A
- access lines 1
- accesses
- configuring subscriptions
- accounting
- anonymous subscriber
- attributes
- authenticated subscriber
- authentication plug-ins
- authorization plug-ins
B
C
- captive portal
- classification scripts
- conditions 1
- configuring
- descriptions
- DHCP classification, C Series Controller
- interface classification, C Series Controller
- structure
- subscriber classification, C Series Controller
- target, C Series Controller
- component interactions
- conventions
- COPS (Common Open Policy Service)
- custom RADIUS accounting plug-ins 1
- configuring
- custom RADIUS authentication plug-ins 1
- configuring
- customer support 1
D
- default retailer authentication plug-ins
- configuring
- default retailer DHCP authentication plug-ins
- configuring
- denial-of-service attacks
- DHCP (Dynamic Host Configuration Protocol)
- address assignment
- classification scripts. See classification scripts
- options
- profiles
- subscribers
- documentation
E
- enterprise
- enterprise subscribers 1
- adding
- enterprise subscribers, login process
- event publishers
- configuring
- default retailer authentication, configuring
- default retailer DHCP authentication, configuring
- description
- retailer-specific
- service-specific
- virtual router-specific
- external plug-ins
- configuring
F
- file upload settings for log rotation
- configuring
- flat file accounting plug-ins 1
- flexible RADIUS accounting plug-ins 1
- attributes, defining
- configuring
- RADIUS packets, defining
- flexible RADIUS authentication plug-ins 1
- attributes, defining
- configuring
- RADIUS packets, defining
- setting responses
- FTP server for log rotation
G
- general properties
- configuring
H
- HTTP proxy 1, 2
- HTTPS traffic
I
- interface classification scripts. See classification scripts
- interim accounting, configuring on SAE
- internal plug-ins
- configuring
L
- LDAP authentication plug-in 1
- configuring
- limiting subscribers plug-in 1
- configuring
- log rotation
- overview
- logging
- login events, description
- login process
- login registration
- configuring
- logout process, residential
M
- managers
- manuals
N
- NAT (Network Address Translation)
- notice icons
P
- plug-ins
- activating service sessions
- authentication
- authorization
- basic RADIUS accounting 1
- basic RADIUS authentication 1
- creating subscriber sessions
- custom RADIUS accounting 1
- custom RADIUS authentication 1
- defining RADIUS packets
- DHCP address assignment
- event publishers. See event publishers
- external
- flat file accounting 1
- flexible RADIUS accounting 1
- flexible RADIUS authentication 1
- internal 1
- LDAP authentication 1
- limiting subscribers 1
- state synchronization
- tracking
- policy groups
- policy management
- PPP subscribers
- prevention, use of unauthorized resources
- protocols
- proxy HTTP 1, 2
- proxy request management
- public addresses, VPNs
Q
R
- RADIUS accounting
- RADIUS attributes
- defining in RADIUS plug-ins
- examples, defining in RADIUS plug-ins
- RADIUS client library, custom RADIUS plug-ins
- RADIUS packets, customizing in plug-ins
- RADIUS peers
- configuring in plug-ins
- RADIUS plug-ins 1, See also plug-ins
- redirect server
- assessing load
- configuration statements
- configuring
- configuring DNS server for
- configuring HTTP proxy support
- configuring redundant
- directory connection
- failover
- file extensions
- logging
- number of requests
- protection against denial-of-service attacks
- redundancy 1, 2, 3
- static route to router
- traffic definition
- verifying
- redundancy
- residential subscribers 1
- adding
- login process. See login process
- retailers
- subscribers 1
- router subscribers 1
- adding
- routing instances
- routing scheme
S
- SAE (service activation engine)
- classification scripts. See classification scripts
- login events
- login process. See login process
- SAE (service activation engine), configuring
- service activation engine. See SAE
- service sessions
- sites 1, 2, 3
- subscriber 1
- state synchronization plug-in interface
- configuring
- static IP subscribers, login process
- static routing
- subscriber classification scripts. See classification scripts
- subscriber folders 1
- adding
- subscriber sessions
- subscribers
- 3gpp attributes (Gx router driver)
- adding
- enterprise 1
- inheriting properties
- inheriting subscriptions
- residential 1
- retailer 1
- router 1
- sessions
- sites 1
- types
- subscriptions 1
- access, configuring
- an orderly deactivation, activation order, specifying
- configuring
- multiple per subscriber
- support, technical See technical support
T
- targets. See classification scripts
- technical support
- text conventions defined
- tracking plug-ins 1
- configuring
U
- UDP ports
- User Datagram Protocol. See UDP
V
- validating
- virtual private networks. See VPNs
- VPNs (virtual private networks)
- adding
- configuration requirements
- configuration statements
- extranet clients, modifying
- invalid subscriptions
- modifying
- routing schemes
- using NAT
- validating
Download This Guide
Related Documentation
- Configuring Classification Scripts Overview
- Classifying Interfaces (SRC CLI)
- Classifying Interfaces (C-Web Interface)
- Classifying Subscribers (SRC CLI)
- Classifying Subscribers (C-Web Interface)
- Classifying DHCP Subscribers (SRC CLI)
- Classifying DHCP Subscribers (C-Web Interface)
Classification Scripts Overview
The service activation engine (SAE) uses classification scripts to determine whether it manages router interfaces, to select default policies, to find subscriber profiles, and to choose Dynamic Host Configuration Protocol (DHCP) profiles. The SAE has three classification scripts:
- Interface classification script—When a subscriber’s
IP interface comes up on the router, the router sends the subscriber’s
login and interface information to the SAE.
