Juniper JUNOSE SOFTWARE 11.0.X - BROADBAND ACCESS CONFIGURATION GUIDE 4-1-2010, JUNOSe 11.0.X Configuration Manual

Page 1
JUNOSe Software for E Series Broadband Services Routers
Broadband Access Configuration Guide
Release 11.0.x
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
408-745-2000
www.juniper.net
Published: 2010-01-04
Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
JUNOSe Software for E Series Broadband Services Routers Broadband Access Configuration Guide
Release 11.0.x
Copyright © 2010, Juniper Networks, Inc. All rights reserved. Printed in USA.
Writing: Mark Barnard, Diane Florio, Bruce Gillham, Sarah Lesway-Ball, Brian Wesley Simmons, Fran Singer, Poornima Goswami, Chander Aima, Hema Priya J, Krupa Chandrashekar, Subash Babu Asokan, Sairam Venugopalan
Editing: Benjamin Mann
Illustration: Nathaniel Woodward
Cover Design: Edmonds Design
Revision History: January 2010, FRS, JUNOSe 11.0.x
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The JUNOS Software has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
ii
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (AGREEMENT) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer's principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer's principal office is located outside the Americas) (such applicable entity being referred to herein as "Juniper"), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software ("Customer") (collectively, the "Parties").
2. The Software. In this Agreement, "Software" means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. Software also includes updates, upgrades and new releases of such software. "Embedded Software" means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer's use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer's use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customer's right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer's enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any locked or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer's internal business purposes.
7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the "Warranty Statement"). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper's or its suppliers' or licensors' liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product.
Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer's payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer's non-compliance or delay with its responsibilities herein. Customer's obligations under this Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer's ability to export the Software without an export license.
12. Commercial Computer Software. The Software is commercial computer software and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (GPL) or the GNU Library General Public License (LGPL)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).
Abbreviated Table of Contents
About the Documentation xxxvii
Part 1 Managing Remote Access
Chapter 1 Configuring Remote Access 3
Chapter 2 Monitoring and Troubleshooting Remote Access 109
Part 2 Managing RADIUS and TACACS+
Chapter 3 Configuring RADIUS Attributes 165
Chapter 4 Configuring RADIUS Dynamic-Request Server 235
Chapter 5 Configuring RADIUS Relay Server 245
Chapter 6 RADIUS Attribute Descriptions 253
Chapter 7 Application Terminate Reasons 273
Chapter 8 Monitoring RADIUS 297
Chapter 9 Configuring TACACS+ 311
Chapter 10 Monitoring TACACS+ 323
Part 3 Managing L2TP
Chapter 11 L2TP Overview 329
Chapter 12 Configuring an L2TP LAC 337
Chapter 13 Configuring an L2TP LNS 369
Chapter 14 Configuring L2TP Dial-Out 405
Chapter 15 L2TP Disconnect Cause Codes 417
Chapter 16 Monitoring L2TP and L2TP Dial-Out 421
Part 4 Managing DHCP
Chapter 17 DHCP Overview 455
Chapter 18 DHCP Local Server Overview 463
Chapter 19 Configuring DHCP Local Server 471
Chapter 20 Configuring DHCP Relay 489
Chapter 21 Configuring the DHCP External Server Application 517
Chapter 22 Monitoring and Troubleshooting DHCP 533
Part 5 Managing the Subscriber Environment
Chapter 23 Configuring Subscriber Management 577
Chapter 24 Monitoring Subscriber Management 593
Chapter 25 Configuring Subscriber Interfaces 597
Chapter 26 Monitoring Subscriber Interfaces 629
Part 6 Managing Subscriber Services
Chapter 27 Configuring Service Manager 635
Chapter 28 Monitoring Service Manager 701
Part 7 Index
Index 729
Table of Contents
About the Documentation xxxvii
E Series and JUNOSe Documentation and Release Notes .........................xxxvii
Audience ..................................................................................................xxxvii
E Series and JUNOSe Text and Syntax Conventions .................................xxxvii
Obtaining Documentation ........................................................................xxxix
Documentation Feedback .........................................................................xxxix
Requesting Technical Support ...................................................................xxxix
Self-Help Online Tools and Resources ......................................................xl
Opening a Case with JTAC .......................................................................xl
Part 1 Managing Remote Access
Chapter 1 Configuring Remote Access 3
Remote Access Overview ................................................................................4
B-RAS Data Flow .......................................................................................4
Configuring IP Addresses for Remote Clients ............................................4
AAA Overview ..........................................................................................5
Remote Access Platform Considerations .........................................................5
B-RAS Protocol Support ............................................................................5
Remote Access References ..............................................................................6
Before You Configure B-RAS ............................................................................6
Remote Access Configuration Tasks ................................................................6
Configuring a B-RAS License ...........................................................................7
Mapping a User Domain Name to a Virtual Router ..........................................8
Mapping User Requests Without a Valid Domain Name ............................8
Mapping User Requests Without a Configured Domain Name ..................9
Using DNIS ...............................................................................................9
Redirected Authentication .........................................................................9
IP Hinting ...............................................................................................10
Setting Up Domain Name and Realm Name Usage .......................................12
Using the Realm Name as the Domain Name .........................................12
Using Delimiters Other Than @ ..............................................................12
Using Either the Domain or the Realm as the Domain Name ..................13
Specifying the Domain Name or Realm Name Parse Direction ...............13
Stripping the Domain Name ...................................................................14
Domain Name and Realm Name Examples ............................................15
Specifying a Single Name for Users from a Domain ......................................16
Configuring RADIUS Authentication and Accounting Servers ........................18
Server Access ..........................................................................................18
Server Request Processing Limit .............................................................19
Authentication and Accounting Methods .................................................19
Supporting Exchange of Extensible Authentication Protocol Messages ..........................................................................................20
Immediate Accounting Updates ..............................................................21
Duplicate and Broadcast Accounting .......................................................21
Configuring AAA Duplicate Accounting .............................................22
Configuring AAA Broadcast Accounting ............................................22
Overriding AAA Accounting NAS Information ..................................22
UDP Checksums .....................................................................................23
Collecting Accounting Statistics ...............................................................23
Configuring RADIUS AAA Servers ...........................................................23
SNMP Traps and System Log Messages ...................................................36
SNMP Traps ......................................................................................36
System Log Messages .......................................................................37
Configuring SNMP Traps .........................................................................37
Configuring Local Authentication Servers ......................................................40
Creating the Local Authentication Environment ......................................40
Creating Local User Databases ................................................................40
Adding User Entries to Local User Databases ..........................................40
Using the username Command ........................................................41
Using the aaa local username Command ..........................................41
Assigning a Local User Database to a Virtual Router ...............................42
Enabling Local Authentication on the Virtual Router ...............................42
Configuration Commands .......................................................................43
Local Authentication Example .................................................................47
Configuring Tunnel Subscriber Authentication ...............................................50
Configuring Name Server Addresses .............................................................51
Configuration Tasks ................................................................................51
DNS Primary and Secondary NMS Configuration ..............................52
WINS Primary and Secondary NMS Configuration ............................53
Configuring Local Address Servers ................................................................54
Local Address Pool Ranges .....................................................................54
Local Address Pool Aliases ......................................................................55
Shared Local Address Pools ....................................................................55
SNMP Thresholds ....................................................................................56
Configuring a Local Address Server .........................................................56
Configuring DHCP Features ...........................................................................60
Creating an IP Interface .................................................................................61
Single Clients per ATM Subinterface .......................................................61
Multiple Clients per ATM Subinterface ....................................................62
Configuring AAA Profiles ...............................................................................63
Allowing or Denying Domain Names ......................................................64
Configuration Example .....................................................................64
Using Domain Name Aliases ...................................................................65
Manually Setting NAS-Port-Type Attribute ...............................................69
Service-Description Attribute ..................................................................70
Using RADIUS Route-Download Server to Distribute Routes ..........................71
Format of Downloaded Routes ...............................................................71
Framed-Route (RADIUS attribute 22) ................................................72
Cisco-AVPair (Cisco VSA 26-1) ..........................................................72
How the Route-Download Server Downloads Routes ..............................72
Configuring the Route-Download Server to Download Routes .................72
Using the AAA Logical Line Identifier to Track Subscribers ............................76
How the Router Obtains and Uses the LLID ............................................76
RADIUS Attributes in Preauthentication Request ....................................77
Considerations for Using the LLID ...........................................................78
Configuring the Router to Obtain the LLID for a Subscriber ....................79
Troubleshooting Subscriber Preauthentication ........................................81
Using VSAs for Dynamic IP Interfaces ...........................................................82
Traffic Shaping for PPP over ATM Interfaces ...........................................83
Mapping Application Terminate Reasons to RADIUS Terminate Codes .........84
Configuration Example ...........................................................................86
Configuring Timeout .....................................................................................88
Limiting Active Subscribers ...........................................................................89
Notifying RADIUS of AAA Failure ..................................................................90
Configuring Standard RADIUS IPv6 Attributes for IPv6 Neighbor Discovery Router Advertisements and DHCPv6 Prefix Delegation ...........................90
Propagation of LAG Subscriber Information to AAA and RADIUS ..................92
Configuring the SRC Client ............................................................................94
DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview .......101
DHCPv6 Prefix Delegation Example .....................................................103
Order of Preference in Determining the Local Address Pool for Allocating Prefixes ..........................................................................................103
Order of Preference in Allocating Prefixes and Assigning DNS Addresses to Requesting Routers ....................................................................104
Configuring the DHCPv6 Local Address Pools ..............................................104
Limitation on the Number of Prefixes Used by Clients ..........................107
Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links Example ...............................................................................107
Chapter 2 Monitoring and Troubleshooting Remote Access 109
Setting Baselines for Remote Access ...........................................................110
Setting a Baseline for AAA Statistics ......................................................111
Setting a Baseline for AAA Route Downloads ........................................111
Setting a Baseline for COPS Statistics ....................................................111
Setting a Baseline for Local Address Pool Statistics ...............................111
Setting a Baseline for RADIUS Statistics ................................................112
Setting the Baseline for SRC Statistics ...................................................112
How to Monitor PPP Interfaces ...................................................................112
Monitoring AAA Accounting Configuration ..................................................112
Monitoring AAA Accounting Default ............................................................113
Monitoring Accounting Interval ...................................................................114
Monitoring Specific Virtual Router Groups ...................................................114
Monitoring the Default AAA Authentication Method List ..............................115
Monitoring Domain and Realm Name Delimiters ........................................115
Monitoring Mapping Between User Domains and Virtual Routers ...............115
Monitoring Tunnel Subscriber Authentication ..............................................117
Monitoring Routing Table Address Lookup ..................................................118
Monitoring the AAA Model ..........................................................................118
Monitoring IP Addresses of Primary and Secondary DNS and WINS Name Servers ..................................................................................................118
Monitoring AAA Profile Configuration .........................................................119
Monitoring Statistics about the RADIUS Route-Download Server .................120
Monitoring Routes Downloaded by the RADIUS Route-Download Server ....122
Monitoring Chassis-Wide Routes Downloaded by RADIUS Route-Download Servers ..................................................................................................123
Monitoring Authentication, Authorization, and Accounting Statistics ...........125
Monitoring the Number of Active Subscribers Per Port ................................127
Monitoring the Maximum Number of Active Subscribers Per Virtual Router ...................................................................................................127
Monitoring Session Timeouts ......................................................................127
Monitoring Interim Accounting for Users on the Virtual Router ...................128
Monitoring Virtual Router Groups Configured for AAA Broadcast Accounting ............................................................................................128
Monitoring Configuration Information for AAA Local Authentication ...........129
Monitoring AAA Server Attributes ................................................................130
Monitoring the COPS Layer Over SRC Connection ......................................132
Monitoring Statistics About the COPS Layer ................................................134
Monitoring Local Address Pool Aliases ........................................................136
Monitoring Local Address Pools ...................................................................136
Monitoring Local Address Pool Statistics .....................................................138
Monitoring Shared Local Address Pools .......................................................138
Monitoring the Routing Table ......................................................................139
Monitoring the B-RAS License .....................................................................140
Monitoring the RADIUS Server Algorithm ....................................................140
Monitoring RADIUS Override Settings .........................................................140
Monitoring the RADIUS Rollover Configuration ...........................................141
Monitoring RADIUS Server Information .......................................................141
Monitoring RADIUS Services Statistics .........................................................143
Monitoring RADIUS SNMP Traps .................................................................146
Monitoring RADIUS Accounting for L2TP Tunnels .......................................147
Monitoring RADIUS UDP Checksums ..........................................................147
Monitoring RADIUS Server IP Addresses .....................................................147
Monitoring the RADIUS Attribute Used for IPv6 Neighbor Discovery Router Advertisements .....................................................................................148
Monitoring the RADIUS Attribute Used for DHCPv6 Prefix Delegation ........148
Monitoring SRC Client Connection Status ....................................................148
Monitoring SRC Client Connection Statistics ................................................150
Monitoring the SRC Client Version Number .................................................152
Monitoring Subscriber Information ..............................................................152
Monitoring Application Terminate Reason Mappings ..................................157
Monitoring IPv6 Local Pools for DHCP Prefix Delegation By All Configured Pools .....................................................................................................159
Monitoring IPv6 Local Pools for DHCP Prefix Delegation By Pool Name ......160
Monitoring IPv6 Local Pool Statistics for DHCP Prefix Delegation ...............161
Part 2 Managing RADIUS and TACACS+
Chapter 3 Configuring RADIUS Attributes 165
RADIUS Overview .......................................................................................165
RADIUS Services ...................................................................................166
RADIUS Attributes ................................................................................166
RADIUS Platform Considerations ................................................................166
RADIUS References .....................................................................................167
Subscriber AAA Access Messages ................................................................167
Supported RADIUS IETF Attributes .......................................................168
Supported Juniper Networks VSAs ........................................................170
Subscriber AAA Accounting Messages .........................................................175
Supported RADIUS IETF Attributes .......................................................175
Supported Juniper Networks VSAs ........................................................178
Tunnel Accounting Messages ................................................................181
DSL Forum VSAs in AAA Access and Accounting Messages .........................182
CLI AAA Messages .......................................................................................184
CLI Commands Used to Modify RADIUS Attributes .....................................184
RADIUS IETF Attributes ........................................................................185
[4] NAS-IP-Address .........................................................................185
[5] NAS-Port ...................................................................................186
[8] Framed-IP-Address ....................................................................189
[9] Framed-Ip-Netmask ..................................................................189
[13] Framed-Compression ..............................................................190
[25] Class .......................................................................................190
[30] Called-Station-Id ......................................................................191
[31] Calling-Station-Id .....................................................................191
[32] NAS-Identifier .........................................................................196
[41] Acct-Delay-Time ......................................................................198
[44] Acct-Session-Id ........................................................................199
[45] Acct-Authentic .........................................................................200
[49] Acct-Terminate-Cause .............................................................200
[50] Acct-Multi-Session-Id ...............................................................201
[51] Acct-Link-Count .......................................................................201
[52] Acct-Input-Gigawords ..............................................................202
[53] Output-Gigawords ...................................................................202
[55] Event-Timestamp ....................................................................202
[61] NAS-Port-Type ........................................................................203
[64] Tunnel-Type ............................................................................204
[65] Tunnel-Medium-Type ..............................................................205
[66] Tunnel-Client-Endpoint ...........................................................205
[67] Tunnel-Server-Endpoint ..........................................................205
[68] Acct-Tunnel-Connection ..........................................................206
[77] Connect-Info ...........................................................................206
[82] Tunnel-Assignment-Id .............................................................207
[83] Tunnel-Preference ...................................................................208
[87] NAS-Port-Id .............................................................................208
[90] Tunnel-Client-Auth-Id ..............................................................209
[91] Tunnel-Server-Auth-Id .............................................................210
[96] Framed-Interface-Id ................................................................210
[97] Framed-Ipv6-Prefix .................................................................211
[99] Framed-Ipv6-Route .................................................................211
[100] Framed-Ipv6-Pool .................................................................212
[123] Delegated-Ipv6-Prefix ............................................................212
[188] Ascend-Num-In-Multilink .......................................................213
All Tunnel Server Attributes ............................................................213
Juniper Networks Vendor-Specific Attributes .........................................214
[26-1] Virtual-Router .......................................................................214
[26-10] Ingress-Policy-Name ..........................................................214
[26-11] Egress-Policy-Name ............................................................215
[26-14] Service-Category ................................................................216
[26-15] PCR ....................................................................................216
[26-16] SCR ....................................................................................217
[26-17] MBS ...................................................................................217
[26-24] Pppoe-Description ..............................................................217
[26-35] Acct-Input-Gigapackets .......................................................218
[26-36] Acct-Output-Gigapackets ....................................................218
[26-44] Tunnel-Interface-Id .............................................................218
[26-45] Ipv6-Virtual-Router .............................................................219
[26-46] Ipv6-Local-Interface ...........................................................219
[26-47] Ipv6-Primary-DNS ..............................................................220
[26-48] Ipv6-Secondary-DNS ..........................................................220
[26-51] Disconnect-Cause ...............................................................221
[26-53] Service-Description ............................................................221
[26-55] DHCP-Options ....................................................................222
[26-56] DHCP-MAC-Address ...........................................................222
[26-57] DHCP-GI-Address ...............................................................222
[26-62] MLPPP-Bundle-Name .........................................................223
[26-63] Interface-Desc ....................................................................223
[26-81] L2C-Information .................................................................224
[26-92] L2C-Up-Stream-Data ..........................................................224
[26-93] L2C-Down-Stream-Data ......................................................225
[26-129] Ipv6-NdRa-Prefix ..............................................................225
[26-141] Downstream-Calculated-Qos-Rate ....................................226
[26-142] Upstream-Calculated-Qos-Rate .........................................226
[26-143] Max-Clients-Per-Interface .................................................227
[26-150] ICR-Partition-Id ................................................................227
All IPv6 Accounting Attributes ........................................................228
ANCP-Related Juniper Networks VSAs ...................................................229
DSL Forum Vendor-Specific Attributes ..................................................231
Including or Excluding Attributes in RADIUS Messages .........................232
Ignoring Attributes When Receiving Access-Accept Messages ...............233
Chapter 4 Configuring RADIUS Dynamic-Request Server 235
RADIUS Dynamic-Request Server Overview ................................................235
RADIUS Dynamic-Request Server Platform Considerations .........................236
RADIUS Dynamic-Request Server References .............................................236
How RADIUS Dynamic-Request Server Works ............................................237
RADIUS-Initiated Disconnect .......................................................................237
Disconnect Messages ............................................................................237
Message Exchange ......................................................................................237
Supported Error-Cause Codes (RADIUS Attribute 101) ..........................238
Qualifications for Disconnect ................................................................238
Security/Authentication .........................................................................239
Configuring RADIUS-Initiated Disconnect ....................................................239
RADIUS-Initiated Change of Authorization ..................................................239
Change-of-Authorization Messages ........................................................239
Message Exchange ................................................................................240
Supported Error-Cause Codes (RADIUS Attribute 101) ..........................240
Qualifications for Change of Authorization ............................................241
Security/Authentication .........................................................................241
Configuring RADIUS-Initiated Change of Authorization ...............................241
RADIUS Dynamic-Request Server Commands .............................................242
Monitoring RADIUS Dynamic-Request Servers ............................................244
Chapter 5 Configuring RADIUS Relay Server 245
RADIUS Relay Server Overview ...................................................................245
RADIUS Relay Server Platform Considerations ............................................246
RADIUS Relay Server References ................................................................246
How RADIUS Relay Server Works ...............................................................246
Authentication and Addressing .............................................................247
Accounting ............................................................................................247
Terminating the Wireless Subscriber's Connection ...............................248
RADIUS Relay Server and the SRC Software ................................................248
Using the SRC Software for Addressing .................................................248
Using the SRC Application for Accounting .............................................248
Configuring RADIUS Relay Server Support ..................................................249
Monitoring RADIUS Relay Server .................................................................251
Chapter 6 RADIUS Attribute Descriptions 253
RADIUS IETF Attributes ...............................................................................253
Juniper Networks VSAs ................................................................................259
DSL Forum VSAs .........................................................................................270
Pass Through RADIUS Attributes .................................................................271
RADIUS Attributes References .....................................................................272
Chapter 7 Application Terminate Reasons 273
AAA Terminate Reasons ..............................................................................273
L2TP Terminate Reasons .............................................................................274
PPP Terminate Reasons ..............................................................................289
RADIUS Client Terminate Reasons ..............................................................295
Chapter 8 Monitoring RADIUS 297
Monitoring Override Settings of RADIUS IETF Attributes .............................297
Monitoring the NAS-Port-Format RADIUS Attribute .....................................298
Monitoring the Calling-Station-Id RADIUS Attribute .....................................299
Monitoring the NAS-Identifier RADIUS Attribute ..........................................299
Monitoring the Format of the Remote-Circuit-ID for RADIUS .......................300
Monitoring the Delimiter Character in the Remote-Circuit-ID for RADIUS ....300
Monitoring the Acct-Session-Id RADIUS Attribute ........................................300
Monitoring the DSL-Port-Type RADIUS Attribute .........................................301
Monitoring the Connect-Info RADIUS Attribute ...........................................301
Monitoring the NAS-Port-ID RADIUS Attribute .............................................301
Monitoring Included RADIUS Attributes ......................................................302
Monitoring Ignored RADIUS Attributes ........................................................304
Setting the Baseline for RADIUS Dynamic-Request Server Statistics ............304
Monitoring RADIUS Dynamic-Request Server Statistics ...............................305
Monitoring the Configuration of the RADIUS Dynamic-Request Server ........306
Setting a Baseline for RADIUS Relay Statistics .............................................307
Monitoring RADIUS Relay Server Statistics ..................................................307
Monitoring the Configuration of the RADIUS Relay Server ..........................309
Monitoring the Status of RADIUS Relay UDP Checksums ............................310
Monitoring the Status of ICR Partition Accounting .......................................310
Chapter 9 Configuring TACACS+ 311
TACACS+ Overview ...................................................................................311
AAA Overview ......................................................................................312
Administrative Login Authentication .....................................................312
Privilege Authentication ........................................................................313
Login Authorization ..............................................................................313
Accounting ............................................................................................313
TACACS+ Platform Considerations .............................................................315
TACACS+ References .................................................................................315
Before You Configure TACACS+ .................................................................316
Configuring TACACS+ Support ...................................................................316
Configuring Authentication ...................................................................316
Configuring Accounting ........................................................................317
Chapter 10 Monitoring TACACS+ 323
Setting Baseline TACACS+ Statistics ...........................................................323
Monitoring TACACS+ Statistics ...................................................................323
Monitoring TACACS+ Information ..............................................................325
Part 3 Managing L2TP
Chapter 11 L2TP Overview 329
L2TP Overview ............................................................................................329
L2TP Terminology .......................................................................................330
Implementing L2TP .....................................................................................331
Sequence of Events on the LAC ............................................................331
Sequence of Events on the LNS .............................................................332
Packet Fragmentation .................................................................................333
L2TP Platform Considerations .....................................................................334
L2TP Module Requirements ........................................................................334
ERX7xx Models, ERX14xx Models, and the ERX310 Router .................334
E120 Router and E320 Router ..............................................................335
Sessions and Tunnels Supported .................................................................335
L2TP References .........................................................................................336
Chapter 12 Configuring an L2TP LAC 337
LAC Configuration Prerequisites ..................................................................337
Modifying L2TP LAC Default Settings for Managing Destinations, Tunnels, and Sessions .........................................................................................338
Generating UDP Checksums in Packets to L2TP Peers .................................339
Specifying a Destruct Timeout for L2TP Tunnels and Sessions ....................339
Preventing Creation of New Destinations, Tunnels, and Sessions ................340
Preventing Creation of New Destinations, Tunnels, and Sessions on the Router ............................................................................................340
Preventing Creation of New Tunnels and Sessions at a Destination ......341
Preventing Creation of New Sessions for a Tunnel ................................341
Specifying a Drain Timeout for a Disconnected Tunnel .........................341
Shutting Down Destinations, Tunnels, and Sessions ....................................342
Closing Existing and Preventing New Destinations, Tunnels, and Sessions on the Router .................................................................................342
Closing Existing and Preventing New Tunnels and Sessions for a Destination .....................................................................................342
Closing Existing and Preventing New Sessions in a Specific Tunnel ......342
Closing a Specific Session .....................................................................343
Specifying the Number of Retransmission Attempts ....................................343
Configuring Calling Number AVP Formats ...................................................343
Calling Number AVP 22 Configuration Tasks ........................................347
Configuring the Fallback Format ...........................................................348
Disabling the Calling Number AVP ........................................................351
Mapping a User Domain Name to an L2TP Tunnel Overview ......................352
Mapping User Domain Names to L2TP Tunnels from Domain Map Tunnel Mode ....................................................................................................353
Mapping User Domain Names to L2TP Tunnels from Tunnel Group Tunnel Mode ....................................................................................................357
Configuring the RX Speed on the LAC .........................................................359
Managing the L2TP Destination Lockout Process .........................................360
Modifying the Lockout Procedure .........................................................360
Verifying That a Locked-Out Destination Is Available ............................362
Configuring a Lockout Timeout .............................................................362
Unlocking a Destination that is Currently Locked Out ...........................362
Starting an Immediate Lockout Test .....................................................363
Managing Address Changes Received from Remote Endpoints ...................363
Configuring LAC Tunnel Selection Parameters .............................................364
Configuring the Failover Between Preference Levels Method ................364
Configuring the Failover Within a Preference Level Method ..................365
Configuring the Maximum Sessions per Tunnel ....................................366
Configuring the Weighted Load Balancing Method ................................366
Chapter 13 Configuring an L2TP LNS 369
LNS Configuration Prerequisites ..................................................................369
Configuring an LNS .....................................................................................370
Creating an L2TP Destination Profile ...........................................................372
Creating an L2TP Host Profile ......................................................................373
Configuring the Maximum Number of LNS Sessions ...................................374
Configuring the RADIUS Connect-Info Attribute on the LNS ........................374
Overriding LNS Out-of-Resource Result Codes 4 and 5 ................................375
Overriding the Result Codes .................................................................375
Displaying the Current Override Setting ................................................376
Selecting Tunnel-Service Modules for LNS Sessions Using MLPPP ...............376
Assigning Bundled Group Identifiers .....................................................377
Overriding All Endpoint Discriminators ................................................378
Enabling Tunnel Switching ..........................................................................378
Creating Persistent Tunnels .........................................................................379
Testing Tunnel Configuration ......................................................................379
Managing L2TP Destinations, Tunnels, and Sessions ...................................379
Configuring Disconnect Cause Information .................................................380
Generating the Disconnect Cause AVP Globally .....................................380
Generating the Disconnect Cause AVP with a Host Profile ....................381
Enabling RADIUS Accounting for Disconnect Cause ..............................381
Displaying Disconnect Cause Statistics .................................................381
Configuring the Receive Window Size .........................................................382
Configuring the Default Receive Window Size ......................................382
Configuring the Receive Window Size on the LAC ................................383
Configuring the Receive Window Size on the LNS .................................384
Configuring Peer Resynchronization ...........................................................385
Configuring Peer Resynchronization for L2TP Host Profiles and AAA Domain Map Tunnels .....................................................................386
Configuring the Global L2TP Peer Resynchronization Method ...............387
Using RADIUS to Configure Peer Resynchronization .............................388
Configuring L2TP Tunnel Switch Profiles .....................................................388
Applying the L2TP Tunnel Switch Profile ..............................................388
Configuration Guidelines .......................................................................389
Configuring L2TP AVPs for Relay ..........................................................389
Configuration Tasks ..............................................................................390
Enabling Tunnel Switching on the Router .......................................390
Configuring L2TP Tunnel Switch Profiles ........................................390
Applying L2TP Tunnel Switch Profiles by Using AAA Domain Maps ........................................................................................391
Applying L2TP Tunnel Switch Profiles by Using AAA Tunnel Groups .....................................................................................392
Applying Default L2TP Tunnel Switch Profiles ................................393
Applying L2TP Tunnel Switch Profiles by Using RADIUS ................393
Configuring the Transmit Connect Speed Calculation Method .....................394
Transmit Connect Speed Calculation Methods ......................................395
Static Layer 2 .................................................................................395
Dynamic Layer 2 ............................................................................396
QoS ................................................................................................396
Actual .............................................................................................396
Transmit Connect Speed Calculation Examples ....................................396
Example 1: L2TP Session over ATM 1483 Interface ........................396
Example 2: L2TP Session over Ethernet VLAN Interface .................397
Transmit Connect Speed Reporting Considerations ..............................398
Session Termination for Dynamic Speed Timeout ..........................398
Advisory Speed Precedence for VLANs over Bridged Ethernet ........398
Using AAA Domain Maps to Configure the Transmit Connect Speed Calculation Method .........................................................................398
Using AAA Tunnel Groups to Configure the Transmit Connect Speed Calculation Method .........................................................................399
Using AAA Default Tunnel Parameters to Configure the Transmit Connect Speed Calculation Method ..............................................................400
Using RADIUS to Configure the Transmit Connect Speed Calculation Method ...........................................................................................401
PPP Accounting Statistics ............................................................................402
Chapter 14 Configuring L2TP Dial-Out 405
L2TP Dial-Out Overview ..............................................................................405
Terms ...................................................................................................406
Network Model for Dial-Out ..................................................................406
Dial-Out Process ...................................................................................407
Dial-Out Operational States ...................................................................407
Chassis ...........................................................................................407
Virtual Router .................................................................................408
Targets ...........................................................................................408
Sessions .........................................................................................409
Outgoing Call Setup Details ...................................................................410
Access-Request Message ................................................................410
Access-Accept Message ..................................................................411
Outgoing Call ..................................................................................411
Mutual Authentication ....................................................................412
Route Installation ...........................................................................412
L2TP Dial-Out Platform Considerations .......................................................412
L2TP Dial-Out References ............................................................................412
Before You Configure L2TP Dial-Out ...........................................................413
Configuring L2TP Dial-Out ...........................................................................413
Monitoring L2TP Dial-Out ............................................................................415
Chapter 15 L2TP Disconnect Cause Codes 417
L2TP Disconnect Cause Codes .....................................................................417
Chapter 16 Monitoring L2TP and L2TP Dial-Out 421
Monitoring the Mapping for User Domains and Virtual Routers with AAA ....422
Monitoring Configured Tunnel Groups with AAA .........................................424
Monitoring Configuration of Tunnel Parameters with AAA ..........................426
Monitoring Global Configuration Status on E Series Routers ........................427
Monitoring Detailed Configuration Information for Specified Destinations ..........................................................................................429
Monitoring Locked Out Destinations ...........................................................431
Monitoring Configured Destination Profiles or Host Profiles ........................431
Monitoring Configured and Operational Status of all Destinations ...............434
Monitoring Statistics on the Cause of a Session Disconnection ....................435
Monitoring Detailed Configuration Information about Specified Sessions ....436
Monitoring Configured and Operational Summary Status ............................437
Monitoring Configured Switch Profiles on Router ........................................438
Monitoring Detailed Configuration Information about Specified Tunnels .....439
Monitoring Configured and Operational Status of All Tunnels .....................442
Monitoring Chassis-wide Configuration for L2TP Dial-out ............................442
Monitoring Status of Dial-out Sessions .........................................................447
Monitoring Dial-out Targets within the Current VR Context .........................448
Monitoring Operational Status within the Current VR Context .....................450
Part 4 Managing DHCP
Chapter 17 DHCP Overview 455
DHCP Overview Information .......................................................................455
DHCP Platform Considerations ....................................................................456
Session and Resource Control Software ................................................456
DHCP References ........................................................................................457
Configuring the DHCP Access Model ...........................................................457
Configuring DHCP Proxy Clients .................................................................458
Logging DHCP Packet Information ..............................................................459
Viewing and Deleting DHCP Client Bindings ................................................460
Chapter 18 DHCP Local Server Overview 463
Embedded DHCP Local Server Overview ....................................................463
DHCP Local Server and Client Configuration .........................................463
Equal-Access Mode Overview ......................................................................464
Local Pool Selection and Address Allocation .........................................464
The Connection Process ........................................................................465
Standalone Mode Overview .........................................................................466
Local Pool Selection and Address Allocation .........................................466
Server Management Table ....................................................................468
DHCP Local Server Prerequisites .................................................................468
DHCP Local Server Configuration Tasks ......................................................469
Chapter 19 Configuring DHCP Local Server 471
Configuring the DHCP Local Server .............................................................471
Basic Configuration of DHCP Local Server ............................................471
Limiting the Number of IP Addresses Supplied by DHCP Local Server .............................................................................................473
Excluding IP Addresses from Address Pools .........................................473
Configuring DHCP Local Server to Support Creation of Dynamic Subscriber Interfaces ......................................................................474
Differentiating Between Clients with the Same Client ID or Hardware Address ..........................................................................................474
Logging Out DHCP Local Server Subscribers .........................................475
Clearing an IP DHCP Local Server Binding ............................................476
Using SNMP Traps to Monitor DHCP Local Server Events .....................476
Using DHCP Local Server Event Logs ....................................................477
Configuring DHCP Local Address Pools .......................................................478
Basic Configuration of DHCP Local Address Pools .................................478
Linking Local Address Pools ..................................................................480
Setting Grace Periods for Address Leases ..............................................480
Configuring AAA Authentication for DHCP Local Server Standalone Mode ....................................................................................................481
Configuring the DHCPv6 Local Server .........................................................483
Deleting DHCPv6 Client Bindings ................................................................485
Configuring the Router to Work with the SRC Software ...............................486
Chapter 20 Configuring DHCP Relay 489
Configuring DHCP Relay and BOOTP Relay ................................................489
Enabling DHCP Relay ............................................................................490
Removing Access Routes from Routing Tables and NVS .......................490
Treating All Packets as Originating at Trusted Sources ..........................491
Assigning the Giaddr to Source IP Address ............................................491
Protecting Against Spoofed Giaddr and Relay Agent Option Values ......491
Using the Broadcast Flag Setting to Control Transmission of DHCP Reply Packets ...........................................................................................492
Interaction with Layer 2 Unicast Transmission Method ..................493
Preventing DHCP Relay from Installing Host Routes by Default ............494
Configuration Example: Preventing Installation of Host Routes .....494
Including Relay Agent Option Values in the PPPoE Remote Circuit ID ...................................................................................................495
Using the Giaddr to Identify the Primary Interface for Dynamic Subscriber Interfaces .......................................................................................496
Configuring Layer 2 Unicast Transmission Method for Reply Packets to DHCP Clients ..................................................................................496
Using Option 60 Strings to Forward Client Traffic to Specific DHCP Servers ...........................................................................................497
Configuration Example: Using DHCP Relay Option 60 to Specify Traffic Forwarding ...................................................................499
Relaying DHCP Packets That Originate from a Cable Modem ...............500
Configuring Relay Agent Option 82 Information ...................................500
Preventing Option 82 Information from Being Stripped from Trusted Client Packets .................................................................................501
Configuring Relay Agent Information Option (Option 82) Suboption Values ............................................................................................501
Format of the JUNOSe Data Field in the Vendor-Specific Suboption for Option 82 ...........................................................................503
Using the set dhcp relay agent sub-option Command to Enable Option 82 Suboption Support ..................................................505
Configuration Example: Using DHCP Relay Option 82 to Pass IEEE 802.1p Values to DHCP Servers ...............................................507
Using the set dhcp relay agent Command to Enable Option 82 Suboption Support ...................................................................510
Configuring DHCP Relay Proxy ...................................................................512
Enabling DHCP Relay Proxy .................................................................513
Use the First Offer from a DHCP Server ................................................513
Set a Timeout for DHCP Client Renewal Messages ................................513
Managing Host Routes ..........................................................................513
Selecting the DHCP Server Response ..............................................514
Behavior for Bound Clients and Address Renewals .........................514
Chapter 21 Configuring the DHCP External Server Application 517
DHCP External Server Overview .................................................................517
Preservation of Dynamic Subscriber Interfaces with DHCP External Server Overview ..............................................................................................519
DHCP External Server Identification of Clients with Duplicate MAC Addresses Overview ..............................................................................................520
Configuration Guidelines for Using Duplicate MAC Mode ......................521
Restrictions for Using Duplicate MAC Mode to Manage Clients .............521
DHCP External Server Configuration Requirements ....................................522
Enabling and Disabling the DHCP External Server Application ....................522
Monitoring DHCP Traffic Between Remote Clients and DHCP Servers ........523
Synchronizing the DHCP External Application and the Router ....................523
Configuring Interoperation with Ethernet DSLAMs ......................................523
Configuring the DHCP External Server to Support the Creation of Dynamic Subscriber Interfaces ............................................................................524
Configuring DHCP External Server to Control Preservation of Dynamic Subscriber Interfaces ............................................................................526
Configuring Dynamic Subscriber Interfaces for Interoperation with DHCP Relay and DHCP Relay Proxy ................................................................527
Deleting Clients from a Virtual Router's DHCP Binding Table ......................528
Configuring DHCP External Server to Uniquely Identify Clients with Duplicate MAC Addresses .....................................................................................530
Configuring DHCP External Server to Re-Authenticate Auto-Detected Dynamic Subscriber Interfaces ............................................................................531
Chapter 22 Monitoring and Troubleshooting DHCP 533
Setting Baselines for DHCP Statistics ...........................................................534
Setting a Baseline for DHCP Relay and Relay Proxy ..............................534
Setting a Baseline for DHCP Proxy Server Statistics ..............................534
Setting a Baseline for DHCP External Server Statistics ..........................535
Setting a Baseline for DHCP Local Server Statistics ...............................535
Monitoring Addresses Excluded from DHCP Local Server Use .....................535
Monitoring DHCP Bindings ..........................................................................536
Monitoring DHCP Binding Information ........................................................537
Monitoring DHCP Binding Count Information .............................................540
Monitoring DHCP Binding Host Information ................................................542
Monitoring DHCP Bindings (Displaying IP Address-to-MAC Address Bindings) ...............................................................................................544
Monitoring DHCP Bindings (Displaying DHCP Bindings Based on Binding ID) ........................................................................................................545
Monitoring DHCP Bindings (Local Server Binding Information) ...................546
Monitoring DHCP External Server Configuration Information .....................547
Monitoring DHCP External Server Statistics .................................................548
Monitoring DHCP External Server Duplicate MAC Address Setting ..............549
Monitoring DHCP Local Address Pools ........................................................550
Monitoring DHCP Local Server Authentication Information .........................552
Monitoring DHCP Local Server Configuration ..............................................553
Monitoring DHCP Local Server Leases .........................................................554
Monitoring DHCP Local Server Statistics ......................................................555
Monitoring DHCP Option 60 Information ....................................................558
Monitoring DHCP Packet Capture Settings ..................................................559
Monitoring DHCP Relay Configuration Information .....................................560
Monitoring DHCP Relay Proxy Statistics ......................................................561
Monitoring DHCP Relay Statistics ................................................................563
Monitoring DHCP Server and DHCP Relay Agent Statistics ..........................565
Monitoring DHCP Server and Proxy Client Information ...............................566
Monitoring DHCPv6 Local Server Binding Information ................................567
Monitoring DHCPv6 Local Server DNS Search Lists .....................................568
Monitoring DHCPv6 Local Server DNS Servers ............................................569
Monitoring DHCPv6 Local Server Prefix Lifetime ........................................569
Monitoring DHCPv6 Local Server Statistics ..................................................570
Monitoring Duplicate MAC Addresses Use by DHCP Local Server Clients ....571
Monitoring the Maximum Number of Available Leases ...............................572
Monitoring Static IP Address and MAC Address Pairs Supplied by DHCP Local Server ...................................................................................................573
Monitoring Status of DHCP Applications ......................................................574
Part 5 Managing the Subscriber Environment
Chapter 23 Configuring Subscriber Management 577
Subscriber Management Overview ..............................................................577
Subscriber Management Platform Considerations .......................................578
Subscriber Management Attributes ..............................................................578
Dynamic IP Subscriber Interfaces .........................................................578
Subscriber Management Procedure .............................................................579
Configuring Subscriber Management with an External DHCP Server ....580
Subscriber Management Commands ...........................................................581
Subscriber Management Configuration Examples .......................................589
Username with ATM Circuit Identifier and No Circuit Type ...................589
Username with VLAN Circuit Identifier and Circuit Type .......................590
Username with MAC Address ...............................................................590
Chapter 24 Monitoring Subscriber Management 593
Monitoring IP Service Profiles ......................................................................593
Monitoring Active IP Subscribers Created by Subscriber Management ........594
Chapter 25 Configuring Subscriber Interfaces 597
Subscriber Interfaces Overview ...................................................................597
Dynamic Interfaces and Dynamic Subscriber Interfaces .......................598
Relationship to Shared IP Interfaces .....................................................599
Relationship to Primary IP Interfaces ....................................................600
Ethernet Interfaces and VLANs .............................................................600
Moving Interfaces .................................................................................601
Preventing IP Spoofing .........................................................................601
Routing Protocols ..................................................................................601
Policies and QoS ...................................................................................601
Applications ..........................................................................................601
Directing Traffic Toward Special Local Content ..............................602
Differentiating Traffic for VPNs ......................................................603
Subscriber Interfaces Platform Considerations ............................................603
Interface Specifiers ...............................................................................604
Subscriber Interfaces References .................................................................604
Dynamic Creation of Subscriber Interfaces ..................................................604
DHCP Servers .......................................................................................605
DHCP Local Server and Address Allocation ....................................605
DHCP External Server and Address Allocation ................................605
DHCP Relay Configuration .............................................................606
Supported Configurations ...............................................................606
Packet Detection ...................................................................................606
Designating Traffic for the Primary IP Interface ....................................607
Using Framed Routes ............................................................................607
Inheritance of MAC Address Validation State for Dynamic Subscriber Interfaces .......................................................................................607
How MAC Address Validation State Inheritance Works ..................608
Configuration of MAC Address Validation State Inheritance ...........608
Verification of MAC Address Validation State Inheritance ...............609
Configuring Static Subscriber Interfaces ......................................................609
Using a Destination Address to Demultiplex Traffic ..............................610
Using a Source Address to Demultiplex Traffic .....................................611
Configuring Dynamic Subscriber Interfaces .................................................616
Configuring Dynamic Subscriber Interfaces over Ethernet ....................616
Configuring Dynamic Subscriber Interfaces over VLANs .......................617
Configuring Dynamic Subscriber Interfaces over Bridged Ethernet .......618
Configuring Dynamic Subscriber Interfaces over GRE Tunnels .............619
Dynamic Subscriber Interface Configuration Example ..........................620
Chapter 26 Monitoring Subscriber Interfaces 629
Monitoring Subscriber Interfaces Overview .................................................629
Monitoring Subscriber Interfaces .................................................................629
Monitoring Active IP Subscribers Created by Subscriber Management ........630
Part 6 Managing Subscriber Services
Chapter 27 Configuring Service Manager 635
Service Manager Overview ..........................................................................635
Service Manager Terms and Acronyms .................................................636
Service Manager Platform Considerations ...................................................637
Service Manager References ........................................................................637
Service Manager Configuration Tasks ..........................................................637
Service Definitions ......................................................................................639
Creating Service Definitions ..................................................................640
Managing Your Service Definitions .......................................................643
Referencing Policies in Service Definitions ..................................................644
Referencing QoS Configurations in Service Definitions ................................645
Specifying QoS Profiles in a Service Definition .....................................645
Configuring a QoS Profile for Service Manager ...............................645
Specifying QoS Profiles in a Service Definition ...............................646
Specifying QoS Parameter Instances in a Service Definition .................646
Creating a Parameter Instance in a Profile .....................................646
Specifying QoS Parameter Instances in a Service Definition ...........647
Modifying QoS Configurations with Service Manager ............................648
Modifying Parameter Instances ......................................................648
Modifying QoS Configurations in a Single Service Manager Event .......................................................................................650
Modifying QoS Configurations Using Other Sources .......................650
Removing QoS Configurations Referenced by Service Manager ............652
QoS for Service Manager Considerations ..............................................652
RADIUS or Service Manager ...........................................................653
Interoperability with Other Service Components ............................653
QoS Statistics .................................................................................653
Ranges ...........................................................................................653
Configuring the Service Manager License ....................................................653
Managing and Activating Service Sessions ...................................................654
Using RADIUS to Manage Subscriber Service Sessions ................................654
Using RADIUS to Activate Subscriber Service Sessions ..........................655
Service Manager RADIUS Attributes ......................................................656
Using Tags with RADIUS Attributes ................................................658
Using RADIUS to Deactivate Service Sessions .......................................659
Setting Thresholds ..........................................................................659
Using the Deactivate-Service Attribute ............................................660
Using Mutex Groups to Activate and Deactivate Subscriber Services ...........661
Activating and Deactivating Multiple Services .......................................661
Configuring a Mutex Service .................................................................662
Combined and Independent IPv4 and IPv6 Services in a Dual Stack Overview ..............................................................................................663
Activation and Deactivation of IPv4 and IPv6 Services in a Dual Stack ........664
Independent IPv4 and IPv6 Services in a Dual Stack .............................664
Combined IPv4 and IPv6 Service in a Dual Stack ..................................665
Performance Impact on the Router and Compatibility with Previous Releases for an IPv4 and IPv6 Dual Stack .......................................665
Configuring RADIUS Accounting for Service Manager .................................666
Configuring Service Interim Accounting ................................................667
Service Interim Accounting for IPv4 and IPv6 Services in a Dual Stack Overview ........................................................................................670
Using the CLI to Manage Subscriber Service Sessions ..................................671
Using the CLI to Activate Subscriber Service Sessions ...........................671
Preprovisioning Services .......................................................................674
Using Service Session Profiles ...............................................................674
Using the CLI to Deactivate Subscriber Service Sessions .......................677
Gracefully Deactivating Subscriber Service Sessions .......................678
Forcing Immediate Deactivation of Subscriber Service Sessions .....678
Using Service Session Profiles to Deactivate Service Sessions .........679
Configuring Service Manager Statistics ........................................................680
Setting Up the Service Definition File for Statistics Collection ...............680
Enabling Statistics Collection with RADIUS ...........................................681
Enabling Statistics Collection with the CLI .............................................682
External Parent Group Statistics Collection Setup ..................................683
Service Manager Performance Considerations .............................................684
Service Definition Examples ........................................................................684
Tiered Service Example ........................................................................684
Video-on-Demand Service Definition Example .....................................685
Voice-over-IP Service Definition Example .............................................686
Guided Entrance Service Example ........................................................687
Guided Entrance Service Definition Example .................................688
Using CoA Messages with Guided Entrance Services ......................689
Configuring the HTTP Local Server to Support Guided Entrance .....690
Combined IPv4 and IPv6 Service in a Dual Stack Example ...................696
Chapter 28 Monitoring Service Manager 701
Setting a Baseline for HTTP Local Server Statistics ......................................701
Monitoring the Connections to the HTTP Local Server .................................702
Monitoring the Configuration of the HTTP Local Server ...............................702
Monitoring Statistics for Connections to the HTTP Local Server ...................703
Monitoring Profiles for the HTTP Local Server .............................................704
Monitoring the Default Interval for Interim Accounting of Services .............705
Monitoring the Status of the Service Manager License .................................706
Monitoring Profiles for Service Manager ......................................................706
Monitoring IPv4 and IPv6 Interfaces for Service Manager ...........................707
Monitoring Service Definitions ....................................................................717
Monitoring Service Session Profiles .............................................................718
Monitoring Active Owner Sessions with Service Manager ............................719
Monitoring Active Subscriber Sessions with Service Manager ......................721
Monitoring the Number of Active Subscriber and Service Sessions with Service Manager ...................................................................................724
Part 7 Index
Index ...........................................................................................................729
List of Figures
Part 1 Managing Remote Access
Chapter 1 Configuring Remote Access 3
Figure 1: Local Address Pool Hierarchy .........................................................54
Figure 2: Shared Local Address Pools ............................................................55
Figure 3: Single PPP Clients per ATM Subinterface ........................................61
Figure 4: Multiple PPP Clients per ATM Subinterface .....................................62
Part 2 Managing RADIUS and TACACS+
Chapter 4 Configuring RADIUS Dynamic-Request Server 235
Figure 5: Sample Remote Access Network Using RADIUS ...........................236
Chapter 5 Configuring RADIUS Relay Server 245
Figure 6: RADIUS Relay Server ....................................................................246
Part 3 Managing L2TP
Chapter 11 L2TP Overview 329
Figure 7: Using the E Series Router as an LAC .............................................330
Figure 8: Using the E Series Router as an LNS .............................................330
Chapter 12 Configuring an L2TP LAC 337
Figure 9: Lockout States ..............................................................................361
Chapter 14 Configuring L2TP Dial-Out 405
Figure 10: Network Model for Dial-Out ........................................................406
Part 4 Managing DHCP
Chapter 18 DHCP Local Server Overview 463
Figure 11: Non-PPP Equal Access via the Router .........................................466
Chapter 19 Configuring DHCP Local Server 471
Figure 12: Non-PPP Equal-Access Configuration Example ...........................486
Chapter 20 Configuring DHCP Relay 489
Figure 13: Passing 802.1p Values to the DHCP Server .................................508
Chapter 21 Configuring the DHCP External Server Application 517
Figure 14: DHCP External Server .................................................................518
Part 5 Managing the Subscriber Environment
Chapter 23 Configuring Subscriber Management 577
JUNOSe 11.0.x Broadband Access Configuration Guide
Figure 15: DHCP External Server .................................................................579
Chapter 25 Configuring Subscriber Interfaces 597
Figure 16: Example of a Dynamic Interface Stack .......................................598
Figure 17: Example of a Dynamic Subscriber Interface ...............................599
Figure 18: Subscriber Interfaces over Ethernet ............................................600
Figure 19: Subscriber Interfaces in a Cable Modem Network .......................602
Figure 20: Associating Subnets with a VPN Using Subscriber Interfaces ......603
Figure 21: IP over Ethernet Dynamic Subscriber Interface Configuration ....606
Figure 22: Subscriber Interfaces Using a Destination Address to Demultiplex
Traffic ...................................................................................................610
Figure 23: Subscriber Interfaces Using a Source Address to Demultiplex
Traffic ...................................................................................................612
Figure 24: IP over Ethernet Dynamic Subscriber Interface Configuration ....617
Figure 25: IP over VLAN over Ethernet Dynamic Subscriber Interface
Configuration ........................................................................................618
Figure 26: IP over Bridged Ethernet over ATM Dynamic Subscriber Interface
Configuration ........................................................................................619
Figure 27: GRE Tunnel Dynamic Subscriber Interface Configuration ...........620
Part 6 Managing Subscriber Services
Chapter 27 Configuring Service Manager 635
Figure 28: Service Manager Configuration Flowchart ...................................639
Figure 29: Sample Service Definition Macro File .........................................642
Figure 30: QoS Configuration Dependency Chain ........................................652
Figure 31: Comparing RADIUS Login and RADIUS CoA Methods .................655
Figure 32: Guided Entrance .........................................................................688
Figure 33: Input Traffic Flow with Rate-Limit Profile on an External Parent
Group for a Combined IPv4/IPv6 Service ..............................................696
Figure 34: Output Traffic Flow with Rate-Limit Profile on an External Parent
Group for a Combined IPv4/IPv6 Service ..............................................696
List of Tables
About the Documentation xxxvii
Table 1: Notice Icons ..............................................................................xxxviii
Table 2: Text and Syntax Conventions ....................................................xxxviii
Part 1 Managing Remote Access
Chapter 1 Configuring Remote Access 3
Table 3: Username and Domain Name Examples .........................................16
Table 4: Local UDP Port Ranges by RADIUS Request Type ............................19
Table 5: RADIUS IETF Attributes in Preauthentication Request .....................78
Table 6: VSAs That Apply to Dynamic IP Interfaces .......................................82
Table 7: Traffic-Shaping VSAs That Apply to Dynamic IP Interfaces ..............83
Table 8: Supported RADIUS Acct-Terminate-Cause Codes .............................84
Table 9: RADIUS Attributes Specifying LAG Interface ....................................93
Table 10: SRC Client and COPS Terminology ................................................94
Chapter 2 Monitoring and Troubleshooting Remote Access 109
Table 11: show aaa accounting Output Fields ..............................................113
Table 12: show aaa accounting vr-group Output Fields ................................114
Table 13: show aaa domain-map Output Fields ...........................................116
Table 14: show aaa profile Output Fields .....................................................119
Table 15: show aaa route-download Output Fields ......................................120
Table 16: show aaa route-download routes Output Fields ............................122
Table 17: show aaa route-download routes global Output Fields .................124
Table 18: show aaa statistics Output Fields .................................................126
Table 19: show configuration category aaa global-attributes Output
Fields ....................................................................................................129
Table 20: show configuration category aaa local-authentication Output
Fields ....................................................................................................130
Table 21: show configuration category aaa server-attributes include-defaults
Output Fields ........................................................................................131
Table 22: show cops info Output Fields .......................................................133
Table 23: show cops statistics Output Fields ................................................135
Table 24: show ip local alias Output Fields ..................................................136
Table 25: show ip local pool Output Fields ..................................................137
Table 26: show ip local shared-pool Output Fields .......................................139
Table 27: show radius override Output Fields ..............................................140
Table 28: show radius servers Output Fields ...............................................142
Table 29: show radius statistics Output Fields .............................................145
Table 30: show sscc info Output Fields ........................................................149
Table 31: show sscc statistics Output Fields ................................................151
Table 32: show subscribers Output Fields ...................................................156
Table 33: show terminate-code Output Fields .............................................159
Table 34: show ipv6 local pool Output Fields ..............................................159
Table 35: show ipv6 local pool poolName Output Fields .............................160
Table 36: show ipv6 local pool statistics Output Fields ................................162
Part 2 Managing RADIUS and TACACS+
Chapter 3 Configuring RADIUS Attributes 165
Table 37: AAA Access Message RADIUS IETF Attributes Supported .............168
Table 38: AAA Access Message Juniper Networks (Vendor ID 4874) VSAs
Supported .............................................................................................170
Table 39: AAA Accounting Message RADIUS IETF Attributes Supported ......176
Table 40: AAA Accounting Message Juniper Network (Vendor ID 4874) VSAs
Supported .............................................................................................179
Table 41: AAA Accounting Tunnel Message RADIUS Attributes
Supported .............................................................................................181
Table 42: DSL Forum (Vendor ID 3561) VSAs Supported in AAA Access and
Accounting Messages ............................................................................183
Table 43: CLI AAA Access Message RADIUS Attributes Supported ...............184
Table 44: ANCP (L2C)-Related Keywords for radius include Command .......229
Chapter 4 Configuring RADIUS Dynamic-Request Server 235
Table 45: Error-Cause Codes (RADIUS Attribute 101) ..................................238
Table 46: Error-Cause Codes (RADIUS Attribute 101) ..................................240
Chapter 5 Configuring RADIUS Relay Server 245
Table 47: Required RADIUS Access-Request Attributes ...............................247
Table 48: Required RADIUS Accounting Attributes ......................................248
Chapter 6 RADIUS Attribute Descriptions 253
Table 49: RADIUS IETF Attributes Supported by JUNOSe Software ..............253
Table 50: Juniper Networks (Vendor ID 4874) VSA Formats ........................259
Table 51: JUNOSe Software DSL Forum (Vendor ID 3561) VSA Formats .....270
Table 52: RADIUS Attribute Passed Through by JUNOSe Software ..............272
Chapter 7 Application Terminate Reasons 273
Table 53: Default AAA Mappings .................................................................273
Table 54: Default L2TP Mappings ................................................................274
Table 55: Default PPP Mappings ..................................................................289
Table 56: Default RADIUS Client Mappings .................................................295
Chapter 8 Monitoring RADIUS 297
Table 57: show radius override Output Fields ..............................................298
Table 58: show radius attributes-included Output Fields ..............................303
Table 59: show radius dynamic-request statistics Output Fields ..................305
Table 60: show radius dynamic-request servers Output Fields ....................306
Table 61: show radius relay statistics Output Fields ....................................308
Table 62: show radius relay servers Output Fields .......................................309
Table 63: show radius relay udp-checksum Output Fields ...........................310
Chapter 9 Configuring TACACS+ 311
Table 64: TACACS-Related Terms ................................................................312
Table 65: TACACS+ Accounting Information ..............................................314
Chapter 10 Monitoring TACACS+ 323
Table 66: show statistics tacacs Output Fields .............................................324
Table 67: show tacacs Output Fields ...........................................................325
Part 3 Managing L2TP
Chapter 11 L2TP Overview 329
Table 68: L2TP Terms .................................................................................330
Chapter 13 Configuring an L2TP LNS 369
Table 69: L2TP-Resynch-Method RADIUS Attribute .....................................388
Table 70: Transmit Connect Speeds for L2TP over ATM 1483 Example ......397
Table 71: Transmit Connect Speeds for L2TP over Ethernet Example .........397
Table 72: Tunnel-Tx-Speed-Method RADIUS Attribute .................................402
Chapter 14 Configuring L2TP Dial-Out 405
Table 73: L2TP Dial-Out Terms ...................................................................406
Table 74: Chassis Operational States ...........................................................408
Table 75: Virtual Router Operational States .................................................408
Table 76: Target Operational States .............................................................408
Table 77: Session Operational States ...........................................................409
Table 78: Additions to RADIUS Attributes in Access-Accept Messages .........411
Chapter 15 L2TP Disconnect Cause Codes 417
Table 79: PPP Disconnect Cause Codes .......................................................417
Chapter 16 Monitoring L2TP and L2TP Dial-Out 421
Table 80: show aaa domain-map Output Fields ...........................................422
Table 81: show aaa tunnel-group Output Fields ...........................................424
Table 82: show aaa tunnel-parameters Output Fields ..................................426
Table 83: show l2tp Output Fields ...............................................................428
Table 84: show l2tp destination Output Fields .............................................430
Table 85: show l2tp destination lockout Output Fields ................................431
Table 86: show l2tp destination profile Output Fields ..................................433
Table 87: show l2tp destination summary Output Fields .............................434
Table 88: show l2tp received-disconnect-cause-summary Output Fields ......435
Table 89: show l2tp session Output Fields ...................................................436
Table 90: show l2tp session summary Output Fields ...................................438
Table 91: show l2tp switch-profile Output Fields .........................................438
Table 92: show l2tp tunnel Output Fields ....................................................440
Table 93: show l2tp tunnel summary Output Fields ....................................442
Table 94: show l2tp dial-out Output Fields ..................................................444
Table 95: show l2tp dial-out session Output Fields ......................................448
Table 96: show l2tp dial-out target Output Fields ........................................449
Table 97: show l2tp dial-out virtual-router Output Fields .............................451
Part 4 Managing DHCP
Chapter 18 DHCP Local Server Overview 463
Table 98: Local Pool Selection in Equal-Access Mode ..................................465
Table 99: Local Pool Selection in Standalone Mode Without AAA Authentication ......467
Table 100: Local Pool Selection in Standalone Mode with AAA Authentication ......467
Chapter 20 Configuring DHCP Relay 489
Table 101: Router Configuration and Transmission of DHCP Reply
Packets .................................................................................................493
Table 102: Effect of Commands on Option 82 Suboption Settings ..............503
Chapter 22 Monitoring and Troubleshooting DHCP 533
Table 103: show ip dhcp-local excluded Output Fields ................................536
Table 104: show dhcp binding Output Fields ...............................................539
Table 105: show dhcp count Output Fields ..................................................541
Table 106: show dhcp host Output Fields ....................................................543
Table 107: show ip dhcp-external binding Output Fields .............................545
Table 108: show ip dhcp-external binding-id ...............................................546
Table 109: show ip dhcp-local binding Output Fields ..................................547
Table 110: show ip dhcp-external configuration Output Fields ....................547
Table 111: show ip dhcp-external statistics Output Fields ...........................548
Table 112: show dhcp-external Output Fields ..............................................549
Table 113: show ip dhcp-local pool Output Fields ........................................551
Table 114: show ip dhcp-local auth Output Fields .......................................552
Table 115: show ip dhcp-local Output Fields ...............................................553
Table 116: show ip dhcp-local leases Output Fields .....................................555
Table 117: show ip dhcp-local statistics Output Fields .................................556
Table 118: show dhcp vendor-option Output Fields ....................................559
Table 119: show ip dhcp-capture Output Fields ...........................................559
Table 120: show dhcp relay Output Fields ...................................................560
Table 121: show dhcp relay proxy statistics Output Fields ..........................562
Table 122: show dhcp relay statistics Output Fields ....................................564
Table 123: show dhcp server statistics Output Fields ..................................566
Table 124: show dhcp server Output Fields .................................................567
Table 125: show ipv6 dhcpv6-local binding Output Fields ...........................568
Table 126: show ipv6 dhcpv6-local dns-domain-searchlist Output Fields .....568
Table 127: show ipv6 dhcpv6-local dns-servers Output Fields .....................569
Table 128: show ipv6 dhcpv6-local prefix-lifetime Output Fields .................569
Table 129: show ipv6 dhcpv6-local statistics Output Fields .........................570
Table 130: show ip dhcp-local duplicate-clients Output Fields .....................571
Table 131: show ip dhcp-local limits Output Fields ......................................572
Table 132: show ip dhcp-local reserved Output Fields .................................573
Table 133: show dhcp summary Output Fields ...........................................574
Part 5 Managing the Subscriber Environment
Chapter 24 Monitoring Subscriber Management 593
Table 134: show ip service-profile Output Fields .........................................593
Table 135: show ip-subscriber Output Fields ...............................................595
Chapter 26 Monitoring Subscriber Interfaces 629
Table 136: show ip demux interface Output Fields ......................................629
Table 137: show ip-subscriber Output Fields ...............................................631
Part 6 Managing Subscriber Services
Chapter 27 Configuring Service Manager 635
Table 138: Service Manager Terms and Acronyms ......................................636
Table 139: JUNOSe Objects Tracked by Service Manager ............................640
Table 140: Sample Modifications Using the Add and Initial-Value
Keywords ..............................................................................................649
Table 141: Sample Modifications Using Parameter Instances ......................649
Table 142: Configuration Within a Single Service Manager Event ................650
Table 143: Modifying QoS Configurations with Other Sources .....................651
Table 144: Service Manager RADIUS Attributes ...........................................657
Table 145: Sample RADIUS Access-Accept Packet .......................................658
Table 146: Using Tags .................................................................................659
Table 147: Service Manager RADIUS Accounting Attributes ........................667
Table 148: Determining the Service Interim Accounting Interval .................668
Table 149: Sample Acct-Start Message for a Service Session .......................668
Table 150: RADIUS-Enabled Statistics .........................................................681
Table 151: Deactivating a Guided Entrance Service .....................................690
Chapter 28 Monitoring Service Manager 701
Table 152: show ip http scalar Output Fields ...............................................702
Table 153: show ip http server Output Fields ..............................................703
Table 154: show ip http statistics Output Fields ..........................................704
Table 155: show profile Output Fields .........................................................705
Table 156: show aaa service accounting interval Output Fields ...................705
Table 157: show license service-management Output Fields .......................706
Table 158: show profile Output Fields .........................................................707
Table 159: show ip interface Output Fields .................................................709
Table 160: show ipv6 interface Output Fields ..............................................712
Table 161: show service-management service-definition Output Fields .......717
Table 162: show service-management service-session-profile Output
Fields ....................................................................................................719
Table 163: show service-management owner-session Output Fields ...........720
Table 164: show service-management subscriber-session Output Fields .....723
Table 165: show service-management summary Output Fields ...................725
About the Documentation
E Series and JUNOSe Documentation and Release Notes on page xxxvii
Audience on page xxxvii
E Series and JUNOSe Text and Syntax Conventions on page xxxvii
Obtaining Documentation on page xxxix
Documentation Feedback on page xxxix
Requesting Technical Support on page xxxix
E Series and JUNOSe Documentation and Release Notes
For a list of related JUNOSe documentation, see
http://www.juniper.net/techpubs/software/index.html .
If the information in the latest release notes differs from the information in the documentation, follow the JUNOSe Release Notes.
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
Audience
This guide is intended for experienced system and network specialists working with Juniper Networks E Series Broadband Services Routers in an Internet access environment.
E Series and JUNOSe Text and Syntax Conventions
Table 1 on page xxxviii defines notice icons used in this documentation.
Table 1: Notice Icons
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Table 2 on page xxxviii defines text and syntax conventions that we use throughout the E Series and JUNOSe documentation.
Table 2: Text and Syntax Conventions
Bold text like this
    Represents commands and keywords in text.
    Examples: Issue the clock source command. Specify the keyword exp-msg.
Bold text like this
    Represents text that the user must type.
    Example: host1(config)#traffic class low-loss1
Fixed-width text like this
    Represents information as displayed on your terminal's screen.
    Example: host1#show ip ospf 2
             Routing Process OSPF 2 with Router ID 5.5.0.250
             Router is an Area Border Router (ABR)
Italic text like this
    Emphasizes words.
    Example: There are two levels of access: user and privileged.
    Identifies variables.
    Example: clusterId, ipAddress.
    Identifies chapter, appendix, and book names.
    Example: Appendix A, System Specifications
Plus sign (+) linking key names
    Indicates that you must press two or more keys simultaneously.
    Example: Press Ctrl + b.
Syntax Conventions in the Command Reference Guide
Plain text like this
    Represents keywords.
    Example: terminal length
Italic text like this
    Represents variables.
    Example: mask, accessListName
| (pipe symbol)
    Represents a choice to select one keyword or variable to the left or to the right of this symbol. (The keyword or variable can be either optional or required.)
    Example: diagnostic | line
[ ] (brackets)
    Represent optional keywords or variables.
    Example: [ internal | external ]
[ ]* (brackets and asterisk)
    Represent optional keywords or variables that can be entered more than once.
    Example: [ level1 | level2 | l1 ]*
{ } (braces)
    Represent required keywords or variables.
    Examples: { permit | deny } { in | out }
              { clusterId | ipAddress }
Obtaining Documentation
To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks Web site at
http://www.juniper.net/.
To download complete sets of technical documentation to create your own documentation CD-ROMs or DVD-ROMs, see the CD-ROM and DVD-ROM Documentation page at
http://www.juniper.net/techpubs/resources/cdrom.html
Copies of the Management Information Bases (MIBs) available in a software release are included on the software CDs and at http://www.juniper.net/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation to better meet your needs. Send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
Document or topic name
URL or page number
Software release version
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/7100059-EN.pdf .
Product warranties: For product warranty information, visit
http://www.juniper.net/support/warranty/ .
JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base:
http://kb.juniper.net/
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting support.html .
Part 1
Managing Remote Access
Configuring Remote Access on page 3
Monitoring and Troubleshooting Remote Access on page 109
Chapter 1
Configuring Remote Access
This chapter describes how to configure remote access to a Juniper Networks E Series Broadband Services Router. This chapter discusses the following topics:
Remote Access Overview on page 4
Remote Access Platform Considerations on page 5
Remote Access References on page 6
Before You Configure B-RAS on page 6
Remote Access Configuration Tasks on page 6
Configuring a B-RAS License on page 7
Mapping a User Domain Name to a Virtual Router on page 8
Setting Up Domain Name and Realm Name Usage on page 12
Specifying a Single Name for Users from a Domain on page 16
Configuring RADIUS Authentication and Accounting Servers on page 18
Configuring Local Authentication Servers on page 40
Configuring Tunnel Subscriber Authentication on page 50
Configuring Name Server Addresses on page 51
Configuring Local Address Servers on page 54
Configuring DHCP Features on page 60
Creating an IP Interface on page 61
Configuring AAA Profiles on page 63
Using RADIUS Route-Download Server to Distribute Routes on page 71
Using the AAA Logical Line Identifier to Track Subscribers on page 76
Using VSAs for Dynamic IP Interfaces on page 82
Mapping Application Terminate Reasons to RADIUS Terminate Codes on page 84
Configuring Timeout on page 88
Limiting Active Subscribers on page 89
Notifying RADIUS of AAA Failure on page 90
Configuring Standard RADIUS IPv6 Attributes for IPv6 Neighbor Discovery Router Advertisements and DHCPv6 Prefix Delegation on page 90
Propagation of LAG Subscriber Information to AAA and RADIUS on page 92
Configuring the SRC Client on page 94
DHCPv6 Local Address Pools for Allocation of IPv6 Prefixes Overview on page 101
Configuring the DHCPv6 Local Address Pools on page 104
Using DHCPv6 Local Address Pools for Prefix Delegation over non-PPP Links Example on page 107
Remote Access Overview
Broadband Remote Access Server (B-RAS) is an application running on your router that:
Aggregates the output from digital subscriber line access multiplexers (DSLAMs)
Provides user Point-to-Point Protocol (PPP) sessions or IP-over-Asynchronous Transfer Mode (ATM) sessions
Enforces quality of service (QoS) policies
Routes traffic into an Internet service provider's (ISP's) backbone network
B-RAS Data Flow
A DSLAM collects data traffic from multiple subscribers into a centralized point so that it can be uploaded to the router over an ATM connection via a DS3, OC3, E3, or OC12 link.
The router provides the logical termination for PPP sessions, as well as the interface to authentication and accounting systems.
The router performs several tasks to establish a PPP connection for a digital subscriber line (DSL) PPP user. This is an example of the way B-RAS data might flow:
1. Authenticate the subscriber using RADIUS authentication.
2. Assign an IP address to the PPP/IP session via RADIUS, local address pools, or Dynamic Host Configuration Protocol (DHCP).
3. Terminate the PPP encapsulation or tunnel the PPP session.
4. Provide user accounting via RADIUS.
NOTE: For information about configuring RADIUS attributes, see Configuring RADIUS Attributes on page 165.
Configuring IP Addresses for Remote Clients
A remote client can obtain an IP address from one of the following:
RADIUS server
Local address server
DHCP proxy client and server
DHCP relay agent (Bridged IP only)
DHCP local server
DHCP external server
For information about configuring DHCP support on the E Series router, see DHCP Overview on page 455.
For information about how to configure a RADIUS server, see your RADIUS server documentation.
AAA Overview
Collectively, authentication, authorization, and accounting are referred to as AAA. Each has an important but separate function.
Authentication: Determines who the user is, then determines whether that user should be granted access to the network. Its primary purpose is to keep intruders out of the network. It uses a database of users and passwords.
Authorization: Determines what the user is allowed to do, giving network managers the ability to limit network services to different users.
Accounting: Tracks what the user did and when they did it. You can use accounting for an audit trail or for billing for connection time or resources used.
Central management of AAA means the information is in a single, centralized, secure database, which is much easier to administer than information distributed across numerous devices.
Remote Access Platform Considerations
B-RAS services are supported on all E Series routers.
For information about the modules supported on E Series routers:
See the ERX Module Guide for modules supported on ERX7xx models, ERX14xx models, and the ERX310 Broadband Services Router.
See the E120 and E320 Module Guide for modules supported on the Juniper Networks E120 and E320 Broadband Services Routers.
B-RAS Protocol Support
The E Series router supports the following protocols for B-RAS services:
PPP
PPP over Ethernet (PPPoE)
Remote Access Platform Considerations 5
Page 46
JUNOSe 11.0.x Broadband Access Configuration Guide
Bridged Ethernet
Layer 2 Tunneling Protocol (L2TP), both L2TP access concentrator (LAC) and L2TP network server (LNS)
Remote Access References
For more information about the topics covered in this chapter, see the following documents:
RFC 2748—The COPS (Common Open Policy Service) Protocol (January 2000)
RFC 2865—Remote Authentication Dial In User Service (RADIUS) (June 2000)
RFC 3084—COPS Usage for Policy Provisioning (COPS-PR) (March 2001)
RFC 3159—Structure of Policy Provisioning Information (SPPI) (August 2001)
RFC 3198—Terminology for Policy-Based Management (November 2001)
RFC 3317—Differentiated Services Quality of Service Policy Information Base (DIFFSERV-PIB)
RFC 3318—Framework Policy Information Base (March 2003)
JUNOSe Release Notes, Appendix A, System Maximums—Refer to the Release Notes corresponding to your software release for information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers.
Before You Configure B-RAS
Before you begin to configure B-RAS, you need to collect the following information for the RADIUS authentication and accounting servers:
IP addresses
User Datagram Protocol (UDP) port numbers
Secret keys
Remote Access Configuration Tasks
Each configuration task is presented in a separate section in this chapter. Most of the B-RAS configuration tasks are optional.
To configure B-RAS, perform the following tasks:
1. Configure a B-RAS license.
2. (Optional) Map a user domain name to a virtual router. By default, all requests go through a default router.
3. (Optional) Set up domain name and realm name usage.
4. (Optional) Specify a single name for users from a domain.
5. Configure an authentication server on the router.
6. (Optional) Configure UDP checksums.
7. (Optional) Configure an accounting server on the router.
8. (Optional) Configure Domain Name System (DNS) and Windows Internet Name Service (WINS) name server addresses.
9. (Optional) Configure a local address pool for remote clients.
10. (Optional) Configure one or more DHCP servers.
11. Create a PPP interface on which the router can dynamically create an IP interface.
12. (Optional) Configure AAA profiles.
13. (Optional) Use vendor-specific attributes (VSAs) for Dynamic Interfaces.
14. (Optional) Set idle or session timeout.
15. (Optional) Limit the number of active subscribers on a virtual router (VR) or port.
16. (Optional) Set up the router to notify RADIUS when a user fails AAA.
17. (Optional) Configure a RADIUS download server on the router.
18. (Optional) Configure the Session and Resource Control (SRC) client (formerly the SDX client).
19. (Optional) Set baselines for AAA statistics or RADIUS authentication and accounting statistics.
Configuring a B-RAS License
From Global Configuration mode, configure a B-RAS license:
host1(config)#license b-ras k3n91s6gvtj
B-RAS licenses are available in various sizes to enable subscriber access for up to one of the following maximum number of simultaneous active IP, LAC, and bridged Ethernet interfaces:
4000
8000
16,000
32,000
48,000
NOTE: To use a B-RAS license for 16,000 or more interfaces, each of your SRP modules must have 1 gigabyte (GB) of memory.
license b-ras
Use to specify the B-RAS license.
The license is a unique string of up to 15 alphanumeric characters.
NOTE: Acquire the license from Juniper Networks Customer Service or your Juniper Networks sales representative.
You can purchase licenses that allow up to 2,000, 4,000, 8,000, 16,000, 32,000, or 48,000 simultaneous active IP, LAC, and bridged Ethernet interfaces.
Example
host1(config)#license b-ras jwmR4k8D
Use the no version to disable the license.
See license b-ras
Mapping a User Domain Name to a Virtual Router
You can configure RADIUS authentication, accounting, and local address pools for a specific virtual router and then map a user domain to that virtual router.
The router keeps track of the mapping between domain names and virtual routers. Use the aaa domain-map command to map a user domain to a virtual router.
NOTE: This domain name is not the NT domain sometimes found on the Dialup Networking dialog box.
When the router is configured to require authentication of a PPP user, the router checks for the appropriate user domain-name-to-virtual-router mapping. If it finds a match, the router sends a RADIUS authentication request to the RADIUS server configured for the specific virtual router.
Mapping User Requests Without a Valid Domain Name
You can create a mapping between a domain name called default and a specific virtual router so that the router can map user names that contain a domain name that does not have an explicit map.
If a user request is submitted with a domain name for which the router cannot find a match, the router looks for a mapping between the domain name default and a virtual router. If a match is found, the user's request is processed according to the RADIUS server configured for the named virtual router. If no entry is found that maps default to a specific virtual router, the router sends the request to the RADIUS server configured on the default virtual router.
Mapping User Requests Without a Configured Domain Name
You can map a domain name called none to a specific virtual router so that the router can map user names that do not contain a domain name.
If a user request is submitted without a domain name, the router looks for a mapping between the domain name none and a virtual router. If a match is found, the user's request is processed according to the RADIUS server configured for the named virtual router. If the router does not find the domain name none, it checks for the domain name default. If no matching entries are found, the router sends the request to the server configured on the default virtual router.
Using DNIS
The E Series router supports dialed number identification service (DNIS). With DNIS, if users have a called number associated with them, the router searches the domain map for the called number. If it finds a match, the router uses the matching domain map entry information to authenticate the user. If the router does not find a match, it searches the domain map using normal processing.
NOTE: For DNIS to work, the router must be acting as the LNS. Also, the phone number configured in the aaa domain-map command must be an exact match to the value passed by L2TP in the called number AVP (AVP 21).
For example, as specified in the following sequence, a user calling 9785551212 would be terminated in vrouter_88, while a user calling 8005554433 is terminated in vrouter_100.
host1(config)#aaa domain-map 9785551212 vrouter_88
host1(config)#aaa domain-map 8005554433 vrouter_100
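The lookup order described in the three sections above (DNIS called number, explicit domain entry, the none and default entries, and finally the default virtual router's own RADIUS server) as an added Python model. This is illustration code written for this page, not JUNOSe code; it assumes exact string matching of map keys and a default virtual router named default, and it is populated with the aaa domain-map entries shown in this chapter plus the two DNIS entries above.

```python
from typing import Dict, Optional, Tuple

DEFAULT_VR = "default"  # name assumed for the router's default virtual router


class DomainMap:
    """Models the aaa domain-map lookup order (added illustration, not router code)."""

    def __init__(self) -> None:
        # key -> virtual router, as entered with: aaa domain-map <key> <vr>
        # A key is a domain name, the literal "none" or "default", or a DNIS called number.
        self.entries: Dict[str, str] = {}

    def add(self, key: str, vr: str) -> None:
        self.entries[key] = vr

    def remove(self, key: str) -> None:  # no aaa domain-map <key>
        self.entries.pop(key, None)

    def resolve(self, domain: Optional[str],
                called_number: Optional[str] = None) -> Tuple[str, str]:
        """Return (virtual_router, matched_by) for a subscriber's parsed domain name.

        Order, as the text states it: a DNIS called number present in the map wins;
        a request with no domain tries "none" and then "default"; a domain without
        an explicit entry tries "default"; anything else goes to the default VR.
        """
        if called_number is not None and called_number in self.entries:
            return self.entries[called_number], "dnis"
        if domain is None:
            for key in ("none", "default"):
                if key in self.entries:
                    return self.entries[key], key
            return DEFAULT_VR, "default-vr"
        if domain in self.entries:
            return self.entries[domain], "explicit"
        if "default" in self.entries:
            return self.entries["default"], "default"
        return DEFAULT_VR, "default-vr"


def demo() -> Dict[str, Tuple[str, str]]:
    """Build the map from this chapter's examples and resolve a few constructed users."""
    dm = DomainMap()
    dm.add("juniper.net", "vrouter_1")
    dm.add("none", "vrouter_all_purpose")
    dm.add("default", "vrouter_all_purpose")
    dm.add("8005558934", "vrouter_78")
    dm.add("9785551212", "vrouter_88")
    return {
        "jill@juniper.net": dm.resolve("juniper.net"),
        "bob@unknown.example": dm.resolve("unknown.example"),
        "pete (no domain)": dm.resolve(None),
        "lori@juniper.net calling 9785551212": dm.resolve("juniper.net", called_number="9785551212"),
        "lori@juniper.net calling 5555550100": dm.resolve("juniper.net", called_number="5555550100"),
    }


if __name__ == "__main__":
    for user, (vr, how) in demo().items():
        print(f"{user:40s} -> {vr} ({how})")
```

The matched_by value is what a practitioner would want in a debug log when a subscriber lands in an unexpected virtual router: it tells whether the DNIS entry, the explicit entry or one of the catch-all entries decided the placement.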
Redirected Authentication
Redirected authentication provides a way to offload AAA activity on the router, by providing the domain-mapping-like feature remotely on the RADIUS server. Redirected authentication works as follows:
1. The router sends an authentication request (in the form of a RADIUS Access-Request message) to the RADIUS server that is configured in the default VR.
2. The RADIUS server determines the user's AAA VR context and returns this information in a RADIUS response message to the router.
3. The router then behaves in a similar fashion as if it had received the VR context from the local domain map.
To maintain local control, the only VR allowed to redirect authentication is the default VR. Also, to prevent loopbacks, the redirection may occur only once to a non-default VR.
To maintain flexibility, the redirection response may include idle time or session attributes that are considered as default unless the redirected authentication server overrides them. For example, if the RADIUS server returns the VR context along with an idle timeout attribute with the value set to 20 minutes, the router uses this idle timeout value unless the RADIUS server configured in the VR context returns a different value.
Since the router supports the RADIUS User-Name attribute [1] in the RADIUS response message, the default VR RADIUS server may override the user's name (this can be a stripped name or an entirely different name). Overriding is useful for the case when the user enters a login name containing a domain name that is significant only to the RADIUS server in the default VR.
IP Hinting
You can allocate an address before authentication of PPP sessions. This address is included in the Access-Request sent to the authentication server as an IP address hint.
aaa domain-map
Use to map a user domain name to a virtual router or a loopback interface.
When you specify only the domain name, the command sets the mode to Domain Map Configuration.
Example
host1(config)#aaa domain-map juniper.net vrouter_1
host1(config)#aaa domain-map none vrouter_all_purpose
host1(config)#aaa domain-map default vrouter_all_purpose
host1(config)#aaa domain-map 8005558934 vrouter_78
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#
Use the no version to delete the map entry.
See aaa domain-map
ip-hint
Use to preallocate an IP address for the remote B-RAS user before authenticating the remote user.
The address is passed as a hint in the authentication request.
Example
host1(config-domain-map)#ip-hint enable
Use the no version to disable the feature.
See ip-hint
ipv6-local-interface
Use to map a user domain name to an IP version 6 (IPv6) loopback interface.
The local interface identifies the interface information to use on the local (E Series) side of the subscriber's interface.
Example
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#ipv6-local-interface 2001:db8::8000
Use the no version to delete the entry.
See ipv6-local-interface
ipv6-router-name
Use to map a user domain name to an IPv6 virtual router in Domain Map Configuration mode.
Example
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#ipv6-router-name vroutv6
Use the no version to delete the entry.
See ipv6-router-name
local-interface
Use to map a user domain name to a loopback interface.
The local interface identifies the interface information to use on the local (E Series) side of the subscriber's interface.
Example
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#local-interface 10.10.5.30
Use the no version to delete the entry.
See local-interface
router-name
Use to map a user domain name to a virtual router.
Example
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#router-name vrout
Use the no version to delete the entry.
See router-name
Setting Up Domain Name and Realm Name Usage
To provide flexibility in how the router handles different types of usernames, the software lets you specify the part of a username to use as the domain name, how the domain name is designated, and how the router parses names. It also allows you to set whether or not the router strips the domain name from the username before it sends the username to the RADIUS server.
By default, the router parses usernames as follows:
realmName/personalName@domainName
The string to the left of the forward slash (/) is the realm name, and the string to the right of the at-symbol (@) is the domain name. For example, in the username juniper/jill@abc.com, juniper is the realm name and abc.com is the domain name.
The router allows you to:
Use the realm name as the domain name.
Use delimiters other than / to designate the realm name.
Use delimiters other than @ to designate the domain name.
Use either the domain or the realm as the domain name when the username contains both a realm and domain name.
Change the direction in which the router searches for the domain name or the realm name.
To provide these features, the router allows you to specify delimiters for the domain name and realm name. You can use up to eight one-character delimiters each for domain and realm names. The router also lets you specify how it parses usernames to determine which part of a username to use as the domain name.
Using the Realm Name as the Domain Name
Typically, a realm appears before the user field and is separated with the / character; for example, usEast/jill@abc.com. To use the realm name usEast rather than abc.com as the domain name, set the realm name delimiter to /. For example:
host1(config)#aaa delimiter realmName /
This command causes the router to use the string to the left of the / as the domain name. If the realm name delimiter is null (the default), the router will not search for the realm name.
Using Delimiters Other Than @
You can set up the router to recognize delimiters other than @ to designate the domain name. Suppose there are two users: bob@abc.com and pete!xyz.com, and you want to use both of their domain names. In this case you would set the domain name delimiter to @ and !. For example:
host1(config)#aaa delimiter domainName @!
Using Either the Domain or the Realm as the Domain Name
If the username contains both a realm name and a domain name delimiter, you can use either the domain name or the realm name as the domain name. As previously mentioned, the router treats usernames with multiple delimiters as though the realm name is to the left of the realm delimiter and the domain name is to the right of the domain delimiter.
If you set the parse order to:
domain-first—The router searches for a domain name first. For example, for username usEast/lori@abc.com, the domain name is abc.com.
realm-first—The router searches for a realm name first and uses the realm name as the user's domain name. For username usEast/lori@abc.com, the domain is usEast.
For example, if you set the delimiter for the realm name to / and set the delimiter for the domain name to @, the router parses the realm first by default. The username usEast/lori@abc.com results in a domain name of usEast. To cause the parsing to return abc.com as the domain, enter the aaa parse-order domain-first command.
Specifying the Domain Name or Realm Name Parse Direction
You can specify the direction (either left to right or right to left) in which the router performs the parsing operation when identifying the realm name or domain name. This feature is particularly useful if the username contains nested realm or domain names. For example, for a username of userjohn@abc.com@xyz.com, you can identify the domain as either abc.com@xyz.com or as xyz.com, depending on the parse direction that you specify.
You use either the left-to-right or right-to-left keywords with one of the following keywords to specify the type of search and parsing that the router performs:
domainName—The router searches for the next domain delimiter value in the direction specified. When it reaches a delimiter, the router uses anything to the right of the delimiter as the domain name. Domain parsing is from right to left by default.
realmName—The router searches for the next realm delimiter value in the direction specified. When it reaches a delimiter, the router uses anything to the left of the delimiter as the realm name. Realm parsing is from left to right by default.
Example
host1(config)#aaa parse-direction domainName left-to-right
Stripping the Domain Name
The router provides a feature that strips the domain name from the username before it sends the name to the RADIUS server in an Access-Request message. You can enable or disable this feature using the strip-domain command.
By default, the domain name is the text after the last @ character. However, if you changed the domain name parsing using the aaa delimiter, aaa parse-order, or aaa parse-direction commands, the router strips the domain name and delimiter that result from the parsing.
aaa delimiter
Use to configure delimiters for the domain and realm names. Specify one of the following keywords:
domainName—Configures domain name delimiters. The default domain name delimiter is @.
realmName—Configures realm name delimiters. The default realm name delimiter is NULL (no character). In this case, realm parsing is disabled (having no delimiter disables realm parsing).
You can specify up to eight delimiters each for domain name and realm name.
Example
host1(config)#aaa delimiter domainName @*/
Use the no version to return to the default.
See aaa delimiter
aaa parse-direction
Use to specify the direction the router uses to parse the username for the domain or realm name.
domainName—Specifies that the domain name is parsed. The router performs domain parsing from right to left by default.
realmName—Specifies that the realm name is parsed. The router performs realm parsing from left to right by default.
left-to-right—Router searches from the left-most character. When the router reaches a realm delimiter, it uses anything to the left of the delimiter as the domain. When the router reaches a domain delimiter, it uses anything to the right of the delimiter as the domain.
right-to-left—Router searches from the right-most character. When the router reaches a realm delimiter, it uses anything to the left of the delimiter as the domain. When the router reaches a domain delimiter, it uses anything to the right of the delimiter as the domain.
Example
host1(config)#aaa parse-direction domainName left-to-right
Use the no version to return to the default: right-to-left parsing for domain names and left-to-right parsing for realm names.
See aaa parse-direction
aaa parse-order
Use to specify which part of a username the router uses as the domain name. If a user's name contains both a realm name and a domain name, you can configure the router to use either name as the domain name.
domain-first—Router searches for a domain name first. When the router reaches a domain delimiter, it uses anything to the right of the delimiter as the domain name. For example, if the username is usEast/lori@abc.com, the domain name is abc.com. If the router does not find a domain name, it then searches for a realm name if the realm delimiter is specified.
realm-first—Router searches for a realm name first. When the router reaches a realm delimiter, it uses anything to the left of the delimiter as the domain. For example, if the username is usEast/lori@abc.com, the domain name is usEast. If no realm name is found, the router searches for a domain name.
Example
host1(config)#aaa parse-order domain-first
Use the no version to return to the default, realm first.
See aaa parse-order
strip-domain
Use to strip the domain name from the username before sending an Access-Request message to the RADIUS server.
By default, the domain name is the text after the last @ character. However, if you change the domain name parsing by using the aaa delimiter, aaa parse-order, or aaa parse-direction command, the router strips the domain name and delimiter that result from the parsing.
To stop stripping the username, use the disable keyword.
Example
host1(config)#aaa domain-map xyz.com
host1(config-domain-map)#strip-domain enable
Use the no version to return to the default, disabled.
See strip-domain
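The parsing rules of the four commands above (aaa delimiter, aaa parse-direction, aaa parse-order and strip-domain), as an added Python model that reproduces the results of Table 3 for the username usEast/userjohn@abc.com@xyz.com. This is illustration code written for this page, not JUNOSe code, and it makes three assumptions: strip-domain is modelled as a single flag rather than a per-domain-map setting; the parse-direction rows of Table 3 are evaluated with the matching parse order in effect (domain-first for the domainName rows, realm-first for the realmName rows), which is the only reading under which the table's results follow; and when stripping is enabled and the domain came from the domain delimiter, a realm prefix found in the name is removed as well, which is how the table's resulting usernames come out.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ParseConfig:
    """CLI settings mirrored as fields (illustration only, not the router's data model)."""
    domain_delims: str = "@"                 # aaa delimiter domainName <chars>  (default @)
    realm_delims: str = ""                   # aaa delimiter realmName <chars>   (default NULL)
    parse_order: str = "realm-first"         # aaa parse-order realm-first | domain-first
    domain_direction: str = "right-to-left"  # aaa parse-direction domainName ... (default)
    realm_direction: str = "left-to-right"   # aaa parse-direction realmName ...  (default)
    strip_domain: bool = False               # strip-domain enable | disable (default disabled)


def _find_delim(name: str, delims: str, direction: str) -> int:
    """Index of the first delimiter met when scanning in `direction`, or -1 if none."""
    if not delims:
        return -1
    hits = [i for i, ch in enumerate(name) if ch in delims]
    if not hits:
        return -1
    return hits[0] if direction == "left-to-right" else hits[-1]


def parse_username(name: str, cfg: ParseConfig) -> Tuple[str, Optional[str]]:
    """Return (username sent to RADIUS, domain name used for the domain-map lookup)."""
    realm_idx = _find_delim(name, cfg.realm_delims, cfg.realm_direction)
    domain_idx = _find_delim(name, cfg.domain_delims, cfg.domain_direction)

    # Realm: everything left of the realm delimiter. Domain: everything right of the domain delimiter.
    realm = name[:realm_idx] if realm_idx >= 0 else None
    domain_part = name[domain_idx + 1:] if domain_idx >= 0 else None

    if cfg.parse_order == "realm-first":
        chosen = realm if realm is not None else domain_part
        from_realm = realm is not None
    else:  # domain-first: fall back to the realm only when no domain delimiter is found
        chosen = domain_part if domain_part is not None else realm
        from_realm = domain_part is None and realm is not None

    if chosen is None:
        return name, None
    if not cfg.strip_domain:
        return name, chosen

    # strip-domain enable: drop the parsed domain and its delimiter from the username.
    if from_realm:
        sent = name[realm_idx + 1:]
    else:
        sent = name[:domain_idx]
        # Assumption taken from Table 3: a realm prefix is removed too in this case.
        if 0 <= realm_idx < domain_idx:
            sent = sent[realm_idx + 1:]
    return sent, chosen


def table3() -> list:
    """Reproduce Table 3: username usEast/userjohn@abc.com@xyz.com, delimiters '@!' and '/'."""
    name = "usEast/userjohn@abc.com@xyz.com"
    base = dict(domain_delims="@!", realm_delims="/", strip_domain=True)
    rows = [
        ("aaa parse-order realm-first", ParseConfig(**base, parse_order="realm-first")),
        ("aaa parse-order domain-first", ParseConfig(**base, parse_order="domain-first")),
        ("aaa parse-direction domainName right-to-left",
         ParseConfig(**base, parse_order="domain-first", domain_direction="right-to-left")),
        ("aaa parse-direction domainName left-to-right",
         ParseConfig(**base, parse_order="domain-first", domain_direction="left-to-right")),
        ("aaa parse-direction realmName right-to-left",
         ParseConfig(**base, parse_order="realm-first", realm_direction="right-to-left")),
        ("aaa parse-direction realmName left-to-right",
         ParseConfig(**base, parse_order="realm-first", realm_direction="left-to-right")),
    ]
    return [(cmd, *parse_username(name, cfg)) for cmd, cfg in rows]


if __name__ == "__main__":
    for cmd, sent, domain in table3():
        print(f"{cmd:46s} {sent:26s} {domain}")
```

Running the block prints the six rows of Table 3 with the resulting username and domain in that order. The same function handles the earlier examples in this section: pete!xyz.com with delimiters @! yields domain xyz.com and username pete once stripping is enabled, and a name with no delimiter at all yields no domain, so the router would fall through to the none and default entries of the domain map.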
Domain Name and Realm Name Examples
This section provides examples of possible domain or realm name results that you might obtain, depending on the commands and options you specify. This example uses the following username:
username: usEast/userjohn@abc.com@xyz.com
The router is configured with the following commands:
host1(config)#aaa delimiter domainName @!
host1(config)#aaa delimiter realmName /
Table 3 on page 16 shows the username and domain name that result from the parsing action of the various commands.
Table 3: Username and Domain Name Examples
Command                                        Resulting Username          Resulting Domain Name
aaa parse-order realm-first                    userjohn@abc.com@xyz.com    usEast
aaa parse-order domain-first                   userjohn@abc.com            xyz.com
aaa parse-direction domainName right-to-left   userjohn@abc.com            xyz.com
aaa parse-direction domainName left-to-right   userjohn                    abc.com@xyz.com
aaa parse-direction realmName right-to-left    userjohn@abc.com@xyz.com    usEast
aaa parse-direction realmName left-to-right    userjohn@abc.com@xyz.com    usEast
Specifying a Single Name for Users from a Domain
Assigning a single username and a single password for all users associated with a domain provides better compatibility with some RADIUS servers. You can use this feature for domains that require the router to tunnel, but not terminate, PPP sessions.
When users request a PPP session, they specify usernames and passwords. During the negotiations for the PPP session, the router authenticates legitimate users.
NOTE: This feature works only for users authenticated by Password Authentication Protocol (PAP) and not by Challenge Handshake Authentication Protocol (CHAP).
If you configure this feature, the router substitutes the specified username and password for all authenticated usernames and passwords associated with that domain.
There are two options for this feature. The router can:
Substitute the domain name for each username and one new password for each existing password. For example, if the domain name is xyz.com and you specify the password xyz_domain, the router associates the username xyz.com and the password xyz_domain with all users from xyz.com.
Substitute one new username for each username and one new password for each existing password. For example, if the domain name is xyz.com and you specify the username xyz_group and the password xyz_domain, the router associates these identifiers with all users from xyz.com.
To use a single username and a single password for all users from a domain:
1. Access Domain Map Configuration mode using the aaa domain-map command.
2. Specify the new username and password using the override-user command.
aaa domain-map
Use to map a domain name to a virtual router or to access Domain Map Configuration mode.
Example
host1(config)#aaa domain-map xyz.com
host1(config-domain-map)#
Use the no version to delete the map entry.
See aaa domain-map
override-user
Use to specify a single username and single password for all users from a domain in place of the values received from the remote client.
Use only for domains that require the router to tunnel and not terminate PPP sessions.
If you specify a password only, the router substitutes the domain name for the username and associates the new password with the user. If you specify a password only and you have configured the domain name none with the aaa domain-map command, the router rejects any users without domain names.
If you specify a name and password, the router associates both the new name and password with the user.
Example
host1(config-domain-map)#override-user name boston password abc
Use the no version to revert to the original username.
See override-user
Configuring RADIUS Authentication and Accounting Servers
The number of RADIUS servers you can configure depends on available memory.
The order in which you configure servers determines the order in which the router contacts those servers on behalf of clients.
Initially, a RADIUS client sends a request to a RADIUS authentication or accounting server. The RADIUS server uses the configured IP address, the UDP port number, and the secret key to make the connection. The RADIUS client waits for a response for a configurable timeout period and then retransmits the request. The RADIUS client retransmits the request for a user-configurable retry limit.
If there is no response from the primary RADIUS server, the RADIUS client submits the request to the secondary RADIUS server using the timeout period and retry limit configured for the secondary RADIUS server.
If the connection attempt fails for the secondary RADIUS server, the router submits the request to the tertiary server and so on until it either is granted access on behalf of the client or there are no more configured servers.
If another authentication server is not configured, the router attempts the next method in the method list; for accounting server requests, the information is dropped.
For example, suppose that you have configured the following authentication servers: Auth1, Auth2, Auth3, Auth4, and Auth5. Your router attempts to send an authentication request to Auth1. If Auth1 is unavailable, the router submits the request to Auth2, then Auth3, and so on until an available server is found. If Auth5, the last configured authentication server, is not available, the router attempts the next method in the methods list. If the only method configured is RADIUS, then the router notifies the client that the request has been denied.
Server Access
The router offers two options by which servers are accessed:
Direct—The first authentication or accounting server that you configure is treated as the primary authentication or accounting server, the next server configured is the secondary, and so on.
Round-robin—The first configured server is treated as a primary for the first request, the second server configured as primary for the second request, and so on. When the router reaches the end of the list of servers, it starts again at the top of the list until it comes full cycle through the list.
Use the radius algorithm command to specify the server access method.
When you configure the first RADIUS accounting server, a RADIUS Acct-On message is sent. When you delete the last accounting server, a RADIUS Acct-Off message is sent.
Server Request Processing Limit
You can configure RADIUS authentication servers and accounting servers to use different UDP ports on the router. This enables the same IP address to be used for both an authentication server and an accounting server. However, you cannot use the same IP address for multiple authentication servers or for multiple accounting servers.
NOTE: For information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers, see JUNOSe Release Notes, Appendix A, System Maximums.
The E Series router listens to a range of UDP source (or local) ports for RADIUS responses. Each UDP source port supports a maximum of 255 RADIUS requests. When the 255 per-port limit is reached, the router opens the next source port. When the max-sessions command limit is reached, the router submits the request to the next configured server.
Table 4 on page 19 lists the range of UDP ports the router uses for each type of RADIUS request.
Table 4: Local UDP Port Ranges by RADIUS Request Type
RADIUS Request Type        ERX310, ERX710, ERX1410, and E120 Broadband Services Routers   ERX1440 and E320 Broadband Services Routers
RADIUS authentication      50000–50124                                                     50000–50124
RADIUS accounting          50125–50249                                                     50125–50499
RADIUS preauthentication   50250–50374                                                     50500–50624
RADIUS route-download      50375–50500                                                     50625–50749
Authentication and Accounting Methods
When you configure AAA authentication and accounting services for your B-RAS environment, one important task is to specify the authentication and accounting method used. The JUNOSe software gives you the flexibility to configure authentication or accounting methods based on the type of subscriber. This feature allows you to enable RADIUS authentication for some subscribers, while disabling authentication completely for other subscribers. Similarly, you can enable RADIUS accounting for some subscribers, but no accounting for others. For example, you might use RADIUS authentication for ATM 1483 subscribers, while granting IP subscriber management interfaces access without authentication (using the none keyword).
You can specify the authentication or accounting method you want to use, or you can specify multiple methods in the order in which you want them used. For example, if you specify the radius keyword followed by the none keyword when configuring authentication, AAA initially attempts to use RADIUS authentication. If no RADIUS servers are available, AAA uses no authentication. The JUNOSe software currently supports radius and none as accounting methods and radius, none, and local as authentication methods. See Configuring Local Authentication Servers on page 40 for information about local authentication.
You can configure authentication and accounting methods based on the following types of subscribers:
ATM 1483
Tunnels (for example, L2TP tunnels)
PPP
RADIUS relay server
IP subscriber management interfaces
NOTE: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JUNOSe software's subscriber management feature.
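The server walk from the Server Access section (direct and round-robin ordering, per-server retransmission, failover down the list) and the method-list fallthrough from the section above (radius followed by none, or radius alone ending in a denial), as one added Python simulation. This is illustration code written for this page, not JUNOSe code. It assumes a retry count of 3 per server as a stand-in for the configurable retry limit, it represents the network by a callable that returns "accept", "reject" or None (no response within the timeout), and it models only the radius and none methods; local authentication is mentioned in the text but not modelled here.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# What one transmission to a server yields: "accept", "reject", or None (timed out).
Reply = Optional[str]


@dataclass
class RadiusServer:
    name: str
    retries: int = 3  # retransmissions after the first attempt (assumed stand-in for the configured limit)


class RadiusClient:
    """Walks the configured server list the way the text describes (illustration only)."""

    def __init__(self, servers: List[RadiusServer], algorithm: str = "direct") -> None:
        if algorithm not in ("direct", "round-robin"):
            raise ValueError(f"unknown radius algorithm {algorithm}")
        self.servers = list(servers)
        self.algorithm = algorithm
        self._next_primary = 0  # round-robin: index of the primary for the next request

    def _ordered(self) -> List[RadiusServer]:
        """Direct: configured order every time. Round-robin: rotate the primary per request."""
        if self.algorithm == "direct" or not self.servers:
            return list(self.servers)
        start = self._next_primary
        self._next_primary = (start + 1) % len(self.servers)
        return self.servers[start:] + self.servers[:start]

    def send(self, send_once: Callable[[str], Reply]) -> Tuple[Reply, List[str]]:
        """Try servers in order, retransmitting up to each server's limit; any reply ends the walk.

        Returns (reply, list of server names in the order transmissions were attempted).
        """
        attempts: List[str] = []
        for srv in self._ordered():
            for _ in range(1 + srv.retries):
                attempts.append(srv.name)
                reply = send_once(srv.name)
                if reply is not None:
                    return reply, attempts
        return None, attempts  # no configured server answered


def authenticate(methods: List[str], client: RadiusClient,
                 send_once: Callable[[str], Reply]) -> Tuple[str, Optional[str]]:
    """Apply the method list in order. RADIUS is skipped only when no server answers;
    a reject from a server is final. Returns (decision, method that decided or None)."""
    for method in methods:
        if method == "radius":
            reply, _ = client.send(send_once)
            if reply is not None:
                return reply, "radius"
        elif method == "none":
            return "accept", "none"
        else:
            raise ValueError(f"method {method} not modelled here")
    return "reject", None  # out of methods: the client is told the request was denied


if __name__ == "__main__":
    # Constructed scenario: Auth1 and Auth2 do not answer, the rest accept.
    servers = [RadiusServer(f"Auth{i}") for i in range(1, 6)]
    down = {"Auth1", "Auth2"}
    network = lambda name: None if name in down else "accept"
    print(RadiusClient(servers, "direct").send(network))
    print(authenticate(["radius"], RadiusClient(servers), lambda name: None))
    print(authenticate(["radius", "none"], RadiusClient(servers), lambda name: None))
```

The attempts list is the useful output for an operator: with two dead servers and three retransmissions each, a direct walk spends eight transmissions before Auth3 answers, which is the latency a subscriber sees at PPP authentication time and a reason to keep unreachable servers out of the configured list.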
Supporting Exchange of Extensible Authentication Protocol Messages
Extensible Authentication Protocol (EAP) is a protocol that supports multiple methods for authenticating a peer before allowing network layer protocols to transmit over the link. JUNOSe software supports the exchange of EAP messages between JUNOSe applications, such as PPP, and an external RADIUS authentication server.
The JUNOSe software's AAA service accepts and passes EAP messages between the JUNOSe application and the router's internal RADIUS authentication server. The internal RADIUS authentication server, which is a RADIUS client, provides EAP pass-through: the RADIUS client accepts the EAP messages from AAA and sends the messages to the external RADIUS server for authentication. The RADIUS client then passes the response from the external RADIUS authentication server back to the AAA service, which then sends a response to the JUNOSe application. The AAA service and the internal RADIUS authentication service do not process EAP information; both simply act as pass-through devices for the EAP message.
The router's local authentication server and TACACS+ authentication servers do not support the exchange of EAP messages. These types of servers deny access if they receive an authentication request from AAA that includes an EAP message. EAP messages do not affect the none authentication configuration, which always grants access.
The local RADIUS authentication server uses the following RADIUS attributes when exchanging EAP messages with the external RADIUS authentication server:
Framed-MTU (attribute 12)—Used if AAA passes an MTU value to the internal RADIUS client
State (attribute 24)—Used in Challenge-Response messages from the external server and returned to the external server on the subsequent Access-Request
Session-Timeout (attribute 27)—Used in Challenge-Response messages from the external server
EAP-Message (attribute 79)—Used to fragment EAP strings into 253-byte fragments (the RADIUS limit)
Message-Authenticator (attribute 80)—Used to authenticate messages that include an EAP-Message attribute
For additional information on configuring PPP to use EAP authentication, see JUNOSe Link Layer Configuration Guide.
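How the last two attributes in the list above fit together on the wire, as an added Python example: an EAP packet is cut into EAP-Message (79) values of at most 253 bytes, and the Access-Request that carries them gets a Message-Authenticator (80) computed as HMAC-MD5, keyed with the shared secret, over the whole packet with the 16-byte authenticator value zeroed, which is the RFC 2869/3579 construction. This is illustration code written for this page, not JUNOSe code; the shared secret, Request Authenticator and EAP payload are constructed values, and the verifier deliberately refuses a packet that carries EAP-Message without a valid Message-Authenticator, since such a packet is to be discarded.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_REQUEST = 1
EAP_MESSAGE = 79             # RADIUS attribute 79
MESSAGE_AUTHENTICATOR = 80   # RADIUS attribute 80
MAX_ATTR_VALUE = 253         # attribute length byte counts type+length, so 255 - 2 bytes of value
HEADER_LEN = 20              # code, identifier, length, 16-byte Request Authenticator


def fragment_eap(eap: bytes) -> List[bytes]:
    """Cut one EAP packet into EAP-Message values of at most 253 bytes, preserving order."""
    return [eap[i:i + MAX_ATTR_VALUE] for i in range(0, len(eap), MAX_ATTR_VALUE)]


def encode_attr(atype: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value exceeds the 253-byte RADIUS limit")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, request_authenticator: bytes, secret: bytes,
                         eap: bytes, other_attrs: List[Tuple[int, bytes]] = ()) -> bytes:
    """Access-Request carrying the EAP fragments and a Message-Authenticator.

    The HMAC-MD5 is taken over the complete packet with the 16 authenticator bytes zeroed,
    then written into place; the receiver repeats the same computation to verify.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = b"".join(encode_attr(t, v) for t, v in other_attrs)
    attrs += b"".join(encode_attr(EAP_MESSAGE, frag) for frag in fragment_eap(eap))
    ma_value_offset = HEADER_LEN + len(attrs) + 2  # where the 16 zero bytes will sit
    attrs += encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER_LEN + len(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:ma_value_offset] + mac + packet[ma_value_offset + 16:]


def parse_attrs(packet: bytes) -> List[Tuple[int, bytes, int]]:
    """Return (type, value, offset of value) per attribute; reject inconsistent lengths."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match the packet")
    out, i = [], HEADER_LEN
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute length")
        out.append((atype, packet[i + 2:i + alen], i + 2))
        i += alen
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only when a Message-Authenticator is present and matches; absent means discard."""
    for atype, value, off in parse_attrs(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


def reassemble_eap(packet: bytes) -> bytes:
    """Concatenate the EAP-Message fragments in order to recover the EAP packet."""
    return b"".join(v for t, v, _ in parse_attrs(packet) if t == EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"                          # constructed, not a real secret
    ra = hashlib.md5(b"constructed request authenticator").digest()  # stands in for 16 random bytes
    eap = bytes(range(256)) * 2 + b"tail"                           # constructed 516-byte EAP packet
    pkt = build_access_request(7, ra, secret, eap, [(1, b"jill@abc.com")])
    print(len(pkt), "bytes,", len(fragment_eap(eap)), "EAP-Message fragments,",
          "authenticator ok:", verify_message_authenticator(pkt, secret))
```

Three things the run shows that the attribute list alone does not: the 253-byte cut is what forces a multi-attribute encoding for any EAP method with certificates or large challenges, the Message-Authenticator covers those fragments so a relay cannot reorder or alter them undetected, and a wrong shared secret on either side fails verification rather than producing a confusing EAP failure later in the exchange.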
Immediate Accounting Updates
You can use the aaa accounting immediate-update command to configure immediate accounting updates on a per-VR basis. If you enable this feature, the E Series router sends an Acct-Update message to the accounting server immediately on receipt of a response (ACK or timeout) to the Acct-Start message.
This feature is disabled by default. Use the enable keyword to enable immediate updates and the disable keyword to halt them.
The accounting update contains 0 (zero) values for the input/output octets/packets and 0 (zero) for uptime. If you have enabled duplicate or broadcast accounting, the accounting update goes to both the primary virtual router context and the duplicate or broadcast virtual router context.
Duplicate and Broadcast Accounting
Normally, the JUNOSe software sends subscriber-related AAA accounting information to the virtual router that authenticates the subscriber. If an operational virtual router is configured that is different from the authentication router, it also receives the accounting information. You can optionally configure duplicate or broadcast AAA accounting, which sends the accounting information to additional virtual routers simultaneously. The accounting information continues to be sent to the authenticating virtual router, but not to the operational virtual router.
Both the duplicate and broadcast accounting features are supported on a per-virtual router context, and enable you to specify particular accounting servers that you want to receive the accounting information.
For example, you might use broadcast accounting to send accounting information to a group of your private accounting servers. Or you might use duplicate accounting to send the accounting information to a customer's accounting server.
Duplicate accounting: Sends the accounting information to a particular virtual router
Broadcast accounting: Sends the accounting information to a group of virtual routers. An accounting virtual router group can contain up to four virtual routers, and the E Series router supports a maximum of 100 virtual router groups. The accounting information continues to be sent to the duplicate accounting virtual router, if one is configured.
JUNOSe 11.0.x Broadband Access Configuration Guide
Configuring AAA Duplicate Accounting
To configure and enable duplicate accounting on a virtual router, you use the aaa accounting duplication command with the name of the accounting server that will receive the information. For example, to enable duplicate accounting for the default virtual router:
host1(config)#aaa accounting duplication xyzCompanyServer
Configuring AAA Broadcast Accounting
To configure and enable broadcast accounting on a virtual router:
1. Create the virtual router group and enter VR Group Configuration mode:
host1(config)#aaa accounting vr-group groupXyzCompany
host1(vr-group-config)#
2. Add up to four virtual routers to the group. The accounting information will be sent to all virtual routers in the group.
host1(vr-group-config)#aaa virtual-router 1 vrXyz1
host1(vr-group-config)#aaa virtual-router 2 vrXyz2
host1(vr-group-config)#aaa virtual-router 3 vrXyz3
host1(vr-group-config)#exit
host1(config)#
3. Enable broadcast accounting. Enter the correct virtual router context, and specify the virtual router group whose virtual routers will receive the accounting information.
host1(config)#virtual-router opVr100
host1:opVr100(config)#aaa accounting broadcast groupXyzCompany
Overriding AAA Accounting NAS Information
AAA accounting packets normally include two RADIUS attributes, NAS-IP-Address [4] and NAS-Identifier [32], of the virtual router that generates the accounting information. You can override the default configuration and specify that accounting packets from particular broadcast virtual routers instead include the NAS-IP-Address and NAS-Identifier attributes of the authenticating virtual router.
To override the normal AAA accounting NAS information, access the correct virtual router context, and use the radius override nas-info command. For example:
host1(config)#virtual-router vrXyz1
host1:vrXyz1(config)#radius override nas-info
host1:vrXyz1(config)#virtual-router vrXyz2
host1:vrXyz2(config)#radius override nas-info
host1:vrXyz3(config)#exit
host1(config)#
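The sections above state several rules about where accounting records go and which NAS attributes they carry: the authenticating virtual router always receives them, the operational virtual router receives them only when neither duplicate nor broadcast accounting is configured, a group holds at most four virtual routers with unique names, the router holds at most 100 groups, and radius override nas-info makes a broadcast member stamp the authenticating virtual router's NAS-IP-Address and NAS-Identifier instead of its own. The following Python model is an added example written for this page, not JUNOSe code, that encodes those rules so a planned configuration can be checked before it is typed in. Keying the configuration by the virtual router context in which the commands are entered, and all class and function names, are assumptions; the limits and destination rules are the page's.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Added model of the accounting fan-out rules described above; not JUNOSe code.
# Limits and destination rules come from the page; keying the configuration by
# the virtual router context the commands are entered in is an assumption.
MAX_VRS_PER_GROUP = 4
MAX_VR_GROUPS = 100


class AccountingConfigError(ValueError):
    """Raised for input the CLI described on the page would reject."""


def _check_vr_name(name: str) -> None:
    # page: a virtual router name consists of 1-32 alphanumeric characters
    if not (1 <= len(name) <= 32 and name.isalnum()):
        raise AccountingConfigError(f"bad virtual router name {name!r}")


@dataclass
class AaaAccountingModel:
    vr_groups: Dict[str, Dict[int, str]] = field(default_factory=dict)  # group -> index -> VR
    duplication: Dict[str, str] = field(default_factory=dict)           # context VR -> duplicate VR
    broadcast: Dict[str, str] = field(default_factory=dict)             # context VR -> group
    nas_info_override: Set[str] = field(default_factory=set)            # radius override nas-info

    def vr_group(self, group: str, members: List[Tuple[int, str]]) -> None:
        """aaa accounting vr-group plus its aaa virtual-router <index> <name> lines."""
        if not members:
            raise AccountingConfigError("a group must contain at least one virtual router")
        if len(members) > MAX_VRS_PER_GROUP:
            raise AccountingConfigError("a group can hold at most four virtual routers")
        if group not in self.vr_groups and len(self.vr_groups) >= MAX_VR_GROUPS:
            raise AccountingConfigError("the router supports at most 100 virtual router groups")
        names = [n for _, n in members]
        if len(set(names)) != len(names):
            raise AccountingConfigError("virtual router names in a group must be unique")
        for index, name in members:
            if not 1 <= index <= MAX_VRS_PER_GROUP:
                raise AccountingConfigError("index must be in the range 1-4")
            _check_vr_name(name)
        self.vr_groups[group] = dict(members)

    def accounting_duplication(self, context_vr: str, target_vr: str) -> None:
        _check_vr_name(target_vr)
        self.duplication[context_vr] = target_vr

    def accounting_broadcast(self, context_vr: str, group: str) -> None:
        if group not in self.vr_groups:
            raise AccountingConfigError(f"unknown virtual router group {group!r}")
        self.broadcast[context_vr] = group

    def radius_override_nas_info(self, vr: str) -> None:
        self.nas_info_override.add(vr)

    def destinations(self, auth_vr: str,
                     operational_vr: Optional[str] = None) -> List[Tuple[str, str]]:
        """(receiving VR, VR whose NAS-IP-Address/NAS-Identifier the packet carries)."""
        out = [(auth_vr, auth_vr)]               # the authenticating VR always receives
        extra = auth_vr in self.duplication or auth_vr in self.broadcast
        if operational_vr and operational_vr != auth_vr and not extra:
            out.append((operational_vr, operational_vr))   # only without duplicate/broadcast
        if auth_vr in self.duplication:
            dup = self.duplication[auth_vr]
            out.append((dup, dup))
        if auth_vr in self.broadcast:
            group = self.vr_groups[self.broadcast[auth_vr]]
            for index in sorted(group):          # index gives the delivery order
                member = group[index]
                nas = auth_vr if member in self.nas_info_override else member
                out.append((member, nas))
        return out


def config_error(fn: Callable, *args) -> Optional[str]:
    """Return the error text a call would produce, or None if it is accepted."""
    try:
        fn(*args)
    except AccountingConfigError as exc:
        return str(exc)
    return None
```

Running destinations("opVr100", "opVr200") against the page's groupXyzCompany example with radius override nas-info on vrXyz1 lists opVr100 plus the three group members, with only vrXyz1 carrying opVr100's NAS attributes, and leaves opVr200 out because broadcast accounting is configured.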
UDP Checksums
Each virtual router on which you configure B-RAS is enabled to perform UDP checksums by default. You can disable and reenable UDP checksums.
Collecting Accounting Statistics
You can use the aaa accounting statistics command to specify how the AAA server collects statistics on the sessions it manages. Use the volume-time keyword to specify that AAA notifies applications to collect a full set of statistics from each of their connections. Use the time keyword to specify that only the uptime status is collected for each connection. Collecting only uptime information reduces the amount of data sent to AAA and is a more efficient use of system resources for customers that do not need a full set of statistics. The router collects a full set of statistics by default.
Configuring RADIUS AAA Servers
The number of RADIUS servers you can configure depends on available memory. The router has an embedded RADIUS client for authentication and accounting.
NOTE: You can configure B-RAS with RADIUS accounting, but without RADIUS authentication. In this configuration, the username and password on the remote end are not authenticated and can be set to any value.
You must assign an IP address to a RADIUS authentication or accounting server to configure it.
If you do not configure a primary authentication or accounting server, all authentication and accounting requests will fail. You can configure other servers as backup in the event that the primary server cannot be reached. Configure each server individually.
To configure an authentication or accounting RADIUS server:
1. Specify the authentication or accounting server address.
host1(config)#radius authentication server 10.10.10.1
host1(config-radius)#
or
host1(config)#radius accounting server 10.10.10.6
host1(config-radius)#
2. (Optional) Specify a UDP port for RADIUS authentication or accounting server requests.
host1(config-radius)#udp-port 1645
3. Specify an authentication or accounting server secret.
host1(config-radius)#key gismo
4. (Optional) Specify the number of retries the router makes to an authentication or accounting server before it attempts to contact another server.
host1(config-radius)#retransmit 2
5. (Optional) Specify the number of seconds between retries.
host1(config-radius)#timeout 5
6. (Optional) Specify the maximum number of outstanding requests.
host1(config-radius)#max-sessions 100
7. (Optional) Specify the amount of time to remove a server from the available list when a timeout occurs.
host1(config-radius)#deadtime 10
8. (Optional) In Global Configuration mode, specify whether the E Series router should move on to the next RADIUS server when the router receives an Access-Reject message for the user it is authenticating.
host1(config)#radius rollover-on-reject enable
9. (Optional) Enable duplicate address checking.
host1(config)#aaa duplicate-address-check enable
10. (Optional) Specify that duplicate accounting records be sent to the accounting server for a virtual router.
host1(config)#aaa accounting duplication routerBoston
11. (Optional) Enter the correct virtual router context, and specify the virtual router group to which broadcast accounting records are sent.
host1(config)#virtual-router vrSouth25
host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38
host1:vrSouth25(config)#exit
12. (Optional) Specify that immediate accounting updates be sent to the accounting server when a response is received to an Acct-Start message.
host1(config)#aaa accounting immediate-update
13. (Optional) Specify whether the router collects all statistics or only the uptime status.
host1(config)#aaa accounting statistics time
14. (Optional) Specify that tunnel accounting be enabled or disabled.
host1(config)#radius tunnel-accounting enable
15. (Optional) Specify the default authentication and accounting methods for the subscribers.
host1(config)#aaa authentication ppp default radius none
16. (Optional) Disable UDP checksums on virtual routers you configure for B-RAS.
host1(config)#virtual-router boston
host1:boston(config)#radius udp-checksum disable
aaa accounting broadcast
Use to enable AAA broadcast accounting on a virtual router. Specifies that accounting records be sent to the accounting servers on the virtual routers in the named virtual router group.
A virtual router group can be used in any virtual router context, not just the context in which it is created.
Example
host1(config)#virtual-router vrSouth25
host1:vrSouth25(config)#aaa accounting broadcast westVrGroup38
host1:vrSouth25(config)#exit
Use the no version to disable AAA broadcast accounting.
See aaa accounting broadcast
aaa accounting default
Use to specify the accounting method used for a particular type of subscriber.
Specify one of the following types of subscribers:
atm1483; this keyword is not supported
tunnel
ppp
radius-relay
ipsec
ip (IP subscriber management interfaces)
NOTE: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JUNOSe software's subscriber management feature.
Although the atm1483 keyword is available in the CLI for this command, that subscriber type is not supported. The router does not support accounting for ATM 1483 subscribers.
Specify one of the following types of accounting methods:
radius: RADIUS accounting for the specified subscribers.
none: No accounting is done for the specified subscribers.
radius none: Multiple types of accounting; used in the order specified. For example, radius none specifies that RADIUS accounting is initially used; however, if RADIUS servers are not available, no accounting is done.
Example
host1(config)#aaa accounting ppp default radius
Use the no version to set the accounting protocol to the default, radius.
See aaa accounting default
aaa accounting duplication
Use to enable AAA duplicate accounting on a virtual router. Specifies that duplicate accounting records be sent to the accounting server on another virtual router.
Example
host1(config)#aaa accounting duplication routerBoston
Use the no version to disable the feature.
See aaa accounting duplication
aaa accounting immediate-update
Use to send an accounting update to the accounting server immediately on receipt of a response for an Acct-Start message.
Use the enable keyword to enable immediate updates. Use the disable keyword to disable immediate updates. Immediate updates are disabled by default.
Example
host1(config)#aaa accounting immediate-update enable
Use the no version to restore the default condition, disabling immediate updates.
See aaa accounting immediate-update
aaa accounting interval
Use to specify the default interval between updates for user and service interim accounting.
NOTE: This command is deprecated and might be removed completely in a future release. Use the aaa user accounting interval command to specify the default interval for user accounting. Use the aaa service accounting interval command to specify the default interim accounting interval used for services created by the Service Manager application. See Configuring Service Manager on page 635.
Select an interval in the range 10–1440 minutes. The default is 0, which means that the feature is disabled.
Example
host1(config)#aaa accounting interval 60
Use the no version to turn off interim accounting for both users and services.
See aaa accounting interval
aaa accounting statistics
Use to specify how the AAA server collects statistics on the sessions it manages.
Use the volume-time keyword to collect all statistics for the sessions.
Use the time keyword to collect only the uptime status of the sessions. Collecting only uptime information is more efficient because less data is sent to AAA.
Example
host1(config)#aaa accounting statistics time
Use the no version to restore the default, in which all statistics are collected.
See aaa accounting statistics
aaa accounting vr-group
Use to create an accounting virtual router group and enter VR Group Configuration mode. Virtual router groups are used for AAA broadcast accounting.
A virtual router group can have up to four virtual routers. The accounting servers of the virtual routers in the group receive broadcast accounting records that are forwarded to the group.
The E Series router supports a maximum of 100 virtual router groups.
When creating a virtual router group, you must add at least one virtual router to the group; otherwise, the group is not created.
A virtual router group can be used in any virtual router context, not just the context in which it is created.
Example
host1(config)#aaa accounting vr-group westVrGroup38
host1(config-vr-group)#
Use the no version to delete the accounting virtual router group.
See aaa accounting vr-group
aaa authentication default
Use to specify the authentication method used for a particular type of subscriber.
Specify one of the following types of subscribers:
atm1483
tunnel
ppp
radius-relay
ipsec
ip (IP subscriber management interfaces)
NOTE: IP subscriber management interfaces are static or dynamic interfaces that are created or managed by the JUNOSe software's subscriber management feature.
Specify one of the following types of authentication methods:
radius: RADIUS authentication for the specified subscribers.
none: Grants the specified subscribers access without authentication.
radius none: Multiple types of authentication; used in the order specified. For example, radius none specifies that RADIUS authentication is initially used; however, if RADIUS servers are not available, users are granted access without authentication.
Example
host1(config)#aaa authentication ip default radius
Use the no version to set the authentication protocol to the default, radius.
See aaa authentication default
aaa duplicate-address-check
Use to enable or disable routing table address lookup or duplicate address check.
By default, this command is enabled.
The router checks the routing table for returned addresses for PPP users. If the address already exists in the routing table, the user is denied access.
You can disable this routing table address lookup or duplicate address check with the aaa duplicate-address-check command.
Example
host1(config)#aaa duplicate-address-check enable
There is no no version.
See aaa duplicate-address-check
aaa user accounting interval
Use to specify the default interval between user accounting updates. The router uses the default interval when no value is specified in the RADIUS Acct-Interim-Interval attribute (RADIUS attribute 85).
This command and the aaa service accounting interval command replace the aaa accounting interval command, which is deprecated and might be removed in a future release. For information about setting the default interim accounting interval for services, see Configuring Service Manager on page 635.
The default interval is applied on a virtual router basis; this setting is used for all users who attach to the corresponding virtual router.
Specify the user accounting interval in the range 10–1440 minutes. The default setting is 0, which disables the feature.
Example
host1(config)#aaa user accounting interval 20
Use the no version to reset the accounting interval to 0, which turns off interim user accounting when no value is specified in the RADIUS Acct-Interim-Interval attribute.
See aaa user accounting interval
aaa virtual-router
Use to add virtual routers to a virtual router group. During AAA broadcast accounting, accounting records are sent to the accounting servers on the virtual routers in the named virtual router group.
You can add up to four virtual routers to a virtual router group. Use the indexInteger parameter to specify the order (1–4) in which the virtual routers receive the accounting information. The indexInteger is used with the no version to delete a specific virtual router from a group (see Example 2).
A virtual router name consists of 1–32 alphanumeric characters.
The virtual router names in the group must be unique. An error message appears if you enter a duplicate name.
Example 1
host1(config)#aaa accounting vr-group westVrGroup38
host1(config-vr-group)#aaa virtual-router 1 vrWestA
host1(config-vr-group)#aaa virtual-router 2 vrWestB
host1(config-vr-group)#aaa virtual-router 4 vrSouth1
Example 2
host1(config-vr-group)#no aaa virtual-router 2
Use the no version of the command with the indexInteger parameter to delete a specific virtual router from a group. If all virtual routers in a group are deleted, the group is also deleted; a group must contain at least one virtual router.
See aaa virtual-router
deadtime
Use to configure the amount of time (0–1440 minutes) that a server is marked as unavailable if a request times out for the configured retry count.
If a server fails to answer a request, the router marks it unavailable. The router does not send requests to the server until the router receives a response from the server or until the configured time is reached, whichever occurs first.
If all servers fail to answer a request, then instead of marking all servers as unavailable, all servers are marked as available.
To turn off the deadtime mechanism, specify a value of 0.
Example
host1(config)#radius authentication server 10.10.0.1
host1(config-radius)#deadtime 10
Use the no version to set the time to the default value, 0.
See deadtime
key
Use to configure secrets on the primary, secondary, and tertiary authentication servers.
The authentication or accounting server secret is a text string used by RADIUS to encrypt the client and server authenticator field during exchanges between the router and a RADIUS authentication server. The router encrypts PPP PAP passwords using this text string.
The default is no server secret.
Example
host1(config)#radius authentication server 10.10.8.1
host1(config-radius)#key gismo
Use the no version to remove the secret.
NOTE: Authentication fails if no key is specified for the authentication server.
See key
logout subscribers
Use to issue an administrative reset to the user's connection to disconnect the user.
From Privileged Exec mode, you can log out all subscribers, or log out subscribers by username, domain, virtual-router, port, or icr-partition.
This command applies to PPP users, as well as to non-PPP DHCP users.
Example
host1#logout subscribers username bmurphy
There is no no version.
See logout subscribers
max-sessions
Use to configure the number of outstanding requests supported by an authentication or accounting server.
If the request limit is reached, the router sends the request to the next server.
NOTE: For information about the number of concurrent RADIUS requests that the router supports for authentication and accounting servers, see JUNOSe Release Notes, Appendix A, System Maximums.
The same IP address can be used for both an authentication and accounting server (but not for multiple servers of the same type). The router uses different UDP ports for authentication servers and accounting servers.
For each multiple of 255 requests (the RADIUS protocol limit), the router opens a new UDP source (or local) port on the server to send and receive RADIUS requests and responses.
Example
host1(config)#radius authentication server 10.10.0.1
host1(config-radius)#max-sessions 100
Use the no version to restore the default value, 255.
See max-sessions
no radius client
Use to remove all RADIUS servers for the virtual router context and to delete the E Series RADIUS client for the virtual router context.
Example
host1:boston(config)#no radius client
There is no affirmative version of this command; there is only a no version.
See no radius client
radius accounting server
Use to specify the IP address of authentication and accounting servers.
Example
host1(config)#radius authentication server 10.10.10.1
host1(config-radius)#exit
host1(config)#radius authentication server 10.10.10.2
host1(config-radius)#exit
host1(config)#radius authentication server 10.10.10.3
host1(config-radius)#exit
host1(config)#radius accounting server 10.10.10.20
host1(config-radius)#exit
host1(config)#radius accounting server 10.10.10.30
Use the no version to delete the instance of the RADIUS server.
See radius accounting server
radius algorithm
Use to specify the algorithm, either direct or round-robin, that the E Series RADIUS client uses to contact the RADIUS server.
The algorithm that you choose impacts the display status of a RADIUS server. For information on the effect of the algorithm configuration on the display of the show radius servers command, see Monitoring RADIUS Server Information on page 141.
Example
host1(config)#radius algorithm round-robin
Use the no version to set the algorithm to the default, direct.
See radius algorithm
radius override nas-info
Use to configure the RADIUS client to include the NAS-IP-Address [4] and NAS-Identifier [32] RADIUS attributes of the authenticating virtual router in accounting packets when the client performs AAA broadcast accounting. Normally, the accounting packets include the NAS-IP-Address and NAS-Identifier of the virtual router that generated the accounting information.
This override operation is a per-virtual router specification; use this command in the correct virtual router context.
This command is ignored if the authenticating virtual router does not have a configured RADIUS server.
Example
host1(config)#virtual-router vrXyz1
host1:vrXyz1(config)#radius override nas-info
host1:vrXyz1(config)#exit
Use the no version to restore inclusion of the NAS-IP-Address [4] and NAS-Identifier [32] RADIUS attributes of the virtual router that requested the accounting information.
See radius override nas-info
radius rollover-on-reject
Use to specify whether the router rolls over to the next RADIUS server when the router receives an Access-Reject message for the user it is authenticating.
Example
host1(config)#radius rollover-on-reject enable
Use the no version to set the default of disable.
See radius rollover-on-reject
radius tunnel-accounting
Use to specify that tunnel accounting be enabled or disabled.
This command turns on accounting messages: Tunnel-Start, Tunnel-Stop, Tunnel-Reject, Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject, as described in RFC 2867.
Your router supports tunnel accounting for the L2TP LAC and LNS.
Example
host1(config)#radius tunnel-accounting enable
Use the no version to set the default, disabled.
See radius tunnel-accounting
radius udp-checksum
Use to disable UDP checksums on virtual routers you configure for B-RAS.
Issue this command in the context of the appropriate virtual router.
Example
host1(config)#virtual-router boston
host1:boston(config)#radius udp-checksum disable
Use the no version to reenable UDP checksums on virtual routers you configure for B-RAS.
See radius udp-checksum
radius update-source-addr
Use to specify an alternate source IP address for the router to use rather than
the default router ID.
Example
host1(config)#radius update-source-addr 192.168.40.23
Use the no version to delete the parameter so that the router uses the router ID.
See radius update-source-addr
retransmit
Use to set the maximum number of times (0–100) that the router retransmits a RADIUS packet to an authentication or accounting server.
If there is no response from the primary RADIUS authentication or accounting server in the specified number of retries, the client sends the request to the secondary server. If there is no response from the secondary server, the router sends the request to the tertiary server, and so on.
Example
host1(config)#radius authentication server 10.10.8.1
host1(config-radius)#retransmit 2
Use the no version to set the value to the default, 3 retransmits.
See retransmit
test aaa
Use to verify RADIUS authentication and accounting and IP address assignment setup.
You must specify either a PPP or Multilink PPP (MLPPP) user. PPP indicates a regular PPP user. MLPPP simulates Multilink PPP so that if multiple test commands are issued, all test users are bound by the same address.
The command uses a username and password and attempts to authenticate a user, get an address assignment, and issue a start accounting request.
Optionally, you can specify the virtual router context in which to authenticate the user.
The command pauses for several seconds, then terminates the session by issuing a stop accounting request and an address release.
Example
host1#test aaa ppp jsmith mypassword virtual-router charlie2
NOTE: Specifying the password to associate with the username is optional. Specifying a virtual router is optional.
There is no no version.
See test aaa
timeout
Use to set the number of seconds (1–1000) before the router retransmits a RADIUS packet to an authentication or accounting server.
If the interval is reached and there is no response from the primary RADIUS authentication or accounting server, the router attempts another retry. When the retry limit is reached, the client sends the request to the secondary server. When the retry limit for the secondary server is reached, the router attempts to reach the tertiary server, and so on.
NOTE: After the fourth retransmission, the configured timeout value is ignored, and the router uses a backoff algorithm that increases the timeout between each succeeding transmission.
The backoff algorithm is:
Example
host1(config)#radius authentication server 10.10.0.1
host1(config-radius)#timeout 5
Use the no version to restore the default value, 3 seconds.
NOTE: When a RADIUS server times out or when it has no available RADIUS identifier values, the router removes the RADIUS server from the list of available servers for a period of time. The router restores all configured servers to the list if it is about to remove the last server. Restoring the servers avoids having an empty server list.
See timeout
udp-port
Use to configure the UDP port on the router where the RADIUS authentication, accounting, preauthentication, and route-download servers reside. The router uses this port to communicate with the RADIUS authentication servers.
Specify a port number in the range 0–65536. For authentication, preauthentication, or route-download servers, the default UDP port is 1812. For accounting servers, the default is 1813.
For an accounting server, specify a port number in the range 0–65536. The default is 1813.
Example
host1(config)#radius authentication server 10.10.9.1 host1(config-radius)#udp-port 1645
Use the no version to set the port number to the default value.
See udp-port
SNMP Traps and System Log Messages
The router can send Simple Network Management Protocol (SNMP) traps to alert network managers when:
A RADIUS server fails to respond to a request.
A RADIUS server that previously failed to respond to a request (and was consequently removed from the list of active servers) returns to active service.
Returning to active service means that the E Series RADIUS client receives a valid response to an outstanding RADIUS request after the server is marked unavailable.
All RADIUS servers within a VR context fail to respond to a request.
The router also generates system log messages when RADIUS servers fail to respond or when they return to active service; no configuration is required for system log messages.
SNMP Traps
The router generates SNMP traps and system log messages as follows:
If the first RADIUS server fails to respond to the RADIUS request, the E Series RADIUS client issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server timed out. The E Series RADIUS client will not issue another system log message or SNMP trap regarding this RADIUS server until the deadtime expires, if configured, or for 3 minutes if deadtime is not configured.
The E Series RADIUS client then sends the RADIUS request to the second configured RADIUS server. If the second RADIUS server fails to respond to the RADIUS request, the E Series RADIUS client again issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server timed out.
This process continues until either the E Series RADIUS client receives a valid response from a RADIUS server or the list of configured RADIUS servers is exhausted. If the list of RADIUS servers is exhausted, the E Series RADIUS client issues a system log message and, if configured, an SNMP trap indicating that all RADIUS servers have timed out.
If the E Series RADIUS client receives a RADIUS response from a dead RADIUS server during the deadtime period, the RADIUS server is restored to active status.
If the router receives a valid RADIUS response to an outstanding RADIUS request, the E Series client issues a system log message and, if configured, an SNMP trap indicating that the RADIUS server is now available.
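The sequence just described, together with the retransmit, deadtime and rollover-on-reject semantics from the command reference earlier in this chapter, is easier to reason about as a state machine. The Python block below is an added model written for this page, not JUNOSe code: it walks the configured servers in order, retries each up to its retransmit count, marks a silent server unavailable for its deadtime, suppresses repeat alarms for the deadtime (or 3 minutes when deadtime is not configured), restores the whole list rather than leaving it empty when every server fails, and emits the warning-level syslog lines whose formats are given under System Log Messages. The simulated clock (`now`, in seconds), the transport callback and all class and function names are assumptions; the backoff between retransmissions mentioned in the timeout entry is not modelled.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Added illustration of the server-selection rules this chapter documents
# (retransmit, deadtime, rollover-on-reject, "all dead -> all restored") and
# the syslog lines of the System Log Messages section. Not JUNOSe code;
# `now` is a simulated clock in seconds and timeout waiting is not modelled.
SUPPRESS_WITHOUT_DEADTIME = 3 * 60   # page: 3 minutes when deadtime is not configured

Response = Optional[str]             # "ACCEPT", "REJECT", or None for no answer


@dataclass
class RadiusServer:
    address: str
    retransmit: int = 3              # retries after the first send (page default 3)
    deadtime_min: int = 0            # minutes; 0 turns the mechanism off
    unavailable_until: float = 0.0
    last_alarm_at: Optional[float] = None
    marked_unavailable: bool = False


@dataclass
class RadiusClientModel:
    vr: str
    kind: str                        # "authentication" or "accounting"
    servers: List[RadiusServer]
    rollover_on_reject: bool = False
    log: List[str] = field(default_factory=list)

    def _alarm_window(self, srv: RadiusServer) -> float:
        return srv.deadtime_min * 60 if srv.deadtime_min else SUPPRESS_WITHOUT_DEADTIME

    def _timed_out(self, srv: RadiusServer, now: float,
                   next_srv: Optional[RadiusServer]) -> None:
        srv.unavailable_until = now + srv.deadtime_min * 60
        srv.marked_unavailable = True
        # one alarm per server per deadtime window (or 3 minutes), as the page states
        if srv.last_alarm_at is None or now - srv.last_alarm_at >= self._alarm_window(srv):
            srv.last_alarm_at = now
            msg = f"RADIUS {self.kind} server {srv.address} unavailable in VR {self.vr}"
            if next_srv is not None:
                msg += f"; trying {next_srv.address}"
            self.log.append(msg)

    def _answered(self, srv: RadiusServer) -> None:
        if srv.marked_unavailable:   # "available" is logged only after an outage
            srv.marked_unavailable = False
            srv.unavailable_until = 0.0
            self.log.append(f"RADIUS {self.kind} server {srv.address} available in VR {self.vr}")

    def late_response(self, srv: RadiusServer) -> None:
        """A reply from a dead server during its deadtime restores it at once."""
        self._answered(srv)

    def send(self, request: dict, transport: Callable[[RadiusServer, dict], Response],
             now: float) -> Tuple[Response, Optional[str]]:
        candidates = [s for s in self.servers if s.unavailable_until <= now]
        if not candidates:           # never run with an empty list: restore all
            for s in self.servers:
                s.unavailable_until = 0.0
            candidates = list(self.servers)
        timed_out: List[RadiusServer] = []
        last: Tuple[Response, Optional[str]] = (None, None)
        for i, srv in enumerate(candidates):
            resp = None
            for _ in range(1 + srv.retransmit):       # first send plus retries
                resp = transport(srv, request)
                if resp is not None:
                    break
            if resp is None:
                timed_out.append(srv)
                self._timed_out(srv, now, candidates[i + 1] if i + 1 < len(candidates) else None)
                continue
            self._answered(srv)
            last = (resp, srv.address)
            if resp == "REJECT" and self.rollover_on_reject:
                continue             # radius rollover-on-reject enable: try the next server
            return last
        if len(timed_out) == len(candidates):
            self.log.append(f"RADIUS no {self.kind} servers responding in VR {self.vr}")
            for s in self.servers:   # all failed: mark all available, not all dead
                s.unavailable_until = 0.0
            return (None, None)
        return last                  # every answering server rejected the user
```

Feeding the model a first server that never answers and a second that accepts reproduces the page's sequence: one "unavailable ... trying" line at the first failure, silence on the next request because the dead server is skipped, a fresh alarm once its deadtime has elapsed, and an "available" line when a late reply arrives.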
System Log Messages
You do not need to configure system log messages. The router automatically sends them when individual servers do not respond to RADIUS requests and when all servers on a VR fail to respond to requests. The following are the formats of the warning level system log messages:
RADIUS [ authentication | accounting ] server serverAddress unavailable in VR virtualRouterName [; trying nextServerAddress]
RADIUS no [ authentication | accounting ] servers responding in VR virtualRouterName
RADIUS [ authentication | accounting ] server serverAddress available in VR virtualRouterName
Configuring SNMP Traps
This section describes how to configure the router to send traps to SNMP when RADIUS servers fail to respond to messages, and how to configure SNMP to receive the traps.
To set up the router to send traps:
1. (Optional) Enable SNMP traps when a particular RADIUS authentication server
fails to respond to Access-Request messages.
host1(config)#radius trap auth-server-not-responding enable
2. (Optional) Enable SNMP traps when all of the configured RADIUS authentication
servers on a VR fail to respond to Access-Request messages.
host1(config)#radius trap no-auth-server-responding enable
3. (Optional) Enable SNMP traps when a RADIUS authentication server returns to
active service.
host1(config)#radius trap auth-server-responding enable
4. (Optional) Enable SNMP traps when a RADIUS accounting server fails to respond
to a RADIUS accounting request.
host1(config)#radius trap acct-server-not-responding enable
5. (Optional) Enable SNMP traps when all of the RADIUS accounting servers on a
VR fail to respond to a RADIUS accounting request.
host1(config)#radius trap no-acct-server-responding enable
6. (Optional) Enable SNMP traps when a RADIUS accounting server returns to active service.
host1(config)#radius trap acct-server-responding enable
To set up SNMP to receive RADIUS traps:
1. Set up the appropriate SNMP community strings.
host1(config)#snmp-server community admin view everything rw
host1(config)#snmp-server community private view user rw
host1(config)#snmp-server community public view everything ro
2. Specify the interface whose IP address is the source address for SNMP traps.
host1(config)#snmp-server trap-source fastEthernet 0/0
3. Configure the host that should receive the SNMP traps.
host1(config)#snmp-server host 10.10.132.93 version 2c 3 udp-port 162 radius
4. Enable the SNMP router agent to receive and forward RADIUS traps.
host1(config)#snmp-server enable traps radius
5. Enable SNMP on the router.
host1(config)#snmp-server
NOTE: For more information about these SNMP commands, see JUNOSe System
Basics Configuration Guide.
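The system log formats above are what a log collector sees, and the trap commands in the procedure decide whether an SNMP trap accompanies each message. As an added example (not part of the Juniper guide), the following Python parses constructed sample lines in those three formats into events, maps each event to the radius trap command that governs the matching trap, and keeps track of which virtual routers currently have no server of a given kind responding. The sample lines, addresses and VR names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample syslog lines in the three warning-level formats documented
# above; the server addresses and VR names are made up for the example.
SAMPLE_LOG = """\
RADIUS authentication server 10.1.1.10 unavailable in VR default; trying 10.1.1.11
RADIUS accounting server 10.1.1.20 unavailable in VR boston1
RADIUS no accounting servers responding in VR boston1
RADIUS no authentication servers responding in VR default
RADIUS authentication server 10.1.1.10 available in VR default
"""

# The "radius trap ... enable" command (from the procedure above) that governs
# the SNMP trap corresponding to each message kind.
TRAP_COMMAND = {
    ("authentication", "unavailable"): "radius trap auth-server-not-responding enable",
    ("accounting", "unavailable"): "radius trap acct-server-not-responding enable",
    ("authentication", "none_responding"): "radius trap no-auth-server-responding enable",
    ("accounting", "none_responding"): "radius trap no-acct-server-responding enable",
    ("authentication", "available"): "radius trap auth-server-responding enable",
    ("accounting", "available"): "radius trap acct-server-responding enable",
}

SERVER_RE = re.compile(
    r"^RADIUS (?P<kind>authentication|accounting) server (?P<server>\S+) "
    r"(?P<state>unavailable|available) in VR (?P<vr>[^;\s]+)"
    r"(?:; trying (?P<next>\S+))?$"
)
NONE_RE = re.compile(
    r"^RADIUS no (?P<kind>authentication|accounting) servers responding in VR (?P<vr>\S+)$"
)


@dataclass
class RadiusEvent:
    kind: str                          # "authentication" or "accounting"
    state: str                         # "unavailable", "available" or "none_responding"
    vr: str                            # virtual router named in the message
    server: Optional[str] = None       # absent for the "no ... servers responding" format
    next_server: Optional[str] = None  # present only when the client fails over

    @property
    def trap_command(self) -> str:
        return TRAP_COMMAND[(self.kind, self.state)]


def parse_line(line: str) -> Optional[RadiusEvent]:
    """Parse one RADIUS client syslog line; return None for any other line."""
    m = SERVER_RE.match(line)
    if m:
        return RadiusEvent(m["kind"], m["state"], m["vr"], m["server"], m["next"])
    m = NONE_RE.match(line)
    if m:
        return RadiusEvent(m["kind"], "none_responding", m["vr"])
    return None


def parse_log(text: str) -> List[RadiusEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def total_outages(events: List[RadiusEvent]) -> Set[Tuple[str, str]]:
    """(VR, kind) pairs whose most recent state is 'no servers responding'.

    A later 'available' message for a server of that kind in that VR clears the
    outage, because the client then has a server to talk to again.
    """
    down = {}
    for ev in events:
        key = (ev.vr, ev.kind)
        if ev.state == "none_responding":
            down[key] = True
        elif ev.state == "available":
            down[key] = False
    return {key for key, is_down in down.items() if is_down}
```

Running `total_outages(parse_log(SAMPLE_LOG))` reports only boston1's accounting servers as down: the default VR's authentication outage was cleared by the later "available" message. The per-server "unavailable" messages are kept as events but do not by themselves mean the VR has lost service, since the client may be trying the next server.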
radius trap acct-server-not-responding
Use to enable or disable SNMP traps when a particular RADIUS accounting server
fails to respond to a RADIUS accounting request.
The associated SNMP object is rsRadiusClientTrapOnAcctServerUnavailable.
Example
host1(config)#radius trap acct-server-not-responding enable
Use the no version to return to the default setting, disabled.
See radius trap acct-server-not-responding
radius trap acct-server-responding
Use to enable or disable SNMP traps when a RADIUS accounting server returns to service after being marked as unavailable.
The associated SNMP object is rsRadiusClientTrapOnAcctServerAvailable.
This command affects only the current VR context.
Example
host1(config)#radius trap acct-server-responding enable
Use the no version to restore the default, disabled.
See radius trap acct-server-responding
radius trap auth-server-not-responding
Use to enable or disable SNMP traps when a RADIUS authentication server fails
to respond to a RADIUS Access-Request message.
The associated SNMP object is rsRadiusClientTrapOnAuthServerUnavailable.
Example
host1(config)#radius trap auth-server-not-responding enable
Use the no version to return to the default setting, disabled.
See radius trap auth-server-not-responding
radius trap auth-server-responding
Use to enable RADIUS to send SNMP traps when a RADIUS authentication server
returns to service after being marked as unavailable.
The associated SNMP object is rsRadiusClientTrapOnAuthServerAvailable.
This command affects only the current VR context.
Example
host1(config)#radius trap auth-server-responding enable
Use the no version to restore the default setting, disabled.
See radius trap auth-server-responding
radius trap no-acct-server-responding
Use to enable or disable SNMP traps when all of the configured RADIUS
accounting servers per VR fail to respond to a RADIUS accounting request.
The associated SNMP object is rsRadiusClientTrapOnNoAcctServerAvailable.
Example
host1(config)#radius trap no-acct-server-responding enable
Use the no version to return to the default setting, disabled.
See radius trap no-acct-server-responding
radius trap no-auth-server-responding
Use to enable or disable SNMP traps when all of the configured RADIUS
authentication servers per VR fail to respond to a RADIUS Access-Request message.
The associated SNMP object is rsRadiusClientTrapOnNoAuthServerAvailable.
Example
host1(config)#radius trap no-auth-server-responding enable
Use the no version to return to the default setting, disabled.
See radius trap no-auth-server-responding
Configuring Local Authentication Servers
The AAA local authentication server enables the E Series router to provide local PAP and CHAP user authentication for subscribers. The router also provides limited authorization, using the IP address, IP address pool, and operational virtual router parameters. When a subscriber logs on to the E Series router that is using local authentication, the subscriber is authenticated against user entries in a local user database; the optional parameters are assigned to subscribers after the subscriber is authenticated.
Creating the Local Authentication Environment
To create your local authentication environment:
1. Create local user databases: Create the default database or a named database.
2. Add entries to local user databases: Add user entries to the database. A database can contain information for multiple users.
3. Assign a local user database to the virtual router: Specify the database that the virtual router will use to authenticate subscribers.
4. Enable local authentication on the virtual router: Specify the local method as an AAA authentication method used by the virtual router.
Creating Local User Databases
When a subscriber connects to an E Series router that is using local authentication, the local authentication server uses the entries in the local user database selected by the virtual router to authenticate the subscriber.
A local authentication server can have multiple local user databases, and each database can have entries for multiple subscribers. The default local user database, if it exists, is used for local authentication by default. The E Series router supports a maximum of 100 user entries. A maximum of 100 databases can be configured.
To create a local user database, use the aaa local database command and the name of the database; use the name default to create the default local user database:
host1(config)#aaa local database westLocal40
Adding User Entries to Local User Databases
The local authentication server uses the information in a local user database to authenticate a subscriber. A local user database can contain information for multiple users.
The E Series router provides two commands for adding entries to local user databases: the username command and the aaa local username command. You can specify the following parameters:
Username: Name associated with the subscriber.
Passwords and secrets: Single words that can be encrypted or unencrypted. Passwords use two-way encryption, and secrets use one-way encryption. Both passwords and secrets can be used with PAP authentication; however, only passwords can be used with CHAP authentication.
IP address: The IP address to assign to the subscriber (aaa local username command only).
IP address pool: The IP address pool used to assign the subscriber's IP address (aaa local username command only).
Operational virtual router: The virtual router to which the subscriber is assigned. This parameter is applicable only if the subscriber is authenticated by the default virtual router (aaa local username command only).
Using the username Command
The username command is similar to the command used by some third-party vendors. The command can be used to add entries in the default local user database; it is not supported for named local user databases. The IP address, IP address pool, and operational virtual router parameters are not supported in the username command. However, after the user is added to the default local user database, you can use the aaa local username command with a database name default to enter Local User Configuration mode and add the additional parameters.
NOTE: If the default local user database does not exist, the username command creates this database and adds the user entry to the database.
To add a subscriber and password or secret to the default local user database, complete the following step:
host1(config)#username rockyB password rockyPassword
Using the aaa local username Command
To enter Local User Configuration mode and add user entries to a local user database, use the following commands:
1. Specify the subscriber's username and the database you want to use. Use the database name default to specify the default local user database. This command also puts the router into Local User Configuration mode.
host1(config)# aaa local username cksmith database westLocal40
host1(config-local-user)#
NOTE: You can use the aaa local username command to add or modify user entries to a default database that was created by the username command.
2. (Optional) Specify the type of encryption algorithm and the password or secret
that the subscriber must use to connect to the router. A subscriber can be assigned either a password or a secret, but not both. For example:
host1(config-local-user)#password 8 iTtakes2%
3. (Optional) Specify the IP address to assign to the subscriber.
host1(config-local-user)#ip-address 192.168.101.19
4. (Optional) Specify the IP address pool used to assign the subscriber's IP address.
host1(config-local-user)#ip-address-pool svPool2
5. (Optional) Assign the subscriber to an operational virtual router. This parameter
is applicable only if the subscriber is authenticated in the default virtual router.
host1(config-local-user)#operational-virtual-router boston2
Assigning a Local User Database to a Virtual Router
Use the procedure in this section to assign a local user database to a virtual router. The virtual router uses the database for local authentication when the subscriber connects to the E Series router. Use the following commands in Global Configuration mode:
NOTE: If you do not specify a local user database, the virtual router selects the default database by default. This applies to all virtual routers.
1. Specify the virtual router name.
host1(config)# virtual-router cleveland
2. Specify the database to use for authentication on this virtual router.
host1:cleveland(config)# aaa local select database westLocal40
Enabling Local Authentication on the Virtual Router
On the E Series router, RADIUS is the default AAA authentication method for PPP subscribers. Use the commands in this section to specify that the local authentication method is used.
To enable local authentication on the default router, use the following command:
host1(config)# aaa authentication ppp default local
To enable local authentication on a specific virtual router, first select the virtual router:
host1(config)# virtual-router cleveland
host1:cleveland(config)# aaa authentication ppp default local
Configuration Commands
Use the following commands to configure the local authentication server.
aaa authentication default
Use to specify that the local authentication method is used to authenticate PPP subscribers on the default virtual router or on the selected virtual router.
NOTE: You can specify multiple authentication methods; for example, aaa authentication ppp default local radius. If, during local authentication, the matching user entry is not found in a populated database or if it is found and rejected, the authentication procedure terminates. However, if the specified local user database is empty or if it does not exist, the authentication process uses the next authentication method specified (RADIUS in this case).
Example
host1(config)#aaa authentication ppp default local radius
Use the no version to restore the default authentication method of radius.
See aaa authentication default
aaa local database
Use to create a local user database.
Use the database name default to specify the default local user database, or enter a name for the specific local user database.
Example
host1(config)#aaa local database westLocal40
Use the no version to delete the specified database and all entries in the database.
See aaa local database
aaa local select database
Use to assign the local user database that the virtual router uses for local authentication.
Example
host1(config)#virtual-router cleveland
host1:cleveland(config)#aaa local select database westLocal40
Use the no version to restore the default setting, which uses the default local user database for local authentication.
See aaa local select database
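The note on aaa authentication default describes a fallback rule that is easy to get wrong when planning a method list: a populated local database is authoritative, and only an empty or missing database lets authentication continue to the next method. As an added example (not part of the Juniper guide and not the router's implementation), the following Python models a virtual router's method list with that rule and shows the consequence for a user who exists only on the RADIUS server. The databases, users and the stand-in RADIUS server are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Verdict = str  # "accept", "reject" or "next" (fall through to the next method)


@dataclass
class LocalDatabase:
    """One "aaa local database" with its user entries (clear-text passwords here, for brevity)."""
    name: str
    users: Dict[str, str] = field(default_factory=dict)


@dataclass
class VirtualRouter:
    name: str
    methods: List[str]                  # from "aaa authentication ppp default <method> ..."
    selected_db: Optional[str] = None   # from "aaa local select database"; None = default


def local_method(db: Optional[LocalDatabase], username: str, password: str) -> Verdict:
    """Apply the rule in the note on aaa authentication default."""
    if db is None or not db.users:
        return "next"        # missing or empty database: try the next method
    stored = db.users.get(username)
    if stored is None or stored != password:
        return "reject"      # populated database: no match, or a mismatch, ends authentication
    return "accept"


def authenticate(vr: VirtualRouter, databases: Dict[str, LocalDatabase],
                 username: str, password: str,
                 radius: Callable[[str, str], Verdict]) -> Verdict:
    """Walk the VR's method list; the first method that does not fall through decides."""
    db = databases.get(vr.selected_db or "default")
    for method in vr.methods:
        if method == "local":
            verdict = local_method(db, username, password)
        elif method == "radius":
            verdict = radius(username, password)
        elif method == "none":
            verdict = "accept"    # "none" grants access without checking credentials
        else:
            raise ValueError("unknown method %r" % method)
        if verdict != "next":
            return verdict
    return "reject"               # every method fell through


def demo() -> Dict[str, Verdict]:
    # Constructed databases and a stand-in for the RADIUS server (no real RADIUS exchange).
    databases = {
        "default": LocalDatabase("default", {"cksmith": "yourPassword1"}),
        "westfordLocal40": LocalDatabase("westfordLocal40", {"btjones": "38schillCy"}),
        "emptyDb": LocalDatabase("emptyDb"),
    }
    radius_users = {"rbrown": "radiusPw"}
    radius = lambda u, p: "accept" if radius_users.get(u) == p else "reject"

    populated = VirtualRouter("default", ["local", "radius"], "westfordLocal40")
    empty = VirtualRouter("chicago", ["local", "radius"], "emptyDb")
    missing = VirtualRouter("cleveland", ["local", "radius"], "noSuchDb")
    return {
        "match_in_populated_db": authenticate(populated, databases, "btjones", "38schillCy", radius),
        "wrong_password": authenticate(populated, databases, "btjones", "wrong", radius),
        # rbrown is a valid RADIUS user, but the populated local database has no entry
        # for him, so authentication terminates before RADIUS is ever consulted.
        "radius_user_blocked_by_populated_db": authenticate(populated, databases, "rbrown", "radiusPw", radius),
        "empty_db_falls_through": authenticate(empty, databases, "rbrown", "radiusPw", radius),
        "missing_db_falls_through": authenticate(missing, databases, "rbrown", "radiusPw", radius),
    }
```

The model also makes the effect of a trailing none method visible: with "local none" and an empty or missing database, every subscriber is accepted, which is what the example later in this section configures.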
aaa local username
Use to configure a user entry in the specified local user database and to enter
Local User Configuration mode.
The username must be unique within a particular database; however, the same
username can be used in different databases.
Use the database name default to configure the username in the default local
user database.
NOTE: The router supports usernames up to 64 characters long; however, PAP and CHAP support is limited to 31-character usernames.
Example
host1(config)#aaa local username cksmith database westLocal40
Use the no version to delete the user entry from the specified local user database.
Use the database name default to delete the user entry from the default local user database.
See aaa local username
ip address
Use to specify the IP address parameter for a user entry in the local user database. The address is negotiated with the subscriber after the subscriber is authenticated.
Example
host1(config-local-user)#ip-address 192.168.42.6
Use the no version to delete the IP address parameter from the user entry in the local user database.
See ip address
ip address-pool
Use to specify the IP address pool parameter for a user entry in the local user database. The address pool is used to assign an IP address to the subscriber; the address is negotiated with the subscriber after the subscriber is authenticated.
Example
host1(config-local-user)#ip-address-pool svPool2
Use the no version to delete the IP address pool parameter from the user entry in the local user database.
See ip address-pool
operational-virtual-router
Use to specify the virtual router parameter for a user entry in the local user database. The subscriber is assigned to the operational virtual router only if the default virtual router performs the authentication.
If authentication is performed by a non-default virtual router, then the subscriber is assigned to the same virtual router that performs authentication, regardless of this parameter setting.
Example
host1(config-local-user)#operational-virtual-router boston2
Use the no version to delete the operational virtual router parameter from the user entry in the local user database.
See operational-virtual-router
password
Use to add a password to a user entry in the local user database. The password is used to authenticate a subscriber, and is encrypted by means of a two-way encryption algorithm.
NOTE: CHAP authentication requires that passwords and secrets be stored in clear text or use two-way encryption. Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.
The new password replaces any current password or secret.
Specify one of the following encryption algorithms, followed by the password:
0: An unencrypted password; this is the default
8: A two-way encrypted password
Example
host1(config-local-user)#password 0 myPassword
Use the no version to delete the password or secret from the user entry in the local user database.
See password
secret
Use to add a secret to a user entry in the local user database. The secret is used
to authenticate a subscriber, and is encrypted by means of the Message Digest 5 (MD5) encryption algorithm.
NOTE: CHAP authentication requires that passwords and secrets be stored in clear text or use two-way encryption. Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.
The new secret replaces any current password or secret.
Specify one of the following encryption algorithms, followed by the secret:
0: An unencrypted secret; this is the default
5: An MD5-encrypted secret
Example
host1(config-local-user)#secret 5 Q3&t9REwk45jxSM#fj$z
Use the no version to delete the secret or password from the user entry in the local user database.
See secret
user-name
Use to configure a user entry and optional password or secret in the default local
user database. This command creates the database if it does not already exist.
Optionally, specify a password or secret that is assigned to the user in the default
local user database, or specify that no password is required for the particular username.
Specify one of the following encryption algorithms, followed by the password:
0: An unencrypted password; this is the default
8: A two-way encrypted password
Specify one of the following encryption algorithms, followed by the secret:
0: An unencrypted secret; this is the default
5: An MD5-encrypted secret
Use the nopassword keyword to remove the password or secret.
NOTE: CHAP authentication requires that passwords and secrets be stored in clear text or use two-way encryption. Two-way encryption is not supported for the secret command. Therefore, use the password command if you want to enable encryption for subscribers that use CHAP authentication.
Example
host1(config)#username cksmith secret 5 Q3&t9REwk45jxSM#fj$z
Use the no version to delete the username entry from the default local user
database.
See user-name
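The note repeated under password, secret and user-name rests on a property of the two protocols: PAP delivers the clear-text password, so the router can check it against either a reversible password or a one-way secret, whereas CHAP delivers only an MD5 response that the router must recompute from the clear text. As an added example (not part of the Juniper guide and not the router's implementation), the following Python models both checks against a user entry holding either form. The router's two-way algorithm for password 8 is not documented, so a fixed-key XOR stands in for it purely as a placeholder (an assumption of this example); the MD5 secret and the CHAP response computation follow the stated algorithm and RFC 1994 respectively. Users, passwords and the challenge are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# ASSUMPTION for this example only: the router's two-way "password 8" algorithm is not
# documented, so a fixed-key XOR stands in for it. It is trivially reversible, which is
# the property that matters here; it must not be mistaken for real protection.
_DEMO_KEY = b"example-two-way-key"


def two_way_encrypt(clear: str) -> bytes:
    return bytes(b ^ _DEMO_KEY[i % len(_DEMO_KEY)] for i, b in enumerate(clear.encode()))


def two_way_decrypt(blob: bytes) -> str:
    return bytes(b ^ _DEMO_KEY[i % len(_DEMO_KEY)] for i, b in enumerate(blob)).decode()


def md5_secret(clear: str) -> str:
    """Model "secret 5": a one-way MD5 digest; the clear text cannot be recovered from it."""
    return hashlib.md5(clear.encode()).hexdigest()


@dataclass
class UserEntry:
    username: str
    password_blob: Optional[bytes] = None   # set by "password 8 ..."
    secret_hash: Optional[str] = None       # set by "secret 5 ..."


def set_password(entry: UserEntry, clear: str) -> None:
    entry.password_blob, entry.secret_hash = two_way_encrypt(clear), None  # replaces any secret


def set_secret(entry: UserEntry, clear: str) -> None:
    entry.secret_hash, entry.password_blob = md5_secret(clear), None       # replaces any password


def pap_authenticate(entry: UserEntry, supplied: str) -> bool:
    """PAP delivers the clear-text password, so either stored form can be checked."""
    if entry.password_blob is not None:
        return hmac.compare_digest(two_way_decrypt(entry.password_blob).encode(), supplied.encode())
    if entry.secret_hash is not None:
        return hmac.compare_digest(md5_secret(supplied), entry.secret_hash)
    return False


def chap_response(ident: int, clear_password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + clear_password.encode() + challenge).digest()


def chap_authenticate(entry: UserEntry, ident: int, challenge: bytes, response: bytes) -> bool:
    """CHAP never sends the password; the router recomputes the response itself,
    which needs the clear text. An entry holding only a one-way secret cannot be verified."""
    if entry.password_blob is None:
        return False
    expected = chap_response(ident, two_way_decrypt(entry.password_blob), challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    challenge = bytes(range(16))   # constructed; a real authenticator sends a random challenge
    with_password = UserEntry("cksmith")
    set_password(with_password, "yourPassword1")
    with_secret = UserEntry("btjones")
    set_secret(with_secret, "38schillCy")
    return {
        "pap_password": pap_authenticate(with_password, "yourPassword1"),
        "pap_secret": pap_authenticate(with_secret, "38schillCy"),
        "pap_secret_wrong": pap_authenticate(with_secret, "guess"),
        "chap_password": chap_authenticate(with_password, 7, challenge,
                                           chap_response(7, "yourPassword1", challenge)),
        # The peer's response is correct, but the router holds only an MD5 secret.
        "chap_secret": chap_authenticate(with_secret, 7, challenge,
                                         chap_response(7, "38schillCy", challenge)),
    }
```

The last entry in demo() is the case the note warns about: the CHAP peer computed a valid response from the right password, yet verification fails because the stored secret cannot be turned back into the clear text the computation needs. Constant-time comparison (hmac.compare_digest) is used for every check so that the comparison itself does not leak anything about the stored value.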
Local Authentication Example
This example creates a sample local authentication environment. The steps in this example:
1. Create a named local user database (westfordLocal40).
2. Configure the database westfordLocal40.
Add users btjones and maryrdavis and their attributes to the database.
3. Create the default local database using the optional username command.
Add optional subscriber parameters for user cksmith to the default database.
4. Assign the default local user database to virtual router cleveland; assign database
westfordLocal40 to the default virtual router and to virtual router chicago.
5. Enable AAA authentication methods local and none on all virtual routers.
6. Use the show commands to display information for the local authentication
environment (various show command displays are listed after the example).
Example 1 This example shows the commands you use to create the AAA local authentication
environment.
host1(config)#aaa local database westfordLocal40
host1(config)#aaa local username btjones database westfordLocal40
host1(config-local-user)#secret 38schillCy
host1(config-local-user)#ip-address-pool addressPoolA
host1(config-local-user)#operational-virtual-router boston2
host1(config-local-user)#exit
host1(config)#aaa local username maryrdavis database westfordLocal40
host1(config-local-user)#secret 0 dav1sSecret99
host1(config-local-user)#ip-address 192.168.20.106
host1(config-local-user)#operational-virtual-router boston1
host1(config-local-user)#exit
host1(config)#username cksmith password 0 yourPassword1
host1(config)#aaa local username cksmith database default
host1(config-local-user)#ip-address-pool addressPoolA
host1(config-local-user)#operational-virtual-router boston2
host1(config-local-user)#exit
host1(config)#virtual-router cleveland
host1(config)#aaa local select database default
host1(config)#virtual-router default
host1(config)#aaa local select database westfordLocal40
host1(config)#virtual-router chicago
host1(config)#aaa local select database westfordLocal40
host1(config)#virtual-router default
host1(config)#aaa authentication ppp default local none
Example 2 This example verifies that local authentication is configured on the router.
host1#show aaa authentication ppp default local none
Example 3 This example uses the show configuration category aaa local-authentication
command with the databases keyword to show the local user databases that are configured on the router.
host1# show configuration category aaa local-authentication databases
! Configuration script being generated on TUE NOV 09 2004 12:50:18 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication databases
!
hostname host1
aaa new-model
aaa local database default
aaa local database westfordLocal40
Example 4 This example uses the local-authentication users keywords to show the configured
users and their parameters. The password for username cksmith is displayed unencrypted because the default setting of disabled or no for the service password-encryption command is used for the example. Secrets are always displayed encrypted.
host1# show configuration category aaa local-authentication users
! Configuration script being generated on THU NOV 11 2004 13:40:41 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 10, 2004 21:15)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication users
!
hostname host1
aaa new-model
aaa local username cksmith database default
 password yourPassword1
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
 secret 5 }9s7-4N<WK2)2=)^!6~#
 operational-virtual-router boston2
 ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
 secret 5 E@A:nDXJJ<irb\`mF#[j
 operational-virtual-router boston1
 ip-address 192.168.20.106
Example 5 This example uses the users include-defaults keywords to show the configured users and their parameters, including the default parameters no ip-address and no ip-address-pool.
host1# show configuration category aaa local-authentication users include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:03 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication users
!
hostname host1
aaa new-model
aaa local username cksmith database default
 password yourPassword1
 operational-virtual-router boston2
 no ip-address
 ip-address-pool addressPoolA
!
aaa local username btjones database westfordLocal40
 secret 5 }9s7-4N<WK2)2=)^!6~#
 operational-virtual-router boston2
 no ip-address
 ip-address-pool addressPoolA
!
aaa local username maryrdavis database westfordLocal40
 secret 5 E@A:nDXJJ<irb\`mF#[j
 operational-virtual-router boston1
 ip-address 192.168.20.106
 no ip-address-pool
Example 6 This example uses the virtual-router keyword with the default specification to show
the local user database that is used by the default virtual router.
host1# show configuration category aaa local-authentication virtual-router default
! Configuration script being generated on TUE NOV 09 2004 13:09:45 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router default
 aaa local select database westfordLocal40
Example 7 This example uses the virtual-router keyword with a named virtual router. The
include-defaults keyword shows the default configuration, including the line showing
that there is no named local user database selected.
host1# show configuration category aaa local-authentication virtual-router cleveland include-defaults
! Configuration script being generated on TUE NOV 09 2004 13:09:25 UTC
! Juniper Edge Routing Switch ERX-1400
! Version: 6.1.0 (November 8, 2004 18:31)
! Copyright (c) 1999-2004 Juniper Networks, Inc. All rights reserved.
!
! Commands displayed are limited to those available at privilege level 15
!
! NOTE: This script represents only a subset of the full system configuration.
! The category displayed is: aaa local-authentication
!
virtual-router cleveland
 no aaa local select
Configuring Tunnel Subscriber Authentication
When a AAA domain map includes any tunnel configuration, users in this domain are considered to be tunnel subscribers. By default, any such subscriber is granted access without being authenticated by the authentication server. Access is granted even when the user provides an invalid username and password. The tunnel configuration for the subscriber comes from the AAA domain map.
For example, if the authentication protocol for a AAA domain map is RADIUS, AAA grants access to subscribers from this domain immediately without sending access requests to the configured RADIUS server. Because of this behavior, these subscribers cannot get any additional control attributes from the authentication server. This reduces your ability to manage the tunnel subscribers.
In this default situation, if you want the domain subscribers to be managed by the authentication server for any control attribute, then that domain map cannot have any tunnel configuration. Typically, this means you must configure the subscriber individually.
You can use the tunnel-subscriber authentication command to get around this limitation. When you enable authentication with this command, access requests for the tunnel subscribers in the domain are sent to the configured authentication server. When the access replies from authentication server are processed, various user attributes from the server can be applied to the subscribers.
When the authentication server returns tunnel attributes, these returned values take precedence over the corresponding local tunnel configuration values in the AAA domain map. If the server does not return any tunnel attributes, then the tunnel subscriber's tunnel settings are configured according to the domain map's tunnel settings.
If the authentication server returns a redirect VSA and the corresponding AAA domain map has local tunnel configurations, the VSA is ignored. Access is denied to the user when the authentication server rejects the access request.
The tunnel-subscriber authentication command has no effect on subscribers in a domain with no tunnel configuration. When a AAA domain map has no tunnel configuration, subscribers in the domain are authenticated by the authentication server. If the server grants access, then the subscribers get their tunnel settings only from the authentication server.
tunnel-subscriber authentication
Use to configure authentication of tunnel subscribers within a AAA domain by an external authentication server.
By default, tunnel subscribers in the domain are granted access with no external authentication. Use the enable keyword to enable authentication. Use the disable keyword to restore the default and disable user authentication.
Example
host1(config-domain-map)#tunnel-subscriber authentication enable
Related Topics
Mapping a User Domain Name to a Virtual Router on page 8
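The rules in this section combine into a small decision procedure: whether the server is consulted at all, whose tunnel attributes win, and what happens to a redirect VSA. As an added example (not part of the Juniper guide and not the router's implementation), the following Python encodes those rules for one subscriber in one domain map and exercises the four cases the text describes, including the default case in which a subscriber with invalid credentials is still admitted. The domain maps, tunnel values, attribute names and the stand-in server replies are constructed; no real access request is sent.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class DomainMap:
    name: str
    tunnel: Dict[str, str] = field(default_factory=dict)  # local tunnel configuration; {} = none
    tunnel_subscriber_auth: bool = False                  # "tunnel-subscriber authentication enable"


@dataclass
class ServerReply:
    """What the external authentication server answered (constructed; not a RADIUS decoder)."""
    accept: bool
    tunnel: Dict[str, str] = field(default_factory=dict)   # tunnel attributes returned
    control: Dict[str, str] = field(default_factory=dict)  # other control attributes
    redirect_vsa: Optional[str] = None


@dataclass
class Decision:
    granted: bool
    server_consulted: bool
    tunnel: Dict[str, str] = field(default_factory=dict)
    control: Dict[str, str] = field(default_factory=dict)
    redirect: Optional[str] = None


def admit(domain: DomainMap, ask_server: Callable[[], ServerReply]) -> Decision:
    """Decide access and tunnel settings for a subscriber in the given domain.

    ask_server() stands in for the access request/reply exchange and is called
    only on the paths where the text says the server is consulted.
    """
    if not domain.tunnel:
        # No tunnel configuration: not a tunnel subscriber. The server authenticates
        # the user and is the only source of tunnel settings.
        reply = ask_server()
        if not reply.accept:
            return Decision(False, True)
        return Decision(True, True, dict(reply.tunnel), dict(reply.control), reply.redirect_vsa)

    if not domain.tunnel_subscriber_auth:
        # Default behaviour: access granted immediately, even with invalid credentials,
        # and no control attributes can come from the server.
        return Decision(True, False, dict(domain.tunnel))

    reply = ask_server()
    if not reply.accept:
        return Decision(False, True)          # the server's rejection is honoured
    tunnel = dict(domain.tunnel)
    tunnel.update(reply.tunnel)               # returned tunnel attributes win over the domain map
    # A redirect VSA is ignored because the domain map carries local tunnel configuration.
    return Decision(True, True, tunnel, dict(reply.control), redirect=None)


def demo() -> Dict[str, Decision]:
    tunnel_cfg = {"tunnel-server": "192.0.2.1", "tunnel-type": "l2tp"}   # constructed values
    rejecting = lambda: ServerReply(False)
    accepting = lambda: ServerReply(True, {"tunnel-server": "198.51.100.9"},
                                    {"session-timeout": "3600"}, "redirect-to-vr-x")
    return {
        "default_invalid_creds": admit(DomainMap("isp.example", dict(tunnel_cfg)), rejecting),
        "enabled_rejected": admit(DomainMap("isp.example", dict(tunnel_cfg), True), rejecting),
        "enabled_accepted": admit(DomainMap("isp.example", dict(tunnel_cfg), True), accepting),
        "no_tunnel_config": admit(DomainMap("corp.example"), accepting),
    }
```

In the enabled and accepted case the server's tunnel-server value replaces the domain map's, the tunnel-type the server did not return is kept from the domain map, the session-timeout control attribute becomes available, and the redirect VSA is dropped; the same reply for a domain without tunnel configuration keeps the redirect.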
Configuring Name Server Addresses
You can assign IP or IPv6 addresses for DNS and IP addresses for WINS name servers. During setup negotiations between the router and remote PC clients using PPP (Internet Protocol Control Protocol [IPCP] specifically), the remote client may request the DNS and WINS server IP addresses. If the IP addresses passed to the router by the remote PC client are different from the ones configured on your router, the router returns the values that you configured as the correct values to the remote PC client. This behavior is controlled by the ppp peer dns and ppp peer wins interface commands.
If a PPP client request contains address values of 0.0.0.0 for the name servers, the router considers that the remote PC client is not configured and returns the configured values as the correct values to the remote PC client.
The DNS and WINS addresses are considered part of the PPP user information. These addresses are provided to the PPP client as part of the IPCP negotiations between PPP peers. For details, see RFC 1877, PPP Internet Protocol Control Protocol Extensions for Name Server Addresses (December 1995).
NOTE: All name server address parameters are defined in the context of a virtual router.
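The behaviour described above, as an added example that is not part of the Juniper guide and does not reproduce the router's PPP code: the following Python parses the option list of an IPCP Configure-Request, compares each RFC 1877 name-server option (types 129 to 132, which are the real RFC values) with the addresses configured through aaa dns and aaa wins, and answers with Configure-Nak carrying the configured values whenever the client sent 0.0.0.0 or a different address, or with Configure-Ack when everything matches. The configured addresses are taken from the procedures in this section (the WINS primary is written without its leading zero); the client request is constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# IPCP option types from RFC 1877 and the Configure-Ack/Nak codes from RFC 1661.
PRIMARY_DNS, PRIMARY_NBNS, SECONDARY_DNS, SECONDARY_NBNS = 129, 130, 131, 132
NAME_SERVER_OPTIONS = {
    PRIMARY_DNS: "dns primary", PRIMARY_NBNS: "wins primary",
    SECONDARY_DNS: "dns secondary", SECONDARY_NBNS: "wins secondary",
}
CONFIGURE_ACK, CONFIGURE_NAK = 2, 3

Option = Tuple[int, bytes]


def parse_options(payload: bytes) -> List[Option]:
    """Split a Configure-Request option list into (type, data) pairs (TLV, 2-byte header)."""
    options, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        typ, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed IPCP option length")
        options.append((typ, payload[i + 2:i + length]))
        i += length
    return options


def build_options(options: List[Option]) -> bytes:
    return b"".join(bytes([typ, 2 + len(data)]) + data for typ, data in options)


def negotiate_name_servers(request: bytes, configured: Dict[str, str]) -> Tuple[int, bytes]:
    """Answer the name-server options of a peer's Configure-Request.

    configured maps "dns primary" etc. to the address set with aaa dns / aaa wins.
    A client value of 0.0.0.0 (unconfigured) or any value that differs from ours is
    answered with Configure-Nak carrying our value; matching values are acknowledged.
    """
    naks: List[Option] = []
    for typ, data in parse_options(request):
        name = NAME_SERVER_OPTIONS.get(typ)
        if name is None:
            continue                              # not a name-server option; out of scope here
        if len(data) != 4:
            raise ValueError("name-server option must carry an IPv4 address")
        ours = ipaddress.IPv4Address(configured.get(name, "0.0.0.0"))
        if ipaddress.IPv4Address(data) != ours:
            naks.append((typ, ours.packed))
    if naks:
        return CONFIGURE_NAK, build_options(naks)
    return CONFIGURE_ACK, request


def demo() -> Tuple[int, Dict[str, str]]:
    # Constructed: the addresses from the procedures above (WINS primary without the leading zero).
    configured = {"dns primary": "10.10.10.5", "dns secondary": "10.10.10.6",
                  "wins primary": "192.168.10.5", "wins secondary": "192.168.10.40"}
    packed = lambda a: ipaddress.IPv4Address(a).packed
    # The client asks for both DNS addresses (0.0.0.0), already has the right WINS primary,
    # and proposes a stale WINS secondary.
    request = build_options([
        (PRIMARY_DNS, bytes(4)), (SECONDARY_DNS, bytes(4)),
        (PRIMARY_NBNS, packed("192.168.10.5")), (SECONDARY_NBNS, packed("10.0.0.99")),
    ])
    code, payload = negotiate_name_servers(request, configured)
    return code, {NAME_SERVER_OPTIONS[t]: str(ipaddress.IPv4Address(d)) for t, d in parse_options(payload)}
```

The Nak in demo() carries only the three options that needed correcting; the WINS primary the client already had right is left out, and a request in which every value matches is acknowledged unchanged. The length checks in parse_options matter because the option list arrives from the peer and a bad length would otherwise be read past the end of the payload.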
Configuration Tasks
This section contains procedures for configuring the DNS and WINS primary and secondary name server addresses.
DNS Primary and Secondary NMS Configuration
To configure the DNS primary and secondary name server addresses:
1. Specify the IP address of the DNS primary name server.
host1(config)#aaa dns primary 10.10.10.5
or, for IPv6,
host1(config)#aaa ipv6-dns primary 2001:db8::8001
2. Specify the IP address of the DNS secondary name server.
host1(config)#aaa dns secondary 10.10.10.6
or, for IPv6,
host1(config)#aaa ipv6-dns secondary 2001:db8::8002
NOTE: The router uses name server addresses exclusively for PPP clients and not for domain name server resolution.
aaa dns primary
Use to specify the IP address of the DNS primary name server.
Example
host1(config)#aaa dns primary 10.10.10.5
Use the no version to set the corresponding address to 0.0.0.0.
See aaa dns
aaa dns secondary
Use to specify the IP address of the DNS secondary name server.
Example
host1(config)#aaa dns secondary 10.10.10.6
Use the no version to set the corresponding address to 0.0.0.0.
See aaa dns
aaa ipv6-dns primary
Use to specify the IPv6 address of the DNS primary name server.
Example
host1(config)#aaa ipv6-dns primary 2001:db8::8001
Use the no version to set the corresponding address to 0 (or ::).
See aaa ipv6-dns
aaa ipv6-dns secondary
Use to specify the IPv6 address of the DNS secondary name server.
Example
host1(config)#aaa ipv6-dns secondary 2001:db8::8002
Use the no version to set the corresponding address to 0 (or ::).
See aaa ipv6-dns
WINS Primary and Secondary NMS Configuration
To configure the WINS primary and secondary name server addresses:
1. Specify the IP address of the WINS primary name server.
host1(config)#aaa wins primary 192.168.10.05
2. Specify the IP address of the WINS secondary name server.
host1(config)#aaa wins secondary 192.168.10.40
NOTE: The router uses name server addresses exclusively for PPP clients and not for domain name server resolution.
aaa wins primary
Use to specify the IP address of the WINS primary name server.
Example
host1(config)#aaa wins primary 192.168.10.05
Use the no version to set the corresponding address to 0.0.0.0.
See aaa wins
aaa wins secondary
Use to specify the IP address of the WINS secondary name server.
Example
host1(config)#aaa wins secondary 192.168.10.40
Use the no version to set the corresponding address to 0.0.0.0.
See aaa wins
Configuring Local Address Servers
The local address server allocates IP addresses from a pool of addresses stored locally on the router. You can optionally configure shared local address pools to obtain addresses from a DHCP local address pool that is in the same virtual router. Addresses are provided automatically to client sessions requiring an IP address from a virtual router that is configured to use a local address pool.
A local address server is defined in the context of a virtual router. You create a local address server when you configure the first local pool. Local address servers exist as long as the virtual router exists or until you remove them by deleting all configured pools.
Figure 1 on page 54 illustrates the local address pool hierarchy. Multiple local address server instances, one per virtual router, can exist. Each local address server can have one or more local address pools. Each pool can contain a number of IP addresses that are available for allocation and used by clients, such as PPP sessions.
Figure 1: Local Address Pool Hierarchy
Local Address Pool Ranges
As shown in Figure 1 on page 54, each local address pool is named and contains ranges of sequentially ordered IP addresses. These addresses are allocated when the AAA server makes a request for an IP address.
If a local address pool range is exhausted, the next range of addresses is used. If all pool ranges are exhausted, you can configure a new range to extend or supplement the existing range of addresses, or you can create a new pool. The newly created pool range is then used for future address allocation. If addresses allocated from the first pool range are released, then subsequent requests for addresses are taken from the first pool range.
Addresses are assigned sequentially from a range within a pool. If a range has no addresses available, the next range within that pool is used. If a pool has no addresses available, the next configured pool is used, unless a specific pool is indicated.
Local Address Pool Aliases
An alias is an alternate name for an existing local address pool. It comprises an alias name and a pool name.
When the AAA server requests an IP address from a specific local address pool, the local address server first verifies whether an alias exists for the requested pool. If an alias exists, the IP address is allocated from the pool specified by the alias. If no alias exists, the IP address is allocated from the pool originally specified in the request.
The use of aliases simplifies management of subscribers. For example, you can use an alias to migrate subscribers from one local address pool to another. Instead of having to modify countless subscriber records on the AAA server, you create an alias to make the configuration change.
Shared Local Address Pools
Typically, the local address server allocates IP addresses from a pool of addresses that is stored locally on the router. However, shared local address pools enable a local address server to hand out addresses that are allocated from DHCP local server address pools within the same virtual router. The addresses are configured and managed within DHCP. Therefore, thresholds are not configured on the shared pool, but are instead managed by the referenced DHCP local server pool.
A shared local address pool references one DHCP address pool. The shared local address pool can then obtain addresses from the referenced DHCP address pool and from any DHCP address pools that are linked to the referenced DHCP address pool.
Figure 2 on page 55 illustrates a shared local address pool environment that includes four linked DHCP address pools. In the figure, both Shared_LAS_Pool_A and Shared_LAS_Pool_B reference DHCP_Pool_1, and can therefore obtain addresses from all four DHCP address pools. Shared_LAS_Pool_C references DHCP_Pool_3 and can get addresses from DHCP_Pool_3 and DHCP_Pool_4.
Figure 2: Shared Local Address Pools
When the local address server requests an address from a shared address pool, the address is returned from the referenced DHCP pool or a subsequent linked pool. If no address is available, DHCP notifies the local address server and the search is ended.
Keep the following guidelines in mind when using shared local address pools:
The DHCP attributes do not apply to shared local address pools; for example, the lease time for shared local address pools is infinite.
When you delete the referenced DHCP address pool, DHCP notifies the local address server and logs out all subscribers that are using addresses from the deleted pool.
When you delete a shared local address pool, the local address server logs out the subscribers that are using addresses from the deleted pool, then notifies DHCP and releases the addresses.
If the chain of linked DHCP address pools is broken, no action is taken and the existing subscribers retain their address. However, the DHCP local address pools that are no longer part of the chain are now unable to provide any new addresses.
Example
The following commands create the shared address pools in Figure 2 on page 55:
host1(config)#ip local shared-pool Shared_LAS_Pool_A DHCP_Pool_1
host1(config)#ip local shared-pool Shared_LAS_Pool_B DHCP_Pool_1
host1(config)#ip local shared-pool Shared_LAS_Pool_C DHCP_Pool_3
SNMP Thresholds
An address pool has SNMP thresholds associated with it that enable the local address server to signal SNMP traps when certain conditions exist. These thresholds are the high utilization threshold and the abated utilization threshold. If a pool's outstanding addresses exceed the high utilization threshold and SNMP trap signaling is enabled, SNMP is notified. Likewise, when a pool's utilization drops below the abated utilization threshold, SNMP is notified.
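The allocation rules described under Local Address Pool Ranges, Local Address Pool Aliases and SNMP Thresholds above, modeled as an added Python example (not JUNOSe code and not from Juniper): addresses are handed out sequentially through the ranges of a pool, then through the next configured pool unless AAA named a specific pool, an alias is resolved before the request is served, and crossing the high or abated utilization threshold produces a trap. The pool names, address ranges and the once-per-crossing trap behaviour are assumptions.

```python
import ipaddress

class LocalAddressServer:
    def __init__(self, high=85, abated=75):  # thresholds default to 85 / 75 as on the page
        self.pools = {}       # pool name -> ranges in configured order (lists of addresses)
        self.aliases = {}     # alias name -> pool name
        self.in_use = {}      # outstanding address -> pool it was allocated from
        self.high, self.abated = high, abated
        self.alarmed = set()  # pools that have raised a high-utilization trap
        self.traps = []       # (pool, "high" | "abated"), standing in for SNMP traps

    def add_range(self, pool, first, last):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        addrs = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]
        self.pools.setdefault(pool, []).append(addrs)  # a later range extends the pool

    def utilization(self, pool):
        total = sum(len(r) for r in self.pools[pool])
        used = sum(1 for p in self.in_use.values() if p == pool)
        return 100 * used // total if total else 0

    def _check_thresholds(self, pool):
        # Assumption: one trap when crossing the high threshold, one more when
        # utilization later falls below the abated threshold (hysteresis).
        u = self.utilization(pool)
        if u > self.high and pool not in self.alarmed:
            self.alarmed.add(pool); self.traps.append((pool, "high"))
        elif u < self.abated and pool in self.alarmed:
            self.alarmed.discard(pool); self.traps.append((pool, "abated"))

    def _take_from(self, pool):
        for rng in self.pools.get(pool, []):  # ranges are tried in configured order
            for addr in rng:                   # lowest free address in the range first
                if addr not in self.in_use:
                    self.in_use[addr] = pool
                    self._check_thresholds(pool)
                    return addr
        return None                            # every range of this pool is exhausted

    def allocate(self, pool=None):
        if pool is not None:  # AAA named a pool: an alias wins, and there is no fallback
            return self._take_from(self.aliases.get(pool, pool))
        for name in self.pools:  # no pool named: pools are tried in configured order
            addr = self._take_from(name)
            if addr is not None:
                return addr
        return None

    def release(self, addr):  # a released address becomes the next one handed out
        self._check_thresholds(self.in_use.pop(addr))
```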
Configuring a Local Address Server
You can create, modify, and delete address pools. You can display address pool information or status with the show ip local pool command. The following are examples of tasks you can configure:
Specify an addressing scheme.
host1(config)#ip address-pool local
Map an address pool name to a range of local addresses. You can also use this command to add additional ranges to a pool.
host1(config)#ip local pool addrpool_10 192.168.56.10 192.168.56.15
Map a primary local address pool name to a domain name.
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#address-pool-name poolA
(Optional) Map a backup address pool to a domain name, which is used for address allocation if the primary local address pool is fully allocated.
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#backup-address-pool-name backup_poolB
(Optional) Map the domain name to the IPv6 local address pool, which is used for prefix delegation. If the authentication server returns the prefix pool name in the Framed-IPv6-Pool attribute of the RADIUS-Access-Accept message, this value overrides the IPv6 local pool configured using the ipv6-prefix-pool-name command.
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#ipv6-prefix-pool-name local_addr_pool
Delete an address pool.
host1(config)#no ip local pool addrpool_10
NOTE: If a pool or range is deleted and addresses are outstanding, the AAA server logs out the clients using the addresses.
Create a shared local address pool.
host1(config)#ip local shared-pool Shared_LAS_Pool_A DHCP_Pool_1
Delete a shared local address pool.
host1(config)#no ip local shared-pool Shared_LAS_Pool_C
Set SNMP variables by specifying an existing pool name and values.
host1(config)#ip local pool addrpool_10 warning 90 80
address-pool-name
Use to specify the name of the primary local address pool from which the router allocates addresses for the domain that you are configuring.
If the authentication server does not return an address, the router allocates an address from this pool. The authentication server may override this pool name using RADIUS attributes such as Framed-Pool.
The primary pool name is a character string up to 16 characters long.
Example
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#address-pool-name poolA
Use the no version to remove the primary local address pool name.
See address-pool-name
backup-address-pool-name
Use to specify the name of the backup local address pool from which the router allocates addresses for the domain that you are configuring, if the primary local address pool is fully allocated.
The backup local address pool takes effect only if you configured a valid primary local address pool.
If the primary local address pool has been fully allocated, and if you did not configure a backup local address pool, the request is denied. This behavior is the same as what existed in previous JUNOSe releases.
If the authentication server returns the backup local address pool name in the RADIUS-Access-Accept message, this value overrides the backup address pool configured using the backup-address-pool-name command.
You can specify a local address pool to be the backup address pool for some users and the primary pool for other users.
You can also use the same local address pool as the backup address pool for subscribers using different primary address pools.
The backup pool name is a character string up to 16 characters long.
Example
host1(config)#aaa domain-map westford.com
host1(config-domain-map)#backup-address-pool-name backup_poolB
Use the no version to remove the backup address pool name.
See backup-address-pool-name.
ip address-pool
Use to specify the addressing scheme: dhcp, local, or none.
The addressing scheme none returns a special indicator to AAA that enables the remote PPP client to assign its own address.
Example
host1(config)#ip address-pool dhcp
Use the no version to specify the default, local.
See ip address-pool
ip local alias
Use to create an alias for an existing local address pool. The IP address is allocated from the pool specified by the alias rather than from the pool specified in the IP address request.
An alias name may contain up to 16 characters.
You can configure a maximum of 32 aliases per virtual router.
A local address pool can have multiple aliases.
You can set the name of the alias to match the name of a local address pool; however, the two names used in the alias cannot be the same.
You can modify an existing alias with a different local address pool name.
When a local address pool is deleted, all aliases with the matching pool name are also deleted.
Example
host1(config)#ip local alias groupB pool-name addrpool_10
Use the no version to remove the alias name.
See ip local alias
ip local pool
Use to map an address pool name to a range of local addresses.
You can create a pool with no address ranges configured for it.
A name may contain up to 16 characters.
Example
host1(config)#ip local pool addrpool_10 192.168.56.10 192.168.56.15
Use the no version to remove the local pool (all ranges), or the specified range.
See ip local pool
ip local pool snmpTrap
Use to enable SNMP pool utilization traps.
Example
host1(config)#ip local pool addr_test snmpTrap
Use the no version to disable SNMP pool utilization traps.
See ip local pool snmpTrap
ip local pool warning
Use to set SNMP utilization warning threshold values.
Example
host1(config)#ip local pool addr_test warning 90 80
Use the no version to reset the attributes to their default values; high threshold 85, abated threshold 75.
See ip local pool warning
ip local shared-pool
Use to create a local shared address pool and to specify the DHCP address pool that provides the addresses.
You can reference a DHCP address pool that has not yet been configured.
Example
host1(config)#ip local shared-pool sharedPool11 dhcpPool6
Use the no version to delete a specific local shared address pool.
See ip local shared-pool
ipv6-prefix-pool-name
Use to specify the name of the IPv6 local address pool from which the delegating router allocates prefixes to the requesting routers for the domain that you are configuring.
When a user is authenticated using a RADIUS server, the RADIUS server might return one or more of the following attributes in the Access-Accept message in response to the client authentication request:
Ipv6-NdRa-Prefix (VSA 26-129)
Framed-IPv6-Prefix (RADIUS IETF attribute 97)
Delegated-IPv6-Prefix (RADIUS IETF attribute 123)
Framed-IPv6-Pool (RADIUS IETF attribute 100)
The prefix or pool name that the authentication server returns in any of these attributes of the RADIUS-Access-Accept message takes priority over the local prefix pool name configured for the domain map.
If the pool name or prefix is not present in the RADIUS-Access-Accept message, the IPv6 local address pool name configured using the ipv6-prefix-pool-name command is used to delegate prefixes to requesting DHCPv6 clients.
The IPv6 local pool name is a character string up to 16 characters long.
Example
host1(config)#aaa domain-map sunnyvale.com
host1(config-domain-map)#ipv6-prefix-pool-name local_addr_pool
Use the no version to remove the IPv6 local address pool name from the domain map.
See ipv6-prefix-pool-name.
Configuring DHCP Features
DHCP provides a mechanism through which computers using Transmission Control Protocol/IP (TCP/IP) can obtain an IP address and protocol configuration parameters automatically from a DHCP server on the network.
The E Series router provides support for the following DHCP features:
DHCP proxy client
DHCP relay agent