting—Sends the accounting information to a particular virtual router
Broadcast accounting—Sends the accounting information to a group of virtual routers. An accounting virtual router group can contain up to four virtual routers and the E Series router supports a maximum of 100 virtual router groups. The accounting information continues to be sent to the duplicate accounting virtual router, if one is configured.

Configuring AAA Duplicate Accounting

To configure and enable duplicate accounting on a virtual router, you use the aaa accounting duplication command with the name of the accounting server that will receive the information. For example, to enable duplicate accounting for the default virtual router:

host1(config)#aaa accounting duplication xyzCompanyServer

Configuring AAA Broadcast Accounting

To configure and enable broadcast accounting on a virtual router:

Create the virtual router group and enter VR Group Configuration mode:
host1(config)#aaa accounting vr-group groupXyzCompany host1(vr-group-config)#
Add up to four virtual routers to the group. The accounting information will be sent to all virtual routers in the group.
host1(vr-group-config)#aaa virtual-router 1 vrXyz1 host1(vr-group-config)#aaa virtual-router 2 vrXyz2 host1(vr-group-config)#aaa virtual-router 3 vrXyz3 host1(vr-group-config)#exit host1(config)#
Enable broadcast accounting. Enter the correct virtual router context, and specify the virtual router group whose virtual routers will receive the accounting information.
host1(config)#virtual-router opVr100 host1:opVr100(config)#aaa accounting broadcast groupXyzCompany

Overriding AAA Accounting NAS Information

AAA accounting packets normally include two RADIUS attributes—NAS-IP-Address [4] and NAS-Identifier [32]—of the virtual router that generates the accounting information. You can override the default configuration and specify that accounting packets from particular broadcast virtual routers instead include the NAS-IP-Address and NAS-Identifier attributes of the authenticating virtual router.

To override the normal AAA accounting NAS information, access the correct virtual router context, and use the radius override nas-info command. For example:

host1(config)#virtual-router vrXyz1 host1:vrXyz1(config)#radius override nas-info host1:vrXyz1(config)#virtual-router vrXyz2 host1:vrXyz2(config)#radius override nas-info host1:vrXyz3(config)#exit host1(config)#

UDP Checksums

Each virtual router on which you configure B-RAS is enabled to perform UDP checksums by default. You can disable and reenable UDP checksums.

Collecting Accounting Statistics

You can use the aaa accounting statistics command to specify how the AAA server collects statistics on the sessions it manages. Use the volume-time keyword to specify that AAA notifies applications to collect a full set of statistics from each of their connections. Use the time keyword to specify that only the uptime status is collected for each connection. Collecting only uptime information reduces the amount of data sent to AAA and is a more efficient use of system resources for customers that do not need a full set of statistics. The router collects a full set of statistics by default.

Configuring RADIUS AAA Servers

The number of RADIUS servers you cansure configure depends on available memory. The router has an embedded RADIUS client for authentication and accounting.

Note: You can configure B-RAS with RADIUS accounting, but without RADIUS authentication. In this configuration, the username and password on the remote end are not authenticated and can be set to any value.

You must assign an IP address to a RADIUS authentication or accounting server to configure it.

If you do not configure a primary authentication or accounting server, all authentication and accounting requests will fail. You can configure other servers as backup in the event that the primary server cannot be reached. Configure each server individually.

To configure an authentication or accounting RADIUS server:

Specify the authentication or accounting server address.
host1(config)#radius authentication server 10.10.10.1 host1(config-radius)#orhost1(config)#radius accounting server 10.10.10.6 host1(config-radius)#
(Optional) Specify a UDP port for RADIUS authentication or accounting server requests.
host1(config-radius)#udp-port 1645
Specify an authentication or accounting server secret.
host1(config-radius)#key gismo
(Optional) Specify the number of retries the router makes to an authentication or accounting server before it attempts to contact another server.
host1(config-radius)#retransmit 2
(Optional) Specify the number of seconds between retries.
host1(config-radius)#timeout 5
(Optional) Specify the maximum number of outstanding requests.
host1(config-radius)#max-sessions 100
(Optional) Specify the amount of time to remove a server from the available list when a timeout occurs.
host1(config-radius)#deadtime 10
(Optional) In Global Configuration mode, specify whether the E Series router should move on to the next RADIUS server when the router receives an Access-Reject message for the user it is authenticating.
host1(config)#radius rollover-on-reject enable
(Optional) Enable duplicate address checking.
host1(config)aaa duplicate-address-check enable
(Optional) Specify that duplicate accounting records be sent to the accounting server for a virtual router.
host1(config)#aaa accounting duplication routerBoston
(Optional) Enter the correct virtual router context, and specify the virtual router group to which broadcast accounting records are sent.
host1(config)#virtual-router vrSouth25 host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38 host1:vrSouth25(config)#exit
(Optional) Specify that immediate accounting updates be sent to the accounting server when a response is received to an Acct-Start message.
host1(config)#aaa accounting immediate-update
(Optional) Specify whether the router collects all statistics or only the uptime status.
host1(config)#aaa accounting time
(Optional) Specify that tunnel accounting be enabled or disabled.
host1(config)#radius tunnel-accounting enable
(Optional) Specify the default authentication and accounting methods for the subscribers.
host1(config)#aaa authentication ppp default radius none
(Optional) Disable UDP checksums on virtual routers you configure for B-RAS.
host1:(config)#virtual router boston host1:boston(config)#radius udp-checksum disable

