Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Configuring Authentication Plug-Ins (SRC CLI)

 

You can perform the following tasks to configure authentication plug-ins:

Limiting Subscribers on Router Interfaces

You can limit the number of authenticated subscribers who connect to an IP interface on the router. This plug-in does not limit the number of unauthenticated subscribers who connect to an IP interface, and does not limit the number of subscribers who connect to a physical or link-layer interface. In the case of subscriber interfaces, the plug-in limits the number of authenticated subscribers on the subscriber interface but not on the underlying primary IP interface.

Use the following configuration statement to set up a plug-in that limits the number of subscribers who connect to interfaces:

To set up a plug-in that limits the number of subscribers on interfaces:

  1. From configuration mode, access the custom RADIUS accounting plug-in configuration. In this sample procedure, the plug-in called subsLimit is configured in the west-region SAE group.

  2. Configure the number of authenticated subscribers who can connect to an IP interface on the router simultaneously.

  3. (Optional) Verify your configuration.

Configuring Basic RADIUS Authentication Plug-Ins

You can use basic RADIUS authentication plug-ins to send authentication information to an external RADIUS accounting server or a group of redundant servers. To communicate with nonredundant servers, you need to create additional instances of the plug-in.

Use the following configuration statements to set up basic RADIUS authentication plug-ins:

To set up basic RADIUS authentication plug-ins:

  1. From configuration mode, access the basic RADIUS authentication plug-in configuration. In this sample procedure, the plug-in called RadiusAuth is configured in the west-region SAE group.

  2. Configure the mode for load-balancing RADIUS servers.

  3. Specify if and when the SAE attempts to fail back to the default peer.

  4. (Optional) Configure the value of the NAS-Ip attribute.

  5. Configure the time the SAE waits for a response from a RADIUS server before it resends the RADIUS packet.

  6. Configure the maximum number of unacknowledged RADIUS messages that the plug-in receives from the RADIUS server before it discards new messages.

  7. (Optional) Configure the source IP address that the plug-in uses to communicate with the RADIUS server. If you do not specify an address, the global default address is used.

  8. (Optional) Configure the source UDP port or a range of source UDP ports used for communication with the RADIUS server. If you do not specify a UDP port, the global UDP port is used.

  9. Configure the name of the RADIUS server to which the SAE sends packets for this plug-in.

  10. (Optional) Verify your configuration.

Configuring Flexible RADIUS Authentication Plug-Ins

Flexible RADIUS authentication plug-ins provide the same features as basic RADIUS authentication plug-ins. In addition, they allow you to customize RADIUS authentication packets that the system sends to RADIUS servers and specify which fields are included in the RADIUS authentication packets and what information is contained in the fields.

Use the following configuration statements to set up flexible RADIUS authentication plug-ins:

To set up flexible RADIUS authentication plug-ins:

  1. From configuration mode, access the flexible RADIUS authentication plug-in configuration. In this sample procedure, the plug-in called flexRadiusAuth is configured in the west-region SAE group.

  2. Configure the mode for load-balancing RADIUS servers.

  3. Specify if and when the SAE attempts to fail back to the default peer.

  4. (Optional) Configure the maximum time the SAE waits for a response from a RADIUS server.

  5. Configure the time the SAE waits for a response from a RADIUS server before it resends the RADIUS packet.

  6. Configure the maximum number of unacknowledged RADIUS messages that the plug-in receives from the RADIUS server before it discards new messages.

  7. (Optional) Configure the source IP address that the plug-in uses to communicate with the RADIUS server. If you do not specify an address, the global default address is used.

  8. (Optional) Configure the source UDP port or a range of source UDP ports used for communication with the RADIUS server. If you do not specify a UDP port, the global UDP port is used.

  9. Configure the way the SAE handles errors.

  10. Configure the name of the RADIUS server to which the SAE sends packets for this plug-in.

  11. Configure the name of the RADIUS packet template that defines attributes for this plug-in.

  12. (Optional) Verify your configuration.

