Configuring RADIUS Parameters for AAA Subscriber Management

Include the radius statement at the [edit access profile profile-name] hierarchy level to specify the RADIUS parameters for the subscriber access manager feature. You can specify the IP addresses of the RADIUS servers used for authentication and accounting, options that provide configuration information for the RADIUS servers, and how RADIUS attributes are used.

Tasks to configure RADIUS parameters for subscriber access management are:

  1. Specifying the RADIUS Authentication and Accounting Servers to Use for Subscriber Access Management
  2. Configuring Options for RADIUS Servers
  3. Configuring How RADIUS Attributes Are Used

Specifying the RADIUS Authentication and Accounting Servers to Use for Subscriber Access Management

To specify one or more RADIUS authentication or accounting servers to use for subscriber access management, include the authentication-server and accounting-server statements at the [edit access profile profile-name radius] hierarchy level. You must specify the IP address for the authentication or accounting server.

[edit access profile profile-name radius]
authentication-server [ ip-address ];
accounting-server [ ip-address ];

To configure multiple RADIUS authentication or accounting servers, include multiple ip-address entries, for example:

[edit access profile profile-name radius]
authentication-server 192.168.1.1 192.168.1.2 192.168.1.3;
accounting-server 192.168.1.1 192.168.1.3 192.168.1.4;

Configuring Options for RADIUS Servers

Include the options statement at the [edit access profile profile-name radius] hierarchy level to specify the options used by the RADIUS authentication and accounting servers.

[edit access profile profile-name radius]
options {
accounting-session-id-format (decimal | description);
ethernet-port-type-virtual;
interface-description-format [sub-interface | adapter];
nas-identifier identifier-value;
nas-port-extended-format {
adapter-width width;
port-width width;
slot-width width;
stacked-vlan-width width;
vlan-width width;
}
override-nas-information;
revert-interval interval;
vlan-nas-port-stacked-format;
}

The following list describes the accounting options:

  • accounting-session-id-format—The format the router uses to identify the accounting session. The identifier can be in one of the following formats. The router uses decimal format by default.
    • decimal—For example, 435264
    • description—In the format jnpr interface-specifier:subscriber-session-id. For example, jnpr fastEthernet 3/2.6:1010101010101
  • ethernet-port-type-virtual—The physical port type the router uses to authenticate clients. The port type is passed in RADIUS attribute 61 (NAS-Port-Type). This statement specifies a port type of virtual; by default the router passes a port type of ethernet in RADIUS attribute 61.
  • interface-description-format—The information that is included in or omitted from the interface description that the router passes to RADIUS for inclusion in the RADIUS attribute 87 (NAS-Port-Id). By default, the router includes both the subinterface and the adapter in the interface description.
  • nas-identifier—The value for the client RADIUS attribute 32 (NAS-Identifier), which is used in authentication and accounting requests. You can specify a string of 1 through 64 characters.
  • nas-port-extended-format—Configures the RADIUS client to use the extended format for RADIUS attribute 5 (NAS-Port) and specify the width of the fields in the NAS-Port attribute.
    • adapter-width width—Number of bits in the adapter field.
    • port-width width—Number of bits in the port field.
    • slot-width width—Number of bits in the slot field.
    • stacked-vlan-width width—Number of bits in the SVLAN ID field.
    • vlan-width width—Number of bits in the VLAN ID field.
  • revert-interval—The amount of time that the router waits after a server has become unreachable. The router rechecks the connection to the server when the revert-interval expires. If the server is then reachable, it is used in accordance with the order of the server list.
  • vlan-nas-port-stacked-format—Configures RADIUS attribute 5 (NAS-Port) to include the S-VLAN ID, in addition to the VLAN ID, for subscribers on Ethernet interfaces.
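The following is an added example (not Junos code or part of the original documentation) that packs interface location fields into a 32-bit NAS-Port (RADIUS attribute 5) value under a nas-port-extended-format configuration, and recovers the fields from a value seen in an accounting record. It assumes the fields are laid out slot, adapter, port, stacked-vlan, vlan from most to least significant bit with widths summing to at most 32; confirm the layout for your platform before relying on it.

```python
# Added example: NAS-Port extended-format packing/unpacking.
# ASSUMED layout: slot, adapter, port, stacked-vlan, vlan, MSB to LSB.
FIELD_ORDER = ("slot", "adapter", "port", "stacked_vlan", "vlan")

class NasPortFormat:
    """Field widths as given by the nas-port-extended-format statement."""
    def __init__(self, slot_width, adapter_width, port_width,
                 stacked_vlan_width=0, vlan_width=0):
        self.widths = (slot_width, adapter_width, port_width,
                       stacked_vlan_width, vlan_width)
        if any(w < 0 for w in self.widths) or sum(self.widths) > 32:
            raise ValueError("widths must be non-negative and sum to at most 32")

def pack_nas_port(fmt, **fields):
    """Return the integer NAS-Port; a value that overflows its field is rejected."""
    unknown = set(fields) - set(FIELD_ORDER)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    value = 0
    for name, width in zip(FIELD_ORDER, fmt.widths):
        v = fields.get(name, 0)
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        value = (value << width) | v
    return value

def unpack_nas_port(fmt, value):
    """Recover slot/adapter/port/VLAN fields from a NAS-Port value in an accounting record."""
    if not 0 <= value < (1 << sum(fmt.widths)):
        raise ValueError("value is wider than the configured format")
    out = {}
    for name, width in zip(reversed(FIELD_ORDER), reversed(fmt.widths)):
        out[name] = value & ((1 << width) - 1)
        value >>= width
    return out
```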

Configuring How RADIUS Attributes Are Used

Include the attributes statement at the [edit access profile profile-name radius] hierarchy level to specify attributes that are ignored in RADIUS Access-Accept messages, or that are excluded from particular RADIUS message types.

[edit access profile profile-name radius]
attributes {
ignore {
framed-ip-netmask;
input-filter;
logical-system-routing-instance;
output-filter;
}
exclude {
accounting-authentic [ accounting-on | accounting-off ];
accounting-delay-time [ accounting-on | accounting-off ];
accounting-session-id [ access-request | accounting-on | accounting-off | accounting-stop ];
accounting-terminate-cause [ accounting-off ];
called-station-id [ access-request | accounting-start | accounting-stop ];
calling-station-id [ access-request | accounting-start | accounting-stop ];
class [ accounting-start | accounting-stop ];
dhcp-gi-address [ access-request | accounting-start | accounting-stop ];
dhcp-mac-address [ access-request | accounting-start | accounting-stop ];
event-timestamp [ accounting-on | accounting-off | accounting-start | accounting-stop ];
framed-ip-address [ accounting-start | accounting-stop ];
framed-ip-netmask [ accounting-start | accounting-stop ];
input-filter [ accounting-start | accounting-stop ];
input-gigapackets [ accounting-stop ];
input-gigawords [ accounting-stop ];
interface-description [ access-request | accounting-start | accounting-stop ];
nas-identifier [ access-request | accounting-on | accounting-off | accounting-start | accounting-stop ];
nas-port [ access-request | accounting-start | accounting-stop ];
nas-port-id [ access-request | accounting-start | accounting-stop ];
nas-port-type [ access-request | accounting-start | accounting-stop ];
output-filter [ accounting-start | accounting-stop ];
output-gigapackets [ accounting-stop ];
output-gigawords [ accounting-stop ];
}
}

The following list describes the ignore and exclude statements:

  • Use the ignore statement to configure the router to ignore a particular attribute in RADIUS Access-Accept messages. By default, the router processes the attributes received from the external AAA server. You can specify that the following attributes be ignored:
    • framed-ip-netmask—Framed-IP-Netmask, RADIUS attribute 9
    • input-filter—Ingress-Policy-Name, VSA 26-10
    • logical-system-routing-instance—Virtual-Router, VSA 26-1
    • output-filter—Egress-Policy-Name, VSA 26-11
  • Use the exclude statement to configure the router to exclude the specified attributes from the specified type of RADIUS message. Not all attributes appear in all types of RADIUS messages—the CLI indicates the RADIUS message type. By default, the router includes the specified attributes in RADIUS Access-Request, Acct-On, Acct-Off, Acct-Start, and Acct-Stop messages. You can configure the router to exclude the following attributes:
    • accounting-authentic—RADIUS attribute 45, Acct-Authentic
    • accounting-delay-time—RADIUS attribute 41, Acct-Delay-Time
    • accounting-session-id—RADIUS attribute 44, Acct-Session-Id
    • accounting-terminate-cause—RADIUS attribute 49, Acct-Terminate-Cause
    • called-station-id—RADIUS attribute 30, Called-Station-Id
    • calling-station-id—RADIUS attribute 31, Calling-Station-Id
    • class—RADIUS attribute 25, Class
    • dhcp-gi-address—Juniper VSA 26-57, DHCP-GI-Address
    • dhcp-mac-address—Juniper VSA 26-56, DHCP-MAC-Address
    • event-timestamp—RADIUS attribute 55, Event-Timestamp
    • framed-ip-address—RADIUS attribute 8, Framed-IP-Address
    • framed-ip-netmask—RADIUS attribute 9, Framed-IP-Netmask
    • input-filter—Juniper VSA 26-10, Ingress-Policy-Name
    • input-gigapackets—Juniper VSA 26-42, Acct-Input-Gigapackets
    • input-gigawords—RADIUS attribute 52, Acct-Input-Gigawords
    • interface-description—Juniper VSA 26-53, Interface-Desc
    • nas-identifier—RADIUS attribute 32, NAS-Identifier
    • nas-port—RADIUS attribute 5, NAS-Port
    • nas-port-id—RADIUS attribute 87, NAS-Port-Id
    • nas-port-type—RADIUS attribute 61, NAS-Port-Type
    • output-filter—Juniper VSA 26-11, Egress-Policy-Name
    • output-gigapackets—Juniper VSA 26-43, Acct-Output-Gigapackets
    • output-gigawords—RADIUS attribute 53, Acct-Output-Gigawords
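The following added example (not Junos code or part of the original documentation) models the effect of the ignore and exclude statements on RADIUS attribute lists: it encodes the attributes the router would send for one message type with an exclude policy applied, and strips ignored attributes from a received Access-Accept so the AAA server cannot override local filters or the routing instance. Attribute numbers are those listed above; the vendor ID 4874 used for the 26-x VSAs is an assumption.

```python
# Added example: exclude/ignore policy applied to RFC 2865 attribute lists.
import struct

VENDOR_ID = 4874  # ASSUMED Unisphere/Juniper ERX enterprise number for the 26-x VSAs

# CLI keyword -> (RADIUS attribute type, vendor type or None), as listed on the page
ATTR_IDS = {
    "framed-ip-address": (8, None), "framed-ip-netmask": (9, None),
    "nas-identifier": (32, None), "nas-port-type": (61, None),
    "calling-station-id": (31, None), "accounting-session-id": (44, None),
    "input-filter": (26, 10), "output-filter": (26, 11),
    "logical-system-routing-instance": (26, 1), "dhcp-mac-address": (26, 56),
}

def encode_avp(attr_type, vendor_type, value):
    """Type/length/value; type 26 wraps vendor-id, vendor-type and vendor-length."""
    data = value.encode() if isinstance(value, str) else struct.pack(">I", value)
    if attr_type == 26:
        data = struct.pack(">IBB", VENDOR_ID, vendor_type, len(data) + 2) + data
    if len(data) > 253:
        raise ValueError("attribute value too long")
    return struct.pack(">BB", attr_type, len(data) + 2) + data

def decode_avps(payload):
    """Return [(type, vendor_type, raw_value)]; rejects lengths that would loop or overrun."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute length")
        t, ln = payload[i], payload[i + 1]
        body = payload[i + 2:i + ln]
        if t == 26 and len(body) >= 6 and struct.unpack(">I", body[:4])[0] == VENDOR_ID:
            out.append((t, body[4], body[6:]))
        else:
            out.append((t, None, body))
        i += ln
    return out

def build_message(msg_type, values, exclude):
    """values: {keyword: value}; exclude: {keyword: {message types}} as in the CLI."""
    return b"".join(encode_avp(*ATTR_IDS[k], v) for k, v in values.items()
                    if msg_type not in exclude.get(k, set()))

def apply_ignore(access_accept, ignore):
    """Drop ignored attributes so a returned policy name or VR cannot be applied."""
    ignored = {ATTR_IDS[k] for k in ignore}
    return [avp for avp in decode_avps(access_accept) if (avp[0], avp[1]) not in ignored]
```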

Published: 2009-07-15