aaa accounting broadcast

Use to enable AAA broadcast accounting on a virtual router. Specifies that accounting records be sent to the accounting servers on the virtual routers in the named virtual router group.
A virtual router group can be used in any virtual router context, not just the context in which it is created.
Example
host1(config)#virtual-router vrSouth25 host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38 host1:vrSouth25(config)#exit
Use the no version to disable the AAA broadcast accounting.
See aaa accounting broadcast

aaa accounting default

Use to specify the accounting method used for a particular type of subscriber.

Specify one of the following types of subscribers:

atm1483; this keyword is not supported
tunnel
ppp
radius-relay
ipsec

ip (IP subscriber management interfaces)

Note: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JunosE Software’s subscriber management feature.

Although the atm1483 keyword is available in the CLI for this command, that subscriber type is not supported. The router does not support accounting for ATM 1483 subscribers.

Specify one of the following types of accounting methods:
- radius—RADIUS accounting for the specified subscribers.
- none—No accounting is done for the specified subscribers.
- radius none—Multiple types of accounting; used in the order specified. For example, radius none specifies that RADIUS accounting is initially used; however, if RADIUS servers are not available, no accounting is done.
Example
host1(config)#aaa accounting ppp default radius
Use the no version to set the accounting protocol to the default, radius.
See aaa accounting default

aaa accounting duplication

Use to enable AAA duplicate accounting on a virtual router. Specifies that duplicate accounting records be sent to the accounting server on another virtual router.
Example
host1(config)#aaa accounting duplication routerBoston
Use the no version to disable the feature.
See aaa accounting duplication

aaa accounting immediate-update

Use to send an accounting update to the accounting server immediately on receipt of a response for an Acct-Start message.
Use the enable keyword to enable immediate updates. Use the disable keyword to disable immediate updates. Immediate updates are disabled by default.
Example
host1(config)#aaa accounting immediate-update enable
Use the no version to restore the default condition, disabling immediate updates.
See aaa accounting immediate-update

aaa accounting interval

Use to specify the default interval between updates for user and service interim accounting.

Note: This command is deprecated and might be removed completely in a future release. Use the aaa user accounting interval command to specify the default interval for user accounting. Use the aaa service accounting interval command to specify the default interim accounting interval used for services created by the Service Manager application. See Configuring Service Manager.

Select an interval in the range 10–1440 minutes. The default is 0, which means that the feature is disabled.
Example
host1(config)#aaa accounting interval 60
Use the no version to turn off interim accounting for both users and services.
See aaa accounting interval

aaa accounting statistics

Use to specify how the AAA server collects statistics on the sessions it manages.
Use the volume-time keyword to collect all statistics for the sessions.
Use the time keyword to collect only the uptime status of the sessions. Collecting only uptime information is more efficient because less data is sent to AAA.
Example
host1(config)#aaa accounting statistics time
Use the no version to restore the default, in which all statistics are collected.
See aaa accounting statistics

aaa accounting vr-group

Use to create an accounting virtual router group and enter VR Group Configuration mode. Virtual routing groups are used for AAA broadcast accounting.
A virtual router group can have up to four virtual routers. The accounting servers of the virtual routers in the group receive broadcast accounting records that are forwarded to the group.
The E Series router supports a maximum of 100 virtual router groups.
When creating a virtual router group, you must add at least one virtual router to the group; otherwise, the group is not created.
A virtual router group can be used in any virtual router context, not just the context in which it is created.
Example
host1(config)#aaa accounting vr-group westVrGroup38 host1(config-vr-group)#
Use the no version to delete the accounting virtual router group.
See aaa accounting vr-group

