Technical Documentation
New
Configuring Router to Mirror Users Already Logged In
When a mirroring operation is initiated for a user who is already logged in (RADIUS-initiated mirroring), the RADIUS server uses change-of-authorization messages and passes the required RADIUS attributes and the identifier of the currently running session to the E Series router. The router uses this information to create the secure policy and attaches it to the interface that is created for the user. The E Series router must be configured to accept change-of-authorization messages from the RADIUS server.
- Specify the RADIUS dynamic-request server that sends change-of-authorization
messages to the router, and enter RADIUS configuration mode.host1(config)#radius dynamic-request server 192.168.11.0
- Specify the UDP port used to communicate with the RADIUS
server.host1(config-radius)#udp-port 3799
- Create the key used to communicate with the RADIUS server.host1(config-radius)#key mysecret
- Configure the router to receive change-of-authorization
messages from the RADIUS server. host1(config-radius)#authorization change host1(config-radius)#exit host1(config)#exit
- Verify your RADIUS-initiated mirroring configuration.
host1#show radius dynamic-request servers
RADIUS Request Configuration ---------------------------- Change Udp Of IP Address Port Disconnect Authorization Secret ------------- ---- ---------- ------------- ------ 10.10.3.4 3799 enabled enabled mysecret - Configure the analyzer interface to send the mirrored
traffic to the analyzer device. host1(config)#interface fastEthernet 4/0 host1(config-if)#ip analyzer
Alternatively, for increased security, create the analyzer interface at one end of an IPSec tunnel to the analyzer device.
host1(config)# interface tunnel ipsec:mirror3 transport-virtual-router default host1(config-if)#ip analyzer host1(config-if)#exit host1(config)#ip route 192.168.99.2 255.255.255.255 tunnel ipsec:mirror3
Published: 2012-06-21
Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.
