Configuring Pseudo–RADIUS Authorization Server Properties (SRC CLI)

Tasks to configure the pseudo–RADIUS authorization server are:

  • Configuring the Pseudo–RADIUS Authorization Server (SRC CLI)
  • Configuring the Directory Connection Properties for the Subscriber Data
  • Configuring Directory Connection Properties for the Cached DHCP Profiles

Configuring the Pseudo–RADIUS Authorization Server (SRC CLI)

Use the following configuration statements to configure the pseudo–RADIUS authorization server:

slot number external-subscriber-monitor radius-authorization {
  port port;
  local-address local-address;
  check-lease-limit-with-sae;
  query-cached-dhcp-profile;
  default-lease-limit default-lease-limit;
  invalid-pool-name invalid-pool-name;
  lease-time-limit lease-time-limit;
  cleanup-interval cleanup-interval;
  maximum-age maximum-age;
  minimum-pool-size minimum-pool-size;
  maximum-queue-length maximum-queue-length;
  service-type (all | login | framed | callback-login | callback-framed | outbound | administrative | nas-prompt | authenticate-only | callback-nas-prompt | callback-check | callback-administrative);
}
slot number external-subscriber-monitor radius-authorization client client-address {
  secret secret;
}

To configure the pseudo–RADIUS authorization server:

  1. From configuration mode, access the configuration statement that configures the pseudo–RADIUS authorization server.
    user@host# edit slot 0 external-subscriber-monitor radius-authorization
  2. Specify the listening port for RADIUS requests.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set port port
  3. (Optional) Specify the host address to bind the pseudo–RADIUS authorization server to. If this attribute is absent (or deleted), the server binds to the wildcard (*) address.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set local-address local-address
  4. (Optional) Specify whether to query the SAE for the number of active subscribers for a given interface. If set to true, the response to the RADIUS access request depends on the comparison between the number of active subscriber sessions and the lease limit for the interface. If the number of active subscriber sessions is less than the lease limit, the response is the RADIUS access accept message without the lease limit RADIUS attribute; otherwise, the response is the RADIUS access accept message in which the subscriber is not assigned an address. If set to false, the response is the RADIUS access accept message with the lease limit RADIUS attribute. If the lease limit RADIUS vendor-specific attribute is returned, the MX Series router verifies the lease limit.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set check-lease-limit-with-sae
  5. (Optional) Specify whether to search for a cached DHCP profile in the o=AuthCache directory based on the MAC address. If set to true, you must configure a directory connection to the cached DHCP profiles.

    If set to true, the following conditions apply:

    • If a cached DHCP profile is found, the RADIUS response message includes the RADIUS attribute values for framed IP address, pool name, service bundle, and RADIUS class attributes that are present in the cached DHCP profile.
    • If the check-lease-limit-with-sae option is set to true and the number of active subscriber sessions is less than the lease limit, the RADIUS access accept message includes the cached DHCP profile.
    • If the check-lease-limit-with-sae option is set to false, the RADIUS response includes the lease limit.

    If set to false, the RADIUS response message does not include the cached DHCP profile information.

    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set query-cached-dhcp-profile
  6. (Optional) Specify the default lease limit for all interfaces.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set default-lease-limit default-lease-limit
  7. Specify the invalid pool name returned when the number of active subscriber sessions exceeds the lease limit.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set invalid-pool-name invalid-pool-name
  8. (Optional) Specify the timeout of a cached authenticated request.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set lease-time-limit lease-time-limit
  9. Specify the amount of time to wait before cleaning up cached RADIUS access requests that have been accepted.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set cleanup-interval cleanup-interval
  10. Specify the maximum age of an unacknowledged RADIUS access request cached in memory. We recommend a value slightly greater than the RADIUS packet retry interval.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set maximum-age maximum-age
  11. Specify the minimum number of concurrent threads processing RADIUS access message subtasks.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set minimum-pool-size minimum-pool-size
  12. Specify the maximum number of unacknowledged RADIUS messages to be received from the RADIUS server before it discards new messages.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set maximum-queue-length maximum-queue-length
  13. Specify the service type of the RADIUS packets that will be forwarded.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# set service-type service-type
  14. (Optional) Verify your configuration.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# show
  15. Access the configuration statement that specifies the trusted RADIUS clients.
    [edit slot 0 external-subscriber-monitor radius-authorization]
    user@host# edit client client-address
    [edit slot 0 external-subscriber-monitor radius-authorization client client-address]
  16. Specify the RADIUS shared secret for the client.
    [edit slot 0 external-subscriber-monitor radius-authorization client client-address]
    user@host# set secret secret
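The response logic of steps 4, 5 and 7, together with the per-client shared secret of step 16 and the MAC-keyed cached DHCP profile lookup described under "Configuring Directory Connection Properties for the Cached DHCP Profiles", as an added Python model. This is illustration code written for this page, not SRC software or Juniper documentation code. The SAE session counts, the per-interface lease limits, the o=AuthCache profiles and the trusted-client table are constructed in-memory dictionaries standing in for the SAE, the subscriber-data directory and the client configuration; the reply keys (framed_ip_address, lease_limit, pool_name, ...) are labels chosen here, not the real RADIUS attribute numbers or Juniper VSA names.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RadiusAuthConfig:
    """The subset of [edit ... radius-authorization] options that shape the reply."""
    check_lease_limit_with_sae: bool = False   # set check-lease-limit-with-sae
    query_cached_dhcp_profile: bool = False    # set query-cached-dhcp-profile
    default_lease_limit: int = 1               # set default-lease-limit
    invalid_pool_name: str = "invalid-pool"    # set invalid-pool-name


# Constructed sample data (assumptions, not live SRC data):
# - trusted RADIUS clients and their shared secrets (step 16)
TRUSTED_CLIENTS = {"198.51.100.5": "example-secret"}
# - per-interface lease limits as they would come from the subscriber-data directory
INTERFACE_LEASE_LIMITS = {"ge-0/0/0.100": 2}
# - active session counts as the SAE would report them
ACTIVE_SESSIONS = {"ge-0/0/0.100": 2, "ge-0/0/0.200": 0}
# - cached DHCP profiles keyed by MAC address, as stored under o=AuthCache
CACHED_DHCP_PROFILES = {
    "00:11:22:33:44:55": {
        "framed_ip_address": "192.0.2.10",
        "pool_name": "gold-pool",
        "service_bundle": "gold",
        "radius_class": "gold-class",
    }
}


def lease_limit_for(interface: str, cfg: RadiusAuthConfig) -> int:
    """Interface-specific lease limit, falling back to the configured default (step 6)."""
    return INTERFACE_LEASE_LIMITS.get(interface, cfg.default_lease_limit)


def authorize(cfg: RadiusAuthConfig, client_address: str,
              interface: str, mac: str) -> Optional[dict]:
    """Return the attributes the pseudo-RADIUS server would place in its Access-Accept.

    Returns None when the request comes from a client that has no configured
    shared secret: RADIUS requires such requests to be silently discarded.
    """
    if client_address not in TRUSTED_CLIENTS:
        return None

    reply = {"code": "Access-Accept"}
    limit = lease_limit_for(interface, cfg)
    # Step 5: only consult o=AuthCache when query-cached-dhcp-profile is set.
    profile = CACHED_DHCP_PROFILES.get(mac) if cfg.query_cached_dhcp_profile else None

    if cfg.check_lease_limit_with_sae:
        # Step 4: compare the SAE's active session count with the lease limit.
        active = ACTIVE_SESSIONS.get(interface, 0)
        if active < limit:
            # Under the limit: accept without the lease-limit VSA; a cached
            # profile, if found, is returned in full.
            if profile:
                reply.update(profile)
        else:
            # At or over the limit: accept, but assign no address. The invalid
            # pool name of step 7 is what an unauthorized subscriber receives.
            reply["pool_name"] = cfg.invalid_pool_name
    else:
        # SAE not consulted: return the lease-limit VSA and let the MX Series
        # router enforce it; a cached profile is still included when found.
        reply["lease_limit"] = limit
        if profile:
            reply.update(profile)
    return reply


if __name__ == "__main__":
    cfg = RadiusAuthConfig(check_lease_limit_with_sae=True, query_cached_dhcp_profile=True)
    print(authorize(cfg, "198.51.100.5", "ge-0/0/0.200", "00:11:22:33:44:55"))
    print(authorize(cfg, "198.51.100.5", "ge-0/0/0.100", "00:11:22:33:44:55"))
    print(authorize(RadiusAuthConfig(), "198.51.100.5", "ge-0/0/0.100", "00:11:22:33:44:55"))
    print(authorize(cfg, "203.0.113.9", "ge-0/0/0.200", "00:11:22:33:44:55"))
```

The three sample calls exercise the three documented outcomes: an under-limit interface gets the cached profile and no lease-limit attribute, an interface already at its lease limit gets the invalid pool name and no address, and a configuration without check-lease-limit-with-sae hands the lease limit back to the router instead. The fourth call, from an address that is not a configured client, produces no reply at all, which is why each MX Series router that talks to the pseudo–RADIUS server needs its own client entry and shared secret (steps 15 and 16).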

Configuring the Directory Connection Properties for the Subscriber Data

The subscriber data can be queried for information such as the interface’s lease limit.

Use the following statements to configure the directory connection to the directory in which the subscriber data is stored:

slot number external-subscriber-monitor radius-authorization ldap subscriber-data {
  base base;
  base-dn base-dn;
}
slot number external-subscriber-monitor radius-authorization ldap subscriber-data directory-connection {
  url url;
  principal principal;
  credentials credentials;
  protocol (ldaps);
  backup-urls [backup-urls...];
  timeout timeout;
  check-interval check-interval;
  blacklist;
  snmp-agent;
  signature-dn signature-dn;
}

To configure directory connection properties:

  1. From configuration mode, access the configuration statement that configures the directory connection.
    user@host# edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data
  2. Specify the top-level directory DN.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data]
    user@host# set base base
  3. Specify the subtree in the directory in which the subscriber data is stored.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data]
    user@host# set base-dn base-dn
  4. Access the configuration statement that configures the directory connection properties.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data]
    user@host# edit directory-connection
  5. Specify the directory connection properties for the subscriber data.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data directory-connection]
    user@host# set ?
  6. (Optional) Verify your configuration.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap subscriber-data]
    user@host# show

Configuring Directory Connection Properties for the Cached DHCP Profiles

The DHCP profiles can be queried by MAC address for the RADIUS framed IP address for authorized subscribers or invalid pool name for unauthorized subscribers.

Use the following statements to configure the directory connection to the directory in which the cached DHCP profiles are stored:

slot number external-subscriber-monitor radius-authorization ldap cached-dhcp-profile {
  base base;
  base-dn base-dn;
}
slot number external-subscriber-monitor radius-authorization ldap cached-dhcp-profile directory-connection {
  url url;
  principal principal;
  credentials credentials;
  protocol (ldaps);
  backup-urls [backup-urls...];
  timeout timeout;
  check-interval check-interval;
  blacklist;
  snmp-agent;
  signature-dn signature-dn;
}

To configure directory connection properties:

  1. From configuration mode, access the configuration statement that configures the directory connection.
    user@host# edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile
  2. Specify the top-level directory DN.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile]
    user@host# set base base
  3. Specify the subtree in the directory in which the cached DHCP profiles are stored.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile]
    user@host# set base-dn base-dn
  4. Access the configuration statement that configures the directory connection properties.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile]
    user@host# edit directory-connection
  5. Specify the directory connection properties for the cached DHCP profiles.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile directory-connection]
    user@host# set ?
  6. (Optional) Verify your configuration.
    [edit slot 0 external-subscriber-monitor radius-authorization ldap cached-dhcp-profile]
    user@host# show