Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 
ContentIndex
  
[+] Expand All
[-] Collapse All

 A  B  C  D  E  F  G  H  I  L  M  N  P  Q  R  S  T  U  V

 

A

access lines    1
description    12
accesses    
configuring subscriptions    
SRC CLI
accounting    
basic RADIUS accounting plug-in
custom RADIUS accounting plug-ins
flat file accounting plug-ins
flexible RADIUS accounting plug-ins
anonymous subscriber
attributes    
RADIUS accounting
authenticated subscriber
authentication plug-ins    
configuring
types
authorization plug-ins    
configuring
types
 

B

basic RADIUS accounting plug-in    1
configuring    
SRC CLI
basic RADIUS authentication plug-in    1
configuring    
SRC CLI
 

C

captive portal    
preventing access to resources
classification scripts    
conditions    1
glob matching
joining
regular expression matching
configuring    
C-Web interface
descriptions
DHCP classification, C Series Controller    
conditions
configuring, SRC CLI
description
targets
interface classification, C Series Controller    
conditions
configuring, SRC CLI
description
empty policy    12
examples
how it works
targets
structure    
C-Web interface
subscriber classification, C Series Controller    
condition
configuring, SRC CLI
description
DHCP options
enterprise subscriber example
how it works
static IP subscriber example
subscriber group example
targets
target, C Series Controller    
definition
expressions
types
component interactions    
DHCP    
initial login
persistent login
subscriber account login
subscriber logout
enterprise subscribers    
login
remote session activation
PPP    
login
logout
static IP subscribers
subscription activation
subscription deactivation
conventions    
notice icons
text
COPS (Common Open Policy Service)    
DHCP interactions    
initial login
logout
persistent login
subscriber account login
interface startup interactions
PPP interactions    
login
logout
static IP subscriber interactions
subscription activation interactions
subscription deactivation interactions
custom RADIUS accounting plug-ins    1
configuring    
SRC CLI
custom RADIUS authentication plug-ins    1
configuring    
SRC CLI
customer support    1
contacting JTAC
 

D

default retailer authentication plug-ins    
configuring    
SRC CLI
default retailer DHCP authentication plug-ins    
configuring    
SRC CLI
denial-of-service attacks
DHCP (Dynamic Host Configuration Protocol)    
address assignment
classification scripts.     See classification scripts    
options
profiles    
SRC CLI
subscribers    
login process
logout process
documentation    
comments on
 

E

enterprise    
description
enterprise subscribers    1
adding    
SRC CLI
enterprise subscribers, login process
event publishers    
configuring    
SRC CLI
default retailer authentication, configuring    
SRC CLI
default retailer DHCP authentication, configuring    
SRC CLI
description
retailer-specific
service-specific
virtual router-specific
external plug-ins    
configuring    
SRC CLI
 

F

file upload settings for log rotation    
configuring    
SRC CLI
flat file accounting plug-ins    1
configuring    
SRC CLI
configuring headers    
SRC CLI
flexible RADIUS accounting plug-ins    1
attributes, defining    
C-Web interface
configuring
RADIUS packets, defining
flexible RADIUS authentication plug-ins    1
attributes, defining    
C-Web interface
examples
configuring    
SRC CLI
RADIUS packets, defining    
SRC CLI
setting responses    
C-Web interface
FTP server for log rotation    
configuring    
SRC CLI    12
 

G

general properties    
configuring    
SRC CLI
 

H

HTTP proxy    12
HTTPS traffic
 

I

interface classification scripts.     See classification scripts    
interim accounting, configuring on SAE
internal plug-ins    
configuring    
SRC CLI
 

L

LDAP authentication plug-in    1
configuring    
SRC CLI
limiting subscribers plug-in    1
configuring    
SRC CLI
log rotation    
overview    
SRC CLI
logging    
redirect server
login events, description
login process    
enterprise
residential    12,  See also logout process, residential    
DHCP
PPP
summary
login registration    
configuring    
SRC CLI
logout process, residential    
DHCP
 

M

managers    
configuring    
SRC CLI
control over all retailers
management privileges
subscribers and subscriptions
manuals    
comments on
 

N

NAT (Network Address Translation)    
VPNs
notice icons
 

P

plug-ins    
activating service sessions
authentication    
configuring
authorization    
configuring
basic RADIUS accounting    1
configuring, SRC CLI
basic RADIUS authentication    1
configuring, SRC CLI
creating subscriber sessions
custom RADIUS accounting    1
configuring, SRC CLI
custom RADIUS authentication    1
configuring, SRC CLI
defining RADIUS packets    
SRC CLI
DHCP address assignment
event publishers.     See event publishers    
external    
configuring, SRC CLI
flat file accounting    1
configuring, SRC CLI
flexible RADIUS accounting    1
configuring
flexible RADIUS authentication    1
configuring, SRC CLI
internal    1
authorization
configuring RADIUS peers, SRC CLI
configuring, SRC CLI
customizing RADIUS packets
how they work
pool
RADIUS attributes, C-Web interface
tracking
LDAP authentication    1
configuring, SRC CLI
limiting subscribers    1
configuring, SRC CLI
state synchronization    
configuring, SRC CLI
tracking    
configuring, C-Web interface
service sessions
subscriber sessions
policy groups    
empty    12
policy management    
external policy system    12
PPP subscribers    
login process
Web login
prevention, use of unauthorized resources
protocols    
routing
proxy HTTP    12
proxy request management
public addresses, VPNs
 