Configuring Custom RADIUS Authentication Plug-Ins

The custom RADIUS authentication plug-ins provide the same functions as the flexible RADIUS authentication plug-ins, but are designed to deliver better system performance. To use a custom plug-in, you must provide a Java class that implements the SPI defined in the RADIUS client library. Use this SPI to specify which fields and field values to include in RADIUS accounting packets. The RADIUS client library is part of the SAE core API.

See the documentation for the RADIUS client library in the SAE core API documentation on the Juniper Networks website at:

https://www.juniper.net/documentation/software/management/src/api-index.html

For a sample implementation, see in the SDK+AppSupport+Demos+Samples.tar.gz file on the Juniper Networks website at: https://www.juniper.net/support/products/src/index.html#sw

The application is located the following directory: SDK/plugin/java/src/net/juniper/smgt/sample/radiuslib/RadiusPacketHandlerImpl.java.

Use the following configuration statements to set up custom RADIUS authentication plug-ins:

To set up custom RADIUS authentication plug-ins:

  1. From configuration mode, access the custom RADIUS authentication plug-in configuration. In this sample procedure, the plug-in called customRadiusAuth is configured in the west-region SAE group.

  2. Configure the name of the Java class that implements the RadiusPacketHandler interface in the RADIUS client library.

  3. Configure the URLs that identify a location from which Java classes are loaded when the plug-in is initialized.

  4. (Optional) Specify that a RADIUS authentication or accounting request must contain all mandatory RADIUS attributes before sending the request packet.

  5. Configure the mode for load-balancing RADIUS servers.

  6. Specify if and when the SAE attempts to fail back to the default peer.

  7. (Optional) Configure the maximum time the SAE waits for a response from a RADIUS server.

  8. Configure the time the SAE waits for a response from a RADIUS server before it resends the RADIUS packet.

  9. Configure the maximum number of unacknowledged RADIUS messages that the plug-in receives from the RADIUS server before it discards new messages.

  10. (Optional) Configure the source IP address that the plug-in uses to communicate with the RADIUS server. If you do not specify an address, the global default address is used.

  11. (Optional) Configure the source UDP port or a range of source UDP ports used for communication with the RADIUS server. If you do not specify a UDP port, the global UDP port is used.

  12. Configure the name of the RADIUS server to which the SAE sends packets for this plug-in.

  13. (Optional) From operational mode, verify your configuration.

Configuring LDAP Authentication Plug-Ins

Use the following configuration statements to configure LDAP authentication plug-ins:

To create LDAP authentication plug-ins:

  1. From configuration mode, access the custom LDAP authentication plug-in configuration. In this sample procedure, the plug-in called ldapAuth is configured in the west-region SAE group.

  2. Configure the LDAP authentication method that the SAE uses.

  3. (Optional) Configure a comma-separated list of IP addresses or hostnames of the LDAP authentication server.

  4. (Optional) Configure the DN used to authenticate access to the directory.

  5. (Optional) Configure the password that the SAE uses to authenticate its access to the directory to search for the subscriber profile. If you do not specify a bind DN or bind password, the SAE uses anonymous access.

  6. (Optional) Configure the additional LDAP search filter that the SAE uses to search the directory for the subscriber profile.

  7. (Optional) Enable the secure protocol used for LDAP connections with the directory. LDAPS, the only secure protocol supported, causes communication with the directory to be encrypted with Secure Sockets Layer (SSL).

  8. (Optional) Configure the base DN for searching entries in the directory.

  9. (Optional) Configure the name of the directory attribute that holds the username.

  10. (Optional) Configure the name of the directory attribute that stores the password.

  11. (Optional) Configure the name of the directory attribute that contains the name of the service bundle that is used for subscriber authentication. This value is made available to the subscriber classification process and can be used to select the subscriber profile to load.

  12. (Optional) Configure the name of the LDAP attribute that contains the value of the session volume quota. The LDAP plug-in sets the session volume quota to this value.

  13. (Optional) Configure the maximum time the SAE waits for a response from a directory server.

  14. (Optional) Enable blocklist to prevent the directory eventing system from establishing further connections to the directory if the connection fails to respond within the expected time interval for 10 times. If the blocklist is disabled, the connection will be established repeatedly if the response is not received within the expected time interval even after 10 times.

  15. (Optional) From operational mode, verify your configuration.