aaa authentication default

Use to specify the authentication method used for a particular type of subscriber.
Specify one of the following types of subscribers:
- atm1483
- tunnel
- ppp
- radius-relay
- ipsec
- ip (IP subscriber management interfaces)
  Note: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JunosE Software’s subscriber management feature.
Specify one of the following types of accounting methods:
- radius—RADIUS authentication for the specified subscribers.
- none—Grants the specified subscribers access without authentication.
- radius none—Multiple types of authentication; used in the order specified. For example, radius none specifies that RADIUS authentication is initially used; however, if RADIUS servers are not available, users are granted access without authentication.
Example
host1(config)#aaa authentication ip default radius
Use the no version to set the authentication protocol to the default, radius.
See aaa authentication default

aaa duplicate-address-check

Use to enable or disable routing table address lookup or duplicate address check.
By default, this command is enabled.
The router checks the routing table for returned addresses for PPP users. If the address existed, then the user was denied access.
You can disable this routing table address lookup or duplicate address check with the aaa duplicate-address-check command.
Example
host1(config)#aaa duplicate-address-check enable
There is no no version.
See aaa duplicate-address-check

aaa user accounting interval

Use to specify the default interval between user accounting updates. The router uses the default interval when no value is specified in the RADIUS Acct-Interim-Interval attribute (RADIUS attribute 85).
This command and the aaa service accounting interval command replace the aaa accounting interval command, which is deprecated and might be removed in a future release. For information about setting the default interim accounting interval for services, see Configuring Service Manager.
The default interval is applied on a virtual router basis—this setting is used for all users who attach to the corresponding virtual router.
Specify the user accounting interval in the range 10–1440 minutes. The default setting is 0, which disables the feature.
Example
host1(config)#aaa user accounting interval 20
Use the no version to reset the accounting interval to 0, which turns off interim user accounting when no value is specified in the RADIUS Acct-Interim-Interval attribute.
See aaa user accounting interval

aaa virtual-router

Use to add virtual routers to a virtual router group. During AAA broadcast accounting, accounting records are sent to the accounting servers on the virtual routers in the named virtual router group.
You can add up to four virtual routers to a virtual router group. Use the indexInteger parameter to specify the order (1–4) in which the virtual routers receive the accounting information. The indexInteger is used with the no version to delete a specific virtual router from a group (see Example 2).
A virtual router name consists of 1–32 alphanumeric characters.
The virtual router names in the group must be unique. An error message appears if you enter a duplicate name.
Example 1
host1(config)#aaa accounting vr-group westVrGroup38 host1(config-vr-group)#aaa virtual-router 1 vrWestA host1(config-vr-group)#aaa virtual-router 2 vrWestB host1(config-vr-group)#aaa virtual-router 4 vrSouth1
Example 2
host1(config-vr-group)#no aaa virtual-router 2
Use the no version of the command with the indexInteger parameter to delete a specific virtual router from a group. If all virtual routers in a group are deleted, the group is also deleted; a group must contain at least one virtual router.
See aaa virtual-router

deadtime

Use to configure the amount of time (0–1440 minutes) that a server is marked as unavailable if a request times out for the configured retry count.
If a server fails to answer a request, the router marks it unavailable. The router does not send requests to the server until the router receives a response from the server or until the configured time is reached, whichever occurs first.
If all servers fail to answer a request, then instead of marking all servers as unavailable, all servers are marked as available.
To turn off the deadtime mechanism, specify a value of 0.
Example
host1(config)#radius authentication server 10.10.0.1 host1(config-radius)#deadtime 10
Use the no version to set the time to the default value, 0
See deadtime

key

Use to configure secrets on the primary, secondary, and tertiary authentication servers.
The authentication or accounting server secret is a text string used by RADIUS to encrypt the client and server authenticator field during exchanges between the router and a RADIUS authentication server. The router encrypts PPP PAP passwords using this text string.
The default is no server secret.
Example
host1(config)#radius authentication server 10.10.8.1 host1(config-radius)#key gismo
Use the no version to remove the secret.
Note: Authentication fails if no key is specified for the authentication server.
See key