Q

QoS tracking plug-in
 

R

RADIUS accounting    
attributes
description
RADIUS attributes    
defining in RADIUS plug-ins    
C-Web interface
examples, defining in RADIUS plug-ins    
C-Web interface
RADIUS client library, custom RADIUS plug-ins
RADIUS packets, customizing in plug-ins
RADIUS peers    
configuring in plug-ins    
SRC CLI
RADIUS plug-ins    1,  See also plug-ins    
authentication
UDP port
redirect server    
assessing load    
C-Web interface
configuration statements    
SRC CLI
configuring    
SRC CLI
configuring DNS server for    
SRC CLI
configuring HTTP proxy support    
SRC CLI
configuring redundant    
SRC CLI
directory connection    
SRC CLI
failover
file extensions    
SRC CLI
logging
number of requests    
SRC CLI
protection against denial-of-service attacks
redundancy    123
static route to router
traffic definition    
SRC CLI
verifying    
SRC CLI
redundancy    
redirect server
residential subscribers    1
adding    
SRC CLI
login process.     See login process    
retailers    
subscribers    1
adding, SRC CLI
router subscribers    1
adding    
SRC CLI
routing instances    
VPNs
routing scheme
 

S

SAE (service activation engine)    
classification scripts.     See classification scripts    
login events
login process.     See login process    
SAE (service activation engine), configuring    
interim accounting    
SRC CLI
login registration    
SRC CLI
multiple logins from same IP address    
SRC CLI
reduce reported session time    
SRC CLI
session reactivation timers    
SRC CLI
time for MAC address in cache    
SRC CLI
unauthenticated user DN    
SRC CLI
service activation engine.     See SAE    
service sessions    
activate-on-login    12
activating and tracking
activating with Web application
enterprise, remote activation
sites    123
subscriber    1
adding, SRC CLI
state synchronization plug-in interface    
configuring    
SRC CLI
static IP subscribers, login process
static routing
subscriber classification scripts.     See classification scripts    
subscriber folders    1
adding    
SRC CLI
subscriber sessions    
activating with Web application
creating and tracking
enterprise, creating and activating
subscribers    
3gpp attributes (Gx router driver)    
configuring, SRC CLI
adding    
SRC CLI
enterprise    1
adding, SRC CLI
inheriting properties
inheriting subscriptions
residential    1
adding, SRC CLI
retailer    1
adding, SRC CLI
router    1
adding, SRC CLI
sessions
sites    1
adding, SRC CLI
types
subscriptions    1
access, configuring    
SRC CLI
an orderly deactivation, activation order, specifying    
SRC CLI
configuring    
SRC CLI
multiple per subscriber
support, technical     See technical support    
 

T

targets.     See classification scripts    
technical support    
contacting JTAC
text conventions defined
tracking plug-ins    1
configuring    
C-Web interface
 

U

UDP ports    
RADIUS plug-ins
User Datagram Protocol.     See UDP    
 

V

validating    
VPNs
virtual private networks.     See VPNs    
VPNs (virtual private networks)    
adding    
SRC CLI
configuration requirements
configuration statements
extranet clients, modifying    
SRC CLI
invalid subscriptions
modifying
routing schemes
using NAT
validating

Classifying Subscribers (SRC CLI)

Changes that you make to subscriber classification scripts do not affect subscriber sessions that are already established. One effect of this behavior is that static IP subscriber sessions are not closed if the classification script is changed in a way that would no longer cause the SAE to load a profile for certain subscribers.

On JunosE routers that use the COPS-PR or COPS XDR router drivers, you can create a subscriber session for the router interface to start services such as script services and aggregate services. The SAE creates the router interface, but does not install any policies on it. You can create a subscriber classification rule, but not an interface classification rule for this interface.

Use the following configuration statements to define subscriber classification scripts:

shared sae subscriber-classifier rule name {target target; }
shared sae subscriber-classifier rule name condition name ...
shared sae subscriber-classifier rule name {script-value; include include; }

A classification script can contain either a target and a condition or a script. If you do not define a script, the classifier must have both a target and a condition.

To define subscriber classification scripts:

  1. From configuration mode, enter the subscriber classifier configuration. In this sample procedure, the subscriber classifier is configured in the west-region SAE group.
    user@host# edit shared sae group west-region subscriber-classifier
  2. Create a rule for the subscriber classifier. You can create multiple rules for the classifier.
    [edit shared sae group west-region subscriber-classifier]user@host# edit rule rule-2
  3. Configure either a target or a script for the rule.
    • Configure the target for the rule. If you configure a target, see Subscriber Classification Targets.
      [edit shared sae group west-region subscriber-classifier rule rule-2]user@host# set target target

      If you configured a target for the rule, you must configure a match condition for the rule. You can create multiple conditions for the rule. See Subscriber Classification Conditions.