The SAE runs the interface classification script to determine whether the SAE:
- Manages the interface and if so, what default policies to send to the router
- Does not manage the interface, but supports subscriber sessions on JunosE routers for services that use policies managed through an external policy management system
- Subscriber classification script—If the SAE is managing the interface, the SAE uses the login and interface information that the router sends to run the subscriber classification script to determine which subscriber profile to load into memory. The SAE runs subscriber classification scripts regardless of whether the interface is being managed or not for the devices other than JunosE.
- DHCP classification script—For DHCP subscribers, the SAE runs DHCP classification scripts to choose DHCP profiles.
How Classification Scripts Work
Classification scripts consist of targets and conditions.
- A target is the result of the classification script. For example, the result of subscriber classification scripts is an LDAP search string that is used to find a unique subscriber profile. The result of interface classification scripts is a policy group.
- Conditions are match criteria. The script attempts to match conditions in the script with information sent from the router. For example, match conditions for a subscriber classification script might be login type or domain name. Match conditions for an interface classification script could be interface IP address or interface description.
Each script can have multiple targets, and each target can have multiple conditions. When an object needs classification, the script processes the targets in turn. Within each target, the script processes conditions sequentially. When it finds that the classification conditions for a target match, it returns the target to the SAE. If the script does not find any targets that can be matched, the classifier engine returns a no-match message to the SAE.
Because classification scripts examine conditions sequentially as the conditions appear in the script, you should put more specific conditions at the beginning of the script and less specific conditions at the end of the script.
Interface Classification Scripts
When a subscriber’s IP interface comes up on the router, the router sends the subscriber’s login and interface information to the SAE. For example, the router might send the following information:
The SAE invokes the interface classification script and provides to the script the information that it received from the router. The script engine matches the information sent from the router to the conditions in the interface classification script. The script examines each condition in sequential order to find a match.
- If it finds a match, the script processing stops, and
the target for that condition is returned to the SAE. The target is
the path of a policy group.
This policy group is one of the following:
- The default policy. In this case, the SAE installs the policy on the interface and begins managing the interface.
- An empty policy. In this case, the SAE allows subscriber session to start and manages services for the subscriber on routers that run JunosE software. The policies are managed by an external policy management system.
- If it does not find a match, the script sends a no-match message to the SAE. For JunosE routers, the SAE does not manage the interface (that is, the policies installed through RADIUS or the CLI remain in effect), does not install policies, and does not attempt to log in subscribers. For the other types of devices, the SAE attempts to log in subscribers regardless of whether the interface is being managed or not.
Subscriber Classification Scripts
When the SAE begins managing an interface, it determines whether a subscriber is associated with the interface by running the subscriber classification script. The SAE also runs the subscriber classification script when certain login events occur. See Login Events for a description of login event types.
To find the matching subscriber profile, the SAE uses interface information that it received from the router when the interface became operational (for example, virtual router name, interface name, interface alias). It also uses login information that it received from the router or the portal application when the subscriber attempted to log in (for example, subscriber IP address, login name, or login event type).
When the SAE runs the subscriber classification script, the script engine matches the information sent from the router to the conditions in the subscriber classification script. The script examines each condition in sequential order to find a match.
- If it finds a match, the script processing stops, and the target for the matching condition is returned to the SAE. The target is an LDAP query that uniquely identifies a subscriber profile. The SAE loads the subscriber entry and uses the entry to create a subscriber session in memory.
- If it does not find a match, the script sends a no-match message to the SAE. The SAE does not load a subscriber session onto the interface, and services cannot be activated for this session.
DHCP Classification Scripts
DHCP classification scripts choose DHCP profiles. See Assigning DHCP Addresses to Subscribers for information about how DHCP classification scripts are used.
Sharing Information Among Classification Scripts
In many instances, the same classification rule may appear in different classification scripts. You can reuse the same information in different scripts by configuring the information in one script and including that information in another script. Interface, subscriber, and DHCP classification scripts all let you include another script.
Related Documentation
- Configuring Classification Scripts Overview
- Classifying Interfaces (SRC CLI)
- Classifying Interfaces (C-Web Interface)
- Classifying Subscribers (SRC CLI)
- Classifying Subscribers (C-Web Interface)
- Classifying DHCP Subscribers (SRC CLI)
- Classifying DHCP Subscribers (C-Web Interface)