logout subscribers

Use to issue an administrative reset to the user’s connection to disconnect the user.
From Privileged Exec mode, you can log out all subscribers, or log out subscribers by username, domain, virtual-router, port, or icr-partition.
This command applies to PPP users, as well as to non-PPP DHCP users.
Example
host1#logout subscribers username bmurphy
There is no no version.
See logout subscribers

max-sessions

Use to configure the number of outstanding requests supported by an authentication or accounting server.
If the request limit is reached, the router sends the request to the next server.
Note: For information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers, see JunosE Release Notes, Appendix A, System Maximums.
The same IP address can be used for both an authentication and accounting server (but not for multiple servers of the same type). The router uses different UDP ports for authentication servers and accounting servers.
For each multiple of 255 requests (the RADIUS protocol limit), the router opens a new UDP source (or local) port on the server to send and receive RADIUS requests and responses.
Example
host1(config)#radius authentication server 10.10.0.1 host1(config-radius)#max-sessions 100
Use the no version to restore the default value, 255.
See max-sessions.

no radius client

Use to remove all RADIUS servers for the virtual router context and to delete the E Series RADIUS client for the virtual router context.
Example
host1:boston(config)#no radius client
There is no affirmative version of this command; there is only a no version.
See no radius client

radius accounting server

Use to specify the IP address of authentication and accounting servers.
Example
host1(config)#radius authentication server 10.10.10.1 host1(config-radius)exit host1(config)#radius authentication server 10.10.10.2 host1(config-radius)exit host1(config)#radius authentication server 10.10.10.3 host1(config-radius)exit host1(config)#radius accounting server 10.10.10.20 host1(config-radius)exit host1(config)#radius accounting server 10.10.10.30
Use the no version to delete the instance of the RADIUS server.
See radius accounting server

radius algorithm

Use to specify the algorithm—either direct or round-robin—that the E Series RADIUS client uses to contact the RADIUS server.
The algorithm that you choose impacts the display status of a RADIUS server. For information on the effect of the algorithm configuration on the display of the show radius servers command, see Monitoring RADIUS Server Information.
Example
host1(config)#radius algorithm round-robin
Use the no version to set the algorithm to the default, direct.
See radius algorithm

radius override nas-info

Use to configure the RADIUS client to include the NAS-IP-Address [4] and NAS-Identifier [32] RADIUS attributes of the authenticating virtual router in accounting packets when the client performs AAA broadcast accounting. Normally, the accounting packets include the NAS-IP-Address and NAS-Identifier of the virtual router that generated the accounting information.
This override operation is a per-virtual router specification; use this command in the correct virtual router context.
This command is ignored if the authenticating virtual router does not have a configured RADIUS server.
Example
host1(config)#virtual-router vrXyz1 host1:vrXyz1(config)#radius override nas-info host1:vrXyz1(config)#exit
Use the no version to restore inclusion of the NAS-IP-Address [4] and NAS-Identifier [32] RADIUS attributes of the virtual router that requested the accounting information.
See radius override nas-info

radius rollover-on-reject

Use to specify whether the router rolls over to the next RADIUS server when the router receives an Access-Reject message for the user it is authenticating.
Example
host1(config)#radius rollover-on-reject enable
Use the no version to set the default of disable.
See radius rollover-on-reject

radius tunnel-accounting

Use to specify that tunnel accounting be enabled or disabled.
This command turns on accounting messages: Tunnel-Start, Tunnel-Stop, Tunnel-Reject, Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject, as described in RFC 2867.
Your router supports tunnel accounting for the L2TP LAC and LNS.
Example
host1(config)#radius tunnel-accounting enable
Use the no version to set the default, disabled.
See radius tunnel-accounting

radius udp-checksum

Use to disable UDP checksums on virtual routers you configure for B-RAS.
Issue this command in the context of the appropriate virtual router.
Example
host1(config)#virtual router boston host1:boston(config)#radius udp-checksum disable
Use the no version to reenable UDP checksums on virtual routers you configure for B-RAS.
See radius udp-checksum

radius update-source-addr

Use to specify an alternate source IP address for the router to use rather than the default router ID.
Example
host1(config)#radius update-source-addr 192.168.40.23
Use the no version to delete the parameter so that the router uses the router ID.
See radius update-source-addr

retransmit

Use to set the maximum number of times (0–100) that the router retransmits a RADIUS packet to an authentication or accounting server.
If there is no response from the primary RADIUS authentication or accounting server in the specified number of retries, the client sends the request to the secondary server. If there is no response from the secondary server, the router sends the request to the tertiary server, and so on.
Example
host1(config)#radius authentication server 10.10.8.1 host1(config-radius)#retransmit 2
Use the no version to set the value to the default, 3 retransmits.
See retransmit