      [edit shared sae group west-region subscriber-classifier rule rule-2]user@host# edit condition name
    • Configure the script for the rule.
      [edit shared sae group west-region subscriber-classifier rule rule-2]user@host# edit script

      (Optional) You can specify a script target.

      [edit shared sae group west-region subscriber-classifier rule rule-2 script]user@host# set script-value

      (Optional) You can include a script that has already been created.

      [edit shared sae group west-region subscriber-classifier rule rule-2 script]user@host# set include include

      where include is a reference to an existing script that is included in the script you are configuring.

  4. (Optional) Change the order of rules.
    [edit shared sae group west-region subscriber-classifier]user@host# insert rule rule-5 before rule-4
  5. (Optional) Rename a rule.
    [edit shared sae group west-region subscriber-classifier]user@host# rename rule rule-5 to Retailer
  6. (Optional) Verify the classifier rule configuration.
    [edit shared sae group west-region subscriber-classifier rule rule-2]
    user@host# show 
    target <-unauthenticatedUserDn->;
    condition {
      "loginType == \"ADDR\"";
      "loginType == \"AUTHADDR\"";
    }
  7. (Optional) Verify the subscriber classifier configuration.
    [edit shared sae group west-region subscriber-classifier]
    user@host# show 
    rule rule-1 {
      script "# User Classification script
    #
    # The following attributes MAY be available for comparison.
    #  Attributes that are not available will have the value \"\" (empty string).
    #
    #   loginType: one of \"INTF\", \"AUTHINTF\", \"ADDR\", \"AUTHADDR\",
    #              \"PORTAL\", \"ASSIGNEDIP\"
    #   userName:  Everything before the \"@\" in the user's login name.
    #   domainName: Everything after the \"@\" in the user's login name.
    #   serviceBundle: A RADIUS VSA available if the login event involves
    #                  authentication with a properly configured RADIUS server.
    #   radiusClass: The RADIUS class of user's ERX interface.
    #   virtualRouterName: The name of the user's virtual router.
    #   interfaceName: The name of the user's ERX interface (e.g.
    #                  \"fastEthernet3/1.0\")
    #   ifAlias: The alias of the user's ERX interface, as configured on the ERX.
    #   ifDesc: The description of the user's ERX interface, as configured on
    #           the ERX.
    #   nasPortId: The user's ERX interface including Layer 2 access information
    #              (e.g. \"fastEthernet 3/1.0:3\")
    #   macAddress: The MAC address of the user, if he is a DHCP user.
    #   retailerDn: Generated by SSP for backwards compatibility; see below.
    #
    #  The loginType value available to this user classifier script will be
    #  one of the following:
    #
    #  \"INTF\":
    #  An INTF login is triggered every time an interface comes up and the
    #  interface classifier script determines that SAE should manage that
    #  interface, and the interface has not been authenticated by the router.
    #
    #  \"AUTHINTF\":
    #  An AUTHINTF login is triggered every time an authenticated
    #  interface comes up, for example as a result of an authenticated PPP
    #  session.
    #
    #  \"ADDR\":
    #  An ADDR login is triggered every time an `unauthenticated' IP
    #  address is handed out by the DHCP server in the ERX.
    #
    #  \"AUTHADDR\":
    #  An AUTHADDR login is triggered every time an `authenticated' IP
    #  address is handed out by the DHCP server in the ERX.
    #
    #  \"PORTAL\":
    #  A PORTAL login is triggered every time the portal API is invoked to
    #  login a user.
    #
    #  See the customer documentation for a description of the values
    #  for each login type available in the script.
    #       
    #  One of the values available during some types of logins is the
    #  `retailerDn'.  This is a generated value available for backwards
    #  compatibility with previous versions of SAE.  SAE generates this
    #  value as follows:
    #       
    #  The retailerDn value is generated by, first, determining an
    #  effective user domain name, and second, locating the retailer
    #  entry in LDAP that contains that effective domain name.  If no
    #  such retailer exists, the retailerDn value will be \"\".
    #
    #  The effective user domain name is the first of the following that yields
    #  a result:
    #       
    #  1. For PPP, PORTAL, and PUBLIC logins where a non-empty domainName
    #     is supplied, that non-empty domain name is used as the effective
    #     domain name.
    #
    #  2. For INTF logins, and for PPP, PORTAL, and PUBLIC logins where a
    #     non-empty domain name is not supplied, the effective domain name
    #     is the name of the user's virtual router, unless that effective
    #     domain does not exist in some retailer in LDAP.
    #
    #  3. If neither step 1 nor step 2 yields an effective domain name,
    #     \"default\" is used as the effective domain name.
    #          
    ";
    }
    rule rule-2 {
      target <-unauthenticatedUserDn->;
      condition {
        "loginType == \"ADDR\"";
        "loginType == \"AUTHADDR\"";
      }
    }
    rule rule-3 {
      target <-retailerDn->??sub?(uniqueID=<-userName->);
      condition {
        "retailerDn != \"\"";
        "& userName != \"\"";
      }
    }

Related Documentation

Modified: 2015-06-19