Interaction with RADIUS for ICR

Authorization and authentication access messages identify subscribers before the RADIUS server grants or denies those subscribers access to the network or network services. When an application requests user authentication, the request must have certain authenticating attributes, such as a user’s name, password, and the particular type of service the user is requesting. This information is sent in the authentication request via the RADIUS protocol to the RADIUS server. In response, the RADIUS server grants or denies the request.

JunosE Software supports certain RADIUS vendor-specific attributes (VSAs) that define specific authentication, authorization, and accounting elements in a user’s profile. The profile is stored on the RADIUS server. RADIUS messages contain RADIUS attributes to communicate information between an E Series Broadband Services Router and the RADIUS server. For complete information on VSAs, see Configuring RADIUS Attributes in the JunosE Broadband Access Configuration Guide. JunosE Software Release 10.3.x and later supports the ICR-Partition-Id VSA [26-150]. You can use this VSA to collect information on the ICR partition configured on the VLAN or S-VLAN subinterface on which subscribers are logged in.

You can include an ICR-Partition-Id vendor-specific attribute (VSA) in the following RADIUS messages:

• Access-Request
• Acct-Start
• Acct-Stop
• Interim-Acct (if Acct-Stop messages are specified)
• Partition-Accounting-On
• Partition-Accounting-Off

Note: For more information about the ICR partition accounting messages, see the Configuring RADIUS Attributes chapter in the JunosE Broadband Access Configuration Guide.

Determining the ICR partition is useful for accounting and authentication of subscribers in RADIUS messages.

Use the ICR-Partition-Id VSA to determine the ICR partition on which subscribers are logged in. You can configure the same ICR-Partition-Id string for an active ICR partition and its corresponding backup partition.

To configure inclusion of ICR-Partition-Id in RADIUS Access-Request, Acct-Start, and Acct-Stop messages, you can use the ICR-Partition-Id attribute in the radius include command. When included in Acct-Stop messages, the attributes are also included in Interim-Acct messages.

In addition to including the ICR-Partition-Id VSA in RADIUS Access-Request, Acct-Start, Acct-Stop, and Interim-Acct messages, the router also sends the Partition-Accounting-On and Partition-Accounting-Off messages:

Both Partition-Accounting messages include the ICR-Partition-Id VSA. Also, both these messages are sent to the RADIUS accounting server configured on the virtual router where the ICR partition is configured or the virtual router on which the corresponding ICR interface is configured.

You can optionally configure duplicate or broadcast AAA accounting on a virtual router, which sends the accounting information to additional virtual router simultaneously, so that the Partition-Accounting-On and Partition-Accounting-Off messages can also be sent to the duplicate and broadcast virtual routers.

ICR Partition Accounting Overview

To enable or disable sending of the ICR Partition-Accounting-On or Partition-Accounting-Off messages to the RADIUS servers, you can now use the radius icr-partition-accounting command.

The transition of the ICR partition states from master to backup and backup to master can occur because of chassis failure, an administrative switchover, or an interface or line module reset action. The following scenarios describe how ICR partition accounting messages are processed and subscriber logging is handled:

• In the event of a complete chassis failure, RADIUS cannot interact with the failing B-RAS application on the router. In such a scenario, when the new master partition takes over, the Partition-Accounting-On message is sent from the new master. After the response for the Partition-Accounting-On message is received from the new master partition, subscribers are allowed to log in to the master. When you remove certain VLAN or S-VLAN IDs from an ICR partition, the corresponding subscribers in that partition are removed and forced to log out from the chassis. This action causes the Acct-Stop messages to be sent to RADIUS.
• If ICR partition accounting is enabled and an administrative switchover forces subscribers in a particular ICR partition to be logged out, the Partition-Accounting-Off message is sent from the failing B-RAS application on the router only after Acct-Stop responses are received for all the logged out subscribers.
• If ICR partition accounting is enabled, and the interface or the line module that is configured with the ICR partition fails, the Partition-Accounting-Off message is sent from the failing B-RAS application on the router after Acct-Stop responses are received for all the logged out subscribers in that partition.