Managing Subscriber Sessions on MX Series Routers (SRC CLI)

 

The following topics provide procedures that allow you to manage subscriber sessions on MX Series routers with the SRC CLI:

Configuring External Subscriber Monitor (SRC CLI)

Use External Subscriber Monitor to log in and log out authorized subscribers and to provide interim updates for authorized subscribers.

To configure External Subscriber Monitor as a pseudo–RADIUS accounting server:

  1. From configuration mode, access the configuration statement that configures the local properties.
  2. Configure the local properties for External Subscriber Monitor.

    If you are configuring the pseudo–RADIUS authorization server, specify the include-mac-address and include-interface-name options when configuring External Subscriber Monitor so that the MAC address and interface name attributes are included in the event notifications sent to the SAE.

    For more information about configuring External Subscriber Monitor, see Configuring External Subscriber Monitor (SRC CLI).

Configuring Pseudo–RADIUS Authorization Server Properties (SRC CLI)

Tasks to configure the pseudo–RADIUS authorization server are:

Configuring the Pseudo–RADIUS Authorization Server (SRC CLI)

Use the following configuration statements to configure the pseudo–RADIUS authorization server:

To configure the pseudo–RADIUS authorization server:

  1. From configuration mode, access the configuration statement that configures the pseudo–RADIUS authorization server.
  2. Specify the listening port for RADIUS requests.
  3. (Optional) Specify the host address to bind to the pseudo–RADIUS authorization server. Absence (or deletion) of this attribute means binding it to a wildcard (*) address.
  4. (Optional) Specify whether to query the SAE for the number of active subscribers for a given interface. If set to true, the response to the RADIUS access request depends on the comparison between the number of active subscriber sessions and the lease limit for the interface. If the number of active subscriber sessions is less than the lease limit, the response is the RADIUS access accept message without the lease limit RADIUS attribute; otherwise, the response is the RADIUS access accept message where the subscriber is not assigned an address. If set to false, the response is the RADIUS access accept message with the lease limit RADIUS attribute. If the lease limit RADIUS vendor-specific attribute is returned, the MX Series router verifies the lease limit.
  5. (Optional) Specify whether to search for a cached DHCP profile in the o=AuthCache directory based on the MAC address. If set to true, you must configure a directory connection to the cached DHCP profiles.

    If set to true, the following conditions apply:

    • If a cached DHCP profile is found, the RADIUS response message includes the RADIUS attribute values for framed IP address, pool name, service bundle, and RADIUS class attributes that are present in the cached DHCP profile.

    • If the check-lease-limit-with-sae option is set to true and the number of active subscriber sessions is less than the lease limit, the RADIUS access accept message includes the cached DHCP profile.

    • If the check-lease-limit-with-sae option is set to false, the RADIUS response includes the lease limit.

    If set to false, the RADIUS response message does not include the cached DHCP profile information.

  6. (Optional) Specify the default lease limit for all interfaces.
  7. Specify the invalid pool name returned when the number of active subscriber sessions exceeds the lease limit.
  8. (Optional) Specify the timeout of a cached authenticated request.
  9. Specify the amount of time to wait before cleaning up cached RADIUS access requests that have been accepted.
  10. Specify the maximum age of an unacknowledged RADIUS access request cached in memory. We recommend a value slightly greater than the RADIUS packets retry interval.
  11. Specify the minimum number of concurrent threads processing RADIUS access messages subtasks.
  12. Specify the maximum number of unacknowledged RADIUS messages to be received from the RADIUS server before it discards new messages.
  13. Specify the service type of the RADIUS packets that will be forwarded.
  14. (Optional) Verify your configuration.
  15. Access the configuration statement that specifies the trusted RADIUS clients.
  16. Specify the RADIUS shared secret for the client.

Configuring the Directory Connection Properties for the Subscriber Data

The subscriber data can be queried for information such as the interface’s lease limit.

Use the following statements to configure the directory connection to the directory in which the subscriber data is stored:

To configure directory connection properties:

  1. From configuration mode, access the configuration statement that configures the directory connection.
  2. Specify the top-level directory DN.
  3. Specify the subtree in the directory in which the subscriber data is stored.
  4. Access the configuration statement that configures the directory connection properties.
  5. Specify the directory connection properties for the subscriber data.
  6. (Optional) Verify your configuration.

Configuring Directory Connection Properties for the Cached DHCP Profiles

The DHCP profiles can be queried by MAC address for the RADIUS framed IP address for authorized subscribers or invalid pool name for unauthorized subscribers.

Use the following statements to configure the directory connection to the directory in which the cached DHCP profiles are stored:

To configure directory connection properties:

  1. From configuration mode, access the configuration statement that configures the directory connection.
  2. Specify the top-level directory DN.
  3. Specify the subtree in the directory in which the cached DHCP profiles are stored.
  4. Access the configuration statement that configures the directory connection properties.
  5. Specify the directory connection properties for the cached DHCP profiles.
  6. (Optional) Verify your configuration.

Configuring the NIC Proxy for the Pseudo-RADIUS Authorization Server (SRC CLI)

When the check-lease-limit-with-sae option is set to true, you must configure the NIC proxy so that the pseudo-RADIUS authorization server can find the SAE managing the interface and determine the number of subscriber sessions already established on the interface (that is, the number of leases on the interface). The NIC proxy must be configured for a NIC scenario that maps VRs to SAEs.

Tasks to configure the NIC proxy are:

Configuring Resolution Information for a NIC Proxy

Use the following configuration statements to configure the NIC proxy:

To configure resolution information for a NIC proxy:

  1. From configuration mode, access the configuration statement that configures the NIC proxy configuration. In this sample procedure, the NIC proxy called radius-authorization-nic is configured.
  2. Specify the resolution information for this NIC proxy.

    For more information about configuring resolution information for a NIC proxy, see Configuring Resolution Information for a NIC Proxy (SRC CLI).

  3. (Optional) Verify your configuration.

Changing the Configuration for the NIC Proxy Cache

You can modify cache properties for the NIC proxy to optimize the resolution performance for your network configuration and system resources. Typically, you can use the default settings for the cache properties. The configuration statements are available at the Advanced editing level.

Use the following configuration statements to change values for the NIC proxy cache:

To configure the cache for a NIC proxy:

  1. From configuration mode, access the configuration statement that specifies the NIC proxy configuration. In this sample procedure, the NIC proxy called radius-authorization-nic is configured.
  2. Specify the cache properties for the NIC proxy.

    For more information about configuring the cache for a NIC proxy, see Changing the Configuration for the NIC Proxy Cache (SRC CLI).

  3. (Optional) Verify your configuration.

Configuring a NIC Proxy for NIC Replication

Typically, you configure NIC replication to keep the NIC highly available. You configure NIC host selection to specify the groups of NIC hosts to be contacted to resolve a request, and to define how the NIC proxy handles NIC hosts that the proxy is unable to contact. The configuration statements are available at the Normal editing level.

Use the following configuration statements to configure NIC host selection for a NIC proxy:

To configure a NIC proxy to use NIC replication:

  1. From configuration mode, access the configuration statement that specifies the NIC proxy configuration. In this sample procedure, the NIC proxy called radius-authorization-nic is configured.
  2. (Optional) Configure NIC host selection for a NIC proxy.

    For more information about configuring NIC host selection for a NIC proxy, see Configuring a NIC Proxy for NIC Replication (SRC CLI).

  3. (Optional) Verify your configuration.
  4. Access the configuration statement that specifies the NIC proxy configuration for blacklisting—the process of handling nonresponsive NIC hosts.
  5. (Optional) Configure blacklisting for a NIC proxy.

    For more information about configuring NIC host selection for a NIC proxy, see Configuring a NIC Proxy for NIC Replication (SRC CLI).

  6. (Optional) Verify your configuration.
    [edit slot 0 external-subscriber-monitor nic-proxy-configuration radius-authorization-nic nic-host-selection blacklisting]
    user@host# show

Extracting RADIUS Attributes with the Pseudo–RADIUS Authorization Server (SRC CLI)

The pseudo–RADIUS authorization server extracts RADIUS attribute values from the MX Series router for which it receives access requests.

Tasks to configure the RADIUS attribute value extraction are:

Extracting Interface Name Attribute Values

The interface name value is the subscriber line interface. This value is extracted from the NAS-Port-ID attribute. The default settings for this configuration are sufficient for most applications.

Use the following configuration statements to extract the interface name value from the RADIUS access request:

To extract the interface name value:

  1. From configuration mode, access the configuration statement that configures RADIUS attribute extraction for the interface name value.
  2. (Optional) Specify the RADIUS attribute value format with a regular expression. You can group regular expressions by enclosing them in parentheses. The value for the interface is the part of the NAS-Port-ID matched by the first group in your regular expression. For more information about using regular expressions, see http://docs.oracle.com/javase/1.5.0/docs/api/java/util/regex/Pattern.html.

    For example, to specify that the extracted interface name value is ge-0/0/3.0 from the NAS-Port attribute value of ge-0/0/3.0[:0-0]:

Extracting Virtual Router Name Attribute Values

In most cases, the virtual router name value is in the format default@<NAS-ID attribute>. The default settings extract a virtual router name in this format. If your environment is different, you can configure a different format for the extracted value.

Use the following configuration statements to extract the virtual router name value from the RADIUS access request:

To extract the virtual router name value:

  1. From configuration mode, access the configuration statement that configures RADIUS attribute extraction for the virtual router name value.
  2. Specify the RADIUS attribute identifier.
  3. (Optional) Specify whether the RADIUS attribute is a vendor-specific attribute.
  4. (Optional) Specify the RADIUS vendor-specific attribute identifier.
  5. (Optional) Specify the RADIUS attribute value format with a regular expression. You can group regular expressions by enclosing them in parentheses. The value for the interface is the part of the NAS-Port-ID matched by the first group in your regular expression. For more information about using regular expressions, see http://docs.oracle.com/javase/1.5.0/docs/api/java/util/regex/Pattern.html.

    For example:

  6. (Optional) Specify the value type of this RADIUS attribute.

    where:

    • raw-byte—Raw bytes

    • chars—Sequence of characters

  7. (Optional) Specify the prefix that is prepended to the extracted RADIUS attribute value.
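The first-group extraction described in the two procedures above (interface name from the NAS-Port-ID, virtual router name with an optional prefix), sketched in Python as an added example that is not Juniper's code. The patterns, the whole-value matching, and the NAS-ID value are assumptions; the regex constructs used behave the same in java.util.regex, which the page references.

```python
import re

# Assumed patterns, not SRC defaults. Group 1 is the extracted value; any
# bracketed suffix on the NAS-Port-ID is matched outside the group.
INTERFACE_PATTERN = r"([^\[\s]+)(?:\[.*\])?"
NAS_ID_PATTERN = r"([A-Za-z0-9._-]+)"


def extract(value, pattern, prefix=""):
    """Return prefix + first capture group, or None if the value does not
    match in full. Returning None lets the caller reject the request
    instead of attributing the session to a wrong interface or router."""
    compiled = re.compile(pattern)
    if compiled.groups < 1:
        raise ValueError("pattern must contain a capturing group")
    match = compiled.fullmatch(value)
    if match is None or not match.group(1):
        return None
    return prefix + match.group(1)


# Sample values: the NAS-Port-ID is the one quoted on this page, the
# NAS-ID is hypothetical.
NAS_PORT_ID = "ge-0/0/3.0[:0-0]"
NAS_ID = "mx-edge-1"

if __name__ == "__main__":
    print(extract(NAS_PORT_ID, INTERFACE_PATTERN))
    print(extract(NAS_ID, NAS_ID_PATTERN, prefix="default@"))
    # A catch-all group keeps the suffix, which is not an interface name.
    print(extract(NAS_PORT_ID, r"(.*)"))
    # Trailing text after the interface name fails the whole-value match.
    print(extract("ge-0/0/3.0 garbage", INTERFACE_PATTERN))
```

Testing a candidate pattern this way against captured attribute values, before committing it, shows whether the extracted string is exactly the interface or virtual router name the SAE expects.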

Enabling the Pseudo-RADIUS Authorization Server (SRC CLI)

To enable the pseudo–RADIUS authorization server, configure the pseudo-RADIUS authorization server and make sure the External Subscriber Monitor is running.

To start External Subscriber Monitor:

Disabling the Pseudo-RADIUS Authorization Server (SRC CLI)

To disable the pseudo–RADIUS authorization server, delete the pseudo–RADIUS authorization server configuration for External Subscriber Monitor from configuration mode.

Setting Up MX Series Routers in the SRC Network (SRC CLI)

To set up the MX Series router so that the router can be managed by the SAE:

  1. From configuration mode, access the configuration statement that configures network devices. This sample procedure uses mx_device as the name of the router.
  2. Set the type of device to third-party.
  3. From configuration mode, access the configuration statements for virtual routers. For MX Series routers, use the name default for the virtual router.
  4. Specify the addresses of SAEs that can manage this router.

Configuring the COA Script Service for MX Series Routers (SRC CLI)

To configure the script service for the MX Series router:

  1. Create a script service in the services global service name hierarchy or the services scope name service name hierarchy. For example:
  2. Set the type to script.
  3. (Optional) Configure other properties as needed for your service.
  4. Configure the script properties.
    1. Access the script hierarchy for the configured script service.

    2. Specify URL as the script type.

    3. Specify the name of the Java class that implements the script service.

    4. Configure the URL of the script service or the path and filename of the service.

      If you specify a file URL, you must copy the file to the C Series Controller. If you specify an ftp or http URL, the file can reside on a centralized server. You can find the coa.jar file in the application and SDK distribution on the Juniper Networks website at:

      https://www.juniper.net/support/downloads/?p=src#sw

      in the SDK+AppSupport+Demos+Samples.tar.gz archive file with the pathname:

      AppSupport+Demos+Samples/SDK/scriptServices/coa/lib/coa.jar

  5. Verify the configuration.
  6. Configure the parameters for the script service.

    See Configuring Parameters for the Script Service for MX Series Routers (SRC CLI).

Configuring Parameters for the Script Service for MX Series Routers (SRC CLI)

Provide parameter substitutions with the values that are in the service definitions for the script service.

Table 9 lists the parameters specified by the sample script service.

Table 9: Parameter Substitutions for MX Series Routers COA Services

| Parameter Name | Description |
|---|---|
| dynClientIp | IP address of the device. |
| dynClientPort | UDP port number of the device. |
| dynServerIp | IP address of the C Series Controller. |
| dynServerPort | UDP port number of the C Series Controller. |
| dynSecret | Shared secret between RADIUS server and RADIUS client. |
| dynRetry | Number of retries for sending RADIUS packets when no RADIUS response is received. The retry interval is 3 seconds. |
| dynConfig | Content of service definition in the format <action>.<radiusAttributeName>=<pluginEventAttribute>\n |

  • action—Action that is executed on packet content (attribute):

    • start

    • stop

    • start-stop

  • radiusAttributeName—Valid RADIUS attribute specified as follows:

    • Standard RADIUS attribute name or number

    • VSA in the format

      vendor-specific.<vendor#>.<vsa#>.string

  • pluginEventAttribute—Valid Python expression

  • \n—New-line character included between the lines of a configuration containing multiple lines; the entire configuration must be enclosed in quotation marks.

For example:

start-stop.Acct-Session-Id = ifSessionId

"start-stop.Acct-Session-Id=ifSessionId\nstart.vendor-specific.4874.10.string='video'\nstop.vendor-specific.4874.10.string='default'\n"
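A pre-deployment check for a dynConfig value in the format described above, as an added example that is not part of the original page or of the SRC software. The function name, the attribute-name patterns, and the use of Python 3's parser for the expression syntax check are assumptions.

```python
import ast
import re

ACTIONS = ("start-stop", "start", "stop")
# vendor-specific.<vendor#>.<vsa#>.string, or a standard name or number.
VSA = re.compile(r"vendor-specific\.(\d+)\.(\d+)\.string")
STANDARD = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+")

# The multi-line example from this page, with \n as real newlines.
SAMPLE = ("start-stop.Acct-Session-Id=ifSessionId\n"
          "start.vendor-specific.4874.10.string='video'\n"
          "stop.vendor-specific.4874.10.string='default'\n")


def parse_dyn_config(text):
    """Split a dynConfig value into (action, attribute, expression) tuples.
    Raises ValueError naming the first line that breaks the format."""
    entries = []
    for number, line in enumerate(text.split("\n"), start=1):
        if not line.strip():
            continue  # the trailing \n leaves an empty last element
        left, sep, expr = line.partition("=")
        if not sep:
            raise ValueError(f"line {number}: missing '='")
        left, expr = left.strip(), expr.strip()
        action = next((a for a in ACTIONS if left.startswith(a + ".")), None)
        if action is None:
            raise ValueError(f"line {number}: action must be one of {ACTIONS}")
        attribute = left[len(action) + 1:]
        if not (VSA.fullmatch(attribute) or STANDARD.fullmatch(attribute)):
            raise ValueError(f"line {number}: bad attribute {attribute!r}")
        try:
            ast.parse(expr, mode="eval")  # syntax check only, never evaluated
        except SyntaxError:
            raise ValueError(
                f"line {number}: not a Python expression: {expr!r}") from None
        entries.append((action, attribute, expr))
    return entries


if __name__ == "__main__":
    for entry in parse_dyn_config(SAMPLE):
        print(entry)
```

Because each pluginEventAttribute is a Python expression, reviewing the parsed expressions before the service definition is committed is a reasonable change-control step. The check confirms syntax only and does not evaluate anything.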

To configure substitutions for the script parameters:

  1. At the hierarchy for the script service, specify substitutions for the parameters. For example:
  2. Verify the configuration.

Configuring Subscriptions to the Script Service

You need to configure subscriptions to the script service. You can set up the subscriptions to activate immediately on login.

For more information, see Adding Subscribers (SRC CLI).