test aaa

Use to verify RADIUS authentication and accounting and IP address assignment setup.
You must specify either a PPP or Multilink PPP (MLPPP) user. PPP indicates a regular PPP user. MLPPP simulates Multilink PPP so that if multiple test commands are issued, all test users are bound by the same address.
The command uses a username and password and attempts to authenticate a user, get an address assignment, and issue a start accounting request.
Optionally, you can specify the virtual router context in which to authenticate the user.
The command pauses for several seconds, then terminates the session by issuing a stop accounting request and an address release.
Example
host1#test aaa ppp jsmith mypassword virtual-router charlie2
Note: Specifying the password to associate with the username is optional. Specifying a virtual router is optional.
There is no no version.
See test aaa

timeout

Use to set the number of seconds (1–1000) before the router retransmits a RADIUS packet to an authentication or accounting server.

If the interval is reached and there is no response from the primary RADIUS authentication or accounting server, the router attempts another retry. When the retry limit is reached, the client sends the request to the secondary server. When the retry limit for the secondary server is reached, the router attempts to reach the tertiary server, and so on.

Note: After the fourth retransmission, the configured timeout value is ignored, and the router uses a backoff algorithm that increases the timeout between each succeeding transmission. The router used the backoff algorithm only for subscriber AAA accounting messages except for Acct-On messages.

The backoff algorithm is:

Example
host1(config)#radius authentication server 10.10.0.1 host1(config-radius)#timeout 5

Use the no version to restore the default value, 3 seconds.

Note: When a RADIUS server times out or when it has no available RADIUS identifier values, the router removes the RADIUS server from the list of available servers for a period of time. The router restores all configured servers to the list if it is about to remove the last server. Restoring the servers avoids having an empty server list.

See timeout

udp-port

Use to configure the UDP port on the router where the RADIUS authentication, accounting, preauthentication, and route-download servers reside. The router uses this port to communicate with the RADIUS authentication servers.
Specify a port number in the range 0–65536. For authentication, preauthentication, or route-download servers, the default UDP port is 1812. For accounting servers, the default is 1813.
For an accounting server, specify a port number in the range 0–65536. The default is 1813.
Example
host1(config)#radius authentication server 10.10.9.1 host1(config-radius)#udp-port 1645
Use the no version to set the port number to the default value.
See udp-port

SNMP Traps and System Log Messages

The router can send Simple Network Management Protocol (SNMP) traps to alert network managers when:

A RADIUS server fails to respond to a request.
A RADIUS server that previously failed to respond to a request (and was consequently removed from the list of active servers) returns to active service.
Returning to active service means that the E Series RADIUS client receives a valid response to an outstanding RADIUS request after the server is marked unavailable.
All RADIUS servers within a VR context fail to respond to a request.

The router also generates system log messages when RADIUS servers fail to respond or when they return to active service; no configuration is required for system log messages.

SNMP Traps

The router generates SNMP traps and system log messages as follows:

If the first RADIUS server fails to respond to the RADIUS request, the E Series RADIUS client issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server timed out. The E Series RADIUS client will not issue another system log message or SNMP trap regarding this RADIUS server until the deadtime expires, if configured, or for 3 minutes if deadtime is not configured.
The E Series RADIUS client then sends the RADIUS request to the second configured RADIUS server. If the second RADIUS server fails to respond to the RADIUS request, the E Series RADIUS client again issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server timed out.
This process continues until either the E Series RADIUS client receives a valid response from a RADIUS server or the list of configured RADIUS servers is exhausted. If the list of RADIUS servers is exhausted, the E Series RADIUS client issues a system log message and, if configured, an SNMP trap indicating that all RADIUS servers have timed out.

If the E Series RADIUS client receives a RADIUS response from a “dead” RADIUS server during the deadtime period, the RADIUS server is restored to active status.

If the router receives a valid RADIUS response to an outstanding RADIUS request, the E Series client issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server is now available.

System Log Messages

You do not need to configure system log messages. The router automatically sends them when individual servers do not respond to RADIUS requests and when all servers on a VR fail to respond to requests. The following are the formats of the warning level system log messages:

RADIUS [ authentication | accounting ] server serverAddress unavailable in VR virtualRouterName [; trying nextServerAddress]RADIUS no [ authentication | accounting ] servers responding in VR virtualRouterName RADIUS [ authentication | accounting ] server serverAddress available in VR virtualRouterName

Configuring SNMP Traps

This section describes how to configure the router to send traps to SNMP when RADIUS servers fail to respond to messages, and how to configure SNMP to receive the traps.

To set up the router to send traps:

(Optional) Enable SNMP traps when a particular RADIUS authentication server fails to respond to Access-Request messages.
host1(config)#radius trap auth-server-not-responding enable
(Optional) Enable SNMP traps when all of the configured RADIUS authentication servers on a VR fail to respond to Access-Request messages.
host1(config)#radius trap no-auth-server-responding enable
(Optional) Enable SNMP traps when a RADIUS authentication server returns to active service.
host1(config)#radius trap auth-server-responding enable
(Optional) Enable SNMP traps when a RADIUS accounting server fails to respond to a RADIUS accounting request.
host1(config)#radius trap acct-server-not-responding enable
(Optional) Enable SNMP traps when all of the RADIUS accounting servers on a VR fail to respond to a RADIUS accounting request.
host1(config)#radius trap no-acct-server-responding enable
(Optional) Enable SNMP traps when a RADIUS accounting server returns to active service.
host1(config)#radius trap acct-server-responding enable

To set up SNMP to receive RADIUS traps:

Set up the appropriate SNMP community strings.
host1(config)#snmp-server community admin view everything rw host1(config)#snmp-server community private view user rw host1(config)#snmp-server community public view everything ro
Specify the interface whose IP address is the source address for SNMP traps.
host1(config)#snmp-server trap-source fastEthernet 0/0
Configure the host that should receive the SNMP traps.
host1(config)#snmp-server host 10.10.132.93 version 2c 3 udp-port 162 radius
Enable the SNMP router agent to receive and forward RADIUS traps.
host1(config)#snmp-server enable traps radius
Enable the SNMP on the router.
host1(config)#snmp-server
Note: For more information about these SNMP commands, see JunosE System Basics Configuration Guide.

radius trap acct-server-not-responding

Use to enable or disable SNMP traps when a particular RADIUS accounting server fails to respond to a RADIUS accounting request.
The associated SNMP object is rsRadiusClientTrapOnAcctServerUnavailable.
Example
host1(config)#radius trap acct-server-not-responding enable
Use the no version to return to the default setting, disable.
See radius trap acct-server-not-responding

radius trap acct-server-responding

Use to enable or disable SNMP traps when a RADIUS accounting server returns to service after being marked as unavailable.
The associated SNMP object is rsRadiusClientTrapOnAcctServerAvailable.
This command affects only the current VR context.
Example
host1(config)#radius trap acct-server-responding enable
Use the no version to restore the default, disable.
See radius trap acct-server-responding

radius trap auth-server-not-responding

Use to enable or disable SNMP traps when a RADIUS authentication server fails to respond to a RADIUS Access-Request message.
The associated SNMP object is rsRadiusClientTrapOnAuthServerUnavailable.
Example
host1(config)#radius trap auth-server-not-responding enable
Use the no version to return to the default setting, disabled.
See radius trap auth-server-not-responding

radius trap auth-server-responding

Use to enable RADIUS to send SNMP traps when a RADIUS authentication server returns to service after being marked as unavailable.
The associated SNMP object is rsRadiusClientTrapOnAuthServerAvailable.
This command affects only the current VR context.
Example
host1(config)#radius trap auth-server-responding enable
Use the no version to restore the default setting, disabled.
See radius trap auth-server-responding

radius trap no-acct-server-responding

Use to enable or disable SNMP traps when all of the configured RADIUS accounting servers per VR fail to respond to a RADIUS accounting request.
The associated SNMP object is rsRadiusClientTrapOnNoAcctServerAvailable.
Example
host1(config)#radius trap no-acct-server-responding enable
Use the no version to return to the default setting, disabled.
See radius trap no-acct-server-responding

radius trap no-auth-server-responding

Use to enable or disable SNMP traps when all of the configured RADIUS authentication servers per VR fail to respond to a RADIUS Access-Request message.
The associated SNMP object is rsRadiusClientTrapOnNoAuthServerAvailable.
Example
host1(config)#radius trap no-auth-server-responding enable
Use the no version to return to the default setting, disabled.
See radius trap no-auth-server-responding